As both a security researcher and a victim of poor security practices, EPP/CyLab's Lorrie Cranor was once victim to a mobile phone hijacking plot against her family—one she's confident could have been prevented with 2-factor authentication. "In that scenario, the carrier should have texted the phone, and it would have solved the problem," Cranor says. "The thief didn't have the old phone. It was in my hand."
Franchetti quoted on AI chip startups
Recently, a growing belief has emerged among some investors that AI could be a unique opportunity to create significant new semiconductor companies. As companies continue to invest heavily in hardware to run deep-learning systems, the limitations of existing chips, such as Nvidia’s graphics chips, are being exposed. Despite having been tweaked to adapt, they soak up a lot of energy when working in parallel. CMU has had to ask its researchers to throttle back their chip use due to the strain they placed on the university’s power system. ECE/CyLab’s Franz Franchetti says that CMU is looking for an alternative power source; companies like Graphcore, Mythic, and Wave Computing intend to answer precisely that need by developing newer chips tailored for AI applications.
Zarate writes on the importance of hacking
Fourth-year undergrad Carolina Zarate recently wrote an article commenting on the recent Equifax security breach, presenting the incident as proof that elementary and secondary educational systems should implement computer science programs to teach kids how to hack at an earlier age. “To prevent attacks from happening,” Zarate writes, “one must take the role of an attacker to understand what the offensive attack would look like and how it would work.”
Though facial recognition is on the rise, the technology is far from perfect, susceptible to innovative hacks from researchers everywhere. At CMU CyLab, researchers created oversize colored glasses that not only masked the wearer's identity but also made the software think the person was a celebrity. While the technology still isn't as good as it is in the movies, with computers instantaneously identifying every individual in a huge crowd, it's not that far off. “From a technological perspective, the ability to successfully conduct mass-scale facial recognition in the wild seems inevitable,” says CyLab’s Alessandro Acquisti. “Whether we as a society will accept that technology, however, is another story.”
CyLab study sourced on facial recognition article
Facial recognition software is pushing towards a high-security threshold, where the false acceptance rate (FAR) must be 1:1,000,000. With every advancement, however, researchers find counter-hacks to thwart the system. Researchers at CyLab successfully triggered false acceptance and rejection on state-of-the-art facial recognition systems by printing out eyeglasses with different visual characteristics.
Datta study cited in article about fairness in AI
Recent advancements in artificial intelligence have revealed the presence of bias within the learning processes of neural networks. ECE's Anupam Datta conducted a study in 2015 that offers proof: in certain settings, Google ads that promised help for applicants in getting jobs with salaries greater than $200,000 were shown to significantly fewer women than men. A vital concern, then, is developing a system that can adjust neural networks to provide fairness in an unfair world.
Cranor comments on recent phone scam
EPP/CyLab’s Lorrie Cranor was the unfortunate victim of a phone hijacking. Using a fake ID in her name, the thief purchased two new iPhones on her account in a store in Ohio. “I was on the phone, and suddenly my phone cut out,” said Cranor. Based on her past research on passwords and security, Cranor recommends setting up an extra PIN or password to avoid situations like these.
Zhang receives Test of Time Award 2017
ECE/INI associate research professor Pei Zhang recently received the ACM SenSys Test of Time Award (ToTA) 2017 for his 2004 research paper, “Hardware design experiences in ZebraNet.” The paper, which Zhang co-authored, examines techniques for supplying power to wireless sensor networks as well as methods for managing both energy consumption and peripheral devices in those networks. Zhang was honored at the 15th Association for Computing Machinery (ACM) Conference on Embedded Networked Sensor Systems (SenSys 2017), held November 5-8 in Delft, The Netherlands. The ToTA is awarded to research papers that are at least a decade old and have had lasting academic, industrial, and/or societal impacts on networked embedded sensing science and engineering.
Neural network developed by CyLab researchers mentioned
A neural network developed by CyLab researchers Lorrie Cranor, Lujo Bauer, and Nicolas Christin was mentioned in Science Magazine in relation to new GAN technology that guesses users’ passwords in an effort to beat cybercriminals at their own game. The neural network uses simple machine learning techniques to crack passwords, and may be more efficient than the GAN technology.
A 2011 study by CyLab’s Alessandro Acquisti was referenced in an article on ACLU.org on Apple’s new phone that unlocks using facial recognition. The new technology in use by the new phone raised various concerns about privacy and security. Showing what facial recognition technology can do, Acquisti’s study “showed that face recognition could be combined with social networking data to identify people walking around in public and provide instant information about their interests based on their social media data.”
Recently, Apple released its newest device, the iPhone X, with a price tag of nearly $1,000. The new iPhone uses facial recognition technology instead of fingerprint detection to help customers secure their data. But is there something even more reliable we could be using? According to ECE’s Marios Savvides in an article for Mic, an iris would be the best and strongest password because it’s incredibly precise and more private, which means that it’s nearly impossible to reproduce. “Your face is out there [online], but your iris is not,” says Savvides. To break into your phone, “[hackers] would have to actively try to capture your iris or find an extremely high-resolution picture of your face.” Although iris-scanning seems like the best way to secure data, the technology is currently too big and expensive to use for small devices.
Datta quoted on machine bias
CyLab/ECE’s Anupam Datta was quoted in Science News on machine bias. With increased dependence on machine-learning, algorithms also pick up biases along the way. But is it possible to get a completely unbiased algorithm? “We have to think about forms of unfairness that we may want to eliminate, rather than hoping for a system that is absolutely fair in every possible dimension,” says Datta.
Bauer, Sharif, and Bhagavatula’s facial-recognition fooling glasses mentioned
Quartz, MSN, New Scientist, Motherboard
ECE/CyLab’s Lujo Bauer, Mahmood Sharif, and Sruti Bhagavatula created glasses with a pattern custom-built to fool facial-recognition algorithms. The glasses were mentioned in Quartz, MSN, New Scientist, and Motherboard articles. AI’s capabilities now allow facial recognition technology to identify people who have concealed their identities by wearing hats, sunglasses, or scarves. But the researchers’ glasses were able to confuse facial recognition algorithms into misidentifying the wearer as someone else.
CyLab faculty write article about password security
“As researchers into password security, we’ve known for years that most password advice was not actually based on scientific knowledge,” say CyLab’s Lorrie Cranor, Lujo Bauer, and Nicolas Christin in an article for The Conversation. “To address this, we have been conducting experiments about the effects of password requirements on security and usability.” Cranor, Bauer, Christin, and their colleagues from the University of Maryland and the University of Chicago say that users need to go beyond creating passwords that are merely “hard to guess.” To defend themselves against hackers, they must now create passwords that are difficult for computers to figure out.
CyLab’s Lorrie Cranor, Nicolas Christin, Lujo Bauer, and their former students Blase Ur and Michelle Mazurek had an article on their password research published in The Washington Post. In the article, the authors share ways that users can create stronger passwords, based on their research findings. Their recommendations include making your passwords at least 12 characters long and avoiding names of people, pets, places you've lived, and common words or phrases.
Cranor presents at Black Hat USA 2017
At the end of July, CyLab/EPP’s Lorrie Faith Cranor presented at Black Hat USA 2017, the world’s largest information security event. During her presentation, Cranor talked about security usability testing and the empirical data her team at CyLab collected on the usability of common controls such as complex password policies and multi-factor authentication requirements.
Acquisti quoted on facial recognition technology
Over the years, computers have gotten better at recognizing faces because of more advanced 3-D technologies, which offer higher resolution data. As facial technology grows more sophisticated, some people worry that their sense of security and privacy will be compromised. Other people, however, are embracing the technology, saying that it could potentially be used to help find lost pets, identify criminals, and increase students' attentiveness. Despite the concerns about this technology, CyLab’s Alessandro Acquisti says that it will continue to advance and eventually overcome the challenges standing in its way. “From a technological perspective, the ability to successfully conduct mass-scale facial recognition in the wild seems inevitable,” he says in an article for Smithsonian.com. “Whether as a society we will accept that technology, however, is a different story.”
Fischhoff co-chairs cybersecurity research committee
EPP’s Baruch Fischhoff recently co-chaired the Committee on Future Research Goals and Directions for Foundational Science in Cybersecurity, a committee formed by the National Academies of Sciences, Engineering, and Medicine. The committee, made up of 14 experts from industry and academia, compiled a report that identified key research opportunities in the cybersecurity field. In the report, the committee members ultimately state that computer scientists need to collaborate more closely with their counterparts in the natural and social sciences to solve cybersecurity challenges. According to the committee, a more interdisciplinary approach would help advance cybersecurity research. "The strategies and procedures to secure cyber technologies would be improved through a better understanding of the social, behavioral, and decision sciences because people are an integral component—in designing technologies, operating them, allocating security resources—and in attacking them," said Fischhoff.
Acquisti quoted about microchip implantation
The New York Times and NPR
On August 1, more than 50 out of 80 employees at a technology company in Wisconsin volunteered to have a microchip implanted between their thumb and forefinger. Now, they can do things like enter buildings and pay for food with a wave of their hand. Although some people are excited by this emergence of new technology, other people are concerned about their privacy. “Companies often claim that these chips are secure and encrypted,” says CyLab’s Alessandro Acquisti. “But ‘encrypted’ could include anything from a truly secure product to something that is easily hackable,” he says in an article for The New York Times and NPR. Acquisti says that another potential problem with this advancement is that technology designed for one purpose can be used for something different in the future. Today, the microchips are used to grant access to buildings, but tomorrow, they could be used to track an employee’s movements without their knowledge. “Once [the microchips] are implanted, it’s very hard to predict or stop a future widening of their usage,” says Acquisti.
Recently, a team at BitClave built a decentralized search advertising platform that eliminates the need for intermediaries like Google, Facebook, and Amazon. Instead of paying middlemen to promote their advertisements online, businesses can now make offers directly to consumers who have chosen to participate in the program. In this system, consumers have more control over the information they share with advertisers. They also have the opportunity to earn money for viewing ads online. ECE’s Patrick Tague (BitClave CTO) explains in MediaPost that the technology powering the platform focuses on the idea of consumer control, privacy, and protection.
Tsamitis quoted in Pittsburgh Business Times and Fast Company
INI Director Dena Haritos Tsamitis was recently quoted in two major publications: Pittsburgh Business Times and Fast Company. In the Pittsburgh Business Times article, titled "Filling the gap: Cybersecurity worker shortage means there's 'six jobs to every one person applying,'" Tsamitis comments on the shortage of employees working in the cybersecurity field. “Although demand has grown significantly in the market in both private and public spaces—government has a great demand, industry has a great demand—there is a severe shortage of talent,” she says. In the article for Fast Company, titled "How to Steal A Phone Number (And Everything Linked To It)," Tsamitis details her experience as a victim of fraud and cellphone hacking.
Christin comments on size of AlphaBay in New York Times
The New York Times
AlphaBay, the largest online black market for drugs, was recently shut down by law enforcement officials, causing buyers and sellers to reallocate their business on the dark net. Researchers say that AlphaBay had grown into the world’s largest black market by far. According to unpublished statistics from EPP’s Nicolas Christin, the site was bringing in $600,000 to $800,000 in transactions daily earlier this year.
As law enforcement officials continue fighting the opioid crisis in the US, they must learn how to conquer the uncontrollable and often untraceable nature of the dark web. Since 2013, numerous online anonymous marketplaces have cropped up, making drugs like fentanyl readily available to thousands of people. Although federal agencies haven’t released any data that reveals the amount of drugs ordered online, a research paper written by CyLab’s Kyle Soska and Nicolas Christin indicates that today’s sites are doing much more business than Silk Road, the first successful online anonymous marketplace. An article in The New York Times cites their paper, which presents a long-term measurement analysis of a portion of the online anonymous marketplace ecosystem over more than a two-year timespan.
INI Students place third in MITRE Embedded Capture the Flag
A team of Information Networking Institute (INI) students placed third overall in the semester-long MITRE Embedded Capture the Flag (CTF) held January 18 - April 14. The semester-long competition required each team to assume the role of defender and attacker on a self-driving car. For 14 weeks, the team’s design successfully withstood attacks and did not lose a single flag to adversaries who had physical access to the team’s provisioned chip and the full source code, earning them the Iron Flag Award.
Recently, companies have been claiming that their facial recognition technology can not only identify people, but also recognize their emotional state, age, gender, and criminal tendencies. In an article for Vocativ, ECE’s Lujo Bauer indicates that these capabilities have been available for a while now, including in the systems he created with his colleagues at Carnegie Mellon.
Due to the rise of social media, technological devices and facial recognition databases, more than half of the U.S. adult population can be identified in public spaces by simply showing their face. To combat this encroachment on public anonymity, and to thwart facial recognition databases, engineers have been creating technology of their own. But according to ECE’s Lujo Bauer in Vocativ, “There’s no approach that ‘just works,’ or anything close to it.” For individuals to remain anonymous, anti-facial recognition devices must be able to avoid detection from all possible camera angles and distances.
Savvides quoted on the benefits of iris scanners
Vocativ and The Week
In an article published by Vocativ and The Week, ECE/CyLab’s Marios Savvides explained how iris scanners can help make smart phones more secure. “It’s harder to spoof irises than it is to spoof fingerprints, and they’re thought to be stable over a person’s lifetime,” said Savvides. “In that sense, I think iris scanning will help remove some of that hackability.” However, even though iris prints will provide an extra layer of security, experts still advise people to use more than one authentication method on their devices because “nothing is fool-proof.”
CMU’s picoCTF, a computer security game targeted at middle and high school students, was recently featured on 90.5 WESA. The two-week contest features a series of challenges, which participants must solve either by decryption, breaking, reverse engineering, or hacking—whatever it takes. One goal of the contest is to tackle the common misconception that hacking is a bad thing; in reality, people skilled in hacking are highly sought out by companies looking to strengthen their cybersecurity. “What we're trying to do is educate and bring up a culture of people who are experts at computer security who can make those systems more safe,” says David Brumley, director of CyLab.
Ad settings study featured in The Atlantic
A 2015 study by ECE Ph.D. student Amit Datta and ECE Associate Professor Anupam Datta, titled “Automated Experiments on Ad Privacy Settings,” was featured in The Atlantic. The study was cited in an article that explored the problem of discriminatory online advertising. The study found instances of discrimination, opacity, and choice in targeted Google ads; for example, the researchers found that men were much more frequently targeted for ads offering high-paying jobs than women were.
EPP/CyLab’s Nicolas Christin has been named a Center for Strategic and International Studies (CSIS) 2017 Cyber Fellow in Advanced Cyber Studies. As one of approximately 20 fellows, Christin will participate in the 12-month fellowship program that begins in March with a kickoff conference in Washington D.C. The fellowship gives future leaders in government, industry, and academia the chance to engage in interdisciplinary programs that sharpen analytical capabilities and deepen technical and policy skills for cyber issues. In addition to completing a term-long research project, Christin will attend at least four two-day conferences in Washington D.C., Silicon Valley, and New York City.
Datta publishes article on automated decision-making tasks
ECE’s Anupam Datta recently published an article in The Conversation on automated decision-making tasks. Specifically, Datta explored the issue of using machine learning algorithms for credit decisions. Under federal law, people who apply for a loan from a bank or credit card company, and are turned down, are owed an explanation of why that happened. “Getting an answer wasn't much of a problem in years past, when humans made those decisions. But today, as artificial intelligence systems increasingly assist or replace people making credit decisions, getting those explanations has become much more difficult,” writes Datta. He explains how his research group developed a method to better understand how these algorithms make complex decisions.
Tsamitis speaks at conference on diversity in cybersecurity
International Consortium of Minority Cybersecurity Professionals
INI Director Dena Haritos Tsamitis will serve on a panel at the International Consortium of Minority Cybersecurity Professionals (ICMCP) Second Annual National Conference on March 15 - 16. Her session, “Women to Women - Diversity Obstacles Impacting Advancement,” will address innovative strategies for tackling cybersecurity’s diversity challenges.
Tsamitis speaks at first China-US Cybersecurity Technology Forum
INI Director Dena Haritos Tsamitis presented at the first China-US Cybersecurity Technology Forum co-sponsored by Tsinghua University and Microsoft on February 15, 2017. Her talk focused on securing diversity in cybersecurity during a session about the challenges and opportunities of developing cyber talent.
EPP/CyLab’s Lorrie Cranor was interviewed by CBS Sunday Morning regarding her research on usable privacy and security. Commenting on the increasing unreliability of password-based security, Cranor, alongside other experts from the University of Toronto, discussed possible replacements for passwords, such as fingerprints or heart rhythms. “We have so many rules about how [passwords] have to be complicated, and hard to guess,” Cranor said. “And then we’re supposed to have a different one for every account we have, and we’re not supposed to write them down. And that’s just really difficult for people to deal with.”
EPP/CyLab’s Lorrie Cranor was elected to the CHI Academy, an honorary group of individuals who have made substantial contributions to the field of human-computer interaction. Individuals are elected to the CHI Academy based on the following criteria: cumulative contributions to the field, impact on the field through development of new research directions and/or innovations, influence on the work of others, and active participation in the ACM SIGCHI community. Cranor, along with the other SIGCHI award recipients, will be honored at CHI 2017 in Denver, Colorado.
Recently, scammers targeted Netflix customers, sending them fake email notifications that prompted them to update their membership by reentering their personal information. People might think they can detect a phishing scam when they see one, but CMU researchers proved just how complicated these scams can be. During an experiment, researchers taught people how to spot scams and then presented them with a pile of both fake and genuine emails. Even with their newly acquired knowledge, people still struggled to identify the scams. According to researcher Casey Canfield, “the only way to stay safe is to be a bit paranoid.”
ECE’s David Brumley was featured in CyberScoop because of his knack for teaching students how to hack into technological devices, ultimately transforming them into top-notch employees for tech companies like Microsoft, Google, Facebook, and the National Security Agency (NSA). Brumley’s unique academic program produces experienced graduates that are “coveted by the federal and private sectors alike. Competition to secure their services is fierce.”
Cranor, Bauer quoted in Consumer Reports on password managers
EPP/CyLab’s Lorrie Cranor and ECE/CyLab’s Lujo Bauer were quoted in a Consumer Reports article on password managers. Cranor and Bauer recommend that everyone should use a password manager service that generates, retrieves, and protects all your passwords in one secure, convenient place.
Tsamitis quoted in Safertech
INI Director Dena Haritos Tsamitis was quoted in an article on Safertech.com about privacy issues and Google Vault. “In the past decade, rapid advances in workplace technology have often come at the expense of privacy and security. On one hand, we have enterprise-level software and applications like Google Vault offering incredible opportunities for collaboration and communication. On the other, we have the threat of compromising the privacy of employees. The balance lies in an organization’s commitment to understand how these tools work and educate its employees on safe and secure practices,” said Tsamitis.
Cranor quoted in IBT on password security
International Business Times
CyLab/EPP’s Lorrie Cranor was quoted in International Business Times on password security. Cranor suggests that one way to improve your password is to put digits, symbols, and capital letters in the middle of your password, not at the beginning or end.
Savvides gives talk at IDGA conference
ECE/CyLab’s Marios Savvides was invited to give a talk at the Institute for Defense and Government Advancement (IDGA) Biometrics in Government and Law Enforcement conference in Washington, DC from January 23-25. Savvides joined an impressive lineup of speakers that included many government directors and program managers.
Datta quoted on lack of diversity in AI industry
ECE’s Amit Datta was quoted in Digital Trends about the lack of diversity in the artificial intelligence industry. Last year, Datta and other researchers found that women were shown far fewer Google ads for high paying jobs than men. Researchers believe that this data reveals the gender biases entrenched within artificial intelligence systems. According to Kate Crawford, a researcher at Microsoft, “artificial intelligence will reflect the values of its creators. So inclusivity matters… Otherwise, we risk constructing machine intelligence that mirrors a narrow and privileged vision of society, with its old, familiar biases and stereotypes.”
INI Director Dena Haritos Tsamitis has been appointed to the advisory board of the Executive Women’s Forum (EWF) on Information Security, Risk Management, and Privacy. In 2007, Tsamitis established a partnership between the EWF and INI to offer a full scholarship to an incoming INI student. The partnership has been renewed after 10 years and will continue to offer invaluable networking and mentorship opportunities to develop women leaders in information security and privacy.