
Computer Security in the New Year with Matthew Hicks

Matthew Hicks joined Virginia Tech’s “Curious Conversations” to discuss how computer users can be more secure heading into 2025.

He shared insights about the evolving landscape of computer security, particularly related to artificial intelligence (AI) and generative technologies, and the implications of these technologies on personal security, including the rise of sophisticated phishing attacks. He also provided guidance on some commonly overlooked aspects of computer security.

(music)

Travis

With a new year, comes no shortage of lists of activities that we would either like to begin or maybe improve at in ways that will enhance and make better our lives. When I began to look at 2025, I started to become curious of how I might be a little bit safer when it comes to the online environments that are an ever-growing part of my everyday life. From spam emails to different applications that I'm constantly downloading, am I doing that in the safest way possible? I'm not really sure, but I'd like to get better at it, and thankfully Virginia Tech's Matthew Hicks was kind enough to give me some tips on how I might do that.

Matthew is an associate professor of computer science at Virginia Tech and also holds a courtesy appointment in the Bradley Department of Electrical and Computer Engineering. His research interests include software, hardware, and embedded system security, as well as the Internet of Things and energy harvesting.

Matthew and I chatted a little about what he sees as the most pressing computer security challenges coming in 2025. He also shared his insight as to security concerns the average computer user might be overlooking, especially when it comes to extensions and applications that we might download, and he provided a little bit of guidance on how we might best navigate that topic.

Matthew and I also discussed a little about some of the more popular scams that are out there. Have you ever received an email from a prince claiming that he needed you to help him get money? Well, if you have, you're not alone, and we discussed that and what the more modern version of that looks like and there's also references to MySpace, Clippy, and a purple gorilla, so you're gonna need to listen to the podcast so you understand how all of those tie into this story.

I'm Travis Williams and this is Virginia Tech's Curious Conversations.

(music)

Travis

Looking at a new year, what are some things that maybe you as a computer scientist kind of see coming in the new year that may present some challenges to computer security in general?

Matthew

Yeah, if we're looking at the frontier of kind of computer security, you know, this whole idea of AI and generative AI, as most people know through like ChatGPT, these other large language models are all terms that people might have heard floating about. But they fit under the umbrella of generative AI, meaning AI that can create new content. And that's great in some respects for writing or other kind of things, but it can also be used maliciously. For example, I could, you know, take all of my lectures, train an artificial intelligence AI model with my lectures, and then it could actually create new lectures and even say nefarious things, things that would get me in trouble, things that would misinform, misrepresent my stance, Virginia Tech's stance, the government's stance. And it would be from a lay person's perspective, indistinguishable from if I actually said it myself. And so that is using generative AI, not just for text, but for audio and video. And we are starting to see examples of this. For example, Kolo got in a recent controversy because they did an entirely AI generated commercial, a Christmas commercial, was entirely AI generated. And people were upset that that put people out of work. But really what you see is if it's good enough for them to make that huge of investment into the Christmas season, that means that technology is pretty immature. And we're going to start seeing these ideas and they're called like deep fakes versions that are using this kind of AI technology to fake audio, fake video. There's a lot of burgeoning work in it using that to attack people. Social engineering is an example of how it may impact you. You may no longer just receive emails from, in our case here at Virginia Tech, President Sands. You know, sends me a surprising lot of emails that don't actually sound like they're coming from him, but now maybe videos from him. And it's like, well, I can see he's, it's his voice, it's his image saying these things.
Maybe he actually, maybe that is, it increases my confidence, especially if I'm more like security naive, that that actually did come from him. And maybe I'm going to give him my personally identifiable information, my credit card number, some other poor form of private information. And so really for the next decade, we are going to see a surge in attacks. And then a surge in defenses, researchers are trying to get in front of this, but oftentimes we need to see what malicious adversaries are going to do attack wise before we get defenses that actually are effective. So that's something I'm most worried about in the frontier because there currently isn't an obvious limit to the technology and how it could be used by adversaries to, you know, compromise even our, you know, normal person security.

Travis

That's fascinating. So it sounds like that I need to be aware if I get an email from President Sands asking me to buy gift cards that may not be that may not be even if it's a video.

Matthew

Yeah, I mean, especially you actually use a gift card example. So a few years ago, I use this in my class on my undergraduate class on computer security. I have a phishing, it's called a phishing attack where you get an email from somebody purporting to be somebody you know, convince you in many cases to buy gift cards. I got one from my department chair at the time asking me to buy Xbox gift cards or Steam gift cards. Obviously being a security professor, I knew that while it had a lot of material that knew it came from an academic environment, talking about conferences and explaining why he couldn't call me directly and a lot of environment to know that I was a Virginia Tech, affiliated with Virginia Tech and a professor. My department chair being in the generation he's from, very unlikely that he is asking me, he even knows what a Steam gift card is, much less asking me to buy them via email. And so it's very real that in the future, yeah, I'll get a video. You could see it on a video clip in my inbox or a TikTok, Instagram, whatever the social media all different avenues or phone call. Like we get spam phone calls all the time. Now what if you pick up a spam call and the voice on the other end is someone you recognize? Right? So how do you distinguish these, you know, it's very possible. So I'd say you hit on the perfect response that anybody can do is awareness. And that's what I teach in my class, lecture one throughout is you have to have what I call rational paranoia. You have to understand that it is possible for somebody to fake a video and fake audio that kind of impersonates somebody that you know. And so with that awareness, you can put that together like, well, maybe I shouldn't trust this 100%. And if I put this together with other red flags, Steam gift cards, that I might be able to determine that this is, maybe I'm gonna reconnect to this person with other channels and verify that, you know, they sent this or they did not send this. So yeah.
That's the best response you can do. It doesn't take any technology. It just takes awareness that this is something that an attacker could do.

Travis

Yeah, it's a little bit fascinating to me that it's almost like a more high tech version, a lot of ways of the emails that I used to get in college, which was decades ago, that were from the prince of a country. And there was money and we had to help him get the money out, I think.

Matthew

Yeah, that's a Nigerian. Yeah, that's labeled as Nigerian scams, 419 scams. Yeah, and certainly we're probably we're similar vintage in that, I would imagine. And I still get these through my VT account, my students still get these and we talk about them in my security class. And they are much more advanced nowadays than they were. They're more targeted. And that's called spear phishing. That is when you're going, you know, phishing in general, you just imagine casting a net and get whatever you can get.

Spear phishing is a little bit more targeted, takes more work on the attacker. Like, I'm gonna attack all people affiliated with VT. That way with spear phishing, it's more targeted. They can use, it's not necessarily a prince of Nigeria who needs to exfiltrate money from the company. It is my department chair that needs me to help them out and they use language that would be more familiar to me. And generative AI can even make those emails more advanced. Hey, ChatGPT, write me an email that comes from a professor, a department chair to a professor that makes it clear why they can't use their phone, but they need to help them get a birthday gift for someone, right? And so now, even just using text generative AI, text-based generative AI, they can even craft more targeted, more believable spear phishing emails.

Travis

With some of these phishing attacks, is there anybody that has quantified that you know of how successful they are, like is there, must be a percentage they must be working. Someone must have been answering the Nigerian Prince email.

Matthew

I have a slide in my class about the different levels. So there's just regular phishing, which is I'm the Prince of Nigeria need to have money. That is that I think the response rate is the people that respond back to that because you get a tier. So more interaction. So I see this, for example, I see the subject line and I delete the email, you know, let's say 90% of the people do that, the remaining 10%, they've at least opened the email. And then, you know, 1% of 1% may respond back to the email, oh, is this really thing? When you get down to it is like one in 10,000 to one in 100,000 actually give money to the attacker. Now, the trade off is we have, you know, that has a very low return rate and very low effort.

Now attackers would do what we call spear phishing, which are targeted attacks. Like, I'm gonna target people affiliated with Virginia Tech, that is a much smaller pool of people. Let's say that's roughly 50,000 people with active, actively check their VT email. Okay. That's much smaller than the United States population or the world population, but I can write a more convincing email that now probably 50% of people open the emails, spear phishing emails that they get through their VT accounts just to check, well, what is it? Did President Sands really send me something? Then from that, it's, lower will actually respond and then lower will do it. But now instead of one in a hundred thousand, it could be one in 10,000. And then you might be able to get more out of individual victims. So the attackers play in the game of the more targeted the email is, the more convincing, the higher the success rate of the attack. And so, and I see these and I, you know, I monitor the VT-affiliated Reddit page, which where students go to find out what's going on in the community, understand the students perspective. And I see a lot of people, is this really a job opportunity that exists? Did President Sands really send this? And, you know, it's like, that's the level we are at nowadays. You didn't send an email, you didn't send a Facebook, let's say back in the day, or X or whatever it is, or Meta now, whatever, saying, did the Nigerian Prince really send me this email asking, right? But it's so advanced and so hard to deduce for a lot of people that it really is a discourse going on. Like, is this a real email? And they need the community to be like, no, this is not, this is a phishing email. Don't respond to it.

Travis

I think my community might have gone all the way back to MySpace for a little bit.

Matthew

I was there too. I was in there. Which one's better, MySpace or Facebook?

Travis

MySpace you had to rank your eight friends and that always felt a lot of pressure there. If you dropped out of somebody else's eight friends, like man, that was a bad day. I'm curious, what are some other overlooked aspects of maybe a personal device, whether it be a computer or a phone that the average person just doesn't, doesn't think about when it comes to security?

Matthew

I would think that, you know, we hear a lot nowadays about security. I think the average person, the one thing that they should be aware of that's really worth them being like, because there's not many things that are worth them being aware of. But that they should be aware of and that they're not is the idea that every time you install an application on your phone or even a web browser. Web browser extensions are probably the number one thing you should be aware of. That's actually worse than applications. I'll start there. Web browser, it's like an application that is implanted in your browser that can see everything that you see, record it, and send it off to anywhere in the world.

So for example, I use a password manager. I also use an ad block extension. How these work is they basically read every web page that you get and they read every bit of text, every file you upload. They have the ability to read all this information, alter all of this information and just know that every time you install a browser extension, that you are giving them the key. So all the other security we have to protect web pages as they go across the world to make sure that nobody can read them and nobody can modify them, that we are talking to Google or whoever the endpoint is. That's all undone when it goes to the browser. And when you install an extension, a browser extension, that actually is able to do everything. They can read, they can modify without you having any knowledge that they are doing this.

So you should trust every extension that you insert. That's, you know, some of these have been known to mine Bitcoin on your computer, wasting your resources, degrading the performance of your computer. Some of them have been known to basically capture passwords and send them back so people will try to steal your identity account information. So you have to, you, you should have a reason why you install everything and you should only install from reputable sources. So the applications that I have are some of the most widely used applications. And in that case, since it has such a wide user base, if there is an issue, it's very likely that the community will find that issue and it will be brought out. But I only have two browser extensions. In the same realm, but a little bit less because it's not as tightly in the browser, are just general applications, whether it be on your phone or on your other personal computing device like a laptop, a desktop, tablet, whatever. That creates an additional interface that the attacker can use to kind of compromise your security on your machine, though. It exposes new potential connections with the outside world. It's new software that could have vulnerabilities that are exploited by attackers. So one thing that I like to do periodically, definitely during the new year between semesters, is go through my systems and do kind of like a spring cleaning. But it's a, you know, between semester cleaning for me and say like, what apps do I have? Do I need these anymore? Right? What programs? What browser extensions? Let me just clean things up.

And that reduces what we call the attack surface. So that's what the attacker sees of your system, what they can interact with. The fewer applications, extensions you have, the less potential there is for an attacker to compromise your system. That's like the number one thing that you can do as a user.

Travis

Whether it's extensions or whether it's applications, how do you go about vetting what you do and don't use? The number one thing is kind of reputation.

Matthew

So I make sure that what I'm installing comes from reputable sources. So mainstream companies, they have a wide user base. When I was younger, I might've done things that were not as come from reputable places because message boards form. So it's like, look at this great thing. If you install this, you can get some advantage. And it turns out some of those things were basically malware. I was giving access to my system that I teach about now in my course. Because I thought, there's this cool, like, we said, he's like a Clippy is an example from the old Microsoft days where you'd have like this virtual assistant in the late 90s, early 2000s. And they had one of these things called BonziBuddy that would like, oh, I'm a purple gorilla, and I'm going to help you do certain tasks on your system. It turns out it was spyware the whole time. So, you know, and I saw, oh, that's cute. Let's just see what's going to happen. So I'm a little bit less like, is it really worth it every time? And then there's kind of a very critical security principle that's called least privilege, which is the idea that I only need to have the minimum things that I need on my system for the minimum amount of time to do some sort of job. You know, every semester or between every, after every semester, I essentially go through and then look and like, do I need this application to do my job or did I just need it for a timeframe? And so that's kind of a system that I go through. And obviously, nowadays, we have automatic updates on. So that's kind of good to make sure things are updated. But the best thing you can do is kind of like this computer security version of reuse, reduce, recycle. It's like, you know, it's great to redo the best thing you can do is not use something. But if you use it, it's best to read if you do use it best to reuse it as many times you can. And if you can no longer reuse it, you should recycle. That's kind of like the idea. Same thing with computer.
Don't install something in the first place is the best thing you can do. If you do install it, you should get rid of it as soon as you can possibly get rid of it. And if you can't, if you still need it, you can't get rid of it, you better make sure that it's continually updated. I guess as we get older, it's a little bit less tempting to download, you know, the cute purple gorilla applications that are less appear. I have real work to do. So it's like, I don't have time to, you know.

Travis

If you were to drill all of kinds of what you've shared down maybe into like one resolution that I can have moving forward into 2025. What might that be?

Matthew

My resolution would be increased awareness. So whether that be of what the capabilities, what attackers can do to fake text, videos, audio, or where that's just awareness of basically what your system interface, attack surface, your system is exposing to the outside world. It's just good to increase your awareness. Try to increase your awareness of what things are installed in your browser, what applications are there, and then what attackers can kind of do at a very high level. You don't need to understand how things work, just need to understand that, hey, everything that I have in my browser, you know, puts me at can read whatever is going on inside the browser. Everything I add to my system is more code that an attacker can leverage to compromise my system. You know, all the media, by the way, all the media that I put out there, you know, can be used by an attacker to create a deep fake of me. So, you know, all these podcasts, you know, realistically, you know, very easy to train a generative AI model of you and they can, you know, create artificial podcasts or whatever. I might be able to order pizza as you later on today. So I'm going to hijack your Papa John's personal account that you have there. So get free pizza.

Travis

I will say that you and only you are allowed to order a pizza as me only later today and only if you share it. So.

Matthew

OK. Well, I'm going to the expensive stuff for us. So good luck.

(music)

Travis

And thanks to Matthew for helping us better understand how we can be a little more secure with our computers and online activities in the new year. If you or someone you know would make for a great curious conversation, email me at traviskw at vt.edu. I'm Travis Williams and this has been Virginia Tech's Curious Conversations.

(music)

About Hicks

Hicks is an associate professor in the Department of Computer Science at Virginia Tech and also holds a courtesy appointment in the Bradley Department of Electrical and Computer Engineering. His research interests include software, hardware, and embedded system security, as well as the Internet of Things and energy harvesting.