You're scrolling through your social media feed and come across a television news video about work-from-home scams. The reporter breathlessly reports the schemes his investigation has uncovered and warns the viewer to stay away from certain outfits. The good news is that the reporter has helpfully vetted one legitimate work-from-home opportunity.
The program that garnered the imposter reporter's seal of approval? It's a scam. You don't realize this until after you've racked up a couple hundred dollars in recurring credit card charges you agreed to when you purchased the starter kit, which contains bogus job leads.
"They've gotten good at playing into people's emotions and fears. We need to help law enforcement get a better grasp on this," says Kent Kerley, professor and chair of the Department of Criminology and Criminal Justice. The price of the starter kit is nominal, but if only 3 percent of targeted victims fall for the scheme, it adds up to a lot of money for the swindlers, says Dr. Kerley, who conducted a Google-funded study on work-from-home scams.
Cybercrime victimization is one of the areas Kerley plans to pursue as part of UTA's new multidisciplinary research and teaching cluster in cybersecurity and digital forensic investigation. In fall 2018, the colleges of Liberal Arts, Business, Science, and Engineering are joining forces to help close a skills gap as well as respond to industry demands for more qualified cybersecurity professionals. This enterprise to train future cybersecurity professionals is an extension of UTA's data-driven discovery initiative and joins ongoing University research on preventing cyber breaches and protecting data.
Future Crime Fighters
Historically, the fight against cybercrime started in business schools in response to corporate need, with computer science or engineering researchers focusing on hardware and software solutions. But they have lacked deep forensic investigation tools, knowledge of statutes, and an understanding of victimization and criminology. Bringing these disciplines together makes for a more comprehensive and effective approach to fighting cybercrime, says Seungmug Lee, cybersecurity associate professor in the Criminology and Criminal Justice Department.
"Hackers or cybercrime offenders often go free. We do not see a lot of prosecutions," Dr. Lee says. "One of the biggest challenges is equipping security professionals with tools they need to do forensic investigations. Without proper knowledge of data science and law enforcement, we cannot approach cybercrime cases properly."
The FBI reports receiving nearly 300,000 complaints in 2016, from scams to data breaches to identity theft, with reported losses exceeding $1.3 billion. The taskforce it created to work in partnership with local law enforcement agencies opened just 37 cybercriminal investigations that year. Since 2013, the group has launched 73 investigations.
The need for skilled cybercrime investigators is particularly acute in the Lone Star State. Texas ranks second among states for the most cybervictims and fourth in terms of the financial losses suffered. More than 21,000 Texans have reported cybercrimes, making the state second to California, where nearly 40,000 people have reported being victimized. The reported losses in Texas total $77.1 million, compared to $255.2 million in California. However, the problem is likely more widespread than these numbers indicate because an estimated 85 percent of victims never report cybercrimes.
The need for skilled cybercrime investigators is particularly acute in the Lone Star State.
With the growth of cybercrimes, security professionals have not been able to keep up. A 2018 survey conducted by IT analysis and research firm ESG found that 51 percent of cybersecurity professionals in North America and Europe think their companies have a "problematic shortage of cybersecurity skills." ISACA, a nonprofit information security advocacy group, estimates a global shortage of 2 million cybersecurity professionals by 2019.
Cybersecurity shouldn't "be limited to business schools or those with a computer science background. Security impacts all of us," says Marc Johnson, chief security officer for a global IT company. He lauds UTA's multidisciplinary approach, noting the importance of leveraging other degree programs to produce a well-rounded cybersecurity workforce.
"It's a challenge to find people to fill these roles—with cybersecurity, it's more than having knowledge from a technical perspective. You need people who are communicators," Johnson adds. "We need people who can document chain of custody. We need people who are critical thinkers, have investigative training, can identify patterns, can read between the lines and figure out what's going on, and can communicate risks in a language executives can understand."
While planning for the cybersecurity teaching and research cluster is still in the early stages, Kerley expects that through the multidisciplinary enterprise, students will have an opportunity to earn either a certificate or a minor in cybersecurity. Joint criminology-computer science-business research projects are in the offering.
In the meantime, while UTA's criminal justice program is teaching students how to investigate computer crimes and hold cybercriminals accountable, researchers in the Computer Science and Engineering Department are coming at cybersecurity from other angles.
"It's a cat and mouse game," says Gautam Das, the Distinguished University Chair Professor of Computer Science and Engineering. "As researchers, we have to dream and conceive of attacks, find vulnerabilities, and not make technology so inaccessible that it is of no use to society."
“As researchers, we have to dream and conceive of attacks, find vulnerabilities, and not make technology so inaccessible that it is of no use to society.”
Christoph Csallner, associate professor of computer science and engineering, and Shabnam Aboughadareh ('15 PhD, Computer Science) created a code-monitoring tool called RAI to detect malware in legacy systems. Large companies find it more affordable to update and maintain (rather than replace) their legacy applications, especially if they spent millions developing them.
"Some programs have been running for decades," Dr. Csallner notes. But these older programs are especially vulnerable to malware, furtive software designed to damage or disable computer systems. And taking a system offline to investigate or mitigate malware disrupts the business, affecting its bottom line.
Csallner and Dr. Aboughadareh created a tool that can be installed on a company's main server and individual computers. The tool takes a snapshot of each computer's memory, where malware typically hides, and sends the images back to the server. The central computer then compares the snapshots.
"It can detect which computers are not like the others," Csallner says. "If there are a few outliers, you can assume a small set of machines has been taken over."
Because of its small size, it succeeds where commercial antivirus programs, which take up a lot of memory, fail. Additionally, if malware is installed before the antivirus tool, the tool may think the virus is a normal part of the computer system. RAI is not susceptible to that problem.
"It's common for malware to attack antivirus tools directly. That's why it's no longer best practice to install traditional antivirus," Csallner says. "We don't have that problem because the tool is small. We minimize the attack surface."
“It’s a challenge to find people to fill these roles—with cybersecurity, it’s more than having knowledge from a technical perspective. You need people who are communicators.”
Under certain circumstances, it is OK to release aggregate data but not individual data. For example, investigating the cause of an HIV cluster requires the release of the total number of diagnoses, but it's unethical (and illegal) to reveal that John Smith, in particular, has HIV. Conversely, sometimes it's OK to release individual data, but not aggregate data, such as how a user can search an online retailer's database for a product to purchase, but it is unethical for a competitor to crawl or mine the data to gain a competitive advantage.
Data access control is the focus of research being conducted by Dr. Das. He is exploring how to restrict unauthorized access without making programs too cumbersome for the intended user. A major discovery he has made: vulnerabilities in location-based service apps. Google Maps, Facebook, Instagram, and Waze are great for helping you get around or sharing your location with friends. But you're also inadvertently sharing the location of those nearby.
"We have been able to decode aggregate information. Through sampling methods, I can get an idea of how many people are there in this neighborhood at this time," Das says, noting that if he, as a third party, can figure it out, bad actors can, too.
Learning from Intruders
Ransomware, which seizes control of an entity's data and denies access until the company pays a ransom, can result in data becoming unrecoverable. That's what happened in March 2018 in Atlanta, when malicious software shut down city services, preventing the city from collecting payments on water bills, accepting online job applications, and holding court proceedings.
In his research, Jiang Ming, assistant professor in computer science and engineering, is studying ransomware behavior and its evolution to develop ways to mitigate it without losing data. By monitoring how ransomware interacts with a computer's file system, he'll be able to characterize and model ransomware-like behaviors. By comparing progressive versions of ransomware through a method called "segment equivalence checking," he'll be able to identify semantic differences between ransomware variants. Although malware authors have been successful at evading software-based detection, malware usually leaves an identifiable footprint in hardware performance counters. Dr. Ming is investigating whether hardware can assist in early ransomware detection before any data is lost.
Collectively, the work UTA is doing to prevent, predict, and investigate threats will make an impact in disrupting cybercriminal enterprises that have cost billions in damages globally.
"Cybersecurity is a big area," says Jingguo Wang, associate professor in the Department of Information Systems and Operations Management in the College of Business. Dr. Wang is conducting research on cybersecurity risks posed by employee behavior. "UTA has the opportunity to take a leading role in this aspect of education and research. There's a high demand for skilled cybersecurity analysts and managers, and we should take this opportunity."