Maintaining the edge on hackers requires regularly shifting to new ideas and innovative cybersecurity techniques. Misled or deceived end-users have long been the easiest hack to make to get data flowing down the wrong path, as the growing stream of ever-evolving deceptive emails (i.e. “phishing”) asking users to click on unknown links or fill out unexpected online forms sent from senior management demonstrates. These techniques, known broadly in cybersecurity as “social engineering,” exploit human errors to attack individual users and integrated systems.
UW-Platteville Richland student Justin Yeung has designed research to test the effectiveness of different social engineering techniques hackers are using to offset the growing awareness of phishing techniques among end-users. He will present his research plans and early findings to legislators, state leaders and peers from across the UW System at the 19th annual Research in the Rotunda, held on Wednesday, March 8 in the state Capitol.
Successful phishing depends on users clicking on links uncritically, thereby inserting malicious code into other systems and processes a user has access to. But, as users grow more sophisticated, so must hackers. Yeung thought of another end-user access point that could be exploited – the “terms and conditions” dialogue box that most users rarely ever read.
“That window is a place it’s easy to fool people,” said Yeung, whose research created simulations to see if users paid more or less attention to various kinds of pop-up windows or other deceptive techniques incorporated into “accepting” a software installation or update.
Yeung is also examining other ways computers are deceived into opening communications with each other, most commonly through a “replay attack,” where a hacker intercepts a legitimate packet of authorizing code and then either re-transmits or re-creates it at another time, granting valid but unauthorized communications between systems.
Understanding more about what techniques are more effective at fooling users and ultimately other computers can help develop countermeasures, according to Yeung’s advisor on the research, Dr. Bassam Zahran, assistant professor in the UW-Platteville Department of Computer Science and Software Engineering. Zahran sees real promise and practical implications for Yeung’s research.
“As information technology and operational technology, like industrial control systems, are converging, previously isolated systems are more vulnerable to these kinds of social engineering attacks,” said Zahran.