DKE cybersecurity research

Research into cybersecurity: Careful now…

Apostolis Zarras, cybersecurity expert at UM’s Department of Data Science and Knowledge Engineering (DKE), talks about his research into cybersecurity, why humans are the weak link and – topically enough – malware attacks.

In the wake of the momentous cyberattack on Christmas Eve last year, UM held a symposium sharing the lessons learnt with the public. In the opening statement, vice president Nick Bos revealed details about the hack and the consequent events to internal stakeholders, journalists and representatives of the public and private sector. Among other things, Bos touched upon how public funding and university budgets don’t sufficiently factor in a relatively new threat like cybercrime, which is, after all, a billion-euro industry.

While pointing out that UM performs comparatively well and successfully fends off around a thousand cyberattacks per day, Bos also conceded that there is room for improvement when it comes to awareness. “I’m sure we could have done better,” DKE cybersecurity expert Apostolis Zarras agrees, “if not to reduce the likelihood of being successfully targeted then maybe to limit the potential damage.”

UM as well as other universities have to find a way to navigate the trade-off between security and convenience with regard to collaboration and mobility. Essentially, the ethos of security frets against that of openness. “You can never be 100% secure obviously – that would mean an offline system with its own electricity supply, encased in concrete, under the sea floor…”

Meaty risk factor

“Potential risk factors are unpatched systems: if you don’t update it for long enough, it becomes increasingly vulnerable to attacks.” By far the greatest risk factor though is you. “No matter how secure a system is, at some point a human has to interact with it.” And that’s where it often goes wrong – a careless click, using the same password for different systems, etc.

“Education is really important – at least the cybersecurity basics: don’t open mails, URLs or attachments from messages you don’t expect or that seem dodgy to you. Always update all your machines, also your phone and tablet, and make offline backups, etc.” Zarras also suggests using a password manager rather than using the same password or variations of the same password for different accounts and systems.

Florian Raith

Nick Bos during UM's symposium detailing the lessons learnt from the cyber attack

What is ransomware?

“Ransomware is a type of malicious software that tries to infiltrate a system, encrypt data, and demand a ransom in exchange for making the data available again. Often, and especially in cases of a large-scale attack, the ransomware will attempt to cover its traces, so that it can operate and spread undetected to connected systems, and only reveal itself at the very last moment. Sometimes, it also piggybacks on other malicious software, such as a keylogger, which collects an administrator’s passwords and tries to get onto other systems if the passwords are the same or similar.”

Another common threat is phishing. “That is, for example, a website that looks like the login page of your bank and asks you for your password. That’s why banks now have a two-factor authentication system: you log on and then receive an SMS message with an additional code, or the like.”

In his research, Zarras thinks about cybersecurity in a much broader sense though. “Think about things like children revealing their location to whomever, or cyberbullying, or fake news threatening the democratic process – it affects all of us in some way.” The answer, again, must be education: “Children from as young as five or six should be introduced to online security.”

Occupational therapy for Nigerian princes

His research has borne some very practical fruit too: Zarras has developed software to identify malicious email in the hope of detecting and preventing the spread of malware. Before the EU had established the GDPR, he had already looked into how we can create self-destructing data to make sure companies can’t store our details for longer than necessary or agreed to.

In a similar vein, he was involved in an EU project to help protect medical data. Zarras and one of his PhDs have also turned their attention to phishing emails that try to coax victims into giving up their bank details in exchange for a share of e.g. an inheritance. The Nigerian prince is a classic of the genre.

Zarras designed a chatbot that would engage the criminals behind the emails in conversation – and not just for a laugh. “Essentially you can send these emails to millions of people, the only thing that’s not so easy to scale is the interaction with potential victims. If our bots can engage the criminals, then they can’t convince people to share their details during that time.”

Crooks and nations

Who are the online baddies then? A quick perusal of cybercrime stock photos would suggest young Russians with hoodies hacking green ones and zeros into the black screen on a laptop in a basement. But Zarras suggests it’s more complicated than that: “The location of the server or where the bank account is registered doesn’t say much about the nationality of the perpetrators.”

You don’t need to be a programming genius to be a cybercriminal either, but the level of sophistication is staggering, especially when it comes to cyberattacks sponsored by nation states. Rather than fingering Iran, North Korea or China, Zarras points to the Stuxnet computer worm that targeted industrial control systems of Iranian nuclear facilities.

Another recent example is the CIA and BND, Germany’s Federal Intelligence Service, secretly operating the Swiss encryption technology company Crypto AG, which they purchased via a law firm in Liechtenstein. For 50 years, they manipulated encryption machines, effectively to spy on the more than 120 countries who bought the company’s hardware for embassies, administrative offices and government institutions.

The operations were referred to as Rubicon and Minerva respectively – presumably whilst stroking a hairless cat in a swivel chair… But, as Zarras points out, regular users should probably be more immediately concerned about their own cavalier attitude towards cybersecurity – from sharing data with social media networks to surrendering privacy through consenting to cookies when browsing the web.
