
Into the Breach

18 | RESEARCH | FALL 2018


As cyber threats ramp up at home and around the world, Georgia State researchers are working to uncover how online criminals operate — and how to keep people, businesses and governments safe.

BY CHARLES MCNAIR | ILLUSTRATIONS BY SAM PEET

The City of Atlanta awoke to a real-life nightmare on March 22, 2018. Overnight, unknown cybercriminals had attacked municipal government computer systems. At 5:40 a.m., when early-bird customers tried to pay their water bills, the system failed to respond. Atlanta Police Department officials tapped keyboards in frustration, unable to process reports. The ransomware attack clogged sewer infrastructure requests and brought the gavel down on local court proceedings.

“This is much bigger than a ransomware attack,” said newly elected Atlanta Mayor Keisha Lance Bottoms at a hastily convened morning-after press conference. “This really is an attack on the government, which means it’s an attack on all of us.”

Using SamSam Ransomware, the cybercriminals likely entered a vulnerable city server, then introduced their own encryption program. It unriddled passwords on desktop computers, garbled data and created chaos. The city received a ransom note demanding six Bitcoin (cryptocurrency worth about $50,000 at the time) in exchange for a key to remove the encryption and return the data to normal.

Some victims of ransomware attacks quickly pay to make the problem go away. Cybercriminals often target hospitals, where administrators may decide that a hushed payment outweighs the grave risks that encrypted data might pose to patient safety.

Atlanta refused to pay. Instead, the city mobilized the Federal Bureau of Investigation (FBI) and cybercrime experts. It took days to assess system damages and bring operations back to normal.

Ten months later, a federal grand jury charged two men in Iran with the Atlanta crime and others. The attackers allegedly carried out a 34-month cybercrime spree that raked in $6 million in ransoms and cost some 200 victims an estimated $30 million in reparations. Along with Atlanta, the Iranian duo allegedly hit the Port of San Diego, the City of Newark, N.J., and medical centers.

Although the Atlanta attack cost the city millions and made international news, it represents just a fraction of the global impact of cybercrime, whose scale is nearly unimaginable. In February 2018, the Center for Strategic and International Studies, a think tank based in Washington, D.C., and McAfee, a cybersecurity company, issued a study that appraised the cost of cybercrime at $600 billion annually, a number approaching one percent of the total global economy.

The report estimates that two-thirds of people online, or more than two billion individuals, have had their personal information stolen or compromised. Between 300,000 and a million viruses and other malicious software products are created every day. Corporations and organizations suffer more sophisticated attacks — and in full public view. Expensive, image-damaging incidents have occurred at Equifax, Marriott, Yahoo, The Home Depot, Target Stores and Facebook, among hundreds of other organizations.

“Cybersecurity is changing because the world is changing,” says Richard Baskerville, Regents’ Professor in the J. Mack Robinson College of Business’ Department of Computer Information Systems. “It’s a great challenge for us not just to protect information systems, but to protect the entire digital world those systems are creating for us.”

The Researchers

Richard Baskerville, Regents’ Professor, Computer Information Systems

David Maimon, Associate Professor, Criminal Justice & Criminology

William Joseph Sabol, Professor, Criminal Justice & Criminology

Yubao Wu, Assistant Professor, Computer Science

Donald Edward Hunt, Postdoctoral Research Fellow, Criminal Justice & Criminology

Developing Smarter Security

Learning more about how to intercept cybercriminals can’t happen fast enough. The rise of “smart” gadgets has turned everything from door locks to TVs into targets for hackers. And as every aspect of life becomes increasingly digitized, even voting systems, medical networks, power grids and military weapons are vulnerable to cybersecurity threats.

In 2017, Georgia State University announced an initiative to address issues of cybersecurity and public policy in two vital sectors of the nation’s (and Atlanta’s) economy — financial technology and health information. The initiative is funded by Georgia State’s Next Generation Program, which aims to build research of strategic importance to the university, and combines talent housed in the Robinson College, the Andrew Young School of Policy Studies and the College of Arts and Sciences. The goal: to better understand the technical — and human — challenges of cybersecurity.

David Maimon, associate professor in the Andrew Young School’s Department of Criminal Justice and Criminology, is head of the Evidence-Based Cybersecurity Research Group. He and his colleagues seek a stronger factual platform for cybersecurity decision-making.

“Companies spend a lot of money on cybersecurity, yet we can’t really say whether these tools or policies are making us more protected,” says Maimon. “That’s because we lack solid evidence about their effectiveness at reducing the susceptibility of breaches from outsiders or insiders in organizations.”

Maimon doesn’t fault corporations, manufacturers and governments for being slow to tackle the dangers posed by cybercrime. However, he points out that as technological innovation ups the security ante at blistering speed, cybersecurity defenses, and decisions based on them, increasingly risk failure.

In February 2019, he and his collaborators brought together some 30 local chief information security officers and cybersecurity experts and asked them to think about potential ways of measuring the effectiveness of tools and policies they use in their daily operations.

“We gained some insights about the issues that companies are dealing with,” says Maimon. “Now we are in a better position to tailor experiments and other data collection efforts that local industry and government could leverage.”

Baskerville, who is also part of the Evidence-Based Cybersecurity Research Group, is studying what’s called a cyber kill chain, a framework developed by Lockheed Martin to describe an attacker’s activities, to pinpoint when and how cybercrime can be stopped.

One aspect of the kill chain is deception, in which attackers pretend to be authorized system users in order to gain access.

“In the animal world, there are natural examples of deception, such as a gopher snake pretending to be a rattlesnake by shaking its tail,” he says. “But here in the cybersecurity world, it’s more like a rattlesnake pretending to be a gopher snake.” Good deception on the part of an attacker can increase the security burden. Defenders have to find every system vulnerability and correct it. Attackers only have to find one.


Cybersecurity 101

You can’t make yourself 100 percent hacker-proof, but you can help protect your personal data by adopting these four simple safeguards.

Quit using predictable passwords. Data breaches have given criminals information about how people typically construct their passwords, and hackers can use a combination of guesswork and algorithms to test pretty much every permutation of your kids’ names, the year you were born or other typical password tricks (like “pa$$w0rd”). Avoid standard password templates, use a different password for every website and change your passwords often.

Pay attention to those “software update is available” notices. When you’re hard at work, stopping to update or patch your software may seem like an annoying time-suck. But software updates aren’t just for cool features or faster run-times; they also introduce security fixes that can make you less vulnerable to hacks.

Read your email like an English teacher. If you get an email that seems suspicious — say, from your bank asking you to verify a transaction — read it carefully. Grammar and spelling mistakes are tell-tale signs of fraudulent emails. And check the sender’s email address. The name may say “Bank of America” but if the “From” address is your own email account (or another account that doesn’t match the company’s Web domain), it’s likely a phishing scam.

Never click any unfamiliar attachments or links. Most of the time, institutions like banks will not include attachments in an email. They also won’t do things like “deactivate your accounts immediately” unless you click a link and type in your Social Security number. Don’t open any files you aren’t expecting, and be wary of urgent requests for personal information.

The trick, says Baskerville, is to find consistent behavioral patterns among cybercriminals during the progression of a cyberattack.

“Then we can develop tools and computer configurations that can mitigate the consequences of an event while it’s occurring,” he says. “For example, defenders can also engage in deception, creating traps that are difficult for attackers to evade.”

Wiretapping the Web

“Once upon a time, people walked into a bank and robbed it,” says Donald Edward Hunt, a postdoctoral research fellow in criminal justice and criminology. “Now people hack a bank and rob it. Technology and digital evolution are changing the landscape of crime itself.”

Hunt understands cybercrime from experience. Before entering academia, he spent 10 years as a white-collar crime investigator and then embarked on a 14-year cyber career at the world’s largest credit card processing company. Hunt works today with Maimon to set online traps — also known as “honey pots” — to study criminals’ methods and motives.

“Honey pots are essentially computers programmed to look like businesses,” says Hunt, describing Maimon’s research. “But we purposefully leave a hole in their security — that’s the honey. When cybercriminals hit the site, we capture everything they do and add it to our data set.”

The information is blended into a larger database and analyzed to establish trends, make comparisons to other external data sets and inform policy. The researchers are not at liberty to say much about honey pot investigations. (Strict guidelines with the Institutional Review Board govern Georgia State’s research.) They can’t reveal how cybercriminal attacks are monitored, or what and how data are captured.

They do say that, depending on the event, researchers sometimes make contact with would-be cybercriminals.

“It usually takes the form of some type of deterrent message sent to the attacker, and then subsequent monitoring to see if the intervention had any effect,” Hunt explains.

Gauging deterrence and analyzing the actions and reactions of cyber attackers can uncover clues to blunting cybercrime.


“What makes them stop?” Hunt asks. “We’re seeing what works, what doesn’t work. What are the motivation, drive, skills and tools they need? We want evidence, statistical analysis, for predicting these things.”

William Joseph Sabol, professor of criminal justice and criminology, studies how to better measure the extent of cybercrime and the criminal justice system’s responses.

“It’s been more than a dozen years since the federal government attempted to measure corporate cybercrime victimization,” says Sabol. “Since then, much has changed in how and how often these attacks happen. This presents challenges for measuring cybercrime and its impact.”

His work is made more complicated given that many smaller cybercrime cases don’t make headlines at all. National and international surveys show that companies report cybercrime — the hacks, server intrusions, phishing scams — to law enforcement at relatively low rates.

Sabol supports the Cybersecurity Research Group’s efforts to understand how cybercrime is changing, and what these changes might mean for law enforcement.

“If cybercrime justice requires special technical knowledge, for example, will we one day have something like a cybercrime court, where judges and prosecutors need special training?” he asks.

Bringing the Dark Net to Light

Yubao Wu, an assistant professor in the Department of Computer Science, deals in large-scale analytics, otherwise known as big data. His computers crunch massive amounts of information sent over from Maimon, Sabol, Hunt and others, and he also sifts his own findings to spot information that might be valuable.

Much of his time is spent mining cryptomarkets — websites that conduct commercial business on the Dark Net, the criminal underworld of the Web. On these sites, which function like a black-market Amazon or eBay, users can purchase everything from illegal drugs to malicious software programs.

Behind the Keyboard

By studying a cyberattack and the way it’s carried out, experts can help shed light on the perpetrators. Here, researcher Donald Hunt ventures general assumptions about hackers who engineer three kinds of intrusions, from least-sophisticated to most-sophisticated.

Scenario 1: Credit Card Fraud

“Let’s say you get a call from your credit card company for a $150 charge at a clothing store in Sweden, but your card has never been out of Atlanta. That’s probably a solo hacker, and a person who doesn’t need much in the way of technical know-how. Card numbers can easily be stolen with a skimming device when you swipe to make a purchase. On the Dark Net, criminals can purchase thousands of card numbers from skimmers or other sources for as little as $50.”

Scenario 2: A Ransomware Incident

“This kind of attack requires more skill. Attackers usually get in when a person clicks on a link or an attachment embedded in an email. Once inside, the criminals can swipe information or shut down a system and hold it hostage. A ransomware hacker may work alone, but they often work in teams, connected through computers that might be spread all over the world. One hacker might research a target company, while another writes code for the attack, yet another composes phishing emails, and another maps a network or encrypts the data, and there might be still another person who directs it all.”

Scenario 3: Influencing a Presidential Election

“With this kind of coordinated, sophisticated attack, attackers are typically in close proximity. Picture an organized office, a command center. These people are very good at what they do, and they are usually brought together by a common goal or a commonly known leader. This may be a foreign government, or people acting on its behalf, conspiring to target national stability or security. Many people believe the next war is going to be fought online, if it’s not being fought already.”

Wu and his team are using big data to try to strip information from cryptomarkets, uncovering information about who’s there, what they’re selling and what it can be used for. The goal is to deter cyberattacks by identifying would-be hackers and their possible methods of attack. That task becomes Herculean, though, as cryptomarkets pop up like mushrooms.

“As our lives become more and more digitized, that offers more and more paths to sensitive data,” says Wu. “More opportunity means more demand for criminal markets.”

It’s too much information for humans to comb through, at least in time to circumvent criminal attacks. So Wu is developing computer programs that can crack the data on cryptomarket transactions in real time and analyze it using processing technology.

Buyers in cryptomarkets provide ratings on transactions, which often include the amount of the transaction (in Bitcoin) and the aliases of the buyer and vendor. Bitcoin transactions are designed to be anonymous, but basic information — the transaction time, amount and the Bitcoin addresses of both the sender and receiver — is stored in a public ledger.

By using algorithms that can grab and match up these two sets of information, Wu could identify the Bitcoin addresses of those selling and purchasing items on the Dark Net. This could provide security experts with more information about how cybercriminals operate, including their financial activities, sales volume and market size.
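The matching step described above can be sketched as follows. This is an added illustration, not code from Wu's team: it assumes each rating carries a posting time, that the payment went straight to a vendor-controlled address within three days before the rating, and it uses constructed placeholder aliases, addresses and transaction IDs.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from decimal import Decimal

def _t(day, hour):
    """Helper for the constructed sample timestamps (January 2019)."""
    return datetime(2019, 1, day, hour)

# Constructed sample data: aliases, addresses and txids are placeholders.
RATINGS = [  # market feedback: vendor alias, rated amount, time the rating was posted
    {"vendor": "vendor_a", "btc": Decimal("0.0412"), "time": _t(5, 14)},
    {"vendor": "vendor_a", "btc": Decimal("0.1300"), "time": _t(6, 9)},
    {"vendor": "vendor_b", "btc": Decimal("0.0100"), "time": _t(6, 10)},
]
LEDGER = [  # public ledger: time, amount, sender and receiver addresses
    {"txid": "tx1", "sender": "ADDR_S1", "receiver": "ADDR_V1", "btc": Decimal("0.0412"), "time": _t(4, 20)},
    {"txid": "tx2", "sender": "ADDR_S2", "receiver": "ADDR_V1", "btc": Decimal("0.1300"), "time": _t(5, 22)},
    {"txid": "tx3", "sender": "ADDR_S3", "receiver": "ADDR_X1", "btc": Decimal("0.0100"), "time": _t(5, 12)},
    {"txid": "tx4", "sender": "ADDR_S4", "receiver": "ADDR_X2", "btc": Decimal("0.0100"), "time": _t(6, 8)},
    {"txid": "tx5", "sender": "ADDR_S5", "receiver": "ADDR_X3", "btc": Decimal("0.0412"), "time": _t(1, 3)},
]

def candidates(rating, ledger, window):
    """Ledger transactions with the rated amount, paid within `window` before the rating."""
    return [tx for tx in ledger
            if tx["btc"] == rating["btc"]
            and timedelta(0) <= rating["time"] - tx["time"] <= window]

def link_ratings(ratings, ledger, window=timedelta(days=3)):
    """Map vendor alias -> receiving addresses, using only unambiguous matches."""
    linked, ambiguous = defaultdict(set), []
    for rating in ratings:
        hits = candidates(rating, ledger, window)
        if len(hits) == 1:
            linked[rating["vendor"]].add(hits[0]["receiver"])
        elif len(hits) > 1:
            # Several payments fit: record them for review instead of guessing.
            ambiguous.append((rating["vendor"], [tx["txid"] for tx in hits]))
    return dict(linked), ambiguous

if __name__ == "__main__":
    linked, ambiguous = link_ratings(RATINGS, LEDGER)
    print("linked:", linked)
    print("ambiguous:", ambiguous)
```

Common round amounts produce many candidates, so the share of ratings that end up in the ambiguous list is a direct measure of how much confidence the linked addresses deserve.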

Wu says that this kind of technology-aided approach is the future of fighting cybercrime.

“We’ll more and more see humans guide artificial intelligence to gather crucial data,” he predicts. “Then, with luck, we can use that intelligence to send out alerts to the FBI or Drug Enforcement Administration, enabling them to take action before attacks happen.”
