Since the dawn of the Information Age, savvy hackers have leveraged the day’s most advanced technology to learn way too much information about computer users. The COVID-19 pandemic forced shelter-in-place orders for an unprecedented number of people around the world, requiring them to work from home and rely on unfamiliar videoconferencing programs. The result was a significant increase in opportunities for hackers to gain access to even more critical information, not only from home computer users, but also from the companies for which they work.
Through it all, in addition to addressing the challenges facing them today, Stony Brook University Information Technology (IT) researchers are striving to make tomorrow’s online experience safer and more secure. These efforts become even more critical when you consider the increase in virtual activity that will likely define not only the future academic experience, but also the global future of business.
Michalis Polychronakis, an associate professor in the Department of Computer Science, said that across the global workforce more administrative work is being conducted through cloud services, so that the same user experience can be achieved even if employees are not working from their offices. At the same time, users have to log on to services from new devices and alternate locations more frequently, increasing user risk.
“The more often passwords need to be typed, the more users become susceptible to phishing attacks,” said Polychronakis, who is a member of the University’s Network Security Working Group, which meets monthly to discuss new security defenses and information policies and procedures for the entire campus.
Further, Zoom, the online chat platform that became seemingly pervasive overnight, led to security challenges that have been widely discussed in the media, according to R. Sekar, SUNY Empire Innovation Professor and associate chair of the Department of Computer Science. “While these problems exist, they are manageable,” he said.
In addition to well-documented reports of Zoom “bombings” — uninvited people showing up in private meetings — the company has been criticized for weak encryption capabilities. As such, Polychronakis is currently focusing on network and system security, network monitoring and measurement, and online privacy.
“My research aims to improve the security of computer systems and networks, build robust defenses against malicious software and online threats, reinforce the privacy of our online interactions and enhance our understanding of the Internet ecosystem and its darker sides,” Polychronakis said. “The COVID crisis and the sharp rise in working remotely made these initiatives even more immediate and critical. We’ve seen that many people can do their job working online. Now I think we’ll see more research on how we can provide stronger authentication and how we can constantly monitor remote users.”
Nick Nikiforakis, an associate professor in the Department of Computer Science, and his colleagues focus on interpreting threats that are not yet understood and working toward solutions that they hope one day will become the state of practice.
Nikiforakis is contributing to this cause by conducting research focusing on improving web security and privacy. One area is debloating web applications, which means shrinking the footprint of software. He explained that when a program expands in size and complexity, the number of programming bugs also increases, along with the vulnerabilities that attackers can use to compromise systems and steal user data.
“Software is constantly increasing in size and complexity due to new features that are introduced into a program, and old features are rarely retired,” Nikiforakis said. “Our goal is to debloat web applications in a way that allows all the useful features to remain but gets rid of unnecessary features and the vulnerabilities that come with them.”
He’s also exploring mobile browser security as more users rely on their smartphones and tablets for the majority of their computing needs.
“These devices have web browsers, which are designed differently from traditional desktop browsers in that they must deal with significantly limited screen real estate, as well as limited computing resources,” Nikiforakis said. “In this area of research, my students and I are investigating the security problems that are specific to mobile browsers and designing techniques and countermeasures to defend users against mobile-browser-specific attacks.”
Nikiforakis, Polychronakis and Sekar are part of the National Security Institute (NSI), an organization created at Stony Brook in 2014 that brings together faculty and students working in computer security and privacy. NSI’s goal is to be a multidisciplinary research institute, focusing on educating professionals in defense, national security and cybersecurity, assurance, healthcare and policy.
“In the era of information technology, global connectivity and the Internet of things, the underpinnings of today’s cybersecurity are essential for protecting almost every aspect of human endeavor,” said Fotis Sotiropoulos, Stony Brook’s interim provost and dean, College of Engineering and Applied Sciences. “Our National Security Institute in our Department of Computer Science is at the forefront of addressing these challenges. Our world-class faculty are conducting cutting-edge research aimed at tackling today’s grandest cybersecurity challenges.”
Supporting the NSI initiative, Sekar’s research focuses on organizations that are frequently targeted in sophisticated cyberattack campaigns by powerful adversaries, including large criminal and intelligence organizations.
“Although numerous tools are available in the market for detecting attacks, they rarely provide actionable information for cybersecurity analysts,” Sekar said.
Sekar, who has the distinction of being the first Stony Brook computer science faculty member in cybersecurity, having joined the group 20 years ago, is also researching the sophisticated attacks that are organized as “campaigns.” These attackers have a specific goal in mind, such as stealing credit card or other personal/financial information, and they organize the attacks into a series of steps that may involve jumping from one computer to another until they find the data of interest to them.
This research is supported with funding from the Defense Advanced Research Projects Agency (DARPA), an agency of the U.S. Department of Defense responsible for the development of emerging technologies for use by the military. DARPA also sponsored adversarial engagements in which independent researchers were commissioned to carry out sophisticated attack campaigns on test networks.
As for the future, the way people live and work is sure to change, and along with it, the way organizations approach online security.
“The obvious change that is sure to come from the COVID crisis is that some people may never physically return to their workplace,” Nikiforakis predicted. “From a security perspective, these companies will have to develop tools and protocols to ensure that the devices that are now always at home are secure, and potential infections of these devices — which may have a dual use as a personal computer and as a work computer — will not jeopardize a company’s data.”
Securing the online future is a challenge Nikiforakis and his colleagues are looking forward to.