Local cybersecurity concerns grow along with attacks

Hacking. Phishing. Identity theft. They’re household words in this digital age. If it seems like you’re hearing about them more often, you probably are.

“It’s going to get even worse before it gets better. We ain’t seen nothing yet,” says Sri Sridharan, Managing Director of the Florida Center for Cybersecurity housed at the University of South Florida, or FC2. “Right now we are in a very defensive posture. We are very reactive to cyber attacks. We need to be proactive, making sure the attacks don’t happen.”

The solution is new technologies, he says. “We’re trying to encourage people to work on different aspects of cybersecurity,” he explains.

FBI Special Agent A.J. Gilman agrees the problem “probably is getting a little bit worse. It’s also in the mainstream media more.”

One of the newer scams involves ransomware, which had all hands on deck at Reliaquest in Tampa during May in response to the WannaCry attack.

Ransomware is a computer virus that essentially locks your computer unless you pay a ransom. “We can’t help anybody recover their files. If you don’t have a good backup of your files, the only way to really recover those files — and we don’t really advocate this — may be to pay the ransom,” Gilman says.

Florida ranked third in the nation in 2016 for the number of Internet crime victims, according to the FBI’s 2016 Crime Report. Florida had 21,068 victims, behind California with 39,547 and Texas with 21,441. It also ranked third in dollar loss, with $88.8 million, behind California’s $255.2 million and New York’s $106.2 million.

Nearly 1.4 billion data records were compromised worldwide in 2016, according to Gemalto, a global digital security leader. Some 59 percent involved identity theft. The technology sector was hit hard, accounting for 28 percent of compromised records in 2016.

Symantec, which tracks cybersecurity threats through a global network, reports 2016 was problematic. “Cyber attackers revealed new levels of ambition in 2016, a year marked by extraordinary attacks, including multi-million dollar virtual bank heists, overt attempts to disrupt the U.S. electoral process by state-sponsored groups, and some of the biggest distributed denial of service (DDoS) attacks on record powered by a botnet of Internet of Things (IoT) devices,” it states in its April, 2017, International Security Threat Report.

Some cyber crime goes unreported. Victims may not know where to report a crime. They may think it’s too insignificant to report. Or they may be concerned about repercussions if personal data has been hacked.

J.R. Sepulveda, a Master Detective in the Hillsborough County Sheriff’s Office’s Economic Crime Section, advises victims to report crimes and let law enforcement personnel decide if they are worth investigating. Victims can report crimes to their local Sheriff’s Office, the FBI’s Internet Crime Complaint Center or the Federal Trade Commission.

The importance of security

No doubt, hacking or breaking into an account or website is a problem. But savvy crooks find ways to gather private data without it. There’s no need to hack into the system if people will supply their password when asked, points out Bryan Graf, Principal at Cloudbase Security LLC of Tampa. Employees need to be trained so they will be aware of what to do, and what not to do.

“Security is vital,” says Graf, who likens the Internet to a pile of unprotected gold in a parking lot.

Old technology, like a digital camera still connected to our systems, can be used by hackers, he says.

The most vulnerable are those who don’t know to protect themselves.

“They’re most vulnerable because they don’t realize the dangers of not having cybersecurity measures in place,” asserts John Fay, Director of Corporate Development for Tampa’s Abacode.

The Tampa Bay Lightning recognizes that, and agreed to partner with Abacode earlier this year to guard the sports organization from cyber attacks and to help raise awareness about the need for cybersecurity.

“If we don’t stop the bad guys, a lot of dominoes fall, and a lot of bad things happen,” says Fay. “It’s a bigger deal than most people think.”

MacDill Air Force Base has an impact on Tampa locals.

“There is an impact to you because you are so closely located to MacDill. You are a target of the cyber war,” he says. “As we partner with these folks and educate the community, we’re looking around, noticing we’re the only company doing that.”

He warns that data stored in the cloud, a network of remote servers, isn’t necessarily safe.

“The data inside, it is your responsibility,” he says.

Making wise choices

Sometimes we make ourselves vulnerable through our choices. Online classifieds are a good example. While online classifieds are an easy way to find an apartment or a job, anyone can copy and paste an ad — and you may not be dealing with a real landlord or honest employer.

“Check it out before you spend money,” warns Sepulveda, who investigates fraud online and off.

Be wary of so-called landlords who are too busy to meet with you, and instead send you a key or have an associate show you the apartment. He or she may have changed the apartment’s locks, and may plan to bilk you before the real owner returns.

Sepulveda recommends using a reputable real estate agent instead. “There’s no way to know who’s uploading this information,” he says.

Work-at-home ads may be an attempt to shield thieves, who pay you with gift cards to ship goods purchased with stolen credit cards overseas.

“You have to be wary if they are asking you to receive money or to receive packages,” he explains. “All you’re doing is receiving stolen merchandise.”

These, and other scams like them, may offer a “new twist” on an old scam, says Sepulveda, who investigates various types of identity theft, financial exploitation and all types of scams.

The criminals copy and paste logos and send you an email alerting you that your power will be turned off unless you give them a gift card, or that your driver’s license will be suspended unless you pay a fine with a gift card.

Criminals usually prey on emotions, perhaps greed, fear or a desire for romance. They may tell you a sob story. They like to ask victims to wire them money or send a gift card they can redeem for cash, or use to purchase merchandise. They also may offer you more money than you are asking in exchange for a favor. Sometimes, they convince individuals or a company’s employees to unwittingly give them access.

Keeping safe through cyber hygiene

Keeping safe in an increasingly digital world involves some basic cyber hygiene, according to Sridharan. He recommends using long and complex passwords, “not stupid passwords” like 123456 or a pet’s name.

Every login should be different.

“Make sure if Windows or Adobe sends you an update or patch, apply the patch,” he says. “Apply it as soon as possible so that your system is kept up to date.”

Avoid sharing too much information on social media, like when you’ll be on vacation. When that tidbit is paired with your address, it’s a recipe for a break-in.

And download only from legitimate sources like Apple or Google Play. Viruses can be spread through downloads, or even through infected, free thumb drives.

Gilman advises computer users to avoid using their machine’s admin account for routine tasks like downloading software. Instead, they should rely on a user account for that.

“If you inadvertently download some malware, if your account is an administrative account, the malware, … that malicious computer program, is now running with the privileges of your [admin] account,” he explains.

Here are more tips

• A cloud system is a system that is not yours, Graf says. Using public cloud systems to store data is “potentially less secure,” he advises. “Anytime you’re granting more access to more people, you’re inherently making it less secure.”

A company needs to do whatever it can to protect its data, and the data of others under its control, he says.

• Links in emails can take recipients to websites set up by criminals to obtain sensitive information, Sepulveda points out. It may appear to be a bank or other company you’re doing business with. “Be careful with links,” he says. “Account takeovers prey upon the fact that you are going to click on a link.”

Encryption ordinarily makes it “almost impossible” to break into your account, he says. Usually victims clicked on a link or provided information to the criminals.

• “Be very careful conducting business on the internet using public wifi,” Sepulveda says. “You are basically showing the entire world everything you are doing online.”

Sometimes wifi service is set up by the criminals to lure the unsuspecting. It’s given the name of a hotel or other legitimate business to sound legitimate. Using the Internet at home is safer because it usually is protected, Sepulveda says.

• Businesses should stick with established merchant services practices. “If you deviate from the rules and something happens, you are not protected,” Sepulveda says.

• When it comes to identity fraud, Sepulveda’s advice is “monitor, monitor, monitor.” Bank accounts should be checked daily, if possible.

• Expect to be attacked and keep logs, Gilman advises. “Somebody’s got to be looking at those logs. Many companies will never know that they’ve been attacked,” he says. “The FBI is often the one to inform companies that they have a problem.”

He advises people to “minimize the amount of time a bad guy is on your network.”

Individual bloggers or small e-commerce website owners may think criminals have no interest in them, but that’s not the case. Even low-traffic, personal blogs and websites can be prey to cyber criminals. Once hackers break into your web account, they can upload files that redirect traffic to websites they are using to defraud others. Or they can break into a WordPress account through the login, and gain use of your web domain for their own purposes.

“Website defacements were pretty big 18+ years ago. Those still happen,” Gilman says.

Because of the low dollar loss, the FBI usually doesn’t investigate, he says.

Cybersecurity a big business concern

Stakes are much higher for big businesses. Because a company’s data is its life, cybersecurity is an important topic in corporate boardrooms.

“Businesses are being encouraged to pick up cyber insurance to protect themselves,” Sridharan says. “If the data is hacked they could go out of business.”

Startups are prime targets because they generally aren’t concerned about security, according to Graf, who spoke about the topic at 2017 Tampa Bay Startup Week. They may put off buying security until they start making money.

While people usually envision hackers in a big room, a common problem is phishing. Most small organizations are going to be phished through emails seeking sensitive information, he says.

“The cyber attacks that are going on are only increasing, and will only continue to increase,” says Pete Slade, President and CTO of Nitro Solutions. “Nobody is immune from an attack.”

A brighter future

The good news is that people like Slade are hard at work to resolve problems. At Nitro Solutions, they’re approaching attacks much like disease in the human body. The Tampa company has developed an appliance, the NitroDefender™, which mechanizes monitoring through an artificial intelligence system. The system learns what is normal and what is not, sending out alerts and allowing users to investigate an attack from an online interface. It’s currently a pilot project, but is slated for the marketplace by the end of the year.

At USF, they also have taken up the challenge. Jay Ligatti, Ph.D., an Associate Professor, and Dmitry Goldgof, a Professor, both at USF’s College of Engineering, Department of Computer Science and Engineering, along with students Jean-Baptiste Subils and Cagri Cetin, have developed a way of beefing up security through co-authentication. It involves identifying yourself with at least two devices when logging into websites.

“One of the great things about it is that it is simple,” Ligatti explains. “Multiple devices collaborate to authenticate you.”

If a thief steals your computer, he wouldn’t be able to gain access to your account without obtaining that second device registered to the account. “The server knows, the bank knows who you are based on your device.”

Those devices can be a cellphone and a laptop, Fitbit, smart watch, or even a smart appliance like a refrigerator. The invention already has been licensed non-exclusively by a Gainesville company, Stonevault.

The end result is increasing security while avoiding those pesky passwords, or the aggravation of having fingerprints scanned.

“We authenticate many times a day. It’s kind of tedious,” Ligatti says. “The goal is to have a new … product, a new authenticating system for securing, getting access to things. Without having to go through the hurdles we have to go through now.”

