In the second interview of the #CyberAware series, we spoke with Kevin Curran, who is known for finding vulnerabilities in computer networks. At the start of his career, Kevin found weaknesses in well-known corporate computer networks.
Kevin currently teaches Cybersecurity at Ulster University and is group leader of the Ambient Intelligence & Virtual Worlds Research Group.
Kevin’s achievements include winning and managing UK & European Framework projects and Technology Transfer Schemes.
He has made significant contributions to advancing the knowledge and understanding of computer science evidenced by over 700 published research papers. He is perhaps most well-known for his work on location positioning within indoor environments and network security.
He is a regular contributor to broadcast media and has given a number of interviews in recent years. He is currently the recipient of a Royal Academy of Engineering Senior Research Fellowship and is an IEEE Technical Expert for Internet Security.
Professor Curran has performed external panel duties for various Higher Education Institutions and public bodies such as OFCOM and the National Institute for Health Research (NIHR).
1) Thank you, Kevin, for taking the time for this interview. First, let's start with your journey. What led you to become a professor? What made you choose Cybersecurity as a career?
Looking back at my early school life, I can see now that I had attention deficit disorder. Apart from English, nothing interested me in school, so I was always disruptive – that is until I discovered computers when I was 16 years old. I remember the moment I saw a Spectrum 48K home computer, and I knew what I wanted to do with the rest of my life. I then studied hard for my remaining two years in high school to go to college and study computers. Once there, I always excelled.
Security is something that went hand-in-hand with my favorite computer subject, which was computer networks. While working on my Ph.D. in computer networks, I started to become more interested in security – especially wireless security – and I was one of the first people that I know of to use 802.11 Wi-Fi in a laptop.
In fact, I was using it so much earlier than my peers that, a few years later, when I had published academic papers on the weaknesses of enterprise wireless security and a press release was done, it ended up being sensationalised and I hit the front page of national papers, regional papers and websites around the world, including the BBC.
That is what kick-started my becoming a media commentator, and in the years that followed, media outlets would approach me for comment on breaking stories in technology. However, I have never lost the bad feeling of walking into your local shop and seeing my face plastered on the front page of every paper…
2) What was the first cybersecurity lesson you taught to your new students and is it still relevant today?
I often tell my students on day one that if they wish to be secure online, then they should not buy a computing device. If they must, then they must not turn it on. If they must turn it on, then only turn it on and use it for a few minutes.
I am flippant of course, but there is an underlying truth in what I say. First of all, there is no such thing as a truly secure network or computing device. Also, the more sites you visit and the more apps you download, the broader the attack vectors which hackers can use to compromise you. It makes sense. If you only visit a few sites in a day, you are less likely to download malicious software or be fooled by a phishing email.
The other lesson I teach on the final day after I show them all the weaknesses and tools that hackers use – is to simply keep their systems updated with the latest patches. That stops a multitude of attacks.
3) What are some of the most notorious cyber security threats of today? And what future risks do you see? We are talking about a hyper-connected world where our daily lives will involve driverless cars, VR, AR and microchips in our bodies.
Cyber-attacks can be incredibly complicated. One of the more complex cyber-attacks used the Volatile Cedar malware. It took great strides to remain under the radar of leading AV solutions. It starts off by targeting publicly facing web servers running Windows OS using a mix of automatic and manual vulnerability discovery.
The targeting of a web server is not as common as you might think. Once a server has been compromised, they further penetrate the connected internal network using exploits and automatic USB infection. To be specific, the attack uses web shells to control a compromised server and then the Explosive Trojan is implanted so the attackers can send commands to all targets through the substantial number of diverse Command and Control servers.
This can only be because of a well-funded operation. The critical threat of the malware is its ability to evade detection, and it goes to great length to do so efficiently. A crucial aspect here was 'radio silence' in that it knew when to basically 'shut up' and lie dormant. It achieved this through sophisticated monitoring of system processes.
The core of the malware is a custom built remote access Trojan called Explosive. This is what sends the target information including screenshots, keylogging & clipboard information, credentials & sensitive documents back through a sophisticated botnet of command and control nodes. There is also an ability to infect USB drives.
It also helped that they only targeted a small number of specific sites rather than a 'release and hope' scatter attack. Even the targets they selected were done using custom-made attacks. It is worth highlighting the impressive 'stealth mode' techniques adopted by this malware to evade detection.
Techniques to avoid detection include frequently checking AV results and changing versions and builds on all infected servers when any traces of detection appear, in addition to monitoring memory consumption to prevent common server administration utilities from detecting the Explosive processes.
Of course, whenever Explosive’s memory consumption reaches a predefined threshold, its hosting process is restarted. It is also dynamic in so far as features were added over time including the USB infection mechanism.
This is just another example of the sophistication that we are now seeing that malware can possess. Previous high-profile examples include Stuxnet and Flame. Stuxnet was the notorious computer worm which included a highly specialized malware payload designed to target only supervisory control and data acquisition (SCADA) systems that are configured to control and monitor specific industrial processes.
These SCADA systems were used in Iran's uranium enrichment program. The related Flame malware can gather personal files, remotely change settings on computers, turn on PC microphones to record conversations, take screen shots, log instant messaging chats and cover its tracks very cleverly. It can be distributed via removable networks and local area networks.
It can snoop on a network, detecting network resources, and collecting lists of vulnerable passwords as they pass by over that network. It can capture the contents of any fields filled out, even when obscured by asterisks or dots (e.g., password fields). It can scan disks of an infected system seeking specific content.
It can perform screen captures of the infected machine when specific programs are running, and it can activate a microphone and record over an extended period any sounds in the environment. It can overcome the security of Skype calls by such a process. All of the data captured is saved in a local database which it can transfer back to control servers – encrypted.
Another example of a clever, complex attack is where the Russian hacking group Turla hijacked satellite-based Internet links to communicate with command and control servers. It turns out that some uni-directional satellite links are unencrypted and can be intercepted by anyone within a radius of more than 600 miles.
This group used off-the-shelf satellite equipment and dedicated DVB-S tuners to allow computers infected with Turla spyware to communicate with Turla C&C servers without disclosing their real-world location (as they could be anywhere within a 600-mile radius). This allows them to avoid being shut down. They also only used it on their highest-profile targets.
4) Gartner forecasts that IoT devices will grow by 21 billion by the year 2020. What cyber security threats will we see? What great companies do you think are working on IoT security?
There is an argument for organizations to keep it dumb when it comes to the Internet of Things. A basic rule of thumb in security is that the more devices you have exposed to the internet, the more exposed you are to being hacked. It means that you are more likely to have neglected machines which are not updated and hence more vulnerable.
It is crucial that IT departments monitor their networks 24-7, looking for potential intrusions and unusual activity on the system, but in reality, how many do this and take appropriate action? The sheer scale of deployment of these limited-function embedded devices in households and public areas can lead to unique attacks.
There is also the worry of the domino effect where, if one device becomes 'owned', it can quickly spread to the remainder of the cluster. The privacy issues arise due to the data collection mechanisms, which may lead to user profiling and identification of individuals in unforeseen use case scenarios. The utmost care needs to be taken when deploying IoT devices with regard to their lifecycle, data collection mechanisms and overall security protocols.
We have now seen a significant issue with IoT devices due to their implementation of default passwords which are known to hackers; in addition, many of these devices have pre-installed, unchangeable passwords, which is utterly careless on the part of the manufacturers.
Only a few IoT manufacturers are considering the correct forms of cryptographic algorithms and modes needed in particular for IoT devices. There is an international ISO/IEC 29192 standard which was devised to implement lightweight cryptography on constrained devices. There was a need for this as many IoT devices have a limited memory size, limited battery life along with restricted processors.
Traditional 'heavy' cryptography is complicated to deploy on a typical sensor hence the deployment of many insecure IoT devices. Severe pressure needs to be placed on IoT manufacturers to implement best practice in securing these devices before they leave the factory.
We know the public will be unaware of the need to update their lightbulbs so we in the security industry must force the manufacturers not to make it so easy for the hackers to exploit them. As we have seen lately, we are now all at risk from IoT devices which were thought to be too dumb to cause harm. The opposite is the truth. Unpatched, poorly deployed dumb devices have the power to bring the Internet to its knees.
5) You mentioned that humanoid robots are an inevitable part of our future. Back in 2004, Will Smith starred in the movie I, Robot. Do you think robots using AI will be threatening?
The term itself – Artificial Intelligence – posits itself as a 'pseudo human intelligence.' Its core applications consist of simulating (and attempting to outperform) human intelligence. To achieve this, it seems that the highest ranking algorithms or processes to date are those that closely mimic our limited understanding of how the brain works with its neural pathways.
It is possible that a future breakthrough devises an alternative means of replicating human intelligence in a manner which does not align itself to how we believe our intelligence is working but until then, it seems that the most effective AI is a crude model of human thinking.
A human can recognize and distinguish real-world objects, interpret conversations with little or no ambiguity and function for long periods in the real world without making 'mistakes.'
The very best AI can only perform a subset of these examples, in clear use cases. For example, object recognition systems are reliant on the pre-programmed corpus of objects fed to them and thereafter are reliant on external sensor input correctly interpreting these patterns through a 2D camera sensor, which can frequently lead to misclassifications.
Natural language processing and speech recognition systems reliant on sophisticated AI techniques can also struggle where humans would not. All of these foundational AI systems are indeed making great strides year on year, but they also highlight the great divide between human intelligence and machine intelligence.
Many predict a time soon when AI will win over humans. Some of this basis lies in science fiction and Hollywood. One of the most influential proponents of this prediction comes from what is known as the technological singularity.
This is a hypothetical event in which AI would be capable of recursive self-improvement, where it builds ever smarter & more powerful machines than itself, right up to the point of a runaway effect which is an intelligence explosion. Basically, in an instant, this AI would result in an intelligence surpassing all existing human knowledge.
I have always had a fondness for the singularity hypothesis, and it is indeed a logical prediction, but of course, a true artificially intelligent machine would be a recreation of the human thought process – a human-made device with our intellectual abilities.
This would include the ability to learn just about anything, the ability to reason, the ability to use language and the ability to formulate original ideas. We are nowhere near achieving this level of artificial intelligence, but they have made a lot of progress with more limited AI. The question comes down to the limitations of belief in whether essentially a human-made creation can rise to such lofty heights.
Today's AI machines can replicate some specific elements of intellectual ability. Computers can already solve problems in limited realms. The basic idea of AI problem-solving is straightforward, though its execution is complicated. First, the AI gathers facts about a situation through sensors or human input.
The computer compares this information to stored data and decides what the information signifies. The computer runs through various possible actions and predicts which action will be most successful based on the collected data.
Of course, the computer can only solve problems it is programmed to answer – it does not have any generalized analytical ability – and for many, that is the limitation which may perhaps prevent the singularity from arising.
I do think we are not anywhere near the limits of what artificial intelligence can achieve, but I am not in the camp which worries about a takeover. Sophisticated AI is just as likely to be nurturing and of course beneficial in so many ways to humans so I would see the risks as being worth it. Let us keep moving forward with improving AI.
6) In a recent interview, you mentioned crucial flaws that led to the success of the Krack Attack. What possible solutions do you recommend? How do you think it is going to affect the everyday WiFi internet user?
The Krack Attack is one of the first WiFi vulnerabilities we have seen in some time. WiFi to date was assumed to be entirely secure, but this key reinstallation (Krack) attack allows the manipulation and replaying of cryptographic handshake messages in WiFi to fool a victim into reinstalling an already-in-use key. When this occurs, crucial parameters such as the incremental transmit packet number (aka nonce) and receive packet number are reset to their initial value.
This is the weakness – as a key should only be installed and used once. Decryption of information then becomes possible as the same encryption key is used with nonce values that have already been used previously.
They have also exposed other variants against group keys and more and have effectively broken down the door to WPA2. It is catastrophic against Linux WiFi implementations (wpa_supplicant) which install an all-zero encryption key instead of reinstalling the real key. This makes the attack easy. Android also uses wpa_supplicant, and at this time, it seems that 4 out of 10 Android devices are vulnerable to this variant of Krack.
This attack could technically allow sensitive information such as credit card numbers, chat messages, passwords, banking logins, emails, photos, and in fact most information traveling over a WiFi network to be snooped.
In some cases, data can be manipulated, and malware injected into websites. Unfortunately, there is no alternative to using the underlying wireless WPA2 at present, but users should consider using VPNs and other security technologies to protect connections. A positive aspect is that HTTPS is becoming more pervasive on the web and some services like TLS, SSH, PGP use strong encryption. The author of Krack does, however, point out that HTTPS was previously bypassed in non-browser software, Apple's iOS, OS X, Android apps, banking apps and VPN apps.
So really a patch for this attack is crucial. Other information that can be discovered with this flaw includes unique device identifiers and metadata (visited sites, traffic timing, patterns, a quantity of data exchanged) – all privacy leaks. A fix will come, but it does require router firmware to be updated. This can be a problem as the average user is unlikely to do this and many routers will not have updates rolled out.
That is a more significant issue for the security community, where there is inadequate support from manufacturers for updates. For once, this is not an over-excited security flaw with a catchy name – this is the real deal. Once again, it proves how difficult it is to truly write secure protocols.
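The answer above explains the mechanism in words: a key that is installed twice resets the packet number, so the same key is used with a nonce that has already been used, and a stream cipher with a repeated (key, nonce) pair leaks the XOR of the two plaintexts. The following added example (written for this page; it is not code from the interview, the KRACK paper or any WiFi stack) shows that property and the shape of the fix. It assumes a toy counter-mode cipher built from HMAC-SHA256 standing in for CCMP's AES keystream, a `Station` whose packet number starts again from zero whenever a key is installed, and a `guard_reinstall` flag that models the corrected behaviour of ignoring an install request for a key that is already in place; all names and sample messages are constructed for the example.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: PRF(key, nonce || counter), block by block.
    It is not CCMP, but it has the same property that matters here: the same
    (key, nonce) pair always produces the same keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block_input = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block_input, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream encryption: ciphertext = plaintext XOR keystream(key, nonce)."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


class Station:
    """Minimal model of the transmit side of a WiFi client session (assumption:
    only the key and the transmit packet number, which is the nonce, are modelled)."""

    def __init__(self) -> None:
        self.key = None
        self.pn = 0  # transmit packet number; incremented before every frame

    def install_key(self, key: bytes, guard_reinstall: bool) -> None:
        # Corrected behaviour: a key that is already installed is not installed
        # again, so the packet number counter keeps climbing.
        if guard_reinstall and key == self.key:
            return
        # Vulnerable behaviour: (re)installing the key resets the nonce to zero.
        self.key = key
        self.pn = 0

    def send(self, plaintext: bytes):
        self.pn += 1
        nonce = self.pn.to_bytes(6, "big")
        return nonce, encrypt(self.key, nonce, plaintext)


# Constructed sample frames; same length so the XOR comparison is exact.
MSG1 = b"GET /account HTTP/1.1"
MSG2 = b"password=hunter2-XXXX"


def simulate(guard_reinstall: bool):
    """Returns (nonce_reused, plaintext_relationship_leaked).

    The second install_key call plays the role of a retransmitted handshake
    message 3 arriving after the session is already in use."""
    key = bytes(range(16))  # constructed session key
    sta = Station()
    sta.install_key(key, guard_reinstall)
    n1, c1 = sta.send(MSG1)
    sta.install_key(key, guard_reinstall)  # retransmitted message 3
    n2, c2 = sta.send(MSG2)
    # With a reused keystream, c1 XOR c2 == MSG1 XOR MSG2: the cipher no longer
    # hides the relationship between the two frames.
    leaked = xor_bytes(c1, c2) == xor_bytes(MSG1, MSG2)
    return n1 == n2, leaked


if __name__ == "__main__":
    print("vulnerable (nonce reused, relationship leaked):", simulate(False))
    print("guarded    (nonce reused, relationship leaked):", simulate(True))
```

The guard is deliberately the smallest change that restores the "install and use a key once" rule the answer describes: the counter is never rewound while the key stays the same, so every frame gets a fresh nonce even if the handshake message is delivered again.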
7) Encryption. Use of a VPN and hiding your IP was one of the most suggested solutions to stay private on the internet. How do you stay private and secure your work, transactions and daily life from hackers?
That is a big question for me, but I will pass on some advice which could prevent someone from becoming a victim of computer fraud, and what I recommend does not require much technical knowledge.
– Keep software updated. Running the most recent versions of your mobile operating system, security software, apps & Web browsers is among the best defences against malware and other threats. When you see a message on your computer or mobile to update, then do so immediately. These updates often contain security patches which protect against new vulnerabilities.
– Use different passwords on all sites – and change them frequently. Hackers often steal a login and password from one site and attempt to use it on other sites. To make it simple to generate – and remember – long, strong and unique passwords, it is good practice to install a reputable password manager which will create complex strong passwords and store them in an encrypted file on your own computer. You then only need to remember one master password, and the password manager will automatically take care of logging you into different sites with secure passwords.
– Use an ad blocker – Believe it or not, there are a lot of malicious ads that can cause your device to become infected. Using an ad blocker on your browser can prevent these malicious ads appearing. It also speeds up browsing, so you will experience quicker loading of websites. It is a win-win but, unfortunately, some websites require you to turn it off to see their content.
– Register with haveibeenpwned.com – This is a legitimate website which collects all the emails associated with publicly known website hacks. Here you can submit your email to see if your personal details have been released in previous website hacks, and you can also register your email to receive future notifications if your details appear in a future hack. If you do find your details registered, then log in to the site where you were compromised and change your password. Watch out also for phishing emails from the site just hacked.
– Look for a secure padlock icon in your browser – This icon to the left of your URL signifies that the website is using https. Https is ‘secure HTTP’ which ensures an encrypted connection is active so that your sensitive information like credit cards or passwords is not as easily ‘sniffable’ by a hacker who is snooping on a network between you and the legitimate website. Not all websites support https now but you should expect all sites which accept payments to have https enabled.
– Double-check the domain name of the website – Always check before entering sensitive information to make sure you are not on a phishing website like paypa1.com or g00gle.com. You should also never click on a link in an email telling you to login to your sensitive accounts to resolve an issue. Instead, leave the email and go directly to the site and login. Links in emails which look legitimate can reroute you to rogue sites which capture your login details.
– Enable two-step authentication when offered – Many sites such as Apple, Microsoft and Google now ask you to associate a mobile phone with your account. Two-factor authentication does not let you login without access to your mobile phone and this ultimately makes it much harder for an attacker to hijack your account (as they do not have your mobile phone to change account details).
– Do not click on anti-virus popup windows – This is a common scam which tells you that your computer is infected with a virus. Genuine antivirus software does not do this. The popups install malware onto your computer, with your permission. Many now require you to pay money to have the software removed by the software originator. Malware such as Cryptolocker is a nightmare and is unremovable without paying the ransom.
– Change default passwords – Whenever you buy an Internet-connected device (e.g. router, baby monitor, connected CCTV), change the default password. In fact, the default password on every device you purchase should be changed on first use. There are search engines like Shodan which crawl the web for connected IoT devices, and hackers will try default passwords on those devices. You are basically leaving your keys in the door.
– Close out old accounts – They simply create more points of vulnerability. Sometimes that might mean having to go through steps to recover an old password you might not remember, but it is worth it. The less footprint you have online, the better in general.
– Review your online accounts and credit report – You should review your bank accounts, auction accounts, and mobile phone accounts for signs of fraud or charges that you did not make. Make this a regular habit. Yes, banks and credit card companies are quite good at spotting fraud but ultimately, it is up to you to spot fraud on your account.
– Treat public WiFi differently – You should not use public Wi-Fi hotspots without using a VPN connection. A VPN will encrypt your communications to and from the internet to prevent eavesdropping. At home or on wireless networks where you enter a password, the connection is encrypted so that your information is not sent ‘in the clear’. Just be aware that wireless networks with no required login can be easily sniffed by a stranger on the same network.
– Do not open links or attachments in suspicious emails. Be aware that even when they seem to be sent by someone you know, use caution as their email account might have been compromised by a hacker. If in doubt, call the person or company to check first. Do not try emailing unless you can ask them for information only known to you both. Do not trust any phone numbers in the email.
Finally, do not download pirated or cracked software, as it can often contain malware. Where available on iOS devices, use Touch ID and register multiple fingers. Place tape over your webcam when not in use, and use a credit card online, as you are then protected for purchases >100 and <30,000.
Do not text or email your credit cards, bank account numbers, or passwords, no matter how much you trust the person on the other end. Keep your mobile device secure by using a secure password to lock it. If you are going to use email, use Gmail, with a physical security key on your laptop and Google Authenticator on your phone. Use Signal or WhatsApp on your phone to communicate with other people, rather than SMS or iMessage. Do as much of your work as possible on an iPhone or iPad. Use a Bluetooth keyboard for more comfortable typing. Consider using a Chromebook. Chromebooks are secure options especially for opening attachments: you can safely open them on it.
If you have a Windows laptop, uninstall any antivirus products except for Windows Defender (from Microsoft). Avoid installing spurious, unknown or unnecessary browser extensions. Turn on full-disk encryption on all devices.
Never plug your device into an unknown port. Never plug an unknown device into your computer or mobile device. Carry a “USB data blocker” (either the whole cable or an adapter that plugs into your cable like this) to charge at airport or hotel chargers.
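The "double-check the domain name" advice above names two classic lookalikes, paypa1.com and g00gle.com. The following added example (written for this page, not code from the interview or from any browser or mail filter) turns that manual check into a small classifier a defender could run over links in incoming mail: it extracts the host, collapses common digit-for-letter and two-letter confusables into a "skeleton", compares that against a constructed allowlist of trusted domains, and also catches the trick of placing a trusted name in front of an unrelated registrable domain. The allowlist, the confusable table and the sample URLs are all assumptions for the example, and the registrable-domain rule (last two labels) is a simplification that does not handle country-code suffixes such as co.uk.

```python
from urllib.parse import urlsplit

# Constructed allowlist of domains the user actually has accounts with.
TRUSTED = ("paypal.com", "google.com", "apple.com", "microsoft.com")

# Toy confusable tables (assumption: a real deployment would use Unicode's
# confusables data). Two-character sequences are folded before single ones.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}
SINGLE_CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}


def skeleton(label: str) -> str:
    """Fold visually similar characters so 'paypa1' and 'rnicrosoft' become
    'paypal' and 'microsoft'."""
    s = label.lower()
    for pair, repl in MULTI_CONFUSABLES.items():
        s = s.replace(pair, repl)
    return "".join(SINGLE_CONFUSABLES.get(ch, ch) for ch in s)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one-character typosquats such as 'goggle'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str):
    """Classify a URL as ('trusted' | 'embedded' | 'lookalike' | 'unknown', domain).

    'embedded' means a trusted domain appears inside the host but is not the
    registrable domain (e.g. paypal.com.account-verify.net)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    registrable = ".".join(labels[-2:])  # simplification: two-label rule
    if registrable in TRUSTED:
        return ("trusted", registrable)
    second_level = labels[-2] if len(labels) >= 2 else labels[-1]
    for trusted in TRUSTED:
        if trusted in host:
            return ("embedded", trusted)
        brand = trusted.split(".")[0]
        if skeleton(second_level) == brand or levenshtein(second_level, brand) <= 1:
            return ("lookalike", trusted)
    return ("unknown", registrable)


if __name__ == "__main__":
    # Constructed sample links of the kind found in phishing mail.
    for sample in (
        "https://accounts.google.com/signin",
        "https://www.paypa1.com/login",
        "http://g00gle.com/",
        "http://paypal.com.account-verify.net/",
        "https://rnicrosoft.com/",
        "https://goggle.com/",
        "https://example.org/",
    ):
        print(f"{sample:45} -> {check_url(sample)}")
```

Anything other than "trusted" is a reason to ignore the link and type the real address by hand, which is exactly the habit the answer recommends; the classifier only makes the comparison the eye tends to skip.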
8) What are some people who have influenced you in the cybersecurity world? [Name at least 5].
There are no real household names in computer security, but the person most considered the Godfather of computer security would be Bruce Schneier. He is an American cryptographer, computer security professional, privacy specialist, and writer. He is the author of several books on general security topics, computer security and cryptography, and mainstream media outlets interview him frequently. His blog is a favorite read of mine, and I always value his wisdom.
Another guru in the security space is Moxie Marlinspike. He is an American computer security researcher & cypherpunk. His research has focused primarily on techniques for intercepting communication, as well as methods for strengthening communication infrastructure against interception. He was the guy behind the Signal protocol, which is widely considered to be the most secure free encrypted messaging and voice-calling app. It was also integrated into WhatsApp.
Finally, another network security expert I admire is H D Moore. He was the developer of the Metasploit Framework, which is a penetration testing software suite of immense power and is used by hackers the world over. He has often been called the industry's most famous white hat hacker.
9) What are some TED Talks on digital privacy and cyber security that you would recommend to our readers?
My favorite security talk from TED is “The Security Mirage” by Bruce Schneier. Here he explains why we spend billions addressing news story risks, like the "security theater" now playing at your local airport, while neglecting more probable risks and how we can break this pattern.
I also enjoyed Bryan Seely’s talk on “Wiretapping the Secret Service can be easy and fun.” Here he explains how there are some critical problems with the websites we use most often and, to prove his point, Seely hacked the Secret Service and the FBI and then turned himself in to alert the authorities to the problem. Quite fun.