'White hat hackers' of Johns Hopkins protect data, thwart cybercrime
Last year, nude photos of celebrities were hacked through iCloud. Online robbers also made off with millions of credit card numbers at Home Depot and Target. By year-end, the latest Seth Rogen comedy was fueling an international imbroglio replete with tit-for-tat cyberattacks.
Welcome to Anton Dahbura's world.
Dahbura is the executive director of the Johns Hopkins University Information Security Institute, often known more simply by the acronym JHUISI, pronounced "juicy." Its mission: Exploring ways to protect data and thwart cybercrime while pondering the very notion of what privacy means in our wired world. With nearly every single aspect of our society—from commerce, to entertainment, to health care, to democracy itself via computerized voting—reduced to "0s" and "1s" and placed on increasingly networked computers, the urgency of the task has never been greater.
Cybercrime is so omnipresent today, Dahbura jokes, that some of his instructors don't have to lug books to class, or put together PowerPoint presentations. "They really don't have to prepare their lectures in advance," he says. "They just pick up the paper in the morning and lecture right off the front page."
On this dank December day, as Dahbura sits down with a reporter and the institute's technical director, Professor Avi Rubin, the Sony Pictures hack is still big news. Some 100 terabytes of data were lifted from the film studio's networks, including embarrassing executive emails, and in the face of cyberterrorism threats, its film The Interview was (at least initially) pulled from theatrical release.
"Not getting to see Seth Rogen—that hits America in the gut," Dahbura deadpans about the film's fate.
"But it's really more of a benign wake-up call," he continues. "A lot of Americans don't realize just how far-reaching the implications of cyberterrorism can be. On the other extreme, we have all these computer systems that are controlling nuclear power plants, gas lines and oil rigs, transportation networks, and things like that. For all we know, they could already have been infiltrated."
Part of JHUISI's work involves providing its own "wake-up call" to government and business as its researchers and students probe for weaknesses in existing computer systems in a process sometimes referred to as "white hat hacking." For instance, they hacked Exxon's SpeedPass payment system to score free gas, and unlocked an office door with a 3D-printed key made from a single photograph of someone's keychain. (See "Five Great Hacks" sidebar.)
"If we identify a vulnerability, then we have an ethical obligation to notify the manufacturer or service provider, whoever is the originator of the product or software, and give them a fair chance to respond," Dahbura says.
The institute's principal academic track is the Master of Science in Security Informatics program, where course work includes exploring the next generation of data cryptography. (After all, data stolen off a computer network or cell tower can be useless if it's adequately encrypted.) The still-emerging field of computer forensics is another area of study.
"It's not that different from how you would think of forensics at a murder scene," Rubin says. "It's all just happening on a hard drive or on a computer."
In other words, these "detectives" look for "digital footprints" as clues to who broke into a system, discerning the specific techniques used to gain access and other details that can help point to a perpetrator. Another aspect of the field is retrieving data from damaged computers or storage devices—a laptop from a fire scene, or a hard drive that a fleeing terror suspect threw out a window.
The institute, part of the Whiting School of Engineering, was founded in 2001 by Gerald Masson, now a professor emeritus, who is also the founding chairman of the school's Department of Computer Science. "It's one of the first university research centers dedicated to information security," Dahbura says. "Professor Masson also had the foresight to view it as a holistic endeavor; our work is not just purely technical but also involves the legal, legislative, ethical, and business aspects of information security and privacy."
Because of this broad outlook, the program's students frequently interact with the university's Carey Business School and School of Advanced International Studies, and some classes are even held at the schools of Medicine and Public Health. There are high-level programming and systems design courses, and also those that are more theoretical, such as Moral and Legal Foundations of Privacy.
Of course, in the just over a dozen years since the institute's founding, the field has exploded. More and more personal data are being shared on social media and elsewhere, while we increasingly rely on relatively new cloud-based storage systems whose security may be less than resolute (just ask Jennifer Lawrence or Kate Upton). The world in 2001 was a far less connected place. Today, there are nearly twice as many people on Facebook alone as even had access to the Web when the institute was born. And recall that the lowly "dumb" flip phone was king a decade ago. Among the reasons that hacking stories are part of most every news cycle now is that in the great rush to get everything online or in your pocket (or both), the security implications of all this data piling up and/or flying around were not adequately considered.
"It's a crazy new world, and part of the reason is these things," Dahbura says, holding up his smartphone. "These phones can track us and collect data. There is a camera on each side and a microphone. Virtually every factor involved in modern product design now flies against security. There has been fervor to connect everything to the Internet—garage-door openers to locks to thermostats. There's often so much pressure to get feature-rich products out the door that data security was, at best, an afterthought. And if there is one thing we see, it's that wherever there is a potential vulnerability out there, someone is actively trying to exploit it."
Who are these exploiters, these "black hat hackers"? There is a hierarchy, with a small corps of "superhackers" perched at the top. "These are very bright people, who, sadly, would rather put their energy and ingenuity into the dark side and illegitimate means of making money," Rubin says. At the other extreme is what are dubbed "script kiddies," individuals or groups who likely have little computer savvy but have gotten ahold of some prepackaged malicious software that they ruthlessly employ. Many reside deep in Eastern Europe or other remote overseas locations away from much government oversight or legal recourse. "The Chinese government has tens of thousands of people whose full-time job it is to explore vulnerabilities," Rubin adds.
Probably no computer crime is as prevalent or costly, as far as U.S. consumers are concerned, as the theft of credit card data. (Dahbura admits that he himself had a card number caught up in one of the mammoth retail-chain hacks.) Frustratingly, probably no form of cybercrime is as preventable, either.
"The banks in the U.S. and the credit card organizations can make credit cards much more secure than they are, and they haven't felt like doing it because it fits into their business model to just accept fraud as a cost of doing business," Rubin says. "But it's become such a nuisance to the public that it's a defective product and it has to change."
JHUISI will continue to challenge this status quo mindset, as will its graduates, who increasingly are heading off to more diverse occupations than ever. In the past, most went to work for information technology firms or the government. Now, Dahbura notes, they are also ending up in finance, health care, manufacturing, all sorts of places. "Companies are starting to recognize that no matter what they do, they need to have security expertise in house," he says.
Though they don't think it's happened yet, another place that grads could land is in Hollywood. When the entertainment industry isn't being hacked itself, it often depicts cybercrime and hackers in television shows and film. Rubin says a version of his 3D-printed key project was featured in the ABC crime drama Castle, and a scriptwriter once called him about how to hack a GPS system.
"I wonder how often the bad guys get their ideas from TV shows—Hey, can I do that?" Dahbura ponders.
"I watch a lot of these action shows, and more and more, I'm seeing realistic plot lines or things that I've seen in conferences," says Rubin. "Maybe on my next sabbatical I should go consult on TV and movies. That would be fun."
FIVE GREAT HACKS
Opening Doors With a Printer
Could you unlock a door armed with but a picture of a key and some savvy software? Yes, as it turns out. A recent JHUISI student project involved taking a picture of Professor Avi Rubin's key chain and then using the image to create a duplicate key on a 3-D printer. "A week later, [the student] came in with a plastic key that he had made and he opened my office door," Rubin says. (Better keep the grade book somewhere else.)
Speedpassed Without Paying
The Exxon Mobil Speedpass system uses key fobs containing computer chips that wirelessly communicate with gas pumps and cash registers to quickly authorize payments. What could be quicker and more convenient? A group from JHUISI figured out how to make this experience even more pleasurable for consumers: It cracked the system's encryption codes and could have bought gas and snack foods without, you know, actually paying.
Let There Be No Light
MacBooks were supposed to be hardwired so that a light would come on whenever the built-in webcam was in use. No exceptions. But in a paper titled "iSeeYou," JHUISI researchers explained how they got around this privacy-protecting feature. This is significant when you consider there have been some high-profile cases—one involving Miss Teen USA—where hackers have used the cameras remotely to take clandestine photos. Paranoid yet? Consider a piece of tape over the lens.
Before joining JHUISI, Stephen Checkoway, now an assistant research professor, was part of a team that showed the feasibility of remotely hacking into a car's computers via its satellite communications system or other wireless methods. Everything under computer control (and with today's high-tech cars, that's practically the whole car, from engine to brakes to windshield wipers) could, in fact, be maliciously controlled. Not sure if you can cite this study when police pull you over for an illegal U-turn, though.
Every Vote Counts (Maybe)
Computerized voting machines are increasingly the norm for jurisdictions large and small. While perhaps not a hack in the classic sense (disrupting an actual election just to show it could be done could land someone in serious trouble), Avi Rubin was part of a team that tested the security of one of the most common voting machines in use, and its findings were not so good for fans of democracy. The team concluded that the system's hacker protections were "far below even the most minimal security standards applicable in other contexts."