The Eugene Neighborhoods Preparedness Network looked at resiliency during cyberattacks.
[00:00:05] Randy Prince: Welcome to the March meeting of the Eugene Neighborhoods Preparedness Network. We are aiming to help our neighbors identify when we are going to have to be our own help in the case of a disaster, something that shuts down and overwhelms the system.
[00:00:20] We’ve talked about lifelines such as the power system in regards to wildfires, and the emergency warning systems, the alert systems. Tonight, our topic is going to be on cyberissues: The Internet.
[00:00:35] John Q: Cybersecurity specialist Seth Woolley.
[00:00:38] Seth Woolley: I’m Seth Woolley. And I’ve been asked to give a brief rundown of neighborhood cybersecurity issues.
[00:00:42] So in disasters, they’re either natural or artificial. In Oregon our main natural disaster, as you all know, is earthquake, flooding, fires, and things like that. In an artificial disaster, it would be some form of terrorism or foreign military attack or occupation or cyberattack.
[00:00:57] I actually rate these as quite a bit lower risk than a natural disaster.
[00:01:00] What most people may not realize is that nations are in constant cyberwarfare. There aren’t actually cybersoldiers trained and not acting. Instead, they constantly act: China’s espionage, targeted attacks on corporations; North Korea’s attacks on critics of government; Russia’s ransomware attacks, infrastructure attacks, election disinformation.
[00:01:20] The United States does it too with deep packet inspection and espionage, and also Israel will do infrastructure attacks and the NSO Group attacks and autocrats will also do, they’ll do this domestically. They’ll do dissident espionage, firewall and deep packet inspection.
[00:01:34] But in many ways, in regard to infrastructure, cyberattacks are more difficult than physical attacks. It’s that it’s easier to harden computers than to repair fundamental errors in the built environment. So you may think it’s easier, but because it’s so easy to patch, that can fix—they can react a lot quicker.
[00:01:50] This is why we’ve only really seen limited success in infrastructure cyberattacks. It does happen, but it’s rare. Iran and Ukraine are notable victims. The U.S. has spent a lot of money in Ukraine, beefing up their systems before the war, which is why we have seen Russia not so easily attack them this time around.
[00:02:08] …Oregon has few military targets— the Oregon National Guard, Umatilla Weapons Depot— things like that. Attacks on factories would be possible, such as the Intel D1X Fab. And if we’re not occupied, these could behave more like natural disasters, except with more precision. The scope would be fairly limited to military targets unless we’re in total war.
[00:02:28] John Q: Seth said we can all take steps to make our home computer networks more secure.
[00:02:32] Seth Woolley: It’s important to have proper security hygiene for your home network. Some good practices are to keep everything patched with regular security updates for all devices, and to use encryption properly for all your wireless networks.
[00:02:44] For personal devices, the recommendations are to turn on tracking and wiping—remote wiping as well as encryption—and never store any personally identifiable data on a device that can’t be fully encrypted and managed. For personal devices, I always disable the location of remote tracking and wiping.
[00:03:01] Personal behavior is also important. So don’t get phished. Even if a message is not suspicious, go directly to them, rather than via a message with an embedded link. Don’t give important numbers to anybody unless it’s for credit verification. For example, if somebody identifies you by your Social Security Number, make sure they know you’ll not be giving it to them, and escalate to their manager until they give up on that.
[00:03:22] Lock your accounts with the credit bureaus and consider using multiple emails and phone numbers for different security levels so they don’t even know your important email addresses. For account passwords for critical accounts, any with financial implications, use long unique passwords with sufficient entropy to avoid brute force attacks, write them down and store them in a fireproof safe. For the especially critical ones, commit them to memory. You can use pass phrases to help you memorize. That’s like long words, sets of words, rather than characters.
[00:03:52] Remember that it’s better to remember your password than to rotate your passwords. People who have to change passwords frequently, often choose weak ones. And if your password is ever compromised, virtually nobody sits on your password without abusing it right away. And two-factor authentication helps in case passwords are compromised in any case.
[00:04:08] Social media is a common attack vector now as well. And it’s great for targeting people who may have something an attacker wants— certain kinds of job, empty home, oversharing personal data for use and account takeovers. To protect yourself, don’t share any personal details. Opt out of location tracking, disable internal app browsing. Go through the privacy settings and lock them down. Don’t use it for signing into other accounts, like ‘Login as Facebook’— use your own email instead.
[00:04:34] John Q: We should also block Internet advertising.
[00:04:37] Seth Woolley: I have a family member that worked in like the Internet advertising world. And so I know how insecure that whole system is. So I, for security reasons, just would block it all. I just don’t consider it secure at all. And every time you go to a website and you leave ads on, it goes to an ad network and the ad network then analyzes everything about your connection, everything they can get from your browser to determine whether or not to give you an ad. They don’t even need to deliver an ad to, to get information from you. If you knew how it worked, you’d be shocked at how ridiculous our data privacy system is in the United States.
[00:05:16] So what Europe’s doing with the General Data Privacy Regulation, GDPR, is amazing. And many companies in the United States have implemented part of those rules just because they also work in Europe. That’s helped many of the larger corporations in the U.S. to allow you to delete your own data and filter and things like that, but we don’t have any regulations that would protect you the same way Europe does.
[00:05:39] John Q: As a cybersecurity specialist, Seth conducted white hat testing to find vulnerabilities in popular software. When he found one, he would share his findings with the developers.
[00:05:50] Seth Woolley: One of my vulnerabilities I found was in WordPress in 2003, I found three different holes in it. And I was the first person to look at WordPress. It took them years. I talked to them, they didn’t want to institute my changes that would make it long-term better, but they eventually did about eight years later. They refactored everything, made it more secure. And now it’s much harder to break into a WordPress site. It’s the plugins that people install that people can break into. But most people don’t run like random WordPress plugins though. So it’s getting better.
[00:06:23] John Q: The complete slides are available from ENPN. Your Eugene Neighborhood Preparedness Network is also looking for website helpers.
[00:06:32] Randy Prince: We do have website plans in the works and we’d like to be a good information-sharing network for the different neighborhoods. Don’t hesitate to email us with word of skills you might have to offer in this area.