Steve W. McLaughlin
Audio & Captions
[instrumental Ramblin’ Wreck from Georgia Tech fight song]
Steve McLaughlin: You’re listening to “The Uncommon Engineer.” I’m your host, Steve McLaughlin, dean of the college.
Announcer: We’re just absolutely pleased as punch to have you with us. Please say a few words?
Steve McLaughlin: Welcome to “The Uncommon Engineer” podcast. I’m Steve McLaughlin, Dean of the Georgia Tech College of Engineering. Our podcast is all about how Georgia Tech engineers make a difference in our world and in our daily lives. In this episode we’re going to be talking about cybersecurity. Today, cybercrime is everywhere, and no one is immune. Last year’s Equifax breach left millions of people exposed to identity theft. Facebook is selling our data for political gain. And the city of Atlanta just had a ransomware attack demanding payment. Cybercrime is rampant.
Our guest today is Professor Brendan Saltaformaggio, professor in the School of Electrical and Computer Engineering here at Georgia Tech. He’s at the top of his field of data security and cyber forensics, and he’s literally developing programs to fight both cybercrime and real human crime. Welcome to the program, Brendan.
Brendan Saltaformaggio: Hi Steve. Thanks for having me.
Steve McLaughlin: You hear so much today about privacy, about cybercrime. In fact, I know it’s one of the areas you worked in—when someone has an iPhone that someone else wants to get in to see what happened, maybe during a crime, all of those things are out there today. Can you give us a summary of the kind of things that you’re interested in and that you’re working on here at Georgia Tech?
Brendan Saltaformaggio: Well you hit the nail on the head. Digital devices like iPhones or Android devices, people’s computers—these are all being employed in crimes that are being investigated every day by the FBI or local law enforcement. And extracting evidence from these devices is a very challenging task, and it takes experts many weeks or months to be able to recover all of that evidence. And so the research that’s near and dear to my heart is coming up with better techniques, better tools to allow our law enforcement to better investigate crimes, get those results out as quickly as they can so that they can investigate what happened.
Steve McLaughlin: When someone commits a crime, say, with a phone, can’t they just turn off the phone or even, you know, erase their phone and everything’s gone away? Isn’t that a pretty simple way for a criminal to avoid being detected or being tracked?
Brendan Saltaformaggio: That’s a very common misconception; data tends to stay around far longer than you would expect. Even after deleting files or turning off your phone, investigators can still recover an incredible amount of information about what the suspects were doing on the device. But don’t worry, these investigation techniques always come after a warrant has been served, so you can usually trust your own privacy just as long as you don’t commit a crime.
Steve McLaughlin: So you talked about being able to reconstruct, say, on a phone, you know, the activities of a criminal even when they’ve turned off their phone and erased their phone. Can you talk a little bit more about the specifics of what’s going on in your research group, the kind of work that your students are doing and, more importantly, what’s the cutting edge in that field?
Brendan Saltaformaggio: In my lab right now we’re working on a number of these sort of state-of-the-art forensics techniques. One I can give you a pretty cool example of: It turns out, as you’re using your phone, say, an Android device, every time you are pressing a button or changing the screen in the background, Android is kind of scribbling down little notes about what you’ve been doing, so that the next time you do it, it can do it even faster, it can do it even better for you, the screens will load more quickly because everyone likes an Android phone that runs faster, right? This is a good thing in the system. But as an investigator, if I can get access to those little notes that Android has been jotting down, I can use that to reconstruct some sequence of activities that you’ve done on your device. And so my students right now—some of my best Ph.D. students—are coming up with techniques to recover those little notes and be able to translate them out of Android’s own little language into a way that investigators can actually use them as tangible evidence in a case.
Steve McLaughlin: So you’re saying, for example, if the criminal was working on a particular app on the phone and saw the police coming and deleted the app thinking that whatever activity they were doing, you’re saying the little notes that Android is keeping will give an indication of what they’re doing even if they’ve deleted the app?
Brendan Saltaformaggio: Let me give you a case study that we did in my lab—we simulated all this, of course; this is not a real crime being committed. But let’s say you had a self-driving car and you turned on the self-driving feature, and then you opened up Netflix on your phone and started watching a movie—
[dialog from Plan 9 from Outer Space begins]
Paula Trent: Now toddle off and fly your flying machine, Darling. But if you see any more flying saucers, will you tell them to pick another house to buzz? Be careful. Don’t worry about me!
Jeff Trent: Oh, you’re the only thing I do worry about.
[dialog from Plan 9 from Outer Space ends]
Brendan Saltaformaggio: This is illegal in every state, of course. But, you then get into an accident. The police can, once they receive a warrant, get those little notes that Android has been jotting down. Even if you were smart enough to uninstall Netflix before the police came to your window, they’d still be able to find that you had done these activities.
Steve McLaughlin: Maybe you could say a little bit more about the so-called malware where I believe someone would, unknown to you, install software on your device. Can you say a little bit more about what that is, the kind of work that might be going on in your group, and kind of what the cutting edge of understanding that malware is?
Brendan Saltaformaggio: So malware is a piece of computer code that’s written specifically by an attacker with some kind of malicious intent; they’re really looking to do harm to you or to your systems in a way that you definitely don’t want them to be able to do. In my lab, we’re looking at kind of tearing these malware samples down and figuring out, at the lowest levels, what are they trying to do? What’s the goal of this large scale cyberattack? So some techniques that we’ve been looking at are how do you take a malware sample—just this piece of computer code—and actually analyze it in a way that human investigators can get ahead of the attack. They can get some idea of why the attacker wanted to infect their systems. What was the motive of this attack? What was the end goal of this attack? And this is strangely a very related and orthogonal problem to the cyber forensics work that we talked about before in that now you’re basically interrogating a piece of computer code instead of interrogating a human suspect.
Steve McLaughlin: And I understand that you’ve developed some tools to help companies like Apple find and maybe even analyze malware. Can you say something about that?
Brendan Saltaformaggio: So something that my group’s been looking at for a while is being able to remove malware that has infected legitimate applications. So a company like Apple or Google—they host these big app stores where you go and you download the apps, and regular consumers need to be able to trust that, when they download these apps, they are safe and they’re doing exactly what they say they’re doing. If I’m an attacker, I want to undermine that trust and try to get my malicious code into these apps that you think are safe. And so my group is working on ways of pulling apart these apps and basically distilling out the safe pieces and removing the malicious pieces if they’ve been able to work their way in. And this can help big companies like Apple and Google because they would want to deploy these sorts of techniques at the app store level so that even before an application gets down to users, they can vet it and they can make sure that it’s safe.
Steve McLaughlin: Can you say a little bit more about privacy and the work that might be going on in your group in that area?
Brendan Saltaformaggio: Personal data is really becoming the new digital currency. Companies which can collect the most data on their users and explain their users’ behavior and understand their users best, this is really going to be the competitive advantage of the future. And so a lot of the work going on in my group is trying to protect that personal data that people are either sharing or unknowingly sharing with companies.
Steve McLaughlin: I say privacy might be dead, well, mostly because you hear about Facebook and you hear about all of these ways of people finding out your private information. What kind of advice would you give to people to better protect their privacy?
Brendan Saltaformaggio: Yeah, you hit the nail on the head, Steve. We’ve all gotten so used to giving over our data en masse to companies like Facebook and Google—we post pictures of our kids and what we had for breakfast. This data is being collected by these companies and used, basically, to build profiles of everyone—a lot of times just for good so that they can better suggest where you should go eat dinner tonight based on, maybe, what you had for breakfast, but also sometimes for reasons that you wouldn’t expect just in the beginning as a normal Facebook user; you would see cases where big companies are selling this data to analytics branches to try to predict who you may vote for or other uses that you wouldn’t have condoned ahead of time. You’re right in saying that privacy may be on its last leg because we are giving up so much information. If you are cautious about this, you just have to be very thoughtful about what you share and how you share it.
Steve McLaughlin: One of the things that happened in Atlanta just a couple weeks ago was a ransomware attack. Can you highlight what ransomware attacks are and maybe what kind of work is going on in your lab around preventing or identifying it?
Brendan Saltaformaggio: Sure. Ransomware is a very hot, new trend, you could say, in cyberattacks. So just like I mentioned that personal data is the new currency for companies which may be interested in knowing more about their users, users are also willing to pay large sums of money in some cases in order to protect their data from attackers, and that’s exactly what ransomware gets at. This is a piece of malware that, when it infects your computer, it goes through and steals and encrypts all of the personal data that it can find on your system, and then, literally, asks you for a ransom in order to get your own data back. And this can be a problem infecting just a normal person’s computer, but we’ve seen these attacks targeting cities like the City of Atlanta or hospitals or entire corporations. And when you’ve got that kind of critical data under the control of an attacker, your hands are really tied as to what you can do.
So my lab has been aggressively looking into techniques to thwart these sorts of attacks before they can really take place, looking at ways to detect, ahead of time, large amounts of data being stolen or being looked at, being sized up, perhaps, for a future ransomware attack. And by going off of those triggers, we can inoculate the systems against these sorts of attacks ahead of time. And this can really give an advantage to a large computer network like, say, the City of Atlanta who definitely does not want to have their data ransomed ever again.
Steve McLaughlin: The ransomware attacks that you’re talking about are really, really scary. Back to, and you described previously, the work on malware where you have tools to go in and identify parts of software that are, you know, not doing the right thing. Is the ransomware really dissimilar to that in terms of just identifying portions of code that are doing things that lead towards ransom? Is that really what happens in this or does it require a more specialized skill?
Brendan Saltaformaggio: That’s a really great question. Let me tell you about a cool project that’s going on in my lab right now: So let’s say you have this piece of malware that you are not sure exactly what it does, but you want to learn ahead of time what it does so you can detect when it’s infecting a system. I have some Ph.D. students and master’s students collaborating right now to build an environment where you can run that malware and actually watch it execute in a controlled environment. And then, based on the traces of that execution, apply machine learning and artificial intelligence techniques to automatically build a model of that malware’s behavior so that in the future, if you see those same models popping up on a network, you can get out ahead of that attack and start stopping the spread of that malware before it becomes a big problem.
Steve McLaughlin: All of that work sounds incredibly interesting. What are the kinds of agencies or companies that you’re working with that have interest in this?
Brendan Saltaformaggio: So we work very closely with a number of antivirus companies. In particular, we have connections to Symantec and the research labs that are out there as well as the endpoint protection division over at Microsoft. And these are really large corporations who specialize in detecting and preventing these sorts of cyberattacks, and they look to new techniques like the ones coming out of my group to just keep pushing forward that state-of-the-art in virus detection.
Steve McLaughlin: You know, I have to say whether we’re talking about malware, whether we’re talking about privacy, all that is really, really scary stuff. For my generation we’re really used to the kind of privacy. You know my son, because he grew up in the Facebook generation, is less concerned about privacy, so I get that. Looking into your crystal ball, what do you see 5 or 10 or 20 years down the road? What does the world really look like in terms of the tools to combat cybercrime as well as protecting individuals’ privacy? Where do you see we’re headed?
Brendan Saltaformaggio: So that sounds like a two-part question and I’m going to give you a two-part answer. First, in the future for privacy, I do see companies getting much better about giving control back to consumers, and allowing you to choose what personal information they store on you. This is a good thing for everybody because everyone’s going to want to continue to share this information with the companies and continue to use their applications and their tools. This is really improving the world in many different ways, but we are going to have to address this double-edged sword of what data do we allow the companies to store on us and how can we get control back.
On the flip side, the current state of cyber-attack prevention is a bit bleak. We’re in a very reactive state right now where an attack will happen, and then investigators will get called, and then we’ll have to figure out what happened after the glass is already on the floor. This doesn’t make much sense. And in the future, research like mine, I hope, will give us the ability to detect and prevent these attacks before they become widespread and really take down entire networks.
Steve McLaughlin: Well, the future in terms of privacy and cybercrime, you paint a hopeful picture. If you had just two or three things to give to a high school student or to a college student or to any one of our listeners, what would you suggest in terms of both protecting privacy and avoiding cybercrime?
Brendan Saltaformaggio: One of the best things you can do to protect yourself in the cyber world is just be cognizant of the data that you are sharing. You never want to reuse passwords or give them out. Any link that you click, be sure you know what website is on the other side of that link. And, really, this does hint at a larger shift in the way that we think about interacting with computers. One of the best things you can practice is just being responsible with the data that you share. So a good example of this is Microsoft will never call you and ask you for your password. Sharing this type of very sensitive data should never be done.
Steve McLaughlin: Can you say a little bit about how you chose engineering and how you became an electrical engineer, computer scientist? Can you share a little bit about your own personal path?
Brendan Saltaformaggio: It actually did begin in elementary school. I remember my family had one of those old-school modems that you would hear from a block away dialing up when you were connecting to the internet. And I was just full of curiosity of what these sounds were and why was it making them. And I guess it was from that age that I became an engineer because I quickly tore that thing apart in order to figure that out. From there I learned how to code, and that gave me the ability to really create these new software applications that were in my head but just didn’t exist before. It wasn’t until undergraduate that I developed an interest in cybersecurity when I realized that the code we were writing contained so many vulnerabilities that we just weren’t aware of. Most programming courses focus on the fundamentals and how to build systems, and only spend a little bit of time on actually coding securely. And from there I developed my interest in how we can protect these systems from cyberattacks.
Steve McLaughlin: And, finally, I know our listeners would love to know—What makes you an Uncommon Engineer?
Brendan Saltaformaggio: [laughing] Well I’m not sure how “uncommon” it is, but I was born and raised in New Orleans, and so I can’t go a year without getting back there for Mardi Gras!
[field recording of a tour guide directing a crowd of people begins]
Male Speaker: Have a good time now! Welcome to paradise! Best golf course in the world! Watch the alligators!
[field recording ends]
Steve McLaughlin: Well thanks so much to Professor Brendan Saltaformaggio for your time here today talking about cybercrime, cybersecurity.
Brendan Saltaformaggio: Thanks for having me.
Steve McLaughlin: Be sure to tune in next month where we’ll talk to Professor Pat Mokhtarian about sustainable transportation and travel behavior.
[instrumental Ramblin’ Wreck from Georgia Tech fight song]
[analog radio tuner scanning stations]
[big band swing rendition of Ramblin' Wreck from Georgia Tech]
[interposed voices of Steve McLaughlin] ...sounds incredibly complex...it sounds like...to have abilities that span...I'm really geeking out here.
[applause and laugh track]
[big band swing rendition of Ramblin' Wreck from Georgia Tech]
Steve McLaughlin: Say a little bit more about the kinds of students that are in your lab, because I think many of the listeners are Georgia Tech engineers, engineers as well, or maybe even some high school students thinking about studying engineering. What kinds of tools or experience or background do your students have and what's a typical kind of activity for the students in your group?
Brendan Saltaformaggio: So my group, we work with a range of students, everything from first-, second-year undergraduates who have an interest in cybersecurity all the way up to, you know, the most advanced Ph.D. students that I have who are leading and proposing new projects. The normal skill set that I'd be looking for is definitely an interest in protecting devices or investigating devices. Someone who's, you know, really interested in tearing down these kind of complex systems and seeing what kind of evidence exists within them.
In general, this is someone with a computer science or computer engineering background, generally would know how to program or be interested in data analytics, maybe even some machine learning. We have done a little bit of that in my lab as well. But really anyone with a curiosity for cybersecurity is welcome to join.
Steve McLaughlin: And so I know a little bit. There was a day where I wrote a lot of computer code, but I know that some of our listeners have thought about coding or maybe even done some coding themselves but probably at a small scale. You know, some of these programs that you're talking about are thousands, hundreds of thousands, of lines of code long. And so can you say how you detect the malware, because you don't have a human going in and looking line-by-line looking for the good lines of code and the bad lines of code? Can you say a little bit more about that for folks that maybe know a little bit about coding and have done some coding? How do you detect the malware?
Brendan Saltaformaggio: So that's actually one of the hardest parts of doing our research in a cybersecurity research group; you have these very large complex applications and you have to now figure out the little, tiny kernels of it that might be malicious or at least might be suspicious and warrant looking at. One of the ways we do this is we look at the good behavior of an application. So say, you definitely want your camera application to take pictures for you; that's a good behavior. But you don't want your camera application to then send those pictures out over the internet to someone else. And if we can run this camera application enough and we can figure out all the different executions that it can do, sometimes we will see it sending these pictures out over the internet and we can isolate the code that's doing this malicious behavior.
Steve McLaughlin: And so then in cases like that, you would need a human to try to define, you know, unacceptable behavior for a particular application, but then you translate that into some automatic way of detecting that. Is that kind of how you do it?
Brendan Saltaformaggio: You would be surprised. I have some brilliant Ph.D. students that can get very creative. So I’ll give you an example: When you download an application, there's always a little blurb about what exactly that application does. Now that blurb says this application takes pictures and takes pictures only. Maybe I can automatically figure out what the app is supposed to be doing, and then identify things that are not described in that blurb. For example, maybe your application takes pictures but is requesting permission to the internet. Why would an application that only takes pictures request permission for the internet? And in these sorts of cases we can automatically figure out what the good behavior is and what the bad behavior might be.
Steve McLaughlin: Are you thinking about the malware detection research that you're doing—are you thinking about commercializing that technology?
Brendan Saltaformaggio: I'm very glad to be at Georgia Tech. There's a huge infrastructure here to support startup companies by Ph.D. students or master’s students or even very bright senior undergraduates that come up with these brilliant ideas. And in my lab, I'm always supporting any of my students that want to spin off some of these great malware detection or cyber forensics techniques into a little startup company or even seek other entrepreneurial opportunities. For so many years now, these companies have just been growing and growing and growing, and they've been trying to develop new applications and new tools that are going to make consumers happy, that people are going to be interested in, that people are going to pay money for without much concern for privacy being built in from the ground up. And so now you're seeing situations where companies are finding themselves on huge stockpiles of personal information that people have shared with them because of how useful their products are; Facebook is a great example. Google is a great example.
But now that we're seeing problems arise with access to this personal information, companies are having to go back and rethink how they protect users’ information that they've been storing all this time. One of the best ways we've seen recently is companies just being more transparent, being able to tell you all the information that they know about you and then allow you to give them feedback— “Yes, I want you to know this about me.” “No, perhaps you should delete this from your database.” And this is a great way to give control of that personal data back to consumers and back to the users of these products.
That and, yeah, what an alley-oop to ransomware, right?
[Ramblin' Wreck from Georgia Tech marching band rendition]