It was a week of unsettling cybernews.
A record number of Californians – 18.5 million – were exposed to data breaches in 2013, a staggering sixfold increase from the previous year, according to a report released Tuesday by state Attorney General Kamala Harris. The U.S. will likely suffer a “major” cyberattack within the next 10 years that will cause widespread harm and threaten the country’s financial and government institutions, says a survey of 1,600 computer security experts released Wednesday by the Pew Research Center and others.
And in Sacramento, the local FBI office announced Monday it’s opened a new hotline, urging consumers and businesses to report instances of cyberintrusions.
Clearly, we’re all vulnerable. But there are ways to protect yourself. This week, FBI Special Agent David Rubel in Sacramento answered questions from The Sacramento Bee about cybercrimes and what consumers and businesses can do to protect themselves. Here’s an excerpt:
Your office recently announced its new hotline where consumers and businesses can report attacks and get help from the Sacramento FBI’s cybercrime squad. What prompted the dedicated hotline?
The FBI’s mission is to bring cybercriminals to justice. We want to connect with the public. We feel there’s a lot more crime out there than is being reported to us. We’re very willing to investigate the crime, if they’ll call us. If they are the victim of cybercrime or know someone who’s been a victim, we want to hear from them. (The Sacramento FBI’s “computer intrusion and cyber-tip” hotline is (916) 977-2297.)
So many cybercriminals appear to be operating from overseas, in Eastern Europe or Asia. Is it really possible to catch the bad guys?
Absolutely. There are cybercriminals everywhere. We know they are in Sacramento. We want the public to report (incidents) so we can hunt these people down.
What kind of cyberattacks are most common?
They’re up to everything. The top three: stealing bank account and other financial information (hacking into someone’s computer and installing a keylogger to acquire account passwords); extortion schemes (hacking to steal nude or compromising photos, then demanding money or more photos by threatening to send them to a person’s entire contact list or office email); denial-of-service attacks (bombarding a business’s website or computers with high-volume nuisance requests that render the system inoperable).
You’ve also cited phony emails as a common problem.
Spear phishing is a very big issue. It’s the preferred method of hackers getting into your computer. It’s spoofing an email to somebody so that the recipient thinks it’s from a trusted source. If you’re Company A and always do business with Company B, you’ll open an email with an attachment (that looks like it’s legitimate) saying “Please open and let me know what you think.” As soon as it’s opened, malicious code is executed, which gives the attacker access to that (computer) and the entire network. … You really have to verify that everything you’re opening is coming from the person it’s purported to be.
(FBI spokeswoman Gina Swankie cited a media report of a small pizza business in Colfax that recently received an email with what appeared to be a résumé attached. It actually wasn’t a résumé, but a file that contained malicious code. Once the file was opened, it executed the code and locked up the business’s computer. The cybercrooks then demanded a $2,000 payment in bitcoins to undo the damage.)
(In a larger case, a group affiliated with the global hacking group Anonymous infiltrated the computer systems of Sacramento-based cybersecurity firm HBGary Inc. and others, stealing thousands of account details and posting private company emails. In 2012, six perpetrators were charged in federal court in New York.)
What are some of the basic tips to protect your computer?
Keep your software updated. Apply your computer’s security patches as soon as they become available. Use a reputable antivirus scanner (Norton, McAfee, AVG, Microsoft Security Essentials, etc.) and keep it updated. When you update your software and install a virus scanner, it’s the same as eating your vegetables and getting a flu shot. It’ll boost your immunity, but it won’t guarantee you’ll never get sick.
Practice safe use of the Internet. Be careful of what you download. Just as you should be cautious about wandering around in a park at 2 a.m., be cautious about wandering around on questionable websites. That means anything off the beaten path: gambling, pornography sites, etc. You’re more vulnerable. … The back recesses of the Internet are less likely to be regulated, and they’re places where people are less likely to report malware or bring it to the attention of law enforcement.
How extensive is Sacramento’s cybercrime team?
We have an entire cybersquad dedicated to these investigations. The team includes special agents, intelligence analysts and a computer scientist, along with other professional staff to investigate computer intrusions. The capabilities of the team enable us to reverse-engineer attacks, analyze data and examine patterns. … The cyber task force works with investigators from the CHP, the Air Force, the National Guard … and 55 other FBI field offices throughout the country. It’s a united army: local assets plus those with whom we can collaborate virtually.
Protecting yourself against cybercrooks
It’s inevitable that most of us will be targeted by a data breach that exposes our personal or financial information to cyberthieves. To protect yourself, here are some tips from the FBI and state attorney general’s office:
Use strong passwords: Make them at least 10 characters long and use a mix of upper/lowercase letters, symbols, numbers and punctuation. Don’t use dictionary words or those that are easily identifiable, such as your dog’s name. Use passwords based on a phrase, song or book title. For example, “I love tropical sunsets” becomes “1luvtrop1calSuns3ts!”
Be fortified: Use a firewall on your computer. Keep your operating system’s security patches up to date. Don’t use an outdated computer OS – such as older versions of Microsoft’s Windows XP – that no longer carry security updates.
Shut off computers: When you’re done using your computer, power it off. A computer that is “always on” is more susceptible to intrusions. Turning a computer off severs an attacker’s connection.
Back it up: Back up all computer files and data on a separate hard drive. This is especially crucial for small businesses that could lose critical data.
Data breaches: In California, all companies are required to send consumers a letter if their data has been acquired by unauthorized users. If letters are sent to more than 500 individuals, a sample is posted on the state attorney general’s website, where anyone can access the content. To see the state’s list, go to oag.ca.gov and click on “Data Security Breaches.” There’s also information on what to do and whom to contact if your personal information has been exposed in a data breach.
Sources: FBI, www.oag.ca.gov