Friday, November 20, 2009

Significant Contribution of Carnegie Mellon Privacy Research Cited in Congressional Hearing

U.S. Capitol Building

I want to credit the work dozens of dedicated faculty and students working on consumers' data privacy at Carnegie Mellon University, located in the heart of my district, have done. [Carnegie Mellon University], the data privacy lab and CyLab have all greatly contributed to the academic literature, commercial consciousness, public awareness, and my understanding of this issue. Rep. Mike Doyle (D-PA)

The work of Carnegie Mellon CyLab faculty and students was cited today in remarks by Rep. Mike Doyle (D-PA.) during hearings on Exploring the Offline and Online Collection and Use of Consumer Information held by the Committee on Energy and Commerce's Subcommittee on Commerce, Trade and Consumer Protection. Doyle also quoted CyLab researcher Alessandro Acquisti directly.

Here is a transcript of Rep. Doyle's remarks (thanks to CUPS' Aleecia McDonald).

"Thank you, Mr. Chairman, for holding this hearing today. Trading and selling of personal information began as long ago as 1899. Two brothers created the Retail Credit Company to track the creditworthiness of Atlanta grocery and retail customers. Some people know that company now as Equifax. Since then, the cost of storing and manipulating information has fallen sharply, and now organizations capture increasing amounts of data about individuals' behavior. Consumers hunger for personalization, product services, websites that cater to them. That causes them to reveal information about themselves. Ordering off a catalog reveals other information. Using a credit card yields more. And thinking you have to send in that warranty card can reveal almost your entire life to other parties.
But that information probably delivers better products, more targeted services, and a more enjoyable Internet experience. As Alessandro Acquisti of Carnegie Mellon writes, 'Is there a combination of economic incentives and technological solutions to privacy issues that is acceptable for the individual and beneficial to society?' In other words, is there a sweet spot that satisfies the interests of all parties? And then, what are the rules of the road that we need to put in place to make sure consumers' privacy is protected and that commerce flourishes? That's what I hope to learn more about in today's hearing. I want to credit the work dozens of dedicated faculty and students working on consumers' data privacy at Carnegie Mellon University, located in the heart of my district, have done. [Carnegie Mellon University], the data privacy lab and CyLab have all greatly contributed to the academic literature, commercial consciousness, public awareness, and my understanding of this issue. Thank you, Mr. Chairman, I yield back."


Details and video of the hearing are available from the Committee on Energy and Commerce Subcommittee. Note: Video starts at 17:40 with audio starting at 18:26 -- nothing but a title screen before that. Representative Doyle begins speaking at 43:29.

Tuesday, November 10, 2009

From Biometrics to BSIMM, & "50 Hurricanes Hitting At Once!" -- A Report on the Sixth Annual Partners Conference

Image: CyLab Biometrics Center


By Richard Power


Throughout 2009, I have made a point of attending some important security conferences and delivering reports on what I saw and heard; some of these reports are posted here on CyBlog and in the Intelligence Briefing section of the CyLab Partners-Only Portal. The events covered include RSA, Black Hat Briefings and USENIX Security Symposium, as well as our own SOUPS and Mobile Health Workshop. (I have included a listing of the summary reports below in “Conference Coverage.”)

It is wonderful to finish off the series with a report on the CyLab Partners Conference. It is an event accessible via invitation only, and developed as an opportunity for CyLab’s corporate partners to immerse themselves in an audacious program. The conference's agenda, like CyLab's research program itself, is sweeping in its scope and impressive in its implications.

The sixth annual CyLab Corporate Partners Conference, held on the main campus of Carnegie Mellon University (Pittsburgh, Pennsylvania) from Wednesday, October 14 to Friday, October 16, offered a deep dive into one of the world’s premier cyber security research programs. Over the span of two and a half days, attendees immersed themselves in presentations and panel discussions on a broad spectrum of research areas, including:

• Corporate Governance
• Secure Home Computing
• Usability of Security and Privacy Techniques
• Security of Cyber-Physical Systems
• Secure Mobile Systems and Networks
• Trusted Computing Platforms and Devices
• Secure Software Engineering
• Digital Forensics

The rich conference agenda also featured two keynotes, one from former White House aide Melissa Hathaway, and the other from Gary McGraw, CTO of Cigital, Inc.

In her remarks at lunch on Wednesday, Hathaway spoke of the vital role of business, government and the individual and emphasized the threat to critical infrastructure:

The specter of a "digital 9/11" is what still keeps the former U.S. acting cybersecurity czar up at night, Melissa Hathaway told a gathering of Carnegie Mellon University's CyLab corporate partners ...
To illustrate one possibility, Hathaway referred to the relatively low-level denial-of-service attacks that hit some federal Web sites for several days beginning over the July Fourth weekend.
A more powerful barrage that used more points of attack, perhaps against private-sector targets, could cause $700 billion in damage, she said.
"That's the equivalent of 50 hurricanes hitting at once," Hathaway said.
Mike Cronin, Partners of Carnegie Mellon's CyLab warned that 'digital 9/11' threat growing, Pittsburgh Tribune Review, 10-15-09

At dinner on Thursday, McGraw championed the Building Security in Maturity Model (BSIMM), which McGraw's Cigital developed and is now promoting with the SANS Institute through BSIMM Begin.

BSIMM is based on large-scale software security initiatives in nine enterprises: four financial services companies, three independent software vendors and two technology companies.

As McGraw remarked in his keynote, "BSIMM is not about good or bad ways to eat bananas or banana best practices. BSIMM is about observations."

The power of the observations offered by McGraw and his colleagues is in their practicality: e.g., "Ten Surprising Things," including "Nobody uses WAFs," "QA can't do software security," "PEN testing is diminishing," etc., and "Ten Things Everybody Does," including "Evangelist role," "SSG does ARA" and "good network security," etc.

BSIMM will help you know where your enterprise stands, and what direction you might want to maneuver it in. Perhaps most important, through BSIMM Begin, it is intended to be ongoing and participatory:

"BSIMM Begin aims to significantly broaden data collection. To keep the survey manageable, the scope has been limited to the BSIMM Level 1 activities. The goals of this survey are two-fold: to provide participants with a solid understanding of where they stand with respect to foundational software security activities; and to provide an understanding of where they stand relative to everyone else that participates. BSIMM Begin will broaden the collective understanding of what "keeping up" really means." Software Security Self-Measurement with BSIMM Begin Introduced by Cigital and The SANS Institute, 10-8-09

The BSIMM Begin survey can be accessed from the landing site: http://bsi-mm.com/begin/

For more information, read McGraw's Software [In]security: The Building Security In Maturity Model (BSIMM) in InformIT (3/16/09).

The body of the conference was devoted to updates on the diverse aspects of CyLab's bold research program.

For example, Marios Savvides, Director of CyLab’s Biometrics Center, and one of the four scientists of the Office of the Director of National Intelligence Center of Academic Excellence in S&T in Identity Sciences, delivered a report on his team's "Multi-Biometrics Research Effort."

Savvides' compelling presentation showcased how his research is tackling some of the field's most urgent and vital challenges, from Long Range Iris Recognition on the Move to Soft Biometrics to Automatic Landmarking Frontal Faces to 3-D Face Reconstruction from Single Images.

In his summary, Savvides outlined his Center's current status and goals, including:

-- Developed several key technologies of HIGHEST interest to the USG.

-- Already transitioning one technology to USG (FBI’s Universal Face Workstation)

-- Working with MIT-LL to develop Government Owned Face Recognition (GOTS-FR).

-- Working on refining and developing iris acquisition and other technology for the USG, for two more successful transition stories.

"We collaborate and bridge across many USG agencies," Savvides concluded, "Our goal is to support the USG in developing key enabling technologies to deter terrorism and aid the war fighter."

The three presentations briefly cited here offer only a few glimpses into the scope of the sessions stretching over the two and a half day conference.

NOTE: A full archive of presentations, student posters, photo gallery and videos is accessible to CyLab Partners only from the Partners Portal.

Conference Coverage

A Report from the 18th USENIX Security Symposium: Android Security, Naked Keystrokes, Selling Viagra, Crying Wolf & More!

A Report from BlackHat Briefings (Las Vegas 2009): From Parking Meters to the Cloud, from SMS to Smart Grids, “Everything is Broken …”

Reflections on SOUPS 2009: Between Worlds, Cultivating Superior Cleverness, Awaiting a Shift in Consciousness

RSA Conference 2009: Summary of Posts

CyLab MRC's Martin Griss Declares, "I Do Not Want Us to be Just Another Big Consortium, I Want Us to Do Something"

NOTE: Full texts of my reports from USENIX, Blackhat and the Sixth Annual CyLab Partners Conference are available to CyLab corporate partners via the Partners Portal.

Saturday, November 7, 2009

CyLab Dispatch: On the Road for Cyber Security Month


Image: United States at Night (NASA)

by Richard Power


Over the last two years, I have been addressing these and related issues in industry outreach through presentations and publications.

Last year, to observe Computer Security Day, I traveled to the island nation of Mauritius, in the Indian Ocean, off the coast of Africa. (CyLab corporate partners can read more about it in Culture of Security: A Message from Mauritius.)

This year, to observe Cyber Security Awareness Month, I delivered “Starting Over after a Lost Decade: In Search of a Bold New Vision for Cyber Security” first in the Midwest, then in the South, then in the North and then in the West:

* CERIAS, Purdue University, West Lafayette, IN
* ISSA InfoSecCon, Raleigh, NC
* Carnegie Mellon CyLab, Pittsburgh, PA
* SecureWorld Seattle, Bellevue, WA

At SecureWorld Seattle, I also delivered a presentation on “Secrets Stolen, Fortunes Lost: Preventing Economic Espionage & Intellectual Property Theft in the 21st Century,” with Christopher Burgess, with whom I co-authored the book by the same title.

Here is a link to the video of my seminar at CERIAS. (CyLab corporate partners can also view the video of my Pittsburgh seminar, along with a .pdf of the full presentation, in the Business Risks Forum section of the Partners Portal.)

In 2009, I also continued writing for CSO Magazine, and increased the frequency of my columns to bi-monthly:

* Red pill? Blue pill? Beyond Fear, Doubt, and “Broken.” Ruminations on the Intersection of Inner Space and Cyber Space
* Cyber Security, the Nuclear Threat and You: Cassandra's Guide to the 21st Century
* This Profound Moment in Cybersecurity, & Three Challenges that Frame It
* To Govern or Not to Govern
* A Corporate Strategy for Coping with the Climate Crisis
* Industrial Espionage: Secrets Stolen, Fortunes Lost

[NOTE: CyLab partners can read the full text of this CyLab Dispatch in the Culture of Security section of our Partners Only Portal.]

Thursday, October 8, 2009

CyLab Technical Director Adrian Perrig Wins Information Security Magazine 2009 "Security 7" Award



"Professor Perrig is being recognized for attacking future threats by designing systems that cut down on user error." Michael Mimoso, Editor, Information Security Magazine

Carnegie Mellon CyLab's Adrian Perrig was awarded a Security 7 Award from Information Security magazine for innovative cybersecurity research in academia.

Perrig, Technical Director of Carnegie Mellon CyLab, is also a professor in the departments of Electrical and Computer Engineering and Engineering and Public Policy, and the School of Computer Science. He will be recognized in the magazine's October issue. This is the fifth year of the awards program, which drew more than 150 nominations throughout North America.

"I am deeply honored by this award because it demonstrates the important contributions under way by academic researchers in critical areas of security decision-making and novel technologies designed to protect users from cyber attacks," Perrig said.

Michael S. Mimoso, editor of the Massachusetts-based Information Security magazine, said the awards recognize the achievements of security practitioners and researchers in a variety of industries, including education. "Professor Perrig is being recognized for attacking future threats by designing systems that cut down on user error," said Mimoso, a 2007 fellow at Carnegie Mellon's Information Technology Media Fellowship Program supported by the university's College of Engineering.

This year's other recipients include Jerry Freeze, Director of IT Security Engineering for American Electric Power (Utilities), Melissa Hathaway, Former Acting Senior Director for Cyberspace for the National Security Council (Government), Bruce Jones, CISO, Kodak (Manufacturing), Jon Moore, CISO, Humana, Inc. (Healthcare), Bernie Romaniski, IT Security Officer, Regis Corp. (Retail), and Tony Spinelli, CSO, Equifax (Financial Services).

Each of the recipients of the fifth annual Security 7 Awards was asked "to write a first-person essay on a subject matter they are passionate about."

Here are a few brief excerpts from Perrig's essay, Improve SSL/TLS Security Through Education and Technology, with a link to the full text:

Probably the most fundamental threat to SSL/TLS security is a so-called man-in-the-middle (MitM) attack, where an adversary interposes in a connection between a client and a server to eavesdrop on communication or inject malicious data. Such MitM attacks can be mounted by any entity handling network packets, and are usually mounted in wireless networks in public environments, e.g., in coffee shops, airports, conferences, etc. The SSL/TLS protocol is designed to protect against man-in-the-middle attacks.

Unfortunately, many real-world issues still enable adversaries to mount attacks ...

Over the past seven years, I have been teaching more than 100 students each year about the various issues with SSL/TLS ... In several instances, the lessons learned in class fell on fertile ground: the students immediately assessed the security of their banks' websites and informed their banks to report cases of inadequate security. In numerous instances, the banks listened to the students' feedback and promptly improved security. In some cases, it was as simple as fixing a typo by adding the critical "s" to complete the URL to "https" for the login page. In more difficult cases, students needed to convince the banks' security administrators that JavaScript-based encryption loaded from a non-https page can be easily removed by a MitM attacker. In summary, educating a critical mass of students who further disseminate security knowledge can result in real, improved security for everyone.

Together with student education, technology that provides the user with additional information for improved security decision making can also enhance security. To improve security for https sites with self-signed certificates, as well as detect numerous attacks on https sites using bogus certificates, Dan Wendlandt, Dave Andersen and I designed and built Perspectives, a Firefox plug-in that connects to notary servers to assist in validating https credentials ...
Improve SSL/TLS Security Through Education and Technology, Information Security Magazine, 10-8-09
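The notary idea Perrig describes above, as an added example (this is not the Perspectives plug-in's own code): a simplified quorum check in Python. Several independent notaries record which key a server presents over time; the client compares the key it was shown against their view. A key that a quorum of notaries have seen consistently for a while is accepted, a key the notaries also see but only recently is reported as a possible rotation, and a key that only the client's own network path sees is flagged, which is how a MitM on a public Wi-Fi path looks from outside. The notary names, fingerprints, the 75% quorum and the seven-day minimum duration are constructed assumptions for the demo.

```python
"""Perspectives-style notary quorum check (added example, not the plug-in's code)."""
from dataclasses import dataclass
from typing import Dict, List

DAY = 86400  # seconds


@dataclass(frozen=True)
class Observation:
    notary: str       # identity of the notary server (constructed names below)
    fingerprint: str  # hex fingerprint of the key the notary saw the server present
    first_seen: int   # unix time the notary first recorded this key for the server
    last_seen: int    # unix time the notary most recently confirmed this key


def latest_by_notary(observations: List[Observation]) -> Dict[str, Observation]:
    """A notary reports a key history; keep only each notary's most recent key."""
    latest: Dict[str, Observation] = {}
    for obs in observations:
        current = latest.get(obs.notary)
        if current is None or obs.last_seen > current.last_seen:
            latest[obs.notary] = obs
    return latest


def evaluate(client_fp: str, observations: List[Observation], now: int,
             quorum: float = 0.75, min_duration: int = 7 * DAY) -> dict:
    """Decide whether the key the client sees matches the notaries' consistent view.

    quorum: fraction of notaries that must currently report the client's key.
    min_duration: how long the agreeing notaries must have seen that key
    (assumed thresholds); a brand-new key is reported separately so the user
    can tell a legitimate rotation from outright disagreement.
    """
    latest = latest_by_notary(observations)
    total = len(latest)
    agreeing = [o for o in latest.values() if o.fingerprint == client_fp]
    quorum_met = total > 0 and len(agreeing) / total >= quorum
    # Conservative age of the key: the shortest history among agreeing notaries.
    duration = min(now - o.first_seen for o in agreeing) if agreeing else 0

    if quorum_met and duration >= min_duration:
        verdict = "accept"
    elif quorum_met:
        verdict = "warn:new-key"        # notaries agree, but the key is recent
    else:
        verdict = "warn:disagreement"   # client's path sees a key notaries do not
    return {"verdict": verdict, "agreeing": len(agreeing), "total": total,
            "duration_days": duration // DAY}


def sample_observations(now: int) -> List[Observation]:
    """Constructed notary data: four notaries that have seen one stable key for
    60 days (last confirmed an hour ago); one of them also recorded a
    different key for a single hour two days ago, a realistic transient."""
    stable = "aa11" * 8
    transient = "bb22" * 8
    obs = [Observation(f"notary{i}.example", stable, now - 60 * DAY, now - 3600)
           for i in range(1, 5)]
    obs.append(Observation("notary4.example", transient,
                           now - 2 * DAY, now - 2 * DAY + 3600))
    return obs


if __name__ == "__main__":
    now = 100 * DAY
    obs = sample_observations(now)
    print(evaluate("aa11" * 8, obs, now))   # accept: all four notaries, 60 days
    print(evaluate("cc33" * 8, obs, now))   # warn:disagreement: only the client sees this key
```

The transient entry for notary4 exercises the history handling: because its last_seen is older than that notary's confirmation of the stable key, it does not change the notary's current view. A real deployment would also have to authenticate the notaries' responses and cache them, which this model leaves out.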

Text of press release

Thursday, September 24, 2009

Carnegie Mellon's Capture the Flag Team Excels in Hackjam Competition



Our Hackjam will consist of 10 challenges which relate to Binary Analysis, Reverse Engineering, Exploitation, Web Security, Forensics, and all the other materials that are required to be a hacker. I can guarantee that these problems are not like other CTFs where they have to solve nonsense puzzles instead of true hacking. We tried to create challenges that greatly resemble real world scenarios and environments, at the same time adding fun and educational ingredients to them. Trust me, you won't regret it. Sapheads Hackjam

By Richard Power


Carnegie Mellon University's "Capture The Flag" (CTF) team, a.k.a. "Plaid Parliament Of Pwning," won third place in a recent Sapheads Hackjam competition.

CyLab researcher David Brumley, the team's faculty sponsor, provides some context: "Capture the Flag is a long running tradition at hacker conventions. It pits teams of security researchers against each other on the same network. There were 100 teams from all over the world, so this is quite an accomplishment. They were top in the US, and solved as many problems as the top two winners."

Brumley also cited CyLab's strong contribution to the success of the effort: "JongHyup is a visiting scholar at CyLab. Jiyong, Sang Kil, and Ed are all funded by CyLab, and CyLab provides resources and space for the team. Symantec, one of CyLab's corporate partners, was also a sponsor."

Here's the proud roster of Plaid Parliament Of Pwning:

Joseph Ceirante (MS, INI)
Jonathon Cooke (MS, INI)
Brian Pak (Undergrad, CSD)
Sang Kil Cha (MS ECE)
Jiyong Jang (PhD ECE)
JongHyup Lee (Postdoc, ECE)
Ed Schwartz (PhD ECE)
Andrew Wesie (Undergrad, CSD)

Here is my interview with the team.

CyBlog: Describe the nature of this particular CTF contest. And what level of teamwork was required?

Plaid Parliament Of Pwning: General format and rules were similar to other CTF contests, where we need to find a key string to proceed to the next stage. However, Sapheads – host of HackJam – claimed that they have differentiated their problem sets from others. Unlike usual CTF contests, they tried to relate problems to real world scenarios.
As problems got harder to solve, teamwork became more critical. The more brains that are coming up with ideas, the more successful you are going to be. It is possible for one person to do the entire competition, but doing it as a team is more effective and faster.

CyBlog: Give us an example or two of the kinds of problems you had to solve.

Plaid Parliament Of Pwning: Most of the problems required a mixture of several categories of techniques. These categories include binary reverse engineering/exploitation, web hacking, and forensics.
First, as an example of binary exploitation, we needed to exploit a binary with stack protection that was running on the target server. Specifically, it was checking the integrity of the stack.
Also, as an example of web hacking, we had to use XSS (Cross Site Scripting) and PHP code injection to access confidential data (in this case, the key phrase).
Third, we also had a forensics problem, where we needed to analyze captured network packets and extract various types of data, such as zip and VoIP, that give a hint for the password.

CyBlog: What was the most challenging problem you solved successfully and how did you do it?

Plaid Parliament Of Pwning: A problem that was both very interesting and challenging involved reconstructing an OpenSSH private key, which was being used for public key authentication, from the core dump of ssh-agent. This problem was unique because we weren't trying to exploit some bug or reverse a program, since it involved an open source program whose source code was readily available. Instead, it required you to be able to understand the source code quickly, relate it to what was in memory, and extract the information you needed.
Finding the key in memory wasn't too hard. You just needed to follow a couple of pointers and you were at the bytes you needed. What made it difficult is the format the key was in: arrays of integers. How do a couple of arrays of integers represent the components of an encryption key? Thanks to the source code and Wikipedia, it was trivial to see that each array represented one big number. Then, after sifting through the OpenSSL source code, which is quite a mess, one can start to imagine how these integers end up representing some really big numbers. And then it is a simple matter of constructing a private key file. Though it was not easy to find documentation for OpenSSH private keys. Thankfully, after some time, another open source program plus a little luck resulted in a working private key.
Moral of the story, and one that is in the version of OpenSSH I looked at: letting a program that has your private keys core dump is a really bad idea.

CyBlog: What do such contests teach you about the nature of developing attacks and countermeasures?

Plaid Parliament Of Pwning: One of the ways that the problems got harder is that they started to implement some countermeasures against buffer overflow attacks. Obviously these countermeasures weren't perfect, but they definitely made it more challenging. And this is somewhat realistic: anyone with enough time and resources is going to find a way to break your system; the best you can do, for now, is to make it as difficult as you possibly can.

CyBlog: Do you discern any differences in style, skill levels, etc., between hackers from different countries or regions?

Plaid Parliament Of Pwning: What determines the style and skill level between hackers is their past experiences. While the country or region they are from can influence this, it definitely is not a major difference.

Thursday, September 17, 2009

Google Acquires ReCaptcha, Spin-Off Based on CyLab Research



"Google is the best fit for reCAPTCHA," von Ahn said. "From the very start,
people often assumed the project was connected to Google, so it only makes
sense that reCAPTCHA Inc. ultimately would find a home within Google."
Reuters, 9-16-09

CyLab News – Google Acquires ReCaptcha, Spin-Off Based on CyLab Research

Once again, the fruits of research from within the creative matrix of Carnegie Mellon University CyLab have grabbed headlines across the mainstream, business and IT media; this time, it's Luis von Ahn and ReCaptcha.

Here are a few excerpts from sample news stories, with links to the full texts:

Acknowledging once again that humans are better than computer algorithms at some tasks, Google said on Wednesday that it had acquired ReCaptcha, a start-up that grew out of a research project at Carnegie Mellon, for an undisclosed amount. New York Times, 9-16-09

"The words in many of the captchas provided by reCaptcha come from scanned archival newspapers and old books," wrote Luis von Ahn, co-founder of reCaptcha, and Will Cathcart, a Google product manager, in a blog post. "Computers find it hard to recognise these words because the ink and paper have degraded over time, but by typing them in as a captcha, crowds teach computers to read the scanned text. In this way, reCaptcha's unique technology improves the process that converts scanned images into plain text, known as Optical Character Recognition (OCR). This technology also powers large scale text scanning projects like Google Books and Google News Archive Search." Telegraph/UK, 9-17-09

Google says reCaptcha's technology can help it with some of its high-profile initiatives, like scanning books and newspapers to create searchable archives. As users type in the words, they help teach computers to read scanned text, improving computer accuracy when converting scanned images into plain text, a process known as optical character recognition.
"Having the text version of documents is important because plain text can be searched, easily rendered on mobile devices and displayed to visually impaired users," Google said in a blog post about the deal.
Wall Street Journal, 9-16-09

Google has no shortage of errors to correct. One of the company's Book Search engineers recently acknowledged that there are millions of errors in the metadata used to describe the books scanned for Google Book Search. No doubt the company's OCR output isn't perfect either.
But such problems look a lot less daunting when one can leverage CAPTCHA input to correct errors.
Information Week, 9-16-09

Tuesday, August 25, 2009

CUPS Director Lorrie Cranor Receives NSF Funding For Interdisciplinary Doctoral Program in Privacy and Security



Patrick Kelly of Tonawanda, N.Y., also said the new program will dovetail nicely with his privacy research. "I'm looking at how to improve the often arcane privacy policies all shoppers experience when surfing the Internet," said Kelly, a Ph.D. student at the Institute for Software Research in the School of Computer Science. "We would ultimately like to create a standard format for privacy rules."



Carnegie Mellon University’s Lorrie Cranor and her colleagues received a five-year, $3 million grant from the National Science Foundation (NSF) to establish a Ph.D. program in usable privacy and security.
“Carnegie Mellon’s CyLab Usable Privacy and Security (CUPS) Doctoral Training Program will offer Ph.D. students a new cross-disciplinary training experience that helps them produce solutions to ongoing tensions between security, privacy and usability,” said Cranor, associate professor in the Institute for Software Research, the Department of Engineering and Public Policy and Carnegie Mellon CyLab — one of the largest university-based cybersecurity education and research centers in the world.
Cranor said the CUPS doctoral training program is designed to give students both classroom learning as well as collaborative research training with teams of mentors from different disciplines, internships and summer seminars …
The new CUPS program funded through the NSF’s Integrative Graduate Education and Research Traineeship program is now available to Ph.D. students across the university, including the programs in Computation, Organizations and Society, Engineering and Public Policy, Human Computer Interaction, Computer Science, Electrical and Computer Engineering, and Public Policy and Management.
Core faculty in the program include Alessandro Acquisti, an assistant professor of information technology and policy in the H. John Heinz III College and CyLab researcher; Lujo Bauer, a research scientist with Carnegie Mellon CyLab and the Electrical and Computer Engineering Department; Nicolas Christin, associate director in the Information Networking Institute and CyLab researcher; Julie Downs, a research scientist in the Social and Decision Sciences Department; Jason Hong, an assistant professor in the Human Computer Interaction Institute; Norman Sadeh, a professor in the Institute for Software Research and CyLab researcher; and Marios Savvides, director of the Carnegie Mellon CyLab Biometrics Center and a research scientist in the Department of Electrical and Computer Engineering.

Full text of the press release

For more information

Some Related Posts

CyLab CUPS Researchers Release Study on SSL Warning Effectiveness

Reflections on SOUPS 2009: Between Worlds, Cultivating Superior Cleverness, Awaiting a Shift in Consciousness

CyLab's Cranor Publishes in Scientific American --"How to Foil Phishing Scams"

CyLab Research on the Cost of Reading Privacy Policies Makes Waves

CyLab Chronicles: Q&A with Lorrie Cranor