Last November, Duke professor Gary Gereffi returned from a research trip to Kazakhstan and was informed by his IT department that his computer had been hacked.
Days earlier, a colleague at Harvard University sent Gereffi an email with an attachment to a scholarly paper. Unbeknownst to both professors, malware infected the attachment, and as soon as Gereffi opened the document, hackers could peer into Gereffi’s computer and steal his data.
“It was so sophisticated,” said Gereffi, founding Director of the Duke University Center on Globalization, Governance & Competitiveness. “If it’s coming from someone you know, it would be almost impossible to screen these things out. I was tagged because of the nature of my work.”
Duke’s IT Security Office said the email Gereffi received is a textbook example of “spearphishing,” an attempt to collect sensitive information from a few high-level targets. Hackers employed by a sovereign government to commit cybersecurity attacks targeted Gereffi.
Last November alone, Duke blocked 173 million messages containing spam, viruses, phishing, and malware. Across the country, cyber attacks and data breaches are growing more common. Last summer, LinkedIn announced that 117 million accounts were compromised. In December, Yahoo reported that 1 billion accounts were hacked. And, according to Pew Research Center, U.S. intelligence agencies have issued statements and testified before Congress that the Russian government was involved in the hack of the Democratic National Committee with the aim of influencing the 2016 presidential election.
“It’s not that information security has become worse, but it’s become more public and more visible,” Duke’s Chief Information Security Officer, Richard Biever, said. “Every time we solve a security issue, the hackers don’t give up and go home, they simply change their mode of operation.”
Jeannine Sato of the Office of Information Technology (OIT) talked with Biever about the evolution of IT security risks and expectations for 2017.
What were the most worrisome incidents of 2016 at Duke and beyond?
I think last year was a watershed year in terms of account security within commercial online services because we saw so many large-scale breaches. The Yahoo and LinkedIn breaches were very large and affected millions of users, putting their accounts and any other accounts using the same ID and password at risk. Reuse of hacked passwords can lead to Duke account hacks, like one department whose Twitter account was taken over last year. A password change and adding two-factor was the fix.
What can Duke community members do to safeguard password-protected accounts?
I think passwords are cumbersome. They are difficult to remember and need to change frequently, which is what is needed to stay secure. I am hopeful that they will be replaced or supplemented in the coming years. We don’t have a replacement yet, so in the meantime what we can do as individuals is think about how we protect our passwords.
That means having different passwords for every account and using LastPass or 1Password (password vaults) to protect those passwords, as well as using multi-factor everywhere we can. For example, if I do online banking, I should be asking my bank to support multi-factor for my online bank account.
What are potential cybersecurity threats for 2017?
The biggest threat is the use of technology for socially engineered attacks like the spearphishing attack we saw at Duke in November. The greatest success for hackers or phishers we’ve seen is that they prey on people's tendencies. Whether it’s phishing or a phone call, whether it’s social media or a web page designed to get you to click on something that infects your computer with malware. Good attackers impart a sense of urgency, like telling you your account is going to be closed or the IRS is going to sue you. They try to scare you into making a quick decision. This can lead to successful phishing attacks and ransomware attacks where your data is encrypted until you pay a ransom.
What do you do to keep your personal information safe?
I use two-step verification and complex passwords on everything. I also use an ad blocker like the uBlock Chrome extension, which blocks ads from being displayed and can also protect you from viruses or malware embedded in some online ads. ‘HTTPS Everywhere’ is a browser extension that converts websites from insecure “http” to secure “https.” And of course, I always update the software on my devices. Nothing makes you more vulnerable than unpatched software.
3 Ways to Protect Data
Enroll in Multi-factor Authentication (MFA)
This two-step authentication process requires you to verify your identity through a device or phone call using specially generated passcodes during login. Duke staff and faculty are required to enroll for the Duke@Work personnel site. Users can also add the protection to other password-protected services like email and Box cloud storage. Enroll in Duke's MFA at oit.duke.edu/mfa. Use multi-factor authentication for banking and finance, mail, and social media accounts. This resource lists many sites that support multi-factor authentication.
Enroll in LastPass
LastPass is a free web-based password vault system that keeps all passwords in one place. It works with your browser to help remember and maintain passwords, credit card information and auto-fill forms. LastPass can also do a security check to look for duplicate passwords. Duplicate passwords are not recommended due to the risk of a single breach enabling access to many sites. Finally, LastPass will generate and remember long, complicated passwords. LastPass is offered at no charge to the Duke community. Download the program at software.duke.edu.
Subscribe to Duke’s IT Alerts
When you sign up for Office of Information Technology IT alerts, you get access to IT Security Alerts that notify you of malicious email campaigns and phishing attacks. Subscribe to alerts by email, text and/or through OIT’s Twitter feed, @DukeOIT.