Impact case study database

Malware (malicious computer code) is one of the biggest threats to the internet; for instance, the Zeus malware steals hundreds of thousands of credit card numbers every year, and, in 2017, the WannaCry ransomware malware crippled organisations across the world, including the NHS. Anti-virus companies have developed effective ways to detect and stop single infections by well-known malware on a single computer, however, to proactively find and defend against new, advanced malware infections from websites, new unknown malware must be detected and millions of websites must be scanned.

Cova’s research made fundamental steps in solving these challenges, contributing to innovation and entrepreneurial activity through the design and delivery of new products. In 2014, Cova moved full-time to the company Lastline in order to commercialise his research, which resulted in Lastline’s flagship Lastline Defender product [S3] that proactively defends organisations from malware, including new and evasive malware.

Lastline Defender is a practical tool that can proactively detect and stop highly advanced, evasive malware. This new product has stopped very damaging attacks against a wide range of large companies, including potentially devastating ransomware attacks [S4]. Lastline’s product is often ranked as the best by independent testers [S5]. Cova’s research was key to making this product viable, as the Chief Technological Officer and co-founder of Lastline writes:

Dr Cova’s technologies allow us to process possible malware several orders of magnitude faster than would otherwise be possible. His research has been the cornerstone of our efforts to detect evasive malware that is becoming increasingly common and cannot be detected by normal scanning methods. Dr Cova’s research has made a fundamental contribution to our current product line. [S6]

In another testimonial, the Chief Product Officer and co-founder of Lastline writes:

A key insight provided by Dr Cova’s Revolver work was that evasive malware could be detected by looking for code that is shared, or similar to, other known malware. The contribution of the Revolver work was to show that this works in practice, and it is now a technique we use to scan millions of documents every year […] We considered this research so important to the success of our company that we took every effort to ensure that Dr Cova joined Lastline as part of the founding team. [S7]

Products that use Cova’s technology are used by 1,000s of customers across the world including telecoms providers, payment card processors, shipping companies and global banks, to protect more than 20 million individual users [S4, S5]. Lastline has worked with more than 20 leading security product providers, including some of the biggest anti-virus companies such as Sophos and Symantec [S8] to ensure that products that use Cova's technology can be integrated with their offerings. The consulting companies KPMG, PWC and Dell Secureworks have all recommended Lastline products to their customers and seven leading managed security service providers use Lastline’s product [S8].

In a leading 2018 study, Lastline’s product detected 100% of the evasive malware tested, unlike products from some of the largest advanced malware detection companies, such as FireEye, whose product detection rate was only 80%. A key reason for Lastline’s excellent performance was the technique for identifying evasive malware presented in Cova’s REVOLVER research [R2]. Lastline’s product also proved to be one of the most cost-effective advanced malware detection solutions. A key reason for this is the fast filtering techniques developed by Cova in his PROPHILER research [R1].

These extremely strong test results for the implementation of Cova’s research are borne out by first-hand accounts from Lastline’s customers. The product has been adopted for use in multiple sectors worldwide, protecting banking and finance, aerospace, education, telecommunications, maritime security and the media. For example, the chief security architect at the Gwinnett County school board in the US, who uses Lastline Defender to protect 190,000 students, teachers and administrators, writes:

Lastline provides us with deeper visibility and insight into web downloads and malicious attachments embedded within ‘accepted’ business applications and protocols, and ‘passed-through’ by traditional perimeter security solutions. Lastline also provides us with ‘post-infection’ awareness to quickly detect and remediate compromised endpoint systems that are ‘calling home’ to criminal networks. [S9]

One of the largest wireless telecommunications networks in the United States who uses Lastline to protect services to millions of customers and 911 emergency service calls writes:

The corporate email security team loves Lastline because it catches stuff that two of our other security solutions miss. When I was looking for a sandbox utility for email, I performed a side-by-side comparison between Lastline and those other tools. Lastline outperformed both of them by a large margin. [S10]

The Head of Service at GTMaritime (a maritime communication company) writes:

Within days of the launching GTMailPlus, we felt the service from Lastline was so security critical, we now integrate the Lastline solution as a compulsory element of our service. We are in the process of rolling this out to our entire customer base, so we are assured our end-users and systems are protected. It’s ‘win-win’ all around. [S10]

Other customer case studies and quotes can be found on our supporting website [S10].

The take up of Lastline is further evidenced by its success as a company. Since Cova joined Lastline in 2014, it has grown to over 100 employees and received direct investment of US$52.5 million, including funding from Dell and the venture capital firms e.ventures and Redpoint Ventures [S11]. Lastline has won dozens of industry awards for the performance of its product, these include, in 2018 alone, awards for “Most Promising Cybersecurity Provider”, “Game Changer of the Year” and “Best Network Protection” [S12]. Inc. magazine named Lastline, “the leader in advanced threat protection”, eighth among security companies on its 37^th annual Inc. 5000, “the most prestigious ranking of the nation’s fastest-growing private companies” [S13].

Accessibility tools provided by SRE have improved educational inclusion and improved equality of access to educational opportunities. They have been adopted by global companies and thus contributed to innovation and to the improvement of standard industry practices in science publishing. This collectively benefits millions of impaired users around the world. As a WeBWorK co-founder stated, “I cannot think of any developments in recent years that have had a bigger impact on STEM education and on-line mathematics communication in general” [S2].

Improving inclusion through access to educational and research STEM resources for visually impaired users by provision of free, open-source tools

MathJax [S3.1] is an open-source JavaScript platform for rendering mathematics in web browsers. SRE [S3.2] forms a core feature of its inbuilt Assistive Technology Extension [S3.3]. SRE’s inclusion in MathJax [S3.1] led to it becoming a preferred accessibility solution. It is used in educational tools (e.g. WeBWorK, Moodle), online scientific publishing (see below), informational websites (e.g. Wikipedia, StackExchange), and blogging sites (e.g. PhysicsForums). The MathJax Lead Developer and Project Manager stated that “Because of [Sorge’s] work, all of these are accessible with no extra work on the part of the site administrators; if they are using MathJax, the accessibility comes automatically. The importance of this technology to both education and scientific research cannot be overstated” [S1]. The American College Board, based in USA and associating educational institutions in over 85 countries worldwide, recommended the use of MathJax and its Assistive Technology Extension for students with disabilities as an accessibility solution for stay-home exams during the Covid-19 pandemic.

WeBWorK is an open-source online homework system for STEM courses used at over 1000 institutions worldwide [S3.4]. Accessibility for mathematics is provided by ChromeVox and MathJax. The co-founder of the The WeBWorK project states: “The work of Dr Sorge [...] has undoubtedly provided a vital benefit for STEM students with visual disabilities. [The] accessibility options are now ubiquitous for on-line mathematics material. The widespread advantage for mathematicians with visual impairments is enormous and continues to improve” [ S2]. WeBWorK is supported by Mathematical Association of America and the National Science Foundation.

Bringing innovation into commercial educational products and online services for the visually impaired through the adoption of new technology

Businesses with global reach have recognised the value of the SRE to their markets and incorporated it into their accessible products.

SRE has been incorporated as a core element of ChromeVox, a built-in screen reader for Google Chromebooks, which are widely used in education. They have an estimated 40 million users worldwide and over 20% market share in Europe. Google estimates that in the US around 1.5 million of visually impaired Chromebook users benefit from improved general educational inclusion and access to mathematics in the STEM subjects [S4]. As Chromebooks currently dominate primary and secondary education in the US, SRE is the dominant solution to make maths accessible for visually impaired or dyslexic high school students.

Texthelp is a market leader in assistive learning solutions whose technology is used by millions of people around the world [S5]. It uses SRE in its mathematics editor EquatIO®: “SRE is not an ordinary screen reader — it ‘understands’ formulae [...] Our users say that this makes a real difference [...] All this gives us competitive edge in the market. We [...] can confirm that the software has been deployed to over 3 million Google accounts” [S5].

Mathshare, Benetech’s interactive environment for mathematics in high schools, has employed SRE as its integral part since 2018 [S6]. SRE and MathJax also form the back-end of MathML Cloud platform — a free, open-source, web-based tool used by major publishers: “People from at least 81 countries, including India, UK and Germany, have accessed and used MathML Cloud. Over 5000 users have visited the site” [S6]. SRE-based technologies are also available via Benetech’s DIAGRAM Center, an R&D organisation disseminating best-practice accessible educational tools: “We believe that a proportion of [disabled] population has already benefited from the accessibility tools such as provided by SRE by gaining fair and equal access to scientific materials” [S6].

Improving standard practices in STEM publishing through the adoption of new technology to enhance provision for the visually impaired research community

At least 19 STEM publishers provide accessible mathematics for some of their online journals through the MathJax enabled browsers. They include the Institute of Electrical and Electronics Engineers (IEEE: as of 2018, the world’s largest association of technical professionals with more than 419,000 members in over 160 countries), The Optical Society of America (OSA), Elsevier, Oxford University Press, Institute of Physics (IOP) Publishing, and 17 others [S7].

IEEE provides web access to over 3 million documents with more than 8 million downloads each month. MathJax’s Assistive Technology tools “have become an invaluable, irreplaceable part of our publishing ecosystem, facilitating inexpensive and unmatched quality in online presentation of accessible math for our journals. There is no better solution to fully accessible math-on-the-web” [S8].

All OSA journals support accessible mathematics. MathJax and its Accessibility Extensions “provide tools and features that lend themselves well to the presentation of the math [...] making the math notation easier to read and understand. We found MathJax Accessibility Extensions particularly effective when we developed our EPUB article format, which was aimed specifically at providing improved visual and aural navigation for visually impaired users” [S9]. OSA readership spans 218 countries, with over 10,000 known institutions accessing OSA content.

Elsevier has been employing MathJax on its ScienceDirect platform since 2013. The Product Manager for SEO and Accessibility stated, “While we do not collect data on the use of accessibility features, we know that improved rendering and accessibility via MathJax is particularly valued by our customers and benefits millions of users on our site. On ScienceDirect, over 550 journals contain more than 1,000 articles with MathML elements. In 2019, those titles saw 288M visits from 95M unique visitors, for a total of 514M article page views” [S10].

The following recent statistics (13 October 2020) illustrate the scope and continuing active interest in the MathJax and its Assistive Technology Extension [S3.5]:

• 1.7 billion monthly hits for all versions of MathJax on jsDelivr (a Content Delivery Network);

• 9th most popular package on jsDelivr;

• 7 million hits for the A11y extensions of the latest version only of MathJax v2.7.5;

and in the Speech-Rule-Engine alone:

• 380 million monthly hits for all versions of SRE on jsDelivr [S3.6];

• 45th most popular package on jsDelivr [S3.6];

• 29,300 monthly downloads of the SRE software via Facebook’s package manager Yarn [S3.7];

• over 8,000 weekly downloads of SRE from Node Package Manager (NPM), 1,738,160 total downloads since SRE was first published on NPM [S3.8].

We have directly benefited global banks, stock traders, cryptocurrency and VPN service providers, and their millions of customers across four continents by developing an automated tool, Spinner, which detects cryptographic protocol failures in security applications. Spinner has significantly mitigated against future losses by improving methods in security-critical applications and improving existing technology. This commercial and economic impact is a consequence of the responsible disclosure we made to banks, with the support of the Government Communications Headquarters (GCHQ) and the Centre for the Protection of National Infrastructure (CPNI), of the vulnerabilities identified by the underpinning research [KF1, KF2].

As we move towards a cashless society, the security of our internet banking infrastructure is becoming more critical. The magnitude and likelihood of potential losses due to security failures is enormous. In 2019, more than 25,000 incidents of internet banking fraud amounted to losses of over £111M in the UK alone [S1]. Besides the economic impact on the banks, there is also a socioeconomic aspect, as banks typically refuse to refund transactions where the right credentials have been input [S2]. We have shown that existing flaws in the banks’ own apps enable fraud [KF1]. [text removed for publication] Our research and subsequent intervention prevented this negative impact and protected tens of millions of customers globally from falling victim to fraud.

Table 1 shows the apps that we identified as vulnerable in the underpinning research [KF2] together with their respective numbers of users. They all had insecure TLS connections that exposed their users’ credentials, and therefore their bank accounts, to attackers and fraudsters.

Table 1: Vulnerable banking apps identified by the underpinning research

After identifying these flaws, we initiated a process of responsible disclosure that directly led to changes in existing technologies (the apps) and the adoption of improved security methods. Using the knowledge and recommendations we provided to them, financial and VPN service providers were able to patch their software.

We first informed [text removed for publication] on 27 February 2015 of the vulnerabilities in their app. These vulnerabilities, identified using Spinner [KF2], had been missed by two pentesting companies. One week later, [text removed for publication] pushed a fix. Afterwards, a similar process was carried out with [text removed for publication]. After these disclosures, it was evident that a more scalable approach to vulnerability disclosure was needed. [text removed for publication]

The reach and significance of our work is attested by improvements across global banking and financial service providers and by the stimulation of policy debate between [text removed for publication] and the UK financial sector on responsible disclosure. [text removed for publication]

As a result of our disclosures, all of the affected apps have been fixed, to the benefit of both the respective banks and their customers. Some of the largest affected banks have made public statements acknowledging our contribution to fixing their apps, including HSBC: ‘We thank the University of Birmingham for the opportunity to work together, and we have already taken steps to address this’ [S4] and Bank of America: ‘The vulnerability identified in this report [R1] was resolved in Bank of America’s health app in January 2016’ [S4].

To ensure the continued impact of our research, we released the Spinner tool as open source in December 2017 so that pentesting companies are free to use it. Spinner’s availability and a wide range of national media coverage in late 2017 [S5, S6, S7, S8, S9], led to international recognition of the importance of our research and impact. [text removed for publication]

Taken together, we have improved the security of mobile apps across the sector, benefiting companies, customers and the economy more broadly. A measurement study of 20 banking apps conducted by one of our students shows a sharp increase in the prevalence of certificate pinning [S10, section 3.2.2]. Significantly, the study quantifies the impact by showing that each of the banking apps using certificate pinning in 2019 does so correctly and securely [S10, section 3.4].