By Danielle Williams
Baltimore Watchdog Staff Writer
Before submitting personal information or clicking on suspicious websites or emails, computer and Internet users must stop, think and connect, a cyber-security expert advised a Towson University audience on Wednesday.
Mike Kaiser, director of the Office of Information Security, said that people tend to reuse the same email account to log in to many different platforms, such as social media and bank accounts.
“We’re leaving digital crumbs everywhere,” he told more than a dozen who gathered on the third floor of the University Union. “Those who have the time and motivation are able to piece those crumbs together and before you know it, they’re able to learn enough information about you to answer those security questions on your bank website.”
Kaiser said that social media pages, Facebook for example, often reveal parents, other family members, friends and acquaintances, and the connections among them, essentially exposing a family tree. When a bank's login security question asks for a mother's maiden name, a hacker can work out that name by tracing the family tree on social media, he said.
“People need to be generally aware of what they post online because hackers could track behavioral patterns, such as sharing that you eat pizza for example, which could eventually show the pattern of you eating pizza on certain days,” he said. “Anything you post can permanently stay on the Internet because anyone can screenshot it.”
Joel Edwards, a cybersecurity awareness specialist, added, “I’ve seen just walking into the library where students would leave their desktop open with their essays up, and if I’m malicious, I could hit delete and you’re screwed.”
Kaiser said that in July and August the university's email filtering system blocked 37 million messages. If students ever receive an email they suspect is fraudulent, he said, they can forward it to phishing@towson.edu and the Office of Information Security will investigate.
An insider threat is a threat to an organization from someone inside it, said Kaiser. Because insiders, such as employees, have access to the organization's systems and data, including passwords, phone numbers and databases, they can potentially cause the most damage.
According to a LinkedIn information security group survey of more than 400,000, 90 percent of respondents said they were worried about insider threats, and 53 percent were concerned that an insider breach would be accidental.
An insider leaving passwords on a sticky note for anyone who walks by to see is an example of an accidental security breach, Kaiser said.
A study led by Yingying Chen, an electrical and computer engineering professor at Stevens Institute of Technology, found that hackers can recover a person's personal identification number or password from the hand movements captured by the smartwatch that person is wearing.
“If you’re wearing your smartwatch on your dominant hand and you go to the ATM and start punching numbers, they have algorithms that can calculate the likelihood of what your PIN is,” Kaiser said. “According to the study, it has been 80 percent successful on the first try, and 90 percent accurate on the third try.”
Kaiser said default passwords on Wi-Fi routers should be changed because the same default is likely printed on the side of other people's routers as well. Passwords should also be changed frequently and should not contain personal information, he said. He recommended turning on two-factor authentication because it is more secure than a password alone.
To check whether a company's website and login page, such as Amazon's, are fraudulent, which is called phishing, users can check the URL, he said. Any time a person types in a password or banking information, he or she should check that the URL begins with HTTPS, which means the connection to the site is encrypted so that no one listening in can steal the password. Kaiser said that a lock symbol next to the URL shows the connection is secure. Plain HTTP, by contrast, is not encrypted, and hackers can easily read password information sent over it. Encryption alone does not prove who runs the site, however; a phishing page can use HTTPS too, which is why the address itself also needs to be checked.
Kaiser also said that the domain in the URL should always be the company's own name. Users should make certain the name is spelled correctly and that the site uses proper grammar. If the name from the beginning of the URL is repeated after the .com or .net, he said, the website is fake, and one should never give away a Social Security number on a sign-up page that requests one.
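The URL checks described above can be turned into a small script. The following is an added example written for this article, not code from Kaiser or from Towson University's security office; the allowlist of legitimate domains, the short list of two-label public suffixes and the sample addresses are all constructed for illustration. It shows the point that matters in practice: the part of the hostname that someone had to register decides who owns the site, not the words at the start of the address, and HTTPS by itself says nothing about that.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example (an assumption, not a real list):
# the registrable domains each brand legitimately uses for sign-in.
KNOWN_DOMAINS = {
    "amazon": {"amazon.com", "amazon.co.uk"},
    "towson": {"towson.edu"},
}

# Minimal set of two-label public suffixes so "amazon.co.uk" is handled.
# A real checker should use the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the part of the hostname an attacker would have had to register."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_login_url(url: str, brand: str) -> dict:
    """Apply the checks from the talk to a URL that claims to be brand's login page."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registrable_domain(host) if host else ""
    findings = []

    # 1. Plain HTTP: the password would travel unencrypted.
    if parts.scheme != "https":
        findings.append("not_https")

    # 2. The registrable domain, not the start of the address, decides who owns the site.
    if reg not in KNOWN_DOMAINS.get(brand, set()):
        findings.append("domain_mismatch")
        # 3. The brand name placed earlier in the address (subdomain, user@ prefix
        #    or path) while the real domain is something else is the classic lure.
        lure_text = f"{parts.username or ''}{host}{parts.path}".lower()
        if brand in lure_text:
            findings.append("brand_name_used_as_lure")

    # 4. Non-ASCII or punycode hostnames can imitate a brand with look-alike letters.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        findings.append("lookalike_characters")

    return {
        "host": host,
        "registrable_domain": reg,
        "findings": findings,
        "verdict": "ok" if not findings else "do_not_enter_credentials",
    }


# Constructed sample addresses: one legitimate, the rest modelled on common phishing lures.
SAMPLES = [
    "https://www.amazon.com/ap/signin",
    "http://www.amazon.com/ap/signin",
    "https://amazon.com.account-verify.net/signin",  # brand repeated before another domain
    "https://amazon.com@evil.example/login",          # user@ trick; the real host is evil.example
    "https://\u0430mazon.com/",                       # Cyrillic 'a' in place of the Latin letter
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = check_login_url(sample, "amazon")
        print(f"{sample}\n  -> {result['verdict']} {result['findings']}")
```

Note that the third and fourth samples use HTTPS and still fail, which is why the lock icon on its own is not enough; the fifth passes every string comparison a human would make by eye and is caught only because the hostname contains a non-ASCII character.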
To determine whether a site is malicious or legitimate, Kaiser recommended pasting the URL into VirusTotal (virustotal.com).
Towson University alumna Dayana Fernandez, who earned a master's degree in applied information technology, said that although insiders are trained to recognize phishing emails, some still cannot tell whether an email is a phishing attempt.
That, officials said, is often the cause of security breaches at companies and institutions such as the University of Maryland, College Park, and MedStar Health.