Cyber-sleuthing: Spotting potential targets of nefarious e-mail attacks

Published 20 February 2013

The weakest link in many computer networks is a gullible human. With that in mind, computer science researchers want to figure out how to recognize potential targets of nefarious e-mails and put them on their guard.

The weakest link in many computer networks is a gullible human. With that in mind, Sandia National Laboratories computer science researcher Jeremy Wendt wants to figure out how to recognize potential targets of nefarious e-mails and put them on their guard.

His goal is to reduce the number of visitors that cyberanalysts have to check as possible bad guys among the tens of thousands who search Sandia websites each day.

Ultimately, he wants to be able to spot spear phishing. Phishing is sending the same e-mail to thousands of addresses in the hope that a few recipients will follow a link and, for example, fall for a scam offering millions of dollars to help a Nigerian prince wire money out of his country. Spear phishing, on the other hand, targets specific e-mail addresses whose owners have something the sender wants.

A Sandia Lab release reports that Wendt has developed algorithms that separate robotic Web crawlers from people using browsers. He believes his work will improve security because it allows analysts to look at groups separately.

Even if an outsider gets into a Sandia machine that does not have much information, that access makes it easier to get into another machine that may have something, Wendt said.

“Spear phishing is scary because as long as you have people using computers, they might be fooled into opening something they shouldn’t,” he said.

Identifying malicious intent
Sandia cybersecurity’s Roger Suppona said the ability to identify the possible intent to send malicious content might enable security experts to raise awareness in a potential target. “More importantly, we might be able to provide specifics that would be far more helpful in elevating awareness than would a generic admonition to be suspicious of incoming email or other messages,” he said.

Wendt, in the final stretch of a two-year Early Career Laboratory Directed Research and Development grant, presented his work at a Sandia poster session.

Wendt has looked into the behaviors of Web crawlers vs. browsers to see whether that behavior matches how computers identify themselves when asking for a webpage (in practice, the User-Agent header sent with each HTTP request). Browsers generally say they can interpret a particular version of HTML — HyperText Markup Language, the main language for displaying webpages — and often give browser and operating system information. Crawlers identify themselves by program name and version number. A small number Wendt labels “nulls” offer no identification at all, perhaps because the programmer omitted that information, perhaps because someone wants to hide.
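The following Python is an added illustration of the idea in this paragraph; it is not Wendt's algorithm, which the article does not describe in detail. It sorts visitors into the three self-identification groups named above (browser, crawler, null) from the User-Agent field of standard web-server log lines, then compares each visitor's claimed identity with a crude behavioral profile: whether it fetched robots.txt and whether it loaded any page assets. The log lines, IP addresses, and the behavior thresholds are constructed assumptions for the example.

```python
"""Compare how a web visitor identifies itself with how it actually behaves.

Added example, not Sandia code. The log lines below are constructed and
use documentation IP ranges; the thresholds are illustrative assumptions.
"""
import re
from collections import defaultdict

# Apache/nginx "combined" log format; the last quoted field is the User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Self-declared crawlers usually say so somewhere in the string.
BOT_WORDS = re.compile(r'bot|crawler|spider|scraper', re.I)
# Browsers: "Mozilla/<ver> (<platform details>) ..." with browser/OS tokens.
BROWSER_RE = re.compile(r'^Mozilla/\d+\.\d+ \([^)]+\)')
# Crawlers/tools: bare "name/version" with no platform block.
CRAWLER_RE = re.compile(r'^[A-Za-z][\w.-]*/[\d.]+')
ASSET_EXT = ('.css', '.js', '.png', '.jpg', '.gif', '.ico', '.woff', '.svg')

# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [20/Feb/2013:10:00:01 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"',
    '203.0.113.10 - - [20/Feb/2013:10:00:01 -0700] "GET /css/site.css HTTP/1.1" 200 880 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"',
    '203.0.113.10 - - [20/Feb/2013:10:00:02 -0700] "GET /img/logo.png HTTP/1.1" 200 3100 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"',
    '198.51.100.7 - - [20/Feb/2013:10:01:00 -0700] "GET /robots.txt HTTP/1.1" 200 64 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.7 - - [20/Feb/2013:10:01:01 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    # Claims to be Chrome, but reads robots.txt and never loads a single asset.
    '192.0.2.55 - - [20/Feb/2013:10:02:00 -0700] "GET /robots.txt HTTP/1.1" 200 64 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"',
    '192.0.2.55 - - [20/Feb/2013:10:02:01 -0700] "GET /about.html HTTP/1.1" 200 2200 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"',
    '192.0.2.55 - - [20/Feb/2013:10:02:02 -0700] "GET /contact.html HTTP/1.1" 200 1900 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"',
    # A "null": no User-Agent at all.
    '192.0.2.99 - - [20/Feb/2013:10:03:00 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "-"',
    # An honest tool: bare name/version, fetches pages only.
    '203.0.113.77 - - [20/Feb/2013:10:04:00 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/7.68.0"',
    '203.0.113.77 - - [20/Feb/2013:10:04:01 -0700] "GET /about.html HTTP/1.1" 200 2200 "-" "curl/7.68.0"',
]


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_ua(ua):
    """Label a User-Agent string as 'null', 'browser' or 'crawler' (the three groups in the text)."""
    ua = (ua or '').strip()
    if ua in ('', '-'):
        return 'null'
    if BOT_WORDS.search(ua):          # checked first: many crawlers also start with "Mozilla/5.0"
        return 'crawler'
    if BROWSER_RE.match(ua):
        return 'browser'
    if CRAWLER_RE.match(ua):
        return 'crawler'
    return 'null'                     # anything unparseable is treated as unidentified


def profile_visitors(lines):
    """Group requests by client IP and compare the claimed class with the observed fetch pattern."""
    visitors = defaultdict(lambda: {'claimed': set(), 'pages': 0, 'assets': 0, 'robots': False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        v = visitors[rec['ip']]
        v['claimed'].add(classify_ua(rec['ua']))
        path = rec['path'].split('?', 1)[0].lower()
        if path == '/robots.txt':
            v['robots'] = True
        elif path.endswith(ASSET_EXT):
            v['assets'] += 1
        else:
            v['pages'] += 1

    result = {}
    for ip, v in visitors.items():
        claimed = 'mixed' if len(v['claimed']) > 1 else next(iter(v['claimed']))
        # Assumed behavioral rule: real browsers load a page's CSS/images; crawlers
        # read robots.txt and walk pages without loading assets.
        behaves_like = 'crawler' if (v['robots'] or (v['pages'] >= 2 and v['assets'] == 0)) else 'browser'
        # Unidentified or inconsistent visitors, and any whose behavior contradicts
        # their claim, go to the analyst's pile.
        suspicious = claimed in ('null', 'mixed') or claimed != behaves_like
        result[ip] = {'claimed': claimed, 'behaves_like': behaves_like, 'suspicious': suspicious}
    return result


if __name__ == '__main__':
    for ip, info in profile_visitors(SAMPLE_LOG).items():
        flag = 'CHECK' if info['suspicious'] else 'ok'
        print(f"{ip:14} claims {info['claimed']:8} acts like {info['behaves_like']:8} {flag}")
```

Running it flags 192.0.2.55 (a self-declared browser that behaves like a crawler) and the null visitor 192.0.2.99, while the ordinary Firefox session, Googlebot and the curl client pass. The thresholds are deliberately simple; in practice one would add signals such as request timing, referer presence and whether the client follows links it cannot have rendered.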

What Wendt is looking for is a computer that does not