Cybersecurity & Covid-19: Vulnerability and What to Do About It

Steve Burgess, 2020

As if we didn’t have enough to worry about.

With so many of us working from home (close to 90% of American corporations are encouraging or requiring employees to do so) and having little time to set up corporate cybersecurity barriers, employees and their companies may be more vulnerable than ever. Hardly anybody has had their home setup properly pen tested or security-checked.

Cybercriminals, ever ready to jump on an opportunity, are likely to take advantage immediately with malware, phishing attacks, and more.

For instance, the World Health Organization (WHO) has been plagued by a doubling of cyber attacks recently. One of the main attempts is suspected to be the Dark Hotel group, in putting up a fake website on or around March 13, 2020 that mimics the internal email system of WHO – but they were caught in the act and this effort appeared to have netted nothing

Real-world virus begets virtual viruses.

One expert, Alexander Urbelis of New York-based Blackstone Law Group, which tracks suspicious internet domain registration activity, said there are about 2,000 coronavirus-themed web sites being set up daily, many of them obviously malicious. This may be true of experts but obvious is in the eyes of the beholder. Most may be more easily fooled.

The FBI says that there has been a huge spike in scams exploiting fears about Covid-19, and that the majority of these target recipients in the three states with the largest number of reported Covid-19 infections – California, New York, and Washington. But don’t imagine that if you’re in one of the other 47 that increased attacks aren’t already on their way.

One victim is the Champaign Urbana Public Health District (CHUPD) in Illinois, which covers 210,000 people, including the state’s biggest university. A ransomware infection called Netwalker took down its primary website on March 12, 2020. CHUPD had to set up an alternate site in order to continue to be in business and communicate with its users.

There are treatment scams (fake cures, vaccines), supply scams (fake accounts and sites supposedly selling medical supplies), provider scams (supposed doctors and hospitals that claim to have treated a friend and now need to get paid – by you), charity scams (of course), app scams (mobile apps disguised as tracking the disease that are only really tracking you), investment scams (as there always are), and lots and lots of phishing scams.

What to do:

You can report fraud and other misbehavior to various government organizations.

• To the Justice Department: Covid fraud reporting https://www.justice.gov/usao-wdpa/covid-19-fraud-page • Or COVID-19 Fraud Coordinator, Senior Litigation Counsel Shaun Sweeney at USAPAW.COVID19@usdoj.gov or 1-888-C19-WDPA • To the FBI at: https://www.ic3.gov/default.aspx or 412-432-4000. • To the Federal Trade Commission at ftc.gov/complaint.

20+ Steps to take on your own

• DO back up your data. • DON’T respond to offers to sell you COVID-19 cures. • DO check out companies offering supplies through online reviews, Better Business Bureau, other rating sites. • DO research any charities soliciting donations. You might check the FTC’s (Federal Trade Commission) website for advice here. • DO use effective passwords. A good guide is at the Perfect Passwords page at Gibson Research Corporation’s website. • DO secure your router – especially your wireless router. The manufacturer or your Internet Service Provider can help you with the best settings for your particular equipment. • DO keep your operating system and antivirus patches updated. • DON’T give out your Social Security number or use it as an ID. You usually only have to give it to your employer, your financial institution and government agencies. • DO disable your Guest account on your computer. • DON’T make your personal info public on social networks or elsewhere. • DON’T open email from people you don’t know. • DON’T make online purchases from or donations to sites you don’t know well. • DO use a firewall (hardware and/or software) for your computer. • DON’T give any of your passwords to others. • DON’T use the same password for everything. • DO make sure that Administrator access on your computer is protected and accessible only to you (use a password). • DO disable Guest access on your computer. • DO disable remote logins • DO require a password to log onto your computer, phone, or email and make sure your phone or computer requires a password after a few minutes idle. It’s a pain, but it’s smart. DO check to see what ports on your computer are wide open do ne’er-do-wells at Gibson Research’s ShieldsUp! Site https://www.grc.com/shieldsup • DO use a password that is hard to guess (4 of the 5 most common iPhone passwords are 1234, 0000, 1111, 5555). Don’t make it easy to guess! • DON’T let your mobile device out of your sight. • Don’t click on links in emails or messages. If you want to go to a site mentioned in an email, type it directly into the browser. It’s a pain (again), but it helps keep you safe. • Don’t open emails from people you don’t know. They may look interesting, but they’re not worth the risk. • Only download apps from the phone vendor’s App store (such as the Apple App Store or the Google Play Store).

There are people helping

There’s a group of volunteers in the UK that’s formed called, “CV19.” Their mission is to “help healthcare organizations identify, protect, detect and respond to existing and emerging cyber threats using volunteers.”

There are thousands or millions of friend, neighbors, and just good people chipping in however they can to help in whatever ways they can. Here are some ways you can do the same.

And please, follow government guidelines about sanitizing and distancing.

Be kind to your neighbors and others, be well, and we’ll get through this together.

Steve Burgess is a freelance technology writer, a practicing Computer Forensics and e-discovery specialist and Expert Witness as the principal of Burgess Forensics, and a contributor to the text, Scientific Evidence in Civil and Criminal Cases, 5th Ed. By Moenssens, et al. Mr. Burgess can be reached at http://www.burgessforensics.com, or via email steve@burgessforensics.com

Related Articles – Covis-19, coronavirus, cybersecurity, tips,