CMU hackers give a glimpse into the hacker psyche
Today, billions of things are connected to the Internet – from smartphones and smart thermostats to critical infrastructure like the electric grid or water distribution systems. All of these “things” make up the so-called Internet of Things (IoT), and it’s growing at an unprecedented rate.

CyLab’s Lorrie Cranor stresses importance of user testing on privacy policies
Ten years ago, CyLab graduate student Aleecia McDonald walked into Lorrie Cranor’s office and asked, “What would happen if everybody read all of the privacy policies on all of the websites they visit?” Cranor swiftly responded, “Don’t be ridiculous, that would never happen.” McDonald’s question, however, piqued Cranor’s interest: Why would that never happen?

CyLab’s Manuel Blum advises: “Never memorize passwords. Compute them.”
“I never memorize passwords,” says Manuel Blum, a Turing Award-winning faculty in CyLab and a professor in the School of Computer Science at Carnegie Mellon University. “I may go to every other day, but I do not know my Amazon password. When I need it, I compute it.”

Carnegie Mellon celebrates International Data Privacy Day
Coming on the heels of a year of unprecedented data breaches, targeted ads and new ethical questions about data privacy, Carnegie Mellon University will host its fourth celebration of International Data Privacy Day on Friday, January 27th.

Students create app to help visually impaired identify email phishing attacks
Thanks to screen readers, 285 million visually impaired people worldwide are able to browse the Internet by responding to audio readings of image descriptions and text on websites. But how can these unique users avoid phishing attacks, malicious links disguised as innocuous ones? As one group of CyLab students will tell you: there’s an app for that, and they’re creating it.

Jahanian, Acquisti Deliver Calls To Action at NSF Meeting on Cybersecurity, Privacy
Carnegie Mellon University Provost Farnam Jahanian called for continuing investments in cybersecurity to meet the evolving challenges in securing cyberspace. He delivered his remarks during a keynote speech at the National Science Foundation's Secure and Trustworthy CyberSpace (SaTC) Principal Investigators' Meeting.

CyLab researchers are helping mobile game developers improve security by hacking them
Mobile games like Pokémon Go have millions of users’ faces glued to smartphone screens, so it may be little surprise that the mobile game industry pulled in over $40 billion globally in 2016. Protecting these games against hackers has been challenging, and a recent study by a group of Carnegie Mellon researchers shows how much work needs to be done.


Obituary: Internationally Acclaimed Statistician Stephen E. Fienberg Changed the Field and Brought Statistics to Science and Public Policy
Stephen E. Fienberg, University Professor of Statistics and Social Science at Carnegie Mellon University, died Wednesday, Dec. 14 in Pittsburgh. He was 74.

Carnegie Mellon’s PPP hacking team wins eighth straight NYU Cybersecurity Awareness Week Capture the Flag
For 36 hours in a large room at New York University, four members of Carnegie Mellon’s hacking team sat hunched over their laptops, furiously pecking away at their keyboards during a virtual game of capture the flag. At the contest’s end, the team, the Plaid Parliament of Pwning (PPP), extended their winning streak to eight years.

Experts Debate Cyber Deterrence, Internet Governance at Carnegie Colloquium
Technology and policy experts examined the complexities of cyber deterrence and internet governance in an increasingly digital world at the second session of the Carnegie Colloquium at Carnegie Mellon University Dec. 2.

CyLab researchers spoof state-of-the-art facial recognition algorithms with printable eyeglasses
Want to fool facial recognition algorithms into thinking you’re Russell Crowe? Just ask a team of CyLab researchers to print you a pair of paper eyeglasses.

CMU to host second session of Carnegie Colloquium to discuss digital governance
This Friday, December 2nd, Carnegie Mellon University and the Carnegie Endowment for International Peace will co-host the second session of the Carnegie Colloquium on digital governance and security. The event, which will be held in Rangos Hall in Carnegie Mellon’s University Center, is free and open to the public.

Skinner Joins Trump's National Security Council Transition Team
Kiron Skinner, founding director of the Institute for Politics and Strategy in the Dietrich College of Humanities and Social Sciences at Carnegie Mellon University, has joined President-Elect Donald J. Trump's transition team for the National Security Council.

Mobile App Behavior Often Appears at Odds With Privacy Policies
Analysis Shows Apps Don’t Always Seem To Do What They Say.

CyLab researchers create network traffic visualization tool to help thwart cyber attacks
Last month, tens of websites including Amazon, Netflix and others fell victim to one of the largest distributed denial of service (DDoS) attacks in history, temporarily crashing under the weight of huge amounts of fake traffic orchestrated by malicious hackers. At Carnegie Mellon, research out of the CyLab Security and Privacy Institute shows that the tools needed to thwart these kinds of attacks are on the horizon.

International leaders convene at inaugural Carnegie Colloquium to discuss cyber issues
After Carnegie Mellon president Subra Suresh exchanged a handshake with Carnegie Endowment for International Peace president Bill Burns in a crowded, brightly-lit conference room, both knew it was time to get down to business. The most pressing international cyber issues were up for discussion.

CyLab researchers create tool that can predict what you look like solely based on your eyes
When a criminal’s face is caught on camera, law enforcement has a huge advantage. This is an obvious reason that many criminals wear masks, covering everything except their eyes. However, ongoing work in the CyLab Biometrics Center has shown that a person’s face can be “hallucinated” based solely on a person’s eye-region.

CyLab graduate students awarded Presidential Fellowships
Last December, it was announced that CyLab would begin awarding Presidential Fellowships to high-achieving exemplary graduate students researching topics around security and privacy. Each fellowship covers one year of tuition, and up to six fellowships can be offered on a yearly basis. This year’s CyLab Presidential Fellowship recipients have just been announced.

CyLab’s Vyas Sekar is this year’s SIGCOMM “Rising Star”
CyLab’s Vyas Sekar, an assistant professor of Electrical and Computer Engineering, is this year’s recipient of SIGCOMM’s 2016 “Rising Star” Award, which recognizes a young researcher – no older than 35 – who has made outstanding research contributions to the field of communication networks during this early part of his or her career.

CyLab researchers win NSA’s 2016 Best Scientific Cybersecurity Paper Competition with paper on mitigating cloud side-channel attacks
Soo-Jin Moon, a Ph.D. student in the department of Electrical and Computer Engineering, and Vyas Sekar, a professor of Electrical and Computer Engineering, just won the NSA’s Best Scientific Cybersecurity Paper Competition with their paper, “Nomad: Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration.” The researchers were chosen as winners from a pool of 54 total nominations and are invited to be recognized and present their work at NSA on November 2nd.

Industry cyber experts convene in Pittsburgh for CyLab’s 13th Partners Conference
Last week, CyLab hosted its 13th annual Partners Conference, bringing CyLab’s corporate partners to Carnegie Mellon’s main campus in Pittsburgh, PA. Attendance was limited, exclusively, to representatives of CyLab's corporate partners and Carnegie Mellon University CyLab.

Gone phishin’: CyLab researchers expose how our ability to spot phishing emails is far from perfect
Each year, tens of millions of phishing emails make it to your inbox, uncaught by your email client’s spam filter. Of those, millions more slide past our own judgment and are clicked and opened. A recent study out of Carnegie Mellon’s CyLab Security and Privacy Institute has revealed just how likely we are to take the bait.

Carnegie Mellon researchers create new password strength meter that outperforms state-of-the-art meters and fits in a webpage
Is password1! a good password? Many browser-based password meters would say it is, but they’d be wrong. “It’s just one of many passwords that your typical password meter would classify as strong, when in fact it’s very weak,”

CyLab’s Jason Hong on keeping safe online during the 2016 Olympics
During the 2012 Olympics, cyber criminals ran online scams – offering fake memorabilia, discounts and even tickets – in order to steal personal information and money from the public. The 2016 Olympics will be no different.

Carnegie Mellon sweeps DefCon as team wins third ‘World Series of Hacking’ title in four years
Carnegie Mellon’s competitive computer security team, The Plaid Parliament of Pwning, just won its third title in four years at the DefCon Capture the Flag competition. The win comes on the heels of CMU-spinoff ForAllSecure’s win at the DARPA Cyber Grand Challenge just days earlier.

CMU-spinoff ForAllSecure wins $2 million top prize at the DARPA Cyber Grand Challenge
ForAllSecure, a Carnegie Mellon University spinoff startup, just took home $2 million in prize money as the winners of the DARPA Cyber Grand Challenge (CGC), a first-of-its-kind hacking contest in which all participants are autonomous computer systems. ForAllSecure was one of seven finalist teams in the contest, which took place on Thursday, August 4th, in Las Vegas, Nevada.

CMU-spinoff ForAllSecure to compete for grand prize in DARPA’s Cyber Grand Challenge
Four years ago, Carnegie Mellon professor David Brumley had an idea: automate the process of finding software bugs. These bugs are at an all-time high with the explosion of the Internet of Things—billions of connected devices, like smart thermostats or fitness trackers—which are manufactured with little attention paid to security. Now, building off research that began in Carnegie Mellon’s CyLab, Brumley is heading to a national stage to compete against the country’s best automated bug finders.

NSF awards CyLab’s Vyas Sekar over $1 million to help secure the Internet of Things
Over six billion connected devices in the so-called Internet of Things (IoT) will be in use by the end of 2016, according to a recent Gartner forecast. While the explosion of IoT has the power to transform society, many are concerned as security experts have exposed vulnerabilities in everything from Internet-connected Barbie dolls to SUVs.

It’s Automatic: CMU Smartphone App Manages Your Privacy Preferences
Chalk up one more task a smartphone app may do better than you: figuring out your privacy settings. A field study suggests a personalized privacy assistant app being developed at Carnegie Mellon University can simplify the chore of setting permissions for your smartphone apps. That’s a task that requires well over a hundred decisions, an unmanageable number for the typical user.

NATO partners with CyLab to increase password security
The North Atlantic Treaty Organization (NATO), with its 28 member nations from both sides of the Atlantic Ocean, strives for peace and stability for its members. In doing so, they deal with a myriad of passwords for their authentication systems, but NATO program manager John Boyd realizes its policies are imperfect. “We’re giving people mixed messages. We’re telling them to create great, strong passwords, but don’t fall in love with them because you’re going to have to change them again in a few months,” says Boyd. “People end up making bad passwords because they have no incentive to make good ones.”

Thanks to CyLab’s picoCTF, the Phillips Academy celebrates its own successful hacking contest
In April 2014, a small group of high school students in Andover, Massachusetts huddled around a table with their laptops. Curiously and cautiously, each gradually moved through their first hacking contest, picoCTF, hosted by CyLab’s Plaid Parliament of Pwning hacking team. None of the students imagined that two years later, they’d be launching their own wildly popular “Capture the Flag” (CTF) hacking contest.

CyLab Graduate Student Receives Best Student Paper Award at EUROSYS 2016
In services like cloud computing or supercomputing, thousands of computing tasks are sent for execution on clusters of servers each second. Coordinating the myriad of incoming requests a cluster receives (e.g. which machine should execute job X, how many machines should be used to run process Y, etc.) is a daunting task, and one that piques the interest of CyLab Ph.D. student Alexey Tumanov.

Carnegie Mellon Transparency Reports Make AI Decision-Making Accountable
Figuring Out Why the Computer Rejected Your Loan Application

Users’ Perceptions of Password Security Do Not Always Match Reality
Think your password is secure? You may need to think again. People’s perceptions of password strength may not always match reality, according to a recent study by CyLab, Carnegie Mellon’s Security and Privacy Institute.

CyLab’s Vyas Sekar wins NSF CAREER Award to improve network security
“What’s critically lacking is a principled way to check if the network correctly implements a given suite of policies,” said CyLab faculty member Vyas Sekar, an assistant professor of Electrical and Computer Engineering. “This problem is already very challenging even for very basic policy intents. As networks and policies both become more complex, and with emerging technology trends like software-defined networking and network functions virtualization, the problem will only become worse.”

CyLab Students Sweep Microsoft Build the Shield Competition
Teams win first, second and third place in security contest

Three CyLab Graduate Students Receive Research Fellowships
Three CyLab Ph.D. students have just received fellowships for their graduate research. Both students work in the Carnegie Mellon Database Group, which focuses on high performance database architectures, experimental systems and graph mining, and the Parallel Data Lab, a storage systems research center.

Clarifying the record: teaching cybersecurity needs to be a national imperative
As Director of CyLab, Carnegie Mellon’s Security and Privacy Institute, I believe that it is imperative that we improve the state of cybersecurity education in America, something I recently wrote about in the Wall Street Journal. A national conversation has begun on this topic, and last week, security firm CloudPassage contributed by producing a report that was well intentioned but factually incorrect. Carnegie Mellon University offers over 50 courses in cybersecurity available to both undergraduate and graduate students, including two required courses at the undergraduate level that have large cybersecurity components. However, the CloudPassage report wrongly assigns Carnegie Mellon a “D” rating, denoted as offering 0 required courses and 1-3 electives in cybersecurity. We reached out to the firm and provided them with accurate numbers, and they released a follow-up blog post noting our course offerings.

Recent CyLab research makes big push in improving network testing and verification
To date, network administrators have been challenged with checking whether a network configuration correctly implements a suite of intended security policies. This is hard even for basic reachability policies (e.g. Can X talk to Y?) in simple networks. In practice, network administrators would like to implement more complex security postures using more advanced network functions (e.g., web application firewalls, intrusion prevention systems). “The more complex the policy and the more advanced your network functions are, the harder it is to give the network administrator assurance that the policy is realized correctly in the network,” says Vyas Sekar, an assistant professor of Electrical and Computer Engineering (ECE) and principal investigator of the study. “But for the first time, we’ve made network testing for checking dynamic policies with stateful networks practical.”

CyLab Director David Brumley in Wall Street Journal: 'We need to embrace hacking as a pre-eminent skill necessary to secure our digital world'
CyLab Director David Brumley just published an Op-Ed in the Wall Street Journal on ways to address the inadequate pipeline of talent to fill thousands of unfilled cybersecurity jobs. Brumley’s comments about growing the cybersecurity talent pipeline stem from CyLab's long history of cybersecurity training. Through various programs like the Software Engineering Institute’s Federal Virtual Training Environment or Brumley’s picoCTF hacking competition, CyLab has trained over 180,000 people in the field of cybersecurity, more than any other institution.

Newly Released Website Sheds Light on Shortcomings of Privacy Policies, Paves Way for Semi-Automated Summarization of these Policies
Few people read privacy policies. Studies have projected that it would take an average user over 600 hours to read every privacy policy associated with every website they visited in one year. However, research conducted over the past two years by researchers at Carnegie Mellon University, Fordham University and Stanford University, is paving the way to a day where technology might be able to provide users with short summaries of privacy policies.

CyLab-inspired Curriculum Leads to 3rd “Cyberstakes” Hacking Competition for US Service Academies
With the help of CyLab Director David Brumley, Ragsdale created “Cyberstakes,” a full-fledged offense / defense hacking competition in which students from every United States service academy could participate.

Carnegie Mellon, Stanford Researchers Devise Method To Share Password Data Safely
“This is the first time a major company has released frequency information on user passwords,” said CyLab faculty Anupam Datta, associate professor of computer science and electrical and computer engineering at CMU.

CyLab students hack their way to 3rd place in NSA’s Codebreaker Challenge
Three CyLab students finished in the top 25 individually, putting Carnegie Mellon University in 3rd place overall in the NSA Codebreaking Challenge. Over 2,200 students from over 300 academic institutions participated in this year’s challenge.

Ed Felten Advocates Making Privacy Work for Everyone in Celebration of Data Privacy Day
Last week, Deputy U.S. Chief Technologist Ed Felten met with CyLab researchers and presented his keynote talk to a crowded Rangos Hall in Carnegie Mellon University’s Cohon University Center in celebration of CMU Privacy Day 2016.

CyLab’s Kyle Soska receives the Symantec Research Labs Graduate Fellowship
Kyle Soska, a CyLab Ph.D. student in the Department of Electrical and Computer Engineering, has received the Symantec Research Labs Graduate Fellowship. These fellowships are granted to two to three Ph.D. students each year who are conducting innovative research that has real-world value.

Better Design Improves Understanding of Online Privacy Notices: CyLab Researchers Outline Best Practices
Privacy policies for websites, smartphone apps and, especially, components of the emerging Internet of Things are usually ineffective or ignored by users, but CyLab researchers say properly designed privacy notices — pushed out to users at appropriate times — could help remedy that problem.

CyLab’s David Brumley to Co-Chair First Ever “Enigma” Conference
CyLab director David Brumley will co-chair Enigma, a uniquely positioned vendor-neutral security conference. Enigma will be held January 25-27, 2016, featuring an impartial program presented by academic and industry experts offering immediately useful responses to security breaches.