WORDS: Erica Husting GRAPHIC: Tram Nguyen VIDEO: Jenna Watson
When California College of the Arts junior Emily Smith logged into her Facebook account one morning in November 2012, she knew something was wrong.
Chat windows were open in mid-conversation with friends she had not spoken to since she had crossed the Atlantic and traveled abroad for the semester.
By the time Smith realized her account was compromised, it was too late.
Someone posing as Smith and using her personal account had initiated conversations with friends claiming Smith was in danger and needed money.
She never found out why or how the attack happened.
Smith is not alone.
Twenty one percent of Internet users have had an email or social networking account compromised or taken over without their permission, and 11 percent of Internet users have reported having their important information — such as their Social Security number, bank account information or credit card information — compromised according to a Pew Research Internet project titled “Online Identity Theft, Security Issues and Reputational Damage.”
In addition, the study found young adults 18 to 25 years of age are more likely to experience problems of cyber crime, which means Cal Poly students are just as vulnerable.
While there has been recent attention on cybersecurity following wide-scale data breaches and President Barack Obama’s proposed “cybersecurity framework,” the issue of cybersecurity has always been relevant, according to assistant computer science professor Zachary Peterson. But that relevance has increased because of the vast interconnectivity to the Internet, he said.
“The Internet provides a lot of great things. It is essentially in my left hand. I have all of human knowledge, essentially,” Peterson said. “But it also brings people from far reaches of the globe immediately close together. And not everyone has the best intent.”
Through machines connected to the Internet, attackers aim to find unknown weaknesses — known as vulnerabilities — and exploit them to do something they weren’t intended to do, Peterson said.
By taking advantage of these weaknesses, attackers can breach systems, retrieve and access personal information or exploit vulnerabilities for money or more information, Peterson said.
Cyber attacks range in types, methods, complexity and numbers, but can broadly be considered on two extremes, said Ryan Matteson, technology strategist for Information Services/Office of the Chief Information Officer.
Every day, every hour of every day, we are getting attacked on our network.
“There is this psychological-style attack of tricking you as a person, and then this technology-style of an attack, which is taking control of your device,” Matteson said.
Falling under the psychological-style attacks are attacks called social engineering, where the hackers use a personal element to trick users, Matteson said.
“I know something about you, I know just enough about you to trick you into doing something for me,” Matteson said. “In that case, I am trying to get information — information that gives me money, information that gives me access to something.”
One of the most common types of social engineering attacks is phishing, he said.
“We all see these emails saying, ‘Put in your bank account number’ or ‘Respond back for this amazing offer,’” Matteson said. “The trend now is more out of email and more into Facebook and Twitter and all of these social networks where you have some more established trust.”
In technology-style attacks, attackers exploit vulnerabilities in software and reach out past a user’s web browser and take control over the device without the user’s knowledge, he said.
“You go to websites. Maybe you try to just go to trusted websites, say Yahoo!,” Matteson said. “But guess what? The attackers are trying to break into Yahoo!. They may be buying advertising space and inserting bad stuff into the advertisement … If your browser is not up to date, just by downloading that ad, attackers can take control of your computer.”
In addition to the fact that attacks can vary in complexity, styles and methods, another challenge Internet users face are the invisibility of attackers, Matteson said.
“If someone steals your information, it’s not like you look somewhere and ‘poof,’ it’s gone,” Matteson said. “You still have that, but they may have taken something of value you never even see that unless someone is looking out for you or you are trying to understand what is happening.”
Agricultural business sophomore Corinne Madison was in Robert E. Kennedy Library when she received a text message from her bank notifying her there was a large overdraft from her account.
When she logged into her bank account online, she found her checking and savings accounts wiped clean from a $1,000 charge at a Michael’s store in Oklahoma.
Until that notification from her bank, Madison was unaware her debit card information had been compromised. The investigation into the attack is ongoing, but Madison still doesn’t know how it happened.
Cal Poly’s networks are not exempt from these attacks.
“Every day, every hour of every day, we are getting attacked on our network,” Matteson said.
According to Matteson, Cal Poly sees attacks from not just the United States but around the world, most notably Russia, Ukraine, Germany and China.
Each month, there are hundreds of thousands of attacks against the campus over the networks of various types — some are obvious, but other attacks are very subtle because they, for example, resemble the actions of students simply accessing a website, Matteson said.
Though it is impossible to fix all vulnerabilities and prevent all attacks, Cal Poly focuses their attention on protecting personal, sensitive information including payroll services or student records.
On the user side, students can help keep their information safe and even prevent attacks by being aware and alert.
After having her Facebook account compromised, Smith gained a new sense of awareness when using the Internet.
Now as extra precaution, Smith uses different passwords for different sites and accounts and is extra careful who she gives her information to online.
“That whole instance made me realize that these accounts are not as secure as I thought,” Smith said. “Before, I thought this happened when someone wasn’t careful, but it really could happen to anyone.”