September 25 - September 27: Conference
2017 CyLab Partners Conference
The CyLab Partners Conference will be held September 25-27 at the main CMU campus in Pittsburgh, PA. Attendance is limited, exclusively, to representatives of CyLab's corporate partners and Carnegie Mellon University CyLab.
Not a CyLab partner? There is still time to experience this unique conference and learn how your company can benefit from becoming a CyLab partner. Contact Associate Director of Partnership Development, Michael Lisanti at ...@andrew.cmu.edu or 412-268-1870.
August 17: CERT Training
Vulnerability Response Capability Development
This one-day course is designed for managers and project leaders who are trying to respond to vulnerabilities reported in their products. This course will provide a high-level overview of the key issues, processes, and decisions that must be made to build your organization's vulnerability response capability. As part of the course, attendees will develop an action plan that can be used as a starting point in planning and implementing their vulnerability response capability.
July 25 - July 27: CERT Training
Insider Threat Vulnerability Assessor Training
This 3-day course develops the skills and competencies necessary to perform an insider threat vulnerability assessment of an organization.
This training is based upon the research of the CERT Insider Threat Center of the Software Engineering Institute. The CERT Insider Threat Center has been researching the insider threat problem since 2001 in partnership with the Department of Defense, the Department of Homeland Security, the U.S. Secret Service, other federal agencies, the intelligence community, private industry, academia, and the vendor community.
June 13 - June 15: CERT Training
Advanced Forensic Response and Analysis
The CERT Advanced Forensic Response and Analysis course is designed for computer forensic professionals who are looking to build on a solid knowledge base in incident response and forensic analysis. The course builds on core forensic topics to provide a process for conducting more complete incident response and forensic analysis investigations. The goal of the course is to advance collection and processing skills of the students by outlining a structured process or flow to an incident response and intrusion investigation. Students will learn the pros and cons of common evidence collection measures and forensic analysis steps, methods for organizing analysis to identify relevant evidentiary data, and common areas containing items of evidentiary value to further their investigations.
June 5 - June 9: CERT Training
Applied Cybersecurity, Incident Response, and Forensics
This five-day hands-on course is designed to increase the knowledge and skills of technical staff charged with administering and securing information systems and networks. Security topics such as vulnerability assessment, systems administration, network monitoring, incident response, and digital forensics will offer a comprehensive defense-in-depth experience. Each participant will have direct administrative access to a wide variety of networked systems (Windows, Linux and Cisco), which will be modified and instrumented throughout the course. Instruction will consist of individual labs and team-based exercises modeled from real-world threat scenarios.
May 8 - May 12: CERT Training
Advanced Incident Handling
This five-day course, designed for computer security incident response team (CSIRT) technical personnel with several months of incident handling experience, addresses techniques for detecting and responding to current and emerging computer security threats and attacks that are targeted at a variety of operating systems and architectures.
April 24: Distinguished Seminar
Evaluation of Competing Threat Modeling Methodologies
Speaker: Nancy Mead
Failure to sufficiently identify computer security threats leads to missing security requirements and poor architectural decisions, resulting in vulnerabilities in cyber and cyber-physical systems.
Our prior research study evaluated three exemplar Threat Modeling Methods, designed on different principles, in order to understand strengths and weaknesses of each method. Our goal is to produce a set of tested principles which can help programs select the most appropriate TMMs. This will result in improved confidence in the cyber threats identified, accompanied by evidence of the conditions under which each technique is most effective. This presentation will describe the study, its results, and future plans.
April 18 - April 21: Conference
Cyber-Physical Systems Week 2017
CPS Week is the premier event on Cyber-Physical Systems. It brings together five top conferences, HSCC, ICCPS, IoTDI, IPSN, and RTAS, multiple workshops, tutorials, summits, and various exhibitions from both industry and academia. Altogether the CPS Week program covers a multitude of complementary aspects of CPS, and reunites the leading researchers in this dynamic field. CPS Week welcomes IoTDI as the newest conference member.
April 17: Distinguished Seminar
Cyberspies, Counterspies, and the Missing Validators
Speaker: Juan Andres Guerrero, Senior Security Researcher, Kaspersky Lab
As espionage becomes more prominent in cyberspace, a nascent industry has been born to investigate and mitigate cyberespionage campaigns. Financial incentives have established a structure for this industry that runs counter to the rules of the great game, by naming and shaming countries in their most sensitive operations. As these companies move their work under the cover of NDAs to avoid inflaming political sensitivities, who will rise to solve the validation crisis and keep threat intelligence producers honest? This talk will discuss the evolution of the threat intelligence production space and the role that academia can play within it.
March 27: Distinguished Seminar
Dial One for Scam - A Large-Scale Analysis of Technical Support Scams
Speaker: Nick Nikiforakis, Assistant Professor, Stony Brook University
In technical support scams, cybercriminals attempt to convince users that their machines are infected with malware and are in need of their technical support. In this process, the victims are asked to provide remote machine access to the scammers, who will then "diagnose the problem", before offering their support services which typically cost hundreds of dollars. Despite their conceptual simplicity, technical support scams are responsible for yearly losses of tens of millions of dollars from everyday users of the web.
In this talk, we report on the first systematic study of technical support scams and the call centers hidden behind them. We identify malvertising as a major culprit for exposing users to technical support scams and use it to build an automated system capable of discovering, on a weekly basis, hundreds of phone numbers and domains operated by scammers. By allowing our system to run for more than 8 months we collect a large corpus of technical support scams and use it to provide insights on their prevalence, the abused infrastructure, the illicit profits, and the current evasion attempts of scammers. Finally, by setting up a controlled, IRB-approved, experiment where we interact with 60 different scammers, we experience first-hand their social engineering tactics, while collecting detailed statistics of the entire process. We explain how our findings can be used by law-enforcing agencies and propose technical and educational countermeasures for helping users avoid being victimized by technical support scams.
March 20: Distinguished Seminar
Bringing Anthropology into Cybersecurity
Speaker: Xinming Ou, Associate Professor, University of South Florida
Researchers in cybersecurity often face two conundrums: 1) it is hard to find real-world problems that are interesting to researchers; 2) it is hard to transition cybersecurity research results into practical use. In this talk I will discuss how we overcome these two obstacles in our four-year and still on-going effort of using an anthropological approach to study cybersecurity operations.
March 6: Distinguished Seminar
Reasoning about Internet abuse through the eyes of DNS
Speaker: Manos Antonakakis, Assistant Professor, Georgia Institute of Technology
The Domain Name System (DNS) is a critical component of the Internet. The critical nature of DNS often makes it the target of direct cyber-attacks and other forms of abuse. Cyber-criminals rely heavily upon the reliability and scalability of the DNS protocol to serve as an agile platform for their illicit network operations. For example, modern malware and Internet fraud techniques rely upon the DNS to locate their remote command-and-control (C&C) servers through which new commands from the attacker are issued, serve as exfiltration points for the information stolen from the victim's computer and to manage subsequent updates to their malicious toolset.
In this talk I will discuss how we can reason about Internet abuse using DNS. First I will argue why the algorithmic quantification of DNS reputation and trust is fundamental for understanding the security of our Internet communications. Then, I will examine how DNS traffic relates to malware communications. Among other things, we will reason about data-driven methods that can be used to reliably detect malware communications that employ Domain Name Generation Algorithms (DGAs), even in the complete absence of the malware sample. Finally, I will conclude my talk by providing a five-year overview of malware network communications. Through this study we will see that (as network security researchers and practitioners) we are still approaching the very simple detection problems fundamentally in the wrong way.
February 20: Distinguished Seminar
What if Computers Understood Privacy Policies? And, What if They Knew What We Care About?
Speaker: Norman Sadeh
In today’s data-centric economy issues of privacy are becoming increasingly complex to manage. This is true for users who are often feeling helpless when it comes to understanding and managing the many different ways in which their data can be collected and used. But it is also true for developers, service providers, app store operators and regulators. A significant source of frustration has been the lack of progress in formalizing the disclosure of data collection and use practices. These disclosures today continue to primarily take the form of long privacy policies, which very few people actually read.
What if computers could actually understand the text of privacy policies? In this talk, I will report on our progress developing techniques to do just that and will discuss the development and piloting of tools that build on these technologies. This includes an overview of a compliance tool for mobile apps. The tool automatically analyzes the code of apps and compares its findings with disclosures made in the text of privacy policies to identify potential compliance violations. I will report on a study of about 18,000 Android apps. Results of the study suggest that compliance issues are widespread.
In the second part of this talk, I will discuss how using machine learning we can also build models of people’s privacy preferences and help them manage their privacy settings. This will include an overview of our work on Personalized Privacy Assistants. These assistants are intended to selectively notify their users about data collection and use practices they may find egregious and are also capable of helping their users configure available privacy settings. We will review results of a pilot involving one such assistant developed to help users manage their mobile app permissions. I will conclude with a discussion of ongoing work to extend this functionality in the context of Internet of Things scenarios.
The Legacy of Export-grade Cryptography in the 21st Century
Speaker: Nadia Heninger, Assistant Professor, University of Pennsylvania
To comply with 1990s-era US export restrictions on cryptography, early versions of SSL/TLS supported reduced-strength ciphersuites that were restricted to 40-bit symmetric keys and 512-bit RSA and Diffie-Hellman public values. Although the relevant export restrictions have not been in effect since 2000, modern implementations often maintain support for these cipher suites along with old protocol versions.
In this talk, I will discuss recent attacks against TLS (FREAK, Logjam, and DROWN) demonstrating how server-side support for these insecure ciphersuites harms the security of users with modern TLS clients. These attacks exploit a combination of clever cryptanalysis, advances in computing power since the 1990s, previously undiscovered protocol flaws, and implementation vulnerabilities.
January 27: Celebration
Privacy Day 2017
Join us on January 27, 2017 for CMU Privacy Day 2017 at Carnegie Mellon University. CMU Privacy Day celebrates the International Data Privacy Day with a schedule of privacy-related events.
Data Privacy Day is an international effort to empower and educate people to protect their privacy and control their digital footprint. For more information, please visit StaySafeOnline.org.
January 23: Distinguished Seminar
Bottom Line Security - Improving Cybersecurity by Understanding Costs and Benefits
Speaker: Chris Kanich, Assistant Professor, University of Illinois at Chicago
Abstract and speaker bio forthcoming.