CI master students’ research accepted at the KES2020 international conference in Verona

KES 2020 in Verona but virtual

CSUCI Master of Computer Science students were successful in submitting two papers to KES 2020, the 24th International Conference on Knowledge-Based and Intelligent Information & Engineering Systems, which this year is taking place in Verona, Italy, in September 2020. However, due to the COVID pandemic, the conference will be held virtually. The papers are the following:

  • Malware Persistence Mechanisms, co-authored by Zane Gittins and Michael Soltys. Zane Gittins is a masters student in Computer Science at CSUCI, and this paper is the result of his masters thesis. Zane Gittins has worked as a Cybersecurity expert at HAAS, and is currently working at Meissner Filtration. (This paper will be presented in the General Track session G3b: Cybersecurity.)
  • Voyager: Tracking with a Click, co-authored by Samuel Decanio, Kimo Hildreth and Michael Soltys. Sam Decanio is a masters student in Computer Science at CSUCI, and this paper is the result of his masters thesis and a fruitful collaboration between Computer Science at CI and the SoCal High Technology Task Force. Sam Decanio is currently working at the Navy. (This paper will be presented in the General Track session G3b: Cybersecurity.)

My five recommendations for readings in Cybersecurity

Over the last year I read a dozen excellent books on Cybersecurity, and I want to recommend some of them – these are books accessible to the general audience and which read like good thrillers, and thus will make time go by faster sitting in airplanes and other modes of transportation. It could be said that all these books focus on malware and that to some degree sensationalize cybersecurity, but that is part of their charm, and that is what makes them ‘page turners’. However, it is important to remember that there is nothing magical about cyberattacks, and it is not surprising that state actors want to wield the Internet, specifically the Internet of Things (IoT), as a weapon. IT systems are complex, and we do not yet have proven methods to write reliable (i.e., correct) software, and hence our vast IT infrastructure is of course vulnerable to attack, and all is fair in love and war. All the books, however, stress the need to be prepared, and the need to emphasize defense as well as attack capabilities. All the books have significant overlaps (e.g., they all mention Stuxnet).


My first recommendation is Andy Greenberg’s Sandworm, a book that came out in 2019, which details all that is known about the hacker group known as Sandworm, a group that is responsible for major attacks such as NotPetya. Andy Greenberg is such a good writer, and presents the geopolitical context in such vivid detail, that I found myself having a mental conversation with him during the reading of the book. This book is not intended for the Computer Scientist who is interested in the technical details of the attacks, but those details can always be found on the Internet. The description of the political situation in Ukraine is a little simplistic, and I do not agree with the sobriquet of Poland as imperialist toward Ukraine (much of western Ukraine was simply Polish before World War II, such as the city of Lwów), but the history of that part of the world is complex, and this is not the book to unwind it. I have always been an avid reader of the late Harold Bloom, and one of his lessons to writers has been to be sympathetic even to the villain in your story; I feel that Russia’s concerns in eastern Ukraine (Crimea) could have been presented as part of the story.

The Perfect Weapon

David E. Sanger’s The Perfect Weapon, published in 2018, is a comprehensive overview of how the world’s powers are deploying digital sabotage. Sanger is the national security correspondent for the New York Times and also teaches national security policy at Harvard’s Kennedy School of Government. This book is a study of how cyberweapons are transforming geopolitics, and that they are a game changer of the same caliber as the atomic bomb was at the time of its invention. Sanger was the author of the New York Times article in May 2012 that first attributed the Stuxnet malware (known as the Olympic Games operation to the US intelligence community) to the Obama administration’s secret order to deploy increasingly sophisticated attacks on the computer systems that run Iran’s main nuclear enrichment facilities at Natanz. A well researched, well written book, with a gripping narrative, a great place to start understanding – and demystifying – Cyberweapons.

Click Here to Kill Everybody

Bruce Schneier’s Click Here to Kill Everybody, with the subtitle Security and Survival in a Hyper-connected World, is a fantastic read on Cybersecurity in the context of the Internet of Things (IoT). Bruce Schneier is of course very well known in the Cybersecurity community, and he is the author of one of the first modern books on Cryptography (Applied Cryptography, first edition 1996). I liked many things about this book, but especially the author’s insights on the philosophy of Cybersecurity. For example:

  • Large Attack Surface problem, where the defender has to secure the entire attack surface from every possible attack all the time, but the attacker only has to get lucky once. During my PhD, and for many years after, I worked in the field of proof complexity, where the goal is to study the power of logical theories; this reminds me of a profound observation in mathematics, that universal statements (∀-statements) are often much more difficult to prove than existential statements (∃-statements). A ∀-statement frequently requires the full power of induction, while ∃-statements can be frequently proven with a simple construction (this is a very high-level intuition driven statement).
  • Complex systems are very versatile, flexible and so they have lots of options. A classic safe is easy to see if it is opened or closed; yank the handle. But checking whether the permissions in your OS are set correctly is difficult.
  • Attribution: it is very difficult to do digital forensics; who penetrated your system? We may all “know” where the attack originated, but the evidence is usually scant.
  • And other concepts such as Skills vs Abilities, Small Gains, Skills Gap and Public Education, which the interested reader can find in the book.

Countdown to Zero Day

Kim Zetter’s Countdown to Zero Day – an older book (2014) based on an even earlier article by the same author in Wired magazine (2011) – describes in great detail the geopolitics, but also to some extent the mechanics, of the Stuxnet malware (mentioned in some of the books listed above). Stuxnet was a sophisticated worm, developed by the US and Israeli governments around 2005 (code name Olympic Games), aimed at the uranium enrichment facility in Natanz (Iran), and discovered by the Infosec community around 2010. The worm attacked Programmable Logic Controllers (PLCs) manufactured by the German company Siemens and deployed at the Natanz facility to run centrifuges. There are many interesting aspects to Stuxnet; for example, the first major deployment of a cyberweapon, the attack on the IoT, etc. The book is very detailed, and while this can help experts piece together a very detailed picture of what happened, it could be a little bit dry at times to the casual reader. I would suggest reading this book without being afraid to skip certain parts, especially those that might sound repetitive, or parts with which the reader is familiar already. Still, this book is in my opinion the definitive companion to the Stuxnet malware. For those interested in going even deeper, please keep in mind that there are public repositories containing the Stuxnet code:


Richard A. Clarke’s Cyberwar is the oldest (2010) and least technical book on this list, but very important as it presents Cyberwar from a policy / national security perspective. Clarke has served in several administrations, starting with President Reagan, and has thought deeply about the national security perspective of all things Cyber. It should be noted that this book has been written with Robert K. Knake as co-author. Often, in the field of Cybersecurity, experts are siloed, and those with command of the technical aspects of the field have little understanding of, say, legal / policy aspects. This book, while interesting in itself, also has the advantage of defining various concepts in a precise manner that can lead to meaningful policy discussions.

In Baltimore and Beyond, a Stolen N.S.A. Tool Wreaks Havoc

For nearly three weeks, Baltimore has struggled with a cyberattack by digital extortionists that has frozen thousands of computers, shut down email and disrupted real estate sales, water bills, health alerts and many other services.

But here is what frustrated city employees and residents do not know: A key component of the malware that cybercriminals used in the attack was developed at taxpayer expense a short drive down the Baltimore-Washington Parkway at the National Security Agency, according to security experts briefed on the case.

Since 2017, when the N.S.A. lost control of the tool, EternalBlue, it has been picked up by state hackers in North Korea, Russia and, more recently, China, to cut a path of destruction around the world, leaving billions of dollars in damage. But over the past year, the cyberweapon has boomeranged back and is now showing up in the N.S.A.’s own backyard. It is not just in Baltimore. Security experts say EternalBlue attacks have reached a high, and cybercriminals are zeroing in on vulnerable American towns and cities, from Pennsylvania to Texas, paralyzing local governments and driving up costs.

Source: In Baltimore and Beyond, a Stolen N.S.A. Tool Wreaks Havoc – The New York Times

CI students’ research accepted at the KES2019 international conference in Budapest

KES 2019 conference in Budapest, Hungary

CI Computer Science students were successful in submitting three papers to KES 2019, the 23rd International Conference on Knowledge-Based and Intelligent Information & Engineering Systems, which this year is taking place in Budapest, Hungary, in September 2019. The papers are the following:

  • Approximating consistency in pairwise comparisons, co-authored by Chris Kuske, Konrad Kułakowski and Michael Soltys. Chris Kuske was a masters student in Computer Science at CI, and this paper is the result of his masters thesis [pdf], which was co-supervised by Prof. Konrad Kułakowski (AGH), who at the time was a Kościuszko Scholar in Computer Science at CI. Chris Kuske is a Software Lead at Teledyne Controls where he develops avionics software for commercial aircraft. (This paper will be presented in the Invited Session IS18: Decision modeling with and without pairwise comparisons.)
  • SEAKER: A mobile digital forensics triage device, co-authored by Eric Gentry and Michael Soltys. Eric Gentry was a masters student in Computer Science at CI, and is currently working at GBL Systems, and lecturing for Computer Science at CI. This paper is the result of a collaboration between Computer Science at CI and the SoCal High Technology Task Force. For more details on this collaboration please see here. (This paper will be presented in the Invited Session IS13: Cybercrime Investigation and Digital Forensics.)
  • Deploying Health Campaign Strategies to Defend Against Social Engineering Threats, co-authored by Noelle Abe and Michael Soltys. Noelle Abe is a senior student at CI, who just graduated this May with a degree in Computer Science. Noelle Abe was both a President’s Scholar at CI, and the vice-president of the Computer Science Girls Club. This paper was initiated by Noelle as part of her research as an exchange student in the UK in 2017. (This paper will be presented in the Invited Session IS24: Knowledge-based Learning and Education Support System: Design and Function.)

Governor’s Cybersecurity Task Force (GCTF)

I am very happy to be part of the California Governor’s Cybersecurity Task Force (GCTF), serving on the Workforce Development and Education Subcommittee. The main objective of this subcommittee is to address the growing workforce gap; currently, there are 37,000 available cybersecurity positions in California, and 314,000 in the nation. About 70% of those positions require a 4-year degree or more.

The aim of our subcommittee is threefold: to enrich and standardize the educational pathway from K12 to PhD/Certification; to teach general Cyber hygiene, both to the workforce and the public; and to help military, especially veterans, transition into civilian careers in Cybersecurity.

Computer Science at CI is well positioned to address some of the challenges:

  • A thriving program in Computer Science, with a minor in Cybersecurity; we are part of CyberWatchWest, we have a Cybersecurity student club, and we teach courses in Cybersecurity at the undergraduate and graduate level.
  • Experience in “hands-on” education, which is one of the aims of the workforce development. We have strong connections with the industry and the public sector (such as the SoCal High Technology Task Force).
  • An ongoing collaboration with the Navy; we have worked with both Navy officers and civilians as instructors and collaborators.

Please read more here.


Raspberry Pi controller, the hardware for SEAKER

In the summer of 2017, while I was teaching COMP 524 (Cybersecurity) at California State University Channel Islands, the students were introduced to a project based on an R&D from the SoCal High Technology Task Force (HTTF). The requirements and specifications asked for a device that could automate the search through vast amounts of data contained in portable devices (such as hard disks and thumb-drives), looking for pre-established patterns in file-names.

The students designed and prototyped a device that we christened SEAKER (Storage Evaluator and Knowledge Extractor Reader), based on a Raspberry Pi, with a custom designed version of Raspbian (the OS running on Raspberry Pis), and a bash shell script for cloning such devices. The first presentation of SEAKER took place on August 7, 2017, to an audience composed of CI faculty and students, as well as investigators from the SoCal HTTF.

As SEAKER was being developed, it was presented at various other venues, for example:

We have also published the research resulting from the SEAKER project:

  • As the masters thesis of Eric Gentry, April 2019 [pdf]
  • In the proceedings of the 2019 Future of Information and Communication Conference (FICC) [doi]
  • To appear in the proceedings of the 2019 23rd International Conference on Knowledge-Based and Intelligent Information & Engineering Systems (KES), track: Cybercrime Investigation and Digital Forensics

The Beast project

The Beast at the SCHTTF forensic lab

In September of 2018, a group of CI students, working on their senior capstone project under my supervision, started to build a machine capable of massive parallel computing. We christened the machine “The Beast.” We undertook to build the machine following the specification of the So Cal High Technology Task Force (HTTF) digital forensics lab in Ventura County.

The Beast was built with five EVGA GeForce GTX 1080Ti, capable of massive computational parallelism, an MSI Z370-A-Pro motherboard, an i5-8400 CPU, as well as a Hydra II 8 GPU 6U Server Mining Rig Case, and power supplies capable of maintaining four big fans; cooling The Beast was an important part of the project.

Presenting The Beast at the Capstone Showcase

The students who participated in the project were, in alphabetical order, Noelle Abe, Benjamin Alcazar, Matthew Atcheson, Joshua Buckley, Joshua Carter, John Miller, Scott Slocum, Ryan Torres and Devon Trammell (the team leader). On May 2nd, after working on the project during both terms of 2018/19, and having overcome many technical difficulties, the team presented The Beast at the Computer Science Advisory Board Meeting and the Computer Science Capstone Showcase; following these presentations, The Beast was handed over to the SoCal HTTF digital forensics lab. As you can see from the first picture above, The Beast has settled in its new home, a cooling room at the HTTF lab.

Rattled by Cyberattacks, Hospitals Push Device Makers to Improve Security

Hospitals are pushing medical-device makers to improve cyber defenses of their internet-connected infusion pumps, biopsy imaging tables and other health-care products as reports of attacks rise.

Rattled by recent global cyberattacks, U.S. hospitals are conducting tests to detect weaknesses in specific devices, and asking manufacturers to reveal the proprietary software running the products in order to identify vulnerabilities. In some cases, hospitals have canceled orders and rejected bids for devices that lacked safety features….

Source: Rattled by Cyberattacks, Hospitals Push Device Makers to Improve Security – WSJ

The NSA Makes Ghidra, a Powerful Cybersecurity Tool, Open Source

THE NATIONAL SECURITY Agency develops advanced hacking tools in-house for both offense and defense—which you could probably guess even if some notable examples hadn’t leaked in recent years. But on Tuesday at the RSA security conference in San Francisco, the agency demonstrated Ghidra, a refined internal tool that it has chosen to open source. And while NSA cybersecurity adviser Rob Joyce called the tool a “contribution to the nation’s cybersecurity community” in announcing it at RSA, it will no doubt be used far beyond the United States.

You can’t use Ghidra to hack devices; it’s instead a reverse-engineering platform used to take “compiled,” deployed software and “decompile” it. In other words, it transforms the ones and zeros that computers understand back into a human-readable structure, logic, and set of commands that reveal what the software you churn through it does. Reverse engineering is a crucial process for malware analysts and threat intelligence researchers, because it allows them to work backward from software they discover in the wild—like malware being used to carry out attacks—to understand how it works, what its capabilities are, and who wrote it or where it came from. Reverse engineering is also an important way for defenders to check their own code for weaknesses and confirm that it works as intended.

“If you’ve done software reverse engineering, what you’ve found out is it’s both art and science; there’s not a hard path from the beginning to the end,” Joyce said. “Ghidra is a software reverse-engineering tool built for our internal use at NSA. We’re not claiming that this is the one that’s going to be replacing everything out there—it’s not. But it helped us address some things in our workflow.”

Source: The NSA Makes Ghidra, a Powerful Cybersecurity Tool, Open Source | WIRED

KES 2019 special session on Cybercrime Investigation and Digital Forensics

I am happy to co-chair a KES 2019 special session on Cybercrime Investigation and Digital Forensics on September 4-6, 2019, in Budapest, Hungary. Please consider submitting a paper to this event (submission instructions here).