FBI agent addresses business group about cyber threats, protections

by Aric Mitchell ([email protected]) 1,086 views 

Federal Bureau of Investigation (FBI) Special Agent Jason Frankenberger encouraged the use of two-factor authentication and stronger passwords along with better employee education programs in Tuesday’s (Feb. 20) Cyber Security Symposium presented by the Fort Smith Regional Chamber of Commerce and Talk Business & Politics.

Addressing community business leaders and IT professionals from the Chamber’s Board Room on Garrison Avenue, Frankenberger shared insights from his experiences tracking cyber crimes and security threats in the Northwest Arkansas area.

Frankenberger graduated from the University of Arkansas with a computer engineering degree in 2003. He began with the FBI three years later and has worked in the Memphis, Dallas, and Fayetteville field offices.

While acknowledging two-factor authentication is not foolproof, enacting it “won’t cut out your problems 100 percent, but it probably will 99 percent of the time.” Frankenberger said that was because the process — which requires a user name and password as well as another factor the user usually has on them, such as a random numeric code sent to the user’s phone via text — embraces security protocols that go beyond the capabilities of the average hacker. That’s why companies like Facebook, Dropbox, and Google have embraced it, he said.

Aside from that, encouraging individuals to employ stronger passwords is a must. Frankenberger encouraged longer passwords that also utilize numbers and special characters, noting that the average five-character password can take hackers an average of 19 minutes to crack.

“If offering WiFi to customers and employees, this BYOD (bring your own device) environment is more like, ‘Bring Your Own Disaster.’ They can hook on to your company’s WiFi and create vulnerabilities. Just make sure that if you offer public WiFi, that network is segmented off from the rest of everything else you’re doing,” Frankenberger said, pointing out that Northwest Arkansas has moved to open WiFi in all parks.

“I can’t imagine what’s sitting on those networks,” he added.

EMAIL THREATS
Of the common threats that he has seen while working on cyber security, Frankenberger said clicking on email attachments or links from outside sources remains an issue, fueled along by the fact that many fraudulent emails can appear to be from reputable sources.

Federal Bureau of Investigation (FBI) Special Agent Jason Frankenberger

“We had one company that told us it was not abnormal to get invoices from a company, and they ended up with a ransomware infection when they clicked on the attachment, so be very very careful about that,” Frankenberger said, adding that another case involved a small municipality reaching out after a piece of ransomware had seized all their files.

“They called us on a Thursday, and the ransomware had been going through their network, and all of their HR files were encrypted. It’s a small city. People are not going to eat Friday night if they don’t get their paychecks. Luckily in that case, they were paying a backup service, so they were able to revert back to the previous day.”

Email appears to be a particularly vulnerable threat to cyber security in other ways as well, Frankenberger said, noting that scammers can figure out major company executives and compromise their email addresses to make requests for payment or wire transfers to other members within their organization, a scheme that defrauded one Northwest Arkansas company out of around $600,000.

The lesson: “Establish protocols within your bank or organization when doing wire transfers. Make sure requests are going out from the actual person and not someone appearing to be that person,” Frankenberger said, adding that an executive’s response to an employee asking for verification should not be, “Yes, I told you to do that,” but “Thank you for asking.”

CRYPTO-JACKING
On the latest hacker trend of “crypto-jacking,” or a scammer hacking into a network to mine for cryptocurrency, Frankenberger said a bad actor could get onto a victim’s WiFi and then use their server and/or computer along with the enormous amount of electricity often required for cryptocurrency mining.

A second crypto-jacking approach is through the appearance of advertising.

“You know when you go to a website, there are the ads to the side that say, ‘Come buy my stuff, come buy my stuff?’ Well, they’re not doing ads anymore, but using your computer to mine for Bitcoin.”

Frankenberger said the FBI was “not seeing a ton of it, but that’s going to be something that’s up and coming. In six months, we could be having a different conversation.”

Mining for Bitcoin, according to Morgan Stanley, can cost anywhere from $3,000 to $7,000 per coin in electricity, and in 2017, consumed 36 terawatt hours, or the same amount of electricity used in the entire country of Qatar.

APPLE VS. ANDROID
Lastly, Frankenberger touched on protecting one’s device, noting that a major factor in protecting one’s phone is “Where do you get your apps?”

“I was shocked when the FBI handed me a Samsung, but they lock down our apps. The iPhone runs all apps through one App Store, and they vet all their apps. It’s interesting because I’ve seen statistics that say the iPhone is actually more vulnerable (to hacking), but the lock on the App Store is so tight you can’t install anything (outside) on it, where, on the Android side of the house, anything goes.”

As a result, Frankenberger said Apple products are probably the safest bet for the general user to “stay out of trouble,” but for more advanced users, “people who want to get in there and mess with stuff,” Android is the best way to go.

“At the end of the day, it really depends on who’s using it, and what they’re using it for,” Frankenberger said.