Experts Matter. Find Yours.

Hackers Exploit the Pandemic

Criminals are opportunists, and the COVID-19 global onslaught has brought with it not just health threats but cybersecurity risks, too. Within weeks of the COVID-19 outbreak, hackers have already commandeered the virus to unleash cyberattacks, sending emails purporting to provide coronavirus guidance laced with cyberattack software. In one more alarming case, they appear to have attacked a hospital and forced it to cancel operations and take key systems offline. As the outbreak continues to intensify, the UK National Cyber Security Centre (NCSC) warned that the volume of these attacks will likely increase, pointing to the increased registration of coronavirus-related webpages. Criminals are opportunists, and the COVID-19 global onslaught has brought with it not just health threats but cybersecurity risks, too. As companies move to protect the health of their workforce, it’s also important to protect the systems they’re using to run their businesses. It’s especially important for hospitals to shore-up their cyber defenses. If they don’t, just as they are racing to respond to COVID-19, they could face situations like University Hospital Brno in the Czech Republic, which earlier this month was forced to divert patients and cancel planned operations while it worked to address an attack. The most likely cyber threats are email “phishing” campaigns that use the coronavirus as a lure to get the recipient to open an attachment that contains malware. According to the NCSC, such “phishing” attempts are happening on a global scale in multiple countries, which has led to both a theft of money and sensitive data. Similarly, known hacker groups have been launching websites purporting to sell masks or other safety-related measures for coronavirus, possibly to use them as another vector for cyberattacks. The NCSC has also cautioned that these attacks are “versatile and can be conducted through various media, adapted to different sectors and monetized via multiple means, including ransomware, credential theft, bitcoin or fraud.” The cybersecurity firm ProofPoint has seen a rise in these cyberattack emails with COVID-19 themes since January. Both ProofPoint and IBM’s X-Force cybersecurity unit identified a campaign that targeted users in Japan with an email masquerading as a coronavirus information email that carries with it a potent type of cybercrime software. In the US, the Secret Service recently warned of scams from online criminals posing as sellers of high-demand medical supplies to prevent coronavirus. They’ll require payment upfront and not send the products. Cyber criminals have also been posing as the World Health Organization and the US Centers for Disease Control and Prevention (CDC), sending fraudulent emails from the former and “creating domain names similar to the CDC’s web address to request passwords and even bitcoin donations to fund a vaccine” for the latter. In addition to the use of the coronavirus as a cyberattack vector, the growing need for working remotely to mitigate the spread of COVID-19 has increased companies’ exposure to cyber threats. The increase in remote work creates more opportunities for hackers to make inroads from less secure locations. Companies should also ensure they can provide adequate security when their whole workforce is remote. They should quickly work through the security implications of workers choosing to switch to insecure personal devices. With national-level pressures on home broadband, staff will also resort to mobile hotspots, which are often less secure. And enabling remote connectivity at scale, with the right security configurations, can be a challenge even with months of preparation time. A recent US Department of Homeland Security COVID-19 cybersecurity notice pointed to the importance of making sure that security measures are up to date for companies’ remote access systems. Additional measures to consider include enabling multifactor authentication—which can require two or more steps to verify a user’s identity before granting access to corporate networks. The NCSC is also working to identify malicious sites responsible for phishing and cyberattack software. A final looming cyberthreat related to Covid-19 is disinformation. The World Health Organization and other agencies have for months been combatting disinformation campaigns spreading false information about the origins of and treatments for COVID-19—reports that seed more confusion and increase risks to society. All of that means that computer virus risks are emerging as the biological virus spreads—and both are a threat to business. Cyber risk mitigation efforts should account for the different ways that a company can be affected, including impacts on the technical, operational, legal and reputational aspects of a business. Often, the reputational effects of a cyberattack are more significant than direct the business or technical impact. To mitigate all of the potential impacts of cyberattacks taking advantage of the Covid-19 outbreak, companies should: Review and update crisis and cybersecurity response plans, and ensure internal and external communications response plans are robust. Confirm that members of the crisis management team understand their roles and responsibilities. Make sure all communications channels have the latest security patches. Review and update access controls, particularly when remote access is used heavily, to make sure that only those who require access to sensitive systems to do their jobs have it. Take extra care when handling medical information. For companies managing employees who have contracted Covid-19, it’s important that personal health information is handled with strong security measures, including encryption. Educate employees about the cyber risks that may attempt to capitalize on fear of the Covid-19 virus—whether it be phishing email or disinformation. Covid-19 poses a number of short- and long-term challenges to business resilience, and the virus’s trajectory is quick and unpredictable. But it’s possible to anticipate and mitigate a number of the cyber threats that will try to ride the virus’s coattails. The companies that do will be more resilient and better positioned to withstand the direct health and operational effects of the virus.

Paper ballots, risk-limiting audits can help defend elections and democracy, IU study finds

BLOOMINGTON, Ind. -- With just over two months before the 2020 election, three professors at the Indiana University Kelley School of Business offer a comprehensive review of how other nations are seeking to protect their democratic institutions and presents how a multifaceted, targeted approach is needed to achieve that goal in the U.S., where intelligence officials have warned that Russia and other rivals are again attempting to undermine our democracy. But these concerns over election security are not isolated to the United States and extend far beyond safeguarding insecure voting machines and questions about voting by mail. Based on an analysis of election reforms by Australia and European Union nations, they outline steps to address election infrastructure security -- such as requiring paper ballots and risk-limiting audits -- as well as deeper structural interventions to limit the spread of misinformation and combat digital repression. "In the United States, despite post-2016 funding, still more than two-thirds of U.S. counties report insufficient funding to replace outdated, vulnerable paperless voting machines; further help is needed," said Scott Shackelford, associate professor of business law and ethics in the Kelley School, executive director of the Ostrom Workshop and chair of IU's Cybersecurity Program. "No nation, however powerful, or tech firm, regardless of its ambitions, is able to safeguard democracies against the full range of threats they face in 2020 and beyond. Only a multifaceted, polycentric approach that makes necessary changes up and down the stack will be up to the task." For example, Australia -- which has faced threats from China -- has taken a distinct approach to protect its democratic institutions, including reclassifying its political parties as "critical infrastructure." This is a step that the U.S. government has yet to take despite repeated breaches at both the Democratic and Republican national committees. Based on an analysis of election reforms by Australia and European Union nations, they outline steps to address election infrastructure security -- such as requiring paper ballots and risk-limiting audits -- as well as deeper structural interventions to limit the spread of misinformation and combat digital repression. "In the United States, despite post-2016 funding, still more than two-thirds of U.S. counties report insufficient funding to replace outdated, vulnerable paperless voting machines; further help is needed," said Scott Shackelford, associate professor of business law and ethics in the Kelley School, executive director of the Ostrom Workshop and chair of IU's Cybersecurity Program. "No nation, however powerful, or tech firm, regardless of its ambitions, is able to safeguard democracies against the full range of threats they face in 2020 and beyond. Only a multifaceted, polycentric approach that makes necessary changes up and down the stack will be up to the task." For example, Australia -- which has faced threats from China -- has taken a distinct approach to protect its democratic institutions, including reclassifying its political parties as "critical infrastructure." This is a step that the U.S. government has yet to take despite repeated breaches at both the Democratic and Republican national committees. The article, "Defending Democracy: Taking Stock of the Global Fight Against Digital Repression, Disinformation and Election Insecurity," has been accepted by Washington and Lee Law Review. Other authors are Anjanette "Angie" Raymond, associate professor of business law and ethics, and Abbey Stemler, assistant professor of business law and ethics, both at Kelley; and Cyanne Loyle, associate professor of political science at Pennsylvania State University and a global fellow at the Peace Research Institute Oslo. Aside from appropriating sufficient funds to replace outdated voting machines and tabulation systems, the researchers said that Congress should encourage states to refuse to fund voting machines with paperless ballots. The researchers also suggest requiring risk-limiting audits, which use statistical samples of paper ballots to verify official election results. Other suggested steps include: Congress requiring the National Institute of Standards and Technology to update their voting machine standards, which state and county election officials rely on when deciding which machines to purchase. Australia undertook such a measure. Creating a National Cybersecurity Safety Board to investigate cyberattacks on U.S. election infrastructure and issue post-elections reports to ensure that vulnerabilities are addressed. Working with universities to develop training for election officials nationwide to prepare them for an array of possible scenarios, and creating a cybersecurity guidebook for use by newly elected and appointed election officials. "With regards to disinformation in particular, the U.S. government could work with the EU to globalize the self-regulatory Code of Practice on Disinformation for social media firms and thus avoiding thorny First Amendment concerns," Raymond said. "It could also work to create new forums for international information sharing and more effective rapid alert and joint sanctions regimes. "The international community has the tools to act and hold accountable those actors that would threaten democratic institutions," added Stemler, who also is a faculty associate at Harvard University's Berkman Klein Center for Internet and Society. "Failing the political will to act, pressure from consumer groups and civil society will continue to mount on tech firms, in particular Facebook, which may be sufficient for them to voluntarily expand their efforts in the EU globally, the same way that more firms are beginning to comply with its General Data Protection Regulation globally, as opposed to designing new information systems for each jurisdiction."

Hacking billionaires and the link between Bezos, Iran and what’s next for America

It’s becoming the ultimate he said/she said between the ultra-rich and world elite. Amazon CEO Jeff Bezos is claiming Saudi Crown Prince Mohammed bin Salman hacked his phone via WhatsApp. The motive seems routed to the murdering of the Washington Post’s journalist Jamal Khashoggi. However, as the billionaires debate and deflect what actually happened, the event should be a warning sign of what could be on the horizon. America is still on guard and expecting retaliation in one form or another from the assassination of General Qasem Soleimani, and online attacks and targeting cellphones could be the preferred method from America’s enemies abroad. “We should expect attacks from Iranian hackers or those sympathetic to their cause who appear to be civilians without nation state sponsorship will hit low level targets on the basis of ideological/national pride,” says Michigan State University’s Thomas J. Holt. “There will likely be nation-state sponsored attacks though it is unclear how quickly they will launch or how effective they may be.” This is an area that is familiar with American military and intelligence circles, Holt further explains. “Historically the U.S. has been involved in cyber-attacks that are able to severely affect Iranian capabilities, such as Stuxnet. Their counterattacks have been less public and seemingly less effective. However, they’ve already begun as with that web defacement against a US government website reported last week that appears to have Iranian ties or origination.” And as America waits and watches... What are the obvious and perhaps not so obvious approaches to breaching American cyber-security that we can expect? Will it be app based? Will the general public be a target or is it in the best interests to hit higher- and more visible properties? And if Jeff Bezos and all of his resources are vulnerable – is there any true way to ensure anyone is safe online? There is a lot to be explored as this story progresses and if you are a journalist covering this topic – then let our experts help. Thomas J. Holt is a professor in the School of Criminal Justice at Michigan State University whose research focuses on computer hacking, malware, and the role of the Internet in facilitating all manner of crime and deviance. Professor Holt is available to speak with media about these issues – simply click on his icon to arrange an interview today.

IU Kelley School expert: $170 million fine of Google, YouTube probably not enough

In the largest fine ever, Google agreed to pay $170 million to settle a case with the Federal Trade Commission and New York’s attorney general over charges that YouTube made millions from violating children’s privacy laws. Scott Shackelford, associate professor of business law and ethics at the Indiana University Kelley School of Business, chair of IU’s Cybersecurity Program in Risk Management and director of the Ostrom Workshop Program on Cybersecurity and Internet Governance, doubts it will have much of an effect. “Google, via YouTube, has been held accountable by the FTC and the New York Attorney General’s Office for its practices that violated children’s privacy, but it’s questionable whether a $170 million fine is sufficient to change business practices,” Shackelford said. “Similar to its $5 billion fine against Facebook, the FTC needs to do more to both increase these penalties, and even more importantly require the necessary steps to ensure that these violations do not recur. This is the FTC’s third fine against Google since 2011, for example, and it will likely not be the last.”

Cybersecurity expert aims to protect the power grid by hacking would-be hackers

For hackers, the U.S. energy grid is a treasure trove of classified information with vast potential for profit and mayhem. To be effective, the power grid’s protection system has to be a bit like a hacker: highly intelligent, agile and able to learn rapidly. Milos Manic, Ph.D., professor of computer science and director of VCU’s Cybersecurity Center, along with colleagues at the Idaho National Laboratory (INL), has developed a protection system that improves its own effectiveness as it watches and learns from those trying to break into the grid. The team’s Autonomic Intelligent Cyber Sensor (AICS) received an R&D 100 Award for 2018, a worldwide recognition of the year’s most promising inventions and innovations.  “An underground war of many years” Manic calls foreign state actors’ ongoing attempts to infiltrate the power grid — and efforts to thwart them — “an underground war of many years.” These criminals aim to enter critical infrastructures such as energy systems to disrupt or compromise codes, screens login information and other assets for future attacks. The nightmare result would be an infrastructure shutdown in multiple locations, a so-called “Black Sky” event that would erase bank accounts, disable cell phones and devastate the economy. In that scenario, engineers would have less than 72 hours to restore the grid before batteries, food supplies, medicine and water run out.  With high stakes and increasingly sophisticated attackers, artificial intelligence and machine learning are key to respond to the challenges of protecting the grid’s interconnected systems, according to Manic. “Hackers are much smarter than in the past. They don’t necessarily look at one particular component of the system,” Manic said. “Often they can fool the system by taking control of the behavior of two different components to mask their attack on a third.” A nervous system for the power grid Using artificial intelligence algorithms, AICS can look holistically at an array of interconnected systems including the electrical grid and adapt continually as attacks are attempted. It is inspired by the body’s autonomic nervous system, the largely unconscious functions that govern breathing, circulation and fight-or-flight responses. Once installed, AICS acts as a similar “nervous system” for a power grid, silently monitoring all of its components for unusual activity — and learning to spot threats that were unknown when it was first installed.  To “hack” the hacker, AICS often deploys honeypots, shadow systems that appear to be legitimate parts of the grid but that actually divert, trap and quarantine malicious actors. These honeypots allow asset owners to gather information that can help identify both a threat and a potentially compromised system. “Honeypots can make a hacker think he has broken into a real system,” Manic said. “But if the hacker sees that the ‘system’ is not adequately responding, he knows it’s a honeypot.” For this reason, the system’s honeypots are also intelligently updating themselves. Manic developed AICS with his INL colleagues Todd Vollmer, Ph.D., and Craig Rieger, Ph.D. Vollmer was Manic’s Ph.D. student at the University of Idaho. The AICS team formed eight years ago, and Manic continued to work on the project when he came to VCU in 2014. He holds a joint appointment with INL.

Cybersecurity – Is it finally getting the attention it deserves? Ask our experts!

It’s been talked about, dominated the news and has cost some companies billions – but it seems like finally America’s leaders are taking the issue of cybersecurity seriously. With an election looming and non-stop threats coming from enemies near and afar, it seems like America’s leaders are now on side in the battle against cybersecurity. Last week President Trump signed an executive order directing the creation of programs to grow and strengthen our cybersecurity workforce to meet the challenges of the 21st century. “America built the internet and shared it with the world; now we will do our part to secure and preserve cyberspace for future generations.” President Donald J. Trump It’s a lofty goal – and odds are an expensive one, but will it work? Who are the chief actors behind potential cyber-attacks? What are the key targets? What are the costs to secure America’s cyber-territory? And more importantly, what are the consequences if we do not? There are a lot of questions out there and that’s where out experts can help. Dr. Seth Hamman earned his Ph.D. in computer science with an emphasis in cybersecurity at the Air Force's graduate school, the Air Force Institute of Technology, located at Wright-Patterson Air Force Base. As a researcher he is interested in helping to shape the young and growing discipline of cybersecurity education. Contact him today for your story! Simply click on his icon to arrange an interview.

Cybersecurity expert offers holiday shopping tips for protecting identity

Amid the many warnings this holiday season about protecting your identity while shopping online comes advice from Scott Shackelford, associate professor of business law and ethics in the Indiana University Kelley School of Businessand one of the nation's leading cybersecurity experts. "In some ways shopping online is getting safer," said Shackelford, also chair of the Kelley School's Cybersecurity Program in Risk Management and director of the Ostrom Workshop Program on Cybersecurity and Internet Governance. "For example, a few years ago it was relatively uncommon for many sites to use encrypted https technology, but that's become the norm. However, as may be seen by a quick scan of the news, data breaches continue. "The good news is that the cost of those breaches is going up with Federal Trade Commission and European Commission investigations ongoing into firms like Equifax and Facebook, and consumer patience is also wearing thin," he added. "One recent survey, for example, found that 20 percent of consumers would not shop again at a firm that experienced a data breach." Shackelford offers practical advice for holiday shoppers. In essence, there's a lot you can do to become harder targets for cyber criminals, including: Consider freezing your credit. You don't need it open unless you open a new credit card or loan, and even then you can unfreeze it for a short window to allow for the credit check. Install antivirus and antispyware software, use auto-update, and always enable multifactor authentication on all of your accounts. When using public Wi-Fi, use browsers like Tor to make it more difficult for hackers to spy on you. Keep all software up to date -- especially Windows, but also programs like Adobe Reader, Flash and Java, which are often convenient backdoors that can be closed through frequent updates. Use strong passwords of at least 14 characters, keep them secret, and change them often. Consider starting with a favorite sentence, and then just take the first letter of each word. Add numbers, punctuation or symbols for complexity. And be sure to change any default passwords on your new smart devices. Never turn off your firewall; it's an important software program that helps stop viruses and worms. Use flash drives cautiously; they are easily infected. In fact, one of the biggest breaches of U.S. military systems to date was due to a flash drive. Encrypt sensitive information on your computer. Be conscious of what you click on, both in emails and on the web. When in doubt, double check before accessing new files. Look for sites with "https" in the URL. Do not use banks or other sensitive websites that do not have the "s."

The next threat to election meddling? Brain Hacking

Almost 15 percent of Americans have reported changing their opinion on political or social issues because of a social media post, according to a recent Pew Research Center survey. “What if, immediately before spreading polarizing social media posts, our adversaries flashed subliminal images known to induce a type of anxiety called state anxiety? Evidence suggests people would perceive those posts in a more emotional way. Those images could, in turn, influence their voting behavior,” said Dr. Jay Heslen, an expert in intelligence and cybersecurity policy and assistant professor of political science with a joint appointment in the Katherine Reese Pamplin College of Arts, Humanities, and Social Sciences and the School of Computer and Cyber Sciences at Augusta University. “Successfully manipulating the cognition of a few thousand people in order to influence their perception of events could be enough to change the result of an election.” Heslen’s current research project focuses on whether exposure to certain visuals or sounds, including subliminal prompts, can induce a negative emotional arousal on people. He’s interested in learning whether that emotional state, called state anxiety,  can then influence behavior in a specific, predefined way – a concept he calls neurocognitive hacking. Although research using subliminal prompts is not new and has had mixed results, Heslen’s approach is novel. He uses a specific kind of visuals previously shown to trigger people’s unconscious discriminatory behaviors toward outsiders. “Neurocognitive hacking could potentially be used as a weapon in cyberwarfare,” said Heslen, who worked as an intelligence officer with the Defense Intelligence Agency and the United States Air Force for more than 20 years, specializing in combatting terrorism, counterintelligence and strategic cyber intelligence. “We need to study these capabilities not only for our own understanding but to create sound policies and countermeasures to defend ourselves against others who may use them on us.” With 68 percent of Americans on Facebook and 73 percent on YouTube, according to another Pew Research Center survey, neurocognitive hacking could be a national security problem, Heslen said. “As we advance our understanding of the brain and its processes, including how to manipulate it, we will need to provide neurocognitive cybersecurity to people who use information and communication technologies,” Heslen said. “This will be especially true as we spend more time in virtual worlds.” Heslen is available to discuss: ·       How neurocognitive hacking can influence people’s behavior ·       Why neurocognitive hacking is a powerful weapon of cyberwar ·       What kinds of policies should the government create to protect itself and its citizens from neurocognitive hacking Heslen is a Lieutenant Colonel in the United States Air Force Reserve and has served in military operations on four continents to include humanitarian relief operations in Mozambique and South Africa as well as an operational tour in Afghanistan. In his capacity as a reservist, he is currently assigned to the National Intelligence University pursuing an advanced degree in strategic intelligence. Contact us to schedule an interview with Dr. Heslen or learn more about his expertise.

Cloudhopper - What is it and should we worry?

Earlier this week, the Department of Homeland Security issued a warning that a Beijing based group of hackers -dubbed ‘cloudhopper’ was mounting a potential cyber-attack on American based institutions. The Chinese government has denied these claims vigorously and stated that China does not support hacking. So, what is cloudhopper? What businesses and institutions are most vulnerable? And does America need to increase its focus on cyber-security and digital threats? There are a lot of questions – and only a few leading experts who can help explain the situation. That’s where Cedarville can help. Dr. Seth Hamman is an assistant professor of computer science at Cedarville. Seth is an expert in cybersecurity education.  Dr. Hamman is available to speak with media – simply click on his icon to arrange an interview.

Cities value cybersecurity but budget prevents investment

Although city governments increasingly rely on software programs to provide services such as 911 calls, service delivery and online bill payment, they may not have the proper cybersecurity policies in place to protect their systems, according to a recent nationwide survey of cities by Augusta University researchers. “We’re concerned first with the human factor of all issues,” said Dr. William Hatcher, director of Augusta University’s Master of Public Administration program and one of the survey’s authors. “Having trained employees is necessary to stop attacks or even make sure organizations are not tricked through phishing type schemes.” Almost 30 percent of surveyed cities have no formal cybersecurity policy, which would include rules on password creation, guidelines for employee training on computer security and procedures for reviewing the list of employees with access to sensitive systems, according to the survey. Of the cities that have a formal policy, the survey found that: - 17 percent don’t require in-depth background checks when employees are granted access to sensitive systems. - 18 percent don’t teach employees to recognize breaches. - 37 percent don’t provide ongoing training to employees on new computer security procedures. - 47 percent don’t review the list of employees who have security access on a regular basis. - 54 percent don’t work with an outside auditor to review their policies on an annual basis. The survey looked into cities nationwide with more than 10,000 people and received responses from 193 local governments. Based on the results of the survey, Hatcher says most cities understand the importance of cybersecurity but are not investing in vulnerable areas due to financial constraints. “Providing effective cybersecurity protection is expensive, and many municipalities have financial issues paying for the service,” Hatcher said. Hatcher ‘s research focuses on the connection between public administration and the development of local communities. Through his research, he tries to understand why public administration scholars and practitioners often have different views about the efficacy of certain administrative practices. His research has appeared in journals such as American Journal of Public Health, Journal of Public Affairs Education, Public Administration Quarterly and The Review of Regional Studies. Contact us to schedule an interview with Dr. Hatcher or learn more about his expertise. Source: