GATORBYTES
PLUGGED IN: CYBERSECURITY IN THE MODERN AGE
Jon Silman

CONTENTS

What Is Cybersecurity?
The Institute and the Preeminence Initiative
The Internet of Things
Juan Gilbert and His Voting Machine
How Does a Network Work?
Servers and Their Relationship to Cybersecurity
The Cloud and the Myth of Storage in the Sky
Kevin Butler and the Importance of Data Provenance
The Operating System
Michael Fang on Wireless Security
The Proliferation of the Hacker
What Exactly Is Malware?
Joseph Wilson on Hacking and Malware
Who Are the Adversaries?
Mark Tehranipoor and Chip Security
The Specific Challenges of Mobile Security
Patrick Traynor and Mobile Security
A Look at Social Engineering and Phishing Attacks
Daniela Oliveira on Social Engineering
Internet Censorship and the Tools to Fight It
Tom Shrimpton and the Science of Modern Cryptography
Swarup Bhunia and the Security of Integrated Circuits
Prabhat Mishra and System Validation
Domenic Forte and His Hardware Security Research
Staying Safe Online: What You Can Do
Notes

WHAT IS CYBERSECURITY?

Imagine all of your information—medical, financial, and personal—available for anyone in the world to see. That medical procedure? The password to your bank account? All of it, readily available for anyone with a little bit of Internet know-how. Does that sound scary? Unlikely? Unfortunately, it’s not only real; it’s more common than you might think.

Files used to be stored in warehouses, in physical folders and lockers, behind doors and guards. Physical keys were needed to access rooms. Physical presence was required to be inside a house. Now, you can check in with a camera connected to a network. You can download addresses, social security numbers, and credit cards with a few clicks. More and more personal information is now being stored on the cloud. Type in a name, at a doctor’s office, for example, and information comes right up. Need information on a particular person?
Type in a driver’s license number. Want to check your bank account balance? Insert username and password. So yes, you have information at your fingertips, but at what cost? The ease of access belies the real trouble, the one most people would rather not think about, and that’s security. Ease of access is a sacrifice for security. Convenience is too. Security protocols, though annoying, at least secure information.

The truth is there are many ways to get at personal information—not just through something as simple as a stolen password but also through backdoors and hacks of the software and even the hardware itself. When was the last time you updated all of your apps on your smartphone? Or your operating system? Have you ever thought about the reason why updates are necessary? It’s not just because things need to be up to date. Mostly it’s because adversaries (i.e., bad guys) have found ways to infiltrate the software. That’s why it’s so important.

Cybersecurity is not a buzzword. It’s not something to be ignored. It will only become more and more important as more and more of our lives become interconnected and networked. Almost everything we do, every single day, will have some sort of online component. It’s important to know the impact of cybersecurity and the importance of staying on top of not only knowledge but the latest practices as well. So why is information so hard to secure? Why is cybersecurity such an important topic?
According to the Department of Homeland Security, “there is increased risk for wide scale or high-consequence events that could cause harm or disrupt services upon which our economy and the daily lives of millions of Americans depend. In light of the risk and potential consequences of cyber events, strengthening the security and resilience of cyberspace has become an important homeland security mission.”

This is where the University of Florida comes in. With its preeminence initiative, with the goal of becoming a top-ten university, UF has made the field of cybersecurity research one of its main priorities. The university has hired some of the best cybersecurity minds in the world to attack the problem from all sides and avenues. It has created the Florida Institute for Cybersecurity Research, with leaders from all facets and fields, from electrical engineering to computer science, to study and experiment—to explore the best ways to stay safe online. They’re tackling the hard questions and working to stay ahead of the trends. They’re figuring out how to keep smartphones safe, how to track data, how to find hardware Trojans on chips—the list goes on.

In a recent interview, UF College of Engineering Dean Cammy Abernathy spoke about the importance of the research, and what it means. “Cybersecurity is one of the most important issues facing our country,” she said. “It’s our responsibility to work on issues of importance, and we’ve made it one of our top priorities.” Abernathy said the topic comes up more and more in her daily conversations, especially as more computer systems become embedded in our everyday lives. It’s an issue from banking to health care to the automotive industry, and it’s only going to become more prevalent, especially as more and more devices become connected through the Internet. “Confidence in these systems is critical to sustain our way of life,” she said. “If we lose confidence in these things, it’s going to have a tremendous negative impact.” In addition,
she said, it’s also a national security issue, as there are people out there who want to exploit our systems and degrade not only our way of life but our society as a whole.

As for the birth of the Florida Institute for Cybersecurity Research, she said there were previously members of the college working on this subject, but not to the level that there is today. “We found some of the best minds of cybersecurity in the country,” she said, adding that they picked from the brightest young minds they could get and also some of the leading veterans of the field who bring valuable institutional knowledge to the table. “We brought them all together, colocated them in one space, formed the institute, and already we’re off to a great start,” she said. “We want to build on that.”

She relishes the fact that there are such varied brands of research going on at the institute. For example, she said the work being done on hardware assurance has gotten national attention. She sees the institute and the cybersecurity initiative as a way to breed a new type of engineer, ones that can lead in the twenty-first century, not only with technical know-how, but with the communication and social skills necessary to teach and inform a whole new generation of learners. Abernathy said this is only the beginning, as she plans on hiring more people, especially someone who specializes in biomedical research. She knows that cybersecurity is a growing field, and she wants to be able to meet the need with the best around. “Let’s give them the ability to not only solve the problems of today,” she said, “but also prepare them to tackle the problems fifteen to twenty years from now.”

Cybersecurity is a massive topic, and it touches upon all aspects of technology. This breadth is why the Florida Institute for Cybersecurity Research was established. It’s meant to be the foremost and premier multidisciplinary research institute in the country. It’s focused on advancing the field of cybersecurity to stay ahead of the
hackers and cybercriminals and foreign agencies who try to compromise and steal not only our data but our cutting-edge technology. It’s a partnership between all types of industry and government. It’s also a chance for undergraduate and graduate students to learn from elite cybersecurity experts. So what challenges does it bring? Who is the team at the Florida Institute for Cybersecurity Research? What are they doing so the bad guys don’t win?

THE INSTITUTE AND THE PREEMINENCE INITIATIVE

The initiative really got started in November 2013. That’s when the Florida Board of Governors gave the signal to the University of Florida to go on what would become one of the most prolific and consequential hiring sprees in the state. They gave the approval to go after the stars in their respective fields, with one goal in mind: make the University of Florida a top-ranked public research university. And they ponied up, with a plan to spend $15 million in funding from the legislature for different areas of focus, such as biodiversity and food security and informatics and creative writing—and, of course, cybersecurity.

The idea is to snag the top minds in the country and bring them all to the same place—Gainesville, Florida. In addition to the state money, there’s also a strong private fund-raising contingent to get the campus, the initiatives, the faculty and students, and the systems in place to take on such a transformative endeavor.

When speaking to UF News about it, University of Florida President Bernie Machen said, “It’s not the rankings themselves that matter. But a rising reputation builds momentum that allows us to make ever greater contributions. Preeminence means UF can make more life-changing discoveries, create jobs through our startup companies and technology licensing, compete to get Florida its share of federal research dollars, and ensure that Floridians not have to leave the state to get a world-class education.”

The $15 million, five-year annual payout is matched by the
university, with the plan to make more than one hundred hires and build new facilities for research. Donors responded in kind as well. Last year, according to UF News, donors gave an astounding $215.3 million, adding to UF’s ability to address all of its initiatives. It was the second year in a row where donations topped $210 million. The goal was always to raise $800 million in three years. There’s also an additional $71 million in “deferred gifts and pledges,” bringing the total up to $285.9 million. All this money, of course, is spread around, and some of it went into hiring the world’s foremost cybersecurity experts.

The truth is cybercriminals are relentless, and attacks against banks and personal information, military installations, and ATMs are going to continue and get more sophisticated. I spent a lot of time conversing with and learning from faculty at the University of Florida, the real experts in cybersecurity. They were generous with their time and spoke with gratitude about landing at a place that values and pushes them to greater heights. Some of them didn’t have access to computers until they were in college. Others learned computer theory through books. Some of them came from villages in countries far away. Others grew up in the United States and made names for themselves, became nationally regarded, and were plucked to be a part of what they consider the best cybersecurity team in the country.

All of the hiring and the movement toward national education in the pressing issues of cybersecurity highlight the importance of the topic. It’s important to have a good understanding of the whole issue, so let’s take a step back and examine perhaps the most pressing topic of all, to get a better understanding of the way the Internet and interconnectivity are changing the way we use everyday electronic devices.

THE INTERNET OF THINGS

You can’t have a discussion about cybersecurity without a mention of the Internet. Cybersecurity wouldn’t be as much of an issue if not for the
proliferation of network capabilities on all the network-capable devices, ones that are such a big part of our everyday lives—all the “smart” devices, including homes, power grids, thermostats, TVs, and wearable devices like the Apple Watch or the Fitbit. Practically everything’s connected to a network, and that connectivity means there are points of access for these devices to communicate. And with those access points come ways for them to be compromised. This phenomenon, the one where everything is network connected, is known as the “Internet of Things,” or IoT. According to a Cisco white paper article, there will be fifty billion devices connected to the Internet by 2050.

Joseph Wilson, an assistant professor at the University of Florida’s Computer and Information Science and Engineering Department, put it this way: “The real issue is not so much device security; it’s network security. A single IoT device, like a lightbulb or a thermostat or a garage-door opener, might not seem like something dangerous by itself, but that one device might provide a foothold for someone to access the rest of your devices. They’re not going to get your credit card number from your garage-door opener, but if they can listen to your wifi and use it to get into your Amazon account, that’s a different story.”

Currently, IoT is mostly a loose collection of specific, purpose-built networks, such as heating systems, telephone security, and lighting. However, these networks are going to coalesce and thus become more powerful—and therein lies the danger.

At the 2016 cybersecurity conference put on by the Florida Institute for Cybersecurity Research, Yier Jin, a professor at the University of Central Florida, gave a presentation called “IoT Security: From Hacking to Defense.” In his speech, he outlined the ways hackers access everyday devices and explained how vulnerable some of these devices really are. Devices that seem innocuous might not be, he said. He’s been investigating the problem of security
with some of these items, like the Roku, which is a network-connected streaming peripheral, or the Fitbit, which tracks fitness activity. What he found was troubling. He also investigated the smart car, he said, and with its series of network-connected systems comes the potential danger of hacking. What about these so-called fitness-tracking smartbands? They don’t have a keyboard, so they should be difficult to compromise, right? Not really, as he successfully hacked them. The ease of it surprised and alarmed him, he said, so he called the company and told them about some security issues. They conceded that they hadn’t put security on the devices because it would make them more difficult to use.

This sentiment came up over and over again at the conference. The more security a device has, the harder it will be to use. For this reason, the U.S. government has been working diligently with researchers to combat the problem. As more and more devices become interconnected, cyberattacks get more involved and complicated, and the real-world consequences become more consequential.

A Harvard Business Review article about cybersecurity outlined the realities of the danger. Whereas previous attacks were directed mostly to steal confidential information and create havoc online, new attacks will affect the physical world, like a recent hacking of the Associated Press Twitter account by the Syrian Electronic Army, which sent a tweet about an explosion at the White House. The tweet caused the stock market to decline almost one percent before it was revealed as a hoax. In 2012, a hacker built a device that could open electronic locks in hotel rooms without a key. Even after the flaw was supposedly fixed, criminals continued to use the exploit for months. In 2014, the Sony movie studio hack revealed thousands of documents of personal correspondence between studio executives and disrupted the movie industry.

Perhaps particularly troubling is the issue of driverless cars. Engines, locks, hood and trunk
releases, heat, dashboard functionalities, and brakes have all been shown to be vulnerable to attack. In fact, as recently as July 2015, a man wrote an article for Wired describing the vulnerability. He was driving a Jeep, and the cold air suddenly blasted at maximum, without any input from him. The radio went full volume, despite his trying to turn it off. Then the windshield wipers started going off, and suddenly he started decelerating. All without his control. It all comes from one small vulnerability: “Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot,” he described. “And thanks to one vulnerable element…, Uconnect’s cellular connection also lets anyone who knows the car’s IP address gain access from anywhere in the country.”

The problem involves much more than smart cars or wearables. Network-connected biometric devices like pacemakers are also at risk, as are insulin pumps and implantable heart regulators. These are not inconsequential problems, and it’s why the U.S. government is keenly interested in the issue. It’s also why the University of Florida has spent so much special attention on cybersecurity. It’s why they’ve hired people from as far away as Iran and India to tackle this complicated problem. They are seeking to find innovative new ways to use IoT devices safely and to find new ways to get by security protocols, so as not to sacrifice usability for security.

IoT, however, is just one aspect of cybersecurity, and it’s more of an explanation than a method. The different methods for hacking devices usually start from one place—the user. This idea of the user is interesting because the human component is the key to any device. Cybersecurity measures are generally made with the user in mind. Perhaps no one is better suited to tackle these issues than Dr. Juan E. Gilbert, a human-centered computing expert.

JUAN GILBERT AND HIS VOTING MACHINE

Juan E. Gilbert, PhD, the Andrew Banks Family Preeminence Endowed Professor and Chair and a member of the Florida Institute for Cybersecurity Research, is an expert in human-centered computing. He is a professor in the Computer and Information Science and Engineering Department, and he leads the Human-Experience Research Lab. Also, Gilbert was recently named one of the fifty most important African Americans in technology. His work involves how we interact with computers and how they can be used to improve the lives of those around us. His research includes data mining, culturally relevant computing and databases, spoken language systems, usability and accessibility, and advanced learning techniques.

One of the biggest and most visible projects he’s involved with is an open-source voting machine specifically made for everyone—including the blind, deaf, or disabled. The machine works by allowing voters to vote with a touchscreen or speak into a microphone. It will either display letters for you to read or speak to you. Those who can’t speak can blow into the microphone to make his or her choice. Gilbert developed the Prime III with help from research assistants, a National Science Foundation grant, and a $4.5 million grant from the U.S. Election Assistance Commission. The open-source release was funded by the Knight Foundation.

Voting, by design, is meant to be a private endeavor. For years, disabled persons have not been able to truly vote by themselves because of their limitations. Even in the precinct, they might have someone else telling them what to do, and it could influence them, perhaps because of uncomfortable or uneasy feelings. Many might choose to stay away altogether. Ensuring private ballots, Gilbert said, was a challenging proposition. “You have to make sure they can’t be tied back to an individual,” he said. “They have to be secure, and they can’t be modified in the system.” How does he ensure that happens?
The key is to keep it off the network and use an “old-school paper ballot.” In fact, the Prime III prints out a ballot for the person, which he or she can then use to vote.

Security concerns are always important and need to be considered heavily. Gilbert said he’s not aware of any elections being stolen by hacking, but he does have evidence of an outcome being changed because of poor interface design. In Sarasota, there was a voting machine with a suspicious number of under votes, and the team thought there was a possibility it might have been hacked. Upon closer inspection, however, it turned out to be an issue with how the ballot was displayed on the screen. Because the line that was highlighted, and drew the eye, was the second contest, many people didn’t notice there was another contest above it. It was an issue of design. There has to be a balance between usability, security, and accessibility.

When it comes to cybersecurity, Gilbert stresses diligence on the part of the user. He recommends virus protection and being cognizant of phishing attacks. The proliferation of the Internet of Things, he said, is going to change a lot about cybersecurity in the coming years. Those challenges are why

happen that often. I knew Kevin Butler from the University of Oregon, and when he was hired here, he wrote to me and said, ‘Hey, if you’re interested, we’re going to do some pretty cool things down here in Florida.’”

Shrimpton was impressed by what he saw and excited to work with stars in their respective fields of research. “The prospect of joining an all-star team excited me,” he said. “I have this feeling that this is a group of people who are young and after it with interesting ideas. They take risks in research, and that attitude has promulgated out in the students as well. It feels like we’re all part of a big team, like we’re all in this together to do something bigger.”

While software is a big part of cybersecurity, the actual hardware used to run programs is also vulnerable, and often an
afterthought—well, an afterthought for those who don’t know. In fact, many researchers focus on that very thing, including Swarup Bhunia, whose work with integrated circuits has made him a star in his field.

22 SWARUP BHUNIA AND THE SECURITY OF INTEGRATED CIRCUITS

Swarup Bhunia is a professor in the Department of Electrical and Computer Engineering. He leads Nanoscape, the nanocomputing research lab at UF, and he’s also a member of the cybersecurity team at UF. He recently received the Harris Endowed Seed Fund to do research on embedded systems security, and he has more than 250 publications in peer-reviewed journals and five books in various computer-related disciplines. He’s also been the recipient of quite a few awards, including an IBM Faculty Award and a National Science Foundation career development award.

What makes that all the more compelling is that Bhunia grew up in a remote village of India in Bengal, close to Bangladesh. It’s been a long journey. Bhunia said computers always seemed like a sort of magic to him, in the sense that they weren’t readily available, and he didn’t actually see one in person for a long time. “I loved computers from a very early age, but I didn’t see one until my college days,” he said. “I heard about it from the radio and newspapers.” He did his undergrad work in Kolkata, the capital of the Indian state of West Bengal, at Jadavpur University. He got his degree in computer science but “hardly had a chance to work on computers” because there were only a few there and very long lines to use them. His first few years in the field, he said, demystified computers, and he gained an understanding of how they worked. Feeling like he found something worth pursuing, he continued his education at the Indian Institute of Technology (IIT), in Kharagpur.

After that he decided to enter the corporate world. He went to the Silicon Valley of India—Bangalore. It was the late 1990s, and he started working at a company called Silicon Automation Systems. He worked on
developing software involved with building integrated circuits, which he calls the “backbone of every computing device. Tablets have them; cell phones have them; all of them have electronic circuits and microchips.” Most people, he explained, might not be aware of the complexity of the microchips that run their devices, or the very complex steps it takes to manufacture them. Microchips often have billions of transistors, also known as switches, that control current, and without software to help design these chips, it would be nearly impossible to make them. The work excited him and allowed him to elevate his expertise in the field, as well as look at some of the hardware aspects of computing.

His next stop was Synopsys, in Portland, a company well known for their electronic design automation (EDA) tools. From there he decided to pursue his PhD at Purdue, to work on new algorithms and design tools to build more powerful microchips that take less power to operate. “How do you design microchips that are extremely energy efficient? We have to charge our phones every day, and the most energy-hungry thing we have in a phone is the processor, also called the CPU,” he said. “The CPU has to manage a lot of the workload to run all the apps we like to run—but eats up battery power.”

His PhD work really exposed him to the field of electronic hardware, at the different types of chips and how to make them work better. Everything, he said, be it a cell phone or a robot, uses some basic components, including the CPU, and reducing their power requirements is key to longer battery life. His research focused on finding ways to lower power consumption. It forced him to think about all of the aspects of power consumption, on chips and how various things like the CPU, the memory, sensors (in cellphones), and other things drain power. The issue was complicated. He had to approach the problem from many different angles. “How do you rewire the transistors so that the power is reduced?
What’s the lowest voltage level you can do certain things on? How can you change the internal architecture of the chip to reduce power?”

He wanted to continue his work after Purdue, so he went to Case Western Reserve Technology in Cleveland and was a faculty member for about ten years, until UF came calling in 2015. His interest in computer security grew as the Department of Defense asked for researchers to study the security and trustworthiness of microchips. “The history of cybersecurity is mostly the security of software and network,” he said. “People often assume the underlying hardware is secure, but that’s not always the case.”

The reason the government was asking for research proposals on the trustworthiness of chips, he said, is because most microchips are fabricated outside the United States in potentially untrusted foundries. There are only a handful of these foundries in the world, because they’re not cheap. They require immense amounts of manpower, know-how, and money to build. “The overly complex process of making microchips includes hundreds of optical and chemical processing steps to create a carefully connected network of billions of transistors as small as 10 to 20 nanometers,” he said. “So small that thousands of transistors fit on an area the size of a human hair.”

He came up with an idea to tackle the problem of microchip trust issues and received funding to work on it. The worry was that almost all of our national infrastructures, including aviation, healthcare, the power grid, and the military are using these microchips, which they assume to be trustworthy, and that might not be a good idea. There’s the possibility, he said, that someone somewhere during the manufacturing process put a malicious circuit, also known as a hardware Trojan, on some of these chips. It could be something that could be remotely triggered, or is on a timer, and when it’s activated, it could cause catastrophic consequences. “The problem is lots of chips are acquired from a supply
chain that’s often globally distributed, and it’s very challenging to see if a chip is infected with a malicious circuit,” he said. “What if a chip with a malicious circuit is put in a military helicopter? What if a chip used in a missile defense system from a foreign country is designed to sabotage us?” There’s a legitimate worry there: what if a vehicle using the chip malfunctions? How will we know if it’s because of the chip or because of sabotage? What if the chip is sending information somewhere?

In his work, he found out some key points. First, it would require a very high level of skill to hack into a microchip. Also, hardware Trojans are hard to detect because of the sheer number of components on such a small surface area. Perhaps most troubling, he said, is the report that more than fifty thousand chips with hidden hardware backdoors were going to be used in our military systems, and people with malicious intent could potentially sabotage the systems using them.

Rather than being overwhelmed, Bhunia decided to tackle the problem head on. Good hackers know, he said, that people will be trying to look for Trojans in chips, and they’ll try to hide them. Traditional testing methods won’t find the Trojans, because a hacker would already know those methods and try to evade them. The solution he came up with is also a culmination of the work he’s done with chips since undergrad. Basically, he looked at the “current draws” in a chip. He designed experiments to look at Trojans and see what the effect was on the current, instead of just looking at the function of the chip. If you can measure the amount of power being drawn, he said, a Trojan will have a footprint there.

His research in this field won him acclaim and a number of research grants. “I’m very happy that we published the first academic paper on that,” he said, adding that his group is recognized as one of the pioneers in the world of Trojan research. After being in Cleveland for so many years, even though his research
was very visible, he was looking for a move—mainly to escape to better weather. He heard about the preeminence hiring initiative at the University of Florida and the efforts to form the Florida Institute for Cybersecurity Research with prominent researchers in this field. Bhunia said he considers the cybersecurity group at UF one of the best and most visible in the whole world. “There are so many talents. Together, we have the power to do groundbreaking work, spanning all aspects of cybersecurity, and that’s what really excited me.”

Another researcher at the University of Florida who’s also doing exciting cybersecurity research in the physical realm also came from the same colleges as Bhunia. His name is Prabhat Mishra.

23 PRABHAT MISHRA AND SYSTEM VALIDATION

Prabhat Mishra is an associate professor in the Department of Computer and Information Science and Engineering, where he leads the Embedded Systems Lab. He’s a member of FICS Research, and his work involves the design automation of embedded systems, energy-aware computing, hardware security, and system validation and verification, among other things. He got his PhD from the University of California at Irvine. Unlike many of his colleagues, Mishra spent a considerable amount of time in the corporate world, working for companies like Intel, Motorola, Synopsys, and Texas Instruments. He’s also published four books and received numerous awards, including an NSF Career award and an IBM Faculty award.

Mishra’s beginnings are humble, and he credits a lot of his success to others. To get to where he is today, he said, has been a series of small but important steps in the same direction. His curiosity, however, was apparent from a very young age. When he would buy something in India, they’d wrap it in newspaper. He would always try to read the paper, even though sometimes it would be only a half or a fourth of a story, and then he’d try to figure out the rest, like a game. Finding the enjoyment and satisfaction in that helped him realize his
passion for learning and education. He views cybersecurity as sort of a game between people trying to do bad things and people trying to stop bad things from happening. When you take out the technical jargon and explain the problems simply, he said, it gets students interested in the field.

There’s an example he likes to use when he wants to illustrate the importance of good cybersecurity. Imagine a pacemaker, he said, the medical device used to regulate heart activity. Some versions of the device have an exploit in them—one that would allow a bad guy to drain the battery of the device covertly, from only a few feet away. The reason for this exploit is that doctors want to be able to communicate with the device and tune it. That way, invasive surgery wasn’t necessary every time the device needed to be adjusted. The idea was it would just be easier to adjust wirelessly. However, that convenience also makes the device more vulnerable to hackers and requires additional security. Nowadays, everything has wireless communication capabilities, but is it secure? What about the practicalities? What if the person has a medical device that’s protected by some sort of password, but the patient is the only one who knows the key?
When they are in danger, a doctor wouldn’t be able to help them. That scenario illustrates the real conundrum of cybersecurity: the more ways to communicate with a device, the more opportunities for adversaries to take advantage.

Mishra considers his work right in the boundary between hardware and software. He can try to solve a security issue from both sides. If there’s a backdoor that an attacker can exploit, he has the expertise and can contribute information on how to close the loopholes and try to stop an attack. He has a distinct well of information, not only academically but also from his years spent in the private sector. He knows firsthand the difficulties a company might have in trying to market and manufacture a product. Though it might have the company name on it, it has many components to it. There’s always the possibility that some component might come from different countries, and the component could be designed poorly, or might have intentional flaws, making it hackable.

His research involves locating vulnerabilities in early stages of hardware design. This is the real issue, he explained, and an easily overlooked one. Everyone is looking at security at the user level, but it’s important to know the supply chain and where things were manufactured. Just like Kevin Butler’s work with data provenance, Mishra stressed the importance of origin.

Consider, for example, a cell phone. Even though the phone could be from a brand-name company, it could have a processor from one company and memory from another, and apps and other software from different parts of the world. In his research, he’s found that certain components could leave footprints of what’s been done or sent (maybe because of malicious implants). That’s not right. A phone should not be doing that. It’s a huge security and privacy issue. And to add to that, there are countries with vested interests in attacking our infrastructure, so any vulnerabilities they can use, they will use. This possible vulnerability is why,
he said, cybersecurity research is so important, especially on the hardware and software boundary, and also why UF has so many people working in the cybersecurity field. “If the hardware is not robust,” he said, “then it’s much easier to compromise in spite of all the high-end security at the user level.”

In all, he’s grateful to work alongside what he considers the best cybersecurity team around. Another member of that team is Domenic Forte. He’s a young researcher who already has an impressive career, and he also stresses the importance of hardware cybersecurity.

24 DOMENIC FORTE AND HIS HARDWARE SECURITY RESEARCH

Domenic Forte is an assistant professor in the Electrical and Computer Engineering Department at UF and a member of FICS Research. He previously worked in a similar department at the University of Connecticut, and before that he was awarded his PhD in Electrical and Computer Engineering from the University of Maryland in 2013. He earned his undergraduate degree from Manhattan College, where he was pivotal in the U.S. National Science Foundation’s Research Experience for Undergraduates (REU). His research is multifaceted and includes counterfeit detection, hardware Trojan detection, reverse engineering, and even biometrics, among many other topics in and around the field of cybersecurity. While he was at the University of Maryland, he received a George Cochran award for excellence in teaching, an award given to the top two teaching assistants, out of up to one hundred.

He liked computer engineering and was always drawn toward digital learning. He knew he’d have a lot of opportunities if he stayed within the field. His early research involved work in electrical power resource management and how to balance those resources in terms of power drain. He worked with sensors and video streaming, including video on demand. He also did an internship at the National Institutes of Health, working on a computer vision system. “This system was one that was monitoring robots and mice,”
he said. The problem was it’s difficult to spend all day physically observing the animals, and it’s also invasive. A video camera could do the trick. He was involved with the under-the-hood mechanisms, building algorithms and dealing with image processing times.

Forte’s foray into cybersecurity and hardware security began during his PhD, when his advisor told him of all the opportunities in the field. It was a good fit. He already had some of the skills, and it was a growing area, so he knew he wouldn’t have any trouble, whether he ultimately decided to go into academia or not. He started work on physically uncloneable functions—basically, biometrics for circuits, things like fingerprints and other unique identifiers. He wrote a paper on it that was recognized and widely read, and that success gave him the confidence to realize he was working in the right field where he could flourish and also innovate. “It got me excited and made me realize this is a good area to be working in,” he said. “I finally felt like I was going to get some good recognition for the work I was doing.” He got his PhD in 2013, and he said he was one of the first to do his thesis in the area of hardware security, as people were starting to realize, more and more, the importance of the field.

The differences between traditional cybersecurity and hardware security posed interesting challenges for Forte, and this quality of enjoying problem solving is a thread that seems to run through all the researchers at the Florida Institute for Cybersecurity Research. They get excited by the prospect of solving problems. “Traditional security relies on secure computing and the security of cryptographic algorithms,” he said. “But hardware security is different. It presents new challenges, and you have to have experience in hardware design and security. You have to have an intersect in both disciplines.”

Forte considers both Mark Tehranipoor and Swarup Bhunia leaders in the field, men who had to forge their own ways. He decided to
forego the corporate route for academia because he felt at home in the environment, realizing research was his passion. “There’s lots of freedom. It’s scary at first, but it grows on you,” he said. “I got comfortable with it. It’s a freedom you wouldn’t have anywhere else. You can push boundaries and work on cutting-edge problems. You can be your own boss. You can work closely with young students and mentor them, and you feel like you’re making a real impact on their lives.”

Forte worked with Mark Tehranipoor at the University of Connecticut, where he said it was a chance to build his reputation and be mentored by someone at the top of his field. He learned how to handle a large class load and balance his research work, valuable skills he said help him at UF. The transition, since he worked so closely with Tehranipoor in Connecticut, was an easy one to make. When you hire someone, he said, like the University of Florida did with Tehranipoor, it makes sense to take the young people who are also working around and with him, a process called cluster hiring.

Tehranipoor and Forte were also among the first to publish a book on the topic of counterfeit chip detection and avoidance. “Lots of critical systems like airplanes and military systems have lifetimes of thirty and forty years. Electronics move rapidly, but older systems depend on older chips, so counterfeiters can exploit that,” he said. “They’ll try to sell fake chips or persuade governments to buy fake parts, or recycle chips that aren’t authentic.” Chips age like we age, he said, and putting degraded chips into critical systems will just allow them to fail that much easier. Counterfeiters will try to refurbish chips and sell them for a huge profit, and the cybersecurity team is trying to put a stop to that practice.

Tehranipoor developed a sort of taxonomy for chips, with certain specifications that needed to be met—grades, so to speak. For example, an aerospace chip needs to work in space and not fail. A chip on a submarine would
have different specifications because of the pressure and the water. The market for those types of chips is fairly small but also very lucrative, and therefore the counterfeit market is as well.

So how do they tell if the chips are fake? Forte said there are a few methods. One, and the most obvious probably, is physical inspection. Another method is x-rays, and then there’s electrical tests. With x-rays, high-powered microscopes are used to see deep into the chip. It is, however, an expensive proposition, requiring equipment that can cost in the range of millions of dollars, and some of the methods are destructive, so they can’t be used on all chips. The UF researchers are developing techniques, he said—automated techniques and metrics—to test chips at minimum cost. As for the electrical tests, the challenge is the sheer number of different types of chips, and the tests require a certain specialty that general electrical testing doesn’t necessarily provide. The last method would involve tailoring the inspection method to the design of the chip and recognizing there’s no one-size-fits-all solution.

Besides chip testing, Forte is also very involved in research involving biometrics for cybersecurity applications. “My goals are to investigate biometrics and how you can use them with hardware,” he said. Ideally, instead of a person entering a password, a system would be able to recognize some sort of biological input, be it a pulse or a fingerprint, and allow access that way. This system would make it much more difficult to attack or misuse a system if you’re not the one who owns it.

Forte is young and has years of research ahead of him, but he’s glad to be a part of FICS Research and to have the opportunity to work with such a valued team at the university.

25 STAYING SAFE ONLINE: WHAT YOU CAN DO

Cybersecurity is not as intuitive as I thought. Going into this, I assumed much and didn’t realize how complicated and involved some of the processes are. What I did learn, however, from talking to
the best and most qualified cybersecurity experts in the world, conveniently all in one place at the University of Florida, is that there are certain precautions—simple precautions—that we all can take to protect our data online. We don’t need to have degrees in computer science to use our common sense.

The first and most important thing I’ve learned is that adversaries hack programs through exploits and flaws in the design of programs. As these exploits are discovered, either by the designers themselves or by the adversaries, they are patched out. However, the only way to ensure that you receive a patch is to update your software. The whole reason software is updated is to make sure it works optimally, of course, but also to patch out exploits that adversaries may use to compromise it. That’s very important. Always update. This policy especially goes for social media apps on your mobile phones.

Speaking of social media, we live in a time of rampant oversharing. Someone once put it to me this way: being on Facebook or any of the litany of other social media sites is like being in the middle of a crowded hallway. When you share something, you are basically standing on a soapbox and yelling to everyone around you. It might seem counterintuitive, because you’re sitting in front of a computer and typing something. As I’ve gone into earlier, smart criminals use context clues to steal identity. If you’re posting pictures of a vacation, they know you’re not at home. If you have your address online, they know how to get there. It’s important to recognize how visible you are to other people when you post things online. Many people who value privacy don’t realize how out in the open they really are.

I’ve talked a lot about public networks, but it’s good to remember that free wifi means that adversaries with certain technologies can scrub the signals and potentially steal information. Be cognizant of the types of things you send over public networks.

Also consider passwords. Never leave a default
password. Always choose something complicated, with letters and numbers and symbols. It might seem like a hassle, but so is dealing with someone who’s stolen your identity or your credit card numbers.

If you’re really concerned with privacy, consider getting the Tor browser and using a Virtual Private Network (VPN). A VPN connects securely and privately over the Internet using encryption and other security measures, so that no one can see the information being exchanged.

Good cybersecurity habits are developed over time and don’t just happen. Luckily, we have the top-tier researchers at the University of Florida working on ways to keep us all safe. They touch all aspects, from hardware to software to provenance to the cloud. They work diligently, and the university has made sure to hire the best in the field. They’re always working on exciting new technologies over at the Florida Institute for Cybersecurity Research, at the University of Florida. It’s a team to keep an eye on.

Copyright 2017 by The University of Florida Board of Trustees. All rights reserved. Produced in the United States of America.
ISBN 978-1-942852-13-1 (paper)
ISBN 978-1-942852-33-9 (electronic edition)
University of Florida Office of the Provost and Academic Affairs, 235 Tigert Hall, PO Box 113175, Gainesville, FL 32611-3175