Apostolis Zarras is a cybersecurity expert at Maastricht University's Department of Data Science and Knowledge Engineering (DKE). A conversation about his research, humans as the weak link and - quite appropriately - malware attacks.
Author: Florian Raith
In the aftermath of last year's historic cyberattack on Christmas Eve, UM hosted a symposium to publicly share the lessons learned. Before an audience of colleagues, journalists and representatives from government and industry, Vice President of the Board of Trustees Nick Bos addressed the specifics of the hack and subsequent events in his opening remarks. Among other things, Bos said that relatively new threats such as cybercrime, which is, after all, a multi-billion dollar industry, are not adequately taken into account in public funding and university budgets.
Bos explained that UM is doing reasonably well, repelling about a thousand cyberattacks every day, but also admitted that there is room for improvement in terms of awareness. "I'm sure we could have done better," agrees cybersecurity expert Apostolis Zarras of the DKE. "We might not have been able to prevent the attack, but we might have been able to limit the potential damage."
UM and other universities must strike a balance between security and convenience when it comes to collaboration and mobility, remembering that security is essentially at odds with openness. "Of course, you can never guarantee 100 percent security. After all, that would mean an offline system, with its own electricity supply, in a concrete shell, under the seabed..."
"If you don't update your systems for long enough, they become increasingly vulnerable to attacks," Zarras says. But the biggest risk of all is the user. "It doesn't matter how secure a system is, because at some point a human has to do something with it." And that's where things often go wrong: mindlessly clicking on something, using the same password for different systems, and so on.
"Education is very important. At a minimum, people should know the cybersecurity basics: don't open emails, URLs or attachments in messages you weren't expecting or that seem questionable. Always update all your devices, including your phone and tablet, make offline backups, and so on." Zarras also recommends using a password manager rather than reusing the same password, or variations of it, across different accounts and systems.
"Ransomware is a type of malicious software that attempts to invade a system. There it encrypts data and then demands a ransom (hence ransomware) to make the data available again. Often - especially in large attacks - the ransomware tries to leave no trace, allowing it to do its work and spread to other systems undetected, only making itself known at the last minute. Sometimes it also hitchhikes with other malicious software, such as a keylogger, which collects passwords from administrators and tries to invade other systems if the passwords are the same, or similar."
Another common threat is phishing. "That's, for example, a website that looks like your bank's login page asking for your password. That's why banks now use the double authentication system: when you log in, you get a text message with a second code, or something similar."
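As an added illustration of the lookalike-login-page pattern just described (example code written for this page, not Zarras's email-classification software), the following Python script triages a raw email for the usual tell-tale signs: a sender domain that imitates the bank's, a display name claiming the bank while the address does not, a link whose visible text shows one domain while its href goes to another, and urgency wording. The bank domain examplebank.com, the homoglyph table and both sample messages are assumptions constructed for the demo.

```python
"""Heuristic phishing-email triage (illustrative; not a production filter)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical domain of "your bank"; a real filter would load such an allow-list from config.
TRUSTED_DOMAINS = {"examplebank.com"}

# Common character substitutions used to build typo/homoglyph domains (assumed, partial table).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

URGENCY = re.compile(r"\b(urgent|suspended|verify (your )?account|within 24 hours)\b", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1: the last two labels (adequate for the .com/.net hosts in this demo)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalise(label):
    """Undo the homoglyph substitutions so examp1ebank.com compares equal to examplebank.com."""
    for bad, good in HOMOGLYPHS.items():
        label = label.replace(bad, good)
    return label


def lookalike_of(host, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `host` imitates, or None if it is genuine or unrelated."""
    host = host.lower()
    reg = registrable_domain(host)
    for t in trusted:
        if reg == t:
            return None                      # the genuine domain or one of its subdomains
        if normalise(reg) == normalise(t):   # typo/homoglyph variant, e.g. examp1ebank.com
            return t
        if t.split(".")[0] in host:          # brand buried in a foreign domain, e.g. examplebank.com.secure-login.net
            return t
    return None


def analyze_email(raw):
    """Return a list of human-readable findings for one raw RFC 822 message (empty = nothing suspicious)."""
    msg = message_from_string(raw)
    findings = []

    display_name, sender = parseaddr(msg.get("From", ""))
    sender_host = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    spoofed = lookalike_of(sender_host)
    if spoofed:
        findings.append(f"sender domain {sender_host!r} imitates {spoofed!r}")
    for t in TRUSTED_DOMAINS:
        if t.split(".")[0] in display_name.lower() and registrable_domain(sender_host) != t:
            findings.append(f"display name {display_name!r} claims {t!r} but sender is {sender_host!r}")

    # Concatenate every text part (walk() yields the message itself when it is not multipart).
    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")

    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        spoofed = lookalike_of(href_host)
        if spoofed:
            findings.append(f"link {href!r} imitates {spoofed!r}")
        # Visible text names one domain while the href goes somewhere else.
        text_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if "." in text_host and registrable_domain(text_host) != registrable_domain(href_host):
            findings.append(f"link text {text!r} but href goes to {href_host!r}")

    if URGENCY.search(body):
        findings.append("urgency language")
    return findings


# Constructed sample messages for the demo (not real traffic).
SAMPLE_PHISH = """\
From: "ExampleBank Security" <alerts@examp1ebank.com>
To: victim@example.org
Subject: Your account has been suspended
Content-Type: text/html; charset=utf-8

<html><body>
<p>Urgent: verify your account within 24 hours.</p>
<p><a href="http://examplebank.com.secure-login.net/verify">https://examplebank.com/login</a></p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "ExampleBank" <noreply@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Your statement is available at
<a href="https://online.examplebank.com/statements">online.examplebank.com</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, "->", analyze_email(raw) or "no findings")
```

Run as-is, the phishing sample produces five findings and the legitimate statement notice none. The checks are deliberately simple string heuristics; a deployable filter would add header authentication results (SPF/DKIM/DMARC), a proper public-suffix list instead of the two-label guess in `registrable_domain`, and Unicode/punycode handling for internationalised domain names.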
In his research, Zarras takes a much broader look at cybersecurity. "Then you have to think about children letting everyone know where they are, or cyberbullying, or fake news disrupting the democratic process. One way or another, it affects us all." The answer, again, is education: "Children should be taught about online safety from the age of five or six."
His research has also yielded something very practical: Zarras has developed software that identifies malicious emails. In doing so, he hopes to detect malware and stop its spread. Before the General Data Protection Regulation (GDPR) went into effect in the EU, he had already researched how to make data self-destruct, to ensure that companies cannot keep our data longer than necessary or agreed upon.
He was also involved in a similar European project that revolved around protecting medical data. Zarras and one of his PhD students also deal with phishing emails that attempt to persuade victims to hand over their bank details, in exchange for, say, a portion of an inheritance. The Nigerian Prince is a classic in that genre.
Zarras designed a chatbot that communicates with the criminals behind the emails - and not just for fun. "You can send these phishing emails to millions of people, but you can't easily scale the interaction with your potential victims. During the time the criminals are 'talking' to our bots, they don't have time to convince other people to share their data with them."
Who are these online crooks anyway? A quick scan of stock photos with the "cybercrime" theme yields a bunch of young Russians in hoodies, sitting in a basement hacking on a laptop with a black screen and green ones and zeros. But Zarras says it's all a lot more complicated: "The location of the server or where the bank account number is registered doesn't say much about the nationality of the perpetrators."
You don't have to be a programming genius to become a cybercriminal, but the level of expertise behind some attacks is astounding, especially in state-sponsored cyberattacks. Zarras does not point an accusing finger at Iran, North Korea or China, but instead points to the Stuxnet computer worm that targeted industrial control systems at Iranian nuclear facilities.
Another recent example is that of the CIA and the BND, a German secret service, who secretly owned the Swiss encryption company Crypto AG, which they bought through a law firm in Liechtenstein. For fifty years, the two secret services manipulated encryption equipment, spying on 120 countries that bought Crypto AG's hardware for their embassies, offices and government agencies.
But, Zarras says, regular users should probably be more concerned about their own casual attitude regarding cybersecurity - from posting data on social media to giving up privacy by accepting cookies from websites.