Haining Wang: Closing Cyber Vulnerabilities
Introducing Haining Wang
- Joined ECE August 2019
- Professor, University of Delaware, 2014-2019
- Assistant then associate professor of computer science, College of William and Mary, 2003-2014
- Ph.D., computer science and engineering, University of Michigan, 2003
Closing Cyber Vulnerabilities
Everything that happens on the internet, all of the information stored on it, is vulnerable to hackers. We are reminded of this almost weekly, as more and more data breaches and cyberattacks are announced.
“We keep suffering from these attacks, and they're getting more complicated,” notes Haining Wang, who recently joined the ECE faculty in the greater Washington D.C., metro area. His research focuses on discovering and resolving these increasingly intricate cybersecurity vulnerabilities.
Cloud computing, data center power infrastructures, DNS-based security and privacy issues, password protection, and email security are just a few of the topics Wang is exploring. “I’m really excited to produce meaningful solutions that have an impact on people’s daily lives,” he says.
Wang is trying to fix weaknesses in a system not designed for its current uses—the internet. “It was designed without considering security,” he explains. “At the beginning, it was just used for basic communication.,” but since we now use the internet to conduct business transactions, ecommerce, stock trading, and banking, “it has become really critical to secure internet communications.”
Power infrastructure security
With demand for servers skyrocketing as cloud computing becomes more popular, data centers are facing new security challenges. One of these challenges is from the power infrastructure, explains Wang. “The increasing demand of cloud services requires the rapid deployment of high end servers,” he notes, “but as data centers add more servers, their power infrastructure could end up servicing more machines than they are able to handle at their best.”
This might not be a problem during normal operation, “as most servers would not consume the power at their peaks, but a malicious attacker could stress enough of the servers, consuming the power at the peak simultaneously,” Wang explains. The generated power spike could trip circuit breakers and shut down the data center. “It’s similar to a more advanced Denial of Service attack,” says Wang. “It could happen.” And it’s his job to protect against it.
Wang is also investigating new methods to prevent attacks that exploit a domain name system (DNS) for information leakage. Although there are many people making DNS more secure, notably by running DNS over a Transport Layer Security (TLS) protocol, a malicious agent can still infer important information through DNS traffic patterns.
Visiting a website generates a sequence of DNS packets, Wang explains, and “we can infer which website was visited by modeling the temporal patterns of packet sizes.” This is possible even if padded DNS messages are used. Now that his team has characterized the threat, they will work to negate it.
Password and email security
Passwords remain one of the greatest sources of insecurity—and angst. We all face the constant challenge of securing personal information while minimizing the chances of forgetting a password. “There are password management tools and ways to use your behavior to authenticate who you are,” says Wang, who has explored some of these methods in the past.
One area this will particularly affect is account recovery. Most online accounts use a registered email address to recover an account when users inevitably forget their passwords. However, “this creates a single point of failure if that email account is compromised,” notes Wang. Strong email passwords is one way to mitigate this challenge, but Wang is also exploring others.
Wang and his team are proposing an email security enhancement called Secure Email Account Recovery (SEAR). SEAR would require email providers to add an extra layer of authentication specifically for password recovery emails. This layer might be a text message, secure push notification, or other secondary authentication. With SEAR, users would not have to share additional information with potentially insecure websites, but could still enjoy the added security of dual-factor authentication when they reset a password. It would not, however, add the complexity of dual-factor authentication to a regular email access, striking a balance between usability and security.
Many cybersecurity threats remain, and new ones emerge as the internet takes on new applications, as happened with cloud computing. “These are hard to predict, because the internet itself is an open system,” notes Wang. There will always be demand for new research in the area, he stresses, because the role of the internet in our daily lives is always changing and expanding.