Thursday, October 8, 2009

CyLab Technical Director Adrian Perrig Wins Information Security Magazine 2009 "Security 7" Award

"Professor Perrig is being recognized for attacking future threats by designing systems that cut down on user error." Michael Mimoso, Editor, Information Security Magazine

Carnegie Mellon CyLab's Adrian Perrig was awarded a Security 7 Award from Information Security magazine for innovative cybersecurity research in academia.

Perrig, Technical Director of Carnegie Mellon CyLab, is also a professor in the departments of Electrical and Computer Engineering and Engineering and Public Policy, and the School of Computer Science. He will be recognized in the magazine's October issue. This is the fifth year of the awards program, which drew more than 150 nominations throughout North America.

"I am deeply honored by this award because it demonstrates the important contributions under way by academic researchers in critical areas of security decision-making and novel technologies designed to protect users from cyber attacks," Perrig said.

Michael S. Mimoso, editor of the Massachusetts-based Information Security magazine, said the awards recognize the achievements of security practitioners and researchers in a variety of industries, including education. "Professor Perrig is being recognized for attacking future threats by designing systems that cut down on user error," said Mimoso, a 2007 fellow at Carnegie Mellon's Information Technology Media Fellowship Program supported by the university's College of Engineering.

This year's other recipients include Jerry Freeze, Director of IT Security Engineering for American Electric Power (Utilities), Melissa Hathaway, Former Acting Senior Director for Cyberspace for the National Security Council (Government), Bruce Jones, CISO, Kodak (Manufacturing), Jon Moore, CISO, Humana, Inc. (Healthcare), Bernie Romaniski, IT Security Officer, Regis Corp. (Retail), and Tony Spinelli, CSO, Equifax (Financial Services).

Each of the recipients of the fifth annual Security 7 Awards was asked "to write a first-person essay on a subject matter they are passionate about."

Here are a few brief excerpts from Perrig's essay, Improve SSL/TLS Security Through Education and Technology, with a link to the full text:

Probably the most fundamental threat to SSL/TLS security is a so-called man-in-the-middle (MitM) attack, where an adversary interposes in a connection between a client and a server to eavesdrop on communication or inject malicious data. Such MitM attacks can be mounted by any entity handling network packets, and are usually mounted in wireless networks in public environments, e.g., in coffee shops, airports, conferences, etc. The SSL/TLS protocol is designed to protect against man-in-the-middle attacks.

Unfortunately, many real-world issues still enable adversaries to mount attacks ...

Over the past seven years, I have been teaching more than 100 students each year about the various issues with SSL/TLS ... In several instances, the lessons learned in class fell on fertile ground: the students immediately assessed the security of their banks' websites and informed their banks to report cases of inadequate security. In numerous instances, the banks listened to the students' feedback and promptly improved security. In some cases, it was as simple as fixing a typo by adding the critical "s" to complete the URL to "https" for the login page. In more difficult cases, students needed to convince the banks' security administrators that Javascript-based encryption loaded from a non-https page can be easily removed by a MitM attacker. In summary, educating a critical mass of students who further disseminate security knowledge can result in real improved security for everyone.

Together with student education, technology that provides the user with additional information for improved security decision making can also enhance security. To improve security for https sites with self-signed certificates, as well as detect numerous attacks on https sites using bogus certificates, Dan Wendlandt, Dave Andersen and I designed and built Perspectives, a Firefox plug-in that connects to notary servers to assist in validating https credentials ...
Improve SSL/TLS Security Through Education and Technology, Information Security Magazine, 10-8-09
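The two points the excerpts make, that a login page served without the "s" in "https" leaves any script-based encryption strippable by an on-path attacker, and that independent notary servers can help a client judge whether the certificate it sees is the one the rest of the world sees, can be illustrated in a few dozen lines. The example below is added here and is not code from Perspectives or from the magazine essay; it is a simplified notary-style consistency check written in the spirit of the approach described. The notary names, certificate fingerprints, 31-day timeline, and the quorum and minimum-age thresholds are all constructed assumptions for illustration, not the plug-in's actual policy.

```python
# Added example (not Perspectives' own code): a simplified notary-style check in the
# spirit of the approach the essay describes. Fingerprints, notaries and the day
# timeline below are constructed; the thresholds are assumptions, not the plug-in's.
import hashlib
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Observation:
    """One notary's record of a server key: which certificate it saw and for how long."""
    fingerprint: str  # SHA-256 hex digest of the DER-encoded certificate
    first_seen: int   # first day (index on a constructed timeline) the key was observed
    last_seen: int    # last day the key was observed


def cert_fingerprint(der_bytes: bytes) -> str:
    """Fingerprint a certificate the way a notary or client would compare it."""
    return hashlib.sha256(der_bytes).hexdigest()


def login_url_uses_tls(url: str) -> bool:
    """The 'missing s' case from the essay: a login page served over plain http
    lets an on-path attacker strip any script-based encryption it loads."""
    return urlparse(url).scheme.lower() == "https"


def evaluate_notaries(client_fp, notary_views, now, quorum=0.75, min_days=3):
    """Compare the certificate the client sees with what independent notaries
    have seen from their own vantage points.

    Returns (decision, detail) where decision is 'accept', 'warn' or 'reject':
      reject - too few notaries currently see this key (possible local MitM)
      warn   - a quorum agrees, but the key is newer than min_days (a recent
               rollover, or a widespread attack that began recently)
      accept - a quorum has agreed on this key for at least min_days
    """
    total = len(notary_views)
    if total == 0:
        return "reject", {"reason": "no notary data"}

    def fraction_agreeing(day: int) -> float:
        agree = sum(
            1 for obs_list in notary_views.values()
            if any(o.fingerprint == client_fp and o.first_seen <= day <= o.last_seen
                   for o in obs_list)
        )
        return agree / total

    current = fraction_agreeing(now)
    if current < quorum:
        return "reject", {"agreeing_fraction": current, "quorum_days": 0}

    # Quorum duration: how many consecutive days, counting back from now, a quorum
    # of notaries has seen this same key.
    quorum_days, day = 0, now
    while day >= 0 and fraction_agreeing(day) >= quorum:
        quorum_days += 1
        day -= 1
    detail = {"agreeing_fraction": current, "quorum_days": quorum_days}
    return ("warn" if quorum_days < min_days else "accept"), detail


# Constructed sample data: four notaries watching one host over 31 days.
FP_LEGIT = cert_fingerprint(b"constructed DER bytes: long-lived legitimate certificate")
FP_ROLLED = cert_fingerprint(b"constructed DER bytes: newly rolled-over certificate")
FP_ATTACK = cert_fingerprint(b"constructed DER bytes: certificate seen only by the client")


def constructed_notary_views():
    """Two constructed histories: a steady key, and a key rolled over on day 29."""
    steady = [Observation(FP_LEGIT, 0, 30)]
    rolled = [Observation(FP_LEGIT, 0, 28), Observation(FP_ROLLED, 29, 30)]
    steady_views = {n: steady for n in ("notary-a", "notary-b", "notary-c", "notary-d")}
    rolled_views = {n: rolled for n in ("notary-a", "notary-b", "notary-c", "notary-d")}
    return steady_views, rolled_views


if __name__ == "__main__":
    steady_views, rolled_views = constructed_notary_views()
    print(evaluate_notaries(FP_LEGIT, steady_views, now=30))   # ('accept', ... 31 quorum days)
    print(evaluate_notaries(FP_ATTACK, steady_views, now=30))  # ('reject', ... 0.0 agreeing)
    print(evaluate_notaries(FP_ROLLED, rolled_views, now=30))  # ('warn', ... 2 quorum days)
    print(login_url_uses_tls("http://bank.example/login"))    # False
```

The three outcomes are the ones a user of a notary-backed client cares about: a certificate nobody else has ever seen for this host is the classic local-MitM signature and is rejected outright; a certificate every notary agrees on but only since yesterday is consistent yet young, so the client warns rather than silently trusting it; and a key that has been stable across vantage points for weeks is accepted even if it is self-signed, which is exactly the case browser trust stores handle poorly on their own.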

Text of press release