JSU improves cybersecurity in light of February breach

By Marie McBurnett

Special to The Chanticleer

Jacksonville State University is instituting changes in the way it handles data on its server due to a security breach in February – but it could have been worse.

Vinson Houston, JSU’s chief information officer in the information technology department, said in an interview that it is one of his department’s responsibilities to ensure data – including everything from fraternity affiliation to credit card accounts – stays out of the hands of potential threats.

“We do the programming and maintenance for the centralized software the university uses to run its day-to-day operations that students utilize to pay their bills, manage their accounts and those type things,” Houston said.

The university currently has two firewalls: a primary firewall that faces outward and an internal firewall that faces in to protect enterprise data.

Thomas Madden, a retired federal Chief Information Security Officer for the Centers of Disease Control, compared computer firewalls to what firewalls were before the computer era.

“Original firewalls are in vehicles. They are in between the engine and the driver. Computer firewalls are the same way,” Madden said in an interview. “They stop attacks from coming in from the outside, and they aren’t bulletproof.”

Houston said the university pays around $90,000 to $100,000 for its firewall.

In February 2016, JSU student and faculty information was published on a website which stated it was untraceable. The website included pictures, classification, birthdays, organizational affiliations, student numbers and addresses of current students, graduates and faculty.

While JSU’s Department of Information Technology and law enforcement had tracked down the website publisher and shut down the website in less than a week, the university could suffer from decreased reliability in cybersecurity.

According to a study conducted in June 2016 by the Ponemon Institute, the largest financial downfall to an organization after a security breach is the loss of trust between the business and its customers. The study also highlighted the root causes of data breach and some major positive and negative factors that influence the cost of breaches.

Factors that decrease costs of a breach per capita:

  • Incident response team ($16)
  • Extensive use of encryption ($13)
  • Employee training ($9)
  • Participation in threat training ($9)
  • BCM involvement ($9)
  • Use of DLP ($8)
  • CISO appointed ($7)
  • Board-level involvement ($6)
  • Data classification schema ($5)
  • Insurance protection ($5)

Factors that increase cost of a breach per capita:

  • Provision of ID protection (-$3)
  • Consultants engaged (-$5)
  • Lost or stolen devices (-$5)
  • Rush to notify (-$6)
  • Extensive cloud migration (-$12)
  • Third party involvement (-$14)

The breach in February did not include much more than directory information, but the university began implementing a few strategies listed by the Ponemon institute study, including security consultants and employee training.

“We are currently working with a security consultation firm to help us improve our security posture,” said Houston.

According to him, the university and the firm began a relationship a few months ago. He declined to give the name of the companies involved and the cost of the consultation and evaluation. He said this was the first year JSU has consulted for security evaluation and it looked like it was something they would take part in on an annual basis.

A cybersecurity consultant can cost “a couple thousand if you hire someone fresh out of college,” said Madden. He said that for a more renowned consultant, it can cost $50,000 or more per year.

“We work with multiple companies,” said university counsel Sam Monk in an email. “We have consulted with one firm that surveyed practices and procedures to help us identify any operational matters that should be addressed.”

The company’s report and the cybersecurity plan that will follow will only be discussed on a “need-to-know basis,” said Monk. The email went on to say the firm JSU hired was an Alabama company that has a “special knowledge of issues peculiar to higher education applications, processes and regulatory requirements.”

These companies, according to Madden, employ white hat hackers – hackers who break into networks to reveal weaknesses – to attempt to penetrate a system remotely, after which they are known as a “trusted insider.” Once these hackers get inside, Madden said, they try to increase their privileges in order to create their own account. If they achieve that, they have free rein of the system.

In addition to testing penetration, JSU’s consultants also “reviewed different policies and procedures and looked at adding additional training,” said Houston.

Another responsibility of the consultants was to hold different social engineering projects.

Houston said the consultants who visited the campus would plant storage devices with malware on them. The hackers could then “sit at the back of your computer and watch you” if someone plugged it into a computer.

Houston said they could attempt to phish users by sending emails from jsu.com or from a JSU-linked email account.

“They went in different offices to see kind of what’s going on, or they were lost or looking for something and they would observe and drop a flash drive to see what happens,” Houston said in reference to the white hat hackers.

“A lot of it falls back on employees and how they manage data they have access to,” said Houston.

According to a study published by Symantec in April 2015, universities are one of the top targets for security breach.

Madden attributed this to the day-to-day data flow.

“A lot of people use the same network every day,” he said. “Universities are a waypoint for stolen documents and it gives the adversary deniability. With the data flow, it acts like camouflage.”

Madden also said with all the credit card accounts linked to university’s networks, there is a “treasure trove” for hackers.

According to Symantec’s research, while the education sector was at the top for incidents of security breach, it was near the bottom in identities exposed. This could mean that hackers are looking for something other than identities to steal.

“We’ve been more fortunate than all our peer institutions,” Houston said in reference to the number of JSU’s breach occurrences. “Part of that could be we aren’t really a research institution.”

He said that targets for hackers are institutions that research diseases and have other trade secrets that may be desirable to someone else.

“If you look at the number of instances we’ve had compared to the number of instances they’ve had, theirs has been far more disruptive, being the type of information exposed,” said Houston, also pointing out JSU has not had a full-time staff dedicated to cybersecurity like other institutions.

Houston said the incident in February was not as bad as it could have been.

“You don’t want people’s photos out there and their home addresses and their classification, but that goes back to a matter of an internal compromise,” he said. “We had some student workers that had their credentials exposed. And as a result, that allowed this person to gain access to the system, to allow them to extract some information that otherwise he would not have had access to.”

Someone familiar with the incident said they knew both students arrested in connection to the security breach. One of the people arrested was a juvenile, and due to Alabama law, is subject to anonymity. Another student, Kurt Nilsson, 21, was arrested for hindering prosecution of the case.

“As far as I knew, they were just friends. I saw them hanging out a lot,” the source said. “It was generally accepted that Kurt gave his password over, whether he knew what the other fellow was planning on doing, I don’t know, however, my impression was not that he was coerced or that the information was taken.”

When asked how they knew that Nilsson gave up his credentials to the juvenile, the source said “he was fired, and then it was in the paper that he was arrested.”

Nilsson, according to the source, was a residential assistant in Dixon Hall at the time of the breach.

“JSU turned the case over to state and federal law enforcement agencies,” Monk said in his email. “We can make no comment on the status of the case.”

Monk did not know who Nilsson was and Houston declined to answer specific questions about the people involved in the case.

“Our IT team put together pieces of a story and the pieces started to fit,” Houston said regarding the investigation to find the person behind the website. “We gathered non-technical information and saw what made sense.”

Asked whether there was a connection between the security consultation and the breach in February, Houston said: “Absolutely. We wanted to respond aggressively to identify any areas of weaknesses.”

In addition to the security firm, Houston cited FERPA training as an effort to educate employees of the university about the information they have access to and what information they can legally give out.

“If you have a key to the front door, I don’t care how good your alarm system is, and hackers know that,” said Houston, referring to internal threats to cybersecurity.

“Everything runs on computers and chips,” said Madden. It’s possible to hack into a network through an air conditioning unit or a copier, he said.

“You could have the best security system in the world, and at the end of the day you can get hacked,” said Houston. “You just have to do such things to show diligence, to show that you’re making a best case effort to protect your clients, which in our case is our students.”

Connecting with technology: devices that do everything

As a lover of technology, I often find myself trying to decide which devices I actually need. As I write this, I am literally surrounded by my toys. There’s a smart watch on my wrist, a smartphone and tablet on the desk next to me, and I write from my 2-in-1 laptop as the desktop sits idly in the other room. Of course I also have my PlayStation Vita nearby in case I decide some procrastination is in order.

In day to day life, it honestly does not feel like I have all that much. However, once it is listed out I definitely feel that there may be a little too much. I’m still trying to clear out the clutter and wanted to remind the others suffering from gadget overload that they are not alone.

It is strange that so many devices are marketed as all-in-one, multipurpose, jack of all trades machines, and yet none of them offer a truly complete solution. In my case, each device I listed above serves a very specific purpose compared to all of the others.

My cell phone is the one device I can expect to have with me 100% of the time. In my case, it’s my camera (though I wish I also had a dedicated camera), it’s my music player, it’s good for a quick web search when I’m out and about.

Unlike my phone, my tablet has a very specific set of uses. First off, it is almost exclusively used at home. It’s an 8.3 inch tablet so it is reasonably portable, but in most cases my phone is just easier to get to. Because my tablet is only used at home, it is my web browsing companion and ultimately my go-to media consumption device. More than anything, my tablet is a comic book reader. I read news on my tablet, I watch videos on my tablet, browse social media, and other things of that nature. I could admittedly do all of this on my phone, but having the larger screen just makes things easier especially while I’m relaxing on the couch. This allows my phone to stay on the charger at home.

Now we get to my 2-in-1 laptop which is a recent addition. I tried using my tablet for productivity but it just did not work. What I found was that multitasking on an Android tablet just isn’t very great. Samsung has some offerings that make multitasking a little better, but still ridiculously far away from a traditional desktop operating system. Now I use my 2-in-1 to take notes and write assignments. It is my dedicated school machine. I don’t use it as a tablet often, but having the touchscreen is definitely helpful.

Where does that leave the desktop? Honestly, even if I am at home I hardly touch it. I like to consider it my fail-safe. With the desktop, I don’t need to worry about a battery or charger, I just sit at the desk and get to work. Because desktop storage and components are cheaper, it is home to the majority of my media. Most of my desktop sessions are ridiculously brief.

With so many devices around me, I find it easy to get lost and distracted. Dedicating a specific purpose to each device made it far easier for me to focus and get the best use out of my many electronics. I game exclusively on my gaming consoles, use my tablet for consumption, and laptop for creation. This system has worked great so far but of course I’m always looking for improvements. If you are feeling overwhelmed by the number of devices around you, you should consider repurposing them. It could breathe new life into something you already have as opposed to going out and buying something new.

Myron Jones
Technology Columnist

Ride the Yak: Yik Yak becomes hit craze on campuses across the nation

The anonymous social media app known as Yik Yak has been sweeping college campuses across the nation since last summer. To date, students on over 1,600 campuses use Yik Yak to share opinions, vent frustrations and elicit the occasional helping hand.

Furman University students Brooks Buffington and Tyler Droll created Yik Yak in November of 2013.

“They thought, ‘Why doesn’t everyone have this power to reach out to their community and say what’s on their mind?’” said Ben Popkin in an exclusive interview with The Chanticleer last week. Popkin is the lead community manager for Yik Yak, and his department manages aspects such as customer support, press releases and overview and monitoring of the Yaks.

“[They wanted] a way to give everyone an equal playing field and an equal voice,” said Popkin.

For students with the app, an “equal playing field” is not necessarily the first thought that comes to mind. While there are gems to be found (What student doesn’t appreciate Patrick Star’s voice in their head when they read, “We should take Stone Center and push it somewhere else,”) they are often hidden underneath scores of Yaks looking for one night stands or raging parties.

And, of course, not everyone is fond of Yik Yak. Many people, especially those who work for or have children in high schools, see the app as just another medium for cyberbullying. In fact, several high schools from Connecticut to California petitioned Yik Yak to ban the app in middle schools and high schools during the app’s early days.

Yik Yak’s response was geofencing, a software feature that blocks the app from being accessed within 1.5 miles of a high school.

“We recognize that with any social media there’s a likelihood for misuse by certain small groups, [but] we see it mostly used the way we intended it to,” Popkin said. “Occasionally, like all social media apps, we don’t have 100% perfect use on college campuses. They’re mostly mature. The good stuff gets upvoted and the bad stuff gets downvoted, so usually the bad things get rid of themselves.”

In regards to the threats of violence that have shut down high school and college campuses alike, Popkin said, “It is an anonymous social media site, but being anonymous doesn’t give people the right to make threats. It’s like any other social media site. If threats are made and the police get involved, we have to comply.”

And then there’s a more recent controversy. Yik Yak has been accused of systematically downvoting all Yaks containing a competing app’s name, such as Fade and Sneak, even if it is completely out of context. For example, if someone were to Yak, “Who wants a sneak peek of the Southerners’ 2015 show?”, an algorithm would detect the word “sneak” and automatically downvote the Yak once every minute until it disappeared.

“Yik Yak’s security and anti-spam measures are meant to improve the user experience and aligns with Yik Yak’s goal of creating beneficial social communities,” Popkin said. “The company recognizes the importance of constantly improving the technology to ensure users are having the best possible experience on the app.”

Yik Yak recently contacted The Chanticleer about JSU’s Yik Yak feed, stating that it has become one of the most active campuses in the region.

“JSU is a good community,” Popkin said. “It’s a good, close college campus. You guys kind of came together and bonded over that [snow day]. You guys really use the app in the way it’s meant to.”

So, there’s something for you to yak about, Gamecocks!

Katie Cline
Staff Writer

Spinning the wonderful World Wide Web wider

One of the latest trends in electronics is the Internet of Things. Internet of Things is all about expanding the use of the Internet beyond human to computer interaction. Instead, the Internet of Things sees the Internet as a method of better connecting people to the world around them. With the rise of cloud computing, this is becoming increasingly possible. Many devices have already started adding Internet connectivity but is it really for the better?

Some of the main applications for increased connectivity are already available. These include smart TVs and smartwatches. The promise of such devices is that the increased connectivity gives you enhanced performance and extra convenience at the cost of a higher price tag.

Smart televisions are essentially your typical TV with additional computing components built in. Many Americans are no longer subscribing to cable services, and instead use internet streaming for their entertainment needs. Most smart TVs support Netflix, Hulu, and YouTube among other services, but they still cannot handle as wide of a variety of tasks as a smartphone can. Smart TVs also don’t have anything close to the strength of an actual computer. Because of this, it is actually more practical and cost effective to buy an extra device that gives your existing television the features a smart TV would have in addition to others. Such devices include Apple TV, Google Chromecast, Amazon Fire TV Stick, or even your gaming consoles. Supplementing your television with one of the above devices is both more cost effective than purchasing a smart TV and more versatile.

Wearables are another large focus in adding connectivity. In just the past couple of years, the market has become filled with a wide assortment of wearable technology that is meant to bring us closer to the Internet. The Pebble smartwatch, Google Glass, Android Wear devices, and fitness trackers such as the Fitbit Surge are currently available. The Apple Watch and Microsoft’s HoloLens are wearables that have been announced but not yet released. Unlike smart TVs, I feel that wearables actually add something significant. The benefit of wearables is that you can always have them just as you would your smartphone. Some wearables offer information at a glance, while others offer a completely new way to interact with the world around us.

Smart TVs and wearables are not the only devices to enter the Internet of Things. There are even lightbulbs, such as LIFX and Hue from Philips. Wemo offers an assortment of devices that connect to your other devices for both automation and notifications. There are smart washing machines and dryers as well. These devices aren’t meant for everyone, because there honestly is not much of a need. However, some people may be overwhelmed with joy at the realization that they can receive an email when it’s time to start a new load of laundry.

As a fan of automation, I think the more internet-connected devices we have access to, the better. However, the major factor is price point. If companies are charging a premium for internet connectivity as seen with most smart TVs, the Internet of Things will never catch on. Connectivity needs to be a feature as opposed to a selling point.

Myron Jones
Technology Columnist

JSU student creates life-saving app

JSU student Andrew Green and Dr. David Thornton (Department Head and Associate Professor of Computer Science) have been developing an emergency training app entirely from scratch.

“The app is going to be used for training the students at the Center for Domestic Preparedness in Anniston,” Green explained.

“It will allow one person to oversee all of the trainees on one screen. I created the map of the training facility that the operator will see. The idea is to be able to monitor the trainees and make improvements on how they function,” Green said.

“For example, a group of firefighters would be one squad, and in that squad 4 members. The operator could relay information on the building to the squad, so they would be better suited to stop the fire. The operator might tell 2 of them to go to rear of the building because the fire spread there. Or he might say that the building holds flammable or hazardous materials.”

As of now, Green and Dr. Thornton have been referring to their app in progress as the “Squad Tracker,” but have not made the moniker official yet.

“We are going to continue to improve it this semester,” Green said.