Local

People too trusting when it comes to their cybersecurity, experts say

Butler Community College instructor Brett Eisenman teaches a cybersecurity class to Mitchell Kelly, left, and Connor Brewer at Butler’s Andover campus. (Sept. 10, 2014)
Butler Community College instructor Brett Eisenman teaches a cybersecurity class to Mitchell Kelly, left, and Connor Brewer at Butler’s Andover campus. (Sept. 10, 2014) The Wichita Eagle

As a child, not that long ago, Connor Brewer played video games hour after hour.

But in the tricky tech world we live in now, Brewer with his laptop and lopsided grin may soon be the guy who saves us from the bad guys.

Brewer is a 19-year-old sophomore at Butler Community College, a self-described loner and tech geek.

By age 12, he was writing his own codes. In high school, he and other kids he knew used desktop computers to crawl repeatedly through networks run by adults who assumed they were secure.

Today he’s what technologists call a white-hat hacker, hacking legally for companies that pay to find their own security holes. When Bill Young, Butler’s chief information security officer, went looking for a white-hat hacker, he hired Brewer, though Brewer has yet to complete his associate’s degree at Butler.

White-hat hackers, or “ethical hackers,” as they also are called, are a rapidly growing industry, Young said.

He says we are all going to need them.

The bad guys are getting a lot better at robbing us.

Young and savvy

In techno-jargon, illegal hackers are “black hats,” Young said.

Butler’s security system comes under attack several times a week, Young said. Around the world, most companies, agencies or schools face that same challenge.

Many of the new breeds of criminals are young – even kids – tech-savvy and raised on games. Hacking is an adrenaline rush to them, Brewer said.

They attack government agencies – all of them – for fun, Brewer said.

Brewer and others like him are hired by companies to deliberately attack a company’s security network. These companies pay bounties if the white hackers find security holes. “Pen testing,” they call it, for “penetration testing.”

Young has repeatedly assigned Brewer to hack into Butler’s computer system. “He finds security problems,” Young said. “And I patch them.”

College jobs experts say cybersecurity students like Brewer will in the future make a great deal of money – six figures, some of them.

“He’s a great guy, driven and ethical,” Young said of Brewer. “And he’s going to have a great future.”

Ethics, privacy, theft

We have collectively created as much data in the past four or five years as was created in the entire previous history of mankind, said Khawaja Saeed.

Saeed researches electronic commerce and teaches data communications, networking, programming and computer information systems in the Barton School of Business at Wichita State University.

A lot of that new data got thrown up on the Internet, on the cloud. But security for all that cloud data has lagged behind tech achievements, said Saeed and Murtuza Jadliwala, who researches and teaches ethics, trust, privacy, security and computer technology at WSU’s College of Engineering.

As a sheriff’s officer in Sedgwick County’s Exploited and Missing Child Unit, Brett Eisenman used to pursue criminals who used technology to create child porn. Now he instructs a new generation of people to protect us from Internet robbery and “malicious people.” He teaches cybersecurity to Brewer and other students at Butler Community College.

Many of us behave irresponsibly, he said. We don’t change our passwords, and we don’t learn enough about our electronic devices or how they interact with the networks we use. Above all, we are way too trusting, he said.

Many business people, he said, still don’t understand the risks. “When the (information technology) guy walks in, the boss just looks upon him as an extra expense,” he said.

“Bosses think we’re just money pits,” Young said.

“That’s a mistake.”

Way too trusting

Saeed and Jadliwala say Eisenman is right and that the dangers will become more severe in the next five years. That’s when the “Internet of Things” becomes a more established fact, Jadliwala said.

“Everything from your refrigerator to your electric meter – many things you own are going to be to be cyber-enabled in the next five years,” Jadliwala said. “You will see so much more wireless data available out there – and so many more entry points for bad guys.”

Advertisements tout using your smartphone to raise your garage door, Saeed said. “But if I hack into that, I can get in your house,” he said.

Some of us will even wear clothes that will wirelessly tell our doctors what our vital signs are. And hackers everywhere will tune in, Jadliwala said.

It might make your utility company’s management more efficient to make your electric meter cyber-enabled, he said.

And that means it’s communicating your data wirelessly.

“But what prevents a robber to stand outside, within 100 meters or so, with a radio receiver and figure out from your meter whether anyone is in the house or not?”

We are all too trusting, Jadliwala said. We’ve all seen headlines that should make us more careful.

Hackers penetrated Apple’s cloud service and stole and posted private photos of celebrities, including Jennifer Lawrence and Kate Upton.

Worse than that, Jadliwala said, tens of millions of people saw their private credit card information compromised by hackers who breached security at Target, Home Depot and Goodwill Industries.

“Every scan you make with your credit card gives people your name, credit card number, expiration date, everything.”

How do they know?

It’s not only about our money. He said we don’t ask questions that we should ask about all this technology taking over our lives.

Facebook gives you tools to (supposedly) tailor-make who gets to see your posts, your photos, your thoughts, your life.

“But who are Facebook employees most loyal to?” Jadliwala said. “To us? Or to Facebook?”

His wife recently wanted to download a game on her smartphone. To enable the game, she had to type in her “location.”

“Why would a game need your location?” he said.

Corporations seem to put us at risk without enough thought, he said. They put our private information onto the cloud without asking our permission. And then their data miners analyze our information and target us for ads.

“I buy airline tickets to Dallas,” he said. “And after that, I get advertisements online for hotels in Dallas.

“How do they know I’m going to Dallas?”

Do hackers now know when he is going to Dallas? And what days he won’t be at home?

Costing millions

Most malicious people in technology do simple things that nevertheless fool victims, Saeed said.

They send out malware that creates viruses; they use malware to turn computers into “zombies” that send spam.

Advanced hackers are multiplying worldwide, Saeed said. And they’ve learned how to hack in and embed key logging software, which enables them to record every keystroke their victims make.

He told his own version of the vacation horror story: “You do your bookings,” Saeed said. “If I have access, I know what your plans are. And I have your business trading account. So when you go on vacation and have less access to your own accounts and are more vulnerable, I can try and get money out of your account. This has has happened many multiple times.

“At the corporate level, it’s worse. They install key logging and get access to banking records.”

Many businesses, in spite of security laxness cited by experts, really are worried; they are spending millions more every year on security. And last year, top leaders from 9,600 businesses (30 percent of them from companies worth more than $1 billion in annual revenue) answered security questions posed by a group of technology magazines, Saeed said.

Most of the companies reported that they’d suffered numerous sophisticated network attacks, some costing tens of millions of dollars.

The Global State of Information Security Survey criticizes businesses in its conclusions, saying many businesses we rely on are “defending yesterday” rather than today’s sophisticated threats. But the survey also points out that security spending jumped 51 percent among the surveyed companies from 2012 to 2013.

Big businesses have more resources to fight theft and other attacks, Eisenman said. But small businesses often lack the money and expertise.

Got a virus?

People with tech talent are guaranteed, even in this subdued economy, to get good jobs.

Saeed said the tech major he teaches at WSU has had a 100 percent job placement record in the past two or three years.

Brewer already has a job helping Butler protect its network.

Mitchell Kelly, who sat next to him in Eisenman’s cybersecurity class this past week, is a 21-year-old Wichitan with a full-time job already working with computers for the Goddard school district while completing college.

Eisenman is right, he said. People need to pay a lot more attention to their own cybersafety.

Not long ago, Eisenman went to pay his bill at a barbecue restaurant.

“They said there might be problem with your card,” the woman at the register said. “We’ve had trouble with our system; we’ve got a virus for the last week. Or something.”

“I’ll pay cash, then, please,” Eisenman told her.

Eisenman rolled his eyes, telling this story.

A computer virus? For a week?

Maybe you’ve got hackers trying to steal, he said, and maybe you shouldn’t wait a week to figure that out.

“It’s not just the networks we need to fix,” Young said.

“It’s the people.”

Reach Roy Wenzl at 316-268-6219 or rwenzl@wichitaeagle.com. Follow him on Twitter: @roywenzl.

Related stories from Wichita Eagle

  Comments