Friday, November 20, 2009

Significant Contribution of Carnegie Mellon Privacy Research Cited in Congressional Hearing

Image: U.S. Capitol Building

The work of Carnegie Mellon CyLab faculty and students was cited today in remarks by Rep. Mike Doyle (D-PA) during the hearing "Exploring the Offline and Online Collection and Use of Consumer Information," held by the Committee on Energy and Commerce's Subcommittee on Commerce, Trade and Consumer Protection. Doyle also quoted CyLab researcher Alessandro Acquisti directly.

Here is a transcript of Rep. Doyle's remarks (thanks to CUPS' Aleecia McDonald).

"Thank you, Mr. Chairman, for holding this hearing today. Trading and selling of personal information began as long ago as 1899. Two brothers created the Retail Credit Company to track the creditworthiness of Atlanta grocery and retail customers. Some people know that company now as Equifax. Since then, the cost of storing and manipulating information has fallen sharply, and now organizations capture increasing amounts of data about individuals' behavior. Consumers hunger for personalization, product services, websites that cater to them. That causes them to reveal information about themselves. Ordering off a catalog reveals other information. Using a credit card yields more. And thinking you have to send in that warranty card can reveal almost your entire life to other parties.
But that information probably delivers better products, more targeted services, and a more enjoyable Internet experience. As Alessandro Acquisti of Carnegie Mellon writes, 'Is there a combination of economic incentives and technological solutions to privacy issues that is acceptable for the individual and beneficial to society?' In other words, is there a sweet spot that satisfies the interests of all parties? And then, what are the rules of the road that we need to put in place to make sure consumers' privacy is protected and that commerce flourishes? That's what I hope to learn more about in today's hearing. I want to credit the work dozens of dedicated faculty and students working on consumers' data privacy at Carnegie Mellon University, located in the heart of my district, have done. [Carnegie Mellon University], the data privacy lab and CyLab have all greatly contributed to the academic literature, commercial consciousness, public awareness, and my understanding of this issue. Thank you, Mr. Chairman, I yield back."

Details and video of the hearing are available from the Committee on Energy and Commerce Subcommittee. Note: the video starts at 17:40, with audio starting at 18:26 -- nothing but a title screen before that. Representative Doyle begins speaking at 43:29.

Tuesday, November 10, 2009

From Biometrics to BSIMM, & "50 Hurricanes Hitting At Once!" -- A Report on the Sixth Annual Partners Conference

Image: CyLab Biometrics Center

by Richard Power

Throughout 2009, I have made a point of attending some important security conferences and delivering reports on what I saw and heard. Some of these reports are posted here on CyBlog and in the Intelligence Briefing section of the CyLab Partners-Only Portal. The events covered include RSA, Black Hat Briefings and USENIX Security Symposium, as well as our own SOUPS and Mobile Health Workshop. (I have included a listing of the summary reports below in "Conference Coverage.")

It is wonderful to finish off the series with a report on the CyLab Partners Conference. It is an event accessible via invitation only, and developed as an opportunity for CyLab’s corporate partners to immerse themselves in an audacious program. The conference's agenda, like CyLab's research program itself, is sweeping in its scope and impressive in its implications.

The sixth annual CyLab Corporate Partners Conference, held on the main campus of Carnegie Mellon University (Pittsburgh, Pennsylvania) from Wednesday, October 14 to Friday, October 16, offered a deep dive into one of the world’s premier cyber security research programs. Over the span of two and a half days, attendees immersed themselves in presentations and panel discussions on a broad spectrum of research areas, including:

• Corporate Governance
• Secure Home Computing
• Usability of Security and Privacy Techniques
• Security of Cyber-Physical Systems
• Secure Mobile Systems and Networks
• Trusted Computing Platforms and Devices
• Secure Software Engineering
• Digital Forensics

The rich conference agenda also featured two keynotes, one from former White House aide Melissa Hathaway, and the other from Gary McGraw, CTO of Cigital, Inc.

In her remarks at lunch on Wednesday, Hathaway spoke of the vital role of business, government and the individual and emphasized the threat to critical infrastructure:

The specter of a "digital 9/11" is what still keeps the former U.S. acting cybersecurity czar up at night, Melissa Hathaway told a gathering of Carnegie Mellon University's CyLab corporate partners ...
To illustrate one possibility, Hathaway referred to the relatively low-level denial-of-service attacks that hit some federal Web sites for several days beginning over the July Fourth weekend.
A more powerful barrage that used more points of attack, perhaps against private-sector targets, could cause $700 billion in damage, she said.
"That's the equivalent of 50 hurricanes hitting at once," Hathaway said.
Mike Cronin, "Partners of Carnegie Mellon's CyLab warned that 'digital 9/11' threat growing," Pittsburgh Tribune Review, 10-15-09

At dinner on Thursday, McGraw championed the Building Security In Maturity Model (BSIMM), which McGraw's Cigital developed and is now promoting with the SANS Institute through BSIMM Begin.

BSIMM is based on large-scale software security initiatives in nine enterprises: four financial services companies, three independent software vendors and two technology companies.

As McGraw remarked in his keynote, "BSIMM is not about good or bad ways to eat bananas or banana best practices. BSIMM is about observations."

The power of the observations offered by McGraw and his colleagues is in their practicality: e.g., "Ten Surprising Things," including "Nobody uses WAFs," "QA can't do software security," "PEN testing is diminishing," etc., and "Ten Things Everybody Does," including "Evangelist role," "SSG does ARA" and "good network security," etc.

BSIMM will help you know where your enterprise stands, and in what direction you might want to maneuver it. Perhaps most important, through BSIMM Begin, it is intended to be ongoing and participatory:

"BSIMM Begin aims to significantly broaden data collection. To keep the survey manageable, the scope has been limited to the BSIMM Level 1 activities. The goals of this survey are two-fold: to provide participants with a solid understanding of where they stand with respect to foundational software security activities; and to provide an understanding of where they stand relative to everyone else that participates. BSIMM Begin will broaden the collective understanding of what 'keeping up' really means." Software Security Self-Measurement with BSIMM Begin Introduced by Cigital and The SANS Institute, 10-8-09

The BSIMM Begin survey can be accessed from the landing site:

For more information, read McGraw's Software [In]security: The Building Security In Maturity Model (BSIMM) in InformIT (3/16/09).

The body of the conference was devoted to updates on the diverse aspects of CyLab's bold research program.

For example, Marios Savvides, Director of CyLab's Biometrics Center, and one of the four scientists of the Office of the Director of National Intelligence Center of Academic Excellence in S&T in Identity Sciences, delivered a report on his team's "Multi-Biometrics Research Effort."

Savvides' compelling presentation showcased how his research is tackling some of the field's most urgent and vital challenges, from Long Range Iris Recognition on the Move to Soft Biometrics to Automatic Landmarking Frontal Faces to 3-D Face Reconstruction from Single Images.

In his summary, Savvides outlined his Center's current status and goals, including:

-- Developed several key technologies of HIGHEST interest to the USG.

-- Already transitioning one technology to USG (FBI’s Universal Face Workstation)

-- Working with MIT-LL to develop Government Owned Face Recognition (GOTS-FR).

-- Working on refining and developing Iris acquisition and other technology for the USG for two more successful transition stories.

"We collaborate and bridge across many USG agencies," Savvides concluded. "Our goal is to support the USG in developing key enabling technologies to deter terrorism and aid the war fighter."

The three presentations briefly cited here offer only a few glimpses into the scope of the sessions stretching over the two and a half day conference.

NOTE: A full archive of presentations, student posters, photo gallery and videos is accessible to CyLab Partners only from the Partners Portal.

Conference Coverage

A Report from the 18th USENIX Security Symposium: Android Security, Naked Keystrokes, Selling Viagra, Crying Wolf & More!

A Report from BlackHat Briefings (Las Vegas 2009): From Parking Meters to the Cloud, from SMS to Smart Grids, “Everything is Broken …”

Reflections on SOUPS 2009: Between Worlds, Cultivating Superior Cleverness, Awaiting a Shift in Consciousness

RSA Conference 2009: Summary of Posts

CyLab MRC's Martin Griss Declares, "I Do Not Want Us to be Just Another Big Consortium, I Want Us to Do Something"

NOTE: Full texts of my reports from USENIX, Blackhat and the Sixth Annual CyLab Partners Conference are available to CyLab corporate partners via the Partners Portal.

Saturday, November 7, 2009

CyLab Dispatch: On the Road for Cyber Security Month

Image: United States at Night (NASA)

by Richard Power

Over the last two years, I have been addressing these and related issues in industry outreach through presentations and publications.

Last year, to observe Computer Security Day, I traveled to the island nation of Mauritius, in the Indian Ocean, off the coast of Africa. (CyLab corporate partners can read more about it in Culture of Security: A Message from Mauritius.)

This year, to observe Cyber Security Awareness Month, I delivered “Starting Over after a Lost Decade: In Search of a Bold New Vision for Cyber Security” first in the Midwest, then in the South, then in the North and then in the West:

* CERIAS, Purdue University, West Lafayette, IN
* ISSA InfoSecCon, Raleigh, NC
* Carnegie Mellon CyLab, Pittsburgh, PA
* SecureWorld Seattle, Bellevue, WA

At SecureWorld Seattle, I also delivered a presentation on "Secrets Stolen, Fortunes Lost: Preventing Economic Espionage & Intellectual Property Theft in the 21st Century," with Christopher Burgess, with whom I co-authored the book by the same title.

Here is a link to the video of my seminar at CERIAS. (CyLab corporate partners can also view the video of my Pittsburgh seminar, along with a .pdf of the full presentation, in the Business Risks Forum section of the Partners Portal.)

In 2009, I also continued writing for CSO Magazine, and increased the frequency of my columns to bi-monthly:

* Red pill? Blue pill? Beyond Fear, Doubt, and “Broken.” Ruminations on the Intersection of Inner Space and Cyber Space
* Cyber Security, the Nuclear Threat and You: Cassandra's Guide to the 21st Century
* This Profound Moment in Cybersecurity, & Three Challenges that Frame It
* To Govern or Not to Govern
* A Corporate Strategy for Coping with the Climate Crisis
* Industrial Espionage: Secrets Stolen, Fortunes Lost

[NOTE: CyLab partners can read the full text of this CyLab Dispatch in the Culture of Security section of our Partners Only Portal.]