Pamela Gupta asked the audience at a recent Cyber Security Seminar at the Easton Public Library what percentage of the Internet they thought that emails, banking, corporate networks, and websites occupy.
“The upper 4%,” Gupta told the two dozen or so residents who turned out to learn how to keep their families safe in an increasingly dangerous and interconnected world. “The rest is the darknet or the dark web, which is very much the underlying component. I suggest you look up the darknet. I don’t mean to scare you.”
“They are scared,” co-presenter Richard Colangelo said. As well they should be, based on the number and sophistication of cyber crimes targeting Internet users. “I almost didn’t show up tonight,” he said. “I won the Nigerian lottery.”
Colangelo, who is chairman of the Easton Board of Police Commissioners, was referring to one of the scams most people have encountered in their email. The fact that these scams keep popping up shows they work for the criminals who ask people to send their personal banking information in return for a huge payoff that never comes, he said.
Gupta, founder and president of Outsecure Inc., a cybersecurity firm that helps businesses avoid falling victim to Internet predators, and Colangelo, Stamford state’s attorney, described the hacktivists, organized crime syndicates and nation states that seek to steal personal, corporate and government information. Both are parents of students at Joel Barlow High School, and both also have younger children.
They offered steps people can take to prevent their children or themselves from falling prey to the downside of the Internet of Things, where everything from home appliances to cars, personal gadgets and medical devices is connected. Colangelo said he hasn’t heard of any pacemakers being hacked, but since they are monitored online, it’s probably a question of time.
The so-called dark web is the part of the World Wide Web that is accessible through overlay networks, which use the public Internet but require specific software, configurations or authorization for access. Users of the dark web refer to the regular web as Clearnet because of its unencrypted nature.
Hacktivists, such as WikiLeaks and Anonymous; organized crime, such as drug markets, pedophiles and sex traffickers, looking to steal people’s money; and nation states, seeking bigger goals, use the darknet to do their dirty work.
Millions of people have had their personal information compromised as a result of cyber attacks on businesses like Yahoo, Target and Anthem, to name a few.
“Last year we saw the first security alert for cars,” Gupta said. “What is it that we are protecting? Who is out there on the Internet?”
She explained the importance of protecting personal information, which is any data that can be used alone or in combination with other facts to identify, locate and contact an individual. Name, email address and age are some of the sensitive information, in addition to Internet Protocol address or biometric data. Sensitive personal data, such as medical information and Social Security number, has been classified as deserving additional privacy and security protections.
“If they get your credit card you can get a new one, but you can’t get new dental records, which is why insurance fraud has added value,” Gupta said.
Personal information can be sold for anywhere from 10 cents to $25 on the dark web; medical information can go for as high as $200.
Gupta and Colangelo advised parents to be aware of social media and gaming sites their kids might visit and to warn their children against giving out information to strangers.
It’s important to understand where sensitive information is getting collected and where it can get compromised, they said.
After the Target breach, the company gave affected customers free credit monitoring, but that’s not enough to avoid future problems, Gupta said. She advised against ever clicking on links in emails, which is where most breaches occur.
The links can slip a virus into the computer, which can steal contacts and learn logins and passwords. They can discover banking, doctor’s or dentist’s contact information and surreptitiously coax people to reveal personal information by telephone or email.
She urged people to install strong anti-spyware software on their computers, not just the free kind that is readily available.
“Phishing is the biggest return on investment,” she said. Criminals can install tracking devices that obtain the victim’s credentials and use them to log in to legitimate sites.
“The best thing is to go and check your credit report to make sure no one has opened an account in your name,” Colangelo said. “Companies like Credit Karma offer free credit report monitoring.”
Still, the biggest impact of cyber fraud is on businesses, which have to offer free credit monitoring to affected customers, pay back losses incurred by customers, clear their names, and pay for lawyers, she said.
Investigative task force
Through his job as state’s attorney, Colangelo leads a cyber investigative task force that covers eight towns from Stamford to Weston, and he was able to add Easton, because he lives here. The task force, which is connected with Homeland Security and the Secret Service, conducts computer and cell phone forensics.
The task force has investigated cases involving public libraries, police departments and school systems that have been hacked. Some organizations have been hit by ransomware, a cyber crime in which criminals gain access to the organization’s computer system — or someone’s personal computer — and demand a sum of money with the threat that they must pay or lose access to all the information.
“No one is going to call and tell you something is wrong with your computer unless they want you to pay them money,” he said.
The best way to defend against such an attack is to conscientiously back up data so that if a threat is made, the information can be accessed without having to pay a ransom.
A popular scam that keeps going around is directed at grandparents. A criminal pretending to be a grandchild says he has gotten in trouble and needs help getting out and doesn’t want his parents to know. He appeals to his grandparents to send money to get him out of a jam.
Another cyber crime Colangelo has encountered involves women who fall in love with someone online. When the person comes to meet them, the person demands money or threatens them.
“Has anyone gotten a call from the IRS to say they owe money?” Colangelo asked. Several hands shot up. Enough people pay to make it worthwhile for the scam to continue, even though the IRS doesn’t contact people that way, he said.
Colangelo said he got an email claiming he owed money to PayPal. Trouble is, he doesn’t have a PayPal account, and names were misspelled on the email, another common tipoff that something isn’t right, he said.
Library Director Lynn Zaffino, who attended the seminar, said she has received an email that pretends to be from UPS and advises the receiver to click on a link to be able to pick up a package. The link contains spyware, Gupta said. Fortunately, Zaffino didn’t take the bait.
Always go to the company website and access the information there rather than clicking on a link, Gupta and Colangelo advised.
Gupta further advised using a different computer for online banking, not the same device as is used for searching the Internet, which is vulnerable to spyware and tracking devices.
Top cyber safety actions
Gupta offered some final advice for staying safe online:
- Buy products that are secure. It’s worth it to pay more and to let manufacturers know that protecting sensitive information is important. This is all the more critical now that Congress rolled back Obama-era protections that required Internet service providers to get permission before tracking users’ personal online data, which they can now do without permission.
- Install operating system security updates, which close security vulnerabilities.
- Regularly run anti-virus software.
- Prevent identity theft: Think before you connect, click or post.
- Use firewalls and Web content filtering tools.
- Use and protect strong passwords. Use two-step verification when possible. Never keep default passwords that come with a piece of equipment, such as a router.
- Back up important files.