October 24, 2023

A Q&A with Director of ASU's Center for Cybersecurity and Trusted Foundations Adam Doupé

Adam Doupé’s cybersecurity journey began with mischief.

Upon learning he could connect to an email server and spoof sender addresses, a high school-aged Doupé amused himself by sending his friends chiding emails from [email protected]. With all that fun came a realization: Online systems aren’t always designed securely — and those insecurities create opportunities to use systems in unintended ways.

Today, Doupé is still looking for insecurities in online systems, but not to prank his friends. He leads the Center for Cybersecurity and Trusted Foundations (CTF) in the Global Security Initiative at Arizona State University, which searches for vulnerabilities and creates ways to protect people online. He’s also an associate professor in the School of Computing and Augmented Intelligence, one of the Ira A. Fulton Schools of Engineering.

In this Q&A for Cybersecurity Awareness Month, Doupé discusses the importance of vigilance online, the time he fell for a phishing attack and his favorite — and scariest — cybersecurity "monsters."

Question: Were there some cybersecurity challenges you thought would be very challenging when you entered the field that ended up being solved relatively easily?

Answer: When I first entered the field, one of the major problems was drive-by downloads. These were attacks that exploited a vulnerability in your browser or computer system when you visited a sketchy website and downloaded malware onto your local device. If you were around then, you might remember seeing lots of pop-ups on a relative’s very slow computer who wasn’t very tech savvy — it was probably because the computer was riddled with malware.

However, drive-by downloads have almost been solved now. The browser security has increased so significantly that vulnerabilities for major browsers are rare and worth millions on the black market. The threat exists, but attackers probably aren’t spending millions to target your average consumer with a drive-by download anymore.

Q: Moving on from problems that are mostly solved, what about cybersecurity threats on the horizon? What are some emerging threats that you think people should be aware of?

A: What we've seen is a recent shift towards scam websites — websites that aren't trying to steal your username and password, but instead are pretending to sell things that don't exist. They're not a real business, but they want to charge your credit card and then never ship you any items. This is a big emerging threat that we're seeing nowadays.

Q: What is ASU's CTF doing to address threats like these?

A: At the Center for Cybersecurity and Trusted Foundations, we focus on keeping people safe while they're online, because computing is such an important part of our lives. We're trying to accomplish this in many different ways.

One way is addressing that super-high-value vulnerability marketplace by finding those impactful vulnerabilities before the bad guys. We do so through research with DARPA and other government agencies, and develop tools and techniques to help people and companies analyze software to identify security vulnerabilities and automatically fix them. The exciting part about doing this stuff automatically is that we’re trying to proactively prevent these security breaches. By creating automated systems, we can make sure that every time a company is changing their code, it can be analyzed to see if that's introducing a security bug.

We’re also really focused on cybercrime and how can we combat it at all different levels. One of the big things we've done is taken a closer look at the anti-phishing ecosystem the cybersecurity community created. We started around 2018, and we found that the defenses weren't as good as we thought. As soon as your browser detects a phishing website, you get a big scary warning saying, “Don’t go any further.” But we noticed that the latency between submitting a phishing website to Google or Microsoft and being blocked can be extended by cybercriminals by hours or days. So we've been working with those companies to improve their systems to reduce that timeframe so as soon as the ecosystem knows something is bad, it gets blocked.

Q: You mentioned how you look for vulnerabilities before attackers can find them. That sounds a bit like Halloween; you’re pretending to be something you’re not by playing the role of an attacker and trying to think like them.

A: So this is one of the key concepts of cybersecurity in general, and specifically cybersecurity education. You can't do defense if you don't know offense. Fundamentally, if you don't know what an attacker is capable of and what tricks they use, you're never going to be able to stop them. It's actually very similar to sports. Some of the best people to analyze and understand a defense are the offense people and vice versa. And so — this is really core to CTF and our education mission — we want to train people at ASU to be really good in defensive cyber techniques, but offensive techniques as well, because they overlap so much and you can't properly do defense without understanding offense.

Q: Speaking of Halloween, what is the most memorable costume you had as a kid, and did it reflect an interest of yours that eventually led you to cybersecurity?

A: One of my most memorable Halloween costumes as a kid was the Riddler. Obviously, Jim Carrey is hilarious, and was a great Riddler, so that's what I wanted to be.

But looking back on that Halloween, you can draw a lot of parallels between cybersecurity and the Riddler. When you're trying to solve a cybersecurity problem, it's a lot of riddles and questions. Thinking logically is the way you get around somebody who's very riddle focused. And this is what we try to also teach our students who are studying cybersecurity — give them the skills, techniques and tools so that they can tackle these riddles.

Q: Can you tell us about one of your biggest cybersecurity scares?

A: There was a time I almost fell for a phishing attack. So I’m in the airport, waiting to board a flight, and I got an email that looked like it was from Dean Kyle Squires. They used his name and email footer, but the email client I was using on my phone hid the exact address. So it looked legitimate. This email says, “Hey, I need to talk to you about something, but not over email.”

Now, there are cases where you don't want to put things in email, so I replied, “Oh, I'm just about to board a flight right now. Please call me on my phone. Here's my phone number.” I waited for the call, and then two minutes later, I got an email back saying “I'm in a meeting, but I need you to go get me iTunes gift cards. Go get 10 of those and then send me the codes, that would be great.” And that's when I realized I fell victim to a scam — and I gave a scammer my phone number!

First, I thought, “How can I be so stupid?” But my second thought was, “Oh, this is how people fall victim.” I was in this scenario where I had time pressure, the technology wasn't helping me and the attacker was impersonating somebody who's in charge of my career. And so, all these cosmic forces aligned so I would be the perfect victim for this phishing attack.

And this whole story is a great example of why Cybersecurity Awareness Month is so important. At the end of the day, we're all human, we all make mistakes. But being aware of these things, understanding what common scams look like, understanding what to look out for, will help keep you safe — and equally important is what you do after you’ve been scammed. Because after I fell for that phishing attack, and recognized it, I followed the cybersecurity training we all take at ASU. I forwarded the email to [email protected], I let them know this scam email was going around and what was compromised.

Q: A text or an email today can feel much like a trick-or-treater. Is it innocent or is it devious? How can we tell who's knocking at our inbox?

A: When you receive a text message from a random number, we really don't know what they're up to. It could be our friend texting us from a new number, or it could be a criminal who's trying to get us to click on a link and scam us. Applying some common sense to these messages goes a long way. How would somebody contact me? Would the IRS just text me that I am behind on my tax returns and I'm going to be audited? No, the IRS will send you a certified mail letter.

Another way to keep yourself safe that I find very helpful is to remember these attacks aren't just towards you. They're very broad attacks that are trying to scam a lot of people, so there will be discussions on the internet about it. If you're ever unsure, don't click the link or engage at all, but copy some of the text and search for it on the internet with the word “scam.” And usually what happens is you’ll see the same text that you got, and you’ll know not to engage.

Q: Much like an isolated cabin in the woods or a dark basement, are there certain settings online that should prompt people to be extra vigilant?

A: In the physical world, we've developed intuition about what's safe and unsafe. If you're in a residential neighborhood walking on the sidewalk and the cars are going 25 miles an hour, you feel pretty safe. But if you were on the side of a highway and cars are going past at 65, 80 miles an hour, even though it's technically the same situation, you would feel unsafe.

When you're using your computer or your phone, it's really difficult to have similar intuition. The key thing is to be more vigilant. If you're getting emails, messages about things you're not expecting, that's definitely something to be wary of.

It's always safe to use what we call an out-of-band channel — basically another mode of communication. If you got an email from your boss that says, “Hey, I need you to check the HR report of the salaries of everyone in our department,” and there's a link or an attachment there, your natural instinct is to go check that out. But maybe it's worth a text or a message to your boss to confirm they sent it.

Q: Looking at our "monsters" of cybersecurity — the Horde, the Vampire, the Werewolf, the Phisherman and the Snatcher — who’s your favorite to outsmart and fight?

A: My favorite is probably the Phisherman, just because those types of scams have a very long history. It’s something that has always been part of human nature — impersonating a trusted entity to trick others. For example, there's a story about a guy who sold the Brooklyn Bridge 10 or 20 times to that many different people in the late 1800s, just by impersonating an entity who could.

So I admire it because it's a very old scam and it will never completely go away. It's a never-ending fight, which makes it interesting, but it also has something to do with human nature, which makes it so hard.

Q: What about the scariest? Who’s the scariest monster of cybersecurity to you?

A: The Snatchers, the ransomware operators — the ones that get into your system and encrypt all your data so you can't access it. Either give up all your data or pay them. And that's what people do.

Because they've been so successful monetizing this type of attack means that they have much more incentive to continue. The amount of money involved makes them more organized and effective. So they've been able to go from scamming normal people for one to two Bitcoins to leveraging organizations for millions of dollars.

Now, that, to me, is scary because it doesn't seem like a problem that's going to go away tomorrow.

Top photo of Director of the Center for Cybersecurity and Trusted Foundations at Arizona State University Adam Doupé by Deanna Dent/ASU