UTRGV cybersecurity faculty shares tips to keep data safe


  Friday, October 30, 2020

By Maria Elena Hernandez

RIO GRANDE VALLEY, TEXAS – The clicking of a keyboard might bring you comfort or annoyance. But did you know it might also make you vulnerable?

 

That seemingly innocuous sound could be giving away your passwords and everything else you type.

 

"Each of these keys, as you type it in, depending on the keyboard, has a certain mechanical vibration. It also emanates certain types of the electromagnetic waves," said Dr. Sheikh Ariful Islam, an assistant professor in the UTRGV Department of Computer Science.

 

A hacker after your information wouldn't need to attach any device or install any software to your computer or network. He or she would just have to listen.

 

One of Islam's graduate students is researching the issue. From a potential victim's perspective, the hack might seem easy. Fortunately, though, there are many factors a potential hacker would have to consider, like the keyboard layout.

 

"Does it have the special numerical bar on the right side? Does it have this audio icon on the top?" Islam said.  

 

This hack may be a work in progress, but there are plenty of other cybersecurity concerns already in circulation.

 

MORE TO HACK, MORE TO LEARN  

 


 

A study still popping up online reports hackers attacked every 39 seconds – but that study was conducted in 2007. That was the year the first iPhone was released, and before the wide adoption of smart speakers, video doorbells and other household items connected to the internet.

 

"The only secure device is one that is turned off. And they're not even sure of that," said Dr. Mahmoud Quweider, associate dean of the UTRGV Department of Computer Science and professor of computer science. "There are so many ways nowadays that hackers can get into your system."

 

Global spending on cybersecurity totaled $3 trillion in 2015 and is expected to double by next year, according to Cybersecurity Ventures. To help meet the growing demand for a skilled workforce, UTRGV started offering a bachelor's degree in cybersecurity this fall.

 

Quweider said the university has been building an Internet of Things lab since last spring. Internet of Things, or IoT, refers to devices that are connected to the internet, such as smartphones, garage doors, watches, refrigerators and weight scales.

 

"We have two labs actually,” he said. “We have a cybersecurity lab and we have the Internet of Things lab." 

The IoT lab will simulate realistic scenarios where students can work, and will include Raspberry Pis, 3D printers and other devices.

 

Quweider said people shouldn't forget the impact of internet-capable items.

 

"It's a lot of convenience, but it's also a lot of responsibility in terms of protecting your system," he said.

 

In one example of leaving a system vulnerable, a casino forgot to protect its fish tank, which connected to the internet for monitoring and automated feedings. Hackers used the fish tank to send data to a server in Finland.

 

PATCHING SECURITY GAPS

 

"We only consider the security as an afterthought," Islam said. "The security has to come in the first place."

 

But even when security flaws are found and fixed, security patches can't protect a system that hasn't been updated. Even large systems managing transportation and public utilities could become vulnerable by simply having outdated software.

 

"It might also happen they’re still running Windows 7, and Microsoft stopped giving updates for Windows 7," he said.

 

But it’s not just updating your device's operating system. Individual software also needs to be kept updated.

 

Islam said the risk of cyberattacks on computers at home has increased during COVID-19, as multiple family members may be using the same devices. One person's lapse in keeping the computer secure from attacks would make the rest of the family vulnerable, as well.

 

For people wanting to avoid all these risks, Islam has some simple advice: "Do not connect to the internet. That's the best advice I could give you." 

 

PASSWORD-PROTECTED?

 

That isn’t very practical these days, though. There are bills to pay, online classes, health records to access, and much more. So, avoiding the internet entirely becomes a difficult – if not already impossible – option. In many cases, a password is the only security accounts have. And given that "123456" continues to be one of the most common passwords, most people don’t have much in the way of cybersecurity.

 

It's even less secure for those who reuse, on a credit card or bank website, a password from another account that was already part of a data breach. You might not care about an old Yahoo or T.J. Maxx account, but if the log-in works on other websites, hackers might still be interested.

 

Related Link: Have I been pwned? - Check if your account was compromised in a data breach 

UTRGV cybersecurity faculty recommend using different passwords for different sites.  

 

"That's my policy, always. My financial institutions, they have a different structure in the password than my personal one, then my gaming one and my social media one," Quweider said.

 


 

He recommends using password management software.

 

"It's a software that literally generates the password. It generates very, very large random passwords that are amazingly hard to figure," he said.

 

When using such software, a person only has to remember the main password for the program.

 

NOT-SO-SECURE QUESTIONS

 

If you have trouble remembering passwords, you've probably used a password reset option that usually involves answering security questions. But the answers to those security questions might be in plain sight, thanks to social media.

 

Questions often include: What's your high school mascot? What city were you born in? What was your first car?

 

"I feel this is bad practice, bad design," said Dr. Lei Xu, UTRGV assistant professor of computer science. "If you set your Facebook to public, then everyone could learn the information there, and they could reset the password."

 

A tip for users is to answer security questions with unrelated answers. For example, what was the model of your first car? Peanut butter.

 

Xu uses a more unstructured approach.  

 

"I just randomly type on my keyboard, but that also creates some trouble for me if I forget my password and want to reset it," he said.

 

It's a trade-off, he said.  

 

"If you want high-level security, you need to sacrifice some convenience, so you have to balance it yourself," Xu said.

 

EXTRA LAYER OF SECURITY

 

The UTRGV cybersecurity faculty recommend using two-factor authentication (or 2FA), a security option growing in use. In addition to a password, a second factor is used to verify the account owner. That second factor can take multiple forms, including a code pushed to your phone, a key plugged into a USB port, or a fingerprint scan.

 

More sites, like cloud storage services, are offering two-factor authentication. Cloud storage allows people to put data – like photos – on a company's servers, so a user can access it on demand from any computer or smartphone with an internet connection. 

 

Dropbox, a popular cloud storage service, encouraged users to enable two-factor authentication, after 68 million of its user credentials were exposed.

 

But even with two-factor authentication, Xu cautions people about using cloud storage systems.

 

"The best practice is not to store your photos to the cloud, to any cloud storage system," he said. "If you want to utilize the cloud storage system, we have a bunch of open-source software you can download and store on your own machine. Then this software can help you to encrypt your data before sending it to the cloud service. You can protect your data pretty well."

 

Oddly, while the steps you take to protect your data can sound and be complicated, hacking doesn't have to be. A hacker doesn't have to outsmart a complicated computer system. All it might take is fooling one person.

 

Tip: Use two-factor authentication when possible.

 

SOCIAL ENGINEERING: GO PHISH AND OTHER GAMES

 

"The other day, my wife tells me, 'Oh, you know, I just received an email from my principal. She's asking me to go to Target or somewhere to buy her a gift card.' I told her, 'Let me see.' And the first thing, I looked at the email. It says her principal’s name but… that's not her email," Quweider said.

 

He told his wife to ignore the message, which was trying to get gift cards by pretending to be someone she knows. "You have to be very watchful," Quweider said, because it is easy for people to confuse an email address from an organization with a similarly named one from outside the organization.

 

The email was a phishing attempt. Sometimes the email impersonators request money, gift cards, personal information or confidential information. Phishing is one type of social engineering. In general, social engineering is when a person interacts with someone else to get confidential information.  

 

Quweider said that, in some cases, a person may call a potential victim and pose as someone from IT conducting maintenance to get information.

 

Islam, the assistant professor, said a person trying to steal information could also impersonate a potential victim and get a company's customer service to help reset a password. The impersonator could pretend to be in distress and not have access to his or her usual devices in order to get access to a victim’s account.

 

“And customer service may not have fully understood what they’re trying to achieve,” he said.  

 

As Assistant Professor Xu summed it up, “Humans are probably the most vulnerable factors in the whole system.”

October is Cybersecurity Awareness Month, and presents an opportunity to check if you’re using web services and internet-connected devices securely. To learn how to stay safe and protect your data, visit staysafeonline.org.

 

To learn more about the UTRGV Cyber Security Degree Plan, visit the UTRGV Cyberspace website.


