Outhacking the hackers
|Stefan Savage, a computer science professor and winner of a MacArthur "genius" award, discusses cybersecurity in this Q&A.
Photo: Alex Matthews/Calit2
San Diego, Calif., Jan. 12, 2018 -- This fall, UC San Diego computer science professor Stefan Savage began receiving calls from an unknown number in Chicago. As a cybersecurity expert who often targets hackers, Savage was wary. But he soon learned that is was the MacArthur Foundation, award him the fellowship commonly known as a “genius” award.
Here he gives his insights on the future of cybersecurity and advice on how we can keep ourselves safe in cyberspace.
Let’s get right to what people want to know: What’s the best way to protect our personal data?
There are a few things I recommend everyone consider. First, make sure you do regular backups of your computer. This is really the best defense against ransomware. Second, since the most common vector for account hijacking is via password reuse, it is best to have distinct passwords for each site (and no, having one password with the site name appended doesn’t count). The easiest way to do this is to get a third-party password manager program to do it for you, and then just have one complex password for the password manager. Third, for important sites like your principal email site and for banking and major e-commerce sites, enable two-factor authentication if they have it. This means that even if your password is stolen, thieves won’t be able to log in to your site. Finally, be suspicious of any message or email you receive that sounds too good or too bad—scammers like to send messages that heighten our emotions so we don’t think rationally.
What about massive data breaches like Equifax? What can we do about those?
Sadly, I think the herd has already left this particular barn … it has been easy for scammers to get your Social Security number data for quite some time. There are limits to what you can do here, but I encourage people to avail themselves of their annual free credit report and check it for errors. Second, you can freeze your credit at all three credit agencies, which will make it difficult for someone to open a new line of credit in your name (note that you’ll need to unfreeze your report when you want to get a new credit card or mortgage, so plan accordingly).
What got you interested in the field of cybersecurity in the first place?
It was a bit of an accident. I had been doing network measurement work, and I needed help from people around the internet to measure traffic both from my computer to them and back from them to my computer. That doesn’t scale well, so I found myself wondering if the underlying network protocols could be manipulated to convince the other side to do the measurement for me (i.e., without needing a friend). That this was possible opened my eyes to how much of the existing internet depends on everyone following norms of what is “supposed to” happen, without many checks to make sure that everyone is playing by the rules. Once I got to UC San Diego, we discovered a bunch of unsolicited network traffic arriving here on campus and found that it was caused by side effects of denial-of-service attacks all over the internet—we had accidentally stumbled on a way to measure global denial-of-service attacks. Looking at everything through the perspective of a potential adversary highlights a range of issues that don’t appear when you’re just focused on building systems to solve some problem.
What is different about the way you, your colleagues and students approach cybersecurity problems?
One area that I think we’ve helped develop is trying to place the technical components of cybersecurity within a broader economic and policy framework. Yes, it’s bad that an attacker can gain access to a website by manipulating some particular bits in a network packet. But more interesting is why they are doing it, how hard is it for them, how do they make money, how efficient is their business? These are the questions that let you determine what kind of defense or intervention is going to be effective in stopping them.
|This diagram describes all the steps involved in monetizing a particular spam message Savage and colleagues received.|
What do you see as some of the biggest security threats facing consumers in the next five years?
I think the biggest challenge we face is that with the deconstruction of media platforms, we have lost the editorial controls that implicitly served as gatekeepers on abuse. The cost structures of current communications platforms (social media, advertising, streaming video, etc.) allow our adversaries to manipulate what we know about the world and do so in a way that is very hard to identify, let alone defend against.
After this, I think there are obvious concerns about the systemic risks posed by introducing computing and communications into virtually every aspect of our daily lives.Individually, each represents a new and wanted capability. However, taken together, it centralizes risk in way that can be quite scary. In 2010, my colleagues and I had the ability to disable the brakes on several million cars in the U.S. due to such a risk. Today, we are being pervasively monitored and hand over our health and safety to systems that are designed to operate correctly, but if compromised, could cause significant harm.
Even though you’ve shown cars can be hacked into, you’ve said that this isn’t something that most people should worry about. Can you explain why?
There are two different issues here: capability and intent. When we did our initial work in 2010, it took us over a year with over $1M in funding. The cost, time and technical sophistication required put it outside the realm of most attackers. That said, the barrier to entry has gone down since then (thankfully, at least some brands have significantly improved car security as well). But more people have since learned how to do these kinds of attacks.
The second issue is intent. While there are actors who use cyber means to break into cars for the purpose of theft, I’m unaware yet of any cyberattack on the safety of an automobile outside the research community. Thankfully, there are not that many people who have the intent to actually hurt other human beings and, when they do, there are still far cheaper and easier means to do so. Having said that, I am happy to see more companies in the automotive industry invest in improving security.
What are some of the projects that you plan to tackle in the future?
We’re looking at a range of issues including empirical measures of cyber risk (i.e., what kinds of defenses or behaviors actually lower the chances that our machines will be compromised and by how much), exploring how various human factors play a role in people using (and using correctly) appropriate security measures. We also are doing some work on aviation security and ongoing efforts looking at the intersection of computer security and law enforcement that we think will yield some exciting results.
Looking forward, how much do you think cybersecurity will become a part of everyone’s life in the next five-10 years?
I think cybersecurity risks are going to stay with us for the foreseeable future. This in and of itself isn’t so problematic—there are lots of risks in life that we have learned to plan around and manage. However, we are not well suited to tolerating risks that are unknown or changing quickly, and that is precisely the challenge that cybersecurity is presenting us. Over the next decade, we will need to find a way to feel comfortable that cybersecurity is a manageable risk as opposed to a problem of unknown scope and impact.