December 4: Distinguished Seminar
Speaker: Tudor Dumitras, Assistant Professor at University of Maryland
Abstract and speaker bio forthcomingNovember 27: Distinguished Seminar
Server-side verification of client behavior
Speaker: Mike Reiter, Professor at UNC Chapel Hill and Founding Technical Director of CyLab
Numerous exploits of client-server protocols and applications involve modifying clients to behave in ways that untampered clients would not, such as crafting malicious packets. In this talk, we summarize our research on a method for verifying the consistency of a client's messaging behavior with the program it is believed to be running, without knowing all of the client-side inputs driving its behavior. We then turn our attention specifically to cryptographic protocols, which present unique challenges to our method of behavioral verification. The toolchain we have constructed for verifying a client's messages explores multiple candidate execution paths in the client concurrently, an innovation that we show is both specifically useful for cryptographic protocol clients and more generally useful for client applications of other types, as well. In addition, our toolchain includes a novel approach to symbolically executing the client software in multiple passes that defers expensive functions until their inputs can be inferred and concretized. We demonstrate client verification on OpenSSL to show that, e.g., Heartbleed exploits can be detected without Heartbleed-specific filtering and within seconds of the first malicious packet, and that verification of legitimate clients can keep pace with, e.g., Gmail workloads.November 20: Seminar
Abstract and speaker bio forthcomingNovember 15: Seminar
Challenges and Approaches for a Trustworthy Power Grid Cyber Infrastructure
Speaker: William H. Sanders, Professor at University of Illinois at Urbana-Champaign
The vision for a modernized "Smart Grid" involves the use of an advanced computing, communication and control cyber infrastructure for enhancing current grid operations by enabling timely interactions among a range of entities. The coupling between the power grid and its cyber infrastructure is inherent, and the extent to which the Smart Grid vision can be achieved depends upon the functionality and robustness of the cyber infrastructure. This talk describes some of the research results from the DOE- and DHS-funded Trustworthy Cyber Infrastructure for the Power Grid (TCIPG) Center which is aimed at ensuring that the power grid cyber infrastructure is protected both from accidental failures and malicious attacks from adversaries ranging from casual hackers to nation states. The goal of TCIPG was to provide resilience in the nation¹s electric grid cyber infrastructure such that it continues to deliver electricity and maintain critical operations even in the presence of cyber attacks. Achieving this goal will involve the extension, integration, design, and development of IT technologies imbibed with key properties of real-time availability, integrity, authentication and confidentiality.November 13: Distinguished Seminar
WebAssembly for security beyond the browser
Speaker: Jonathan Foote, Principal Security Architect at Fastly
Edge compute services, such as content delivery networks, mesh networks and edge cloud services, seek efficiency in engineering tradeoffs between performance, isolation, security and safety. WebAssembly has the potential to revolutionize edge compute engineering by providing performant, secure execution of untrusted code in arbitrary applications.
In this talk Jonathan Foote will cover salient aspects of WebAssembly, sandboxing technology, and early progress in research and development towards a security-hardened, high-performance sandbox design for running untrusted code on the server.November 6: Distinguished Seminar
The Decaying Art of Lying - Phooling, Phaking and Phishing
Speaker: Bud Mishra, Professor at NYU
Mark Twain wrote: "the Lie, as a recreation, a solace, a refuge in time of need, the fourth Grace, the tenth Muse, man's best and surest friend, is immortal, and cannot perish from the earth.” With advances of the Internet Technology, Governmental, Academic and Commercial institutions seemed to have joined forces to make Twain’s prediction all but true. We examine the nature of deception (in biology and technology) using the framework of signaling games.
- Information Asymmetry, Signaling Games, Risks and Deception
- Signaling Games On the Internet (& Biology)
- Costly Signaling, Block Chains, Verifiers and Recommenders
- Circulating Money via Signaling Games
- Value-Storing Money via Signaling Games
- Case Studies: Identity
- Data Science and Cyber Security
This talk will focus on Cyber Security and their implications for Privacy, Anonymity, Data Science, Finance and Market Micro-structure.October 9: Distinguished Seminar
Blockchain Privacy - Challenges, Solutions, and Unresolved Issues
Speaker: Aniket Kate, Assistant Professor at Purdue University
The hope that cryptography and decentralization together might ensure robust user privacy was among the strongest drivers of early success of Bitcoin's blockchain technology. A desire for privacy still permeates the growing blockchain user base today. Nevertheless, thanks to the inherent public nature of most blockchain ledgers, users' privacy is severely restricted, and a few deanonymization attacks have been reported so far. Several privacy-enhancing technologies have been proposed to solve this issues, and a few also have been implemented; however, some important challenges still remain to be resolved.
In this talk, we discuss privacy challenges, promising solutions, and unresolved privacy issues with the blockchain technology. In particular, we study prominent privacy attacks on Bitcoin and other blockchain solutions, analyze the existing privacy solution, and finally describe important unresolved challenges associated with the blockchain transaction privacy.September 25 - September 27: Conference
2017 CyLab Partners Conference
The CyLab Partners Conference will be held September 25-27 at the main CMU campus in Pittsburgh, PA. Attendance is limited, exclusively, to representatives of CyLab's corporate partners and Carnegie Mellon University.
Not a CyLab partner? There is still time to experience this unique conference and learn how your company can benefit from becoming a CyLab partner. Contact Associate Director of Partnership Development, Michael Lisanti at ...@andrew.cmu.edu or 412-268-1870.September 14: Seminar
Protecting Analog Sensor Security - OR - Sending Mixed Signals on IoT Cybersecurity
Speaker: Kevin Fu, Associate Professor, EECS Department, The University of Michigan
Why are undergraduates taught to hold the digital abstraction as sacrosanct and unquestionable? Why do microprocessors blindly trust input from sensors, and what can be done to establish trust in unusual input channels in cyberphysical systems? Risks of analog sensor cybersecurity pose challenges to autonomous vehicles, medical devices, and the Internet of Things.August 17: CERT Training
Vulnerability Response Capability Development
This one-day course is designed for managers and project leaders who are trying to respond to vulnerabilities reported in their products. This course will provide a high-level overview of the key issues, processes, and decisions that must be made to build your organization's vulnerability response capability. As part of the course, attendees will develop an action plan that can be used as a starting point in planning and implementing their vulnerability response capability.July 25 - July 27: CERT Training
Insider Threat Vulnerability Assessor Training
This 3-day course develops the skills and competencies necessary to perform an insider threat vulnerability assessment of an organization.
This training is based upon the research of the CERT Insider Threat Center of the Software Engineering Institute. The CERT Insider Threat Center has been researching the insider threat problem since 2001 in partnership with the Department of Defense, the Department of Homeland Security, the U.S. Secret Service, other federal agencies, the intelligence community, private industry, academia, and the vendor community.June 13 - June 15: CERT Training
Advanced Forensic Response and Analysis
The CERT Advanced Forensic Response and Analysis course is designed for computer forensic professionals who are looking to build on a solid knowledge base in incident response and forensic analysis. The course builds on core forensic topics to provide a process for conducting more complete incident response and forensic analysis investigations. The goal of the course is to advance collection and processing skills of the students by outlining a structured process or flow to an incident response and intrusion investigation. Students will learn the pros and cons of common evidence collection measures and forensic analysis steps, methods for organizing analysis to identify relevant evidentiary data, and common areas containing items of evidentiary value to further their investigations.June 5 - June 9: CERT Training
Applied Cybersecurity, Incident Response, and Forensics
This five-day hands-on course is designed to increase the knowledge and skills of technical staff charged with administering and securing information systems and networks. Security topics such as vulnerability assessment, systems administration, network monitoring, incident response, and digital forensics will offer a comprehensive defense-in-depth experience. Each participant will have direct administrative access to a wide variety of networked systems (Windows, Linux and Cisco), which will be modified and instrumented throughout the course. Instruction will consist of individual labs and team-based exercises modeled from real-world threat scenarios.May 8 - May 12: CERT Training
Advanced Incident Handling
This five-day course, designed for computer security incident response team (CSIRT) technical personnel with several months of incident handling experience, addresses techniques for detecting and responding to current and emerging computer security threats and attacks that are targeted at a variety of operating systems and architecturesApril 24: Distinguished Seminar
Evaluation of Competing Threat Modeling Methodologies
Speaker: Nancy Mead
Failure to sufficiently identify computer security threats leads to missing security requirements and poor architectural decisions, resulting in vulnerabilities in cyber and cyber-physical systems.
Our prior research study evaluated three exemplar Threat Modeling Methods, designed on different principles, in order to understand strengths and weaknesses of each method. Our goal is to produce a set of tested principles which can help programs select the most appropriate TMMs. This will result in improved confidence in the cyber threats identified, accompanied by evidence of the conditions under which each technique is most effective. This presentation will describe the study, its results, and future plans.April 18 - April 21: Conference
Cyber-Physical Systems Week 2017
CPS Week is the premier event on Cyber-Physical Systems. It brings together five top conferences, HSCC, ICCPS, IoTDI, IPSN, and RTAS, multiple workshops, tutorials, summits, and various exhibitions from both industry and academia. Altogether the CPS Week program covers a multitude of complementary aspects of CPS, and reunites the leading researchers in this dynamic field. CPS Week welcomes IoTDI as the newest conference member.April 17: Distinguished Seminar
Cyberspies, Counterspies, and the Missing Validators
Speaker: Juan Andres Guerrero, Senior Security Researcher, Kaspersky Lab
As espionage becomes more prominent in cyberspace, a nascent industry has been born to investigate and mitigate cyberespionage campaigns. Financial incentives have established a structure for this industry that runs counter to the rules of the great game, by naming and shaming countries in their most sensitive operations. As these companies move their work under the cover of NDAs to avoid inflaming political sensitivities, who will rise to solve the validation crisis and keep threat intelligence producers honest? This talk will discuss the evolution of the threat intelligence production space and the role that academia can play within it.March 27: Distinguished Seminar
Dial One for Scam - A Large-Scale Analysis of Technical Support Scams
Speaker: Nick Nikiforakis, Assistant Professor, Stony Brook University
In technical support scams, cybercriminals attempt to convince users that their machines are infected with malware and are in need of their technical support. In this process, the victims are asked to provide remote machine access to the scammers, who will then "diagnose the problem", before offering their support services which typically cost hundreds of dollars. Despite their conceptual simplicity, technical support scams are responsible for yearly losses of tens of millions of dollars from everyday users of the web.
In this talk, we report on the first systematic study of technical support scams and the call centers hidden behind them. We identify malvertising as a major culprit for exposing users to technical support scams and use it to build an automated system capable of discovering, on a weekly basis, hundreds of phone numbers and domains operated by scammers. By allowing our system to run for more than 8 months we collect a large corpus of technical support scams and use it to provide insights on their prevalence, the abused infrastructure, the illicit profits, and the current evasion attempts of scammers. Finally, by setting up a controlled, IRB-approved, experiment where we interact with 60 different scammers, we experience first-hand their social engineering tactics, while collecting detailed statistics of the entire process. We explain how our findings can be used by law-enforcing agencies and propose technical and educational countermeasures for helping users avoid being victimized by technical support scams.March 20: Distinguished Seminar
Bringing Anthropology into Cybersecurity
Speaker: Xinming Ou, Associate Professor, University of South Florida
Researchers in cybersecurity often face two conundrums: 1) it is hard to find real-world problems that are interesting to researchers; 2) it is hard to transition cybersecurity research results into practical use. In this talk I will discuss how we overcome these two obstacles in our four-year and still on-going effort of using anthropological approach to study cybersecurity operationsMarch 6: Distinguished Seminar
Reasoning about Internet abuse through the eyes of DNS
Speaker: Manos Antonakakis, Assistant Professor, Georgia Institute of Technology
The Domain Name System (DNS) is a critical component of the Internet. The critical nature of DNS often makes it the target of direct cyber-attacks and other forms of abuse. Cyber-criminals rely heavily upon the reliability and scalability of the DNS protocol to serve as an agile platform for their illicit network operations. For example, modern malware and Internet fraud techniques rely upon the DNS to locate their remote command-and-control (C&C) servers through which new commands from the attacker are issued, serve as exfiltration points for the information stolen from the victim's computer and to manage subsequent updates to their malicious toolset.
In this talk I will discuss how we can reason about Internet abuse using DNS. First I will argue why the algorithmic quantification of DNS reputation and trust is fundamental for understanding the security of our Internet communications. Then, I will examine how DNS traffic relates to malware communications. Among other things, we will reason about data-driven methods that can be used to reliably detect malware communications that employ Domain Name Generation Algorithms (DGAs) --- even in the complete absence of the malware sample. Finally, I will conclude my talk by proving a five year overview of malware network communications. Through this study we will see that (as network security researchers and practitioners) we are still approaching the very simple detection problems fundamentally in the wrong way.February 20: Distinguished Seminar
What if Computers Understood Privacy Policies? And, What if They Knew What We Care About?
Speaker: Norman Sadeh
In today’s data-centric economy issues of privacy are becoming increasingly complex to manage. This is true for users who are often feeling helpless when it comes to understanding and managing the many different ways in which their data can be collected and used. But it is also true for developers, service providers, app store operators and regulators. A significant source of frustration has been the lack of progress in formalizing the disclosure of data collection and use practices. These disclosures today continue to primarily take the form of long privacy policies, which very few people actually read.
What if computers could actually understand the text of privacy policies? In this talk, I will report on our progress developing techniques to do just that and will discuss the development and piloting of tools that build on these technologies. This includes an overview of a compliance tool for mobile apps. The tool automatically analyzes the code of apps and compares its findings with disclosures made in the text of privacy policies to identify potential compliance violations. I will report on a study of about 18,000 Android apps. Results of the study suggest that compliance issues are widespread.
In the second part of this talk, I will discuss how using machine learning we can also build models of people’s privacy preferences and help them manage their privacy settings. This will include an overview of our work on Personalized Privacy Assistants. These assistants are intended to selectively notify their users about data collection and use practices they may find egregious and are also capable of helping their users configure available privacy settings. We will review results of a pilot involving one such assistant developed to help users manage their mobile app permissions. I will conclude with a discussion of ongoing work to extend this functionality in the context of Internet of Things scenarios.
The Legacy of Export-grade Cryptography in the 21st Century
Speaker: Nadia Heninger, Assistant Professor, University of Pennsylvania
To comply with 1990s-era US export restrictions on cryptography, early versions of SSL/TLS supported reduced-strength ciphersuites that were restricted to 40-bit symmetric keys and 512-bit RSA and Diffie-Hellman public values. Although the relevant export restrictions have not been in effect since 2000, modern implementations often maintain support for these cipher suites along with old protocol versions.
In this talk, I will discuss recent attacks against TLS (FREAK, Logjam, and DROWN) demonstrating how server-side support for these insecure ciphersuites harms the security of users with modern TLS clients. These attacks exploit a combination of clever cryptanalysis, advances in computing power since the 1990s, previously undiscovered protocol flaws, and implementation vulnerabilities.January 27: Celebration
Privacy Day 2017
Join us on January 27, 2017 for CMU Privacy Day 2017 at Carnegie Mellon University. CMU Privacy Day celebrates the International Data Privacy Day with a schedule of privacy-related events.
Data Privacy Day is an international effort to empower and educate people to protect their privacy and control their digital footprint. For more information, please visit StaySafeOnline.orgJanuary 23: Distinguished Seminar
Bottom Line Security - Improving Cybersecurity by Understanding Costs and Benefits
Speaker: Chris Kanich, Assistant Professor, University of Illinois at Chicago
Abstract and speaker bio forthcoming.