The Mean Streets of Cyberspace
Kent State’s digital police are constantly on the beat, battling potential attacks from hackers. We asked them what to watch out for—and how we can protect our digital identities at home and on the job.
By Michael Blanding
Illustrations by Jason Zehner
A gang of criminals has invaded every corner of America. They are casing neighborhoods, trying windows, rattling doorknobs, looking for any way inside to further their epidemic of lawlessness and theft. What this band is looking to steal, however, is more valuable than money—they are after people’s very identities.
To those who fight it, this international ring of criminals is known simply as the adversary. The battleground on which they fight is not the streets, but on the computers and networks that we use every day.
“By some estimates, there is an attempted breach on an outward-facing network every 5 seconds,” says Bob Eckman, Kent State’s chief information security officer and a member of the leadership team in the Division of Information Technology. “That’s equivalent to a bad guy going up and down the street jiggling the handle on every door.”
Mr. Eckman is in charge of safeguarding Kent State’s computer network from cyberattack, along with a team of cybersecurity agents who constantly identify and fight hackers’ attempts to break through walls to steal private information.
“It isn’t as though there is a single weapon or a single group,” says John Rathje, vice president for Information Technology and chief information officer. “These bad actors often work in concert to identify exploits and leverage them for their cause, whatever that might be.”
On the most basic level, these cybercriminals are looking for bits of information on individuals that they can use for malicious intent.
Sometimes, their target is Kent State itself, using the university as a launching pad to attack other organizations.
“Internet traffic originating from a higher education institution might be just enough for bad actors to bypass weaker security controls anywhere aross the globe, gain entry to those more vulnerable organizations and then commit bad acts,” Mr. Rathje says.
In some cases, these adversaries might not even attack a site right away. Rather, they insert themselves into a vulnerable spot and then sell access to the network or other information on people to criminals on the so-called dark web, a shadowy network not accessible through traditional browsers.
“Actual credit card information is not what it used to be,” Mr. Eckman says. “Banks have gotten much better at protecting card information. But hackers see a dollar sign above every person’s head now.”
Big ticket items are usernames and passwords, private health information, social security numbers and other personally identifiable info that hackers can use to build a complete profile of a person, which they can then use to apply for credit cards or break into their bank accounts.
"Hackers see a dollar sign above every person's head now."
Kent State's Chief Information Security Officer
The adversary uses multiple approaches to try and gain entry to systems in order to acquire information. The least sophisticated is “brute force,” by which they try trillions of combinations of usernames and passwords in an attempt to find one that works.
Another technique involves stealing packets of information from users of public Wi-Fi networks who send sensitive information or download financial transactions.
More commonly, however, hackers look for a way to get users of a network to let them in voluntarily. Social engineering, the act of attempting to trick people into divulging confidential information, can take many forms.
Phishing False or “phishing” emails claiming to be from a legitimate source, such as a bank, trick recipients to click on a link that will insert spyware onto their computer or take them to a fake website where they are asked to “update” their information.
“Phishing is the bane of our existence,” says Tom Mahon, Kent State’s manager of digital training and outreach, who says the threat is only getting worse. “We’re seeing an increasing number of attacks month over month, year over year,” he says.
And these are not the stereotypical badly written emails from a supposed Nigerian prince asking for a recipient to transfer money into his bank account.
“We intercepted one last week that was very convincing,” Mr. Mahon says. “It had the name of a real person on campus, who had sent a DocuSign document for you to sign. The English was polished, the graphics were great.”
Emails might impersonate a person’s bank, asking them to log into their account, or a professor asking a student to log into their Blackboard account, says Kambiz Ghazinour, assistant professor of computer science and director of KSU’s Advanced Information Security and Privacy Lab, which researches cybersecurity.
Others might target international students, who might be less familiar with US rules and regulations, Dr. Ghazinour says. “They might try and scare them by saying, we are from the IRS and we are going to deport you from this country.”
Though networks are constantly developing algorithms and spam filters to block phishing emails, hackers keep finding ways to get them through, Dr. Ghazinour says. “It’s a cat-and-mouse game, of who can come up with a better way to protect a network, and who can come up with a better way to bypass that protection.”
Often, the prize they are seeking is a username and password, equivalent to a key to the front door of the house, which they can use both on KSU’s server and throughout the web. The sad part, Dr. Ghazinour says, is that the password someone uses for their account at Kent State might be the password they use for their bank, as well.
Once in possession of a password, the adversary can use automated bots that try the same username and password combination on thousands of other sites online until it finds a match.
“They’ll try a thousand services,” says Mr. Mahon, “knowing they are going to fail 99 percent of the time. They’re playing a numbers game.”
Many institutions employ multi-factor authentication, a method in which a user is granted access only after successfully presenting two or more pieces of evidence to prove one’s identity, such as a bank card, PIN number, SMS Text code sent to the user’s cellphone and biometrics such as a fingerprint or eye iris. But no form of authentication is 100 percent secure.
Pretexting In a technique called “pretexting,” cybercriminals impersonate, usually over the phone, someone with perceived authority, like a utility company, police officer, or clergy to trick a target into giving them confidential information, which they then exploit.
Bolder cybercriminals actually go to people’s houses. They may pose, for instance, as a gas company representative and say they can save the homeowner money on their gas bill. In order to compare rates, they ask to see a current bill, which they secretly take a picture of and use to acquire the person’s name, address and account number.
Baiting Another approach, called “baiting” involves putting a USB flash drive or other device that secretly contains malware out in a public space, such as a parking lot.
“A certain percentage of the public is going to say, ‘Oh, it’s my lucky day, I just found a 64-gig jump drive, and I’m going to take it home and put it in my laptop,’” Mr. Mahon says—after which it releases its deadly payload into their system.
While Kent State’s cybersecurity experts won’t say exactly what Kent State is doing to secure itself from cyberattacks, for fear of giving away information criminals can exploit, they do say that the university has inserted controls both on the outer perimeter of the network and on individual devices.
The average student at Kent State might have six or seven connected devices—including desktops, laptops, cell phones, tablets, printers, smart TVs, and other “smart” devices such as refrigerators and toasters.
KSU has implemented its own local area network (LAN), which essentially walls off internal traffic from the wider Internet, and has put in place automated processes to identify suspicious log-ins, even if hackers are using a VPN (virtual private network) to disguise their locations.
The Division of Information Technology is continually reviewing security tools and solutions that help the university identify and deal with cyber threats.
It also runs a web page devoted to cybersecurity and digital privacy, www.kent.edu/it/secureit, which includes tips, tricks and tutorials for users to improve their own security practices.
If students or staff think they have received a phishing email, for example, they can send it to firstname.lastname@example.org, where campus administrators will evaluate it and block the sender if it turns out to be malicious.
Practicing Cyber Hygiene
No matter how many barriers administrators put up to block attacks, however, they still struggle to close a big loophole that adversaries can exploit.
“The biggest threat to any cyberspace system is the people using it,” says Dr. Ghazinour. “No matter how perfect a system you design, if the user is getting sloppy or doesn’t follow the rules, then they will compromise the safety and security for the entire system.”
On the other hand, the huge amount of power individual users have also creates a huge opportunity for security. “Something like 90 percent of cyber breaches could have been thwarted if users just showed good cyber hygiene,” Mr. Eckman says.
"The biggest threat to any cyberspace system is the people using it."
Dr. Kambiz Ghazinour,
Director of KSU's Advanced Information Security and Privacy Lab
To make sure the Kent State community understands cyber hygiene, for the past five years all new students and their families receive training in basic digital security at face-to-face workshops through Destination Kent State (DKS), the university’s orientation program, says Tom Mahon, who does much of the digital training and outreach. At the workshops, he tells participants that the most important thing users can do is protect their accounts with a good password. And he warns them to be careful of how they manage social media.
Passwords “Use a strong password, don’t share your password, and don’t reuse the same password,” Mr. Mahon says. “Those are the three things. That’s it. If everyone followed those rules, they could reduce their risk online tremendously.”
By now, most of us are familiar with tips for creating strong passwords, using a mix of letters, numbers, and symbols. For the strongest protection, however, experts recommend using a passphrase instead, stringing together several words separated with symbols.
Even better than choosing a common phrase is stringing together a bunch of random words. “The likelihood of random words appearing together in a searchable database is nil,” Mr. Mahon says.
While not sharing one’s password may seem obvious, it is more common than you’d expect. At every DKS training, Mr. Mahon tells the story of “Timmy and Susie” (based on a real example), about a student who shared his password with his girlfriend; after a bad breakup, she used it to reroute direct deposits for his student loan into her bank account.
“When you voluntarily give someone your password, there is a tacit permission to use it,” he says. “Years later, we’ve had students tell us, ‘The thing I remember most from DKS is the story about Timmy and Susie,’ so we know it sticks.”
The most difficult message to get through to people is to use different passwords for different websites. In a world in which the average person regularly uses 200 different websites requiring passwords, remembering unique combinations of letters and numbers can quickly become overwhelming.
Mr. Mahon recommends breaking down websites into groups; for example, social media, online shopping, email and banking—and using different passwords of increasing complexity, so if some sites are compromised, others will remain secure.
“While we can’t remember 50 passwords, we can probably remember five,” he says. But don’t list your passwords on a document labeled “Passwords” that you keep on your computer.
Mr. Eckman also recommends using a password keeper app to assist in remembering passwords; for example, Lastpass or Apple’s password manager, iCloud Keychain, which stores credentials in the user’s iCloud storage.
However, he recommends not including the whole password in those systems—leaving off the last few numbers, for instance, so even if the system is breached, an adversary won’t get all your logins.
Social Media Another mistake people commonly make is oversharing on social media. “You’d be surprised at what adversaries can put together about you from what you say on social media sites,” Mr. Eckman says.
One example Mr. Mahon uses in his trainings is a photo of a high school graduate in cap and gown, standing next to a car with Congratulations, Class of 2005 written on the rear window. The car’s license plate is visible, and on the rear window there’s also a sticker with the name of the high school. A brick house can be seen in the background.
From that bit of information, he is able to show how an adversary can use public records and online family history resources to piece together her address, phone number, parent’s mortgage documents and complete family history—which can be used to answer common password challenge questions such as, “What is your mother’s maiden name?”
Despite the danger, however, many people are woefully lax in their management of social media. Along with a graduate student, Dr. Ghazinour conducted a research study in which he broke students into groups depending on their privacy settings on Facebook.
They found that more than a third of students made most or all of their information open to the public.
“Especially if they are using their phones to post pictures, they take a picture and post it right away, and may not check privacy settings,” he says. “Later they regret it, and it’s too late.”
His advice is not to post anything on social media—private or not—that you don’t feel comfortable sharing publicly. “Even if you share to friends of friends, someone could easily post a photo publicly—and the Internet is forever.”
The challenge posed by social media illustrates just how difficult it is to safeguard our privacy in today’s world. After all, the entire purpose of the Internet is to connect with other people, and often people are putting photos and other information on social media in the first place because they want to share it with others and tally their “likes.”
Even so, says Dr. Ghazinour, people need to consciously weigh their interactions online, pitting the value of sharing a photo on Instagram, or sending health information in an email, with the risk that information could be abused.
“Once you choose to share something online, you lose control over it,” Dr. Ghazinour says. “You need to ask, ‘Is this thing I am sending going to bring consequences, and am I ready for them or not?’”
If not, then that information might be better shared in a phone call with a doctor or a face-to-face meeting with a friend—rather than shooting it into cyberspace.
Just as we wouldn’t leave our doors wide open for thieves to walk into our homes, we need to lock the doors to our virtual identities, as well.
Cyber Safety 12 tips from KSU experts on safeguarding your digital privacy.
- Change passwords regularly on all of your accounts so an old password can’t be used against you.
- Lie when answering password challenge questions, saying your first car was a “blue Honda” instead of a “red Ford.” Better yet, come up with a complete nonsequitur that only you know, like “Kent State Rules!”
- Enable encryption on electronic devices like laptops and phones.
- Use secure erase features when erasing files.
- Protect your computer by enabling the firewall, turn on spam filters, install anti-virus and anti-spyware software.
- Update anti-virus protection regularly, and make sure you are up-to-date on the latest patches; turn on “auto updates” whenever possible.
- Delete personal data securely by overwriting data multiple times before disposing of a computer or phone.
- Read end user license agreements on apps you download—especially free apps. You may be giving away access to the information on your phone without realizing it.
- Check for “https” instead of “http” in the browser address whenever you’re entering personal data on a website, which signifies the site is secure. Also look for a closed lock icon in some browsers.
- Enable private browsing to disable standard tracking and data collection features common to most browsers and ensure that if your computer or phone is lost or stolen, your web history and passwords aren’t stored locally.
- Frequently check your credit ratings or subscribe to a credit monitoring service, so you can quickly catch any signs of identity theft.
- Don’t click links in unsolicited emails. Instead, contact the vendor through some other channel—phone, email or visiting their website to verify their legitimacy.