Anne Hennig is a Research Associate at the Karlsruhe Institute of Technology (KIT) and supervises the INSPECTION research project. At this year’s Internet Security Days (ISD) on 21 and 22 September, she will give a presentation on the project. Together with her colleague Dr Peter Mayer, she explains in an eco interview what INSEPCTION is and why it can be an effective addition to already existing IT security approaches.
You are involved in the INSPECTION research project. Can you explain what you are investigating in the project and what area of cybersecurity you are focusing on?
In the INSPECTION research project, three consortium partners are collaborating to investigate a specific type of SEO spam in the form of redirects to fake online shops. In other words, the INSPECTION project is essentially concerned with web security, whereby we are specifically taking a closer look at a certain type of attack on websites. MindUp Web & Intelligence GmbH is responsible for finding the hacked websites, BDO Wirtschaftsprüfungsgesellschaft AG deals with the forensic analysis of the hacked websites. We at the Security – Usability – Society (SECUSO) research group at the Karlsruhe Institute of Technology (KIT) are responsible for notifying the affected website owners.
How does INSPECTION work? And how does it differ from other security systems?
INSPECTION, by itself, is not a conventional “security system”. As previously mentioned, this project aims to provide a detailed description of a specific method of website attack. The challenges lies in the fact that this form of website hacking is a) relatively known, leaving many website owners unaware of how to counter this attack, and b) the attackers cleverly conceal their activities within the system, allowing the hacking to go undetected for a long time. It is not uncommon for websites to remain compromised for several years.
Our approach is more holistic: Firstly, our focus is on identifying hacked websites (“Find” section). MindUp Web & Intelligence GmbH has refined this mechanism over the past three years. In the coming months, we will provide a case-by-case tool on our German-language project website (web-inspection.de). This tool will enable website owners to test whether they are affected themselves. Obviously, this tool is specific to the type of website hacking we have been investigating and does not guarantee that the website is free of malware. Nonetheless, it serves as a valuable supplement to existing malware scanners, which may not detect the specific type of website hacking we have investigated.
Furthermore, it is imperative for us to analyse this type of website hacking in detail, to establish commonalities between the affected systems and thus to provide concrete solution proposals for those affected (“Treat” area). BDO Wirtschaftsprüfungsgesellschaft AG is currently still in the process of complementing these analyses with more data. The analysis is carried out using log files of compromised systems. Here, we are considerably dependent on the cooperation of the affected parties and can only meaningfully evaluate log files, for example, if they are also made available to us.
In this context, the notification of affected parties and, thus, the development of an effective notification procedure also plays a major role. As mentioned earlier, this type of hacking often remains undetected for a long time. At the SECUSO research group at KIT, we are conducting research to determine the most effective communication channels and information content for reaching those affected. Our goal is to ensure that the issue is both acknowledged and comprehended, leading to appropriate actions. Achieving this is not as straightforward as it may seem, as such notifications frequently get lost amid daily spam, and our information fails to reach the intended recipients.
These two areas shape the groundwork for the area of “prevention”. We are currently in the process of developing awareness materials to make website owners aware of the possible danger in advance. The focus is currently on two awareness videos, which will also be made available at the end of the project, as well as the case-by-case assessment tool.
How can the research results of INSPECTION be used further in the future? What do you hope to learn for future projects and research approaches?
As already described, all findings from the project will be publicly available. The focus will be on the case-by-case assessment tool and the two awareness videos. All information will also be made available to third parties. For example, we are in contact with the German Federal Office for Information Security (BSI), Deutschland sicher im Netz, nurmerous chambers of commerce and industry, chambers of skilled crafts and trade associations, the NRW Consumer Protection Centre, the Alliance for Security in Business (ASW), the German Federal and State Police Crime Prevention and, of course, the eco Association.
In addition to this concrete output, we as a university are, of course, also interested in the transferability of our results to other, possibly similar problems. For example, the question of how to effectively stand out from the “daily spam” with so-called vulnerability notifications. Within the framework of the INSPECTION project, we have been able to gain some valuable tips here, which we would like to look at more closely beyond the end of the project.
We are also concerned with the question of how target group-specific awareness materials have to be. Since our target group as “website owners and stakeholders around websites” is extremely diverse, but the actual problem is partly very individual, we had to watch out that we are sufficiently general and simultaneously specific enough in our materials. I think we have found a good middle ground here. But the general problem is how to deal with such knowledge gaps between different groups of people – this is also an exciting area of research beyond the cybersecurity sector.
Thank you very much for the interview!
Here you can find all information about the Internet Security Days.