Events and Seminars Archive

All seminars start at noon ET and are held in the CIC building in Pittsburgh, PA. Seminars are open to faculty, students, staff and general public. Webinars are provided for CyLab partners only, accessible live in the Partners Portal, and afterward via the Seminar Archive.
Research talks are informal sessions held for faculty and students. These talks are not webcast, nor recorded, due to informal nature and topic relevance.
CERT and SEI Training schedules, as well as other related events can also be found on this list.

2016

December 5:  Distinguished Seminar
Balancing Privacy and Functionality - Secure Communication with Middleboxes
Speaker: David Naylor, PhD Candidate in the School of Computer Science
We are clearly moving toward an Internet where encryption is ubiquitous—by some estimates, more than half of all Web traffic is HTTPS, and the number is growing. This is a win in terms of privacy and security, but it comes at the cost of functionality and performance, since encryption blinds middleboxes (devices like intrusion detection systems or web caches that process traffic in the network). In this talk I will describe two recent and ongoing projects exploring techniques for including middleboxes in secure sessions in a controlled manner. The first is a protocol, developed in collaboration with Telefónica Research and called Multi-Context TLS (mcTLS), that adds access control to TLS so that middleboxes can be added to a TLS session with restricted permissions. The second, which is ongoing work with Microsoft Research, explores bringing trusted computing technologies like Intel SGX to network middleboxes.

November 28:  Distinguished Seminar
Instinctive Computing - A Biomorphic Approach for Security, Privacy and Intelligence
Speaker: Yang Cai
Algorithms in nature are simple and elegant yet ultimately sophisticated. All behaviors are connected to the basic instincts we take for granted. The biomorphic approach attempts to connect artificial intelligence to primitive intelligence. It explores the idea that genuinely intelligent computers will be able to interact naturally with humans. To form the bridge, computers need the ability to recognize, understand, and even have instincts similar to living creatures. In this talk, I will introduce the theoretical models in my new book "Instinctive Computing" and a few real-world applications, including visual analytics of dynamic patterns of malware spreading, SQL and DDOS attacks, IoT data analysis in a smart building, speaker verification on mobile phones, privacy algorithms for the microwave imaging in airports and the privacy-aware smart windows for the autonomous light-rail transit vehicles in downtown Singapore.

November 7:  Distinguished Seminar
CARDINAL - Similarity Analysis to Defeat Malware Compiler | Glowworm: A Fast Hash for Jam-Resistant Communication
Speaker: Martin Carlisle, Director of Academic Affairs and Teaching Professor, INI
Authors of malicious software, or malware, have a plethora of options when deciding how to protect their code from network defenders and malware analysts. For many static analyses, malware authors do not even need sophisticated obfuscation techniques to bypass detection; simply compiling with different flags or with a different compiler will suffice. We propose a new static analysis called CARDINAL that is tolerant of the differences in binaries introduced by compiling the same source code with different flags or with different compilers. We accomplished this goal by finding an invariant between these differences. The effective invariant we found is the number of arguments to a call, or callsite parameter cardinality (CPC). Per function, we concatenate all CPCs together and add the result into a Bloom filter. Signatures constructed in this manner can be quickly compared to each other using a Jaccard index to obtain a similarity score. We empirically tested our algorithm on a large corpus of transformed malware and found that using a threshold value of 0.15 for determining a positive or negative match yielded results with an 11% false negative rate and an 11% false positive rate. Overall, we both demonstrate that CPCs are a telling feature that can increase the efficacy of static malware analyses and point the way forward in static analyses.
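The signature scheme the abstract sketches, per-function CPC strings inserted into a Bloom filter and binaries compared by the Jaccard index of their filters, is compact enough to show end to end. The following is an added illustration written for this page, not the CARDINAL authors' code: the Bloom filter size and hash count, the "." delimiter between cardinalities, and the per-function CPC lists (constructed by hand, not extracted from real binaries) are all assumptions; the 0.15 decision threshold is the value the abstract reports. Extracting CPCs from a disassembly is the part this example does not do.

```python
import hashlib

# Bloom filter parameters: assumptions for this illustration, not values from
# the CARDINAL paper.
M_BITS = 1024
K_HASHES = 3


def bloom_indexes(item: str, m: int = M_BITS, k: int = K_HASHES) -> list:
    """Derive k bit positions for item by double hashing one SHA-256 digest."""
    digest = hashlib.sha256(item.encode("utf-8")).digest()
    h1 = int.from_bytes(digest[:8], "big")
    h2 = int.from_bytes(digest[8:16], "big") | 1  # odd stride, so positions differ
    return [(h1 + i * h2) % m for i in range(k)]


def function_key(cpcs: list) -> str:
    """One function's element of the signature: its callsite parameter
    cardinalities in call order. A delimiter keeps [2, 13] distinct from [21, 3]."""
    return ".".join(str(c) for c in cpcs)


def cardinal_signature(functions: list, m: int = M_BITS, k: int = K_HASHES) -> int:
    """Bloom filter (as an int bit vector) over the per-function CPC keys of a binary.
    functions: list of per-function CPC lists, e.g. [[2, 1, 3], [0, 2]]."""
    bits = 0
    for cpcs in functions:
        for idx in bloom_indexes(function_key(cpcs), m, k):
            bits |= 1 << idx
    return bits


def jaccard(a: int, b: int) -> float:
    """Jaccard index of two bit vectors: |A and B| / |A or B|."""
    union = bin(a | b).count("1")
    if union == 0:
        return 1.0
    return bin(a & b).count("1") / union


def is_match(sig_a: int, sig_b: int, threshold: float = 0.15) -> bool:
    """The abstract's decision rule: similarity at or above 0.15 is a positive match."""
    return jaccard(sig_a, sig_b) >= threshold


# Constructed sample data (per-function CPC lists), not real malware.
ORIGINAL = [[2, 1, 3], [0, 2], [1, 1, 1, 4], [3]]
# The same source rebuilt with another compiler: function order changed and the
# single-call function inlined away, but each surviving function's call
# argument counts are unchanged.
RECOMPILED = [[1, 1, 1, 4], [2, 1, 3], [0, 2]]
UNRELATED = [[5], [2, 2, 2], [0], [4, 1], [6, 6]]


def compare_samples() -> dict:
    """Similarity of ORIGINAL against the other two constructed binaries."""
    sig_o = cardinal_signature(ORIGINAL)
    return {
        "recompiled": jaccard(sig_o, cardinal_signature(RECOMPILED)),
        "unrelated": jaccard(sig_o, cardinal_signature(UNRELATED)),
    }


if __name__ == "__main__":
    for name, score in compare_samples().items():
        print(f"{name}: jaccard={score:.3f} match={score >= 0.15}")
```

Because the filter is a set, the signature is independent of function order, and dropping or inlining a function only removes that function's bits, which is why the recompiled sample stays well above the threshold. The flip side is the abstract's own numbers: with a Bloom filter this small, unrelated functions with the same argument-count sequence collide by design, so the 11% false positive rate is a property of the feature, not just of the hashing.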

October 31:  Distinguished Seminar
Internet privacy - Towards more transparency
Speaker: Balachander Krishnamurthy, Researcher at AT&T Labs
Internet privacy has become a hot topic recently with the radical growth of Online Social Networks (OSN) and attendant publicity about various leakages. For the last decade we have examined aggregation of users' information by a steadily decreasing number of entities as unrelated Web sites are browsed. I will present results from several studies on leakage of personally identifiable information (PII) via Online Social Networks and popular non-OSN sites. Linkage of information gleaned from different sources presents a challenging problem to technologists, privacy advocates, government agencies, and the multi-billion dollar online advertising industry. Economics might hold the key in increasing transparency of the largely hidden exchange of data in return for access to so-called free services. I will also talk briefly about transient online social networks and doing privacy research at scale. Recently we have been pursuing data transparency by directly funding research projects around the world.

October 24:  Distinguished Seminar
When Electronic Privacy Gets Physical - Privacy in the Age of Sensors
Speaker: Apu Kapadia, Associate Professor at Indiana University Bloomington
As high-fidelity sensors such as always-on cameras and microphones become more commonplace, we will need to reconsider our notions of privacy. How will people react to constant surveillance by their peers ("sousveillance") and what technical solutions can enhance privacy in this new age? I will highlight some of our interdisciplinary research on answering and addressing these questions in the context of wearable cameras. I will also talk about how cameras can enhance privacy, e.g., by aiding populations with visual impairments with a visual assessment of their surroundings.

October 17:  Distinguished Seminar
Ironclad - Full Verification of Complex Systems
Speaker: Bryan Parno, Researcher, Security & Privacy Research Group, Microsoft Research
The Ironclad project at Microsoft Research is using a set of new and modified tools based on automated theorem proving to build Ironclad services.  An Ironclad service guarantees to remote parties that every CPU instruction the service executes adheres to a high-level specification, convincing clients that the service will be worthy of their trust.  To provide such end-to-end guarantees, we built a full stack of verified software.  That software includes a verified kernel; verified drivers; verified system and cryptography libraries including SHA, HMAC, and RSA; and four Ironclad Apps.  As a concrete example, our Ironclad database provably provides differential privacy to its data contributors.  In other words, if a client encrypts her personal data with the database's public key, then it can only be decrypted by software that guarantees, down to the assembly level, that it preserves differential privacy when releasing aggregate statistics about the data.

October 10:  Distinguished Seminar
The Three T’s of a Cyber Security Program
Speaker: Jim Routh, CSO, Aetna
This session introduces essential ingredients for any cyber security program, called the Three T's of Cyber Security: Talent, Tools and Techniques. Jim Routh, the CSO for Aetna and board member of both the NH-ISAC and FS-ISAC, will share his perspective on which of the three T's is the most significant. He will share specific processes and methods in place today at Aetna, demonstrating the importance of "un-conventional" controls to change the rules for threat adversaries, and providing specific examples of innovative use of early-stage technology solutions.

October 3:  Distinguished Seminar
Characterizing and Mitigating AS-based Timing Attacks on the Tor Network
Speaker: Phillipa Gill, Assistant Professor, University of Massachusetts
Traffic correlation attacks to de-anonymize Tor users are possible when an adversary is in a position to observe traffic entering and exiting the Tor network. Recent work has brought attention to the threat of these attacks by network-level adversaries (e.g., Autonomous Systems). We perform a historical analysis to understand how the threat from AS-level traffic correlation attacks has evolved over the past five years. We find that despite a large number of new relays added to the Tor network, the threat has grown. This points to the importance of increasing AS-level diversity in addition to capacity of the Tor network. We identify and elaborate on common pitfalls of AS-aware Tor client design and construction. We find that succumbing to these pitfalls can negatively impact three major aspects of an AS-aware Tor client -- (1) security against AS-level adversaries, (2) security against relay-level adversaries, and (3) performance. Finally, we propose and evaluate a Tor client -- Cipollino -- which avoids these pitfalls using state-of-the-art network measurement. Our evaluation shows that Cipollino is able to achieve better security against network-level adversaries while maintaining security against relay-level adversaries and performance characteristics comparable to the current Tor client.

September 26 - September 28:  Conference
2016 CyLab Partners Conference
The CyLab Partners Conference will be held September 26-28 at the main CMU campus in Pittsburgh, PA. Attendance is limited, exclusively, to representatives of CyLab's corporate partners and Carnegie Mellon University CyLab. Not a CyLab partner? There is still time to experience this unique conference and learn how your company can benefit from becoming a CyLab partner. Contact Associate Director of Partnership Development, Michael Lisanti at mlisanti@andrew.cmu.edu or 412-268-1870.

September 25:  Conference
CyLab Recruitment Reception
An opportunity for partners to meet and recruit CyLab students. Early access to recruit CyLab students is a benefit of partnership. This pilot event will help showcase CyLab's security and privacy students from the Information Networking Institute, Electrical and Computer Engineering department, and Computer Science department. Not a CyLab partner? There is still time to experience this unique conference and learn how your company can benefit from becoming a CyLab partner. Contact Associate Director of Partnership Development, Michael Lisanti at mlisanti@andrew.cmu.edu or 412-268-1870.

September 14 - September 16:  CERT Training
Creating a Computer Security Incident Response Team
This one-day course is designed for managers and project leaders who have been tasked with implementing a computer security incident response team (CSIRT). This course provides a high-level overview of the key issues and decisions that must be addressed in establishing a CSIRT. As part of the course, attendees will develop an action plan that can be used as a starting point in planning and implementing their CSIRT. 

September 13 - June 13:  CERT Training
Creating a Computer Security Incident Response Team
This one-day course is designed for managers and project leaders who have been tasked with implementing a computer security incident response team (CSIRT). This course provides a high-level overview of the key issues and decisions that must be addressed in establishing a CSIRT. As part of the course, attendees will develop an action plan that can be used as a starting point in planning and implementing their CSIRT. 

July 14:  Research Talk
Retrofitting Privacy into Traditional Operating Systems
Speaker: Kaan Onarlioglu, PhD Student at Northeastern University
With the scale of sensitive information processed and stored on computers today, implementing and maintaining application-specific privacy features is inefficient and bug prone. While it would be a relatively straightforward task to build a secure computing environment from the ground up, a significant challenge is to design privacy-enhancing techniques compatible with already widely-deployed operating systems, which also do not require modifications to existing user space software. In this talk I will present two systems to retrofit novel, application-agnostic privacy features into traditional operating systems: 1) PrivExec is an operating system service that allows a "private browsing mode-like" execution platform for arbitrary applications. 2) Overhaul is a user-driven access control architecture, where access to privacy-sensitive resources is mediated based on the temporal proximity of user inputs to access requests. I will present operating system-independent designs for the two systems, and then demonstrate with concrete Linux implementations that low-complexity, low-overhead, and high-usability privacy defenses can be integrated into existing operating systems.

June 21 - June 23:  CERT Training
Advanced Forensic Response and Analysis
The CERT Advanced Forensic Response and Analysis course is designed for computer forensic professionals who are looking to build on a solid knowledge base in incident response and forensic analysis. The course builds on core forensic topics to provide a process for conducting more complete incident response and forensic analysis investigations. The goal of the course is to advance collection and processing skills of the students by outlining a structured process or flow to an incident response and intrusion investigation. Students will learn the pros and cons of common evidence collection measures and forensic analysis steps, methods for organizing analysis to identify relevant evidentiary data, and common areas containing items of evidentiary value to further their investigations.

June 7 - June 8:  CERT Training
ATAM Evaluator Training
The SEI Architecture Tradeoff Analysis Method (ATAM) is a proven, highly effective method for systematically evaluating software architectures for fitness of purpose. The ATAM exposes architectural risks that potentially inhibit the achievement of quality attribute goals and the system's business/mission goals. Government and industry organizations have used the ATAM for more than 10 years to improve communication, expose architectural risks, clarify requirements, and produce better systems. 

May 25 - May 26:  CERT Training
Software Architecture Design and Analysis
This two-day course provides in-depth coverage of the concepts needed to effectively design and analyze a software architecture. The essential considerations for defining any architecture are carefully examined and then illustrated through application of the SEI Attribute-Driven Design (ADD) software architecture design method. This course also explores architecture analysis in-depth and introduces the SEI Quality Attribute Workshop (QAW) and the SEI Architecture Tradeoff Analysis Method (ATAM). Through multiple exercises, participants study an application of these methods and get a chance to apply them to sample problems. 

May 16 - May 20:  CERT Training
Advanced Incident Handling
This five-day course, designed for computer security incident response team (CSIRT) technical personnel with several months of incident handling experience, addresses techniques for detecting and responding to current and emerging computer security threats and attacks that are targeted at a variety of operating systems and architectures. 

April 25:  Distinguished Seminar
Using Malware Analysis Results to Identify Overlooked Security Requirements
Speaker: Nancy Mead
Despite the reported attacks on critical systems, operational techniques such as malware analysis are not used to inform early lifecycle activities, such as security requirements engineering.  In our CERT research, we speculated that malware analysis reports (found in databases such as Rapid 7), could be used to identify misuse cases that pointed towards overlooked security requirements.  If we could identify such requirements, we thought they could be incorporated into future systems that were similar to those that were successfully attacked.  We defined a process, and then sponsored a CMU MSE Studio Project to develop a tool.   We had hoped that the malware report databases were amenable to automated processing, and that they would point to flaws such as those documented in the CWE and CAPEC databases.  It turned out to not be so simple.  This talk will describe our initial proposal, the MSE Studio project and tool, student projects at other universities, and the research remaining to be done in both the requirements and architecture areas.  

April 18:  Distinguished Seminar
Thinking Better
Speaker: Colonel Mary Lou Hall, United States Army War College Fellow in ISP, Dietrich College
The strategic miscalculation of Iraq’s Weapons of Mass Destruction (WMD) threat in 2003 provides a staggering example of how even very experienced leaders can be blinded by the foundational psychological effects that give rise to bias.  This historical example further begs the question, ‘Could modern predictive analytics, such as machine learning, close the WMD information gap, if faced today?’ Army leaders want to understand the benefits and limitations of advancements in predictive analytics as well as in behavioral psychology in order to understand the implications for decision-making competence.  U.S. commanders need both a structured approach for decision-making (ways), and the ability to leverage advanced analytical capability (means) in order to achieve operational understanding (ends).  This talk offers a structured approach to decision-making that embeds a methodology for Red Teaming to address foundational behavioral psychology effects.  In addition, I will offer a strategy for deploying tailored technical teams to provide commanders with access to relevant data, resources and skills to perform advanced analytical methods, including machine learning.  It is in applying technological advances in big data to the crucible of ground combat that the Army can fulfill its role for the nation, and maintain competitive advantage.   

April 4:  Distinguished Seminar
Indoor Localization or - How I learned to stop worrying and love the clock
Speaker: Anthony Rowe
In this talk, I will provide a brief overview of the state-of-the-art with respect to indoor location tracking and discuss two new systems that are able to precisely localize mobile phones as well as low-power tags. The first is a hybrid Bluetooth low-energy and near-ultrasonic beaconing platform that is able to provide sub-meter accuracy to standard smartphones. The platform leverages the phone's IMU as well as constraints derived from building floor plans to not only localize itself, but also apply range-based SLAM techniques for bootstrapping its own infrastructure. The second platform leverages emerging Chip Scale Atomic Clocks (CSACs) and ultra-wideband (UWB) radios to create distributed networks that are able to coordinate at a level that used to be only possible with large, power-hungry and cost-prohibitive atomic clocks. With sub-nanosecond time synchronization accuracy and extremely low drift rates, it is possible to dramatically reduce communication guard-bands and perform accurate speed-of-light Time-of-Arrival (TOA) measurements across distributed wireless networks.

March 28:  Distinguished Seminar
Using Unsupervised Big-Data Analytics to Detect Sleeper Cells Among Billions of Users
Speaker: Yinglian Xie, CEO and Founder, DataVisor
Today’s consumer-facing online services are measured by the size and growth of their user account base, as users are both contributors of content as well as a channel for monetization.  Despite being their backbone, these user accounts are also their “Achilles heel” — well-organized crime rings leverage compromised or fraudulent accounts to hide amongst billions of benign users, waging a variety of large-scale attacks.  In this talk, I will present the anatomy of modern attacks and the sophisticated attack techniques that we have observed across a number of services, including social networking, gaming, financial, ecommerce and other vertical markets.  I will then discuss the new challenges we face to defend against these attacks in the billion user era.  Finally I’ll outline the directions pursued by DataVisor through unsupervised big data analytics to detect and mitigate large attack campaigns early, without prior knowledge of attack patterns. 

March 21:  Distinguished Seminar
Making Password Checking Systems Better
Speaker: Tom Ristenpart, Associate Professor, Cornell Tech
Most computing systems still rely on user-chosen passwords to authenticate access to data and systems. But passwords are hard to use, easy to guess, and tricky to securely store. In practice one sees high failure rates of (legitimate) password login attempts, as well as a never-ending stream of damaging password database compromises. I will present a sequence of new results that target making password authentication systems better. We will look at how to address concerns in three areas: (1) usability by way of easy-to-deploy typo-tolerant password authentication validated using experiments at Dropbox; (2) hardening password storage against cracking attacks via our new Pythia crypto service; and, time allowing, (3) building cracking-resistant password vaults via a new cryptographic primitive called honey encryption. The talk will cover joint work with Anish Athalye, Devdatta Akhawe, Joseph Bonneau, Rahul Chatterjee, and Ari Juels.
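The "easy-to-deploy" part of typo-tolerant authentication is that nothing about password storage changes: the server keeps its usual salted hash and, when the typed password fails, re-checks a handful of corrected variants against the same hash. The following is an added illustration written for this page, not Dropbox's code or the authors' implementation. The three correctors (caps lock toggled, first character case flipped, trailing character dropped), the PBKDF2 parameters and the minimum-length guard are assumptions made here; the enrolled password and typed attempts are constructed test data.

```python
import hashlib
import hmac
import os

# Storage parameters are assumptions for this illustration, not a recommendation.
ITERATIONS = 50_000
SALT_BYTES = 16


def make_record(password: str, salt: bytes = None) -> dict:
    """Enrol a password: store a salt and PBKDF2-HMAC-SHA256 hash, never the password."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_exact(record: dict, candidate: str) -> bool:
    """Ordinary check of one candidate string against the stored hash."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(digest, record["hash"])


def correctors(typed: str) -> list:
    """Corrected variants of what the user typed, in the order they are tried.
    The set of three correctors is an assumption of this example."""
    out = []
    if typed:
        out.append(("swc-all", typed.swapcase()))                   # caps lock was on
        out.append(("swc-first", typed[0].swapcase() + typed[1:]))  # shift on first key
        out.append(("rm-last", typed[:-1]))                         # extra trailing key
    return out


def verify_typo_tolerant(record: dict, typed: str, min_len: int = 8) -> tuple:
    """Return (accepted, how). The typed string is checked first; then each
    corrected variant that is new and at least min_len characters long.
    Every variant costs one full hash, so an attempt is at most four guesses."""
    if verify_exact(record, typed):
        return True, "exact"
    tried = {typed}
    for name, variant in correctors(typed):
        if variant in tried or len(variant) < min_len:
            continue
        tried.add(variant)
        if verify_exact(record, variant):
            return True, name
    return False, "rejected"


if __name__ == "__main__":
    record = make_record("Password1")  # constructed enrolment
    for attempt in ["Password1", "pASSWORD1", "password1", "Password1x", "Password2"]:
        print(attempt, "->", verify_typo_tolerant(record, attempt))
```

Two operational points follow from the code rather than from the abstract. Each tolerant login costs up to four hash computations and gives an online guesser up to four candidates per attempt, so lockout and rate-limit counters should count variants tried, not requests received. And because only the typed string is transformed, the stored hash, salt and work factor are untouched; rolling the feature back is a one-line change.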

February 29:  Distinguished Seminar
ISSTAC - Integrated Symbolic Execution for Space-Time Analysis of Code
Speaker: Corina Pasareanu
Attacks relying on the inherent space-time complexity of algorithms used for building software systems are gaining prominence. When an adversary can inexpensively generate inputs that induce behaviors with expensive space-time resource utilization at the defender's end, in addition to mounting denial-of-service attacks, the adversary can also use the same inputs to facilitate side-channel attacks in order to infer some secret from the observed system behavior. Our project, ISSTAC: Integrated Symbolic Execution for Space-Time Analysis of Code, aims to develop automated analysis techniques and implement them in an industrial-strength tool that allows the efficient analysis of software (in the form of Java bytecode) with respect to these problems rapidly enough for inclusion in a state-of-the-art development process.
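The asymmetry the abstract describes, a cheap input that forces expensive work on the defender, is easy to see on a textbook example. The following is an added illustration for this page, not ISSTAC tooling (which targets Java bytecode with symbolic execution; this is plain Python with a comparison counter standing in for the resource measurement). Both search routines and the worst-case input generator are written here, not taken from the project.

```python
def naive_find(text: str, pattern: str) -> tuple:
    """Brute-force substring search. Returns (index or -1, character comparisons)."""
    n, m = len(text), len(pattern)
    steps = 0
    for i in range(n - m + 1):
        j = 0
        while j < m:
            steps += 1
            if text[i + j] != pattern[j]:
                break
            j += 1
        if j == m:
            return i, steps
    return -1, steps


def kmp_find(text: str, pattern: str) -> tuple:
    """Knuth-Morris-Pratt search. Returns (index or -1, character comparisons).
    Comparisons are bounded by about 2 * (len(text) + len(pattern)) for any input."""
    m = len(pattern)
    if m == 0:
        return 0, 0
    fail = [0] * m  # fail[i]: length of longest proper border of pattern[:i+1]
    steps = 0
    k = 0
    for i in range(1, m):
        while k and pattern[i] != pattern[k]:
            steps += 1
            k = fail[k - 1]
        steps += 1
        if pattern[i] == pattern[k]:
            k += 1
        fail[i] = k
    k = 0
    for i, ch in enumerate(text):
        while k and ch != pattern[k]:
            steps += 1
            k = fail[k - 1]
        steps += 1
        if ch == pattern[k]:
            k += 1
            if k == m:
                return i - m + 1, steps
    return -1, steps


def worst_case_input(n: int, m: int) -> tuple:
    """Attacker's side: O(n + m) bytes that cost the naive search (n - m + 1) * m
    comparisons, because every alignment matches m - 1 characters and fails on the last."""
    return "a" * n, "a" * (m - 1) + "b"


def compare_costs(n: int, m: int) -> dict:
    """Run both searches on the adversarial input and report the work each did."""
    text, pattern = worst_case_input(n, m)
    _, naive = naive_find(text, pattern)
    _, kmp = kmp_find(text, pattern)
    return {"naive": naive, "kmp": kmp, "ratio": naive / kmp}


if __name__ == "__main__":
    print(compare_costs(2000, 200))
```

The point for analysis tooling is in `worst_case_input`: the attacker does not need to run the target, only to reason about which input shape maximises its cost, which is exactly what a symbolic, cost-instrumented exploration of the code automates. The same input also yields an observable timing difference that depends on how far into the pattern each alignment matched, the side-channel angle the abstract mentions.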

February 15:  Distinguished Seminar
Building a Software Security Program - Effective Risk Management for IT Security
Speaker: Steve Lipner, former Partner Director of Software Security, Microsoft
The growing frequency and severity of cybersecurity incidents has led government and private sector organizations to seek better ways to protect their systems and information. Many of these organizations have begun by adopting risk management frameworks as a way of structuring their approach to security. But risk management is only effective if it is informed by deep understanding of attacks and the ways to defend against them. The history and structure of successful software security programs shows how technical understanding can be integrated into risk management decisions. This talk will summarize the history of a typical software security program and outline principles by which understanding of attacks and defenses combined with continuous improvement leads to effective risk management.

February 8:  Distinguished Seminar
The Global DDoS Threat Landscape
Speaker: Scott Iekel-Johnson, Sr. Product Manager, Arbor Networks
Distributed Denial of Service (DDoS) attacks continue to grow in size, frequency, and complexity, and can affect any resource on the Internet, from the largest to the smallest, at any time. Motivations for attacks vary widely, from the personal to online activism to political or economic espionage to organized crime. In spite of their pervasiveness, the commercial or political sensitivities of DDoS attack targets often mean that the precise nature and impact of these attacks are hidden from view. Likewise, network operators are frequently reluctant to share details of their defense strategies for fear of giving attackers an added advantage. While understandable, this results in a siloing of expertise, preventing effective collaboration between network operators and the security research community to provide better strategies to defeat these attacks. Arbor Networks has been working with network operators, both service providers and enterprises, for the last 15 years to develop effective protection strategies for these attacks. This talk will pull back the curtain on DDoS attack experience and practice, providing an overview of Arbor Networks' latest research into DDoS attack trends and discussing current operational best practices for how global network operators detect and mitigate DDoS attacks.

January 28:  Celebration
Data Privacy Day 2016
Join us on January 28, 2016 for CMU Privacy Day 2016 at Carnegie Mellon University. CMU Privacy Day celebrates the International Data Privacy Day with an exciting schedule of privacy-related events. Data Privacy Day is an international effort to empower and educate people to protect their privacy and control their digital footprint. For more information, please visit StaySafeOnline.org

January 25:  Distinguished Seminar
Don’t Be Tomorrow’s Boiled Frog - Cyber Risk Appetite for Executives
Speaker: Earl Crane, Founder and CEO, Emergent Network Defense, Inc.
The past few years have seen a focus on cybersecurity risk management by executive leadership, which increasingly has a fiduciary requirement to establish a risk appetite and manage its cybersecurity risk profile. High-profile retail breaches like Target demonstrated the inherent risks of third-party connections. Destructive corporate breaches like those at Sony, Sands Casino, and Saudi Aramco demonstrated the initiative of nation-states to attack private corporations for political reasons. The root cause of every one of these breaches can be attributed not to technical failures, but to a failure in governance—a shortcoming in managing cybersecurity risks. Cybersecurity risk appetite is quickly becoming an integrated function of an organization's holistic enterprise risk management program. Organizations frequently have many of the right technical tools deployed to manage cybersecurity risk, but these are not instrumented and deployed in the most effective way. This talk will provide real-world insights into instrumenting cybersecurity risk appetite as a risk management tool.

2015

December 15 - December 17:  CERT Training
Advanced Forensic Response and Analysis
The CERT Advanced Forensic Response and Analysis course is designed for computer forensic professionals who are looking to build on a solid knowledge base in incident response and forensic analysis. The course builds on core forensic topics to provide a process for conducting more complete incident response and forensic analysis investigations. The goal of the course is to advance collection and processing skills of the students by outlining a structured process or flow to an incident response and intrusion investigation. Students will learn the pros and cons of common evidence collection measures and forensic analysis steps, methods for organizing analysis to identify relevant evidentiary data, and common areas containing items of evidentiary value to further their investigations.

December 7:  Distinguished Seminar
Talkographics - Using What Viewers Say Online to Measure TV and Brand Audiences
Speaker: Shawndra Hill, Senior Researcher at Microsoft Research and Adjunct Associate Professor at the University of Pennsylvania
Viewers of TV shows are increasingly taking to online sites like Facebook and Twitter to comment about the shows they watch as well as to contribute content about their daily lives. We present a novel recommendation system (RS) based on the user-generated content (UGC) contributed by TV viewers via the social networking site Twitter. In our approach, a TV show is represented by all of the tweets of its viewers who follow the show on Twitter. These tweets, in aggregate, enable us to reliably calculate the affinity between TV shows and to describe how and why certain shows are similar in terms of their audiences in a privacy friendly way. 

December 2:  CERT Training
DevOps in Practice Workshop
This DevOps workshop is intended to offer a comprehensive, hands-on review of DevOps topics and process, and to identify techniques for project planning, development, and deployment from start to finish. Specifically, this workshop will expose attendees to reference architectures and hands-on experience with Continuous Integration (CI) tools and practices, including technical demonstrations and practical scenarios. Students who attend the workshop will be provided a Certificate of Completion and also be awarded 0.5 CEUs.

November 16:  Distinguished Seminar
Protecting Consumers from Themselves - Tales from the Real World
Speaker: Bob Sullivan, author and investigative journalist
Ready or not, the Internet of Things has arrived, bringing with it massive growth in consumers’ ability to hurt themselves.  The age of poking fun at dumb computer users must now end, and be replaced by gadgets that are safe to use out of the box.  This will be perhaps the biggest challenge of our decade, certainly no less a challenge than the auto safety standards movement in the 1960s. A discussion of where things have gone wrong, and how they can go right, from the consumer’s point of view.

November 9:  Distinguished Seminar
Securing the Future
Speaker: Darren Shou, Director of Symantec Research Labs Core Research team
While predicting the future may be a fool’s errand, there are several potential disruptions on the horizon that will impact the very nature of business and the structure of industries. I will discuss several of these shifts and how each presents unique challenges and opportunities for the security domain. The emergence of 3D printing will be used as an example of how the nature of production may be disrupted and how that presents new intellectual property protection challenges and security needs. And as we journey through several disruptive innovations, we will examine whether security will be a standalone function or a feature of new technologies.

November 2:  Distinguished Seminar
Building a Network Security Analysis Toolbox - Problems of Vantage, Narrative and Action
Speaker: Michael Collins, Chief scientist at RedJack, LLC
Information security research is unique in that we have an adversary; if we do our job well, we will make attackers' lives miserable. To do our job well, we need to transfer research into operations -- everything in security research -eventually- ends up on the ops floor. For the majority of my career I have been focused on taking security research and turning it into actionable analysis on networks comprising hundreds of millions of IP addresses. In this talk, I will discuss the process of doing so, and the headaches we've encountered en route.

October 26:  Talk
The Role of the US Military in Cyberspace
Speaker: Admiral Mike Rogers, commander of U.S. Cyber Command and director of the National Security Agency (NSA)
The ever-increasing reliance on information technology systems and networked operations has saturated almost every aspect of our daily lives. This dependence, which does have many advantages, also creates dangerous vulnerabilities. Admiral Mike Rogers, commander of U.S. Cyber Command and director of the National Security Agency (NSA), will discuss cybersecurity issues at Carnegie Mellon University. Admiral Rogers’ talk is free and open to the public; however registration is required. Please email instisa@andrew.cmu.edu to reserve your seat.

October 26:  Seminar
Assessment of Risk Perception in Security Requirements Composition
Speaker: Hanan Hibshi, Ph.D. candidate, Carnegie Mellon University
Security requirements analysis depends on how well-trained analysts perceive security risk, understand the impact of various vulnerabilities, and mitigate threats. When systems are composed of multiple machines, configurations, and software components that interact with each other, risk perception must account for the composition of security requirements. In this paper, we report on how changes to security requirements affect analysts' risk perceptions and their decisions about how to modify the requirements to reach adequate security levels.

October 13:  Research Talk
Securing the Perimeter at LinkedIn - Approaches to Registration and Login Defense
Speaker: David Freeman, Head of Anti-Abuse Engineering at LinkedIn
As the world's largest professional network, LinkedIn is subject to a barrage of fraudulent and/or abusive activity aimed at its member-facing products. LinkedIn's Anti-Abuse Team is tasked with detecting bad activity and building proactive solutions to keep it from happening in the first place. In this talk we'll explore various types of abuse we see at LinkedIn and discuss some of the solutions we've built to defend against them. We'll focus on perimeter defense: keeping bad guys from creating fake accounts at registration or from taking over real members' accounts at login.

October 12:  Distinguished Seminar
Remote Exploitation of an Unaltered Passenger Vehicle
Speaker: Chris Valasek, Security Lead, UBER Advanced Technologies Center
Although the hacking of automobiles is a topic often discussed, details regarding successful attacks, if ever made public, are non-comprehensive at best. The ambiguous nature of automotive security leads to narratives that are polar opposites: either we're all going to die or our cars are perfectly safe. In this talk, we will show the reality of car hacking by demonstrating exactly how a remote attack works against an unaltered, factory vehicle. Starting with remote exploitation, we will show how to pivot through different pieces of the vehicle's hardware in order to be able to send messages on the CAN bus to critical electronic control units. We will conclude by showing several CAN messages that affect physical systems of the vehicle. By chaining these elements together, we will demonstrate the reality and limitations of remote car attacks.

October 6:  Research Talk
Empirical Investigations of Secure Development Practices
Speaker: Sam Weber, Senior Research Scientist at SEI
As a community, we’ve now had almost a half-century of experience in attempting to build secure systems. Although in general we’ve made incredible progress in cybersecurity, I argue that we’ve not made proportionate advances in creating and evaluating secure development processes. In this talk, I’ll describe two of my current research projects which aim to address this deficiency by empirically measuring and comparing development practices. The first of these projects investigates API design decisions which lead to more secure code, while the second compares competing threat modeling methodologies. Ultimately, the goal is to allow validation and rational improvement of secure development techniques.

October 5:  Distinguished Seminar
Blackmarket-driven Interventions: From Research to Practice
Speaker: Kurt Thomas, Security & Abuse Researcher, Google
Internet crime has become increasingly dependent on the underground economy: a loose federation of specialists selling capabilities, services, and resources explicitly tailored to the abuse ecosystem. While migration to this marketplace streamlines for-profit scams, it also exposes participants to a range of new countermeasures that disrupt criminal supply chains. In this talk, we discuss how Google is translating blackmarket-driven research into a practical tool for fighting bulk account creation, fake engagement, cloaking, ad fraud, and unwanted software. We demonstrate how underground services yield a wealth of training data on emerging threats as well as serve as a canary for failures in Google's defenses. However, this approach is not without pitfalls: we highlight challenges in interacting with blackmarket segments, sanitizing polluted data, and ultimately measuring the impact of interventions. We argue that researchers and industry can leverage our techniques to make a drastic departure from focusing solely on protecting users and systems (tantamount to a fire fight) and instead disrupt cost-sensitive dependencies that pin up entire abuse verticals.

September 29 - September 30:  Conference
2015 CyLab Partners Conference
The CyLab Partners Conference will be held September 29-30 at the main CMU campus in Pittsburgh, PA. Attendance is limited, exclusively, to representatives of CyLab's corporate partners and Carnegie Mellon University CyLab. Not a CyLab partner? There is still time to experience this unique conference and learn how your company can benefit from becoming a CyLab partner. Contact Associate Director of Partnership Development, Michael Lisanti at mlisanti@andrew.cmu.edu or 412-268-1870.

September 28:  Conference
CyLab Recruitment Reception

September 16 - September 18:  CERT Training
Managing Computer Security Incident Response Teams
This three-day course provides current and future managers of computer security incident response teams (CSIRTs) with a pragmatic view of the issues that they will face in operating an effective team. The course provides insight into the work that CSIRT staff may be expected to handle. The course also provides prospective or current managers with an overview of the incident handling process and the types of tools and infrastructure needed to be effective. 

September 15:  CERT Training
Creating a Computer Security Incident Response Team
This one-day course is designed for managers and project leaders who have been tasked with implementing a computer security incident response team (CSIRT). This course provides a high-level overview of the key issues and decisions that must be addressed in establishing a CSIRT. As part of the course, attendees will develop an action plan that can be used as a starting point in planning and implementing their CSIRT. 

September 14:  Distinguished Seminar
An Introduction to Security and Privacy Research at CMU
Speaker: David Brumley
In this talk, I'll discuss how we view security and privacy research at CMU.  I'll give an overview of the great activities going on, give some advice to new researchers in the field, and discuss my own research in software security.

August 18 - August 21:  CERT Training
Insider Threat Program Implementation and Operation
This three and a half day course builds upon the initial concepts presented in the prerequisite courses Insider Threat Overview: Preventing, Detecting, and Responding to Insider Threats and Building an Insider Threat Program. The course presents a process roadmap that can be followed to build the various parts of a robust Insider Threat Program. It discusses various techniques and methods to develop, implement, and operate program components.

July 22 - July 24:  Symposium
Symposium on Usable Privacy and Security (SOUPS) 2015
The eleventh Symposium on Usable Privacy and Security (SOUPS) will be held July 22-24, 2015 at Carleton University in Ottawa, Canada. This symposium will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. The program features technical papers, workshops and tutorials, a poster session, panels and invited talks, and lightning talks. SOUPS 2015 will be held in cooperation with USENIX and ACM SIGCHI. Visit the SOUPS 2015 website for details.

June 9 - June 11:  CERT Training
Advanced Forensic Response and Analysis
The CERT Advanced Forensic Response and Analysis course is designed for computer forensic professionals who are looking to build on a solid knowledge base in incident response and forensic analysis. The course builds on core forensic topics to provide a process for conducting more complete incident response and forensic analysis investigations. The goal of the course is to advance collection and processing skills of the students by outlining a structured process or flow to an incident response and intrusion investigation. Students will learn the pros and cons of common evidence collection measures and forensic analysis steps, methods for organizing analysis to identify relevant evidentiary data, and common areas containing items of evidentiary value to further their investigations.

June 2 - June 4:  CERT Training
Managing Enterprise Information Security: A Practical Approach for Achieving Defense-in-Depth
This three-day course begins with a brief review of the conceptual foundations of information security. Next, students will be introduced to the CERT Defense-in-Depth Framework: eight operationally focused and interdependent management components which will be synergistically applied to a fictitious organization's Information Technology (IT) enterprise (see "Topics" below). Through lectures, demonstrations, scenario-based exercises, small group activities, and open discussions, students will learn high-level best practices for effectively integrating each of these eight components into all aspects of IT operations. Further, the course scenario is used extensively to reinforce these best practices with technical information security implementations. 

May 18 - May 22:  CERT Training
Advanced Incident Handling
This five-day course, designed for computer security incident response team (CSIRT) technical personnel with several months of incident handling experience, addresses techniques for detecting and responding to current and emerging computer security threats and attacks that are targeted at a variety of operating systems and architectures. Building on the methods and tools discussed in the Fundamentals of Incident Handling course, this course provides guidance that incident handlers can use in responding to system compromises at the privileged (root or administrator) level. Through interactive instruction, facilitated discussions, and group exercises, instructors help participants identify and analyze a set of events and then propose appropriate response strategies. 

May 12 - May 15:  CERT Training
Insider Threat Program Implementation and Operation
This three and a half day course builds upon the initial concepts presented in the prerequisite courses Insider Threat Overview: Preventing, Detecting, and Responding to Insider Threats and Building an Insider Threat Program. The course presents a process roadmap that can be followed to build the various parts of a robust Insider Threat Program. It discusses various techniques and methods to develop, implement, and operate program components.

May 11:  Seminar
Quantifying the Security Advantage of Password Expiration Policies
Speaker: Paul C. van Oorschot, Professor at Carleton University
Many enterprise security policies enforce "password aging", i.e., require that users change their passwords at fixed intervals such as 90 days. The apparent justification is that this improves security. However, the implied security benefit has been little explored, and quantified less. We provide a detailed analysis pursuing the question "What security advantage is delivered by password expiration policies?". We find that the benefits are far less than expected.

May 11 - May 13:  CERT Training
Introduction to the CERT Resilience Management Model
This three-day course introduces a model-based process improvement approach to managing operational resilience using the CERT® Resilience Management Model (CERT-RMM) v1.1. CERT-RMM is a maturity model that promotes the convergence of security, business continuity, and IT operations activities to help organizations actively direct, control, and manage operational resilience and risk. By improving operational resilience processes (such as vulnerability analysis, incident management, and service continuity), an organization can use the model to improve and sustain the resilience of mission-critical assets and services.

April 27:  Seminar
Algorithmic Logic-Based Verification
Speaker: Temesghen Kahsai, Research Scientist at NASA Ames Research Center
Developing new tools for automated software verification is a tedious and very difficult task. First, due to the undecidability of the verification problem, tools must be highly tuned and engineered to provide reasonable efficiency and precision trade-offs. Second, different programming languages come with very diverse assortments of syntactic and semantic features. Third, the diverse encoding of the verification problem makes the integration with other powerful solvers and verifiers difficult. To mitigate these challenges, in this talk, I will present SeaHorn, an LLVM-based software verification framework that allows the decoupling of programming language syntax and semantics from the underlying verification technique. Such a framework uses Horn Clauses as the intermediate formal language for the verification task. Horn Clauses are a uniform way to encode verification conditions. SeaHorn solves much of the programming language complexities by borrowing techniques and implementation from an optimizing compiler. SeaHorn is a versatile and highly customizable framework which allows researchers to easily build or experiment with their particular verification techniques of interest. I will also present an experimental evaluation that demonstrates the competitiveness of SeaHorn in verifying safety properties.

April 20:  Seminar
SafeSlinger - Usable Key Verification Roadmap
Speaker: Michael Farb
SafeSlinger is the result of research into several protocols, designed to subvert the bane of public-key cryptography, the man-in-the-middle attack. This solution easily bootstraps secure communication, in-person or remote, with a device most people already own - their phone. SafeSlinger is designed to allow users to securely exchange any data, such as a public key, for later use. When users run SafeSlinger, they enter a pair of short numbers and confirm a 3-word phrase matches that displayed by other users' phones.  This talk will provide a short overview of current SafeSlinger exchange properties, user experience, and our roadmap. We’ll discuss: ongoing integration efforts with other open source end-to-end encryption projects, user experiences, use cases we target, and many open questions about how we can improve user experience intuition, anonymity, alternate wireless exchange channels, desktop design, and provide better incentives for users to verify digital contacts. We’re looking for collaborators interested in usable security and networking.

April 18:  Panel
INI 25th Anniversary - "Women's Impact on Technology. Beyond Participation. Leading the Way"
Speaker: Dena Haritos Tsamitis, Director, Information Networking Institute; Founding Director, Education, Training and Outreach, CyLab, Carnegie Mellon University
Mavens of technology discuss the talents and influence that carry professionals into leadership roles and how women have made an impact on innovation and cultural change in the field. As the Women@INI (WINI) student organization celebrates 10 years, the INI will host industry leaders, faculty and alumni to discuss and celebrate the dramatic progress gained by promoting diversity in the technology field at all levels, from student life to the executive circle. Engage in the conversation and hear the stories as the panelists share personal and professional perspectives on women's leadership in technology. For more information, visit the anniversary website at http://www.ini.cmu.edu/ini25/

April 18:  Panel
INI 25th Anniversary - "Emerging Technology"
Speaker: James H. Garrett Jr, Dean and Thomas Lord Professor, College of Engineering, Carnegie Mellon University
Great minds in engineering and computing will discuss advancements that are having an impact on everyday life. Having prepared technology leaders for 25 years through a dynamic blend of interdisciplinary studies, the Information Networking Institute (INI) will host panelists to discuss what's around the next corner in an exploration of the latest developments in networking, security and mobility. Industry leaders, faculty and alumni will reflect on new innovations in information technology and their impact on society. Join us for an invigorating discussion on this fascinating and ever-changing topic. For more information, visit the anniversary website at http://www.ini.cmu.edu/ini25/

April 18:  Keynote
INI 25th Anniversary - "Connected. How Networks are Transforming Everything"
Speaker: Hooman Radfar (INI, ’04)
The INI's 25th Anniversary kicks off with a fast-paced presentation on trends in networks and computing and what lies ahead. Entrepreneur Hooman Radfar (INI, 2004, MS14) will be the featured keynote speaker. For more information, visit the anniversary website at http://www.ini.cmu.edu/ini25/

April 13:  Seminar
Beyond Silk Road: Developments in Online Anonymous Marketplaces
Speaker: Nicolas Christin
Founded in 2011, Silk Road was the first online anonymous marketplace, in which buyers and sellers could transact with anonymity guarantees far superior to those available in online or offline alternatives. Business on Silk Road, primarily involving narcotics trafficking, was brisk and before long competitors appeared. After Silk Road was taken down by law enforcement, a dynamic ecosystem of online anonymous marketplaces emerged. Building on efforts I previously presented in the CyLab seminar series, I will describe preliminary insights regarding this ecosystem, highlighting the scientific and, to a lesser extent, ethical challenges in collecting such data at scale.

April 6:  Seminar
Building Secure Reliable Hardware Roots-of-Trust: Are PUFs Enough?
Speaker: Ken Mai
Hardware roots-of-trust are often regarded as the bedrock upon which the rest of the system's security lies. They perform basic security critical functions such as cryptographic key storage/generation, hardware and software authentication, secure data storage, and data encryption/hashing. Further, these blocks must be resistant to various forms of non-invasive and invasive attacks and tampering. We will examine the necessary features and characteristics of hardware roots-of-trust and whether current technologies can meet those needs. Specifically, we will focus on the design and implementation of physical unclonable functions (PUFs) and whether they are suitable for hardware roots-of-trust.

March 30:  Seminar
The Security of Cyber-Physical Systems
Speaker: Bruno Sinopoli
Cyber Physical Systems (CPS) refer to the embedding of widespread sensing, computation, communication, and control into physical spaces. Application areas are as diverse as aerospace, chemical processes, civil infrastructure, energy, manufacturing and transportation, most of which are safety-critical. The availability of cheap communication technologies such as the internet makes such infrastructures susceptible to cyber security threats, which may affect national security as some of them, such as the power grid, are vital to the normal operation of our society. Any successful attack may significantly hamper the economy, the environment or may even lead to loss of human life. As a result, security is of primary importance to guarantee safe operation of CPS. From an offensive perspective, attacks of this sort can be carried out to disrupt the functionality of the enemy's critical infrastructures without destroying them or even being directly identified. Stuxnet, the malware at the root of the destruction of centrifuges employed to enrich uranium in Iran's nuclear facilities, is a clear example of how strategically important it is to gain a deep understanding of CPS security. In this talk I will provide an introduction to CPS security, give an overview of recent results from our research group as well as directions for future work.

March 23:  Seminar
On the Roots of Privacy Concerns
Speaker: Alessandro Acquisti
Human beings have evolved to detect and react to threats in their physical environment, and have developed perceptual systems to assess physical, sensorial stimuli for current, material risks. In cyberspace, those stimuli can be absent, subdued, or deliberately manipulated by antagonistic third parties. Security and privacy concerns that would normally be activated in the offline world, therefore, can remain muted, and defense behaviors can be hampered, online. In order to start understanding the interrelationships between online and offline threat detection and online decision making, we investigate the extent to which "visceral" stimuli in the physical world can impact security and privacy behavior in cyberspace. In particular, we present the design and results of a stream of controlled human subject experiments that explore the influence of sensorial stimuli (indicating the presence of other human beings in the proximal space of a subject) on subjects' online disclosure of personal, and highly sensitive, behaviors.

March 16:  Seminar
Saving SSL – Usable Security for Administrators and Developers
Speaker: Matthew Smith, Professor, Rheinische Friedrich-Wilhelms-Universität Bonn, Germany
Many aspects of information security combine technical and human factors. If a highly secure system is unusable, users will try to circumvent the system or migrate entirely to less secure but more usable systems. Problems with usability are a major contributor to many recent high-profile security failures. The research domain of usable security & privacy addresses these issues. However, until now the main focus of researchers in this field has been end users. After giving a brief introduction into the field, the presenter will argue that usability issues for administrators and developers also need to be taken into account. The talk will use SSL as an example to illustrate usable security and privacy issues for all actors involved in the SSL ecosystem.

March 2:  Seminar
What is a Cookie Worth?
Speaker: Rahul Telang
Recent technological advances have enabled detailed tracking of an individual user's online browsing and transaction behavior through the use of digital cookies. Marketers now routinely use this information to deliver customized online advertisements to internet users based on their recent browsing history. Advertisers argue that using such information leads to better targeting users with relevant ads at appropriate times resulting in higher sales, making both the consumer and the seller better off. Privacy advocates, on the other hand, claim that the cost of such privacy intrusion is too high and support strong restrictions on such targeting. We seek to inform this debate by providing empirical evidence that quantifies the value of different types of information that cookies can track and their impact on advertising effectiveness.

February 23:  Seminar
The IEEE Cybersecurity Initiative — Accelerating Innovation in Security & Privacy Technologies
Speaker: Greg Shannon, Chief Scientist, CERT Division at CMU Software Engineering Institute
As highlighted at the White House Summit on Cybersecurity and Consumer Protection, cyber security & privacy (S&P) are pervasive and growing concerns that affect individuals, companies, and nations.  Many IEEE members created, sustain, and grow the Internet, and IEEE has a decades-long history of forming and leading technical communities dedicated to engineering a cyberspace that provides security and privacy.  To more directly address these challenges, IEEE has launched a multi-year Cybersecurity Initiative (CybSI); its goal is to accelerate innovative research, development and use of efficient cyber security & privacy technologies that protect commerce, innovation and expression.

February 16:  Seminar
What Are They Doing With Your Data?
Speaker: Augustin Chaintreau, Assistant Professor, Columbia University
Today's Web services, including Google, Amazon, and Facebook, leverage user data for personalizing recommendations, targeting advertisements, and adjusting prices. Users currently have little insight, and at best coarse information, to monitor how and for which purposes their data are being used. What if we could tell exactly which item - whether an email you wrote, a search you made, or a webpage you visit - is being used to decide on a targeted ad or a recommended product for you? But how can we track data in an environment we do not control? In this talk, we argue that without web transparency the exciting world opened up by your data threatens to become a breeding ground for data misuse, privacy negligence, or even unfair and predatory practices, discriminating against the most vulnerable. Furthermore, we show that web transparency may be restored by building XRay, the first fine-grained, robust, and scalable tracking system for personal data on the Web. XRay diagnoses which clue (i.e. emails, viewed products) is being used as a trigger for which outputs (i.e. targeted ads, recommended products, or differentiated prices). XRay is service agnostic, easy to instantiate, and leverages a novel and simple mechanism that, surprisingly at first, shows that as data in our web profile expands, the amount of resources required for transparency grows only logarithmically. (joint work with Mathias Lécuyer, Roxana Geambasu, Riley Spahn, Guillaume Ducoffe, Andrei Papancea, and Theofilos Petsios)

February 9:  Seminar
The Art of Privacy
Speaker: Lorrie Cranor
Privacy is an abstract concept that can be difficult to visualize. However, privacy visualizations can offer interesting insights into how people conceptualize privacy. In this talk I will explore privacy through art. I will begin by showing some examples of privacy-related artwork created by myself and by other artists. Then I will discuss our Privacy Illustrated project (http://cups.cs.cmu.edu/privacyillustrated/), in which we invite everyday people to draw pictures of privacy and what it means to them.

February 2:  Seminar
Dancing with the Adversary: a Tale of Wimps and Giants
Speaker: Virgil Gligor
A system without accurate and complete adversary definition cannot possibly be insecure. Without such definitions, (in)security cannot be measured, risks of use cannot be accurately quantified, and recovery from penetration events cannot have lasting value. Conversely, accurate and complete definitions can help deny the adversary any attack advantage over a system defender and, at least in principle, secure system operation can be achieved.  In this talk, I argue that although the adversary’s attack advantage cannot be eliminated in large commodity software (i.e., for “giants”), it can be rendered ineffective for small software components with rather limited function and high-assurance layered security properties, which are isolated from giants; i.e., for “wimps.” 

January 28:  Celebration
Data Privacy Day 2015
Join us on January 28, 2015 for CMU Privacy Day 2015 at Carnegie Mellon University. CMU Privacy Day celebrates the International Data Privacy Day with an exciting schedule of privacy-related events. Data Privacy Day is an international effort to empower and educate people to protect their privacy and control their digital footprint. For more information, please visit StaySafeOnline.org

2014

December 9 - December 12:  CERT Training
Insider Threat Program Implementation and Operation
This three and a half day course builds upon the initial concepts presented in the prerequisite courses Insider Threat Overview: Preventing, Detecting, and Responding to Insider Threats and Building an Insider Threat Program. The course presents a process roadmap that can be followed to build the various parts of a robust Insider Threat Program. It discusses various techniques and methods to develop, implement, and operate program components.

December 8 - December 12:  CERT Training
Advanced Incident Handling
This five-day course, designed for computer security incident response team (CSIRT) technical personnel with several months of incident handling experience, addresses techniques for detecting and responding to current and emerging computer security threats and attacks that are targeted at a variety of operating systems and architectures. 

December 2:  CERT Training
Big Data - Architectures and Technologies
This one-day course is designed for architects and technical stakeholders such as product managers, development managers, and systems engineers involved in the development of big data applications. It focuses on the relationship among application software, data models, and deployment architectures, and how specific technology selection relates to all of these. While we touch briefly on data analytics, the course focuses on the distributed data storage and access infrastructure, and the architecture tradeoffs needed to achieve scalability, consistency, availability, and performance. We illustrate these architecture principles with examples from selected NoSQL product implementations.

December 1:  Seminar
Tree-based Oblivious RAMs and their Applications
Speaker: Elaine Shi, Assistant Professor at the University of Maryland
Oblivious RAM (ORAM), originally proposed by Goldreich and Ostrovsky, is a powerful cryptographic primitive for provably obfuscating a program's execution behavior. Since the initial proposal of Oblivious RAM, two of the biggest questions remain: 1) whether ORAM can be made practical; and 2) whether the well-known logarithmic ORAM lower bound is tight. In this talk, I will describe a new, tree-based paradigm for constructing ORAMs. This tree-based paradigm yields constructions that are conceptually simple, amenable to implementation, and orders of magnitude faster. Tree-based ORAMs have allowed us to prototype the first ORAM-capable secure processor, and have also allowed us to demonstrate that certain stronger interpretations of the ORAM lower bound are indeed tight. I will further describe programming language techniques for memory-trace oblivious program execution. Finally, I will describe our vision of building a unifying programming framework for modern cryptography.

November 17:  Seminar
Hardware Security
Speaker: Olivier Benoit, Senior Staff Engineer at Qualcomm Inc.
The talk on "Hardware Security" will address vulnerabilities beyond software in embedded systems. We will first go over general security properties and underlying cryptographic mechanisms. We will then investigate so-called side-channel analysis as well as fault attack threats. We will conclude with the various countermeasures available to mitigate hardware attacks.

November 10:  Viewing
Excerpts from the 11th Annual Partners Conference
Speaker: CyLab
Join us as we present two excerpts from the 11th Annual CyLab Partners Conference. We will watch presentations from Nicolas Christin and Ken Mai.

November 3:  Seminar
Exciting Security Research Opportunity - Next-Generation Internet
Speaker: Adrian Perrig
Given the diverse nature of constituents in today's Internet, another important challenge is how to scale authentication of entities (e.g., AS ownership for routing, name servers for DNS, or domains for TLS) to a global environment. Currently prevalent PKI models (monopoly and oligarchy) do not scale globally because mutually distrusting entities cannot agree on a single trust root, and because everyday users cannot evaluate the trustworthiness of each of the many root CAs in their browsers. To address these issues, we study the design of a next-generation Internet that is secure, available, and offers privacy by design; that provides appropriate incentives for a transition to the new architecture; and that considers economic and policy issues at the design stage. 

October 30:  Seminar
Passwords - A Guide to the Ruins and Lessons for Improvement
Speaker: Cormac Herley, Principal Researcher, Microsoft Research
We review some of our recent work on authentication and search for lessons on why problems here have proved so persistent. First, considering a user who has not one but dozens of accounts to maintain, we find that the common advice (choose random passwords and one per account) is not merely difficult but impossible in the absence of memory aids. We show that weak passwords and password re-use, far from being shameful manifestations of user failings, are essential tools in allocating effort as portfolio size grows. Second, we examine the gap between the effort needed to withstand online and offline attacks, and find it to be enormous: probable safety occurring when a password resists 10^6 and 10^14 guesses respectively. This implies that many common practices guarantee large-scale waste of user effort. These include exceeding the online while falling short of the offline threshold, and encouraging users to resist offline guessing at sites where passwords are stored plaintext or reversibly encrypted. Finally, we seek lessons. How do we end up insisting on the necessity of things that prove impossible? Why do we keep getting things wrong? What will it take to move things forward?

October 20:  Seminar
Towards More Secure and Usable Text Passwords
Speaker: Lujo Bauer
Despite numerous shortcomings and attacks, text-based passwords remain the dominant authentication method in computer systems. For several years, we've been studying how to help users create passwords that are hard for attackers to crack, but are still easy to remember and use. We developed a data-collection and analysis methodology that allowed us to study the strength and usability properties of passwords created by over 40,000 online study participants. Using this methodology, we explored the effectiveness of password-composition policies, password-strength meters, and detailed and step-by-step feedback and guidance during password creation. In this talk I'll give a broad overview of our progress, focusing on more recent results.

October 10:  Seminar
Side Channels in Multi-Tenant Environments
Speaker: Mike Reiter, Professor at UNC Chapel Hill and Founding Technical Director of CyLab
With the growth of cloud computing, the security provided by public clouds to their tenants is increasingly being scrutinized, in part because these clouds arrange for mutually distrustful tenants to simultaneously execute tasks on the same hardware.  In this talk we explore a long-suspected but, to date, largely hypothetical attack vector in public clouds, namely "side-channel attacks" in which one tenant might learn sensitive information about another tenant simply by running on the same hardware with it, but without violating the logical access control enforced by the cloud's isolation software (hypervisor or operating system).  Specifically, we demonstrate the practicality of damaging cross-tenant side-channel attacks on modern hypervisors and operating systems, including some that we have demonstrated on commercial public clouds.  We will then describe various approaches we have developed to defend against side-channel attacks in cloud environments, both inexpensive defenses against our specific attacks and more holistic but expensive protections.

October 7 - October 8:  Conference
Carnegie Mellon University CyLab Partners Conference
The CyLab Partners Conference is an annual gathering of CyLab's corporate partners to meet with CyLab researchers and review their current projects. To learn more about attending the conference or becoming a partner, contact Associate Director of Partnership Development, Michael Lisanti at mlisanti@andrew.cmu.edu or 412-268-1870.

September 29:  Seminar
Narrowing the gap between verification and systematic testing
Speaker: Maria Christakis, Doctoral Student at ETH Zurich
The first part of the talk focuses on combining static program checking with systematic testing. We propose a technique for collaborative verification and testing that makes compromises of static checkers explicit such that they can be compensated for by complementary checkers or testing. In the second part of the talk, I will present how to use systematic testing to achieve verification. As a result of this work, we are able to prove, for the first time, that a Windows image parser is memory safe, that is, free of any buffer-overflow security vulnerabilities.

September 22:  Seminar
Simplifying Middlebox Policy Enforcement Using SDN
Speaker: Vyas Sekar
This talk will describe our work on an SDN-based policy enforcement system called SIMPLE for efficient middlebox-specific “traffic steering”. In designing SIMPLE, we take an explicit stance to work within the constraints of legacy middleboxes and existing SDN interfaces. To this end, we address key algorithmic and system design challenges and demonstrate the feasibility of using SDN to simplify middlebox traffic steering. In doing so, we also take a significant step toward addressing industry concerns surrounding the ability of SDN to integrate with existing infrastructure and support L4–L7 capabilities.

September 15:  Seminar
Trends and Concerns in Enterprise Information Security
Speaker: Anish Bhimani, Chief Information Officer, Corporate Technology and Risk at JP Morgan Chase
The landscape of technology in corporate environments is dramatically changing. While new technologies create exciting opportunities for organizations that embrace them, those same organizations are faced with an exponentially growing list of threats, both externally and internally.

September 8:  Seminar
A Primer on Cyber Threat Intelligence
Speaker: Michael Susong, Co-Founder of iSight Partners
Cyber Threat Intelligence: It’s the latest trend and marketing phrase. How is it really new or different? How is it distinct from threat feeds? How does the IT security organization use intelligence to defend and be proactive? This talk will be an operations-level discussion of how an end-to-end cyber threat intelligence program works, and how cyber threat intelligence flows across the enterprise.

August 18 - August 22:  CERT Training
Secure Coding in C and C++; Advanced Incident Handling
This five-day course, designed for computer security incident response team (CSIRT) technical personnel with several months of incident handling experience, addresses techniques for detecting and responding to current and emerging computer security threats and attacks that are targeted at a variety of operating systems and architectures. 

July 22 - July 24:  CERT Training
Advanced Forensic Response and Analysis
The CERT Advanced Forensic Response and Analysis course is designed for computer forensic professionals who are looking to build on a solid knowledge base in incident response and forensic analysis. The course builds on core forensic topics to provide a process for conducting more complete incident response and forensic analysis investigations. 

July 14 - July 18:  CERT Training
Fundamentals of Incident Handling
This five-day course is for computer security incident response team (CSIRT) technical staff who have little or no incident handling experience. It provides a basic introduction to the main incident handling tasks and critical thinking skills that will help an incident handler perform their daily work. It is recommended to those new to incident handling work. 

July 9 - July 11:  Symposium
Symposium on Usable Privacy and Security (SOUPS) 2014
The tenth Symposium on Usable Privacy and Security (SOUPS) will be held July 9-11, 2014 at Facebook Headquarters in Menlo Park, California. This symposium will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. Visit the SOUPS 2014 website for details.

June 27:  Workshop
Workshop on the Future of Privacy Notice and Choice
In this workshop we will explore the future of privacy notice and choice, examining the needs of end users, how technology can be used to better meet user needs, and relevant public policy space. The workshop will include invited speakers; panels focussing on users, technology, and public policy; and a research poster session.

June 9:  CERT Training
Managing Enterprise Information Security: A Practical Approach for Achieving Defense-in-Depth; Creating a Computer Security Incident Response Team
This one-day course is designed for managers and project leaders who have been tasked with implementing a computer security incident response team (CSIRT). This course provides a high-level overview of the key issues and decisions that must be addressed in establishing a CSIRT. As part of the course, attendees will develop an action plan that can be used as a starting point in planning and implementing their CSIRT.

May 19 - May 21:  CERT Training
Managing Enterprise Information Security: A Practical Approach for Achieving Defense-in-Depth
This five-day hands-on course is designed to increase the knowledge and skills of technical staff charged with administering and securing information systems and networks. Security topics such as vulnerability assessment, systems administration, network monitoring, incident response, and digital forensics will offer a comprehensive defense-in-depth experience.

May 12 - May 16:  CERT Training
Applied Cybersecurity, Incident Response and Forensics
This five-day hands-on course is designed to increase the knowledge and skills of technical staff charged with administering and securing information systems and networks. Security topics such as vulnerability assessment, systems administration, network monitoring, incident response, and digital forensics will offer a comprehensive defense-in-depth experience.

May 9:  Alumnus Book Signing
Core Software Security: Security at the Source
Speaker: Anmol Misra
Core Software Security expounds developer-centric software security, a holistic process to engage creativity for security. Whatever development method is employed, software must be secured at the source.

May 1:  Research Talk
SocioPhone - Mobile interaction sensing system and its applications
Speaker: Youngki Lee, Assistant Professor, Singapore Management University
In this talk, I will first introduce SocioPhone, a mobile system for face-to-face interaction monitoring. Then, I will introduce a novel SocioPhone application, TalkBetter, in more detail. TalkBetter is a mobile in-situ intervention service for everyday clinical care for children with language delay, which is firmly grounded on extensive collaboration with speech-language pathologists.

April 28:  Seminar
Converses for Information Theoretic Cryptography
Speaker: Himanshu Tyagi, Postdoctoral Fellow at the Information Theory and Applications Center, UCSD
In this talk, we will review some simple schemes (based on error correcting codes and efficient hashing) for accomplishing the central cryptographic goals of secret key generation and secure computing.

April 21:  Seminar
Measuring and Defending Against Search-Result Poisoning
Speaker: Nicolas Christin
Search-result poisoning---the technique of fraudulently manipulating web search results---has become over the past few years a primary means of advertisement for operators of questionable websites.

April 14:  Seminar
Social Cybersecurity
Speaker: Jason Hong
There has been a tremendous amount of past work demonstrating many powerful and subtle ways of how social factors can influence people's behaviors and inclination to adopt innovations. However, little of this work has been adapted for cybersecurity. In this talk, I will discuss some of our team's work in progress here. 

April 7:  Seminar
SafeSlinger: Easy-to-Use and Secure Public-Key Exchange
Speaker: Michael Farb
SafeSlinger is the result of research into several protocols, designed to subvert the bane of public-key cryptography, the man-in-the-middle attack.  This solution easily bootstraps secure communication in-person with a device most people already own - their phone. SafeSlinger is designed to allow users to securely exchange any data, such as a public key, for later use.

March 31:  Seminar
Analytic Modernization for the National Security Agency and the Intelligence Community
Speaker: Dr. Patrick Dowd, Chief Technical Officer and Chief Architect, NSA/CSS
How can we create an environment that is still operable while under attack? How can we be certain our data is used according to our legal authorities? This talk will outline a shift in our analytic operating model that was motivated by the desire to improve our analytic product and the security of our environment.

March 24:  Seminar
The Privacy Engineer's Manifesto: Getting from Policy to Code to QA to Value
Speaker: Michelle Dennedy, VP, Chief Privacy Officer, McAfee
This talk will address a cross-functional view on how we got to where we are in the world of taglines like "Big Data," "The Information Age," "Quantified Self," and "IoT".

March 17:  Seminar
Do Search Engines Influence Media Piracy? Evidence from a Randomized Field Study
Speaker: Rahul Telang
The goal of this study is to use a randomized field study to analyze whether search results can influence consumers' choices for piracy versus legal consumption channels.

March 3:  Seminar
Verifying Networking Protocols Using Declarative Networking
Speaker: Limin Jia
In this talk, I will present our work on leveraging NDlog, a declarative networking language, to build a unified framework for implementing, formally verifying, and empirically evaluating network protocols.

February 24:  Seminar
Designing Secure and Reliable Wireless Sensor Networks
Speaker: Osman Yagan
In this talk, we will present our approach that addresses this problem by considering WSNs that employ a randomized key predistribution scheme and deriving conditions to ensure the k-connectivity of the resulting network.

February 17:  Seminar
Privacy through Accountability
Speaker: Anupam Datta
Recognizing that traditional preventive access control and information flow control mechanisms are inadequate for enforcing such privacy policies, we develop principled audit and accountability mechanisms with provable properties that seek to encourage policy-compliant behavior by detecting policy violations, assigning blame and punishing violators.

February 10:  Seminar
Senior Online Safety - An Imperative
Speaker: Christopher Burgess, CEO, Prevendra, Inc.
The imperative comes with a push to make senior online safety a reality: bringing long-term health care facilities into the fold with a defined security awareness program, implementation strategies for senior-citizen protected network solutions, and solutions with family engagement and moderation.

February 3:  Seminar
Toward Self-Managing, Context-Aware Networked Systems
Speaker: Patrick Tague
In this talk we'll describe how this deeply integrated context-awareness can be applied to robust wireless communication, efficient mobile/cellular networking, privacy-preserving sensing in smart environments, and adversarial settings.

January 20:  Seminar
The Password That Never Was
Speaker: Ari Juels, roving chief scientist specializing in computer security
Honeywords are decoys designed to be indistinguishable from legitimate passwords. When seeded in a password database, honeywords offer protection against an adversary that compromises the database and cracks its hashed passwords.

January 13:  Seminar
The SAFE Machine: An Architecture for Pervasive Information Flow
Speaker: Benjamin Pierce, Professor, University of Pennsylvania
The CRASH/SAFE project is building a network host that is highly resilient to cyber-attack. At the lowest level, the SAFE hardware offers fine-grained tagging and efficient support for propagating and combining tags on each instruction dispatch.

2013

November 18:  Seminar
Virtual Realpolitik and Cyber Detente
Speaker: Keith Rhodes, Chief Technology Officer, QinetiQ N.A.

November 11:  Seminar
Application-Sensitive Access Control Evaluation
Speaker: Adam Lee, Assistant Professor, University of Pittsburgh

November 6:  Research Talk
New Security Extensions for the Intel Processor
Speaker: Carlos Rozas, Senior Security Researcher, Intel Labs

November 4:  Seminar
Mobile App Security and Privacy: An Overview of Recent Research Results and their Implications
Speaker: Norman Sadeh

October 28:  Seminar
PlaceRaider: Virtual Theft in Physical Spaces with Smartphones
Speaker: Apu Kapadia, Assistant Professor, Indiana University Bloomington

October 21:  Seminar
The Security of Cyber-Physical Systems
Speaker: Bruno Sinopoli

October 14:  Seminar
Cyber-Security Overview of Critical Infrastructure Substations
Speaker: Virgil Gligor

October 7:  Seminar
Privacy Nudges and Self-Censorship on Social Media
Speaker: Lorrie Cranor

October 1 - October 2:  Conference
Carnegie Mellon CyLab Partners Conference

September 23:  Seminar
Holistic Privacy: from Location Privacy to Genome Privacy
Speaker: Jean-Pierre Hubaux, Professor at École Polytechnique Fédérale de Lausanne

September 17 - September 18:  CERT Training
Insider Threat Workshop
The CERT Program at Carnegie Mellon University's Software Engineering Institute has been researching insider threats since 2002. We have compiled a database containing hundreds of actual insider threat cases. Our insider threat research focuses on both technical and behavioral aspects of actual compromises; our goal is to raise awareness of the risks of insider threat and to help identify the factors influencing an insider's decision to act, the indicators and precursors of malicious acts, and the countermeasures that will improve the survivability and resiliency of the organization. 

September 16:  Seminar
Operation Olympic Games: History and Future Impact
Speaker: Rick Howard, CISO, TASC

September 9:  Celebration
CyLab's 10th Anniversary
CMU CyLab marks its first ten years of leadership in cybersecurity research and education in 2013. The event will include a special faculty panel on "CyLab and the next ten years," followed by a poster session and reception. The panelists will include Virgil Gligor, Nicolas Christin, Lorrie Cranor, and Anupam Datta. This special event is not open to the public and attendance is by invitation only. For details, please contact Nichole Dwyer at nichole@cmu.edu.

July 8 - July 12:  CERT Training
Information Security for Technical Staff
This five-day course is designed to provide participants with practical techniques for protecting the security of an organization's information assets and resources, beginning with concepts and proceeding on to technical implementations.

June 11 - June 13:  CERT Training
Managing Enterprise Information Security: A Practical Approach for Achieving Defense-in-Depth
This three-day course begins with a brief review of the conceptual foundations of information security. Next, students will be introduced to the CERT Defense-in-Depth Framework: eight operationally focused and interdependent management components which will be synergistically applied to a fictitious organization's Information Technology (IT) enterprise.

May 20 - May 24:  CERT Training
Applied Cybersecurity, Incident Response and Forensics
This five-day hands-on course is designed to increase the knowledge and skills of technical staff charged with administering and securing information systems and networks. Security topics such as vulnerability assessment, systems administration, network monitoring, incident response, and digital forensics will offer a comprehensive defense-in-depth experience.

May 13 - May 17:  CERT Training
Fundamentals of Incident Handling
This five-day course is for computer security incident response team (CSIRT) technical staff who have little or no incident handling experience. It provides a basic introduction to the main incident handling tasks and critical thinking skills that will help an incident handler perform their daily work. It is recommended to those new to incident handling work.

April 29:  Seminar
Addressing Intractable Optimization and Verification Problems in Access Control
Speaker: Mahesh Tripunitara, Assistant Professor, University of Waterloo

April 22:  Seminar
Analyzing the Privacy and Security Behaviors of Smartphone Apps
Speaker: Jason Hong

April 15:  Seminar
An Experiment In Hiring Discrimination Via Online Social Networks
Speaker: Alessandro Acquisti

April 8:  Seminar
The Middlebox Manifesto: Enabling Innovation in Middlebox Deployment
Speaker: Vyas Sekar, Assistant Professor, Stony Brook University

April 1:  Seminar
Locating Mobile Devices with Sound and Light
Speaker: Anthony Rowe

March 25:  Seminar
CANCELLED
Speaker: Douglas Maughan, Cyber Security Division Director, Department of Homeland Security

March 18:  Seminar
Can You Trust Your Cars? Security and Privacy Vulnerabilities of In-Car Wireless Sensor Networks
Speaker: Wenyuan Xu, Asst. Professor, Dept. Computer Science and Engineering, University of South Carolina

March 4:  Seminar
SenSec: Mobile Application Security through Passive Sensing
Speaker: Joy Zhang

March 4 - March 8:  CERT Training
Information Security for Technical Staff
This five-day course is designed to provide participants with practical techniques for protecting the security of an organization's information assets and resources, beginning with concepts and proceeding on to technical implementations. 

February 25:  Seminar
DGA-based Botnets: Discovery, Classification, and Tracking
Speaker: Robert Perdisci, Assistant Professor at the University of Georgia

February 18:  Seminar
SafeSlinger: Easy-to-Use and Secure Public-Key Exchange
Speaker: Yue-Hsun Lin

February 11:  Seminar
The need for science and engineering disciplines to move the information protection field forward
Speaker: Fred Cohen, President of California Sciences Institute and CEO of a Federal contractor and a private consulting company

February 4:  Seminar
Chasing Telephony Security: Where the Wild Things... Are?
Speaker: Patrick Traynor, Assistant Professor, Georgia Institute of Technology

January 28:  Seminar
A Decoy Substrate for Information Security
Speaker: Angelos Keromytis, Associate Professor of Computer Science, Director of the Network Security Lab at Columbia University

January 21:  Seminar
Secure Control of Cyber-Physical Systems
Speaker: Bruno Sinopoli

January 14:  Seminar
Exploring System Security and Dependability through Big Data Techniques
Speaker: Tudor Dumitras, Symantec Research Labs

2012

November 11:  Seminar
TBA
Speaker: Adam Lee, Assistant Professor, University of Pittsburgh

December 10:  Seminar
Safe Software
Speaker: David Brumley

December 10 - December 14:  CERT Training
Advanced Incident Handling
This five-day course, designed for computer security incident response team (CSIRT) technical personnel with several months of incident handling experience, addresses techniques for detecting and responding to current and emerging computer security threats and attacks that are targeted at a variety of operating systems and architectures. 

December 3:  Seminar
Run-Time Enforcement of Information-Flow Properties on Android
Speaker: Limin Jia

November 26:  Seminar
C-MART: Benchmarking the Cloud
Speaker: Hyong Kim

November 12:  Seminar
Cyberwar: You're Doing It Wrong!
Speaker: Marcus Ranum, Chief Security Officer, Tenable

November 5:  Viewing
Broadcast of the Code 2600 Panel Discussion

October 29:  Seminar
Helping Users Create Better Passwords
Speaker: Lujo Bauer

October 22:  Seminar
Spoofing Operating System Security Interfaces to Study User Security Behaviors
Speaker: Lorrie Cranor

October 19:  Research Talk
Measuring Cybercrime
Speaker: Richard Clayton, Security researcher at the University of Cambridge

October 15:  Seminar
Collaborative Distributed Inferencing - Intelligent Control of Data and Networks
Speaker: Christopher Burgess, COO and CSO, Atigeo

October 12:  Viewing
Code 2600
Speaker: Jeremy Zerechak and Lorrie Cranor

October 12:  Panel Discussion
Code 2600
Speaker: Jeremy Zerechak, Lorrie Cranor, Nicolas Christin and Norman Sadeh.

October 8:  Seminar
Traveling the Silk Road: A measurement analysis of a large online anonymous marketplace
Speaker: Nicolas Christin

October 2 - October 3:  Conference
Carnegie Mellon CyLab Partners Conference
The CyLab Partners Conference is an annual gathering of CyLab's corporate partners to meet with CyLab researchers and review their current projects. 

September 24:  Seminar
On the Foundations of Trust in Networks of Humans and Computers
Speaker: Virgil Gligor

September 17:  Seminar
Dynamic Jamming Avoidance
Speaker: Yih-Chun Hu, Associate Professor, University of Illinois

September 10:  Research Talk
Usable and Secure Password Management
Speaker: Jeremiah Blocki, Graduate Student, Carnegie Mellon University

July 26:  Research Talk
Illumination Invariant Face Recognition using Gamma Normalization and Sobel Edge Detection
Speaker: Augusto Sarti, Associate Professor at Politecnico di Milano

July 11 - July 13:  Symposium
Symposium on Usable Privacy and Security (SOUPS) 2012
The eighth Symposium on Usable Privacy and Security (SOUPS) will be held July 11th through July 13th at the AAAS building in Washington, DC. SOUPS brings together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. Visit the SOUPS 2012 website for details.

June 19:  Research Talk
The Persistence of Passwords and Evaluating Authentication Alternatives
Speaker: Paul C. Van Oorschot, Professor, Carleton University

June 9:  Celebration
CMU Silicon Valley 10th Anniversary Celebration
Join us on Saturday, June 9, 2012 to celebrate the rich history of CMU and its impact on the west coast! We will host the 10th anniversary event on the campus at Moffett Field beginning at 3:30 PM. All attendees are welcome to participate in the festivities. 

May 15 - May 17:  CERT Training
Managing Enterprise Information Security: A Practical Approach for Achieving Defense-in-Depth
This three-day course begins with a brief review of the conceptual foundations of information security. This course is designed for individuals charged with implementing information security throughout the IT enterprise. Therefore, this course is an ideal pursuit for IT and Security managers, and/or system administrators and IT security personnel who would like to step up to the management level.

May 14:  Research Talk
Current topics and research activities at Darmstadt IT-security research cluster
Speaker: Dr. Michael Waidner, Chair Professor for Security in IT, Technische Universität Darmstadt

May 7 - May 11:  CERT Training
Advanced Incident Handling
This five-day course, designed for computer security incident response team (CSIRT) technical personnel with several months of incident handling experience, addresses techniques for detecting and responding to current and emerging computer security threats and attacks that are targeted at a variety of operating systems and architectures. 

April 30:  Seminar
Crowdsourcing for Privacy and Security
Speaker: Jason Hong

April 23:  Seminar
Awareness and Adaptation for Robust Wireless Communications
Speaker: Patrick Tague

April 19:  Research Talk
Evaluating Mobile Smartphone Security: The First Four Years
Speaker: Patrick McDaniel, Professor, Penn State University

April 16:  Seminar
Business Risks Forum: Privacy by Design for our Technology and Our Future - Why the Future Still Needs Us
Speaker: Michelle Dennedy, VP and Chief Privacy Officer, McAfee

April 9:  Seminar
Techniques for Enhancing Reliability of Physical Unclonable Functions
Speaker: Ken Mai

April 2:  Seminar
Supply Chain Security: Do you know who your insiders are?
Speaker: Bob Hutchinson, Senior Manager, Sandia National Laboratories’ Information Security Sciences Group

March 26:  Seminar
New Software Security Research Directions
Speaker: Nancy Mead

March 22:  Research Talk
Towards Verifiably Safe Machine Code
Speaker: Dr. Gang Tan, assistant professor at Lehigh University

March 19:  Seminar
SafeSlinger: Applied Ad-hoc Smartphone Trust Establishment
Speaker: Michael Farb

March 5:  Seminar
Multiple Uses of Correlation Filters for Biometrics
Speaker: Vijayakumar Bhagavatula

February 27:  Seminar
Application Of Intelligence Principles To Raise IT Security To The Next Level
Speaker: Mike Susong, co-founder of iSIGHT

February 22:  Research Talk
Integrity and Consistency for Untrusted Services
Speaker: Christian Cachin, IBM Research

February 21:  Research Talk
Evolving the Internet with Declarative Networking
Speaker: Boon Thau Loo, Assistant Professor, University of Pennsylvania

February 20:  Seminar
Verifying the Integrity of Peripherals' Firmware
Speaker: Jonathan McCune

February 17:  Seminar
Toughest Challenges and Our Solutions to Tackling Unconstrained Long Range Biometric Identification
Speaker: Marios Savvides

February 6:  Seminar
SensorFly and Beyond: Flying Sensing Systems in the Wild
Speaker: Pei Zhang

January 30:  Seminar
Business Risks Forum: The Internet in Intelligence and Investigations
Speaker: Edward Appel, Principal, iNameCheck

January 23:  Seminar
A Very Short Course on Secure Programming in Java
Speaker: Dr. Dean Sutherland, Senior Software Security Engineer, SEI/CERT

January 16:  Seminar
When Friendship Isn't Enough: Investigating access control strategies and mishaps on social networking websites
Speaker: Serge Egelman, Postdoctoral Researcher, University of California, Berkeley

2011

December 5:  Seminar
Auditing in an Incomplete and Imperfect World
Speaker: Limin Jia

November 28:  Seminar
The eXpressive Internet Architecture
Speaker: Dave Andersen

November 21:  Seminar
Cloud Security: New Challenges, New Opportunities
Speaker: Xiaofeng Wang, Associate Professor, Indiana University

November 14:  Seminar
Making Sound Design Decisions using Quantitative Security Metrics
Speaker: Bill Sanders, Professor, University of Illinois

November 7:  Seminar
Analyzing Search-Engine Manipulation Campaigns
Speaker: Nicolas Christin

October 31:  Seminar
Measuring the Security and Usability of Password-Composition Policies
Speaker: Lujo Bauer

October 24:  Seminar
Business Risks Forum - 4 Years and 4 Thousand Websites: What Have We Learned about Hacking Websites?
Speaker: Jeremiah Grossman, Founder and CTO, WhiteHat Security

October 17:  Seminar
Wireless Sensor Networks for Building Energy Management
Speaker: Anthony Rowe

October 10:  Seminar
Do Security Certifications work? Evidence from Common Criteria Certification
Speaker: Rahul Telang

October 3:  Seminar
15 Years of Privacy Notice & Choice
Speaker: Lorrie Cranor

September 26 - September 27:  Conference
Carnegie Mellon CyLab Partners Conference
The CyLab Partners Conference is an annual gathering of CyLab's corporate partners to meet with CyLab researchers and review their current projects. 

September 19:  Seminar
The Architecture of Cyberdefense
Speaker: R. Bhaskar

September 15:  Research Talk
Location Information Scrambling for Protection of Smartphone Users’ Privacy
Speaker: Kang Shin, Professor, University of Michigan

September 12:  Seminar
The Challenge of Privacy Protection for Statistical Network Data
Speaker: Stephen Fienberg

September 7 - September 9:  CERT Training
Managing Enterprise Information Security: A Practical Approach for Achieving Defense-in-Depth
This three-day course begins with a brief review of the conceptual foundations of information security. Next, students will be introduced to the CERT Defense-in-Depth Framework: eight operationally focused and interdependent management components which will be synergistically applied to a fictitious organization's Information Technology (IT) enterprise.

August 15 - August 19:  CERT Training
Fundamentals of Incident Handling
This five-day course is for computer security incident response team (CSIRT) technical staff who have little or no incident handling experience. It provides a basic introduction to the main incident handling tasks and critical thinking skills that will help an incident handler perform their daily work. It is recommended to those new to incident handling work. 

August 9 - August 11:  CERT Training
Assessing Information Security Risk Using the OCTAVE Approach
In this three-day course, participants learn to perform information security risk assessments using the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) approach. 

July 20 - July 22:  Symposium
Symposium on Usable Privacy and Security (SOUPS) 2011
The seventh Symposium on Usable Privacy and Security (SOUPS) will be held July 20-22, 2011 at Carnegie Mellon University in Pittsburgh, PA. This symposium will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. Visit the SOUPS 2011 website for details.

July 11 - July 22:  Workshop
IA Capacity Building 2011
The Information Assurance Capacity Building Program (IACBP) is an intensive, in-residence summer program to help build Information Assurance education and research capacity at colleges and universities designated as Minority Serving Institutions.

June 22 - June 24:  Conference
TRUST 2011
TRUST 2011 is an international conference on the technical and socio-economic aspects of trustworthy infrastructures. It provides an excellent interdisciplinary forum for researchers, practitioners, and decision makers to explore new ideas and discuss experiences in building, designing, using and understanding trustworthy computing systems. Find out more at the TRUST 2011 website.

June 19 - June 23:  Workshop
Trusted Infrastructure Workshop 2011
The Trusted Infrastructure Workshop (TIW) is aimed at all researchers in the field of IT security with an interest in systems and infrastructure security, as well as younger master's or PhD students who are new to the field.

May 9:  Seminar
SCION: Scalability, Control, and Isolation On Next-Generation Networks
Speaker: Adrian Perrig

April 28:  Seminar
SEI Webinar: Assurance Cases for Medical Devices
Speaker: Chuck Weinstock
Recently the U.S. Food and Drug Administration (FDA) issued guidance to infusion pump manufacturers recommending the use of an assurance case to justify claims of safety. This presentation will include a brief introduction to assurance cases, why they are useful, how they are developed, and how they can be used to help assure the safety of medical devices.

April 25:  Seminar
The Dependability of Complex Socio-Technical Infrastructure
Speaker: Ross Anderson, Professor of Security Engineering, Cambridge University

April 21:  Seminar
Deception in the Networked Age: A Psychological Approach
Speaker: Jeffrey Hancock

April 20:  Seminar
Secure Computation in the Real(ish) World
Speaker: David Evans, Associate Professor, University of Virginia

April 19:  Seminar
Random Graph Modeling of Key Distribution Schemes for Wireless Sensor Networks
Speaker: Osman Yagan

April 18:  Seminar
HIPAA Security: The Reality of Technical Vulnerabilities in Health Care Organizations
Speaker: Greg Porter, Adjunct Faculty, Carnegie Mellon University

April 13:  Seminar
Towards a Highly Available Internet
Speaker: Thomas Anderson

April 12:  Seminar
Wiki Surveys: Open, Adaptive, and Quantifiable Social Data Collection
Speaker: Matthew Salganik, Princeton University

April 11:  Seminar
System Health Management using Bayesian Networks
Speaker: Ole Mengshoel

April 8:  Seminar
Wireless Location Privacy: Depersonalization Techniques and Connected Vehicle Applications
Speaker: Marco Gruteser

April 4:  Seminar
Secure and Efficient Coexistence with Primary Users in the White Space TV Band Spectrum
Speaker: Thomas Moscibroda

March 28:  Seminar
Understanding online criminals: Two years of trawling for drugs and pornography on the Internet
Speaker: Nicolas Christin

March 21:  Seminar
Big Data, New Physics, and Geospatial Super-Food
Speaker: Jeff Jonas

March 18:  Seminar
Automated Detection of Guessing and Denial of Service Attacks in Security Protocols
Speaker: Marius Minea
This talk presents an approach to modeling two types of security flaws for which limited or no prior support for automated detection exists. 

March 17:  Seminar
SEI Webinar: Architecture+TSP = High Quality+Fast
Speaker: Felix H. Bachmann
The purpose of architecture centric engineering (ACE) is to ensure that a system is built that fulfills the stakeholder’s needs by satisfying its business and quality-attribute goals. The team software process (TSP) ensures the development and delivery of the software in increments on time and in high quality. 

March 14:  Seminar
Can Social Networking and Privacy be Reconciled?
Speaker: Norman Sadeh

February 22 - February 24:  Course
CERT: Introduction to the CERT Resilience Management Model
This three-day course introduces a model-based process improvement approach to managing operational resilience using the CERT® Resilience Management Model (CERT-RMM) v1.1. CERT-RMM is a maturity model that promotes the convergence of security, business continuity, and IT operations activities to help organizations actively direct, control, and manage operational resilience and risk.

February 21:  Seminar
Location Privacy for Mobile Computing
Speaker: Jason Hong

February 14:  Seminar
Building Cyber Capability and Capacity to Meet Navy's Maritime Challenges
Speaker: CDR James H. Mills USN

February 14 - February 18:  Course
CERT: Malware Analysis Apprenticeship
This five-day hands-on course provides participants with an opportunity to learn best practices for analyzing malicious code. Participants will acquire a fundamental understanding of a variety of malware analysis tools and techniques which can directly support their organization's incident response efforts and increase performance in their functional role(s).

February 7:  Seminar
Advancements in Unconstrained Biometric Identification
Speaker: Marios Savvides

January 31:  Seminar
Proving Voltaire Right: Security Blunders Dumber Than Dog Snot
Speaker: Roger Johnston

January 26:  Symposium
Data Privacy Day 2011
Speaker: Alessandro Acquisti

January 24:  Seminar
Cyber Underground - The Underground Economy
Speaker: Keith Mularski

2010

December 13 - December 17:  Course
CERT: Advanced Incident Handling
This five-day course, designed for computer security incident response team (CSIRT) technical personnel with several months of incident handling experience, addresses techniques for detecting and responding to current and emerging computer security threats and attacks that are targeted at a variety of operating systems and architectures. 

December 6 - December 10:  Course
CERT: Information Security for Technical Staff
This five-day course is designed to provide participants with practical techniques for protecting the security of an organization's information assets and resources, beginning with concepts and proceeding on to technical implementations. 

November 30:  Course
CERT: Creating a Computer Security Incident Response Team
This one-day course is designed for managers and project leaders who have been tasked with implementing a computer security incident response team (CSIRT). 

November 15:  Seminar
What’s Smart Got To Do With It? A technical overview of Advanced Metering Infrastructure and its associated deployment challenges
Speaker: Seth Bromberger, Executive Vice President, Energy Sector Security Consortium

November 15 - November 18:  Course
CERT: Advanced Information Security for Technical Staff
This four-day course is designed to increase the depth of knowledge and skills of technical staff charged with administering and securing information systems and networks.

November 10:  Seminar
Abuse Control for Anonymous Networking
Speaker: Nick Hopper

November 8:  Seminar
SQUARE and Privacy Requirements Engineering
Speaker: Nancy R. Mead

November 1:  Seminar
Coping with Malice in Wireless and Vehicular Networks
Speaker: Yih-Chun Hu

October 25:  Seminar
A Civilian Perspective on Cyber War
Speaker: COL (R) Lawrence D. Dietz, Esq.

October 25 - October 29:  Course
CERT: Malware Analysis Apprenticeship
This five-day hands-on course provides participants with an opportunity to learn best practices for analyzing malicious code.

October 12 - October 14:  Course
CERT: Assessing Information Security Risk Using the OCTAVE Approach
In this three-day course, participants learn to perform information security risk assessments using the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) approach. 

October 11:  Seminar
Monitoring Strategies for Detection of Insider Threats
Speaker: Michael P. Hanley and Christopher K. King

October 4:  Conference
Media Summit: The Rise of (Private) Niche News Model
Moderator: Ted Selker

September 29 - October 1:  Conference
Carnegie Mellon CyLab Partners Conference
The CyLab Partners Conference is an annual gathering of CyLab's corporate partners to meet with CyLab researchers and review their current projects. 

September 28 - October 1:  Course
CERT: Managing Enterprise Information Security: A Practical Approach for Achieving Defense-in-Depth
Through lectures, demonstrations, scenario-based exercises, small group activities, and open discussions, students will learn high-level best practices for effectively integrating each of eight components into all aspects of IT operations.

September 21:  Seminar
Confessions of a Browser Developer
Speaker: Robert O'Callahan
In this talk I will analyze Firefox development, talking both about successes (e.g. fuzz testing) and ongoing problems (e.g. nondeterministic test failures).

September 20:  Seminar
Cloud Computing and Software Security
Speaker: Ulfar Erlingsson

September 20 - September 24:  Course
CERT: Advanced Incident Handling
This five-day course, designed for computer security incident response team (CSIRT) technical personnel with several months of incident handling experience, addresses techniques for detecting and responding to current and emerging computer security threats and attacks that are targeted at a variety of operating systems and architectures. 

September 13:  Seminar
Dangerous Optimizations and a Loss of Causality
Speaker: Robert Seacord

August 16 - August 20:  Course
CERT: Fundamentals of Incident Handling
This five-day course is for computer security incident response team (CSIRT) technical staff who have little or no incident handling experience. It provides a basic introduction to the main incident handling tasks and critical thinking skills that will help an incident handler perform their daily work. It is recommended to those new to incident handling work. 

August 3 - August 6:  Course
CERT: Introduction to the CERT Resilience Management Model
This four-day course introduces a model-based process improvement approach to managing operational resilience using the CERT® Resilience Management Model (CERT-RMM) v1.0. 

July 21 - July 23:  Course
CERT: Managing Computer Security Incident Response Teams
This three-day course provides current and future managers of computer security incident response teams (CSIRTs) with a pragmatic view of the issues that they will face in operating an effective team. 

July 20:  Course
CERT: Creating a Computer Security Incident Response Team
This one-day course is designed for managers and project leaders who have been tasked with implementing a computer security incident response team (CSIRT).

July 12 - July 23:  Workshop
IA Capacity Building 2010
The Information Assurance Capacity Building Program (IACBP) is an intensive, in-residence summer program to help build Information Assurance education and research capacity at colleges and universities designated as Minority Serving Institutions.

June 21 - June 25:  Course
CERT: Information Security for Technical Staff
This five-day course is designed to provide participants with practical techniques for protecting the security of an organization's information assets and resources, beginning with concepts and proceeding on to technical implementations. 

June 9 - June 11:  Conference
Symposium on Access control Models and Technologies 2010
Sponsored by CyLab, SACMAT 2010 is a premier forum for presentation of research on leading-edge issues of access control, including models, systems, applications, and theory.

June 7 - June 11:  Workshop
Trusted Infrastructure Workshop 2010
The Trusted Infrastructure Workshop (TIW) is aimed at all researchers in the field of IT security with an interest in systems and infrastructure security, as well as younger master's or PhD students who are new to the field.

June 2:  Seminar
Proving that you are who you say you are, even if you've lost your password
Speaker: Stuart Schechter, Researcher, Microsoft Research

May 18 - May 21:  Course
CERT: Managing Enterprise Information Security: A Practical Approach for Achieving Defense-in-Depth
Through lectures, demonstrations, scenario-based exercises, small group activities, and open discussions, students will learn high-level best practices for effectively integrating each of eight components into all aspects of IT operations. 

May 17:  Seminar
Using Influence to Understand Complex Systems
Speaker: Adam Oliner

May 17 - May 21:  Course
CERT: Malware Apprenticeship Program
This five-day hands-on course provides participants with an opportunity to learn best practices for analyzing malicious code.

May 10:  Seminar
Understanding Cyberattack as an Instrument of U.S. Policy
Speaker: Herb Lin, Chief Scientist, CS and Telecommunications Board of the National Academies

May 3 - May 7:  Course
CERT: Advanced Incident Handling
This five-day course, designed for computer security incident response team (CSIRT) technical personnel with several months of incident handling experience, addresses techniques for detecting and responding to current and emerging computer security threats and attacks that are targeted at a variety of operating systems and architectures. 

April 26:  Seminar
Everything You Know about Cybercrime is Wrong
Speaker: Cormac Herley, Principal Researcher, Microsoft Research

April 20 - April 22:  Course
CERT: Assessing Information Security Risk Using the OCTAVE Approach
In this three-day course, participants learn to perform information security risk assessments using the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) approach. 

April 19:  Seminar
Symantec’s Customer-Centric Approach to Innovation
Speaker: Mark Bregman, Executive Vice President, Chief Technology Officer, Symantec

April 17:  Symposium
INI 20th Anniversary Celebration
Come together with alumni, faculty, students and friends of the INI as we commemorate two decades of academic excellence and innovation.

April 12:  Seminar
Smart Bridges, Smart Tunnels: Transforming Wireless Sensor Networks from Research Prototypes into Robust Engineering Infrastructure
Speaker: Frank Stajano, CyLab Visiting Scholar

April 12 - April 15:  Course
CERT: Advanced Information Security for Technical Staff
This four-day course is designed to increase the depth of knowledge and skills of technical staff charged with administering and securing information systems and networks.

April 5:  Seminar
Managing Business Breaches and Suspected Nation State Attacks
Speaker: Jody Westby

March 29:  Seminar
Operational Resilience: Why Process Maturity Matters
Speaker: Richard Caralli, Technical Manager, CERT Resilient Enterprise Management Team

March 23 - March 24:  Course
CERT: Insider Threat Workshop
Our insider threat research focuses on both technical and behavioral aspects of actual compromises; our goal is to raise awareness of the risks of insider threat and to help identify the factors influencing an insider's decision to act, the indicators and precursors of malicious acts, and the countermeasures that will improve the survivability and resiliency of the organization. 

March 22:  Seminar
Manipulation of Digital Evidence in Investigations
Speaker: Ed Stroz, Stroz Friedberg
This presentation is part of a unique CyLab-sponsored series related to the CyLab Intelligence Briefings and Culture of Security. Richard Power, Distinguished Fellow, CyLab, will host the series.

March 22 - March 26:  Course
CERT: Fundamentals of Incident Handling
This five-day course is for computer security incident response team (CSIRT) technical staff who have little or no incident handling experience. It provides a basic introduction to the main incident handling tasks and critical thinking skills that will help an incident handler perform their daily work.

March 18:  Seminar
Hacking Comes of Age: Climategate, Cyber-Espionage and iWar
This special panel will explore the changing nature of computer hacking by highlighting some recent cases that have made headlines and raised dire questions about computer security as a new infrastructure problem.

March 8:  Seminar
Architecture Is Policy: The Legal and Social Impact of Technical Design Decisions
CUPS Lab Special Event at CMU featuring Electronic Frontier Foundation Board Members

March 1:  Seminar
RFDump: What is in the Ether?
Speaker: Peter Steenkiste

February 24:  Seminar
Detecting DDoS Attacks and Worms using Randomness Check
Speaker: Heejo Lee, Associate Professor, Dept of Computer Sci & Eng, Korea University

February 22:  Seminar
Modularity in Computer Security
Speaker: Anupam Datta

February 16 - February 19:  Course
CERT: Introduction to CERT Resiliency Management Model
This four-day course introduces a model-based process improvement approach to managing operational resiliency using the CERT® Resiliency Management Model (CERT RMM) v1.0. 

February 15:  Seminar
SplitScreen: Insights from Embedded Systems Speed Signature Matching
Speaker: Dave Andersen

February 9 - February 12:  Course
CERT: Secure Coding in C and C++
This four-day course provides a detailed explanation of common programming errors in C and C++ and describes how these errors can lead to code that is vulnerable to exploitation. The course concentrates on security issues intrinsic to the C and C++ programming languages and associated libraries.

February 1:  Seminar
Why Usability Can't Be Just Skin Deep
Speaker: Lujo Bauer

January 25:  Seminar
Common Sense Approach to Social Media
Speaker: Christopher Burgess, senior security advisor to the chief security officer of Cisco®
This presentation is part of a unique CyLab-sponsored series related to the CyLab Intelligence Briefings and Culture of Security. Richard Power, Distinguished Fellow, CyLab, will host the series.

January 15:  Seminar
MS in Information Technology – Software Engineering Management
Speaker: Dr. Phil Miller, SEI Senior Member
Join Dr. Phil Miller, Senior Member of the Operational Staff at the Software Engineering Institute for a webinar on the MS-IT - Software Engineering Management program.

January 11:  Seminar
Compression, Correction, Confidentiality, and Comprehension: A Modern Look at Commercial Telegraph Codes
Speaker: Dr. Steven Bellovin

2009

December 14 - December 16:  Conference
ASIAN '09 Conference
Held at Xinjiang University Campus, Urumqi, China.

November 16:  Seminar
"Information Sharing vs. Privacy - Is it a Celebrity Death Match?"
Speaker: Erin Kenneally
This presentation is part of a unique CyLab-sponsored series related to the CyLab Intelligence Briefings and Culture of Security. Richard Power, Distinguished Fellow, CyLab, will host the series.

November 9:  Seminar
"I Agreed to What?!" Re-envisioning License Agreements and Privacy Statements
Speaker: Michael Terry

October 26:  Seminar
Business Risks Forum: "Starting Over After A Lost Decade; In Search of a Bold New Vision for Cyber Security"
Speaker: Richard Power, CyLab Distinguished Fellow

October 21:  Seminar
Online Social Networks: Research Challenges & Results
Speaker: Peter Marbach, Associate Professor, Computer Science, University of Toronto

October 20:  Conference
Creating a Computer Security Incident Response Team

October 19:  Seminar
Security vs. Costs and Energy in Clouds
Speaker: Dr. Radu Sion, Assistant Professor, Computer Science, SUNY Stony Brook

October 14 - October 16:  Conference
Carnegie Mellon CyLab Partners Conference
Speaker: Gene Hambrick
The CyLab Partners Conference is an annual gathering of CyLab's corporate partners to meet with CyLab researchers and review their current projects.

October 5:  Seminar
Recent results for random key graphs: Connectivity, triangles, etc.
Speaker: Armand Makowski, Professor, Electrical Engineering, University of Maryland

September 28:  Seminar
"Enterprise Security for the Executive: Setting the Tone From the Top"
Speaker: Jennifer Bayuk, Information Security Specialist, www.bayuk.com
This presentation is part of a unique CyLab-sponsored series related to the CyLab Intelligence Briefings and Culture of Security. Richard Power, Distinguished Fellow, CyLab, will host the series.

September 21:  Seminar
Cryptographic Hash Functions
Speaker: Charanjit Jutla, IBM T. J. Watson Research Center

September 16 - September 17:  CERT Training
Insider Threat Workshop
CERT Training, held at SEI Arlington, VA.

September 14:  Seminar
Design Intent: A Principled Approach to Application Security
Speaker: Jonathan Aldrich

August 17 - August 21:  CERT Training
Fundamentals of Incident Handling
CERT Training, held at SEI Arlington, VA.

July 15 - July 17:  Symposium
Symposium on Usable Privacy and Security (SOUPS)
The fifth Symposium on Usable Privacy and Security (SOUPS) will be held July 15-17, 2009 at Google in Mountain View, CA. This symposium will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. Visit the SOUPS 2009 website for details.

July 13 - July 24:  Workshop
Building Capacity
The Information Assurance Capacity Building Program (IACBP) is an intensive, in-residence summer program to help build Information Assurance education and research capacity at colleges and universities designated as Minority Serving Institutions. The IACBP will be held at CyLab HQ in the CIC building in Pittsburgh, PA.

July 8 - July 11:  Conference
CSF 2009: 22nd IEEE Computer Security Foundations Symposium
Carnegie Mellon CyLab is supporting CSF 2009. CSF is an annual conference for researchers in computer security to examine current theories of security, the formal models that provide a context for those theories, and techniques for verifying security. Over the past two decades, many seminal papers and techniques have been presented first at CSF. Visit the CSF 2009 website for details.

June 22:  Conference
Portugal Conference & Summer Academy
The First Annual Carnegie Mellon | Portugal Conference, entitled “Economy 3.0: Re-Boot and Re-Connect” is sponsored by the Fundação para a Ciência e Tecnologia and will take place on June 22, 2009, at Palácio da Bolsa, Porto, Portugal. Visit the CMU|Portugal Conference 2009 website for details.

June 15 - June 16:  Workshop
Instinctive Computing 2009
In this workshop, participants will explore transformational developments in Instinctive Computing, including the building blocks for instinctive computing systems and potential applications such as security, privacy, human-computer interaction, next generation networks, and product design. Visit the Instinctive Computing 2009 website for details.

June 8 - June 12:  Workshop
Trusted Infrastructure Workshop: Advanced Summer School on Architectures for Trustworthy Computing
The TIW is aimed at all researchers in the field of IT security with an interest in systems and infrastructure security, as well as younger master's or PhD students who are new to the field. Visit the TIW 2009 website for details.

May 18:  Seminar
Tricks For Defeating SSL In Practice
Speaker: Moxie Marlinspike, Fellow, Institute for Disruptive Studies

May 11:  Seminar
Inside Theft of Intellectual Property in Organizations
Speaker: Andrew Moore, Senior Technical Staff Member, CERT

May 4:  Seminar
Sensing, Estimation and Control of Cyber-Physical Systems
Speaker: Bruno Sinopoli, Faculty, CyLab

May 1 - May 2:  CERT Training
Information Security for Technical Staff

April 27:  Seminar
Hide and Seek with Hacker Data
Speaker: Justin Peltier, Senior Security Consultant with Peltier Associates

April 25:  Seminar
Business Risks Forum: the blurring of man and machine
Speaker: Don Burke, Directorate of Science and Technology, CIA
This presentation is part of a unique CyLab-sponsored series related to the CyLab Intelligence Briefings and Culture of Security. Richard Power, Distinguished Fellow, CyLab, will host the series.

April 10 - April 11:  CERT Training
Security Challenges in an Evolving World

April 6:  Seminar
Of Frogs and Herds
Speaker: Alessandro Acquisti, Faculty, CyLab

March 23:  Seminar
Implantable Medical Devices
Speaker: Kevin Fu, Assistant Professor, University of Massachusetts Amherst

March 16:  Seminar
User-Controllable Security and Privacy
Speaker: Norman Sadeh, Faculty, CyLab

March 2:  Seminar
Teaching Johnny Not to Fall for Phish
Speaker: Lorrie Cranor, Director, CyLab Usable Privacy and Security Laboratory

February 23:  Seminar
Convergence of Information Security, Privacy & Compliance
Speaker: Rebecca Herold, CIPP, CISSP, CISM, CISA, FLMI
This presentation is part of a unique CyLab-sponsored series related to the CyLab Intelligence Briefings and Culture of Security. Richard Power, Distinguished Fellow, CyLab, will host the series.

February 16:  Seminar
Super-Resolution for Face Recognition
Speaker: Vijayakumar Bhagavatula, Faculty, CyLab

February 3:  Seminar
Safe Passage for Passwords and Other Sensitive Data
Speaker: Jonathan McCune, Systems Scientist, CyLab

February 2:  Seminar
Instinctive Computing
Speaker: Yang Cai, Director, Instinctive Computing Lab; Senior Systems Scientist, CyLab

January 26:  Seminar
Electronic Crime Ecosystem
Speaker: Mike Susong, Vice President for Intelligence Operations, iSIGHT Partners
This presentation is part of a unique CyLab-sponsored series related to the CyLab Intelligence Briefings and Culture of Security. Richard Power, Distinguished Fellow, CyLab, will host the series.

January 23:  Seminar
Health Communication Paradigms for Cyber-Security
Speaker: Dr. Robert LaRose, Professor, Department of Telecommunication, Information Studies, and Media at Michigan State University

January 19:  Seminar
Secure or Insure? A Game-Theoretic Analysis
Speaker: Nicolas Christin

January 12:  Seminar
Identity-Based Key Exchange Protocols
Speaker: Rosario Gennaro, Staff Member, IBM T.J. Watson Research Center

2008

December 1 - December 5:  CERT Training
Information Security for Technical Staff

November 17 - November 21:  CERT Training
Advanced Incident Handling

November 10 - November 14:  CERT Training
Mobile and Pervasive Computing Services for Technology Executives

November 3 - November 7:  Symposium
Fundamentals of Incident Handling

November 3 - November 7:  CERT Training
Advanced Information Security for Technical Staff

October 23:  Symposium
AFIO 2008 Fall Intelligence Symposium: Threats to U.S. Security - Technology Theft, Insider Threats, Economic Espionage and International Organized Crime
Held at the Mitre Corporation. The keynote address will be delivered by CyLab Distinguished Fellow Richard Power and Christopher Burgess, co-authors of the book "Secrets Stolen/Fortunes Lost."

October 21 - October 23:  CERT Training
Assessing Information Security Risk Using the OCTAVE Approach

October 14:  CERT Training
Creating a Computer Security Information Response Team

October 6 - October 8:  Conference
Partners Conference
CyLab Partner Conference, Carnegie Mellon, Pittsburgh, PA