
The Mean Streets of Cyberspace

Kent State's digital police are constantly on the beat, battling potential attacks from hackers. We asked them what to watch out for, and how we can protect our digital identities at home and on the job.

By Michael Blanding

Illustrations by Jason Zehner


A gang of criminals has invaded every corner of America. They are casing neighborhoods, trying windows, rattling doorknobs, looking for any way inside to further their epidemic of lawlessness and theft. What this band is looking to steal, however, is more valuable than money: they are after people's very identities.

To those who fight it, this international ring of criminals is known simply as the adversary. The battleground on which they fight is not the streets, but the computers and networks that we use every day.

"By some estimates, there is an attempted breach on an outward-facing network every 5 seconds," says Bob Eckman, Kent State's chief information security officer and a member of the leadership team in the Division of Information Technology. "That's equivalent to a bad guy going up and down the street jiggling the handle on every door."

Mr. Eckman is in charge of safeguarding Kent State's computer network from cyberattack, along with a team of cybersecurity agents who constantly identify and fight hackers' attempts to break through its walls to steal private information.

"It isn't as though there is a single weapon or a single group," says John Rathje, vice president for Information Technology and chief information officer. "These bad actors often work in concert to identify exploits and leverage them for their cause, whatever that might be."

On the most basic level, these cybercriminals are looking for bits of information on individuals that they can use for malicious intent.

Sometimes their target is Kent State itself, and they use the university as a launching pad to attack other organizations.

"Internet traffic originating from a higher education institution might be just enough for bad actors to bypass weaker security controls anywhere across the globe, gain entry to those more vulnerable organizations and then commit bad acts," Mr. Rathje says.

In some cases, these adversaries might not even attack a site right away. Rather, they insert themselves into a vulnerable spot and then sell access to the network, or other information on people, to criminals on the so-called dark web, a shadowy network not accessible through traditional browsers.

"Actual credit card information is not what it used to be," Mr. Eckman says. "Banks have gotten much better at protecting card information. But hackers see a dollar sign above every person's head now."

Big-ticket items are usernames and passwords, private health information, Social Security numbers and other personally identifiable information that hackers can use to build a complete profile of a person, which they can then use to apply for credit cards or break into bank accounts.

"Hackers see a dollar sign above every person's head now."
Bob Eckman,
Kent State's Chief Information Security Officer

Rattling Doorknobs

The adversary uses multiple approaches to try to gain entry to systems in order to acquire information. The least sophisticated is "brute force," in which they try trillions of username and password combinations in an attempt to find one that works.

Another technique involves intercepting packets of information from users of public Wi-Fi networks who send sensitive information or carry out financial transactions.

More commonly, however, hackers look for a way to get users of a network to let them in voluntarily. Social engineering, the act of attempting to trick people into divulging confidential information, can take many forms.

Phishing

False or "phishing" emails claiming to be from a legitimate source, such as a bank, trick recipients into clicking a link that will install spyware on their computer or take them to a fake website where they are asked to "update" their information.

"Phishing is the bane of our existence," says Tom Mahon, Kent State's manager of digital training and outreach, who says the threat is only getting worse. "We're seeing an increasing number of attacks month over month, year over year," he says.

And these are not the stereotypical badly written emails from a supposed Nigerian prince asking the recipient to transfer money into his bank account.

"We intercepted one last week that was very convincing," Mr. Mahon says. "It had the name of a real person on campus, who had sent a DocuSign document for you to sign. The English was polished, the graphics were great."

Emails might impersonate a person's bank, asking them to log into their account, or a professor asking a student to log into their Blackboard account, says Kambiz Ghazinour, assistant professor of computer science and director of KSU's Advanced Information Security and Privacy Lab, which researches cybersecurity.

Others might target international students, who might be less familiar with US rules and regulations, Dr. Ghazinour says. "They might try and scare them by saying, we are from the IRS and we are going to deport you from this country."

Though networks are constantly developing algorithms and spam filters to block phishing emails, hackers keep finding ways to get them through, Dr. Ghazinour says. "It's a cat-and-mouse game, of who can come up with a better way to protect a network, and who can come up with a better way to bypass that protection."
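The convincing lure Mr. Mahon describes (a real campus name, polished text) still leaves two machine-checkable traces: the sending domain does not belong to the person named, and the link's visible text does not match where it actually goes. The following is an added example of that check, not code from the article or from Kent State's mail filters; the directory, domains, addresses and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical campus directory: lower-cased display name -> the only address it should use.
DIRECTORY = {"jane doe": "jdoe@example.edu"}
INTERNAL_DOMAIN = "example.edu"

# Constructed sample modelled on the DocuSign lure described above: a real-looking name,
# an external sending domain, and a link whose visible text differs from its target.
LURE_EMAIL = """From: Jane Doe <jane.doe.docs@mail-sign.example.net>
To: student@example.edu
Subject: Document for your signature
Content-Type: text/html

<p>Jane Doe sent you a document to review and sign.</p>
<a href="http://198.51.100.7/login">https://docusign.example.com/sign</a>
"""

# Constructed benign sample from the same person, sent from the internal domain.
BENIGN_EMAIL = """From: Jane Doe <jdoe@example.edu>
To: student@example.edu
Subject: Syllabus
Content-Type: text/html

<p>See <a href="https://example.edu/syllabus">https://example.edu/syllabus</a></p>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(url):
    """Host part of an http(s) URL, lower-cased; empty string if the text is not a URL."""
    m = re.match(r'https?://([^/:\s]+)', url.strip(), re.I)
    return m.group(1).lower() if m else ""

def phishing_indicators(raw):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    # Indicator 1: a known campus name in the display name, but an external sending domain.
    if name.strip().lower() in DIRECTORY and sender_domain != INTERNAL_DOMAIN:
        findings.append(f"display-name impersonation: '{name}' sent from {sender_domain}")
    # Indicator 2: the visible link text names one host while the href leads somewhere else.
    for href, text in ANCHOR_RE.findall(msg.get_payload()):
        shown, target = host_of(text), host_of(href)
        if shown and shown != target:
            findings.append(f"link mismatch: shows {shown}, goes to {target}")
    return findings
```

Neither check proves a message is malicious on its own; they are the kind of signal a mail gateway or a phish@ mailbox triage script can raise for a human to confirm.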

Often, the prize they are seeking is a username and password, the equivalent of a key to the front door of the house, which they can use both on KSU's servers and throughout the web. The sad part, Dr. Ghazinour says, is that the password someone uses for their account at Kent State might be the password they use for their bank, as well.

Once in possession of a password, the adversary can use automated bots that try the same username and password combination on thousands of other sites online until they find one where it works.

"They'll try a thousand services," says Mr. Mahon, "knowing they are going to fail 99 percent of the time. They're playing a numbers game."
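Seen from the receiving site, the bots Mr. Mahon describes look very different from a user mistyping their own password: one source address fails against many distinct accounts in a short window, and any success from that source is a stolen credential that worked. Here is an added example of that detection run over a constructed authentication log; it is not Kent State's tooling, and the timestamps, usernames and addresses are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source sprays five accounts in four seconds and then
# succeeds on a sixth; a second source is a single user who simply mistyped twice.
LOG = """\
2019-05-13T08:00:01 FAIL user=alice src=203.0.113.9
2019-05-13T08:00:02 FAIL user=bob src=203.0.113.9
2019-05-13T08:00:02 FAIL user=carol src=203.0.113.9
2019-05-13T08:00:03 FAIL user=dave src=203.0.113.9
2019-05-13T08:00:04 FAIL user=erin src=203.0.113.9
2019-05-13T08:00:05 OK user=frank src=203.0.113.9
2019-05-13T08:05:00 FAIL user=gina src=198.51.100.4
2019-05-13T08:05:10 FAIL user=gina src=198.51.100.4
2019-05-13T08:05:20 OK user=gina src=198.51.100.4
"""

def parse(line):
    """Split one log line into (timestamp, result, user, source address)."""
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], src.split("=", 1)[1]

def stuffing_sources(log, window=timedelta(minutes=1), min_users=5):
    """Map each source that failed against >= min_users distinct accounts within any
    sliding window of the given length to the set of accounts it tried."""
    failures = defaultdict(list)
    for line in log.splitlines():
        ts, result, user, src = parse(line)
        if result == "FAIL":
            failures[src].append((ts, user))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the oldest event is inside the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {user for _, user in events[start:end + 1]}
            if len(users) >= min_users:
                flagged[src] = users
                break
    return flagged

def successes_from(log, flagged):
    """Successful logins from a flagged source: accounts whose reused password worked."""
    hits = []
    for line in log.splitlines():
        _, result, user, src = parse(line)
        if result == "OK" and src in flagged:
            hits.append((user, src))
    return hits
```

The accounts returned by successes_from are the ones to lock and reset first; the single-user retries from the second source never reach the threshold and are left alone.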

Many institutions employ multi-factor authentication, a method in which a user is granted access only after successfully presenting two or more pieces of evidence to prove their identity, such as a bank card, a PIN, an SMS text code sent to the user's cellphone, or biometrics such as a fingerprint or iris. But no form of authentication is 100 percent secure.

Pretexting

In a technique called "pretexting," cybercriminals impersonate, usually over the phone, someone with perceived authority, such as a utility company, a police officer or a member of the clergy, to trick a target into giving them confidential information, which they then exploit.

Bolder cybercriminals actually go to people's houses. They may pose, for instance, as a gas company representative and say they can save the homeowner money on their gas bill. In order to compare rates, they ask to see a current bill, which they secretly photograph and use to acquire the person's name, address and account number.

Baiting

Another approach, called "baiting," involves leaving a USB flash drive or other device that secretly contains malware in a public space, such as a parking lot.

"A certain percentage of the public is going to say, 'Oh, it's my lucky day, I just found a 64-gig jump drive, and I'm going to take it home and put it in my laptop,'" Mr. Mahon says, after which it releases its deadly payload into their system.

Bolting Doors

While Kent State's cybersecurity experts won't say exactly what Kent State is doing to secure itself from cyberattacks, for fear of giving away information criminals can exploit, they do say that the university has put controls in place both on the outer perimeter of the network and on individual devices.

The average student at Kent State might have six or seven connected devices, including desktops, laptops, cell phones, tablets, printers, smart TVs, and other "smart" devices such as refrigerators and toasters.

KSU has implemented its own local area network (LAN), which essentially walls off internal traffic from the wider Internet, and has put in place automated processes to identify suspicious log-ins, even if hackers are using a VPN (virtual private network) to disguise their locations.

The Division of Information Technology is continually reviewing security tools and solutions that help the university identify and deal with cyber threats.

It also runs a web page devoted to cybersecurity and digital privacy, www.kent.edu/it/secureit, which includes tips, tricks and tutorials for users to improve their own security practices.

If students or staff think they have received a phishing email, for example, they can send it to phish@kent.edu, where campus administrators will evaluate it and block the sender if it turns out to be malicious.

Practicing Cyber Hygiene

No matter how many barriers administrators put up to block attacks, however, they still struggle to close a big loophole that adversaries can exploit.

"The biggest threat to any cyberspace system is the people using it," says Dr. Ghazinour. "No matter how perfect a system you design, if the user is getting sloppy or doesn't follow the rules, then they will compromise the safety and security for the entire system."

On the other hand, the huge amount of power individual users have also creates a huge opportunity for security. "Something like 90 percent of cyber breaches could have been thwarted if users just showed good cyber hygiene," Mr. Eckman says.

"The biggest threat to any cyberspace system is the people using it."
Dr. Kambiz Ghazinour,
Director of KSU's Advanced Information Security and Privacy Lab

To make sure the Kent State community understands cyber hygiene, for the past five years all new students and their families have received training in basic digital security at face-to-face workshops through Destination Kent State (DKS), the university's orientation program, says Tom Mahon, who does much of the digital training and outreach. At the workshops, he tells participants that the most important thing users can do is protect their accounts with a good password. And he warns them to be careful about how they manage social media.

Passwords

"Use a strong password, don't share your password, and don't reuse the same password," Mr. Mahon says. "Those are the three things. That's it. If everyone followed those rules, they could reduce their risk online tremendously."

By now, most of us are familiar with tips for creating strong passwords, using a mix of letters, numbers, and symbols. For the strongest protection, however, experts recommend using a passphrase instead, stringing together several words separated by symbols.

Even better than choosing a common phrase is stringing together a bunch of random words. "The likelihood of random words appearing together in a searchable database is nil," Mr. Mahon says.
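Mr. Mahon's point can be put in numbers: a phrase that already exists somewhere is one pick from a list of known phrases, while independently chosen random words multiply the choices with every word. The following is an added example, not from the article, that generates such a passphrase with the operating system's random source and compares the entropy of the options discussed above; the 16-word list is a constructed stand-in, and the one-million-entry size for a "known phrases" list is an assumption used only for comparison.

```python
import math
import secrets

# Constructed demo word list (far too small for real use). A Diceware-style list has
# 7776 words, one for each roll of five dice, which is the size used in compare().
WORDS = ["copper", "lantern", "meadow", "quartz", "violin", "harbor", "tundra", "pixel",
         "marble", "cactus", "ember", "falcon", "glacier", "nectar", "orbit", "saddle"]
SEPARATORS = "-_.!@#$%&*"

def entropy_bits(choices, length):
    """Entropy in bits of `length` independent, uniformly random picks from `choices` options."""
    return length * math.log2(choices)

def make_passphrase(n_words=5, words=WORDS):
    """Pick each word independently with a CSPRNG (secrets, never random) and join them
    with one randomly chosen separator symbol, as the article recommends."""
    sep = secrets.choice(SEPARATORS)
    return sep.join(secrets.choice(words) for _ in range(n_words))

def compare():
    """Entropy of the password styles discussed in the text, in bits."""
    return {
        # 8 characters drawn from upper + lower + digits + 10 symbols (72 choices each).
        "8-char mixed password": entropy_bits(72, 8),
        # One phrase taken from a list of known quotes or lyrics; 1,000,000 entries assumed.
        "common phrase (1M-entry list)": entropy_bits(1_000_000, 1),
        # Five words from the tiny demo list above.
        "5 words from 16-word demo list": entropy_bits(len(WORDS), 5),
        # Five words from a 7776-word Diceware list.
        "5 words from 7776-word list": entropy_bits(7776, 5),
    }
```

Five random Diceware words (about 64.6 bits) beat both the 8-character mixed password (about 49.4 bits) and any phrase an attacker can look up (about 20 bits), and the gap is what makes the random-word advice more than a style preference.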

While not sharing one's password may seem obvious, sharing is more common than you'd expect. At every DKS training, Mr. Mahon tells the story of "Timmy and Susie" (based on a real example), about a student who shared his password with his girlfriend; after a bad breakup, she used it to reroute the direct deposits for his student loan into her bank account.

"When you voluntarily give someone your password, there is a tacit permission to use it," he says. "Years later, we've had students tell us, 'The thing I remember most from DKS is the story about Timmy and Susie,' so we know it sticks."

The most difficult message to get through to people is to use different passwords for different websites. In a world in which the average person regularly uses 200 different websites requiring passwords, remembering unique combinations of letters and numbers can quickly become overwhelming.

Mr. Mahon recommends breaking websites down into groups, for example social media, online shopping, email and banking, and using different passwords of increasing complexity for each group, so that if some sites are compromised, others will remain secure.

"While we can't remember 50 passwords, we can probably remember five," he says. But don't list your passwords in a document labeled "Passwords" that you keep on your computer.

Mr. Eckman also recommends using a password manager app to help remember passwords, for example LastPass or Apple's password manager, iCloud Keychain, which stores credentials in the user's iCloud storage.

However, he recommends not storing the whole password in those systems, leaving off the last few characters, for instance, so that even if the system is breached, an adversary won't get all of your logins.

Social Media

Another mistake people commonly make is oversharing on social media. "You'd be surprised at what adversaries can put together about you from what you say on social media sites," Mr. Eckman says.

One example Mr. Mahon uses in his trainings is a photo of a high school graduate in cap and gown, standing next to a car with "Congratulations, Class of 2005" written on the rear window. The car's license plate is visible, and on the rear window there's also a sticker with the name of the high school. A brick house can be seen in the background.

From that bit of information, he is able to show how an adversary can use public records and online family history resources to piece together her address, phone number, her parents' mortgage documents and complete family history, which can be used to answer common password challenge questions such as "What is your mother's maiden name?"

Despite the danger, however, many people are woefully lax in their management of social media. Along with a graduate student, Dr. Ghazinour conducted a research study in which he divided students into groups depending on their privacy settings on Facebook.

They found that more than a third of students made most or all of their information open to the public.

"Especially if they are using their phones to post pictures, they take a picture and post it right away, and may not check privacy settings," he says. "Later they regret it, and it's too late."

His advice is not to post anything on social media, private or not, that you don't feel comfortable sharing publicly. "Even if you share to friends of friends, someone could easily post a photo publicly, and the Internet is forever."

The challenge posed by social media illustrates just how difficult it is to safeguard our privacy in today's world. After all, the entire purpose of the Internet is to connect with other people, and often people are putting photos and other information on social media in the first place because they want to share it with others and tally their "likes."

Even so, says Dr. Ghazinour, people need to consciously weigh their interactions online, pitting the value of sharing a photo on Instagram, or sending health information in an email, against the risk that the information could be abused.

"Once you choose to share something online, you lose control over it," Dr. Ghazinour says. "You need to ask, 'Is this thing I am sending going to bring consequences, and am I ready for them or not?'"

If not, then that information might be better shared in a phone call with a doctor or a face-to-face meeting with a friend, rather than shooting it into cyberspace.

Just as we wouldn't leave our doors wide open for thieves to walk into our homes, we need to lock the doors to our virtual identities, as well.

Cyber Safety

12 tips from KSU experts on safeguarding your digital privacy.

  1. Change passwords regularly on all of your accounts so an old password can't be used against you.
  2. Lie when answering password challenge questions, saying your first car was a "blue Honda" instead of a "red Ford." Better yet, come up with a complete non sequitur that only you know, like "Kent State Rules!"
  3. Enable encryption on electronic devices like laptops and phones.
  4. Use secure erase features when erasing files.
  5. Protect your computer by enabling the firewall, turning on spam filters, and installing anti-virus and anti-spyware software.
  6. Update anti-virus protection regularly, and make sure you are up to date on the latest patches; turn on "auto updates" whenever possible.
  7. Delete personal data securely by overwriting it multiple times before disposing of a computer or phone.
  8. Read end user license agreements on apps you download, especially free apps. You may be giving away access to the information on your phone without realizing it.
  9. Check for "https" instead of "http" in the browser address whenever you're entering personal data on a website, which signifies that the connection to the site is secured. Also look for a closed lock icon in some browsers.
  10. Enable private browsing to disable the standard tracking and data collection features common to most browsers and to ensure that, if your computer or phone is lost or stolen, your web history and passwords aren't stored locally.
  11. Frequently check your credit ratings or subscribe to a credit monitoring service, so you can quickly catch any signs of identity theft.
  12. Don't click links in unsolicited emails. Instead, contact the vendor through some other channel (phone, email or visiting their website) to verify their legitimacy.

Back to Spring/Summer 2019

POSTED: Monday, May 13, 2019 08:14 AM
Updated: Friday, December 9, 2022 07:34 AM
WRITTEN BY: Michael Blanding