Tuesday, December 1, 2009

Report from the Launch of the Northrop Grumman Cybersecurity Research Consortium





"We require leap-ahead technology developments to improve the position of defenders. Our NGCRC is all about creating leap-ahead technologies to implement on a large-scale."


By Richard Power


At the National Press Club in Washington, D.C., Northrop Grumman announced the formation of its Cybersecurity Research Consortium (NGCRC), which involves three of the leading programs in the field: Carnegie Mellon's CyLab as well as Purdue University's CERIAS and M.I.T.'s CSAIL.

In his remarks, Robert F. Brammer, VP for Advanced Technology and CTO for Northrop Grumman Information Systems, cited the motivating factors behind the Consortium:

"First, the values of information systems and networks have never been greater. Second, cybersecurity threats have never been greater."

"We are moving from an internet of people and computers to an internet of things. This technology will transform electric power, automobiles, real estate, home appliances, health care, and other industries."

"We require leap-ahead technology developments to improve the position of defenders. Our NGCRC is all about creating leap-ahead technologies to implement on a large-scale."

Following Brammer's opening statement, representatives from the three academic research programs offered glimpses into what some of that "leap-ahead" technology will look like.

Dr. Howard Shrobe, Principal Research Scientist at M.I.T. CSAIL (Computer Science and Artificial Intelligence Lab), spoke on his "Meta-Computing" project:

"Computers are vulnerable because they have no idea what they're doing; they can't tell right from wrong ... Our fix to this is to design a new style of computer architecture ..."

Dr. Adrian Perrig, CyLab's Technical Director, briefly outlined the seven major CyLab research thrusts and then highlighted work being done in the area of Trustworthy Computing Platforms & Devices.

This research focuses on the Trusted Platform Module (TPM). In 2008, over 100 million laptops & desktops shipped with a TPM; in 2010, the figure is estimated to be over 200 million. But, as of today, the TPM is an under-utilized opportunity to deepen security. CyLab is working on numerous projects that provide means to establish trustworthy computing in an insecure environment. The challenge is this: in an increasingly virtual world, how can we obtain assurance of who, and which device, we are communicating with? CyLab is developing easy-to-understand and intuitive mechanisms for secure device pairing and personal trust setup, e.g., Perspectives, TrustVisor, Flicker and SPATE.

Perrig also offered a brief overview of three research projects CyLab will be pursuing as its contribution to the NGCRC:

"Detection Mechanisms for Integrity Attacks on Sensing & Control Software Systems" will be led by Dr. Bruno Sinopoli. The work is aimed at detecting integrity attacks on distributed control software systems. Has software on embedded devices been modified? Are there discrepancies between sensed & expected behavior? What do they indicate?

"Towards Minimizing the Attack Window for Exploitable Bugs" will be led by Dr. David Brumley. It aims at developing techniques, attack models, & theoretical foundations for finding new bugs, for prioritizing bugs by their exploitability, & for safely distributing patches that fix exploitable bugs.

"Real-Time Execution Trace Recording & Analysis" is led by Dr. Perrig himself along with Amit Vasudevan. It aims at enabling real-time forensics, which would otherwise be impossible. Did attackers exploit a vulnerability to compromise systems; if yes, what operations did they perform?

Dr. Eugene Spafford, Executive Director of CERIAS (Center for Education and Research in Information Assurance and Security), spoke of four NGCRC projects:

"Fast Forensics"

"Watermarking and Provenance of Data Streams for the Cyber-Range"

"Partitioning Network Experiments for the Cyber-Range"

"Context-Based, Adaptable Defense Against Collaborative Attacks in Service-Oriented Architectures"

"In the Fast Forensics," Spafford explained, "we will be investigating how to provide investigators in the field with timely support to examine cellphones, PDAs, and other portable devices containing evidence of criminal activity."

Spafford described the NGCRC as a "unique opportunity for the community to work together looking ahead to the future for a change instead of being reactive serve as an example for other organizations to step forward and take the threat more seriously."

As a long-time champion of academic research into cybersecurity, I concur.

Academic research into cybersecurity is vital to national security and global security.

Partnerships with industry and government are vital to the success of academic research into cybersecurity.

Bringing Northrop Grumman, CyLab, CERIAS & MIT together in this consortium is an opportunity to advance both of these vital agendas.

The aim of all such collaborations is to accelerate the development of security technologies and strategies. Our work can make such technologies and strategies available sooner than they would have been otherwise.

Related Links:

Carnegie Mellon University Press Release

Northrop Grumman Press Release

Friday, November 20, 2009

Significant Contribution of Carnegie Mellon Privacy Research Cited in Congressional Hearing

Image: U.S. Capitol Building

I want to credit the work dozens of dedicated faculty and students working on consumers' data privacy at Carnegie Mellon University, located in the heart of my district, have done. [Carnegie Mellon University], the data privacy lab and CyLab have all greatly contributed to the academic literature, commercial consciousness, public awareness, and my understanding of this issue. Rep. Mike Doyle (D-PA)


The work of Carnegie Mellon CyLab faculty and students was cited today in remarks by Rep. Mike Doyle (D-PA.) during hearings on Exploring the Offline and Online Collection and Use of Consumer Information held by the Committee on Energy and Commerce's Subcommittee on Commerce, Trade and Consumer Protection. Doyle also quoted CyLab researcher Alessandro Acquisti directly.

Here is a transcript of Rep. Doyle's remarks (thanks to CUPS' Aleecia McDonald).

"Thank you, Mr. Chairman, for holding this hearing today. Trading and selling of personal information began as long ago as 1899. Two brothers created the retail credit company to track the credit worthiness of Atlanta grocery and retail customers. Some people know that company now as Equifax. Since then, the cost of storing and manipulating information has fallen sharply, and now organizations capture increasing amounts of data about individuals' behavior. Consumers hunger for personalization, product services, websites that cater to them. That causes them to reveal information about themselves. Ordering off a catalog reveals other information. Using a credit card yields more. And thinking you have to send in that warranty card can reveal almost your entire life to other parties.
But that information probably delivers better products, more targeted services, and a more enjoyable Internet experience. As Alessandro Acquisti of Carnegie Mellon writes, 'Is there a combination of economic incentives and technological solutions to privacy issues that is acceptable for the individual and beneficial to society?' In other words, is there a sweet spot that satisfies the interests of all parties? And then, what are the rules of the road that we need to put in place to make sure consumers' privacy is protected and that commerce flourishes? That's what I hope to learn more about in today's hearing. I want to credit the work dozens of dedicated faculty and students working on consumers' data privacy at Carnegie Mellon University, located in the heart of my district, have done. [Carnegie Mellon University], the data privacy lab and CyLab have all greatly contributed to the academic literature, commercial consciousness, public awareness, and my understanding of this issue. Thank you, Mr. Chairman, I yield back."


Details and video of the hearing are available from the Committee on Energy and Commerce Subcommittee. Note: Video starts at 17:40 with audio starting at 18:26 -- nothing but a title screen before that. Representative Doyle begins speaking at 43:29.

Tuesday, November 10, 2009

From Biometrics to BSIMM, & "50 Hurricanes Hitting At Once!" -- A Report on the Sixth Annual Partners Conference

Image: CyLab Biometrics Center



by Richard Power


Throughout 2009, I have made a point of attending some important security conferences and delivering reports on what I saw and heard; some of these reports are posted here on CyBlog and in the Intelligence Briefing section of the CyLab Partners-Only Portal. The events covered include RSA, Black Hat Briefings and USENIX Security Symposium, as well as our own SOUPS and Mobile Health Workshop. (I have included a listing of the summary reports below in “Conference Coverage.”)

It is wonderful to finish off the series with a report on the CyLab Partners Conference. It is an invitation-only event, developed as an opportunity for CyLab’s corporate partners to immerse themselves in an audacious program. The conference's agenda, like CyLab's research program itself, is sweeping in its scope and impressive in its implications.

The sixth annual CyLab Corporate Partners Conference, held on the main campus of Carnegie Mellon University (Pittsburgh, Pennsylvania) from Wednesday, October 14 to Friday, October 16, offered a deep dive into one of the world’s premier cyber security research programs. Over the span of two and a half days, attendees immersed themselves in presentations and panel discussions on a broad spectrum of research areas, including:

• Corporate Governance
• Secure Home Computing
• Usability of Security and Privacy Techniques
• Security of Cyber-Physical Systems
• Secure Mobile Systems and Networks
• Trusted Computing Platforms and Devices
• Secure Software Engineering
• Digital Forensics

The rich conference agenda also featured two keynotes, one from former White House aide Melissa Hathaway, and the other from Gary McGraw, CTO of Cigital, Inc.

In her remarks at lunch on Wednesday, Hathaway spoke of the vital role of business, government and the individual and emphasized the threat to critical infrastructure:

The specter of a "digital 9/11" is what still keeps the former U.S. acting cybersecurity czar up at night, Melissa Hathaway told a gathering of Carnegie Mellon University's CyLab corporate partners ...
To illustrate one possibility, Hathaway referred to the relatively low-level denial-of-service attacks that hit some federal Web sites for several days beginning over the July Fourth weekend.
A more powerful barrage that used more points of attack, perhaps against private-sector targets, could cause $700 billion in damage, she said.
"That's the equivalent of 50 hurricanes hitting at once," Hathaway said.
Mike Cronin, Partners of Carnegie Mellon's CyLab warned that 'digital 9/11' threat growing, Pittsburgh Tribune Review, 10-15-09

At dinner on Thursday, McGraw championed the Building Security In Maturity Model (BSIMM), which McGraw's Cigital developed and is now promoting with the SANS Institute through BSIMM Begin.

BSIMM is based on large-scale software security initiatives in nine enterprises: four financial services companies, three independent software vendors and two technology companies.

As McGraw remarked in his keynote, "BSIMM is not about good or bad ways to eat bananas or banana best practices. BSIMM is about observations."

The power of the observations offered by McGraw and his colleagues is in their practicality: e.g., "Ten Surprising Things," including "Nobody uses WAFs," "QA can't do software security," "PEN testing is diminishing," etc., and "Ten Things Everybody Does," including "Evangelist role," "SSG does ARA" and "good network security," etc.

BSIMM will help you know where your enterprise stands, and in what direction you might want to maneuver it. Perhaps most important, through BSIMM Begin, it is intended to be ongoing and participatory:

"BSIMM Begin aims to significantly broaden data collection. To keep the survey manageable, the scope has been limited to the BSIMM Level 1 activities. The goals of this survey are two-fold: to provide participants with a solid understanding of where they stand with respect to foundational software security activities; and to provide an understanding of where they stand relative to everyone else that participates. BSIMM Begin will broaden the collective understanding of what "keeping up" really means." Software Security Self-Measurement with BSIMM Begin Introduced by Cigital and The SANS Institute, 10-8-09

The BSIMM Begin survey can be accessed from the landing site: http://bsi-mm.com/begin/

For more information, read McGraw's Software [In]security: The Building Security In Maturity Model (BSIMM) in InformIT (3/16/09).

The body of the conference was devoted to updates on the diverse aspects of CyLab's bold research program.

For example, Marios Savvides, Director of CyLab’s Biometrics Center, and one of the four scientists of the Office of the Director of National Intelligence Center of Academic Excellence in S&T in Identity Sciences, delivered a report on his team's "Multi-Biometrics Research Effort."

Savvides' compelling presentation showcased how his research is tackling some of the field's most urgent and vital challenges, from Long Range Iris Recognition on the Move to Soft Biometrics to Automatic Landmarking Frontal Faces to 3-D Face Reconstruction from Single Images.

In his summary, Savvides outlined his Center's current status and goals, including:

-- Developed several key technologies of HIGHEST interest to the USG.

-- Already transitioning one technology to USG (FBI’s Universal Face Workstation)

-- Working with MIT-LL to develop Government Owned Face Recognition (GOTS-FR).

-- Working on refining and developing iris acquisition and other technology for the USG, for two more successful transition stories.

"We collaborate and bridge across many USG agencies," Savvides concluded. "Our goal is to support the USG in developing key enabling technologies to deter terrorism and aid the war fighter."

The three presentations briefly cited here offer only a few glimpses into the scope of the sessions stretching over the two-and-a-half-day conference.

NOTE: A full archive of presentations, student posters, photo gallery and videos is accessible to CyLab Partners only from the Partners Portal.

Conference Coverage

A Report from the 18th USENIX Security Symposium: Android Security, Naked Keystrokes, Selling Viagra, Crying Wolf & More!

A Report from BlackHat Briefings (Las Vegas 2009): From Parking Meters to the Cloud, from SMS to Smart Grids, “Everything is Broken …”

Reflections on SOUPS 2009: Between Worlds, Cultivating Superior Cleverness, Awaiting a Shift in Consciousness

RSA Conference 2009: Summary of Posts

CyLab MRC's Martin Griss Declares, "I Do Not Want Us to be Just Another Big Consortium, I Want Us to Do Something"

NOTE: Full texts of my reports from USENIX, Blackhat and the Sixth Annual CyLab Partners Conference are available to CyLab corporate partners via the Partners Portal.

Saturday, November 7, 2009

CyLab Dispatch: On the Road for Cyber Security Month


Image: United States at Night (NASA)


by Richard Power


Over the last two years, I have been addressing these and related issues in industry outreach through presentations and publications.

Last year, to observe Computer Security Day, I traveled to the island nation of Mauritius, in the Indian Ocean, off the coast of Africa. (CyLab corporate partners can read more about it in Culture of Security: A Message from Mauritius.)

This year, to observe Cyber Security Awareness Month, I delivered “Starting Over after a Lost Decade: In Search of a Bold New Vision for Cyber Security” first in the Midwest, then in the South, then in the North and then in the West:

* CERIAS, Purdue University, West Lafayette, IN
* ISSA InfoSecCon, Raleigh, NC
* Carnegie Mellon CyLab, Pittsburgh, PA
* SecureWorld Seattle, Bellevue, WA

At SecureWorld Seattle, I also delivered a presentation on “Secrets Stolen, Fortunes Lost: Preventing Economic Espionage & Intellectual Property Theft in the 21st Century,” with Christopher Burgess, with whom I co-authored the book by the same title.

Here is a link to the video of my seminar at CERIAS. (CyLab corporate partners can also view the video of my Pittsburgh seminar, along with a .pdf of the full presentation, in the Business Risks Forum section of the Partners Portal.)

In 2009, I also continued writing for CSO Magazine, and increased the frequency of my columns to bi-monthly:

* Red pill? Blue pill? Beyond Fear, Doubt, and “Broken.” Ruminations on the Intersection of Inner Space and Cyber Space
* Cyber Security, the Nuclear Threat and You: Cassandra's Guide to the 21st Century
* This Profound Moment in Cybersecurity, & Three Challenges that Frame It
* To Govern or Not to Govern
* A Corporate Strategy for Coping with the Climate Crisis
* Industrial Espionage: Secrets Stolen, Fortunes Lost

[NOTE: CyLab partners can read the full text of this CyLab Dispatch in the Culture of Security section of our Partners Only Portal.]

Thursday, October 8, 2009

CyLab Technical Director Adrian Perrig Wins Information Security Magazine 2009 "Security 7" Award



"Professor Perrig is being recognized for attacking future threats by designing systems that cut down on user error." Michael Mimoso, Editor, Information Security Magazine


Carnegie Mellon CyLab's Adrian Perrig was awarded a Security 7 Award from Information Security magazine for innovative cybersecurity research in academia.

Perrig, Technical Director of Carnegie Mellon CyLab, is also a professor in the departments of Electrical and Computer Engineering and Engineering and Public Policy, and the School of Computer Science. He will be recognized in the magazine's October issue. This is the fifth year of the awards program, which drew more than 150 nominations throughout North America.

"I am deeply honored by this award because it demonstrates the important contributions under way by academic researchers in critical areas of security decision-making and novel technologies designed to protect users from cyber attacks," Perrig said.

Michael S. Mimoso, editor of the Massachusetts-based Information Security magazine, said the awards recognize the achievements of security practitioners and researchers in a variety of industries, including education. "Professor Perrig is being recognized for attacking future threats by designing systems that cut down on user error," said Mimoso, a 2007 fellow at Carnegie Mellon's Information Technology Media Fellowship Program supported by the university's College of Engineering.

This year's other recipients include Jerry Freeze, Director of IT Security Engineering for American Electric Power (Utilities), Melissa Hathaway, Former Acting Senior Director for Cyberspace for the National Security Council (Government), Bruce Jones, CISO, Kodak (Manufacturing), Jon Moore, CISO, Humana, Inc. (Healthcare), Bernie Romaniski, IT Security Officer, Regis Corp. (Retail), and Tony Spinelli, CSO, Equifax (Financial Services).

Each of the recipients of the fifth annual Security 7 Awards was asked "to write a first-person essay on a subject matter they are passionate about."

Here are a few brief excerpts from Perrig's essay, Improve SSL/TLS Security Through Education and Technology, with a link to the full text:

Probably the most fundamental threat to SSL/TLS security is a so-called man-in-the-middle (MitM) attack, where an adversary interposes in a connection between a client and a server to eavesdrop on communication or inject malicious data. Such MitM attacks can be mounted by any entity handling network packets, and are usually mounted in wireless networks in public environments, e.g., in coffee shops, airports, conferences, etc. The SSL/TLS protocol is designed to protect against man-in-the-middle attacks.

Unfortunately, many real-world issues still enable adversaries to mount attacks ...

Over the past seven years, I have been teaching more than 100 students each year about the various issues with SSL/TLS ... In several instances, the lessons learned in class fell on fertile ground: the students immediately assessed the security of their banks' websites and informed their banks to report cases of inadequate security. In numerous instances, the banks listened to the students' feedback and promptly improved security. In some cases, it was as simple as fixing a typo by adding the critical "s" to complete the URL to "https" for the login page. In more difficult cases, students needed to convince the banks' security administrators that Javascript-based encryption loaded from a non-https page can be easily removed by a MitM attacker. In summary, educating a critical mass of students who further disseminate security knowledge can result in real improved security for everyone.

Together with student education, technology that provides the user with additional information for improved security decision making can also enhance security. To improve security for https sites with self-signed certificates, as well as detect numerous attacks on https sites using bogus certificates, Dan Wendlandt, Dave Andersen and I designed and built Perspectives, a Firefox plug-in that connects to notary servers to assist in validating https credentials ...
Improve SSL/TLS Security Through Education and Technology, Information Security Magazine, 10-8-09
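The notary idea the essay sketches, worked through as an added illustration (this is not Perspectives' own code or policy): each notary keeps a history of the key it has seen a host present, and the client accepts the key it was offered only when a quorum of notaries currently see the same key and have seen it for long enough. The Observation record, the quorum and min_days thresholds, and the four sample notary histories are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Observation:
    """One notary's record that `fingerprint` was served by the host over a date range."""
    fingerprint: str   # constructed placeholder digest of the server certificate/key
    first_seen: date
    last_seen: date


def current_fingerprint(history: List[Observation]) -> Optional[str]:
    """The key a notary currently sees: the observation with the latest last_seen."""
    if not history:
        return None
    return max(history, key=lambda o: o.last_seen).fingerprint


def days_observed(history: List[Observation], fingerprint: str) -> int:
    """Total days (inclusive) over which a notary has seen `fingerprint` for this host."""
    return sum((o.last_seen - o.first_seen).days + 1
               for o in history if o.fingerprint == fingerprint)


def check_key(client_fp: str,
              reports: Dict[str, List[Observation]],
              quorum: float = 0.75,
              min_days: int = 7) -> Tuple[str, dict]:
    """Compare the key the client was offered against what the notaries have seen.

    reports maps notary name -> that notary's observation history for the host.
    Verdicts:
      "no_data"     no notary has ever probed the host; nothing to corroborate
      "consistent"  at least `quorum` of notaries currently see client_fp and each
                    has seen it for at least `min_days` (a stable self-signed key passes)
      "too_new"     the quorum agrees on client_fp but the key only just appeared:
                    could be a legitimate rotation, could be a sustained MitM
      "mismatch"    the notaries do not corroborate client_fp: the client is being
                    shown a different certificate than the rest of the network sees
    """
    reporting = {n: h for n, h in reports.items() if h}
    if not reporting:
        return "no_data", {"agreeing": 0, "total": len(reports)}
    agreeing = [n for n, h in reporting.items() if current_fingerprint(h) == client_fp]
    # Notaries that could not reach the host count against the quorum, not for it.
    fraction = len(agreeing) / len(reports)
    seen_by: Dict[str, int] = {}
    for h in reporting.values():
        fp = current_fingerprint(h)
        seen_by[fp] = seen_by.get(fp, 0) + 1
    detail = {"agreeing": len(agreeing), "total": len(reports),
              "fraction": fraction, "majority": max(seen_by, key=seen_by.get)}
    if fraction < quorum:
        return "mismatch", detail
    detail["min_days_seen"] = min(days_observed(reporting[n], client_fp) for n in agreeing)
    if detail["min_days_seen"] < min_days:
        return "too_new", detail
    return "consistent", detail


# Constructed sample histories for one host, as four notaries might report them.
TODAY = date(2009, 10, 8)
K_STABLE = "sha1:1111111111111111111111111111111111111111"   # constructed digest
K_OTHER = "sha1:2222222222222222222222222222222222222222"    # constructed digest
_STABLE = Observation(K_STABLE, TODAY - timedelta(days=120), TODAY)
_ROTATED = Observation(K_OTHER, TODAY - timedelta(days=1), TODAY)

REPORTS_STABLE = {f"notary{i}": [_STABLE] for i in range(1, 5)}
REPORTS_ROTATED = {f"notary{i}": [Observation(K_STABLE, TODAY - timedelta(days=120),
                                               TODAY - timedelta(days=2)), _ROTATED]
                   for i in range(1, 5)}
REPORTS_SPLIT = {"notary1": [_ROTATED], "notary2": [_STABLE],
                 "notary3": [_STABLE], "notary4": []}


def demo() -> Dict[str, str]:
    """Run the situations the essay alludes to and return the verdict for each."""
    return {
        "stable_self_signed": check_key(K_STABLE, REPORTS_STABLE)[0],
        "client_sees_bogus_cert": check_key(K_OTHER, REPORTS_STABLE)[0],
        "recent_rotation": check_key(K_OTHER, REPORTS_ROTATED)[0],
        "split_view": check_key(K_OTHER, REPORTS_SPLIT)[0],
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:24s} -> {verdict}")
```

The "too_new" verdict is the interesting edge: a quorum agreeing on a key that appeared yesterday is exactly what a legitimate rotation and a network-wide interposition look like, so a client should treat it as a warning rather than a pass.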

Text of press release

Thursday, September 24, 2009

Carnegie Mellon's Capture the Flag Team Excels in Hackjam Competition



Our Hackjam will consist of 10 challenges which relate to Binary Analysis, Reverse Engineering, Exploitation, Web Security, Forensics, and all the other materials that are required to be a hacker. I can guarantee that these problems are not like other CTFs where they have to solve nonsense puzzles instead of true hacking. We tried to create challenges that greatly resemble real world scenarios and environments, at the same time adding fun and educational ingredients to them. Trust me, you won't regret it. Sapheads Hackjam


By Richard Power


Carnegie Mellon University's "Capture The Flag" (CTF) team, a.k.a. "Plaid Parliament Of Pwning", won third place in a recent Sapheads Hackjam competition.

CyLab researcher David Brumley, the team's faculty sponsor, provides some context: "Capture the Flag is a long running tradition at hacker conventions. It pits teams of security researchers against each other on the same network. There were 100 teams from all over the world, so this is quite an accomplishment. They were top in the US, and solved as many problems as the top two winners."

Brumley also cited CyLab's strong contribution to the success of the effort: "JongHyup is a visiting scholar at CyLab. Jiyong, Sang Kil, and Ed are all funded by CyLab, and CyLab provides resources and space for the team. Symantec, one of CyLab's corporate partners, was also a sponsor."

Here's the proud roster of Plaid Parliament Of Pwning:

Joseph Ceirante (MS, INI)
Jonathon Cooke (MS, INI)
Brian Pak (Undergrad, CSD)
Sang Kil Cha (MS ECE)
Jiyong Jang (PhD ECE)
JongHyup Lee (Postdoc, ECE)
Ed Schwartz (PhD ECE)
Andrew Wesie (Undergrad, CSD)

Here is my interview with the team.

CyBlog: Describe the nature of this particular CTF contest. And what level of teamwork was required?

Plaid Parliament Of Pwning: General format and rules were similar to other CTF contests, where we need to find a key string to proceed to the next stage. However, Sapheads – host of HackJam – claimed that they have differentiated their problem sets from others. Unlike usual CTF contests, they tried to relate problems to real world scenarios.
As problems got harder to solve, teamwork became more critical. The more brains that are coming up with ideas, the more successful you are going to be. It is possible for one person to do the entire competition, but doing it as a team is more effective and faster.

CyBlog: Give us an example or two of the kinds of problems you had to solve?

Plaid Parliament Of Pwning: Most of the problems required a mixture of several categories of techniques. These categories include binary reverse engineering/exploitation, web hacking, and forensics.
First, for an example of binary exploitation, we needed to exploit a binary with stack protection that was running on the target server. Specifically, it was checking the integrity of the stack.
Also, as an example of web hacking, we had to use XSS (Cross Site Scripting) and PHP code injection to access confidential data (in this case, the key phrase).
Third, we also had a forensics problem, where we needed to analyze captured network packets and extract various types of data, such as zip and VoIP, that give a hint for the password.

CyBlog: What was the most challenging problem you solved successfully and how did you do it?

Plaid Parliament Of Pwning: A problem that was both very interesting and challenging involved reconstructing an OpenSSH private key that was being used for public key authentication from the core dump of ssh-agent. This problem was unique because we weren't trying to exploit some bug or reverse a program, since it involved an open source program whose source code was readily available. Instead, it required you to be able to understand the source code quickly, relate it to what was in memory, and extract the information you needed.
Finding the key in memory wasn't too hard. You just needed to follow a couple of pointers and you were at the bytes you need. What made it difficult is the format the key was in: arrays of integers. How do a couple of arrays of integers represent the components of an encryption key? Thanks to the source code and Wikipedia, it was trivial to see that each array represented one big number. Then, after sifting through the OpenSSL source code, which is quite a mess, one can start to imagine how these integers end up representing some really big numbers. And then it is a simple matter of constructing a private key file. Though it was not easy to find documentation for the OpenSSH private keys. Thankfully, after some time, another open source program plus a little luck resulted in a working private key.
Moral of the story, and one that applies to the version of OpenSSH I looked at: letting a program that has your private keys core dump is a really bad idea.

CyBlog: What do such contests teach you about the nature of developing attacks and countermeasures?

Plaid Parliament Of Pwning: One of the ways that the problems got harder is that they started to implement some countermeasures against buffer overflow attacks. Obviously these countermeasures weren't perfect, but they definitely made it more challenging. And this is somewhat realistic: anyone with enough time and resources is going to find a way to break your system; the best you can do, for now, is to make it as difficult as you possibly can.

CyBlog: Do you discern any differences in style, skill levels, etc., between hackers from different countries or regions?

Plaid Parliament Of Pwning: What determines the style and skill level between hackers is their past experiences. While the country or region they are from can influence this, it definitely is not a major difference.

Thursday, September 17, 2009

Google Acquires ReCaptcha, Spin-Off Based on CyLab Research



"Google is the best fit for reCAPTCHA," von Ahn said. "From the very start, people often assumed the project was connected to Google, so it only makes sense that reCAPTCHA Inc. ultimately would find a home within Google." Reuters, 9-16-09


Once again, the fruits of research from within the creative matrix of Carnegie Mellon University CyLab have grabbed headlines across the mainstream, business and IT media; this time, it's Luis von Ahn and reCAPTCHA.

Here are a few excerpts from sample news stories, with links to the full texts:

Acknowledging once again that humans are better than computer algorithms at some tasks, Google said on Wednesday that it had acquired ReCaptcha, a start-up that grew out of a research project at Carnegie Mellon, for an undisclosed amount. New York Times, 9-16-09

"The words in many of the captchas provided by reCaptcha come from scanned archival newspapers and old books," wrote Luis von Ahn, co-founder of reCaptcha, and Will Cathcart, a Google product manager, in a blog post. "Computers find it hard to recognise these words because the ink and paper have degraded over time, but by typing them in as a captcha, crowds teach computers to read the scanned text. In this way, reCaptcha's unique technology improves the process that converts scanned images into plain text, known as Optical Character Recognition (OCR). This technology also powers large scale text scanning projects like Google Books and Google News Archive Search." Telegraph/UK, 9-17-09

Google says reCaptcha's technology can help it with some of its high-profile initiatives, like scanning books and newspapers to create searchable archives. As users type in the words, they help teach computers to read scanned text, improving computer accuracy when converting scanned images into plain text, a process known as optical character recognition.
"Having the text version of documents is important because plain text can be searched, easily rendered on mobile devices and displayed to visually impaired users," Google said in a blog post about the deal.
Wall Street Journal, 9-16-09

Google has no shortage of errors to correct. One of the company's Book Search engineers recently acknowledged that there are millions of errors in the metadata used to describe the books scanned for Google Book Search. No doubt the company's OCR output isn't perfect either.
But such problems look a lot less daunting when one can leverage CAPTCHA input to correct errors.
Information Week, 9-16-09

Tuesday, August 25, 2009

CUPS Director Lorrie Cranor Receives NSF Funding For Interdisciplinary Doctoral Program in Privacy and Security



Patrick Kelly of Tonawanda, N.Y., also said the new program will dovetail nicely with his privacy research. "I'm looking at how to improve the often arcane privacy policies all shoppers experience when surfing the Internet," said Kelly, a Ph.D. student at the Institute for Software Research in the School of Computer Science. "We would ultimately like to create a standard format for privacy rules."




Carnegie Mellon University’s Lorrie Cranor and her colleagues received a five-year, $3 million grant from the National Science Foundation (NSF) to establish a Ph.D. program in usable privacy and security.
“Carnegie Mellon’s CyLab Usable Privacy and Security (CUPS) Doctoral Training Program will offer Ph.D. students a new cross-disciplinary training experience that helps them produce solutions to ongoing tensions between security, privacy and usability,” said Cranor, associate professor in the Institute for Software Research, the Department of Engineering and Public Policy and Carnegie Mellon CyLab — one of the largest university-based cybersecurity education and research centers in the world.
Cranor said the CUPS doctoral training program is designed to give students both classroom learning as well as collaborative research training with teams of mentors from different disciplines, internships and summer seminars …
The new CUPS program funded through the NSF’s Integrative Graduate Education and Research Traineeship program is now available to Ph.D. students across the university, including the programs in Computation, Organizations and Society, Engineering and Public Policy, Human Computer Interaction, Computer Science, Electrical and Computer Engineering, and Public Policy and Management.
Core faculty in the program include Alessandro Acquisti, an assistant professor of information technology and policy in the H. John Heinz III College and CyLab researcher; Lujo Bauer, a research scientist with Carnegie Mellon CyLab and the Electrical and Computer Engineering Department; Nicolas Christin, associate director in the Information Networking Institute and CyLab researcher; Julie Downs, a research scientist in the Social and Decision Sciences Department; Jason Hong, an assistant professor in the Human Computer Interaction Institute; Norman Sadeh, a professor in the Institute for Software Research and CyLab researcher; and Marios Savvides, director of the Carnegie Mellon CyLab Biometrics Center and a research scientist in the Department of Electrical and Computer Engineering.

Full text of the press release

For more information

Some Related Posts

CyLab CUPS Researchers Release Study on SSL Warning Effectiveness

Reflections on SOUPS 2009: Between Worlds, Cultivating Superior Cleverness, Awaiting a Shift in Consciousness

CyLab's Cranor Publishes in Scientific American --"How to Foil Phishing Scams"

CyLab Research on the Cost of Reading Privacy Policies Makes Waves

CyLab Chronicles: Q&A with Lorrie Cranor

Sunday, August 16, 2009

Android Security, Naked Keystrokes, Selling Viagra, Crying Wolf & More! -- A Report from the 18th USENIX Security Symposium (Montreal, 2009)

Montreal Harbor, 1889


The city proper covers most of the Island of Montreal at the confluence of the Saint Lawrence and Ottawa Rivers. The port of Montreal lies at one end of the Saint Lawrence Seaway, which is the river gateway that stretches from the Great Lakes into the Atlantic Ocean. Montreal is defined by its location between the St. Lawrence River on its south and the Rivière des Prairies on its north. The city is named after the most prominent geographical feature on the island, a three-headed hill called Mount Royal, topped at 232 m above sea level. Wikipedia

Android Security, Naked Keystrokes, Selling Viagra, Crying Wolf & More! -- A Report from the 18th USENIX Security Symposium (Montreal, 2009)

By Richard Power


The 18th USENIX Security Symposium was held in Montreal, Quebec (August 10-14, 2009). This conference always provides an excellent opportunity to catch up on the thinking of some impressive minds and delivers the most technical content of all the major security-focused IT conferences.

USENIX distinguishes itself by being a non-profit organization, and acting like one. Seventy-nine students were given stipends to attend this year’s Security Symposium, at a cost of approximately $100,000. This is how USENIX spent the contributions of its sponsors, as well as a significant chunk of its own funds. None of the commercial conferences can lay claim to any such altruism.

I asked legendary ;login: editor Rik Farrow (well, he is the Editor, and has kept up the publication’s high standards for many years, enough to qualify as a legend in this field, and yes, he is my friend) how he would distinguish the USENIX Security Symposium from the other major cyber security conferences.

“USENIX Sec is one of four top tier security research conferences, and certainly my favorite because accepted papers must include an implementation. So this goes well beyond theory.”

Rich Cannings, Android Security Leader at Google, delivered the keynote, “Securing a Mobile Platform from the Ground Up.”

Here are my notes from the talk --

Cannings started off by breaking down the numbers:

-- 6.77 billion human beings on the planet.
-- 1.48 billion Internet-enabled PCs
-- 4.10 billion mobile phones, with a 12-18 month average replacement rate.
-- 1 billion mobile phone purchases per year

“And 13.5% of them are smart phones. This number will soon compare with the number of Internet enabled PCs, and they will become major security targets.”

Next, Cannings gave some background on Android:

Google’s Android is a free, open source mobile platform, intended to “empower both users and developers.”

It has a Linux kernel. It relies upon 90+ open source libraries (e.g., SQLite for structured data storage, OpenSSL, etc.). It supports common codecs for sound, images, etc.

Android is also “designed to protect battery life.”

Developers don’t understand battery life
Users do.

In outlining Google’s security philosophy in regard to Android, Cannings articulated some of the premises with which they approach the issue:

-- Finite time and resources
-- Humans have difficulty understanding risk
-- Safer to assume that most developers do not understand security
-- Most users do not understand security

The cornerstones of the Android security philosophy, as formulated by Cannings, emphasize some basic needs:

-- Need to prevent security breaches from occurring
-- Need to detect them when they occur
-- Need to minimize their impact
-- Need to react swiftly to both vulnerabilities and breaches

Cannings went on to explore each of these elements as they came into play in the development, roll-out and support of Android.

No one with serious experience in cyber security could argue with Cannings’ guiding principle: “Security is an ongoing process, not a checkbox.”

But of course, Android means “five million lines of new code,” utilizing, as I mentioned earlier, roughly one hundred open source libraries. And since Android is open source, Cannings remarked, it “can’t rely on obscurity.”

There are tremendous challenges ahead.

Farrow elaborates.

“I liked the keynote, as I am very concerned about the security of mobile devices. The obvious trend is for people to use their smart phones as their primary method for interacting with the Internet, and I would love to see the security of phone software fare MUCH better than Windows has in this area. Rich Cannings did a good job of describing the Android security model, but I was left feeling that there are real weaknesses in the Android security model largely because the Android team is being rushed, and layering their security on top of ancient UNIX security features. The notion of relying on users to permit applications based on the number and importance of privileges required is flawed, as most people make poor security decisions (and there is lots of research to back this up).

“Android does present a chance to create a secure environment,” Farrow adds, “but it must also satisfy both developers and users if it is to be successful.”

The program committee received one hundred seventy submissions for this year’s Symposium; only twenty-six papers were accepted.

Martin Vuagnoux and Sylvain Pasini of LASEC/EPFL received an “Outstanding Paper” award for “Compromising Electromagnetic Emanations of Wired and Wireless Keyboards.” These students cobbled together a system capable of converting broad spectrum radio emissions of keyboards into actual keystrokes.

Roxana Geambasu, Tadayoshi Kohno, Amit A. Levy, and Henry M. Levy of the University of Washington also received an “Outstanding Paper” award for “Vanish: Increasing Data Privacy with Self-Destructing Data.”

Carnegie Mellon University was represented by Joshua Sunshine, who presented “Crying Wolf: An Empirical Study of SSL Warning Effectiveness,” headline-grabbing research conducted with Serge Egelman, Hazim Almuhimedi, and Neha Atri, under the guidance of Lorrie Cranor, Director of CyLab’s Usability of Privacy and Security Lab.

Of course, CyBlog covered this compelling research recently, when the story broke. (See CyLab CUPS Researchers Release Study on SSL Warning Effectiveness)

CyLab corporate partners can read my full report on the 2009 USENIX Security Symposium, including my notes on Vern Paxson's “How the Pursuit of Truth Led Me to Selling Viagra” and my interview with Metricon 4.0 chair Jennifer Bayuk, in the Intelligence Briefing section of the CyLab partners-only portal.

Sunday, August 9, 2009

Report from An Ancient Future: Auspicious Day of Celebration for the 7th Graduating Class of Carnegie Mellon’s Silicon Valley Campus



“Over the next twenty, thirty, forty years, when the Carnegie Mellon leadership looks back at this campus, and at 2008 … Sometimes, when you look back at a decision, you say, ‘What was I thinking when I did this?’ But with this decision people are going to look back, and say, ‘Was the person a genius who did this?’ That is the kind of impact this campus is going to create.” Pradeep Khosla, 8-7-09

Report from An Ancient Future: Auspicious Day of Celebration for the 7th Graduating Class of Carnegie Mellon’s Silicon Valley Campus

By Richard Power


For the ancient Greek philosopher Pythagoras, all the numbers were sacred and carried spiritual meaning, but he considered seven the “perfect number,” because it contained both the triangle and the square; and he saw it as the basis for his “Music of the Spheres.” Down through history, from pagan pantheons of pre-Christian Europe to the pages of Genesis, from the fortune-tellers of the Roma to the blues artists of the Mississippi Delta, and from the symbolism of the Masons to the gaming tables from Monaco to Macau, seven has been known as a “lucky number.”

So it is not surprising, and certainly worthy of note that the circumstances surrounding the seventh graduating class of Carnegie Mellon’s Silicon Valley campus strike the careful observer as particularly auspicious.

Consider the perspective of Pradeep Khosla, Dean of the College of Engineering and founder of Carnegie Mellon CyLab, shared with over one hundred Silicon Valley alumni at a gathering on the eve of the graduation ceremony.

“Even though it is just only one building, a very small campus in relation to Pittsburgh, but nonetheless, it is a high-impact campus. The people that come here as students are typically non-traditional students; these are not typically 22-year-old students coming here to get their Master’s, these are people of experience, with a clear zeal for what they do, and a clear goal for what they want to accomplish.

“Over the next twenty, thirty, forty years, when the Carnegie Mellon leadership looks back at this campus, and at 2008 … Sometimes, when you look back at a decision, you say, ‘What was I thinking when I did this?’ But with this decision people are going to look back, and say, ‘Was the person a genius who did this?’ That is the kind of impact this campus is going to create.”

“Over the last year and a half, several changes have happened: there are several new programs on this campus, instead of just being a part-time evening campus, there are full-time programs. Now if you come here during the day you see people running around … there is a new, state-of-the-art distance learning class-room that has been built, and two more are going to be built. These changes are all coupled to our vision of being an international campus … We have several international locations – Portugal, Greece, Japan, Korea, Australia, and right now we are working on a project for Africa, in Rwanda. I look at this campus as one of the transit points, one of the stations that many of our international students will visit during their two years in our international programs. There is no better place than Silicon Valley to show the world what America is all about, what entrepreneurship is all about, what a can-do culture is all about. This campus really epitomizes that.”

Martin Griss, who has taken over as Director of the Silicon Valley Campus, added some granularity to the bold strokes of Dean Khosla’s vision:

“We have started a full-time software engineering program. Tomorrow we will graduate nine students who are part of our full-time program. We will graduate 44 part-time students. The incoming class is really exciting. We will have 21 full-time students, and seventy-one part-time students. We have started a PhD. program, which is a bi-coastal with ECE – something we have already wanted to have. We will have 8 PhD. students by December.”

“What I see as our mission moving forward is to continue strengthening and growing education, it’s doing great but we want to expand it, while building up research even more, we have a good research program, which started in Mobility last year, and we want to do more in that area, and we are particularly excited about growing entrepreneurship outreach, growing the program both inside the campus and connecting more to Silicon Valley.”

In their remarks, both Khosla and Griss honored founder Jim Morris.

Khosla described Morris’ effort as “revolutionary and impactful.”

Griss added, “When Jim started there was nothing here but his vision.”

Underscoring the theme of Carnegie Mellon’s commitment to globalism, Mara Barker, Director for Regional Programs, Alumni Relations, spoke of the Multidimensional Global Perspective:

“We have campuses and programs all over the world, but it is more than that. We have faculty and students from all over the world. And when you mix global campuses, global students, global faculty and global research, you have global impact. That is something quite powerful and wonderful that many universities don’t have.”

The graduation ceremony was held in a large white tent on a grassy field, under yet another azure sky. Over 45 students from 10 countries stepped to the stage to receive their hard-earned diplomas. They were led to the ceremony by a bagpiper in a kilt.

The precise historical origin of the bagpipe is as yet undetermined; it began to appear in the iconography of Europe early in the second millennium, and bagpipes are mentioned in the Canterbury Tales, i.e., approximately 1380 (although it is quite possible that the instrument is as ancient as the Pythagorean science of numbers).

However they found their way into this world, whenever they are heard, they have a powerful effect on the listener. The stirring sound of the bagpipe is an integral element of formal occasions within the Carnegie Mellon University tradition, reflecting the influence of Andrew Carnegie’s Scottish roots. (Indeed, Carnegie Mellon is one of the few universities in the U.S. to offer a degree in bagpipes.)

The keynote speaker for the graduation ceremony was Liz King, a Vice-President and General Manager for Hitachi.

“Throughout her career,” Griss said in his introduction, “she has been responsible for building relationships with strategic alliance partners on a global basis, and for leveraging those relationships to drive new growth of both existing and new markets and has successfully assisted companies in world-wide strategies and international business development.”

King shared some insights from her rich experience, exhorting the graduates to cultivate both a strong network of colleagues and a fiercely open mind:

“A deep and active people network will provide you with a dazzling array of opportunities and choices.”

“The best way to cope with this chaotic world is to have an open mind. Conscious or unconscious constraints on how we view ourselves, our employers, our products and our competitors, everything needs to be critically examined on a real-time basis.”

But King also cautioned against trying to be successful running 20th Century strategies in a 21st Century world:

“How do you navigate through this dynamic high-tech world? Years ago, when the world was much more linear, the conventional wisdom was to set specific goals and manage to them. Well, anyone with a pulse-rate over 50 knows today life outcomes are more closely modeled by quadratic equations and pathways that look more like a strand of DNA than a straight line. The modern world is anything but linear, so stay in friendly relationship with that fact. Why don’t you replace the goal orientation with the vector orientation. Go ahead and set your goals, but detach from the outcomes, and focus on the vector, the path … For every one goal you would like to achieve there exist many others of equal or greater value that you can’t even imagine.”

Ray Bareiss, Director of Educational Programs, presented two of the graduating students with awards.

Alok Rishi received the Dean’s Return on Education Award:

“Having worked for Sun Microsystems for 19 years, this year’s recipient of the Return on Education Award joined the Carnegie Mellon Software Management program, seeking to ‘step out of his comfort zone.’ Shortly after enrolling in the program, he was able to gain the skills and confidence to begin thinking and behaving like a leader. His actions were clearly recognized by his global peer group of 1,500 engineers at Sun, who nominated him to be Principal Engineer. But he didn’t stop there … he left Sun after nearly 21 years to start Yunteq, a software company developing key enabling technology for Cloud computing … By continuing to tell his own story of transformation to his peers, he hopes to inspire others to make similar changes in their own professional lives.”


Daniel Maycock received the Outstanding Service Award:

“Dan has been a great ambassador for Carnegie Mellon at Boeing in Washington State and tirelessly worked to help us set up information sessions, promote our programs, and connect with the larger Boeing community ... He serves as an admissions ambassador, speaking with prospective students and answering questions about the Master’s degree program and curriculum … His enthusiasm for the school and for his program is contagious and generates excitement among his classmates and colleagues, several of whom have applied to the program as a direct result of his outreach.”
Here are some of the many faces of this year’s graduating class, the seventh in the young life of Silicon Valley. Many of you will soon be hearing their names, investing in their ideas, leveraging their work, and vying for their vision, energy and skills.

They are after all the sons and daughters of the seventh year.




Monday, August 3, 2009

CyLab CUPS Researchers Release Study on SSL Warning Effectiveness



"People get pop-ups in their browsers and they say something about security and they don't know what they are, so they swat them away," said Lorrie Cranor, associate professor of computer science and engineering at Carnegie Mellon. "Nothing bad happened before and they think nothing bad will happen again." ABC News, 7-30-09



CyLab CUPS Researchers Release Study on SSL Warning Effectiveness

Josh Sunshine will be presenting the paper Crying Wolf: An Empirical Study of SSL Warning Effectiveness at the USENIX 2009 Security Symposium.

Co-authored with Serge Egelman, Hazim Almuhimedi, Neha Atri, and Lorrie Faith Cranor, Crying Wolf is another compelling example of how Carnegie Mellon University CyLab is helping to both frame the dialogue and deliver the goods on how best to raise awareness and deliver effective user education:

We conducted a survey of over 400 Internet users to examine their reactions to and understanding of current SSL warnings.
We then designed two new warnings using warnings science principles and lessons learned from the survey … Our results suggest that, while warnings can be improved, a better approach may be to minimize the use of SSL warnings altogether by blocking users from making unsafe connections and eliminating warnings in benign situations.
Crying Wolf: An Empirical Study of SSL Warning Effectiveness

Dr. Cranor, Director of the CyLab Center for Usable Privacy and Security (CUPS), was quoted in several news media stories breaking the study’s results.

Here is a sampling with links to the full texts:

After studying the behavior of more than 400 Internet users, Carnegie Mellon University computer researchers concluded that because users encounter so many pop-up warnings in benign situations, they have become immune to the messages … "People get pop-ups in their browsers and they say something about security and they don't know what they are, so they swat them away," said Lorrie Cranor, associate professor of computer science and engineering at Carnegie Mellon. "Nothing bad happened before and they think nothing bad will happen again." ABC News, 7-30-09

“The big takeaway is that computer security warnings are not an effective way of addressing computer security,” study researcher and co-author Lorrie Faith Cranor, an associate professor of computer science, engineering and public policy at Carnegie Mellon University, told SCMagazineUS.com on Tuesday. “People don't read warnings and don't understand them when they do read them” … In addition, researchers also surveyed experts – those with an IT-related degree, computer security work experience or programming knowledge – to see if they would behave any differently when receiving a warning. Researchers found that even experts often ignored the warnings, indicating that the system of relying on warnings to communicate computer security risks is “fundamentally broken,” Cranor said. SC Magazine, 7-28-09

"Everyone knew that there was a problem with these warnings," said Joshua Sunshine, a Carnegie Mellon graduate student and one of the paper's co-authors. "Our study showed dramatically how big the problem was." … They found that people often had a mixed-up understanding of certificate warnings. For example, many thought they could ignore the messages when visiting a site they trust, but that they should be more wary at less-trustworthy sites. "That's sort of a backwards understanding of what these messages mean," Sunshine said. "The message is validating that you're visiting the site you think you're visiting, not that the site is trustworthy." Computerworld, 7-24-09

Friday, July 31, 2009

From Parking Meters to the Cloud, from SMS to Smart Grids ... Is Everything Broken? -- Report from Black Hat Briefings (Las Vegas 2009)

Las Vegas Strip at Night from the International Space Station (NASA)

Seem like every time you stop and turn around
Something else just hit the ground
Broken cutters, broken saws,
Broken buckles, broken laws,
Broken bodies, broken bones,
Broken voices on broken phones.
Take a deep breath, feel like you're chokin',
Everything is broken
– Bob Dylan


From Parking Meters to the Cloud, from SMS to Smart Grids ... Is Everything Broken? -- Report from Black Hat Briefings (Las Vegas 2009)

-- Richard Power


From legendary billionaire Howard Hughes to legendary Gonzo journalist Hunter Thompson, Las Vegas has worked its strange magic on many talented people, including cyber security conference entrepreneur Jeff Moss. Back in 1993, Moss held the first DEFCON hackers convention in Las Vegas, and a few years later, in 1997, spun off Black Hat Briefings, which has, arguably, become what its hype trumpets, the "world's premier technical security conference." And although Black Hat now goes on tour to Tokyo, Amsterdam and Washington, D.C., Las Vegas is still home to the main event, both for DEFCON and Black Hat.

Robert Lentz, Chief Security Officer for the US Department of Defense, was one of Black Hat's 2009 keynote speakers. Lentz articulated the goal of a "resilient cyber eco-system." Lentz cited the need for "culture changing in cyberspace." He stressed the role of education in achieving this goal, citing not only the CAE but also the U.S. Cyber Challenge and the DC3 Digital Forensics Challenge. He even alluded to the green movement, and the passion it evoked, and called for "a cyber-green movement." "That is something we could all rally around," he added. It was encouraging to hear the bold vision and the high values, but of course when working within an entity as huge, complex and long-established as the US federal government, delivering is the challenge.

The sessions in the body of this year's Briefings ranged over attacks on everything from SMS to "the Smart Grid," and from parking meters to "the Cloud."

Dan Kaminsky, a cyber security researcher who typically breaks news at Black Hat, not only broke news this year (see Kaminsky reveals key flaws in X.509 SSL certificates at Black Hat) but was himself breaking news this year:

Two noted security professionals were targeted this week by hackers who broke into their web pages, stole personal data and posted it online on the eve of the Black Hat security conference.
Security researcher Dan Kaminsky and former hacker Kevin Mitnick were targeted because of their high profiles, and because the intruders consider the two notables to be posers who hype themselves and do little to increase security, according to a note the hackers posted in a file left on Kaminsky’s site.
The files taken from Kaminsky’s server included private e-mails between Kaminsky and other security researchers, highly personal chat logs, and a list of files he has purportedly downloaded that pertain to dating and other topics.
Wired, 7-29-09

Carnegie Mellon CyLab's Alessandro Acquisti spoke on his team's recent headline-grabbing revelation on the accuracy of predicting Social Security numbers using publicly available information.

Acquisti's message --

The vulnerability presented here is not based on some secret bug hidden inside some software. It is based purely on publicly available data. This reflects the unexpected/unintended consequences of the interaction of complex information systems (i.e., combination of SSN issuance patterns, SSDI, EAB, SSNVS, and availability of personal information) and highlights the need to think past SSNs as authenticators.

(For more on this research, see There is an Elephant in the Room; & Everyone’s Social Security Numbers are Written on Its Hide.)

Moxie Marlinspike offered "More Tricks for Defeating SSL."

His conclusions --

We have a MITM attack that will intercept communication for almost all SSL/TLS implementations.
In the case of NSS (Firefox, Thunderbird, Evolution, AIM, Pidgin) we only need a single certificate.
We've defeated the OCSP protocol as implemented.
We've hijacked the Mozilla auto-updates for both applications and extensions.
We've got an exploitable overflow.
In short, we've got your passwords, your communication, and control over your computer.


(Marlinspike recently spoke at CyLab, see CyLab Seminar Series Notes: The Evolution of A Hacking Tool, Moxie Marlinspike on SSLstrip)

There were two other sessions that I found particularly interesting: Nathan Hamiel and Shawn Moyer on “Weaponizing the Web -- More Attacks on User-Generated Content," and Cormac Herley and Dinei Florencio on “Economics and the Underground Economy.” More on them can be found in my full report on Black Hat, available only to CyLab partners in the Intelligence Briefing section of the partners-only portal.

I will also have more to say about Black Hat 2009 as well as the upcoming USENIX Security Symposium in my article for CSO Magazine (August 2009).

Wednesday, July 22, 2009

CyLab News: CyLab & INI Host Information Assurance Capacity Building Program to Boost Nation’s Cyber Security


"As one of the nation's largest cybersecurity research and education centers, Carnegie Mellon CyLab can offer a wealth of highly relevant topics and research findings to the faculty who engage in the IACBP," said Virgil Gligor, co-director of Carnegie Mellon CyLab, a multidisciplinary research center pioneering development of leading-edge cybersecurity tools.

CyLab News: CyLab & INI Host Information Assurance Capacity Building Program to Boost Nation’s Cyber Security

Carnegie Mellon University's CyLab and its Information Networking Institute (INI) are hosting six faculty members for the seventh annual federally funded Information Assurance Capacity Building Program (IACBP) through July 24.

"This comprehensive program is designed to foster outstanding programs that support the nation's cybersecurity needs and educate future information security leaders and faculty," said Dena Haritos Tsamitis, INI director and director of education, training and outreach for Carnegie Mellon CyLab.

This year, select faculty will spend two weeks participating in a combination of lectures and lab exercises designed to help them develop cutting-edge curricula to educate tomorrow's information security leaders.

"It's been so helpful because we are learning how to simulate situations on the Internet, which helps us convey complex information to our classes," said Gail Finley, an associate professor in the Computer Science Department at the University of the District of Columbia in Washington, D.C.

Thorna Humphries, associate professor in the Department of Computer Science at Norfolk State University in Norfolk, Va., said the program is outstanding because it gives participants insight into the future. "We've been exposed to everything from cryptography to secure software," she said. Other 2009 participants come from Hampton State University and Bowie State University.

Humphries and Finley join 36 other faculty members from 11 academic institutions that have participated in the IACBP. Since 2002, more than $1.1 million has gone toward the IACBP, which is designed to guide faculty from minority-serving institutions, including Historically Black Colleges and Hispanic-Serving Institutions, to develop curricula with academic enrichment from Carnegie Mellon CyLab and the INI.

"As one of the nation's largest cybersecurity research and education centers, Carnegie Mellon CyLab can offer a wealth of highly relevant topics and research findings to the faculty who engage in the IACBP," said Virgil Gligor, co-director of Carnegie Mellon CyLab, a multidisciplinary research center pioneering development of leading-edge cybersecurity tools.

Tsamitis said the combined efforts of Carnegie Mellon and the program participants will ultimately translate into new courses and educational initiatives at the participating institutions. In the past seven years, program participants have created 11 new courses, seven new degree options and 14 certificate programs, workshops and symposia.

"Programs such as the IACBP are designed to strengthen information assurance education at campuses nationwide," said Tsamitis, who was instrumental in gaining recognition for the university at an awards ceremony in Seattle, Wash., where Carnegie Mellon was re-designated as a National Center of Academic Excellence in Information Assurance Education and designated for the first time as a Center for Academic Excellence in Research.

The National Security Agency and the Department of Homeland Security jointly sponsor the National Centers of Academic Excellence programs. This partnership was formed in 2004 to protect the nation's critical infrastructures, which are essential to maintaining a strong economy and our national security.

Friday, July 17, 2009

Reflections on SOUPS 2009: Between Worlds, Cultivating Superior Cleverness, Awaiting a Shift in Consciousness



"Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction." -- Albert Einstein

Reflections on SOUPS 2009: Between Worlds, Cultivating Superior Cleverness, Awaiting a Shift in Consciousness

-- Richard Power


The success of the fifth annual Symposium on Usable Privacy and Security (SOUPS) -- more papers submitted than ever before, more papers accepted than ever before, more attendees registered than ever before -- is an affirmation of the usability concept and its vital role in the development of security and privacy strategies.

On the third and final day of SOUPS 2009, Lorrie Cranor, the driving force behind both SOUPS and the CUPS from whence it poured, was unable to attend the morning session; she was across town, keynoting on "Teaching Johnny Not to Fall for Phish" at the Sixth Conference on E-Mail and Anti-Spam.

The research of Cranor and her CUPS colleagues demonstrates that user education can indeed play a critical role in the fight against phishing, etc., IF the tools utilized are engaging, enlightening and designed to exploit the "teachable moment." It has also led to the formation of Wombat Security Technologies.

In the technical paper session on Passwords and Authentication, Alexander De Luca of the Media Informatics Group at University of Munich presented Look into my Eyes! Can you guess my Password?, co-authored with his University of Munich colleagues Martin Denzel and Heinrich Hussmann.

In the same session, Stuart Schechter of Microsoft presented 1 + 1 = You: Measuring the comprehensibility of metaphors for configuring backup authentication, co-authored with his Microsoft colleague, Robert Reeder.

The work of De Luca, Denzel and Hussmann explored the potential of having users authenticate themselves, particularly at terminals in public places, by drawing shapes with their eyes.

The work of Schechter and Reeder explored the issues involved in user-chosen challenge questions (e.g., the kind you answer when you've lost your password or user ID in Hotmail or Gmail), and showed that somewhat better results were achieved if the user had to take an exam and get a passing grade.

These and other presentations I attended were fascinating.

Our problem is, however, that the challenge in cyber security and privacy is not one of cleverness, but one of consciousness.

We are still between worlds, really.

The Information Age that Alvin Toffler heralded as the "Third Wave" has already broken over our heads, it has already swept us away; but, in many ways, our minds are still on the shore, or reaching back toward the shore, wanting somehow, impossibly, to take it with us.

In the 1990s, the news was that the perimeter between the network and the Internet no longer existed. Here and now, at the end of the first decade of the 21st Century, the news is that the perimeter between the mind and the World Wide Web is gone.

The implications are profound.

Some months ago, at dinner with a colleague from inside the US intelligence community's own attempt to comprehend this Brave New World, we discussed these issues at great depth, and both came to the same conclusion: most of the human race will not recognize the world in which they live and work even as soon as ten years from now.

Most of what we are trying to accomplish in cyber security and privacy is based on a paradigm that has been eclipsed; no, not an IT-related paradigm, an old paradigm of the human psyche and its relationships to both the natural world and the digital world, and the interpenetration of all three.

There is something profoundly new coming in the realm of cyber security and privacy.

You and I will recognize it when we see it because not only will we not have seen it before, but it will also change the way we perceive problems and approach solutions.

It may well come from such academic research. That's why participating in conferences such as SOUPS is of great importance.

But it will not reflect superior cleverness, it will signal a shift in consciousness.

Of course, meanwhile, we must rely on superior cleverness, and that too is a reason to participate in SOUPS, etc.

For more commentary on SOUPS 2009, go to the CUPS Blog.

Speaking of which, I will be blogging from Black Hat later this month and from the USENIX Security Symposium in August. Stay tuned.

Summary of SOUPS 2009 Posts:

Reflections on SOUPS 2009: Between Worlds, Cultivating Superior Cleverness, Awaiting a Shift in Consciousness

SOUPS 2009 Mental Models Session: Study Demonstrates that Pursuit of Seamless Security can Lead to New Dangers, Particularly for Mobile Users

SOUPS 2009 Best Paper Award Goes to "Ubiquitous Systems and the Family: Thoughts about the Networked Home"

SOUPS 2009 Tutorial Explores Challenges of Evaluating Usable Security and Privacy Technology

CUPS Related Posts:

CyLab Seminar Series Notes: User-Controllable Security and Privacy -- Norman Sadeh asks, "Are Expectations Realistic?"

CyLab Research Update: Locaccino Enables the Watched to Watch the Watchers

CyLab Chronicles: Wombat, the Latest CyLab Success Story

CyLab Chronicles: Q&A w/ Norman Sadeh

CyLab Chronicles: Q&A w/ Lorrie Cranor

Culture of Security: CUPS Research Takes on Both Widespread Attack Method & Dangerous Meme (Available to Cylab Partners Only)

Thursday, July 16, 2009

SOUPS 2009 Mental Models Session: Study Demonstrates that Pursuit of Seamless Security can Lead to New Dangers, Particularly for Mobile Users



"The Windows Vista personal firewall provides its diverse users with a basic interface that hides many operational details. However, concealing the impact of network context on the security state of the firewall may result in users developing an incorrect mental model of the protection provided by the firewall." Fahimeh Raja, University of British Columbia

SOUPS 2009 Mental Models Session: Study Demonstrates that Pursuit of Seamless Security can Lead to New Dangers, Particularly for Mobile Users

Paul Van Oorschot of Carleton University in Ottawa chaired the Mental Models session.

Fahimeh Raja of University of British Columbia (Vancouver) presented Revealing Hidden Context: Improving Mental Models of Personal Firewall Users, co-authored with her colleagues, Kirstie Hawkey and Konstantin Beznosov.

The goal of the study was to investigate the impact of adding contextual information to the Vista Firewall Basic Interface. The researchers looked at the impact of Vista Firewall functionality on users' mental models, as well as the impact of Vista Firewall configuration on users' understanding.

"The Windows Vista personal firewall provides its diverse users with a basic interface that hides many operational details. However, concealing the impact of network context on the security state of the firewall may result in users developing an incorrect mental model of the protection provided by the firewall."

Raja and her colleagues determined that because the security technology makes changes in the users' security state, it is important to somehow communicate these changes to users; "otherwise, these users can be left in dangerous situations; for example, only protected in the current network context but believing themselves to be protected for future network contexts."

Users could think that their firewall was turned on when it was turned off, or conversely, that their firewall was turned off when it was turned on.

"Users need to understand the effect of the configuration on the system's security state. We argue as users become more mobile, it is increasingly important to understand the security state for both current and future contexts of use."

They concluded that the design of the Vista Firewall Basic Interface does not provide enough context for mobile users. If unaware that configuration changes apply only to the current network location, users may be left with dangerous misconceptions. The researchers also concluded that users' mental models can be supported by revealing context.

The implication of this study is important: it may be possible to balance complexity and security, hiding operational detail without hiding the state that matters.
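The failure mode Raja and her colleagues describe, protected in the current network context but not in the next one, can be checked directly on a Windows machine. The following script is an added example, not code from the SOUPS paper or from the original post. It assumes the English-language output of netsh advfirewall, which is present on Vista and later, and it shows every profile's firewall state next to the one profile the Basic Interface actually reflects:

```powershell
# Added example (not from the SOUPS paper or the original post): list the
# Windows Firewall state for every network profile, not only the active one,
# and flag the gap the study describes (ON here, OFF in another context).
# Assumes English-language output from "netsh advfirewall" (Vista and later).

function Get-FirewallStatePerProfile {
    # Parses "netsh advfirewall show allprofiles state" into
    # a hashtable: profile name (Domain/Private/Public) -> 'ON' or 'OFF'.
    $states  = @{}
    $current = $null
    foreach ($line in (netsh advfirewall show allprofiles state)) {
        if ($line -match '^(?<profile>\w+) Profile Settings:') {
            $current = $Matches.profile
        }
        elseif ($current -and $line -match '^State\s+(?<state>ON|OFF)\s*$') {
            $states[$current] = $Matches.state
            $current = $null
        }
    }
    return $states
}

function Get-ActiveFirewallProfiles {
    # The profile(s) that apply to the network(s) the machine is on right now.
    # This is the only state the Basic Interface shows the user.
    $active = @()
    foreach ($line in (netsh advfirewall show currentprofile state)) {
        if ($line -match '^(?<profile>\w+) Profile Settings:') {
            $active += $Matches.profile
        }
    }
    return $active
}

$perProfile = Get-FirewallStatePerProfile
$active     = @(Get-ActiveFirewallProfiles)

Write-Host "Active network profile(s): $($active -join ', ')  (the only state the basic UI reflects)"
foreach ($p in ($perProfile.Keys | Sort-Object)) {
    $tag = if ($active -contains $p) { 'active now' } else { 'not active' }
    Write-Host ("  {0,-8} {1,-4} ({2})" -f $p, $perProfile[$p], $tag)
}

# Case 1: unprotected right now, whatever the user believes.
$offActive = @($active | Where-Object { $perProfile[$_] -eq 'OFF' })
if ($offActive.Count -gt 0) {
    Write-Warning "Firewall is OFF for the active profile(s): $($offActive -join ', ')"
}

# Case 2: the study's hidden-context problem. The setting the user changed in
# the Basic Interface applied to the current profile only; other profiles are
# still OFF and will take effect silently on the next network the machine joins.
$offInactive = @($perProfile.Keys | Where-Object {
    $perProfile[$_] -eq 'OFF' -and $active -notcontains $_ })
if ($offInactive.Count -gt 0) {
    $msg = "Firewall is OFF for profile(s) not active now: $($offInactive -join ', '). " +
           "A change made in the basic interface applies to the current profile only, " +
           "so this machine will be unprotected when it joins a network classified under one of those profiles."
    Write-Warning $msg
}

# Remediation that holds across contexts rather than only the current one:
#   netsh advfirewall set allprofiles state on
```

Run it once on a home network and once on a corporate or public one and the per-profile column is what the Basic Interface hides. On Windows 8 / Server 2012 and later the same check can be done with Get-NetFirewallProfile (Name and Enabled) together with Get-NetConnectionProfile for the active category; those cmdlets are not available on Vista, which is why the example stays with netsh.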

Two other papers were presented in this session:

Andrew Besmer of University of North Carolina (Charlotte) presented Social Applications: Exploring A More Secure Framework, a paper co-authored with colleagues Heather Richter Lipford, Mohamed Shehab and Gorrell Cheek, also from the Department of Software and Information Systems.

Ponnurangam Kumaraguru of Carnegie Mellon University CyLab presented School of Phish: A Real-World Evaluation of Anti-Phishing Training, a paper co-authored with fellow Carnegie Mellon researchers Justin Cranshaw, Alessandro Acquisti, Lorrie Cranor, Jason Hong, Mary Ann Blair and Theodore Pham.

Some Related Posts:

SOUPS 2009 Best Paper Award Goes to "Ubiquitous Systems and the Family: Thoughts about the Networked Home"

SOUPS 2009 Tutorial Explores Challenges of Evaluating Usable Security and Privacy Technology

CyLab Seminar Series Notes: User-Controllable Security and Privacy -- Norman Sadeh asks, "Are Expectations Realistic?"

CyLab Research Update: Locaccino Enables the Watched to Watch the Watchers

CyLab Chronicles: Wombat, the Latest CyLab Success Story

CyLab Chronicles: Q&A w/ Norman Sadeh

CyLab Chronicles: Q&A w/ Lorrie Cranor

Culture of Security: CUPS Research Takes on Both Widespread Attack Method & Dangerous Meme (Available to Cylab Partners Only)

For further commentary on SOUPS 2009, go to the CUPS Blog.

-- Richard Power