Tuesday, March 24, 2009

CyLab Partners Speak Out on the Benefits of Partnership


“We couldn’t be happier with our membership than we are.” Christopher Martin, Bosch

“With our external collaborations, we are seeking two things -- the best and the brightest people, and the best and the brightest ideas. That’s what brings us to CyLab.” Dennis Shou, Symantec

“That Carnegie Mellon brand goes a long way; we advertise our association with CyLab on our web site, and as a cyber security company, we look at it as a strong halo effect on our brand.” Michael Concordia, BitArmor

“As we look at technology and innovation, there are always unintended consequences; CyLab acts as that branch or arm that allows us to respond proactively to those unintended consequences.” Jay Srini, University of Pennsylvania Medical Center (UPMC)

CyLab Partners Speak Out on the Benefits of Partnership

CyLab is a world-class academic research program, with a unique multi-disciplinary approach, pursuing a vital goal: "Confidence in a Networked World."

Along the way, "CyLab harnesses the future to secure the present."

And what do we offer leaders in industry, technology and government?

"Partnering with CyLab sharpens the cutting edge."

In our ongoing efforts to communicate the reality of CyLab, how we chose to articulate our own mission is, of course, important; but the insights of our corporate partners are, arguably, at least as important.

So here are four brief videos featuring CyLab partners answering four vital questions. Take a few moments to listen to these voices of experience.

For more information on the CyLab Partners program, click here.

-- Richard Power

Why Partner with CyLab?



What is the Future of CyLab?



What are the Benefits of Partnership?



What is the CyLab Differential?

Sunday, March 22, 2009

Will Economic Hard Times Heighten the Insider Threat? The Safe Assumption is "Yes."


Police chiefs in the United States say the economic downturn is fueling a rise in crime and warn that cuts to their budgets could handcuff their efforts to tackle it ... Of 233 police agencies surveyed by the Police Executive Research Forum, a Washington-based law enforcement organization, 44 percent reported a rise in certain types of crime they attributed to the United States' worst economic and financial crisis in decades. Reuters, 1-27-09

Will Economic Hard Times Heighten the Insider Threat? The Safe Assumption is "Yes."

Economic hard times bring a rise in crime rates on the streets of physical space, and there is reason to expect a similar rise in crime rates on the digital street, particularly in regard to insider attacks.

A recent indictment has drawn renewed attention to the issue:

An IT contract employee who formerly worked at an oil and gas production company in Long Beach, Calif., was indicted yesterday on charges of sabotaging a computer system he helped set up because the company did not offer him a permanent job.
The case is the latest to highlight the challenge that businesses face in trying to protect corporate systems and networks from rogue insiders and those with privileged access to systems, such as contractors and business partners. Security analysts have warned about the heightened threats such users pose to corporations because of the broader disgruntlement resulting from layoffs and other belt-tightening steps companies have taken during the recession.
Computerworld, 3-18-09

To read the indictment, click here.

To brush up on your knowledge of the insider threat and how to address it proactively, look into the third edition of CERT's Common Sense Guide to Prevention and Detection of Insider Threats, and its empirically-based insider threat risk assessment diagnostic. (These resources and other elements of CERT's insider threat research have received significant CyLab funding.)

As Dawn Cappelli, technical lead on CERT's insider threat research, explained in a CyLab Chronicles interview: "The insider threat diagnostic enables organizations to gain a better understanding of actual insider threat activity and an enhanced ability to assess and manage associated risks. It merges technical, organizational, personnel, and business security and process issues into a single, actionable framework."

For the full interview, and links to relevant publications and other resources, click here.

-- Richard Power

Saturday, March 21, 2009

Cyberstalking is Real, so is Cyberbullying; Awareness & Education that Actually Reaches Youth is Vital



An army contractor who worked on a U.S. military base in Iraq hacked into the computers of teenage girls to harass and extort sexually explicit images from them, authorities allege. Police say he and an accomplice targeted some 4,000 young women around the world, including six Florida teens -- one of whom he cyberstalked for years, beginning when she was 14, and showed up at her work place. Wired, 3-19-09

Cyberstalking is Real, so is Cyberbullying; Awareness & Education that Actually Reaches Youth is Vital

Nine years ago, I was asked to fly to New York City to deliver a briefing on personal cyber security threats at a dinner for some C-level executives at the 21 Club.

I had not given much thought to the problem at that point, and so on the flight across country, I set my mind to conjuring a list of the nastiness that could plausibly be perpetrated on-line, directly and personally, using known exploits, freely available resources, etc.

By the time the wheels hit the runway, I had a compelling list:

Identity theft
Financial fraud
Cyber vandalism
Cyber stalking
Cyber voyeurism
Recon for physical theft
Recon for physical violence
Character assassination
Intel gathering for blackmail
Intel gathering for social engineering attacks

When I got into my hotel room, I did some research and verified at least one or two open source stories for each of these evil deeds.

In the years since, I have tracked the personal cyber security story line along with the two other story lines I was already following, i.e., the cyber security of government and business.

As this recent cyberstalking news item illustrates, such personal threats are real:

A victim in Florida told investigators that in 2002 when she was 14, she began chatting online with someone who identified himself as Patrick Connolly. ... After they'd been in touch a while, Connolly allegedly demanded that she send him sexual videos of herself. When she refused, he sent suggestive photos of her to her boyfriend. In 2004, she told investigators, he popped up in Florida at her job and said he wanted to take her to Universal Studios. She refused and he left but continued to harass her online. When she tried to end contact, Connolly allegedly threatened to send some of the explicit videos she'd given him to her grandmother. The harassment stopped for a while, but in January of this year, someone contacted her through a Facebook account and demanded more images of her under threat that he'd post the ones she'd previously sent him online. Wired, 3-19-09

Of course, there is also the phenomenon of "cyberbullying," as the tragic story of Megan Meier highlighted.

I do not have patience for those who downplay such stories and prattle on about statistical insignificance. The statistics really don't matter, at least they shouldn't matter to the parent of a child or a young woman who has been targeted by a cyberstalker or persecuted by a cyberbully. Even if instances are rare (and they are not so rare), if that instance involved someone you loved, you would not go easy on yourself if you had not done all you could to prepare them for life in cyberspace.

Cyberstalking and cyberbullying should be factored into awareness and education programs oriented toward children and their parents, and these awareness and education programs should be better funded.

MySecureCyberspace is a worthy example of such a program. An online resource from Carnegie Mellon University, which evolved out of the shared space of CyLab and INI, MySecureCyberspace provides some excellent resources on cyberbullying, as well as many other vital security and privacy issues for children and families. It provides news and tips geared toward the general populace, and features a game called Carnegie Cyber Academy.

If your organization hasn't already integrated MySecureCyberspace and Carnegie Cyber Academy into your awareness and education program in some way, you should seriously consider it.

-- Richard Power

Wednesday, March 18, 2009

What Do March Madness, the Economic Crisis & Corporate Branding Have in Common? All are Opportunities for Cybercrime, & for Raising Security Awareness



Cybercriminals are poisoning top Google search results related to March Madness to lure users into visiting fake anti-virus sites ... SC Magazine, 3-17-09

The economy remains the main topic spammers focus on to lure users into opening emails with malicious links ... SC Magazine, 3-17-09

According to the latest MarkMonitor Brandjacking Index, cybersquatting grew by 18 percent in 2008, proving that it continues to be a lucrative mode of exploitation ... CSO Magazine, 3-17-09

What Do March Madness, the Economic Crisis & Corporate Branding Have in Common? All are Opportunities for Cybercrime, & for Raising Security Awareness

Three recent, somewhat obscure news stories highlight the richness and diversity of nefarious activities undertaken in the shadows of cyberspace.

These stories also illustrate some ways in which the perpetrators exploit human emotions (e.g., fear and enthusiasm) and net resources (e.g., search engine optimization and social networking applications) to carry out their insidious schemes.

But perhaps of most importance, these three stories serve as a reminder that every 24 hours in cyberspace, there is something else to use as grist for the mills of user awareness and education. Cybercrime is 24x7 and global, user awareness and education should also be 24x7 and global.

Here are brief excerpts from all three, with links to the full texts and to relevant reports.

-- Richard Power

Cybercriminals are poisoning top Google search results related to March Madness to lure users into visiting fake anti-virus sites, Stephan Chenette, manager of security research at security firm Websense told SCMagazineUS.com Tuesday. Attackers are using deceptive search engine optimization (SEO) to get their malicious sites to the top of results on Google and other search engines, Angela Moscaritolo, SC Magazine, 3-17-09

The economy remains the main topic spammers focus on to lure users into opening emails with malicious links, according to Symantec's March 2009 "State of Spam" report. ... One of the more egregious spam messages Symantec found looked like a rejection letter. ... A URL in the message pointed back to a legitimate site, but the message said: “We have attached a copy of your application you sent for us.” If a user clicked on the attachment, an attack was launched involving the Hacktool.Spammer virus – a program that hackers use to attack inboxes by flooding them with email. Chuck Miller, SC Magazine, 3-17-09

According to the latest MarkMonitor Brandjacking Index, cybersquatting grew by 18 percent in 2008, proving that it continues to be a lucrative mode of exploitation, according to MarkMonitor officials. ... MarkMonitor's research found a total of 440,584 instances of cybersquatting were identified in Q4, followed by 86,837 instances of false association and 33,614 instances of pay-per-click abuse.
"... brandjackers are increasingly leveraging trademarks as they make use of best practices in search engine optimization to divert traffic to illegitimate or unauthorized sites," said MarkMonitor officials in a statement on the findings. ... Communication platforms and social networking sites like Twitter and Habbo are increasingly becoming vehicles for abuse ...
Joan Goodchild, CSO Magazine, 3-17-09

To read Symantec's monthly State of Spam report, click here. (Symantec is one of CyLab's corporate partners.)

To read MarkMonitor's Brandjacking Index, click here.

Friday, March 13, 2009

New INI Track Offers Cyber Forensics



NOTE: CyLab is a dynamic matrix that includes not only its own internal programs, e.g., CyLab Biometrics, CUPS, CyLab Mobility Research Center (MRC), etc., but also extends to closely associated resources, e.g., Computer Emergency Response Team (CERT), Information Networking Institute (INI), etc., which have evolved within the same space. In particular, INI is an important factor in the fulfillment of CyLab's commitment to personnel capacity building. So CyBlog not only carries news of CyLab developments, it also carries news of major INI developments.

New INI Track Offers Cyber Forensics

Here is some breaking news --

In Fall 2009, the INI will launch the Forensics Track to educate top talent in the cyber security field on how to conduct forensically sound digital investigations. It will be an option for students in Pittsburgh who are enrolled in either the Master of Science in Information Networking program or the Master of Science in Information Security Technology Management program. The INI offers the track in partnership with Carnegie Mellon's Software Engineering Institute (SEI), whose CERT® Program has long been at the side of government and law enforcement agencies when it comes to cyber forensics. ... Students who choose the Forensics Track as part of their master's program will obtain the skills and knowledge required to perform the investigations on computers and systems for which CERT has earned its reputation. CERT faculty, using state-of-the-art software, will teach each of the courses in the track and will include projects that give students hands-on experience. Upon completion, students will earn a certificate sanctioned by CERT, in addition to a master's degree in their program of choice.
The Forensics Track is the latest incentive offered at the INI to attract students who are interested in the field of information security. Another program, Scholarship for Service, provides a full scholarship to students who are U.S. citizens and willing to work for the government after graduation. The INI in partnership with Alta Associates also offers the Executive Women's Forum Fellowship, a full scholarship offered to an American minority student who will study information security.


To read the full story, click here.

Fortify & Cigital Release BSIMM -- Integrating Best Practices from Nine Software Security Initiatives


By studying what the nine initiatives were doing, BSIMM's creators were able to build a best-practices model that's broken into 12 categories software makers can follow:
* 1. Strategy and metrics
* 2. Compliance and policy
* 3. Training
* 4. Attack models
* 5. Security features and design
* 6. Standards and requirements
* 7. Architecture analysis
* 8. Code review
* 9. Security testing
* 10. Penetration testing
* 11. Software environment
* 12. Configuration and vulnerability management
Bill Brenner, CSO Magazine, 3-10-09

Fortify & Cigital Release BSIMM -- Integrating Best Practices from Nine Software Security Initiatives

Software security is one of Carnegie Mellon CyLab's cross-cutting research thrusts, and an area of great focus here, so we are always on the lookout for meaningful work in the field to highlight on CyBlog (especially when it is undertaken by one of our corporate partners, in this case, Fortify).

Brian Chess, Co-Founder and Chief Scientist for Fortify, and Gary McGraw, Chief Technology Officer for Cigital, are in the news, promoting a set of best practices called the Building Security In Maturity Model (BSIMM).

The Wall Street Journal's Digits blog provides some background:

The authors developed the model by studying the security practices at Google, Microsoft, Adobe, and other tech companies, as well as non-tech companies that write their own software like Wells Fargo, and Depository Trust & Clearing Corp. ... When Chess and co-author Gary McGraw studied companies known for taking security seriously they found some practices in common, which became the basis for their model. For example, there’s never even been an accepted best practice for how large a security team should be, says McGraw. The new model recommends one dedicated security person for every 100 software developers a company keeps on staff. WSJ Digits, 3-4-09

BSIMM is a worthy contribution intended for IT leaders, and it is free.

To download it, click here.

Thursday, March 12, 2009

CyLab on YouTube: "CyLab is a unique organization that covers a space that nobody else does in the world today."




CyLab on YouTube

"CyLab is a unique organization that covers a space that nobody else does in the world today ... Our researchers have a mission to work on problems that others don't, that the industry hasn't addressed yet. We are two or three steps ahead of industry." Virgil Gligor, CyLab Co-Director

Take a few moments to become acquainted with some of the voices and faces of Carnegie Mellon University CyLab by viewing this recent video --

Sunday, March 8, 2009

CyLab Research Update: Basic Instincts in the Virtual World?


"Instinctive computing is an emerging framework for a new kind of operating systems. Instead of making patches on an existing system, we want to make a new platform that integrates security, privacy and visual thinking in one place." Yang Cai, PhD., CyLab Instinctive Computing Lab, 2009

CyLab Research Update: Basic Instincts in the Virtual World?

On-line access to the CyLab weekly seminar series is one of the benefits of the CyLab Partners program. This access enables CyLab's corporate partners to expose their own teams to the latest developments in our ongoing research program.

The research being conducted at CyLab is both breathtaking in its vision and powerful in its practicality.

From time to time, CyBlog will offer you a glimpse behind the curtain.

Here is your first peek --

Are there digital pheromones?

In nature, pheromones are used for identification, alarm, trail and information, but a CyLab team is applying the concept to cyberspace.

"Whenever we do a Google search we leave a trail, we actually leave our digital pheromones," says Yang Cai, founder of CyLab's Ambient Intelligence Lab. "This pheromone metaphor will combine a lot of elements together, e.g., digital, analog, physical and on-line community. It is a new way to think about different technologies, e.g., positioning, wireless networks, sensing, search, database retrieval. We can integrate a lot of technologies under this concept."

In a recent CyLab partners program seminar, Yang Cai gave a mind-expanding talk on "Instinctive Computing," and the concept of "digital pheromones" was just one aspect of his presentation.

"Instinctive Computing is a rethinking of overall computing, AI and network technologies and a new paradigm for the integrated security and privacy," according to Cai. "Instinctive Computing is a biologically and cognitively inspired computing that minimizes information overhead and maximizes security, privacy, efficiency and reliability. ... Five years ago, at the birth of CyLab, the founding director Pradeep Khosla pointed out that the ultimate goal of security research here is to catalyze the revolutionary technologies for next generation computing and networking. Instinctive Computing is a brand new field created in CyLab."

"Recently, in the field of Cybernetics and AI, there have been quite a few studies about Subconsciousness, e.g., Perceptual Intelligence (Pentland) looks at the perceptual models of humans and animals, and Affective Computing (Picard/Minsky) proposes an emotional machine. According to them, emotions play a major role in human decision-making and control a lot of our mental resources during decision-making. There is even one PhD. thesis on daydreaming, i.e., how to create a script that simulates daydreaming. It is very unique research. Here at our lab, we are trying to build an instinctive operating system. It is an ambitious goal, but we are trying to build it from very small pieces."

Cai's research is focused on developing technologies in three areas of "Instinctive Computing": Soft Biometrics, Videometrics and Intelligence.

Soft Biometrics: "Soft biometrics is not meant to replace conventional biometrics, but to complement and assist the traditional methods. The idea behind Soft Biometrics is that in our daily life we do not look at people's irises or fingerprints. We normally very vaguely look at proportion, color, height, gesture, etc. This kind of fuzzy input could be used to identify a person, or discover a pattern. Soft Biometrics would be good for fast-screening. It is non-invasive, because you can do it from videos. And it is also affordable, because a lot of video is free."

Videometrics: "There is a lot of video, but not enough people to look at it all. Most of the video is just thrown away. Here we try to retrieve those videos by words and eye-gazing, so the network will only send the sensory data that the operator is interested in, and the rest will be in low resolution. So we have a multi-resolution video stream. It saves a lot of bandwidth. We tested this on a mobile phone, and sent only the face in high resolution and the rest of the image on low resolution; and this reduced the size of the image sent from a 220K to only 2K. It is a big saving in bandwidth. We also applied this to surveillance videos, and the reduction is significant. So this is very practical for a digital video network, because the big problem is the scalability problem. You have very sophisticated, high resolution cameras but you do not have the bandwidth to pass this to the command center."

Intelligence: "We are working with several companies on this project. We try to analyze the sensor data. NASA, for example, has something like fourteen years of data on the ocean and eighteen years of satellite data, but most of the data just sits in the server. There is no time to look at it. We are doing data mining to look at it, and create visualization tools to help the analysts look at it in a very quick way. We really need to see the patterns. This is called spatial-temporal data mining, and this will be very meaningful."

Cai and his team are producing promising results, including:

"The visual instinct-based object segmentation yields robust and fast results."

"The multi-resolution video stream can reduce the network bandwidth significantly."

"We found that a highly selective security system can reduce the concerns of privacy."

"Finally, a security system may be useful for healthcare research or affordable diagnoses."

If you are interested in learning more, click here to find out about the Instinctive Computing Workshop that Cai is hosting on June 15-16, 2009 at Carnegie Mellon University CyLab in Pittsburgh, Pennsylvania.

Friday, March 6, 2009

CyLab Research Update: Locaccino Enables the Watched to Watch the Watchers

[Image: www.softpedia.com]


Mr. Sadeh's research focuses on whether location-tracking services can be run in a way that doesn't creep people out. Jeffrey R. Young, Now You Can Track Colleagues and Students on Your Laptop, Chronicle of Higher Education, 2-27-09

CyLab Research Update: Locaccino Enables the Watched to Watch the Watchers

Do you remember the Marauder's Map from the Harry Potter series? It was one of the most powerful magical objects in Potter's possession; and was entrusted to him by the free-spirited Weasley twins, Fred and George.

At first glance, the Map is simply a blank piece of parchment; but when the user points their wand at the Map and says, "I solemnly swear that I am up to no good," the message "Messrs Moony, Wormtail, Padfoot and Prongs, purveyors of aids to magical mischief-makers, are proud to present the Marauder's Map," and a detailed layout of Hogwarts Castle appears. Saying, "Mischief managed!" returns the map to its original blank state. The Map displays the entire contents of Hogwarts, including its occupants, secret passageways (and instructions on how to access them), and other mysteries ... Magical Objects in Harry Potter, Wikipedia

Well, much of what is called magic is actually science that has yet to be explained.

As Jeffrey Young remarks in his recent Chronicle of Higher Education article, "The technology to track your every move is already here."

"Google announced a service just this month called Latitude," Young adds, "which uses information from your cellphone or from your laptop's Internet connection to home in on your location and let you share it with friends."

CyLab researcher Professor Norman Sadeh and his team have developed Locaccino, a location-centered social application that addresses some of the privacy qualms related to such technology by empowering the user in ways that are both meaningful and practical.

Indeed, Locaccino is a project which exemplifies the work of the CyLab Usable Privacy and Security Laboratory (CUPS).

"The problem with most of the location trackers on the market is that they don't give people enough control over who can see them, and under what conditions," Mr. Sadeh says. ... Most of his test subjects started out reluctant to share their every move, even with friends. But users generally warmed to the system after they found the "hide my location" button for when they wanted to drop off the map. ...
One of the features Mr. Sadeh is most proud of in his own system is called "Who's Viewed Me," which, as the name suggests, lists every moment in the recent past when another user on the system saw your location.
Jeffrey R. Young, Now You Can Track Colleagues and Students on Your Laptop, Chronicle of Higher Education, 2-27-09

To learn more about Locaccino, and to join its Facebook application, click here.
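The three controls described above (rules over who can see you and under what conditions, a "hide my location" switch, and a "Who's Viewed Me" log) can be sketched as a small deny-by-default disclosure policy. This is an added illustration written for this post, not Locaccino's code; the rule shape (viewer, weekdays, hour window, places) and the class names are assumptions of mine.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    """One grant: `viewer` may see the owner on these weekdays (0 = Monday),
    inside [start_hour, end_hour), and only while the owner is at one of
    `places` (empty set = anywhere). Hypothetical rule shape."""
    viewer: str
    days: FrozenSet[int]
    start_hour: int
    end_hour: int
    places: FrozenSet[str] = frozenset()

    def permits(self, viewer: str, when: datetime, place: str) -> bool:
        return (viewer == self.viewer
                and when.weekday() in self.days
                and self.start_hour <= when.hour < self.end_hour
                and (not self.places or place in self.places))


@dataclass(frozen=True)
class ViewRecord:
    """One entry of the owner's "Who's Viewed Me" log."""
    viewer: str
    when: datetime
    place: str


class LocationSharing:
    """Disclosure policy for one owner: nothing is shared unless a rule
    grants it, the hide switch overrides every rule, and each successful
    view is recorded so the watched can later see who watched them."""

    def __init__(self, owner: str) -> None:
        self.owner = owner
        self.rules: List[Rule] = []
        self.hidden = False
        self.current_place: Optional[str] = None
        self._views: List[ViewRecord] = []

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)

    def set_location(self, place: Optional[str]) -> None:
        self.current_place = place

    def hide(self, flag: bool = True) -> None:
        # The "hide my location" button: drops the owner off the map entirely.
        self.hidden = flag

    def request_location(self, viewer: str, when: datetime) -> Optional[str]:
        """Return the owner's place if some rule permits `viewer` at `when`,
        otherwise None. Only actual disclosures are logged, since the log
        lists moments when someone really saw the owner's location."""
        if self.hidden or self.current_place is None:
            return None
        for rule in self.rules:
            if rule.permits(viewer, when, self.current_place):
                self._views.append(ViewRecord(viewer, when, self.current_place))
                return self.current_place
        return None

    def whos_viewed_me(self, since: Optional[datetime] = None) -> List[ViewRecord]:
        return [v for v in self._views if since is None or v.when >= since]


def demo() -> Dict[str, object]:
    """Constructed walk-through (sample data, not real users); returns each outcome."""
    alice = LocationSharing("alice")
    # bob may see alice on weekdays, 9:00-17:00, but only while she is on campus.
    alice.add_rule(Rule("bob", frozenset(range(5)), 9, 17, frozenset({"campus"})))
    alice.set_location("campus")
    wed_10am = datetime(2009, 3, 4, 10, 0)   # a Wednesday
    sat_10am = datetime(2009, 3, 7, 10, 0)   # a Saturday
    out: Dict[str, object] = {}
    out["bob_weekday"] = alice.request_location("bob", wed_10am)   # "campus"
    out["bob_weekend"] = alice.request_location("bob", sat_10am)   # None
    out["carol"] = alice.request_location("carol", wed_10am)       # None: no rule
    alice.set_location("home")
    out["bob_at_home"] = alice.request_location("bob", wed_10am)   # None: wrong place
    alice.set_location("campus")
    alice.hide()
    out["bob_hidden"] = alice.request_location("bob", wed_10am)    # None: hidden
    out["whos_viewed_me"] = [v.viewer for v in alice.whos_viewed_me()]  # ["bob"]
    return out


if __name__ == "__main__":
    print(demo())
```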

Monday, March 2, 2009

CyLab Mobility Research Center's YINZCAM Offers Sports Franchises a Powerful Edge to Offset the Impact of Hard Times


Pittsburgh’s tech-savvy Penguins are on the cutting edge with a one-of-a-kind fan experience that takes you right to the heart of the action—the Yinz Cam. Pop City, 3-2-09

CyLab Mobility Research Center's YINZCAM Offers Sports Franchises a Powerful Edge to Offset the Impact of Hard Times

With economic hardship pressing in from every side, many of us need the great distraction of sporting events more than ever before. Getting your mind off layoffs and stock market losses is a little easier when you can throw yourself into the thrills and chills of your beloved team's hot pursuit of participation in the Super Bowl, the World Series, the NBA Championships or the Stanley Cup.

But economic hardship also means even the most die-hard fans are tempted to simply stay at home, and lose themselves in their big screen TVs (while they still have them). It is, after all, much more expensive to go to the game.

Whether to watch the game at home or at the stadium is always a tough choice, even when the economy is booming and the extra cost isn't an issue. There are trade-offs.

At the stadium, you are inside the roaring of the crowd, you are not just viewing the drama, you are engulfed in it, and yes, it is always possible that you will actually be present for some historic moment.

On the other hand, at home, you can not only save money, you can put Cayenne or Spirulina all over your own big bowl of popcorn, you can control the heat, and you can stretch out on your own sofa. But arguably, for the most fanatical of sports fans, the deciding factor in choosing to stay at home is the ability to study replays, get multiple camera angles and hear the play by play analysis.

Well, CyLab Mobility Research Center Co-Director Priya Narasimhan and her team have developed a technology that gives sports franchises a powerful edge to counteract the impact of hard times, by removing this most persuasive argument for staying at home.

YINZCAM empowers the fan in the stadium. It gives fans the capability to design their own personalized multi-media experience of the game, live, via wi-fi from inside the arena:

Simply bring your iPod Touch, your iPhone, your Blackberry Bold to the next Penguins home game. Get on the wifi network inside the Arena and you can then catch real-time action replays, rewind a live camera feed yourself (creating your own action replay) on your wifi device ... Techburg, 2-27-09

Fans using Yinzcam can "check live scores from [NHL] games and even choose camera angles, to focus on one section of the ice or on certain players." The service also is "designed to allow ticket-holders to view the nearest concession stand or restroom line from their seats, so they can better time their trips." Street and Smith's Sports Business Daily, 10-24-08

YinzCam is currently under pilot with the Pittsburgh Penguins at Mellon Arena.

Follow YinzCam on http://twitter.com/yinzcam to get game-time updates, e.g., info about special camera angles for that game, promotional giveaways, etc.

To follow the progress of YINZCAM on Facebook, click here.

For directions on how to try out YinzCam at a Penguins home game, click here.

Hopefully, though, you will soon be able to benefit from YINZCAM at other venues throughout professional sports.