Research into cybersecurity: Careful now…
Apostolis Zarras, cybersecurity expert at UM’s Department of Data Science and Knowledge Engineering (DKE), talks about his research into cybersecurity, why humans are the weak link and – topically enough – malware attacks.
In the wake of the momentous cyberattack on Christmas Eve last year, UM held a symposium sharing the lessons learnt with the public. In the opening statement, vice president Nick Bos revealed details about the hack and the consequent events to internal stakeholders, journalists and representatives of the public and private sector. Among other things, Bos touched upon how public funding and university budgets don’t sufficiently factor in a relatively new threat like cybercrime, which is, after all, a billion-euro industry.
While pointing out that UM performs comparatively well and successfully fends off around a thousand cyberattacks per day, Bos also conceded that there is room for improvement when it comes to awareness. “I’m sure we could have done better,” DKE cybersecurity expert Apostolis Zarras agrees, “if not to reduce the likelihood of being successfully targeted then maybe to limit the potential damage.”
UM as well as other universities have to find a way to navigate the trade-off between security and convenience with regard to collaboration and mobility. Essentially, the ethos of security frets against that of openness. “You can never be 100% secure obviously – that would mean an offline system with its own electricity supply, encased in concrete, under the sea floor…”
Meaty risk factor
“Potential risk factors are unpatched systems: if you don’t update them for long enough, they become increasingly vulnerable to attacks.” By far the greatest risk factor though is you. “No matter how secure a system is, at some point a human has to interact with it.” And that’s where it often goes wrong – a careless click, using the same password for different systems, etc.
“Education is really important – at least the cybersecurity basics: don’t open mails, URLs or attachments from messages you don’t expect or that seem dodgy to you. Always update all your machines, also your phone and tablet, and make offline backups, etc.” Zarras also suggests using a password manager rather than using the same password or variations of the same password for different accounts and systems.
Apostolis Zarras is assistant professor at the Department of Data Science and Knowledge Engineering at Maastricht University. He coordinates the research area cybersecurity. He holds a Ph.D. in IT Security from the Ruhr-University Bochum and conducted postdoctoral research at Technical University of Munich before joining UM. His research interests include systems, network, and web security.
Nick Bos during UM's symposium detailing the lessons learnt from the cyber attack
What is ransomware?
“Ransomware is a type of malicious software that tries to infiltrate a system, encrypts data, and demands a ransom in exchange for making the data available again. Often, and especially in cases of a large-scale attack, the ransomware will attempt to cover its traces, so that it can operate and spread undetected to connected systems, and only reveal itself at the very last moment. Sometimes, it also piggybacks on other malicious software, such as a keylogger, which collects an administrator’s passwords and tries to get onto other systems if the passwords are the same or similar.”
Another common threat is phishing. “That is, for example, a website that looks like the login page of your bank and asks you for your password. That’s why banks now have a two-factor authentication system: you log on and then receive an SMS message with an additional code, or the like.”
In his research, Zarras thinks about cybersecurity in a much broader sense though. “Think about things like children revealing their location to whomever, or cyberbullying, or fake news threatening the democratic process – it affects all of us in some way.” The answer, again, must be education: “Children from as young as five or six should be introduced to online security.”
Occupational therapy for Nigerian princes
His research has borne some very practical fruit too: Zarras has developed software to identify malicious email in the hope of detecting and preventing the spread of malware. Before the EU had established the GDPR, he had already looked into how we can create self-destructing data to make sure companies can’t store our details for longer than necessary or agreed to.
In a similar vein, he was involved in an EU project to help protect medical data. Zarras and one of his PhDs have also turned their attention to phishing emails that try to coax victims into giving up their bank details in exchange for a share of e.g. an inheritance. The Nigerian prince is a classic of the genre.
Zarras designed a chatbot that would engage the criminals behind the emails in conversation – and not just for a laugh. “Essentially you can send these emails to millions of people, the only thing that’s not so easy to scale is the interaction with potential victims. If our bots can engage the criminals, then they can’t convince people to share their details during that time.”
Crooks and nations
Who are the online baddies then? A quick perusal of cybercrime stock photos would suggest young Russians with hoodies hacking green ones and zeros into the black screen on a laptop in a basement. But Zarras suggests it’s more complicated than that: “The location of the server or where the bank account is registered doesn’t say much about the nationality of the perpetrators.”
You don’t need to be a programming genius to be a cybercriminal either, but the level of sophistication is staggering, especially when it comes to cyberattacks sponsored by nation states. Rather than fingering Iran, North Korea or China, Zarras points to the Stuxnet computer worm that targeted industrial control systems of Iranian nuclear facilities.
Another recent example is the CIA and BND, Germany’s Federal Intelligence Service, secretly operating the Swiss encryption technology company Crypto AG, which they purchased via a law firm in Liechtenstein. For 50 years, they manipulated encryption machines, effectively to spy on the more than 120 countries who bought the company’s hardware for embassies, administrative offices and government institutions.
The operations were referred to as Rubicon and Minerva respectively – presumably whilst stroking a hairless cat in a swivel chair… But, as Zarras points out, regular users should probably be more immediately concerned about their own cavalier attitude towards cybersecurity – from sharing data with social media networks to surrendering privacy through consenting to cookies when browsing the web.