Interviews

"People need to be more computer literate to avoid traps set by cybercriminals"

 

La foto: David Megas

29/04/2020
Rubn Permuy
"When teleworking, we must not store sensitive data on our home computers"
David Megas, director of the Internet Interdisciplinary Institute (IN3) and the K-riptography and Information Security for Open Networks (KISON) research group

 

Cybercriminals are taking advantage of the COVID-19 crisis to attack our digital devices. Being at home for a long time, we are spending more time online and are thus more exposed to the risks involved. We have talked about it with researcher David Megas. He is a Computer Science engineer and PhD who completed his education in the Department of Engineering Science at the University of Oxford. He joined the UOC in 2001 and is currently director of the Internet Interdisciplinary Institute (IN3), a UOC research centre, and principal investigator of the K-riptography and Information Security for Open Networks (KISON) group. KISON specializes in researching the security and privacy of networks and information, areas they develop as part of national and international research programmes. Megas is also one of the experts involved in the Criminal Use of Information Hiding (CUIng) initiative, which works in cooperation with the Europol European Cybercrime Centre (EC3).

 

What is cybersecurity?

It's an umbrella term which encompasses all issues relating to the protection of computer systems, the information circulating in them and digital communications.

Are people knowledgeable enough to understand how it affects them?

Even though the general public are informed of the risks and vulnerabilities of systems connected to the internet, I don't believe they are fully aware of the protection measures they should be taking. I think domestic users need more practical training so that they know how to protect themselves.

What type of cyberattacks are we vulnerable to?

These include phishing and massive attacks against broad targets to acquire information that allows cybercriminals to profit in some way, usually economically. Malicious spam mail campaigns give them access to data such as email addresses and bank details, which can be used in further phishing operations or sold to databases. Another example is ransomware: so, for instance, you get an email about the coronavirus, you open it, click on a link or open an attached file and your computer is infected. The next you know you have cybercriminals demanding that you pay a ransom to regain access to your files.

To what extent are these malicious practices effective?

Malicious campaigns work statistically. Authors know that there's a percentage of users, albeit a small one, that will fall for them. And the more people they hit with these campaigns, the greater the impact and the more data and money they can get. That's why, with the pandemic, as more people are logged on for longer, there is more chance of these malicious actions being successful. So, given that everyone is watching out for information on COVID-19, it's quite likely that if the subject line of a bulk email mentions the illness, a large number of people on the receiving end will fall prey, as this is an issue that gains everyone's attention.

What precautions can we take?

Well, first of all, we must be aware that organizations such as government agencies do not request details from users in emails. If you receive an email from an official body asking for personal information, it's probably a hoax. We must be sensible, ask ourselves how they normally contact us and distrust anything that doesn't seem to be official, even though it tries to look as though it is. Be suspicious of any email from an unknown sender and make sure they are who they say they are. Check the email domain is the usual one, such as .es. Sometimes, if we look at the names that accompany suspicious email addresses, they don't appear dangerous until we look into the real address they've come from, which has a bizarre alphanumeric format.

Shouldn't email servers be enough to detect this type of mail and put it directly in the spam folder, for instance?

Spam mail works statistically. The anti-spam and anti-phishing filters on our email servers work just fine most of the time, but they can fail and let the odd malicious mail through. And that's exactly what cybercriminals play on. If, for every 100,000 users that receive a malicious message, only 1% fall into the trap, that's 1,000 users affected. Of the 1,000, if 100 open it and then click on the malicious link, that's a result. These types of attack are designed to target a large number of users.

Are mobile apps also a source of danger?

In general, apps sold on official market apps like Google Play and the App Store have been reviewed and are safe. They may have legitimate advertising purposes. However, if we download an app from outside the official market, we leave ourselves open to attack. If you're not sure, don't install any app that is not from an official store.

The lockdown has meant more teleworking: does that mean a risk for companies?

Organizations that do not usually work remotely may not have protected infrastructures and may be unprepared, in terms of cybersecurity, to ward off attacks. Adapting systems in a matter of days is not easy, nor is it sufficient to take the necessary steps to prevent vulnerability. One of the major risks for companies is the data being handled. At this time, workers are accessing sensitive company information from their home computers and process it without complying with regulations such as the General Data Protection Regulation. We must be extremely careful with data and save it only exceptionally and temporarily on our home devices. The safest thing is to avoid copying data on devices outside the company network.

What type of data is most sensitive in a cyberattack?

One example is employee data handled by human resources departments. This information, kept on domestic devices that do not have sufficient protection, could fall prey to malware and be sent to remote servers. The risk can be high and we must be aware that at home we do not have the same protection measures as at work. This can be hard for organizations to anticipate, but it must be borne in mind and employees should be warned about making copies of sensitive information.

You are one of the experts working with the Europol European Cybercrime Centre: are we seeing a rise in cyberattacks that is cause for concern?

We are aware of attacks related to the current crisis, which is unprecedented, but we don't believe there is exponential growth of cybercrime, at least not so far. There has been an increase in certain types of attack, particularly phishing, and many of these expeditions use COVID-19 as bait to attract their victims.