What Keeps NYU-Poly’s Student Cyber Geniuses Awake Worrying?

Hardware Trojans, Bad Code and Consumer Ignorance Top List of Cyber Security Threats

Students preparing for careers in information security spend their days learning how to outsmart cyber criminals, but some threats loom larger than others, posing the greatest challenges to the safety of a wired world. As part of Cyber Security Awareness Month in October, students at the Information Systems and Internet Security (ISIS) Lab at the Polytechnic Institute of New York University (NYU-Poly) identify their top cyber security threats and offer insight into what may be done to stop them.

Later this month, the group—which consists of undergraduate, graduate and doctoral candidates—will host more than 300 elite computer science students from around the world on the NYU-Poly Brooklyn campus for the Cyber Security Awareness Week (CSAW) games. Participants will solve a series of simulated security crises and compete for prizes and scholarship funds.

What keeps a cyber security ninja awake at night? According to the team, the biggest threats to online safety are:

Developers are the biggest threat. When developers write bad code, we’re all vulnerable. Developers write code for the Operating System you use, for the browser where you enter your personal information, and for the web application that stores all your information. We are constantly seeing these platforms plagued with security vulnerabilities.  Developers need to be educated about how security problems appear in code and how to prevent these problems.” Julian Cohen, Sophomore – Computer Science; Team: Capture the Flag Application Security Challenge

Supply chain attacks. With the ever-increasing number of suppliers from around the world, it is harder to know and trust either everyone along a product’s supply chain.  For example, do you really know where your digital picture frame has been? Although hardware and software manufacturers and suppliers often work hard to preserve their reputation, an individual within the organization may be untrustworthy. Use common sense when purchasing:  If the price is too good to be true, it probably is.  Use vendors committed to protecting their whole global supply chain.” Efstratios Gavas, Doctoral Candidate – Computer Science; Team: Cyber Forensics Challenge

“I see the shift from traditional computing toward ‘software as a service’ (SaaS), ‘infrastructure as a service’ (IaaS) and ‘platform as a service’ (PaaS) as a time bomb. The move is happening too fast, and many companies are blindly moving to them for cost savings. However, the standards are not mature for these services. We do not even know what the proper security requirements should be, let alone how to provide them. It is just a matter of time before we see catastrophic vulnerabilities of these services discovered by people with bad intentions.” Luis E. Garcia II, Graduate Student – Computer Science; Team: Capture the Flag Application Security Challenge

“The biggest threat is the average user's ignorance of security practices. People will friend others on Facebook whom they barely know and leave their personal social networking details on the public settings. Attackers can gather a fair amount of information about a person that they can exploit with little effort.” Michael J. Harris, Graduate Student – Computer Science; Team: Awareness Video Challenge

Public computers. I am always worried whether there are any keyloggers on the public computers I use. I am not sure most people know that software can track their typing, or if they are even aware of simpler precautions like cookie settings that prevent caching of passwords.  That is why most users should avoid public computers for anything involving credit cards, Social Security numbers or any service that requires them to enter a password.” Liyun Li, Doctoral Candidate – Computer Science; Team: AT&T Best Research Paper

Financial cybercrime. The ability to affect stock prices and personal bank accounts is a growing threat with very serious consequences. Criminals are finding it more effective to rob financial institutions from within the safety of a botnet instead of with a gun.” Sankar Ponnusamy, Master’s – Management Science; Team: CSAW

Hardware trojans. I find the possibility of malicious trojans embedded in hardware to be the most frightening. These can cause anything from subtle disturbances to catastrophic effects. Examples include leaking PIN information from an ATM or changing the target location for missiles.  None of the current malicious software detection/prevention techniques can protect against such attacks.” Jeyavijayan Rajendran, Graduate Student – Electrical and Computer Engineering; Team: Embedded Systems Challenge

“What frightens me is the plethora of gadgets entering the market every day, all of them connected to the Internet–tablets, smartphones, GPS and even home security systems. Many of them may have been designed in haste with little or no thought to security. If one of these devices is compromised, it can have a ripple effect—an infected smart phone can steal your personal information, a hacked home router can corrupt your entire home network and redirect all traffic towards a malicious server.” Sen Yang, Graduate Student – Computer Science; Team: Quiz Tournament

About Polytechnic Institute of New York University

Polytechnic Institute of New York University (formerly Polytechnic University), an affiliate of New York University, is a comprehensive school of engineering, applied sciences, technology and research, and is rooted in a 156-year tradition of invention, innovation and entrepreneurship: i2e. The institution, founded in 1854, is the nation’s second-oldest private engineering school. In addition to its main campus in New York City at MetroTech Center in downtown Brooklyn, it also offers programs at sites throughout the region and around the globe. Globally, NYU-Poly has programs in Israel, China and is an integral part of NYU's campus in Abu Dhabi.

Note to Editors: To download images, go to http://research.poly.edu/~resourcespace/?c=145&k=6bb17f9f6a