
CyLab News

2017

Making the Internet of Things smarter than its attackers
A web-based service called IFTTT (an initialism of If This Then That) is hosting user-generated applets available to download that connect Internet of Things (IoT) devices to streamline various processes. If this happens (e.g. you “Like” a photo on Facebook), then do that (e.g. save that photo to your Google Drive). There are thousands of others free for download. But security experts are concerned that some of these applets may introduce vulnerabilities to users and their IoT devices. What if a particular applet, which automatically saves new email attachments to all of your back-up storage devices, performs this task with a malicious email attachment? The malicious material just spread itself to several of your other devices without you even lifting a finger.

Announcing Prof. Doug Sicker as Interim Director of CyLab
A year after winning the top prize at DARPA’s Cyber Grand Challenge (CGC), a hacking competition between autonomous supercomputers, David Brumley will be taking a one-year leave of absence as Director of CyLab to focus on growing the startup behind the CGC-winning technology, ForAllSecure, where he serves as Founder and CEO. Brumley’s leave became effective September 1st.

CyLab’s Bryan Parno shares Distinguished Paper Award win with demonstration of verifiable security
Chances are, you’re reading this article on a web browser that uses HTTPS, the protocol over which data is sent between a web browser and the website users are connected to. In fact, nearly half of all web traffic passes through HTTPS. Despite the “S” for security in “HTTPS,” this protocol is far from perfectly secure.

SCS Students Captain Winning Teams at C2C Competition
School of Computer Science students captained teams that finished first and second in the Cambridge2Cambridge (C2C) three-day cybersecurity competition that ended July 27 at the University of Cambridge.

Accountable decision systems that respect privacy and fairness
Increasingly, decisions and actions affecting people's lives are determined by automated systems processing personal data. Excitement about these systems has been accompanied by serious concerns about their opacity and threats they pose to privacy, fairness, and other values. Examples abound in real-world systems: Target’s use of predicted pregnancy status for marketing; Google’s use of health-related search queries for targeted advertising; race being associated with automated predictions of recidivism; gender affecting displayed job-related ads; race affecting displayed search ads; Boston’s Street Bump app focusing pothole repair on affluent neighborhoods; Amazon’s same day delivery being unavailable in black neighborhoods; and Facebook showing either “white” or “black” movie trailers based upon “ethnic affiliation.”

CyLab researchers ask: What privacy concerns do you have in an IoT world?
Imagine walking into a store, and your phone buzzes to notify you that a nearby surveillance camera is able to use facial-recognition software to capture your identity. Your phone then presents you with options: you can allow or deny the store the ability to save your identity in their database.

Making sense of Internet censorship using automation
Depending on which country you are in, various parts of the Internet may be censored for various reasons – some lawful and some not. Currently, the life of an Internet censorship researcher is a hard one; the process of finding out which websites are censored and which ones are not can be an incredibly cumbersome process.

Carnegie Mellon hacking team emerges as strongest in DefCon history with fourth win

Carnegie Mellon hacking team looks to take unprecedented fourth win at DefCon “World Series of Hacking”

Dept. of Homeland Security awards CyLab $206K to develop new tool to study online crime
The United States Department of Homeland Security (DHS) Science and Technology Directorate just awarded CyLab’s Nicolas Christin $206K to develop a tool that will enhance the ability to study online crime.

Skip the password; share your “secret knock” with your family for group authentication
In the days of prohibition in the United States, thirsty men and women entered speakeasies with a secret knock at the door. In some unwanted cases, onlookers who were prohibited from entering the speakeasy studied the secret knock from afar, and used it to enter the building.

How safe is your online behavior? Carnegie Mellon researchers say it depends on where you’re from
Selecting a password or deciding whether an email is a phishing email or not are among countless security decisions you make on a regular basis. Are you making the right decisions? Do you consider your online behavior safe? According to the latest research out of Carnegie Mellon University’s CyLab, it actually depends on where you’re from.

INI students place third in MITRE Embedded CTF
A team of Information Networking Institute (INI) students placed third overall in the MITRE Embedded Capture the Flag (CTF) held January 18-April 14.

Strengthening network security with agility, isolation and awareness
Despite the U.S. government’s $7.3 billion investment towards IT infrastructure last year, the state of operational network security remains abysmal. While many devices can be entry points to network breaches, printers and other IoT devices have recently been receiving a lot of bad press.

Top high school hackers from picoCTF 2017 receive awards at CMU
A team of five California high school students is now $5,000 richer. Last week, the winning team from this year’s picoCTF hacking competition visited Carnegie Mellon to receive their prize.

Researchers unveil new password meter that will change how users make passwords
One of the most popular passwords in 2016 was “qwertyuiop,” even though most password meters will tell you how weak that is. The problem is no existing meters offer any good advice to make it better—until now.

$6.2 Million MURI Grant To Fund Cybersecurity Project
Carnegie Mellon University’s Cleotilde (Coty) Gonzalez, Christian Lebiere and Lujo Bauer are part of a team that has received a $6.2 million Multidisciplinary University Research Initiative (MURI) grant from the Department of Defense to prevent cyber attacks.

INI Director Receives Barbara Lazarus Professorship in Information Networking
Dena Haritos Tsamitis, director of the Information Networking Institute, is the first recipient of the newly established Barbara Lazarus Professorship in Information Networking.

Members of the National Academy of Engineering discuss cybersecurity at CMU
The National Academy of Engineering (NAE) gathered for a regional meeting and symposium at Carnegie Mellon University's Software Engineering Institute to discuss cybersecurity, which is now one of the greatest challenges in the 21st century.

Over 18,000 high school students learned to hack in this year’s picoCTF hacking competition
The cybersecurity workforce, which is currently struggling to fill seats with qualified talent, may have some newfound optimism. Over the past two weeks, upwards of 18,000 middle and high school students from across the United States learned and honed computer security skills in this year’s picoCTF online hacking contest, hosted by Carnegie Mellon University’s CyLab Security and Privacy Institute. The competition officially ended Friday, April 14, 2017.

CyLab’s Nicolas Christin receives 2017 CSIS Fellowship
Nicolas Christin, a CyLab faculty member in the departments of Engineering and Public Policy and the Institute for Software Research, has received the Fellowship in Advanced Cyber Studies from the Center for Strategic & International Studies.

Many apps fail to disclose the collection and sharing of sensitive data
If you use an Android phone and its apps, a coin-flip can likely tell you whether your location is being tracked without disclosing the practice in the app’s privacy policy, if it even has one.

Carnegie Mellon’s CyLab challenges high school students to give hacking a try
Carnegie Mellon University aims to build a talent pipeline into the cyber workforce by introducing computer security skills to middle and high school students through picoCTF, a free, online hacking contest that starts March 31, 2017. Now in its third year, the virtual game of capture the flag (CTF) has previously drawn nearly 30,000 people.

CyLab Distinguished Fellow Howard Schmidt dies at 67
Dr. Howard Schmidt, a former White House cybersecurity coordinator, executive director of SAFECode and a CyLab Distinguished Fellow, passed away on March 2, 2017 in his home in Muskego, Wisconsin. Dr. Schmidt served as a CyLab Distinguished Fellow for over a decade. After being appointed to the White House as a cybersecurity advisor by George W. Bush, Dr. Schmidt was later named Chief of Cybersecurity by President Barack Obama. Serving over 31 years in public service, Dr. Schmidt was well respected for his work at the intersection of computer security and national security.

CMU hackers give a glimpse into the hacker psyche
Today, billions of things are connected to the Internet – from smartphones and smart thermostats to critical infrastructure like the electric grid or water distribution systems. All of these “things” make up the so-called Internet of Things (IoT), and it’s growing at an unprecedented rate.

CyLab’s Lorrie Cranor stresses importance of user testing on privacy policies
Ten years ago, CyLab graduate student Aleecia McDonald walked into Lorrie Cranor’s office and asked, “What would happen if everybody read all of the privacy policies on all of the websites they visit?” Cranor swiftly responded, “Don’t be ridiculous, that would never happen.” McDonald’s question, however, piqued Cranor’s interest: Why would that never happen?

CyLab’s Manuel Blum advises: “Never memorize passwords. Compute them.”
“I never memorize passwords,” says Manuel Blum, a Turing Award-winning faculty member in CyLab and a professor in the School of Computer Science at Carnegie Mellon University. “I may go to Amazon.com every other day, but I do not know my Amazon password. When I need it, I compute it.”

Carnegie Mellon celebrates International Data Privacy Day
Coming on the heels of a year of unprecedented data breaches, targeted ads and new ethical questions about data privacy, Carnegie Mellon University will host its fourth celebration of International Data Privacy Day on Friday, January 27th.

Students create app to help visually impaired identify email phishing attacks
Thanks to screen readers, 285 million visually impaired people worldwide are able to browse the Internet by responding to audio readings of image descriptions and text on websites. But how can these unique users avoid phishing attacks, malicious links disguised as innocuous ones? As one group of CyLab students will tell you: there’s an app for that, and they’re creating it.

Jahanian, Acquisti Deliver Calls To Action at NSF Meeting on Cybersecurity, Privacy
Carnegie Mellon University Provost Farnam Jahanian called for continuing investments in cybersecurity to meet the evolving challenges in securing cyberspace. He delivered his remarks during a keynote speech at the National Science Foundation's Secure and Trustworthy CyberSpace (SaTC) Principal Investigators' Meeting.

CyLab researchers are helping mobile game developers improve security by hacking them
Mobile games like Pokémon Go have millions of users’ faces glued to smartphone screens, so it may be little surprise that the mobile game industry pulled in over $40 billion globally in 2016. Protecting these games against hackers has been challenging, and a recent study by a group of Carnegie Mellon researchers shows how much work needs to be done.

2016

Obituary: Internationally Acclaimed Statistician Stephen E. Fienberg Changed the Field and Brought Statistics to Science and Public Policy
Stephen E. Fienberg, University Professor of Statistics and Social Science at Carnegie Mellon University, died Wednesday, Dec. 14 in Pittsburgh. He was 74.

Carnegie Mellon’s PPP hacking team wins eighth straight NYU Cybersecurity Awareness Week Capture the Flag
For 36 hours in a large room at New York University, four members of Carnegie Mellon’s hacking team sat hunched over their laptops, furiously pecking away at their keyboards during a virtual game of capture the flag. At the contest’s end, the team, the Plaid Parliament of Pwning (PPP), extended their winning streak to eight years.

Experts Debate Cyber Deterrence, Internet Governance at Carnegie Colloquium
Technology and policy experts examined the complexities of cyber deterrence and internet governance in an increasingly digital world at the second session of the Carnegie Colloquium at Carnegie Mellon University Dec. 2.

CyLab researchers spoof state-of-the-art facial recognition algorithms with printable eyeglasses
Want to fool facial recognition algorithms into thinking you’re Russell Crowe? Just ask a team of CyLab researchers to print you a pair of paper eyeglasses.

CMU to host second session of Carnegie Colloquium to discuss digital governance
This Friday, December 2nd, Carnegie Mellon University and the Carnegie Endowment for International Peace will co-host the second session of the Carnegie Colloquium on digital governance and security. The event, which will be held in Rangos Hall in Carnegie Mellon’s University Center, is free and open to the public.

Skinner Joins Trump's National Security Council Transition Team
Kiron Skinner, founding director of the Institute for Politics and Strategy in the Dietrich College of Humanities and Social Sciences at Carnegie Mellon University, has joined President-Elect Donald J. Trump's transition team for the National Security Council.

Mobile App Behavior Often Appears at Odds With Privacy Policies
Analysis Shows Apps Don’t Always Seem To Do What They Say.

CyLab researchers create network traffic visualization tool to help thwart cyber attacks
Last month, tens of websites including Amazon, Netflix and others fell victim to one of the largest distributed denial of service (DDoS) attacks in history, temporarily crashing under the weight of huge amounts of fake traffic orchestrated by malicious hackers. At Carnegie Mellon, research out of the CyLab Security and Privacy Institute shows that the tools needed to thwart these kinds of attacks are on the horizon.

International leaders convene at inaugural Carnegie Colloquium to discuss cyber issues
After Carnegie Mellon president Subra Suresh exchanged a handshake with Carnegie Endowment for International Peace president Bill Burns in a crowded, brightly-lit conference room, both knew it was time to get down to business. The most pressing international cyber issues were up for discussion.

CyLab researchers create tool that can predict what you look like solely based on your eyes
When a criminal’s face is caught on camera, law enforcement has a huge advantage. This is an obvious reason that many criminals wear masks, covering everything except their eyes. However, ongoing work in the CyLab Biometrics Center has shown that a person’s face can be “hallucinated” based solely on a person’s eye-region.

CyLab graduate students awarded Presidential Fellowships
Last December, it was announced that CyLab would begin awarding Presidential Fellowships to high-achieving exemplary graduate students researching topics around security and privacy. Each fellowship covers one year of tuition, and up to six fellowships can be offered on a yearly basis. This year’s CyLab Presidential Fellowship recipients have just been announced.

CyLab’s Vyas Sekar is this year’s SIGCOMM “Rising Star”
CyLab’s Vyas Sekar, an assistant professor of Electrical and Computer Engineering, is this year’s recipient of SIGCOMM’s 2016 “Rising Star” Award, which recognizes a young researcher – no older than 35 – who has made outstanding research contributions to the field of communication networks during this early part of his or her career.

CyLab researchers win NSA’s 2016 Best Scientific Cybersecurity Paper Competition with paper on mitigating cloud side-channel attacks
Soo-Jin Moon, a Ph.D. student in the department of Electrical and Computer Engineering, and Vyas Sekar, a professor of Electrical and Computer Engineering, just won the NSA’s Best Scientific Cybersecurity Paper Competition with their paper, “Nomad: Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration.” The researchers were chosen as winners from a pool of 54 total nominations and are invited to be recognized and present their work at NSA on November 2nd.

Industry cyber experts convene in Pittsburgh for CyLab’s 13th Partners Conference
Last week, CyLab hosted its 13th annual Partners Conference, bringing CyLab’s corporate partners to Carnegie Mellon’s main campus in Pittsburgh, PA. Attendance was limited exclusively to representatives of CyLab's corporate partners and Carnegie Mellon University CyLab.

Gone phishin’: CyLab researchers expose how our ability to spot phishing emails is far from perfect
Each year, tens of millions of phishing emails make it to your inbox, uncaught by your email client’s spam filter. Of those, millions more slide past our own judgment and are clicked and opened. A recent study out of Carnegie Mellon’s CyLab Security and Privacy Institute has revealed just how likely we are to take the bait.

Carnegie Mellon researchers create new password strength meter that outperforms state-of-the-art meters and fits in a webpage
Is password1! a good password? Many browser-based password meters would say it is, but they’d be wrong. “It’s just one of many passwords that your typical password meter would classify as strong, when in fact it’s very weak,”

CyLab’s Jason Hong on keeping safe online during the 2016 Olympics
During the 2012 Olympics, cyber criminals ran online scams – offering fake memorabilia, discounts and even tickets – in order to steal personal information and money from the public. The 2016 Olympics will be no different.

Carnegie Mellon sweeps DefCon as team wins third ‘World Series of Hacking’ title in four years
Carnegie Mellon’s competitive computer security team, The Plaid Parliament of Pwning, just won its third title in four years at the DefCon Capture the Flag competition. The win comes on the heels of CMU-spinoff ForAllSecure’s win at the DARPA Cyber Grand Challenge just days earlier.

CMU-spinoff ForAllSecure wins $2 million top prize at the DARPA Cyber Grand Challenge
ForAllSecure, a Carnegie Mellon University spinoff startup, just took home $2 million in prize money as the winners of the DARPA Cyber Grand Challenge (CGC), a first-of-its-kind hacking contest in which all participants are autonomous computer systems. ForAllSecure was one of seven finalist teams in the contest, which took place on Thursday, August 4th, in Las Vegas, Nevada.

CMU-spinoff ForAllSecure to compete for grand prize in DARPA’s Cyber Grand Challenge
Four years ago, Carnegie Mellon professor David Brumley had an idea: automate the process of finding software bugs. These bugs are at an all-time high with the explosion of the Internet of Things—billions of connected devices, like smart thermostats or fitness trackers—which are manufactured with little attention paid to security. Now, building off research that began in Carnegie Mellon’s CyLab, Brumley is heading to a national stage to compete against the country’s best automated bug finders.

NSF awards CyLab’s Vyas Sekar over $1 million to help secure the Internet of Things
Over six billion connected devices in the so-called Internet of Things (IoT) will be in use by the end of 2016, according to a recent Gartner forecast. While the explosion of IoT has the power to transform society, many are concerned as security experts have exposed vulnerabilities in everything from Internet-connected Barbie dolls to SUVs.

It’s Automatic: CMU Smartphone App Manages Your Privacy Preferences
Chalk up one more task a smartphone app may do better than you: figuring out your privacy settings. A field study suggests a personalized privacy assistant app being developed at Carnegie Mellon University can simplify the chore of setting permissions for your smartphone apps. That’s a task that requires well over a hundred decisions, an unmanageable number for the typical user.

NATO partners with CyLab to increase password security
The North Atlantic Treaty Organization (NATO), with its 28 member nations from both sides of the Atlantic Ocean, strives for peace and stability for its members. In doing so, they deal with a myriad of passwords for their authentication systems, but NATO program manager John Boyd realizes its policies are imperfect. “We’re giving people mixed messages. We’re telling them to create great, strong passwords, but don’t fall in love with them because you’re going to have to change them again in a few months,” says Boyd. “People end up making bad passwords because they have no incentive to make good ones.”

Thanks to CyLab’s picoCTF, the Phillips Academy celebrates its own successful hacking contest
In April 2014, a small group of high school students in Andover, Massachusetts huddled around a table with their laptops. Curiously and cautiously, each gradually moved through their first hacking contest, picoCTF, hosted by CyLab’s Plaid Parliament of Pwning hacking team. None of the students imagined that two years later, they’d be launching their own wildly popular “Capture the Flag” (CTF) hacking contest.

CyLab Graduate Student Receives Best Student Paper Award at EUROSYS 2016
In services like cloud computing or supercomputing, thousands of computing tasks are sent for execution on clusters of servers each second. Coordinating the myriad of incoming requests a cluster receives (e.g. which machine should execute job X, how many machines should be used to run process Y, etc.) is a daunting task, and one that piques the interest of CyLab Ph.D. student Alexey Tumanov.

Carnegie Mellon Transparency Reports Make AI Decision-Making Accountable
Figuring Out Why the Computer Rejected Your Loan Application

Users’ Perceptions of Password Security Do Not Always Match Reality
Think your password is secure? You may need to think again. People’s perceptions of password strength may not always match reality, according to a recent study by CyLab, Carnegie Mellon’s Security and Privacy Institute.

CyLab’s Vyas Sekar wins NSF CAREER Award to improve network security
“What’s critically lacking is a principled way to check if the network correctly implements a given suite of policies,” said CyLab faculty member Vyas Sekar, an assistant professor of Electrical and Computer Engineering. “This problem is already very challenging even for very basic policy intents. As networks and policies both become more complex, and with emerging technology trends like software-defined networking and network functions virtualization, the problem will only become worse.”

CyLab Students Sweep Microsoft Build the Shield Competition
Teams win first, second and third place in security contest

Three CyLab Graduate Students Receive Research Fellowships
Three CyLab Ph.D. students have just received fellowships for their graduate research. Both students work in the Carnegie Mellon Database Group, which focuses on high performance database architectures, experimental systems and graph mining, and the Parallel Data Lab, a storage systems research center.

Clarifying the record: teaching cybersecurity needs to be a national imperative
As Director of CyLab, Carnegie Mellon’s Security and Privacy Institute, I believe that it is imperative that we improve the state of cybersecurity education in America, something I recently wrote about in the Wall Street Journal. A national conversation has begun on this topic, and last week, security firm CloudPassage contributed by producing a report that was well intentioned but factually incorrect. Carnegie Mellon University offers over 50 courses in cybersecurity available to both undergraduate and graduate students, including two required courses at the undergraduate level that have large cybersecurity components. However, the CloudPassage report wrongly assigns Carnegie Mellon a “D” rating, denoted as offering 0 required courses and 1-3 electives in cybersecurity. We reached out to the firm and provided them with accurate numbers, and they released a follow-up blog post noting our course offerings.

Recent CyLab research makes big push in improving network testing and verification
To date, network administrators have been challenged with checking whether a network configuration correctly implements a suite of intended security policies. This is hard even for basic reachability policies (e.g. Can X talk to Y?) in simple networks. In practice, network administrators would like to implement more complex security postures using more advanced network functions (e.g., web application firewalls, intrusion prevention systems). “The more complex the policy and the more advanced your network functions are, the harder it is to give the network administrator assurance that the policy is realized correctly in the network,” says Vyas Sekar, an assistant professor of Electrical and Computer Engineering (ECE) and principal investigator of the study. “But for the first time, we’ve made network testing for checking dynamic policies with stateful networks practical.”

CyLab Director David Brumley in Wall Street Journal: 'We need to embrace hacking as a pre-eminent skill necessary to secure our digital world'
CyLab Director David Brumley just published an Op-Ed in the Wall Street Journal on ways to address the inadequate pipeline of talent to fill thousands of unfilled cybersecurity jobs. Brumley’s comments about growing the cybersecurity talent pipeline stem from CyLab's long history of cybersecurity training. Through various programs like the Software Engineering Institute’s Federal Virtual Training Environment or Brumley’s picoCTF hacking competition, CyLab has trained over 180,000 people in the field of cybersecurity, more than any other institution.

Newly Released Website Sheds Light on Shortcomings of Privacy Policies, Paves Way for Semi-Automated Summarization of these Policies
Few people read privacy policies. Studies have projected that it would take an average user over 600 hours to read every privacy policy associated with every website they visited in one year. However, research conducted over the past two years by researchers at Carnegie Mellon University, Fordham University and Stanford University, is paving the way to a day where technology might be able to provide users with short summaries of privacy policies.

CyLab-inspired Curriculum Leads to 3rd “Cyberstakes” Hacking Competition for US Service Academies
With the help of CyLab Director David Brumley, Ragsdale created “Cyberstakes,” a full-fledged offense / defense hacking competition in which students from every United States service academy could participate.

Carnegie Mellon, Stanford Researchers Devise Method To Share Password Data Safely
“This is the first time a major company has released frequency information on user passwords,” said CyLab faculty member Anupam Datta, associate professor of computer science and electrical and computer engineering at CMU.

CyLab students hack their way to 3rd place in NSA’s Codebreaker Challenge
Three CyLab students finished in the top 25 individually, placing Carnegie Mellon University 3rd overall in the NSA Codebreaking Challenge. Over 2,200 students from over 300 academic institutions participated in this year’s challenge.

Ed Felten Advocates Making Privacy Work for Everyone in Celebration of Data Privacy Day
Last week, Deputy U.S. Chief Technologist Ed Felten met with CyLab researchers and presented his keynote talk to a crowded Rangos Hall in Carnegie Mellon University’s Cohon University Center in celebration of CMU Privacy Day 2016.

CyLab’s Kyle Soska receives the Symantec Research Labs Graduate Fellowship
Kyle Soska, a CyLab Ph.D. student in the Department of Electrical and Computer Engineering, has received the Symantec Research Labs Graduate Fellowship. These fellowships are granted to two to three Ph.D. students each year who are conducting innovative research that has real-world value.

Better Design Improves Understanding of Online Privacy Notices: CyLab Researchers Outline Best Practices
Privacy policies for websites, smartphone apps and, especially, components of the emerging Internet of Things are usually ineffective or ignored by users, but CyLab researchers say properly designed privacy notices — pushed out to users at appropriate times — could help remedy that problem.

CyLab’s David Brumley to Co-Chair First Ever “Enigma” Conference
CyLab director David Brumley will co-chair Enigma -- a uniquely positioned vendor-neutral security conference. Enigma will be held January 25-27, 2016 featuring an impartial program presented by academic and industry experts offering immediately useful responses to security breaches.