TT_-_PV_passwords.jpg

The FBI has launched the “Protected Voices” initiative to help 2020 political campaigns and American voters protect against online foreign influence operations and cyber security threats. The Protected Voices campaign includes information and guidance from the FBI, the Department of Homeland Security, and the Office of the Director of National Intelligence.

This FBI Portland Tech Tuesday report is adapted from the Protected Voices initiative with a focus on providing cyber security information to political campaigns as well as businesses and individuals in Oregon. More information on all aspects of the initiative, including video downloads, can be found at www.FBI.gov/ProtectedVoices.

(Audio)

Welcome to the Oregon FBI’s Tech Tuesday segment. This week: building a digital defense with passwords… or rather passphrases.

We all use passwords. We use them for our phones, our computers, our email, and just about every other kind of personal account.

Unfortunately, many of us use simple passwords, such as Password1 or 1234, because they’re easier to remember. Some of us even reuse the same simple password for multiple accounts. 

If you use a simple password or pattern of characters, it’s considerably easier for an adversary to crack. Many businesses and sites require that passwords include uppercase letters, lowercase letters, numbers, and special characters. However, recent guidance from the National Institute of Standards and Technology, or NIST, advises that password length is much more important than password complexity. 

Instead of using a short, complex password that is hard to remember… consider using a longer passphrase. This involves combining multiple words into a long string of at least 15 characters. The extra length of a passphrase makes it harder to crack while also making it easier for you to remember.

For example, a phrase such as VoicesProtected2020WeAre is a strong passphrase. Even better – a passphrase that combines multiple unrelated words such as “director month learn truck.”

Here are the recommendations from the National Institute of Standards and Technology (NIST) for your organization:

• Require everyone to use longer passwords or passphrases of 15 or more characters without requiring uppercase, lowercase, or special characters.
• Only require password changes when there’s a reason to believe your network has been compromised.
• Have your network administrators screen everyone’s passwords against lists of dictionary words and passwords known to have been compromised.
• To help prevent a denial of service attack against your email service, don’t lock a user’s account after a certain number of incorrect login attempts. That way, even if an adversary floods your network with purposefully incorrect login information, your users won’t be locked out of their accounts.
• Don’t allow password “hints.”

Finally, some people use password keeper programs. These programs store all of your passwords in one place, sometimes called a vault. Some programs can even make strong passwords for you and keep track of them all in one location, so then the only password or passphrase you have to remember is the one for your vault.

The downside of using a password keeper program is that if an attacker cracks your vault password, then he or she knows all of your passwords for all of your accounts. But many IT professionals agree, the benefit of a password keeper program far outweighs this risk. A little research should help you get started. 

Remember your voice matters, so protect it. Go to www.FBI.gov/ProtectedVoices for more information.

###

TT - Bots - GRAPHIC

The FBI has launched the “Protected Voices” initiative to help 2020 political campaigns and American voters protect against online foreign influence operations and cyber security threats. The Protected Voices campaign includes information and guidance from the FBI, the Department of Homeland Security, and the Office of the Director of National Intelligence. 

This FBI Portland Tech Tuesday report is adapted from the Protected Voices initiative with a focus on providing cyber security information to political campaigns as well as businesses and individuals in Oregon. More information on all aspects of the initiative, including video downloads, can be found at www.FBI.gov/ProtectedVoices. 

(Audio) 

Welcome to the Oregon FBI’s Tech Tuesday segment. This week: building a digital defense by understanding how foreign actors use both technology and our emotions to interfere in elections. 

Let’s start with the basics. A “bot” is a program that can simulate human behavior. You likely encounter bots on a regular basis. It can be something as simple as “chatting” with a customer service representative at an online business or asking for help on a shopping site. Today, though, we are going to talk about how foreign actors use bots on social media platforms to drive discord and decision-making. 

The Department of Homeland Security (DHS) warns that bots “use artificial intelligence, big data analytics, and other programs or databases to imitate users posting content.” 

The bots start by targeting divisive issues big and small. The issue could be the upcoming election or the appropriate pizza topping. They don’t care about a winning side – it’s all about making people stake out very different positions.  

By getting people to respond, they are able to start building a large following. Once an influencer or a bot network identifies you as someone willing to engage, they often rename accounts and reuse them for multiple issues. 

That large following allows the foreign actors to be effective in spreading misinformation and hate speech, both of which can generate an emotional reaction by those involved in the debate. Feeling anger or extreme satisfaction can cause you to ignore signs of what’s going on and encourage you to like, repost, or share the info to even more people. 

In the end, the foreign actors and their bots impact our ability to have fair and free elections by polluting our political discussions about the candidates and the issues. What can you do? 

Be wary of accounts or profiles where the posts are only working to drive extreme views. Trolls are in it to make you mad – don’t let them. You can also check an account’s activity history. Is it very new? Was it created years ago but started posting a huge volume of content just recently? Has it changed its name repeatedly? Do some basic online research to see if you can determine if that very-American sounding group is really a legitimate organization. 

Finally, if in doubt – take your conversations off-line. Focus on verifiable facts and encourage your friends and family to do the same 

Remember your voice matters, so protect it. Go to www.FBI.gov/ProtectedVoices for more information. 

###

TT - Cosuming Info - GRAPHIC

The FBI has launched the “Protected Voices” initiative to help 2020 political campaigns and American voters protect against online foreign influence operations and cyber security threats. The Protected Voices campaign includes information and guidance from the FBI, the Department of Homeland Security, and the Office of the Director of National Intelligence. 

This FBI Portland Tech Tuesday report is adapted from the Protected Voices initiative with a focus on providing cyber security information to political campaigns as well as businesses and individuals in Oregon. More information on all aspects of the initiative, including video downloads, can be found at www.FBI.gov/ProtectedVoices. 

(Audio) 

Welcome to the Oregon FBI’s Tech Tuesday segment. This week: building a digital defense relative to how you consume information. 

When you find information on the internet, it’s important to remember that the creator likely had a purpose in writing that post. Things are often put online to a) make money or b) to influence the viewer’s perceptions of an issue or problem. 

It’s really important to consider the source of the information. Who posted this material online, and why? You should start by checking the profile of whomever appears to be posting the information. Do a search to see if the poster is a real person and what their qualifications may be. Specifically, look for: 

• How recently the account was created? 

• Whether there are conflicting posts (such as the person supports an issue in one post, but is against it in another)? 

• Whether there are non-sensical posts or profile info doesn’t make sense?  (Many bots just throw a bunch of words together to make it look like content.) 

• How quickly are the posts hitting? (No human can send 100 posts in 30 seconds.) 

Now, on to the content. Check to see if the headline matches the story. Oftentimes those trying to spread misinformation will use an emotionally-charged headline, but the body of the story doesn’t contain facts that you can verify elsewhere. Can you vet the information through one or more separate, trusted sources? Is what you are reading opinion masking as fact? What related information might have been left out of the material you’re accessing? 

Consider whether the post or article generated a strong emotional reaction in you – it could be anger or desperation – happiness or satisfaction. If so, the purpose of the post may have been to get you to react and re-post without thinking or verifying.  

Social media platforms give foreign actors a way to connect with and manipulate you—so someone who appears to be a like-minded supporter might actually be a foreigner who wants to trick you into sharing propaganda. 

The bottom line? Keep a healthy skepticism when you’re looking at information on the Internet. Consider why something might have been posted online and who stands to gain from that information.  

Remember your voice matters, so protect it. Go to www.FBI.gov/ProtectedVoices for more information. 

### 

TT - Synthetic ID Theft - GRAPHIC

Welcome to the Oregon FBI’s Tech Tuesday segment. This week: building a digital defense against synthetic ID theft. 

Earlier this month the FBI issued a warning against this particular kind of ID theft – a fraud that is difficult to identify but easy to stop, if you do a little work ahead of time. 

Synthetic identity theft differs from traditional ID theft in that criminals don’t steal a single person’s identity—they create one using a combination of real and fake information. 

When they use that identity to apply for credit, the credit reporting agencies generate a new credit file as though for a new person.  

How do the fraudsters get started? The easiest way is to steal and use Social Security numbers for people who don’t already have credit files: our children. They then combine those clean Social Security numbers with information such as fake names and birth dates. 

That persona then starts applying for credit and keeps going until a bank or business opens an account. Using that fake credit file and the very real Social Security number, the imposter can also get a job, file for a fraudulent tax return, or even get medical benefits. Oftentimes, the lender is not aware of the fraud until the criminal maxes out the credit line and the account goes into default. 

Unfortunately for the child whose Social Security number got stolen, it may not be until he is applying for financial aid for college before he’s aware that a fraudster damaged his credit years prior. 

So how do you protect your kids? 

• Check to see if your children have credit reports. They should not have reports, and if they do, that may be an indicator that someone has used their info. 

To do this, you will need to check with the three major credit reporting agencies: Experian, TransUnion and Equifax. Each has its own requirements, but, generally, you will need to provide the child’s legal name, address, birth date, a copy of the child’s birth certificate, and a copy of the child’s Social Security card. You will also need to provide proof about yourself such as a copy of your driver’s license and a copy of a current utility bill with your address. 

• If you find that your child does have a credit report, check it for illegal activity and report any fraud to all of the credit agencies. 

• If you find that your child does not have a credit report, you can ask that each of the three agencies create a profile.  

• Whether your child already had a profile or you ask to have one created, you can put a freeze that credit file. Putting a freeze on a child’s account requires you to fill out a form or write a letter and provide all of the documentation we talked about previously. Check each credit bureau’s website for specifics as to what that particular bureau requires.  

Federal law requires credit agencies to allow parents and guardians to place these freezes for free for children 15 and under. Those who are 16 or 17 can do so for themselves. 

• As an alternative to freezing, you can put your child on as an authorized user for one of your credit accounts. This will create a credit profile for that child and help establish the child as a legitimate owner of her Social Security number. If you go this route, make sure that you continue to run credit reports for your child, Each person is allowed one free credit report per year from each of the three agencies. 

• Finally, watch for credit offers in the mail addressed to your child, unusual activity on medical insurance statements, and the appropriate reporting of income on annual Social Security statements. Anything out of the ordinary in these venues could indicate a problem. 

If you have been victimized by an online scam or any other cyber fraud, be sure to report it to the FBI’s Internet Crime Complaint Center at www.IC3.gov or call your local FBI office. 

###

From January 26th - March 30th, PIO Beth Anne Steele will be working on other assignments. During this time, other FBI PIO's will be covering media matters in Oregon. 

Going forward, media outlets are encourgaed to use the Media.Portland@fbi.gov email account to request assistance on FBI matters in the state. Also, please note that we are discontinuing use of the media pager/number. Thank you.

TT - MFA - January 21, 2020 - GRAPHIC

Welcome to the Oregon FBI’s Tech Tuesday segment. Today: Building a digital defense with the fancy-sounding multi-factor authentication. 

It sounds complicated – but multi-factor authentication – or MFA - really isn’t that difficult. In fact, you are probably already using it and just don’t realize it. 

MFA is just a process that requires you to prove who you are in more than one way. Banks, utilities, social media platforms, and more are using this technology every day to protect your private data. Remember the last time you had to answer a challenge question to get into your account? Or you received a one-time PIN via text or email to confirm that it was really you who forgot your password and are now trying to re-set it? That is multi-factor authentication.  

There are three categories of credentials: something you know, something you have, and something you are. Let’s break that down. 

• “Something you know” would be your password or a set PIN that you use to access an account. The PIN doesn’t typically change. 

• “Something you have” would be a security token or app that provides a randomly-generated number that rotates frequently. The token provider confirms that you – and only you – could know what that number is. Also, “something you have” could include verification texts, emails, or calls that you must respond to before accessing an account. 

• “Something you are” includes fingerprints, facial recognition, or voice recognition. Sounds a bit unnerving – but think about how you unlocked your smart phone this morning. You’ve probably used your prints or your face several times already today just to check your email. 

Multi-factor authentication is required by some providers – but for others it is optional. If given the choice, it is in your best interest to take advantage of MFA whenever possible but definitely when dealing with your most sensitive personal data. This includes your primary email account, your financial records, and your health records. 

To make it easy, the U.S. Department of Homeland Security has gathered a list of links from all the major players to walk you through how to set up multi-factor authentication. The list includes the biggest banks, social media platforms, email providers, gaming sites, online health record providers, shopping sites, cloud storage companies, and more. You can get to it by going to https://stopthinkconnect.org/campaigns/lock-down-your-login 

As always, if you have been victimized by a cyber fraud, be sure to report it to the FBI’s Internet Crime Complaint Center at www.IC3.gov or call your local FBI office. 

###