Episode 24: Cybersecurity Awareness

Lisa Peña (LP): Now more than ever, we are conducting our lives online. Today we're talking to an SwRI cybersecurity expert working to outsmart hackers. He has some simple tips to keep your smartphones and connected devices safe. That's next on this episode Technology Today.

[MUSIC PLAYING]

We live with technology, science, engineering, and the results of innovative research every day. Now let's understand it better. You're listening to the Technology Today podcast presented by Southwest Research Institute.

Hello and welcome to Technology Today, I'm Lisa Peña. Work, school, shopping, and entertainment during the global pandemic, we are turning to the internet more than ever to keep our lives on track. In fact, we're recording this episode through an online platform right now. Today we're talking to a cybersecurity expert about guarding our online presence. Our guest today is SwRI manager and Certified Information Systems Security Professional, Victor Murray. Thank you for joining us, Vic.

Southwest Research Institute

Many of today’s vehicles use object detection systems to help avoid collisions. SwRI engineers developed unique patterns that can trick these systems into seeing something else, seeing the objects in another location or not seeing the objects at all. In this photo, the object detection system sees a person rather than a vehicle. This research will allow engineers to thoroughly test object detection systems and improve the security of the deep-learning algorithms they use.

Victor Murray (VM): Glad to be here. Thank you so much for having me.

LP: So, Vic, let's start with the term cybersecurity. What does cybersecurity mean to you?

VM: Well, cybersecurity is a very broad term, and I think most people think or when they think cybersecurity, they think what they see in the headlines – data exposure, websites down, big name companies having problems due to somebody attacking them. For me, when I think cybersecurity, I tend to work more with embedded systems, and so I think more about connectivity.

In the early 2000s, we had all these systems, all these embedded electronic devices, and they were safe. And internally, they had no mechanisms to provide security because they didn't need them. Somebody couldn't get access to them. They couldn't put their hands on them.

These same systems today are now connected to the internet. There's lots of devices you could plug into these old circuits, and now instantly, boom, they're on the internet. And a lot of these devices are vulnerable to security attacks. And so how do how do we protect those things and while we're balancing the accessibility. Right? They're connecting them to make things easier, but we have to keep them safe at the same time. So security has to be balanced with the devices working.

So all the devices that you use - your cell phones, your routers at your house, your networks at either at work or at home, security systems. A lot of people now have cameras that they put on their houses. The smart doorbells - you're able to access from your phone, see what's outside. All of these things, security has to be front and center. Because if you can access it remotely, the only thing keeping somebody else accessing it remotely is keeping it cyber secure.

Anything that you have that's connected to the internet, you should be thinking about security. Your Alexas, your smart speakers, your smart TVs. I mean, so many, your gaming systems. All of these things, you want to be secure. Make sure they're configured securely.

Your home networks - you've got to use WPA2 on your Wi-Fi. Don't use unsecured Wi-Fi. Anybody can access it then. So anything that's providing connectivity - your vehicles. A lot of vehicles come with remote start. People can start a car by their phone. Those are all things that can be affected by cybersecurity.

LP: WPA2 - can you tell us what that means?
 

SwRI Engineer Victor Murray supports cybersecurity projects across multiple industries including commercial automotive, defense and transportation. Murray is a Certified Information System Security Professional (CISSP®) and has presented at multiple cybersecurity conferences, including Black Hat USA.

VM: Yeah. The WPA stands for Wireless Protected Access, and 2 just means it's the second version. So 2 is the latest, it's more secure. WPA by itself is actually still an option on a lot of the routers, but it's not recommended for good security.

LP: So it's basically just to password protect your Wi-Fi.

VM: Correct, and it also encrypts it and makes it so that it's tougher for people to get access to your Wi-Fi device and to see the network traffic that's going back and forth between your computer and your router.

LP: What are hackers after?

VM: Well, it depends on the hacker. I typically break up hackers into three categories. There's your nighttime hacker, who is really just playing around or doing things for, quote unquote, fun. Sometimes the things that they do, you and I might not think of as fun. But they may be doing things that are devious or gross, or we've seen somebody playing like death metal music on a baby's security camera, which is, I mean, it's just creepy. Like who could do that? It's really weird. But that's one class of hackers.

Then there's the next class, which is a little more dangerous and a little more motivated, and they have something that they're trying to do. So they're either after money or they're involved in politics or they're supporting their country. They're doing something for a cause. And they're a little more dangerous because they tend to be a little better funded. Somebody is doing it for money, and they've had any success, they're able to try to put more effort into those attacks. And people that are doing it for politics or for pride of their country or whatever, there's a lot of other things that fall under this category, tend to be more willing to put in extra time and work.

And the third category of hackers is nation state. So almost every developed country has a group that, quote unquote, hacks. These guys are the best of the best. They're the best funded. They are able to develop very, very intricate hacks. They're able to exploit zero-days.

Some of your not as well-developed countries, like North Korea for example, has a hacking unit. They tend, at least in the headlines that I read, they tend to be more focused on reuse of publicly available tools. So there's things like Metasploit, which you can go out and download for free. And you can set up and configure it to do denial of service attacks or things like that, which is a really common kind of nuisance attack that just makes people annoyed when they're trying to use a website or trying to access their company's servers. So that's how - each of those hackers are after very different things.

LP: So no matter what category they fall into, they're all up to no good is the bottom line. So, do you not want to become, is what it sounds like that is obviously, is that true, first of all?

VM: No. I mean, there are a lot of good hackers. A lot of what I do is hacking, where, and I we are the good guys. So we try to hack devices to show companies, look, here's the vulnerabilities in your systems. You need to go fix these. That's a big part of our business.

A lot of hackers hack things just for, I mean, the group, I mentioned a kind of nefarious hack in the for-fun. There are some people that hack things because they think it's cool and it really doesn't hurt anybody. Modding your vehicle aftermarket, jailbreaking your cell phone. Are those bad things? No. But you're hacking your devices.

So there are people that do it to get access to functionality or features. There's a company that will unlock features on or show you how to unlock features on your Tesla. And is that good? No, because they're stealing the IP from Tesla by enabling that feature, but are they bad? I wouldn't say that's good, but they're not necessarily just trying to hurt people or do awful things. Does that make sense?

LP: So maybe so maybe there's a fourth category of harmless hackers, or like you said, the good guys, right?

VM: Exactly.

LP: See, it's just, it's the term hacker. It comes with some really negative connotations.

VM: It does.

LP: So, sorry to group you in with the rest. We want to say it again. There are some good-guy hackers out there, like you, trying to get past these security threats. So who is most at risk for cybersecurity threats? Anyone who uses the computer? Anyone who's online?

VM: Well, yes, but there are certain groups or people that are at a lot more risk. Companies in general are big targets, the bigger the company, the bigger the target. People that are well-known, celebrities, politicians are regularly targeted.

I mean, people who post a lot of information publicly, especially if you post about your work. So if you have something critical that other people would want access to and you publish a lot of things online, you may become a target from people, interestingly, the more you publish online, the easier it is for somebody to hack you. Because if they know a lot about you, if they know enough to get your attention and bypass your initial, hey, I shouldn't click on this filter, people let their guard down and tend to be much more trusting.

LP: So what is your advice to stay safe online? I think you kind of touched on it with maybe we don't put as much information about ourselves. That would be a great place to start, but kind of walk us through your steps for online safety.

VM: For sure. I mean, if you're publishing online, I'm not saying that's bad, but in general for staying safe, there's a large number of things to do. But use passwords. I mean, if you have a portable device, make sure you're locking your device. If you are logging on to websites, try not to reuse the same password for everything.

There are hacks that expose usernames and passwords for big name websites. And if you use the same password and username on all of your websites and somebody gets in, your username and password gets published, people will go and try them on other, if some website gets hacked, they're going to go to Amazon and try the same username and password. And if you use the same password, they're going to be able to get access to your account.

Now, are a lot of times, depending on the company, there are sometimes secondary catches to, they'll send a text to your phone or something like, that which is a dual verification, two factor authentication that you are you, which can stop some of those attacks, but some of them do not. Let's see, encrypt your your portable device. If you don't want, if you lose your phone, you lose your iPad, or smart tablet, you don't want somebody to be able to get it and access the data that's on there.

Phishing links, be careful what you click on from text messages, from emails. Clicking on a bad link can give somebody else full access to your computer, your smart device, or your networks at work. Phishing emails, phishing texts are one of the easiest ways to hack networks. They're the most common. The weakest link in security tends to be people.

And finally, use big name websites. If you know the name and people in general know the name, the security for those sites are going to be very good. Your Facebook, your Twitter, your Amazon, Google, all of these are going to have very good security. They're just they're used by so many people. They have to put the resources in to keep them secure.

LP: Can you explain a little bit more about encryption? Exactly what it means and how to do it.

VM: Sure. I mean, encryption means that you don't store it as a readable text. So a lot of times, your devices will, if I unplugged your hard drive from your computer and it's not encrypted, I can plug it in to my computer, and I can get all the data off of it. I can read it, I can open your documents, I can open your files. Encryption makes it so that it's all hidden. And without a password, I can't see what's on your disk.

So same scenario, you encrypt your hard drive, and I'm one of the bad hackers. I steal your hard drive, I plug it into my computer. Without your password, I can't see what's on the disk.

So if you have a strong password and you're using a good encryption, most encryption will be AES, Advanced Encryption Standard. And there is 128, 256-bit. Both are very good. And if you have a strong password, I will not be able to break it. As long as you don't use something that's based on a dictionary or that's not one of the top 1,000 passwords, which there are databases online available that you can download those from, you can set up a script, send each of those 1,000 passwords, and it's very easy to do. So as long as you use a strong password, your hard drive's encrypted, I can't access the data.

LP: So if I wanted to encrypt my laptop that I'm using right now, do I need like a specific software to do that, or is there something I download online?

VM: Both options are available. So it depends on your setup. So at Apple, I'm on a MacBook Pro. And for mine, I go click a button and say, Turn On Encryption, and that's it. And my password to get into the system is used to decrypt it whenever I log in. So your computer devices, your smartphones, even if you have an Android, it's very easy to go and turn on security.

So for talking about cell phones, so Apple will actually default to your iPhones will be encrypted. Your Android devices will not. It's the same button click to turn it on, but for some reason, unless they changed it, Android devices default to not being encrypted.

LP: So for some devices, it's already built in. It's just a matter of, as you mentioned, for the Android phone, just turning it on. Or for certain laptops, you just look for that application, or you look for that button, and you can just press that and you're good to go. That's good to know. I didn't realize that that was available.

So let's go through those steps again. You said use different passwords for different sites. Don't fall back to the same password each time. Encryption, be careful what you click on, and use the big name sites that have a lot of recognition because those are going to have better security.

VM: Correct.

LP: Some great tips there.

VM: I'm not saying don't use the smaller websites, because every everybody has their own things that they go and use on. I really just say that so that you can have a lot of comfort, when you're going to the big name websites, security is not an issue.

LP: OK. That's great to know, and those are really simple ways that we can guard our online presence every day. Let's go to social media now, because that seems to be more of a jungle when it comes to security. Any tips for staying safe on social media?

VM: Yeah. The first, which I hope everybody does, make your profile private. I jus, there's very few people, I know celebrities, things like that have, even for them, they should have a separate public profile that they know is public, they know what they're posting is going to be visible to everybody. You do not want your profile public. If it's public, anybody can go out and see what you post.

And the second is just be cautious with what you're posting, especially as it relates to work. If you work on stuff that other people, especially if you work in defense or security-related areas, you can become a target. And if somebody is able to go and access even if you posted something two or three years ago, that's still online. And if somebody can go out and find that and they want to target you, they can use all that information against you.

The phishing email, which is the or the phishing text, which is the most common way for somebody to get hacked, can be very well crafted based on stuff that's online, so protect your data from the general public. I mean, I don't have any issue with sharing stuff with friends online. Just make sure it's just to your group of friends.

LP: I would say that also extends into accepting friend requests and accepting followers on these different social media platforms. What do you, what's your advice on that? I mean, should we only be friending or accepting requests from people that we know?

VM: Oh, absolutely. This is pretty common as well you get a duplicate friend request. I've seen that several times. I don't accept them. I'm sure your grandma or grandpa forgot their password and creates another account, but have them tell you that.

LP: Verified, right? Yeah.

VM: Exactly. Because what people will do is just clone the account. They can see the username, they can see the publicly available picture. And if they know who any of your, and that stuff's available even if your account's private. But if you allow people to see some other stuff, like if they can see your friends, now they can go and friend, they create this fake account and send a friend request to all of your friends, and now they're able to see anything that's on their profiles.

LP: So during this time of frequent online classes, meetings, and conferences, so we're hearing about these uninvited guests gaining access and disturbing these sessions on various platforms. So one name that's popped up for them, Zoom bombers. Any tips to avoid this specific problem?

VM: Yes. So this problem comes up most often for public meetings. If you have, or a conference or something that a large number of people are coming to that, or it doesn't even have to be a large number of people, but somebody is trying to actively promote it and get a lot of people to come in, but there's a couple of simple things you can do. One, especially if you know who's coming, you can create a lobby, and everybody should be doing this.

In that lobby, you can decide whether or not to enter people or to allow people access to the meeting. And if you aren't expecting them to be there, then don't allow them in. Keep people out that aren't supposed to be at the meeting. And that can be true even for public meetings.

Make sure people send an email ahead of time. You at least have the email address and a name. You can go in, check and make sure, are they on the list? Yes, let them in. If not, don't let them in. Make sure that they register and you're able to do, at least at some level, verify who they are.

LP: So I want to turn now to the work that you do at SwRI. You're working on systems to outsmart hackers who may want to interfere with automated vehicles, which is really cool. Not that they want to interfere with them, but the work you're doing. So automated vehicles are not widespread yet. Much of the technology is in development right now, but you are already making them safer. Tell us about your work.

VM: Yeah. We actually are doing a number of things. We're fortunate to work next door to a group that develops automated vehicles. They've put their autonomy packages on a ton of systems. So one of the super cool things about working on cybersecurity at SwRI is we get to team with lots of other groups. And so we'll coordinate with them. We've done a number of projects with the automated vehicle groups.

So currently, we're supporting a customer and helping them secure their entire automated vehicle ecosystem. So this includes making recommendations, providing best practice recommendations for software development. This is providing guidance on how to integrate their embedded systems securely. How to monitor and trust the data coming from your sensors and the data that's being sent to your control actually.

So a number of different things. We're also helping develop tools to help software developers test their code for cybersecurity vulnerabilities. So helping protect those things that really don't have the ability to protect themselves otherwise. They just, they read the traffic in and they trust what's there. But if you have a separate system that's able to characterize, monitor, and flag when something suspicious is happening, it helps make those systems safer.

LP: So there is one particular problem that you've identified, and that's GPS spoofing. It's a real concern. It is a security threat. So for our listeners, tell us what is GPS spoofing and what brought about your focus on this particular area of cybersecurity?

VM: So spoofing in general means you're faking something. So GPS spoofing is where we send a fake GPS signal to a system. So, and if you spoof it well or if it doesn't have mechanisms to flag spoofing, the system can't tell the difference, and it looks like a real, authentic signal.

GPS is one, our group has actually spoofed all of the common sensors used on automated vehicles. One of the reasons that we recommend you don't rely on a single sensor. A single sensor is vulnerable. Where if you take a group of sensors - several sensors, several different types of sensors, the combination of all of those is very difficult, if not impossible, to spoof in coordination. So that's one of the recommendations we have, one of the areas that we're looking to spend some of our time on, and we have customers interested in that.

LP: Where are you right now with that technology? Has it made a real world difference already? Is it still in development?

VM: So I would, our GPS spoofing capability, I break out our capabilities up into a couple different categories, but one of our primary things that we do is penetration testing, where we break systems. So our capability of being able to spoof GPS is an attacking capability. So we're going in and seeing if we can break systems, and then we make recommendations on how to prevent it.

So for example, for TReS (Time Resilient System) for the electric grid, our recommendation there was to use a local clock to check the timing that comes from GPS. So GPS has very, very accurate timing. That's how it calculates your position. It's down in the nanosecond.

But if you have a local clock, it may not be quite as accurate, but it's still pretty accurate. And if somebody spoofs the signal and starts drifting the timing, you can detect that with a local clock. Similarly, for localization on automated vehicles, there is more than one way to estimate your location. And if you track your GPS signal in coordination with your other localization estimates and look for errors. And if you see an error that's larger than you would expect, you should flag it, and your system should be able to adapt accordingly.

LP: Why would somebody want to spoof these signals in the first place?

VM: Well, being the bad guy, to break things. Let me throw out a scenario. Somebody somewhere doesn't like the United States. Hard to imagine, right?

They have a little bit of funding. They have some resources, a little bit of capability. And let's say 10% of the cars, several years in the future, 10% of the cars drive themselves. They're heavily reliant on these sensors, and they put at a dozen of the busiest intersections in America a device that can break or spoof their GPS signal, and they're able to instantly disable or cause wrecks at these dozen places. Can you imagine the mayhem that follows?

That 10% of cars that we're driving, nobody is going to want to drive their cars now, right? Not only that, think of the people that are injured or die in such an event. It can just cause all kinds of chaos. So if you're able to manipulate something remotely and over a decent sized area, it can cause mayhem, which gets the attention of people who want to do us harm.

LP: So what's fascinating about this is we are not largely in automated vehicle yet, but your group has already identified the safety issue and is already doing something about it. So that when we do get out in the roads, on the roads years from now in our automated vehicles, this will have been thought about and worked through and it'll just be safer. So that's really awesome.

I also wanted to mention to our listeners that you can learn more about SwRI's automated driving capabilities by listening to Episode 5, The Automated Driver, and that came out in March, 2019. So if you want to learn more about SwRI's automated driving capabilities, that's the episode to listen to.

So moving on to Black Hat, Black Hat is a high profile series of information security events held around the world. Thousands of people attend, and you were a Black Hat presenter in 2019. Can you tell us about this event? What happens at Black Hat?

VM: Yeah. Black Hat is one of the largest cybersecurity conferences on the planet. It's held in tandem with DEF CON every year in Las Vegas, at least the North American Conference is. Very large. Was not this year. They held it held it virtually.

And they have some amazing, amazing talks. Some of the best cybersecurity presentations that are out there have been presented at Black Hat. Very proud to have been able to present there. I'm very grateful to Black Hat for letting me present.

And the coolest thing about presenting at Black Hat - I'm an engineer. I've been an engineer since 2004, so 16 years as an engineer. There's - a little bit nerdy and a little bit dorky, and so the first time I have gone somewhere, presented, and felt like an absolute rock star. So when I presented at Black Hat, there was 200 to 300 people there, so a decent sized audience.

But after the presentation, which went great, it was an amazing experience for me. The guy comes up afterwards, and he's like, oh, you killed it. Great job. And then I'm swarmed. There's a group of 15 people, I have friends in the audience that can't reach me because there's so many people around me.

Question this, question that, question. And it was just an absolutely amazing experience. So I am so grateful to have been able to experience that.

LP: You are in high demand, that's for sure. So let's talk about the challenges of cybersecurity. What do you identify as the biggest challenges of cybersecurity?

VM: Well, I think the biggest challenge of cybersecurity is balancing it with usability or the ability for devices to work. So we get to work with a lot of different people at SwRI that work in a lot of different areas, cause cybersecurity is needed across almost everything that we do. But it really runs counter to what the designing engineers or the designing developers are shooting for.

In the example of automated vehicles, which we've talked about, cybersecurity slows down the processing. It's an extra load on top of what the system is already doing. It fights the technology advances for automated vehicles. And so it's a real challenge. There has to be balance.

I joke all the time that I can make a really secure rock. Nobody can hack it. But what does that do? It's of no use to anybody. The devices that people want to use, the devices that people need have the ability to do things. And so the challenge is supporting the doing of those things, while keeping it safe.

LP: And from biggest challenges to your biggest breakthrough in this line of work, can you tell us about that?

VM: I can. The coolest thing that I've seen, so we will get a number of devices or things like that, and we'll hack them. And sometimes we'll get those devices, and then we'll get them again a year later. And then we'll get them again a year later.

And every once in a while, they fix what we told them to fix, and then we break something else. A year later, they fix it. So the coolest thing is being able to impact change on the devices. And these are very popular devices that you and I use all the time. And so we're able to point out security vulnerabilities and get them fixed. Super, super cool.

LP: We say this podcast is a way to listen and learn. To close today, what do you hope our audience learns today? What should be the biggest takeaway about cybersecurity?

VM: Oh, I mean, the biggest takeaway to me is use caution, but don't wrap your life around this stuff. I mean, I mentioned the balance between usability and cybersecurity. I don't want people to take my scary stories as reasons to not use your smart devices. Just be smart.

If you're going online, if you're using smart devices, follow good guidelines. Use your encrypted devices, use your passwords. Don't click on, the most common way for people to get hacked is clicking on bad links. So be very careful what you click on.

LP: All right. The advice doesn't get any better than that, from our SwRI cybersecurity expert. A lot of useful information. Thank you so much for joining us today and sharing your expertise with us, Vic.

VM: Oh, thank you so much for having me. Really enjoyed it. Thank you.

[MUSIC PLAYING]

And that wraps up this episode of Technology Today. Subscribe to the Technology Today Podcast to hear in-depth conversations with people like Victor changing our world and beyond through science, engineering, research, and technology.

Connect with Southwest Research Institute on Facebook, Instagram, Twitter, LinkedIn, and YouTube. Check out the Technology Today Magazine at technologytoday.swri.org. And now is a great time to become an SwRI problem solver. Visit our career page at swri.jobs.

Ian McKinney and Bryan Ortiz are the podcast audio engineers and editors. I am producer and host, Lisa Peña.

Thanks for listening.

[MUSIC PLAYING]