Moderated by Rick Badie
Georgia Tech plays a critical role in efforts to combat cyber terrorism. A Tech cyber expert writes that the federal government recently awarded the institution grants of more than $5 million to develop methods and mechanisms that address security flaws and snare cyber invaders. The companion essay deals with consumer phone fraud — the kind that starts with a ring, your “hello” and a silent line.
Tech helps thwart cyberattacks
By Wenke Lee
There used to be a day when a computer hack was as obvious as a slice on the arm. A compromised website would ooze with a blood-red message, “You’ve been hacked!”
How simple the old days were.
Today’s cyber intrusions are more akin to undetected cancer: cellular changes that lie unnoticed until just enough — say the function of an organ, or the performance of an operating system — doesn’t perform the way it should. These “advanced persistent threats” are far more stealthy, sophisticated and damaging than the Internet hacks of 20 years ago. They steal data and cover their tracks, moving throughout the organization to new targets, learning how to better mimic and disguise their behavior with each pilfering.
To develop the groundbreaking cyber security protections needed now, we begin by looking to government for examples of actual intrusions and where it’s spending money to devise new solutions. Government agencies award universities like the Georgia Institute of Technology millions of dollars to research and develop new capabilities when the industry has no ready solutions.
In July, Georgia Tech’s College of Computing received a $4.2 million award to develop a method that will track and record events and data at three layers: user interaction with a program, program processing of input, and program and network interactions with the operating system. Our goal is to secure the entire information flow, to know whether military commands are maliciously altered while in transit. The benefit for industry could be radical, especially for anyone conducting financial or legal transactions online.
In June, the Office of Naval Research awarded the College of Computing $1.25 million to develop a new mechanism to catch and quarantine cyber intrusions on naval warships. The potential impact for industry is an intrusion detection and repair system that doesn’t slow performance — so there is no delay, whether you’re firing off missiles or inventory orders.
Meanwhile, Tech students are developing solutions such as a run-time detection tool that recently caught 11 previously undiscovered, deep security flaws in Chrome and Facebook. Gratefully, vendors fixed the problems, and students received a $100,000 prize from Facebook in August to continue their research.
Tech earns these awards from government and other leading organizations because of our research and past successes. We have sought-after experts in the fields of algorithms, computer architecture, data analysis, theory, operating system, information security, high-performance computing and human-computer interaction. Tech also is one of 14 universities in the nation – and the only one in the Southeast – accredited as a “university affiliated research center” by the U.S. Department of Defense.
For 20 years, Tech has served government and industry with research that pursues the grand challenges of cyber security. College of Computing research focuses on long-term and theoretical explorations, while the Georgia Tech Research Institute pursues applied research to develop immediate solutions to government and industry problems.
To better thwart cyber terrorism, it will take close and fearless collaboration between government entities sharing real data, universities offering research and industry advising how, where and when to take research to the consumer. At Tech, we believe close collaboration that includes the sharing of more data will help us improve methods for securing all data. The work to secure our cyberspace will be never-ending, because insidious malware is as ever-present as cancer.
Wenke Lee is director of the Georgia Tech Information Security Center and professor in the School of Computer Science.
Protect yourself against phone scams
By Vijay Balasubramaniyan
Few people understand how sophisticated real-life organized crime can be. Right now, professional criminal gangs are devising complex strategies to steal identities and take over bank and credit card accounts. These techniques are often so subtle, we don’t realize we are giving away information that could lead to identity theft.
One example of this subterfuge is the silent phone call: You get a call from a number you don’t recognize, and there’s nothing on the other end, not even a recorded message. This is certainly annoying, but you may not realize that by picking up the phone, you have increased your chances of becoming a fraud target.
If you are like most people in this country, when the phone rings, you pick it up and say, “Hello.” Criminals take advantage of this social conditioning to collect data. They use a robodialer to efficiently and cheaply place dozens thousands of phone calls at once. If the robodial system detects someone answering the phone, criminals then know there is a human at the other end of that line, one who is likely to pick up the phone when an unfamiliar number calls.
Criminals compile lists of these “live” phone numbers to efficiently target consumers for the next step in the identity theft process — the consumer phone scam. Criminals call people on their target list and impersonate banks, the IRS or local police in an attempt to steal personal information. Criminals build a dossier on a consumer target from information they gather from these scam calls. They may add further research from online searches or social media.
The final step in this scheme is when criminals monetize the newly acquired information. One of the most lucrative methods involves calling the customer service line of a bank or other financial institution. Most banks rely on a system known as Knowledge Based Authentication (KBA) for phone security. KBA relies on personal questions such as “What’s your mother’s maiden name?” or “What is your Social Security number?”
KBA questions provide little real security. The criminals who have done their homework will already know the answers to most of these questions. They further the deception by “spoofing” their victim’s phone number; phone systems can be manipulated to match the caller ID to the phone number the bank has on file for the target.
Once criminals gain access to an account, they can change PINs and passwords, request money transfers, and even open new lines of credit. My company, Pindrop Security, works with financial institutions to combat this type of phone fraud. Our researchers estimate 1 in every 2,200 calls to a bank is a fraud attempt. We’ve also found the average financial institution exposes $7 million to $15 million every year to phone fraud.
How can these phone criminals be stopped?
On the banking side, the key is analyzing components of a call that criminals can’t manipulate. Pindrop researchers have identified 147 clues in the audio of a phone call (beyond the actual voice and what the person says) that can identify whether the caller is trustworthy or trying to disguise his or her identity. These clues tell us what device a caller is using, what part of the world the call is coming from, and whether the caller is using a land line, mobile or VoIP. Pindrop combines these clues to create unique “audio fingerprints.”
Consumers can do their part to stop fraud by being wary of answering calls from unknown numbers. Hang up on robocalls without interacting or pressing a button to be removed from the list. Be aware of popular phone scams, and never give out personal information over the phone.
Vijay Balasubramaniyan is CEO of Atlanta-based Pindrop Security.