There will be 200 billion connected devices to the internet by 2020, according to Caesar Cerrudo in a Jan. 17, 2017, article in Forbes. As more of these devices find their ways into more aspects of daily life, a disruption to these devices and services by virus attacks and hackers becomes increasingly common.
“If I did not like somebody, I could hack into it (smart fridge) and order me you know, a couple thousand dollars’ worth of groceries and bill it to their credit card,” said Travis Sheaffer, instructor at the University, currently teaching classes on computer science and internet security.
Sheaffer said computer security is not at the forefront of many people’s minds, and it needs to be taken more seriously. He attributed it to the number of internet-connected devices in people’s homes, as well as their increased variety. Updating and ensuring they have the latest security installed is a challenge.
“The companies are going to have to put out more education on how the updates are available,” Sheaffer said.
Sheaffer gave an example of a 2016 security breach where a Henry County employee opened an email that contained a virus. It spread throughout their network due to a lack of security measures to prevent a virus from spreading. The measure to protect their network was network segmentation, which kept an infected network from moving to another.
He said this virus spread through the county’s computer systems and got into the network for the Board of Elections. The virus began creating additional vulnerabilities in their computers.
The virus was contained, but the county had to send out letters to every registered voter in the county. They also included free credit monitoring for a year to prevent fraud from potentially hitting registered voters who were on the affected systems.
However, the damage was not limited to the Henry County Board of Elections. The virus found its way to the county engineer’s office, and it wiped out all the data they had stored on their machines. It took two days of downtime to recover data from a backup.
“I mean, you are talking about how much did the LifeLock subscription for the 29,000 people in the county cost? How much did it cost to get these machines repaired, whether they outsourced it or did it internally, it still took time, which equals to money. How will they prevent those in the future? Those are real expenses that you are having, and this is just one example,” said Sheaffer.
Another example of irregularities due to loose cyber security are the elections in Florida, he said, pointing out there were reports of votes coming in greater numbers, than the registered number of voters in the specific county.
“How does that happen? Was there someone hacking into the system to do that? Or is it someone on the inside who’s taking and fooling around with these numbers? That will be something that worries me,” he said.
It is not only laptops and servers that are vulnerable to hackers, according to Sheaffer. The nation’s electric grid can be accessed from the outside. A hacker can gain control of a major facility and induce a blackout. He recalled a major blackout which affected parts of the United States and Canada. Sheaffer said the monetary damage which can come out from an intentional power failure can major implications.
“If you had Wall St. shut down for a day because they do not have any electricity, or if the government not be able to operate. The internet was made for the military, if they can not communicate with their own troops if you are in a wartime, what do you do?” Sheaffer said.
Matthew Haschak, director BGSU IT security and infrastructure since 2007, said hackers rely on social engineering people to get their attention to become vulnerable to hacking. One method employed is marking a message as urgent, the recipient in their rush thinking it is important, click on any links which are in the email, then leads them instead to a virus. This allows people’s mistakes to grant access to systems instead of working to beat the built-in defenses of a network.
“The Human nature is that people want to please people, they want to respond if something gets marked as urgent, people get worried and want to respond back. By far, the bad guys figured out it is far easier to socially engineer somebody that has access to something, than to beat technical controls of the experts,” Haschak said.
He said many people keep their internet connected devices not up to date with the latest security updates as one of the main reasons hackers choose to hack these devices, their favorite ones are webcams and other simple devices connect to a network, internet connected DVRs and TVs for example. These devices were used as a point of attack against DYN servers in 2016, a service which connects users to the websites according to the address they enter.
“There was a major attack, against the DYN servers, and the attack occurred came from IOT (internet of things) connected devices, and the vast majority of those IOT devices were webcams and web connected DVRs,” he said. The reason why these were all used, was because hackers scanned the internet for these devices which many are configured in a basic or known username and password.
The University’s two-factor authentication system, was first introduced in June of 2016. According to Haschak, there were plans in rolling out additional internet security measures at the University. However, between 2014 and 2015 there was what Haschak described as a “catalyst” for the implementation of two-factor login system.
According to Haschak, people fell victim to phishing emails, these emails offer links to users which allows the installation of malicious software. After obtaining usernames and passwords of both students and faculty, financial aid information was changed to send the funds to an account not belonging to the students. This also happened to three faculty members at the University, who saw their salaries diverted from their checking accounts towards the hacker instead, something Haschak called as the final straw.
“Fortunately, on the financial aid front, a lot of students fall for it, but we were able to catch it really fast. As a result, the University and the students did not lose any money. We were not as lucky with the payroll,” Haschak said.
Part of making the University internet secure, according to Haschak, is a third authentication option for a limited number of people in sensitive positions at the University. Besides a password for a username, and the two -factor authentication, the third is a small device called a security token or key fob.
Every time he or anyone in a position has access to key data or financials attempt to log in, they are prompted to use this security token. It works much like a USB device does and is about the same size, it fits into the device he is logging into and presses his thumb into it to verify his fingerprint.
“There are three factors of authentication, there is something you know, something you have, and something you are,” Haschak said. The first is a pin number or password to log in, the second is a device a person may have on them, a smartphone for example. Lastly, something you are is a person’s fingerprint to verify who they are when logging into a service.
Some students at the University feel secure with their cyber security like Jacob Brock Morehouse, junior sport management major. He felt internet security is well managed, attributing the sense of security to the two-factor authentication which he uses to access his BGSU account. He still thinks about internet security, taking the necessary steps by using different passwords for almost all his login information, and changing them regularly.
“I personally have not been a victim of hacking or any other fraud. My father had his credit card hacked on multiple occasions from different restaurants, but that is the extent of any type of hacking. Other than that, I do not know of anybody who has been the victim of internet hacking or something similar.” Morehouse said.
According to Daniel J. Limes, president of limes computing, a computer sales and service business in Perrysburg, Ohio, one third of his repairs come from malware, hacking attempts. The financial setback will cost between $69 to $180, depending on the degree of damage inflicted.
At Inspect UR Gadget in Bowling Green, McLain Walker, lead technician, said repair costs for virus removal varies between $75 to 125. Infected computers make for an amount of business for Walker, as he estimates it makes up about 20% of the machines they work on.
“Not being careful from where you download stuff from,” said Walker, was the number one reason his customers get their machines infected with viruses and malware.
Limes attributes most cases of infection to mistakes, clicking links which ask to be clicked he said, was the most common way he has seen viruses and adware get onto computers.
“I preach common sense, no one is ever going to call you, read what you are installing and clicking on,” he said.