Are you putting yourself, family, friends & workplace at risk without realizing?
By Molly Gluck
The Threat Landscape
Around seventy percent of Americans use social media to connect with one another, engage with news content, and share information. Further, users typically access social media platforms and consume content on their smartphone, which over 80 percent of Americans report owning. Smartphones are just one of the billions of smart devices that monitor our health, fitness and sleep, secure our homes, tell us the weather and cue up our favorite songs, shows, and movies. However, the convenience of smartphones and the instant connectivity of the internet and social media come at a price. Are there security risks hiding within our favorite applications and devices?
In honor of National Cybersecurity Awareness Month (NCSAM), an annual initiative spearheaded by the Department of Homeland Security to raise awareness about the importance of cybersecurity, we asked Boston University’s privacy and security experts Ari Trachtenberg, Gianluca Stringhini and Ran Canetti to shed light on the top vulnerabilities we need to know about. They covered security and privacy threats consumers and businesses unknowingly expose themselves to, and outlined best-practices for protection in the Q&A below.
Smart Devices and Social Media
How can we protect ourselves in a connected world?
“Smart devices quietly nestle well within our comfort zones and into our most private spaces: bedrooms, bathrooms, doctor’s offices, etc. At the same time, they are filled with all kinds of sensors that allow them to record and permanently store all kinds of information about our most private moments. The best way to protect yourself is to be aware of this, and keep all smart devices away from your most intimate environments. I, for example, keep most smart devices (TVs, speakers, etc.) out of my home; the few I cannot avoid (smartphones), I keep in a designated location that does not have access to my private areas.” — Ari Trachtenberg
How are we putting our personal information at risk when using social media?
“I think that many users don’t realize that they are not only putting their own information at risk when they’re using social media, but also the information of their friends and acquaintances. For example, when you put up a picture of you with a friend at a location, you are sharing with the social media company (and, quite possibly, all of their third party affiliates) your connection to the location — and your friend’s connection to the location — whether or not your friend wants ad agencies to know this.
The same thing goes for messages you leave on your friends’ social media accounts, or, potentially, even ‘private messages’ that you send to them through social platforms. In short, when you are using a ‘free’ service online, always ask yourself — how is this service making the money to pay its engineers and maintain their hardware? Often the answer is that they’re selling information about you and your friends.” — Ari Trachtenberg
“We provide online service, app and content providers with detailed information about our whereabouts, our thoughts, our feelings, our moods and our life patterns. Our every move is recorded, and aggregated with the moves of others. These content, social platform, and app providers sell this data to third parties who can weaponize it against us — catching us at our weak moments and manipulating our thoughts and behavior.” — Ran Canetti
What are the consequences of this behavior?
“I think that the top security threat today is not directly from overtly malicious actors, but rather from the huge amount of information that is accumulated about each and every one of us through all the devices that we use regularly. This information, inevitably, leaks to actors with very different interests than us (including malicious actors), and it can be harnessed very effectively to cause damage.” — Ari Trachtenberg
What can we do to avoid this risk, while still being active on social media?
“We can opt out of providing our information to content, app, and social media providers. This cuts them off from the ability to leverage our data, and share with advertisers and other third parties. This might cost a small price, but it’s more than worth it.” — Ran Canetti
What is the top security threat you anticipate employees will face on the horizon? What are the repercussions for both the employee and the businesses they work for?
“Ransomware is currently the golden standard of cybercrime. Unlike other cybercrime schemes like fraud and spam, the criminals are not trying to convince their victims to purchase some sketchy good, but instead offer to give them access to their data back in exchange for money.
Unfortunately, often victims have no choice but to pay their extorters. This significantly increases the return on investment for cybercriminals, and has serious repercussions for both private citizens and companies, who are constantly being targeted.” — Gianluca Stringhini
“There are many truly frightening ways malicious actors can exploit our digital trails in the workplace. For businesses, a serious example is CEO fraud, wherein criminals imitate the email or phone call of a CEO/CFO in requesting large transfers of money, or possibly the business’s network and data.
Both of these are exacerbated by the emergence of ‘deep fakes,’ wherein machine learning techniques are used to craft messages that look or sound identical to the person being scammed (i.e., from a few samples of a CEO’s speech, it is sometimes possible to realistically craft different speech, that the CEO has not stated, in the CEO’s voice).” — Ari Trachtenberg
Is there an easy fix for this security risk that employees and businesses should adopt?
“To mitigate the risk of being hit by ransomware, users should constantly keep backups of their data. This can be automated, for example scheduled to happen once a week.” — Gianluca Stringhini
“It is very hard for an individual to protect themselves from CEO fraud and deep fake vulnerabilities, much like it is hard for an unarmed civilian to successfully defend against an armed criminal. Individuals should always be skeptical about any unsolicited information that they are given, and companies should have established, secure mechanisms for making significant transfers. They should also put in place pre-specified protocols for dealing with and responding to security emergencies.” — Ari Trachtenberg
Best-Practices for Protection
What is the most overlooked security feature?
“Enabling two-factor authentication can help people keep their online accounts safe. With two-factor authentication enabled, it is not enough for an attacker to know an account’s password to log into it, but they also need to get a hold of a second token, which is usually sent to the user’s mobile phone. This significantly raises the bar for attackers to successfully compromise online attacks, and protects users from the consequences of large data breaches and phishing attacks.” — Gianluca Stringhini
What is the most important “cyber hygiene” routine everyone needs to adopt (that is easy to keep up with) to achieve better security?
“Once a weakness is discovered in a program, the developer usually fixes it rather quickly. Keeping your software constantly updated drastically reduces the chances of getting compromised. Most programs nowadays provide automated updates, which is a great way for people to stay secure while at the same time not having to remember to constantly update their computers.” — Gianluca Stringhini
“Actually, it is what we teach our engineering students throughout their study — understand the basis for the information that you are receiving, and be skeptical of any claims that are not substantiated in a manner that you can reproduce.” — Ari Trachtenberg
For additional commentary by Boston University experts, follow us on Twitter at @BUexperts. You can follow Boston University College of Engineering at @BUCollegeofENG, Boston University Department of Computer Science at @BUCompSci and Boston University Hariri Institute for Computing at @BU_Computing on Twitter.
Over 1,000 Boston University students were forced to change their account passwords after BU servers were flooded with spam emails from student accounts in late September, university officials said. The spam is believed to be a result of a 2018 breach of the educational site Chegg.
Eric Jacobsen, executive director of Information Security at BU, wrote in an email that student accounts that displayed spam activity were temporarily disabled and the students were forced to change their passwords as a means of resecuring their accounts.
“In terms of the breach itself, Boston University cannot know which passwords have been reused with which sites,” Jacobsen wrote. “We became aware of the scope of this problem on September 20th when our email servers were inundated with unsolicited bulk email, often called ‘spam,’ from approximately 1,100 accounts.”
Jacobsen said his team used the “Have I Been Pwned” database, an online resource that helps determine whether or not an email has been part of any data breaches, to determine whether the student accounts had any security issues.
While they cannot pinpoint exactly which accounts received spam, the Information Security team spoke with other institutions and concluded that the Chegg breach was the main source of the spam, Jacobsen wrote.
On Sept. 19, 2018, Chegg announced a security breach that had occurred on April 29, 2018. It notified its users that an unauthorized party accessed a company database that holds not only data belonging to Chegg users but also users of affiliated companies, such as EasyBib. As a result, 40 million users had to go through a password-reset process.
In an 8-K disclosure report to the U.S. Securities and Exchange Commission, Chegg stated that the users’ names, email addresses, shipping addresses, usernames and passwords were accessed by the unauthorized third party. While the investigation into this ordeal is still ongoing, at this time there is no evidence that any user’s Social Security number or financial information was accessed.
Chegg is not officially associated with BU, but it is a service many students turn to for resources such as online textbooks and answers to homework. While the hack occurred last year, the effect on BU students was only recently discovered thanks to the September spam emails.
Sandya Ganesan, a senior in the Sargent College of Health and Rehabilitation Sciences, was one of the students who had to re-secure her account. She said this process entailed seeing IT services to change her password, which Ganesan did after noticing that her Blackboard, Student Link and BU wifi were not functioning.
“I deleted my Chegg account early fall of 2018, and I don’t plan on going back at all,” Ganesan said.
Ganesan and the other students who had to re-secure their accounts were sent emails with steps to take to make sure their email was set up normally and to rule out any malfunction. Ganesan said she plans to keep her information safe with these tips and other steps.
Ryan Nie, a freshman in the College of Arts and Sciences, said he will keep using the online resource despite the incident.
“If Chegg still gives me homework answers and homework help, I think I’ll still use the website,” Nie said. “I believe you don’t need to have an account to view the answers. So personally, it doesn’t really affect me, but I think even for those that are affected, they will still continue to use it if they need homework help.”
Caroline Richardson, a junior in the College of Communication, said she uses Chegg and said this incident will only make her more careful with her online security.
“After I heard about this, I realized my password for Chegg was the exact same as my school passwords, so I had to change everything,” Richardson said. “I was just more careful. I mean, I just haven’t used as much this year, I really don’t need it with the classes I’m taking right now. But definitely, I’m going to be careful in the future.”
Even if students continue to use Chegg, Jacobsen urges them to be careful with the passwords they choose and to be wary of reusing passwords on multiple platforms.
“Everywhere the individual uses the same password has it protected by the company with the weakest security,” Jacobsen wrote. “The more places you use it, the more likely it is that it will be compromised, and if it becomes compromised you are giving away access to your email, your student records, and potentially health and financial information.”
Jacobsen wrote he wants students to recognize the importance of keeping their BU password exclusive to their BU account. He also said that if students used their BU email to confirm or reset passwords at other organizations, such as banks, those accounts are at risk of being compromised as well.
BU Spokesperson Colin Riley said this incident serves as a reminder to be careful with passwords.
“The important thing about this is the benefit of not using a password from BU with other institutions, because it reduces the security of the password,” Riley said.
Brennan Zhou, a senior in the College of Communication, said that he doesn’t think hacking comes as a surprise to many students.
“It’s pretty common nowadays for data breaches and hacks to happen,” Zhou said. “And that’s not surprising a company that students use is being hacked, because it’s usually credit card companies and stuff like that, so I think the student demographic hasn’t really been tapped.”
Riley said students should take actions to protect themselves from data breaches.
“Breaches are a common and an unfortunate occurrence,” Riley said. “And there are things that users should be doing as frequently as possible, like not reusing old passwords and not clicking on spam emails, to keep themselves safe.”
Some suggestions from BU’s director of information security and free shredding scheduled this week
October is National Cybersecurity Awareness Month (NCSAM), a collaborative effort of the US government and the cybersecurity industry to promote awareness about the resources individuals need to be safer and more secure online. The message of this year’s campaign is focused on citizen privacy, e-commerce security, and consumer devices: “Own IT. Secure IT. Protect IT.”
Not a week goes by without some new headline about a massive cybersecurity attack or data breach, whether it’s a health services corporation, a collection agency, or a retail operation. And with growing privacy issues surrounding social media sites like Facebook and the increasing ransomware attacks that have hit communities nationwide, it’s hard to know what you can do to protect yourself online.
The purpose of NCSAM is to point out the dangers of these attacks and breaches and the steps to take to safeguard your information. Along those lines, BU Information Security & Technology is partnering with sustainability@BU to host a series of Fall Shred events on both the Charles River and the Medical Campus this week: Tuesday, October 8, in the Kenmore lot (549 Comm Ave), Wednesday, October 9, in the parking lot behind Agganis Arena, and Thursday, October 10, in front of the Talbot Building, 715 Albany St., on the Medical Campus. Students, faculty, and staff are encouraged to bring their old hard drives, notebooks, and personal documents for shredding.
We sat down with Eric Jacobsen (CAS’93, MET’03), BU’s director of information security, to talk about steps the University has taken to protect the online presence of students, faculty, and staff and to ask for some tips on what you should—and shouldn’t—do to ensure your cybersecurity.
WITH ERIC JACOBSEN
BU Today: What measures has IS&T taken to protect BU, and is there anything in the works to increase that protection?
Jacobsen: Information Security does a bunch of things to protect the community at all times. Our overall mission is to help the University protect the sensitive data that it has in its care, and to help the community understand what the cyber risks are and what they have to do in response to those things.
We have a cybersecurity operations component that provides a variety of services, such as supporting compliance assessments for the administration, supporting Research and their compliance requirements, helping design and implement secure services. Most of those don’t get seen by the community, and there are some that are really invisible, like the work we do with network firewalls, scanning for vulnerabilities, monitoring for bad things that happen on our network.
The biggest, most outward-facing service I have in my care is Identity & Access Management, which controls how you get access to everything here on campus from the moment you authenticate to one of our services with a password: to courseware, Student Link, whatever information you need to access at the University. That’s our most visible piece that people touch, but they don’t spend a lot of time thinking about it until something goes wrong, and then it’s high visibility and we do a lot of work to fix those kinds of things.
Finally, the third piece we have is a cyber incident response capability. If something does go wrong, that’s the team that will jump in and find out what happened, find out if there was a breach, and handle the response to that.
Is the issue of cybersecurity becoming more urgent?
It is certainly much more in the public eye than it used to be. The amount of data that we’re putting into our networks and into services that we give to Facebook and other institutions has made this a more important issue to people. There’s a lot of attention to data privacy, what companies know about us and what they share with other people, and how they are using that data. Having good data privacy requires you to have good data security first. So that’s driving a lot of what happens with my industry.
What are the most common mistakes people make that end up putting them in danger online?
From the University’s perspective, our single biggest problem is user account compromise—people responding to phishing messages. Phishing is when somebody sends you an email and tries to convince you to send them personal information, your password, or both. They use a series of standard tricks for doing that: pretending to be somebody that they’re not, trying to convince you that this is urgent, that you need to respond to this today or your account will be disabled, or that something bad will happen to you. The impact of that urgency is that it overrides our common sense. We think, oh my gosh, I can’t think about this, I just have to respond to this message or I’ll lose something that’s important to me. There are a lot of telephone scams that are doing this now—phishing is the email version of this. The difference in phishing is that it’s virtually free for the attacker. And it succeeds.
When I think about, is there one thing people can do—it’s to be vigilant when they look at their email, when they get these emails that say, “You must do this right now.” Think about whether or not that’s really true. Do you know who sent you the message, were you expecting the message in some way, does it make sense? And then, does the urgency make sense? Anything that asks for your password is a hoax. You need your password—we don’t need it.
What steps should someone take if they believe they’ve been hacked, and how can the University help?
They can reach out to our IT Help Center, and we will help walk them through what to do. The process looks a little different if you’re a student or a faculty or staff member, but the Help Center can be that first point of contact. They come in through our incident response team, and we will help triage the situation. If it’s a case of phishing, they just need to change their password, and they need to change it immediately. But any sort of security concerns someone has, they can bring directly to my team through BU InfoSec or the Help Center and we’ll work with them toward whatever the appropriate resolution is.
What do you think is the biggest misperception people have about cybersecurity?
We all like to feel secure in our lives, and so we assume we have a lot more [security] than we do. Social media is built on the idea of sharing, and we share a lot of information very readily to a very large audience. And that is great—Facebook is a wonderful tool for my family to help keep track of what’s going on in my life. But I think very carefully about the information that I share there. We need to figure out how we as a society want to use these technologies, what we should be sharing and with whom. That Facebook post I write and put up on my page is visible to me and my friends, but it’s also visible to Facebook corporate. And they can do whatever they want with that information. That’s the data privacy challenge that the world is starting to wrangle with.
How does the University stay abreast of such a rapidly changing landscape, with security threats coming from so many different directions?
It is certainly a challenge to keep up with the fast rate of change in technology, the fast rate of security threats within that technology space. And it is something that BU and all institutions are struggling to keep up with. The answer is to build systems and processes that are nimble enough to keep up with that change. The IT industry historically has been about long, slow deployment of services. We need to work to make that happen a little more quickly, and to keep up with the times. We just need to become more nimble.
What are BU and IS&T doing to help promote awareness for cybersecurity during National Cybersecurity Awareness Month?
We’re implementing NCSAM here on campus in several ways. We’re going to send a weekly email throughout October covering a bunch of security topics, things like passwords, phishing, device security, travel security, online privacy. We’ll put up new website content, update our Facebook and Twitter feed. We’re doing paper shreddings this week, which are particularly popular with the offices that collect a lot of paper records, but students are welcome to use the service as well. If they’ve got notebooks they want to shred, old personal information such as bank records, whatever they’ve got, they can bring it for shredding.
IS&T’s 2019 Fall Shred events are being held this week on both the Charles River and the Medical Campus: Tuesday, October 8, at the Kenmore lot (549 Comm Ave), Wednesday, October 9, at the parking lot behind Agganis Arena (925 Comm Ave), and Thursday, October 10, in front of the Talbot Building, 715 Albany St., on the Medical Campus. All are from 10 am to 1 pm.
IS&T will also host a presentation titled Foreign Influence and the Media on Wednesday, November 6, from 3:30 to 5 pm, with special guest Kristopher Grahame, a longtime FBI Intelligence analyst; location TBA.