Cybercrime fighters

In the late 1960s, a small group of American researchers developed a system to share information remotely via a network of computers. The individuals knew and could trust each other and therefore weren’t very concerned with security issues. Twenty-five years later, when the network — now known as the internet — was commercialized, suddenly anyone with a modem could join.

Fast forward to today: the internet now features 340 billion websites and traffic of 300 billion emails daily, allowing users to instantly communicate, access information and do business in ways inconceivable just a few years back. The explosion changed the game — and escalated opportunities for nefarious activity.

Cybercrime, estimated in 2011 at $114 billion globally, now costs most businesses more than conventional, physical crime. The United States Department of Defense regularly wards off cyber-attacks from viruses and other malware being created at nearly one new piece per second. In 2011, former CIA director Leon Panetta warned, “The next Pearl Harbour we confront could very well be a cyber-attack.”

Since 2002, faculty and researchers at the Concordia Institute for Information Systems Engineering (CIISE), housed in the Faculty of Engineering and Computer Science, have been on the case to tackle such security and theft issues and threats. These include professional hacking gangs stealing identities, governments attacking their enemies or spying on their own citizens, and friends and ourselves divulging too much on social media.

Mourad Debbabi, who became the CIISE’s first hired faculty member in 2002 and then its director from 2007 to 2013, recalls receiving a recruitment email while sitting in Panasonic’s Atlanta, Ga., research department, where he worked. “It is very rare to have an opportunity to create a department, rather than join one,” he explains. “I was also charmed by the fact that it would be research intensive and interdisciplinary around information and systems engineering. I thought, ‘This is an opportunity not to be missed.’”

The CSL is a brand name now.” The CSL’s expertise and unique setup have brought in more than $4.2 million in external research funding in the past six years alone. Its researchers include those looking to detect and prevent malfeasance, as well as faculty such as Benjamin C.M. Fung, a former assistant professor who specializes in data mining, hoping to track down bad guys. (See the sidebar, “Forensics: Tools to bring criminals to justice.”)

Part of the magnetic attraction for money and students is the CSL’s integral role in the National Cyber- Forensics and Training Alliance Canada (NCFTA). The non-profit organization brings together academic institutions, government and law enforcement, and private companies to share resources, intelligence and expertise to stop emerging cybercrime threats and mitigate existing ones. Since it started in 2008, NCFTA has been headquartered at the CSL, ensuring Concordia scholars work on the latest, most relevant topics — a fast-moving target in the cyber world.

Debbabi’s many research interests include network security, cyberforensics and malicious code detection. “To design less vulnerable systems, you need to detect problems as they occur, prevent them, and also perform more in-depth detection research after the fact — forensics,” he explains.

As president of NCFTA, Debbabi can access information feeds that monitor a wide variety of malfeasance — malicious Internet Protocols (IPs) and domains, reconnaissance and intrusion attempts, and dedicated denial-of-service (DDOS) attacks, a major threat with an interesting local connection.

Back in 2000, a high-school student from Montreal’s West Island made history. Like most hackers of the era, Michael Calce — internet alias: Mafiaboy — was a young man who wanted to show off to other hackers. He had figured out how to control computers remotely by installing viruses via the internet, to link these compromised machines together into powerful networks called “botnets,” and to instruct the linked computers to send packets of information to a receiving server simultaneously, thereby overloading that server and crashing it.

Anything online — military, banks, utilities — could be compromised by hacktivist groups like today’s Anonymous or even by governments. It is widely believed that Russian hackers protested Estonia’s decision to move a Soviet war memorial by unleashing just such an attack in 2007. The Estonian government, media and financial institutions’ sites all went down, virtually incapacitating a country which, like Canada, is one of the planet’s most wired.

As the CSL’s Mohammad Mannan says, early hacker groups running botnets “were flashy and showing off — ‘look, I infected millions of machines in 15 minutes!’ ” Yet as the technology matured, professional gangs monetized it. They shrunk botnets to avoid detection, and now rent them out by the hour to groups attempting DDOS attacks and phishing schemes, who spam to sell real or counterfeit products or spread propaganda, adds Debbabi. Most users automatically delete any spam that slips through the email service’s spam filter — an ad for cheap Viagra, or an ungrammatical help request from a “Nigerian prince” trying to move his money overseas. “But for me, it’s huge,” says Debbabi. “I can get significant levels of intelligence from spam.”

Spam is actually the beginning of a bread-crumb trail to an individual hacker or crime syndicate. If a user responds to the fictitious Nigerian prince, the reply is received by the fake IP that is part of the botnet that sent it. Debbabi’s live feed can detect the response and, through geolocation, identify where the spammers are and what they are doing in real time.

Through NCFTA, the CSL has worked with Canada’s Department of National Defense and Ericsson Canada to research attack detection and create attack prediction models. “We need to identify the servers that are phishing and take them down, by deriving the information from spam,” says Debbabi.

With so many working credit card numbers available that hacker groups sell them to fraudsters for as low as $1 each, and a full ID — date of birth, social insurance number, driver’s licence and photo — for only $5, this is a societal problem. Yet Canada lags behind the U.S. in information sharing for cybercrime mitigation purposes, says Debbabi. That’s why this summer the CSL increased its capacity to become a U.S.-style data hub for information that carries little privacy value — spam and viruses — but can help protect us all.

It is no surprise the first major cyber war was launched from Russia, home to much cyber criminality. Mannan suggests that, like tax havens, botnet location is merely a case of lowest legal resistance. “The attackers are dynamic. If they have, in the Russian or now the Chinese legal system, better opportunities to hide, they will exploit that system.”

With our information under constant threat from hackers, we need armour. The assistant professor holds a Natural Sciences and Engineering Research Council Discovery Grant to improve the security and privacy of high-impact applications, such as email and online banking, “to benefit society and average citizens.”

A major means to thwart threats is improved passwords. Because truly secure passwords are too hard to remember — imagine memorizing X@h6y3i89B9*4n03!k — many users employ simpler ones that include real words and reuse them on multiple accounts. “I can’t really blame people,” says Mannan. “We are pattern-based animals.” Mannan has devised a few password-generation techniques to circumvent these problems.

With his master’s degree student, Adam Skillen, Mannan recently released Myphrase, software that generates a “passphrase”: six words long. To ensure the words themselves are familiar to the user, a 1,024-word dictionary is devised from the user’s own writing, such as sent emails. But, as a compromise between security and memorability, “I do not let you choose which words, or their order, because I know what you will do — make a coherent phrase that is more easily hacked,” says Mannan. The generated passphrase can be a random sequence of words, like “purple monkey dishwasher move seem wish,” or, by using a part-of-speech engine and sentence templates, the connected discourse option gives the passphrase the slightly more memorable ring of semantic sense: “They traced again and loudly radiant.”

For the less linguistically inclined, Mannan’s object-based password (ObPwd) requires a user to select any file from his or her computer or an online location. The software will generate a strong password from the binary code underlying that file. Rather than memorizing a password, all the user has to do is remember where he has stored the file.

Both ObPwd and Myphrase have proven robust to attacks. The greatest risk to the average user, says Mannan, is actually the user her- or himself. Since companies like Google and Facebook don’t want to exclude potential customers, they suggest but don’t enforce using strong passwords. Worse, through social media, people unwittingly reveal password and security-question information — your date and place of birth, siblings’ names, high school and so on.

I think those who post everything on Facebook now will learn and advise their children differently.

“If I have access to your Facebook account, I can customize the attack,” says Mannan. “You think, ‘Who will guess that my password is my wife’s name when there are so many possibilities?’ ” But hackers’ powerful computer algorithms render random guessing attacks quickly, and targeted attacks quicker.

“Even by not using Facebook, your privacy may be leaked,” says Mannan. Tagging friends in a photo confirms their identity, like a photo ID. We are effectively spying on each other.

Our failure to account for both computers’ computational power and the transparency of online communication is what Mannan calls our “mental model problem” with digital technology. “If I send you an email, I think I’m just sending you an email, as if it’s a letter. But all these emails are just sitting in a server, so they’re absolutely not private.”

One possible solution would be to pass more stringent privacy laws. However, Mannan points out, “Government is an interested party. If we disallow Facebook to collect all this information, then the government also has no access to it [through a court order], so there is a conflict.”

And the conflict exists at all levels. While President Obama hosted Chinese President Xi Jinping in June for a friendly yet face-saving summit to discuss the problem of Chinese cyber-espionage stealing U.S. state and corporate secrets, Stuxnet, the U.S.-Israeli cyber worm allegedly deployed in 2010 with Obama’s blessing to cripple Iran’s nuclear centrifuges, was hailed as a lowcost, 21st-century warfare solution. At all levels, “Everyone is targeting and exploiting everyone else,” says Mannan.

The combination of its traceless transparency and the government’s interest make surveillance a given, with most people believing that they’re lawabiding citizens and have nothing to hide. Yet Mannan asks, “Why do you lock your door when you’re home? Would you accept a web cam in your home so that the whole world can see?” He believes attitudes towards discretion will eventually change. “Most people just don’t understand the privacy implications of online services. I think those who post everything on Facebook now will learn and advise their children differently.”

Gangs and governments will always do battle, in the virtual world as in the physical. While great progress has been made on virus and Wi-Fi security, email, a longstanding communications medium and the basis for business today, is still not secure, Mannan warns.

“I am a very optimistic person — I believe there must be usable solutions out there. As academics, we have to do what is best for citizens. These are difficult problems, but they’re not insoluble.”

— Jake Brennan is a Montreal writer.

Related links:

• Concordia Institute for Information Systems Engineering
• Concordia’s Computer Security Laboratory
  
• Department of National Defence
• National Cyber-Forensics and Training Alliance CANADA
• The Central Intelligence Agency