If you spend any reasonable amount of time online, you’ve probably encountered this: A severe storm floods an urban area; reports of record rainfall start trickling in; someone posts a photo of a shark swimming on a highway, purportedly at the flood site; it gets shared widely, perhaps even by a sitting U.S. senator, and the proverbial lie makes its way around the world before the truth has a chance to catch up.
This particular piece of online misinformation — false information that is spread online regardless of intent, rather than disinformation, which is created with the explicit intent to deceive — has become known as “Hurricane Shark.” It first appeared online as far back as 2011 and appears to have been a compilation of two photos.
Understanding these online phenomena as well as the ways digital investigations work to debunk them is at the core of Kurt Luther’s work on human-computer interaction and intelligent interfaces, one of the four core research areas at the Virginia Tech Innovation Campus in Alexandria. And his methods have a wide, and growing, set of practical applications.
“What’s changed is human behavior is increasingly mediated through technology,” said Luther, associate professor in the Department of Computer Science in the College of Engineering and director of the Crowd Intelligence Lab. “More and more of what people are doing is online, and it’s leaving digital traces behind. Those can be really useful for investigators in many areas — journalism, law enforcement, human rights, you name it.”
The core skills Luther teaches are the stages of open-source investigation, or OSINT: discovery, analysis, verification, archiving, and presentation. If there’s a saying that encapsulates Luther’s work it might just be this one, which you’ve probably heard: “Think globally, act locally.” That adage was coined by environmentalist David Brower in the 1970s — unless it was actually French philosopher Jacques Ellul or Pulitzer Prize winner René Dubos or, according to a 1989 University of California, San Diego paper, American diplomat Harlan Cleveland. Or maybe it dates back as far as at least the early 20th Century to Scottish urban planner Patrick Geedes.
Sorting through the uncertain origin of such a thing, via the process of collecting, processing, debunking, preserving, and reporting this information is at the core of digital investigations. But so is the very sentiment of the saying itself.
Luther’s undergraduate students, led by Ph.D. candidate Anirban Mukhopadhyay, put that into practice earlier this year. Funded through the Department of Defense Senior Military College Cyber Institute grant from the National Security Institute, and the Commonwealth Cyber Initiative Workforce and Industry Engagement Program, team members used the skills they’d acquired and honed to offer cybersecurity assessments to local small businesses who were partnered with Arlington Economic Development as they tackled the new challenges of ecommerce spurred by the pandemic.
Essentially, they offered to conduct reconnaissance on ethically hacking the businesses, performing a security assessment by painstakingly poking holes in a company’s existing cyber defenses, providing a local service against the growing, global threat of cybercrime.
“Reconnaissance is learning as much as you can about the digital footprint of that target, and open-source intelligence is a really effective way to do that,” said Luther.
Tara Palacios, director of BizLaunch at Arlington Economic Development, had worked with Virginia Tech on other initiatives over the years. She had been working with local businesses to bridge the digital cybersecurity divide since the pandemic.
“It’s always on my mind,” said Palacios. “You have a small business owner that doesn’t have deep pockets like a larger corporation does, but they’re all on these same platforms. And if the larger corporations are struggling with security and ensuring that their data is protected, what about our small businesses?”
So when Luther was looking for a local partner, she saw an opportunity. Luther’s students literally went table-to-table at a few Arlington Economic Development events, pitching their free offering and explaining why small businesses are especially juicy targets for hackers. Lots of businesses had made an overnight transition from being mostly or entirely a brick-and-mortar shop to operating entirely online. That sometimes meant hastily constructed websites, with little or no IT support, save perhaps from an owner’s child or grandchild.
“When the pandemic hit, people were getting victimized,” said Palacios, who recalled one local small business owner getting charged $150 a month for a free Google business website and another paying 40 percent of the business’ revenue to an ecommerce vendor, both scenarios in which better information would have led to a better outcome.
Palacios said some hackers were more quiet, but also more nefarious, about their business, acquiring business owners’ social security numbers on the dark web and using them to apply for Paycheck Protection Program loans.
“The fact that Virginia Tech could come in and do a cyber audit to help them with this was priceless to me,” she said.
The ever-increasing glut of online information — including misinformation and disinformation — has made the task of sorting and verifying what is true much more difficult. But it also offers many more examples and opportunities for students studying OSINT, which relies entirely on publicly available information. As part of their cyber assessment, students performed brand monitoring, such as identifying sources of rumor and disinformation about the business, like fake online reviews. This “social cybersecurity” — securing minds, rather than computers, against attack — is a crucial component, as the most common attack vector in cybersecurity are human beings themselves, through attempts to trick an employee to share their password, versus some new technique for breaking encryption.
“On the one hand, that’s a grave concern, in that the public is being exposed to a lot more false narratives and influence operations than perhaps in the past,” said Luther. “On the other hand, from a research and educational perspective, it’s a great time to be teaching and researching about these topics.”
Initially, not everybody wanted the help that Luther and his students were offering, specifically because it was free — that in an age of internet scams, something that didn’t cost anything seemed too suspiciously good to be true. That wasn’t a problem for Savannah Mitchell, owner of Sunday Morning Coffee, a labor of love more than 25 years in the making. She understood how important it was to protect her dream.
“Something like this could destroy a company our size, with no chance of coming back,” she said.
As important as protecting her own information, Mitchell knows that as an online retailer, she is charged with keeping her customers’ information safe as well.
“I’ve been entrusted by our customers to ensure nothing’s going to go wrong with their information, and nothing has,” she said. “I want to be sure that continues.”
The students were up front with Mitchell that the assessment would take a couple of months, which it did. The team conducted a network discovery, looked for website vulnerabilities, identified third-party services and employee public information, monitored the brand’s online presence, and searched for data breaches as part of the assessment.
To manage this workload, team members used custom-built generative artificial intelligence (AI) tools to help them plan the investigation and organize their findings. Luther and Mukhopadhyay have written up this innovative approach as a research paper to share their findings with the broader cybersecurity community.
Mitchell received concrete next steps to help fortify her cybersecurity both now and in the future, and she felt comfortable going through a process that makes a lot of people feel quite the opposite.
“They were super easy to work with,” said Mitchell. “I think that’s important, especially when you’re looking at something such as cybersecurity, that has the connotation of so much uncertainty, concern, and even fear.”
The successful pilot program has made the issue of being proactive about cybersecurity that much more urgent for Palacios. She said the toughest thing to fight is the belief among business owners that getting hacked is inevitable.
“What I’m moving toward is, ‘No, this shouldn’t be happening,’” she said. “You don’t want this to happen. And we really need to make sure you plug up all the vulnerabilities you have.”
She’d love to expand the program and the relationship with Virginia Tech to reach more local businesses who still need to adapt to the changes in our digital world.
“Our society is so small. It’s global, but it’s getting smaller every day,” said Palacios. “For a community, and the universities we have, it’s so important for us to collaborate. That’s the way that we can have an impact.”
By Noah Frank