Just as National Cybersecurity Awareness Month prepared to enter its last week, the internet on the East Coast was sent reeling by a three-part distributed denial of service attack — commonly known as a DDoS — against a service provider that temporarily blocked access to website-based companies including Twitter, PayPal, Netflix, Airbnb and Reddit.
Aside from the short-term inconvenience of being unable to access one of the companies affected, what does such an attack have to do with Birmingham residents? Plenty, said experts including scientists and federal law enforcers.
“Cybercrime is inherently a local story,” said said Joyce White Vance, the U.S. Attorney for the Northern District of Alabama. “It impacts our national security in multiple ways, whether that’s nation-state actors who are spying against us using cyber or whether it’s criminal actors who threaten our economic viability. So it’s a national security issue across the board. At the same time, where the crime occurs is local.”
How could it affect you? Consider this: if you own a so-called “internet of things” (IoT) device — a thermostat, a webcam, a baby monitor, a printer, etc. — you own equipment that connects directly to the internet and to your other devices. Such devices, which have notoriously weak security measures, are believed to have been used by hackers to send millions of requests to a company called Dyn, a domain name service provider. Dyn, which could not respond to all the requests, was prevented from functioning in its usual way — as a “switchboard” which connects people to other internet companies.
Effectively, the DDoS attack on Dyn, using networked devices that unsuspecting, ordinary people have in their homes, is what caused the massive internet outage that started on the East Coast before spreading elsewhere on Friday.
But even if you don’t have IoT, cybersecurity issues still affect you. Increasingly, almost every crime, from drug trafficking to child pornography, from bank robbery to identity theft, from confidence games to stalking, from money laundering to terrorism, has a cyber element to it. “I often view cybercrime as a way of committing all of the traditional crime that we’re used to combatting,” Vance said. “Cyber is a vector that lets you commit criminal conduct but it removes your need for proximity.”
Although it’s rare in the Northern District of Alabama to hear of cases in which, as pop culture might lead one to expect, federal agents have rounded up clubs of suburban teen hackers, that doesn’t mean cybersecurity is not important. Cybercriminals regularly target people in this community through, for example, various kinds of fraud, con games and identity theft.
Vance, who serves on a cyber subcommittee of the U.S. Department of Justice, offered another example. “It used to be that when we did a drug case, we seized written drug ledgers,” she said. “And at trial you would have an expert who would testify and discuss what all the markings in that drug journal meant and how they proved that the person who had that paper journal was a drug dealer. Now it’s all online, and drug dealers are laundering their proceeds using bitcoin and the dark web.”
She pointed out that a significant amount of cybercrime involves stealing, moving and hiding money electronically. “To rob a bank you used to have to go the bank and rob it and it was pretty easy to figure out who you are,” Vance noted. “Now you can be in a remote country. You can rob a bank and because your proximity to the bank isn’t required, it can be more difficult to figure out who you are.”
Given the way Vance characterizes the cybercrime threat, it might not be surprising that the Obama administration has made cybersecurity a priority. A fact sheet on the Cybersecurity National Action Plan released in February called for sweeping upgrades in the resources, procedures and infrastructure of the nation’s cyberdefense. The administration called for $19 billion to be allocated to cybersecurity in the 2017 budget.
In Birmingham, one result of the administration’s focus on cybersecurity, is that Vance’s office has added staff. Earlier this month, she brought in an attorney whose entire focus will be on cyber issues. “He will join four to five additional lawyers who have heavy experience in cyber,” Vance said. “ I have detailed two of my lawyers up to Washington a couple of years ago to get experience in cyber. And then I took a some our newest [assistant U.S. Attorneys] up to D.C. just for a short introduction to all of the cyber capabilities.”
While most people are not computer experts, understanding the basics of of cybersecurity may be easier if you think about how the crime can touch the lives of ordinary people.
How Hacking Happens
One well-known example of cybercrime that reached across geographic and demographic boundaries involved the 2013 hack of super retailer Target, which compromised the accounts of up to 110 million customers. The data breach ended up costing Target, according to some accounts, nearly $50 million in legal settlements.
But besides demonstrating the ability of cybercriminals to reach from one place to another, the Target case also illustrates why everyone needs to take precautions against tech-based intruders. That breach, Vance said, happened because Target had an HVAC subcontractor which had access to the retailer’s systems, but which did not have strong defenses against hackers.
The criminals who gained access to the Target customer accounts sold that data in packets of one million customers each on the dark web, Vance said. “That’s I.D. theft at a very macro level,” she said.
It’s not uncommon for regular email users to be contacted by hackers or the viruses, phishing programs or other tools they use. The antispam, antivirus or malware programs on most computers catch many efforts by computer intruders and dispose of them easily.
But what you do when an attack gets through your defenses can make a difference. Vance said that one problem involved in cybercrime is that victims don’t always report what happened to authorities. If a hacker gains access to a computer system, most victims try to block access to make the system secure. Banks or other targeted institutions do the same thing. But often the victim, freed from the intruder, doesn’t report the crime, which leaves the criminal to continue looking for or exploiting other victims, she said.
On the other hand, if the crime is reported, authorities can start working on attributing the crime to a particular hacker. The more similar crimes are reported, the more investigators are able to spot patterns, “figure out who the bad guys are and how to take them out,” Vance said.
Victims can report the crime to any federal law enforcement agency and the complaint will wind up in the hands of the appropriate investigators, Vance said.
Cybercriminals, like other criminals, often target the elderly. There is an ongoing scam in this community even now, Vance said.
“Typically, an elderly person gets a phone call saying, ‘You haven’t reported for jury duty and I’m going to send a car to pick you up, or you’re going to be arrested.’ And then the callback is, ‘Well, I’m not going to come and get you, but you need to send me money.’ And often that’s over the internet,” she said. “People need to know that that’s not a legitimate phone call, that they should never follow up with it.”
The U.S. Attorney’s office and other local law enforcement agencies have been known to actually reach out to potential victims — when they are aware of it — to warn them off behavior like sending money to scammers with hard luck stories, Vance said.
“It’s important for people to know that law enforcement is there to help them, particularly with these elderly fraud cases and that we’re willing to talk to potential victims to prevent them from being victimized.”
Other cybersecurity assets
Besides the U.S. Attorney, other federal agencies including the FBI, the Secret Service, and intelligence organizations like the National Security Agency, there are a number of experts working in the cybersecurity field directing their efforts toward hardening the nation’s defenses.
UAB, for example, recently hosted Cyber Security 2020, a conference which featured Vance among the speakers. The conference, aimed at discussing the most recent cybersecurity issues, “was attended by business leaders, academics, policy makers, attorneys, chief information security officers and others interested in the area,” said Tiffany Westry, a public relations specialist with UAB.
UAB’s ongoing efforts against cybercrime cover everything from developing new businesses to helping fight threats through social media. For instance, in 2012, Facebook donated $250,000 to a UAB cyber group, the Center for Information Assurance and Joint Forensics Research, that helped the social media company track spammers, including the international criminals behind the Koobface botnet. The center is a multidisciplinary research hub, which brings together resources from law enforcement, business, government agencies and academia. As of 2012, CIA/JFR was collecting more than one million spam emails daily at its UAB Spam Data Mine.
In 2013, UAB launched a startup company called Malcovery, “which specializes in cyber threat detection to help businesses protect themselves,” Westry said. The company PhishMe acquired Malcovery in 2015, and then appointed UAB Professor Gary Warner, who served as the director of research for the CIA/JFR as their “chief threat scientist.”
Based out of Innovation Depot in downtown Birmingham, Malcovery’s success drew the attention of the website Techrepublic, which called it, in a 2013 article, “the company spammers and phishers hate.” Malcovery’s clients include Facebook, eBay, Visa, LinkedIn and IBM.
In 2014, the MITRE Corporation selected UAB as one of nine universities to serve on its Academic Affiliates Council, which supports MITRE’s operation of the first federally funded research and development center focused entirely on strengthening the nation’s cyberdefenses.
Although UAB has long offered computer science degrees, this year marked the first time the university offered a bachelor of arts degree in Computer and Information Sciences. It is the first institution in Alabama to have such a degree, Westry said. The BA differs from degrees UAB has offered before in that, “traditionally, undergraduate Computer Science degrees have been offered as Bachelor of Science degrees, with a heavy emphasis on math and sciences courses,” Westry said. “These new BA programs in CIS are emerging across the country. So in addition to our BS, Master’s and Ph.D. programs in CIS, we now offer the BA so students can combine their liberal arts interests with a foundation of computer science skills.”
With so much focus on cybersecurity at UAB, students have a great number of opportunities to get involved on the cutting edge of tech-based crime fighting. “Since many of UAB’s CIS labs and Malcovery work closely with businesses, corporations and law enforcement, our CIS students get an incredible amount of hands on, real world work experience in this area,” Westry said. “They’re not only making an impact now in helping protect consumers, but they’re going out and getting jobs in top companies to continue their work in securing, and developing solutions in the area of cybersecurity.”
UAB isn’t the only institution in North Alabama engaged in combatting cybercrime. Cyber Huntsville, a Tennessee Valley Initiative, is a nonprofit “made up of industry, government and academic institutions that are dedicated to making Huntsville and the Tennessee Valley region a nationally and internationally recognized cyber leader,” according to the organization’s website. “In doing this, we focus on … experience in the areas of systems engineering, research and development, modeling and simulation, cyber security, experimentation,” among others.
Cyber Huntsville sponsors an annual National Cyber Security Summit, which, this year brought more than 1,500 participants, among them, representatives of several federal agencies including FBI, the Department of Homeland Security and the Department of Justice.
War on Cybercrime
With crime and terrorism increasingly using the internet, the forces working to repel attacks and protect national assets would seem to need all the help they can get. “Technology plays an increasingly significant role in our daily lives,” President Barack Obama said in his proclamation of National Cybersecurity Month. “The rise of the internet has brought incredible opportunity and new ways of innovating and enhancing our way of life — but with great potential also comes heightened risk to our data. Keeping cyberspace secure is a matter of national security, and in order to ensure we can reap the benefits and utility of technology while minimizing the dangers and threats it presents, we must continue to make cybersecurity a top priority…
“Cyber threats not only pose a danger to our national security, but also have the potential to harm our financial security and undermine the privacy of millions of Americans. An important part of enhancing cybersecurity involves empowering more Americans to help themselves take proper precautions online and in their financial transactions; cybersecurity is a shared responsibility, and everyone can do their part to make smart, safe choices.”
If the president’s call to action sounds like the kind of rhetoric common in times of war, that’s no accident.
“Cyber cases are being worked in every district, every federal district in the country,” Vance said. “It’s pervasive. It’s the future face of crime. We’ve got to all get educated… We all need to start building awareness now and viewing this in context. This is really a war that we’re getting ready to fight in cyberspace.”
The idea that cybersecurity is everyone’s problem is a refrain sounded throughout the month dedicated to it. Here are a few tips sourced directly from the websites of the University of Alabama at Birmingham and the U.S. Department of Homeland Security to make yourself and those connected to you safer.
- Protect Your Device: Add a passcode to your cell phone, tablet or laptop right now!
- Use Strong Passwords or Passphrases: Especially for online banking and other important accounts.
- Check Your Social Media Settings: Review your social media security and privacy settings frequently. Enable two-step verification whenever possible.
- Educate Yourself: Stay informed about the latest technology trends and security issues such as malware and phishing.
- Get Trained: Contact your institution’s IT, information security or privacy office for additional resources or training opportunities.
From the Department of Homeland Security:
- Enable stronger authentication. Always enable stronger authentication for an extra layer of security beyond the password that is available on most major email, social media and financial accounts. Stronger authentication (e.g., multi-factor authentication that can use a one-time code texted to a mobile device) helps verify that a user has authorized access to an online account. For more information about authentication, visit the new Lock Down Your Login Campaign at lockdownyourlogin.com.
- Keep a clean machine. Install updates for apps and update the security software on all of your Internet-connected devices as soon as updates are available. Keeping the software up to date will prevent cybercriminals from being able to take advantage of known vulnerabilities.
- Use long and strong passwords. Create strong passwords with eight or more characters and a combination of upper and lowercase letters, numbers, and symbols.