Tuesday, November 22, 2011

CyLab Seminar Series: WhiteHat Security Founder and CTO Jeremiah Grossman on 4 Years and 4 Thousand Websites



CyLab Seminar Series: Four New iTunes and You Tube Videos Offer Glimpse into Compelling, Exclusive Content

Carnegie Mellon University CyLab is one of the world's premier academic research programs in the fields of cyber security and privacy research. With over fifty faculty members and over one hundred graduate students drawn from several colleges within CMU, CyLab research explores seven main research areas and seven cross-cutting research thrusts.

The CyLab program is fueled by the support of corporations and government agencies looking for both the vital research that delivers answers to difficult questions and the probing minds that articulate those answers.

Access to the weekly webcasts and on-line archive of the CyLab Seminar Series is one of the exclusive benefits of membership in CyLab's private sector consortium.

Every week, during the school year, the CyLab Seminar Series provides updates on the latest research by our faculty, as well as by visiting scholars from other prestigious institutions. In addition to these academic research presentations, occasional Business Risks Forum events feature security experts from business and government, who deliver invaluable insights on the facts on the ground in the operational environment.

Now CyLab is offering a rare glimpse into its Seminar Series with the release of four videos via both the CyLab You Tube Channel and CyLab at iTunesU, including this Business Risks Forum talk by WhiteHat Security founder and CTO Jeremiah Grossman.

Jeremiah Grossman on 4 Years and 4 Thousand Websites



As previously noted, these four videos are available both from the CyLab You Tube Channel and CyLab at iTunesU.

Some Related Posts

CyLab Deepens & Enriches Online Content With Five New Videos For You Tube & ITunes

CyLab Chronicles: Anthony Rowe On Wireless Sensor Networks For Building Energy Management

Select CyLab Seminars Available Via ITunes And YouTube

CyLab Seminar Series: Lawrence Dietz - A Civilian Perspective on Cyber War

CyLab Seminar Series: Anthony Rowe on Wireless Sensor Networks for Building Energy Management



CyLab Seminar Series: Four New iTunes and You Tube Videos Offer Glimpse into Compelling, Exclusive Content


Now CyLab is offering a rare glimpse into its Seminar Series with the release of four videos via both the CyLab You Tube Channel and CyLab at iTunesU, including this talk by CyLab researcher Anthony Rowe.

Anthony Rowe on Wireless Sensor Networks for Building Energy Management





CyLab Seminar Series: Nicolas Christin on Analyzing Search-Engine Manipulation Campaigns



CyLab Seminar Series: Four New iTunes and You Tube Videos Offer Glimpse into Compelling, Exclusive Content


Now CyLab is offering a rare glimpse into its Seminar Series with the release of four videos via both the CyLab You Tube Channel and CyLab at iTunesU, including this talk by CyLab researcher Nicolas Christin, who is also Associate Director of the Information Networking Institute (INI).

Nicolas Christin on Analyzing Search-Engine Manipulation Campaigns





CyLab Seminar Series: Lorrie Cranor on 15 Years of Privacy Notice and Choice



CyLab Seminar Series: Four New iTunes and You Tube Videos Offer Glimpse into Compelling, Exclusive Content


Now CyLab is offering a rare glimpse into its Seminar Series with the release of four videos via both the CyLab You Tube Channel and CyLab at iTunesU, including this talk by Dr. Lorrie Cranor, Director of the CyLab Usable Privacy and Security Lab.

Lorrie Cranor on 15 Years of Privacy Notice and Choice





Tuesday, November 15, 2011

"One of Very Few Forums Where You Can Actually Bridge Practical With Theoretical & Shift Thinking Away from Day to Day to the Future."




CyLab SV Briefing 11/11/11: "One of Very Few Forums Where You Can Actually Bridge the Practical With the Theoretical & Shift Thinking Away from the Day to Day to the Future."

The Mayan calendar has ended, and that marvelous date 11/11/11 has come and gone. The world did not implode. We are still here. Which is what the Mayan elders assured those who had the common sense to actually consult them instead of tabloid mystics and pop culture pseudo-shamans. Of course, great changes are at hand, including the collapse of the planetary climate human civilization has been predicated upon for two millennia, but the human experiment continues.

Spending the morning of 11/11/11 at the Fall 2011 CyLab Silicon Valley Briefing immersed in the latest cyber security and privacy research was a life-affirming exercise. Nothing is more vital to the future of that human experiment than information and information systems; nothing is more vital to the future of information and information systems than cyber security and privacy.

The CyLab Silicon Valley Briefing is a bi-annual event I developed to raise awareness of CyLab's presence at the Carnegie Mellon University Silicon Valley Campus (CMU SV), in NASA Research Park, Moffett Field, California. It is an invitation-only event that brings together a small group of twenty to thirty leaders in business, security technology, federal law enforcement and the news media to interact with a few of CyLab's fifty-plus faculty members for research updates in several major research areas.

Our 11/11/11 event included attendees from Adobe Systems, Oracle, McAfee, Symantec, Microsoft Research, the U.S. Secret Service, the San Francisco Examiner and the Information Systems Security Association (ISSA), among other organizations, and featured updates from five CyLab researchers, followed by a sumptuous Middle Eastern luncheon in a relaxed atmosphere that allowed for meaningful engagement. I designed the CyLab Silicon Valley Briefing to be sort of an anti-conference: free, paperless, intentionally small (the room can fit 40, but we keep it at 30 so there is elbow room for everyone), no advertising, invitation only (all by direct one-on-one e-mail exchange), and only half a day.

Here are the perspectives of a couple of attendees.

Lawrence D. Dietz, COL (Retired), General Counsel and Managing Director of Information Security, TAL Global Corporation (San Jose, California): "The CMU CyLab events are a great investment of time. They are one of the very few forums where you can actually bridge the practical with the theoretical and shift your thinking away from the day to day to the future. The variety of presentations is attractive because invariably a nugget from each one will strike a responsive chord and give you something to take back to your colleagues. CyLab is able to apply theoretical research to practical problems. In my opinion, the work being done by Dr. Anupam Datta with respect to automating HIPAA compliance is nothing short of revolutionary. In an era of shrinking health care provider budgets and growing needs to protect patient information, intelligent and sensitive automation combined with fail-safe procedures and human safeguards has tremendous potential. While no one can envy the task of converting laws into machine language, a project such as Dr. Datta's is pioneering how health care providers will operate in the future to cost-effectively ensure that their patients' medical data remains private."

Greg Reber, CEO, Astech Consulting: "This was my first CyLab conference and I was quite impressed. CyLab is solving real-world problems that require cutting edge research into emerging technologies - exactly what I was looking for. The speakers were extremely knowledgeable in their fields, and the format allowed for group discussions and input. This was well worth the time, and I will make it a priority to attend future CyLab conferences."

Here is a look at the event's agenda, with links to the CyLab researchers' bios and their 11/11/11 presentations:

Jonathan McCune spoke on Trustworthy Computing and Attestation. McCune is one of three co-authors of Bootstrapping Trust in Modern Computers, with CyLab Research Director Adrian Perrig and CMU PhD Bryan Parno, winner of the 2010 Doctoral Dissertation Award from the Association for Computing Machinery (ACM). (See also Parno, McCune And Perrig Author Book On Bootstrapping Trust In Modern Computing.) Copies of the book, signed by McCune, were given to attendees as gifts.

Martin Griss, Dean of the CMU SV Campus and Director of the CyLab Mobility Research Center (MRC) spoke on CMU SV's Disaster Management Initiative (DMI).

Collin Jackson spoke on Web Security. (CMU is very much a global entity, and this reality was underscored as Jackson's presentation was delivered remotely from Seoul, where he had traveled for high-level meetings with an industry leader.)

Anupam Datta spoke on Principled Audit Mechanisms for Privacy.

Patrick Tague spoke on Enabling Secure Mobile Disaster Communications.

-- Richard Power

Some Related Posts

A Report on CyLab Silicon Valley Briefing (Spring 2011)

Spring 2011 CyLab Silicon Valley Briefing Focuses On Smart Grid, Healthcare And Web Platforms

A Report On The CyLab Silicon Valley Briefing (Spring 2010)

CyLab Experts Host Industry And Security-Related Briefing In Silicon Valley

Tuesday, October 25, 2011

CyLab Deepens & Enriches OnLine Content with Five New Videos for You Tube & iTunes; Glimpses into CyLab Partners Conference




Carnegie Mellon University CyLab is one of the world's premier academic research programs in the fields of cyber security and privacy research. With over fifty faculty members and over one hundred graduate students drawn from several colleges within CMU, CyLab research explores seven main research areas and seven cross-cutting research thrusts.

The CyLab program is fueled by the support of corporations and government agencies looking for both the vital research that delivers answers to difficult questions and the probing minds that articulate those answers.

The annual CyLab Partners Conference is one of the exclusive benefits of membership in CyLab's private sector consortium. Each year, representatives from CyLab's corporate partners gather to immerse themselves in the latest research through faculty updates and graduate student poster sessions.

This year, CyLab is offering a rare glimpse into its Partners Conference proceedings with the release of five videos via both the CyLab You Tube Channel and CyLab at iTunesU:

8th Annual CyLab Partners Conference: Bruno Sinopoli On the Security of Cyber-Physical Systems



8th Annual CyLab Partners Conference: Collin Jackson - Web Security



8th Annual CyLab Partners Conference: David Brumley - Safe Software



8th Annual CyLab Partners Conference: Alessandro Acquisti - Privacy in the Age of Augmented



Excerpts from the 8th Annual CyLab Partners Conference (NOTE: This sampler includes eight excerpts from engaging talks that emphasize CyLab's main research areas.)



As previously noted, these five videos are available both from the CyLab You Tube Channel and CyLab at iTunesU.

Some Related Posts

CyLab Chronicles: A Report From The 8th Annual CyLab Partners Conference

President Obama Honors CyLab Researcher Among Outstanding Early-Career Scientists

New Study Co-Authored By CyLab Researcher: Face Recognition Software And Social Media Result In Increased Privacy Risks

A Report on CyLab Silicon Valley Briefing (Spring 2011)

Tuesday, September 27, 2011

BSIMM3 Released: "An Excellent Tool for Devising a Software Security Strategy"





"BSIMM3 can be used as a measuring stick for software security. As such, it is useful for comparing software security activities observed in a target firm to those activities observed among the thirty firms (or various subsets of the thirty firms). A direct comparison using the BSIMM is an excellent tool for devising a software security strategy." Gary McGraw, InformIT, 9-27-11


By Richard Power

As I have noted over and over throughout the years, software security is a vital aspect of any holistic approach to cyber security; and as I have written in recent years, the Building Security in Maturity Model (BSIMM) is a useful resource for those engaged in advancing the development and application of software security. Of course, BSIMM is not a set of standards; it is a set of activities identified as integral to the most successful software security initiatives in the world. That's its strength, and that strength grows with each new year of aggregated data.

The third edition of Building Security in Maturity Model (BSIMM3) is now available.

Here are some highlights of BSIMM3:
  • Now includes forty-two firms
  • One hundred nine activities in twelve practices with two or more real examples for each
  • Eleven firms have been measured twice (giving us Longitudinal Study data) and the data show measurable improvement
  • Eighty-one distinct measurements (some firms measured twice, some firms have multiple divisions measured separately)
  • Describes the work of 786 SSG members working with a satellite of 1750 people to secure the software developed by 185,316 developers

CyBlog caught up with Gary McGraw, CTO of Cigital, who drives the BSIMM, and asked for his perspective on this year's report.

"The two most important things we learned in the BSIMM3 work are: 1) that each of the 42 firms has an explicit software security group (SSG) and an SSG has on average 2 full time people for every 100 developers, and 2) we now know much more about how software security initiatives evolve and change over time."

"The BSIMM remains the only measuring stick for software security initiatives based on science. It is extremely useful for comparing the initiative of any given firm to a large group of similar firms. The BSIMM has been used by multiple firms to strategize and plan their software security initiatives and measure the results. Finally, FWIW, the government is woefully behind when it comes to software security."

Download BSIMM3.

Some Related Posts

Evolving Rapidly, BSIMM2 Offers Key Elements of Successful Software Security Initiatives Shared by 30 Major Corporations (2010)

CyLab Business Risks Forum: Gary McGraw on Online Games, Electronic Voting and Software Security (2009)

From Biometrics to BSIMM , & "50 Hurricanes Hitting At Once!" -- A Report on the Sixth Annual Partners Conference (2009)

Fortify & Cigital Release BSIMM -- Integrating Best Practices from Nine Software Security Initiatives (2009)

Thursday, August 11, 2011

USENIX Security 2011: Another Ring on the Tree Trunk for One of Cyber Security's Worthiest Gatherings, & A Strong CyLab Presence

Nektarios Leontiadis, Carnegie Mellon CyLab, speaking at USENIX Security Symposium 2011


The USENIX Security Symposium has been one of my favorite conferences to attend throughout my two decades in the realm of cyber security. I have been writing about it since my days as Editorial Director of the Computer Security Institute (CSI), and it has never disappointed me, either in terms of its content or its integrity. Incredibly, this year's Symposium is the twentieth, and it doesn't feel like USENIX is getting old or selling out any time soon.

Here are some of my notes from Wednesday and Thursday, just two of the five days on the Symposium's agenda.

Hugo and Locus Reader Award winning Sci-Fi author Charles Stross gave the opening keynote on Network Security in the Medium Term: 2061–2561 AD.

What is network security going to be like, Stross asked, after Moore's Law has burnt out?

"By 2061 well over half of the world's populace will live in cities ... Governments not going to be as important as they used to be ... Mature nanotechnology all around us, but not be as life-like as people think ..."

Stross outlined these and other predictions about the nature of cyber/physical reality in 2061 and beyond, but then he did an about face: "Everything I just said is bunk, because it assumes nothing bad will happen ..."

For much of the rest of his musings, Stross focused on some specific future technologies and the potential impact and consequences.

Mobile phones? They already connect people, not places; we are raising a generation of kids who won't know what it's like to get lost. In the future, you will say "I want to visit my cousin Bill, wherever he lives," and a cab will show up.

Where are we going to store it all? Memory diamonds, Stross predicted: a lattice with a data bit encoded in each atom.

Life-logging will include face recognition on everything you see, and OCR on everything you read.

Life-logging will be mandated by insurers for any employee involved in any work that's risk-related.

Home genome monitoring will deliver personal health benefits and provide health agencies with early warning.

ID theft will be radically more drastic; it will capture a human existence in 64 milligrams of memory diamond.

Is losing your health privacy an acceptable price to pay for avoiding a plague?


I asked friend and long-time colleague Rik Farrow, Editor of USENIX's bi-monthly magazine ;login:, both for his savvy take on Stross' vision of the "intermediate future," and for what jumped out at him from other sessions.

"Charlie Stross does an amazing job envisioning the future, both near term and further out. His prediction of two terabyte personal bandwidth seems a bit 'over-the-top', but then consider how some Connecticut Yankee with his proverbial time machine would consider the world of today. Stross was eloquent, intriguing, but dodged the thorny issues of the future of security. We've botched things terribly in our rush to just make things work. Critical systems, like the P25 radios described by Matt Blaze, have design flaws that make them easier to use incorrectly, without encryption, than with it enabled. Yet the ability to manage encryption keys and have systems that can use encryption without requiring a genius as operator are critical moving forward. Dave Aitel's invited talk, The Three Cyber-War Fallacies, opposite the papers track, also served notice on many security fantasies. Dave provided metrics to back up a lot of what he was saying, like attack is hard, or the average useful lifespan of a zero-day is 99 days! We need to move on from signature-based approaches to security, Dave said, and I strongly agree with him. The car hacking attack displayed the amazing perseverance seen in many of today's best researchers, and Steve Checkoway's demonstration (Comprehensive Experimental Analyses of Automotive Attack Surfaces) of remotely locating (with GPS), unlocking, and defeating the anti-theft measures using a hack embedded in an MP3 stream drew an enthusiastic response from the audience. I really appreciated the work by Kevin Z. Snow (SHELLOS: Enabling Fast Detection and Forensic Analysis of Code Injection Attacks) and others to test possible malicious data, like PDFs, for executable code by using a tiny operating system they had built, and run in a Linux VM for testing Windows exploits. Mindblowing."

The Matt Blaze study mentioned in Rik's remarks is entitled Why (Special Agent) Johnny (Still) Can't Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System; co-authored by Sandy Clark, Travis Goodspeed, Perry Metzger, Zachary Wasserman, Kevin Xu, and Matt Blaze of the University of Pennsylvania, it was one of two studies awarded "Outstanding Paper."

The other study to receive "Outstanding Paper" was Measuring Pay-per-Install: The Commoditization of Malware Distribution, co-authored by Juan Caballero, IMDEA Software Institute; and Chris Grier, Christian Kreibich and Vern Paxson, University of California, Berkeley, and ICSI.

CyLab had a strong presence at the 20th USENIX Security Symposium.

Two CyLab studies were among the refereed papers presented:

Alessandro Acquisti and Collin Jackson also delivered Invited Talks.

CyLab's Collin Jackson speaking at USENIX Security Symposium 2011

Collin Jackson's Invited Talk, Crossing the Chasm: Pitching Security Research to Mainstream Browser Vendors, underscored why Jackson, based at Carnegie Mellon's Silicon Valley Campus, is a force to be reckoned with in the space of browser security.

At the end of his talk, he even provided attendees with a list of "Controversial Things I Just Said":

NoScript is a niche browser... not the browser of the future

Program committees actively harm good ideas

OCSP is risky.

SafeHistory is undeployable.

Breaking with sockets for six months was not a mistake.

You should crash Mozilla team meetings.





Nektarios Leontiadis, a Carnegie Mellon grad student conducting CyLab research, presented on Measuring and Analyzing Search-Redirection Attacks in the Illicit Online Prescription Drug Trade. This paper presents the latest findings in Nicolas Christin's compelling work in the space of the Economics of Security and Cybercrime. For more information on this study, see USENIX Security 2011: CyLab Researchers Release Study On Illicit Online Drug Trade And Attacks On Pharma Industry.




For more on Alessandro Acquisti's latest study, Privacy in An Age of Augmented Reality, which was released last week at Black Hat Briefings 2011 in Las Vegas, see New Study Co-Authored By CyLab Researcher: Face Recognition Software And Social Media Result In Increased Privacy Risks, or Black Hat Briefings 2011: Mudge of DARPA, the App as Ultimate Wingman, Why the Water Commissioner's Hair is on Fire, & Other Strange Tales, and my CSO Magazine interview with him, Face recognition and social media meet in the shadows.

See Also

Voltaire Lives: A Report from USENIX Security Symposium 2010

Android Security, Naked Keystrokes, Selling Viagra, Crying Wolf & More! -- A Report from the 18th USENIX Security Symposium (Montreal, 2009)

Friday, August 5, 2011

Black Hat Briefings 2011: Mudge of DARPA, the App as Ultimate Wingman, Why the Water Commissioner's Hair is on Fire, & Other Strange Tales



By Richard Power


Here are my notes from Black Hat Briefings (USA) 2011, held at Caesar's Palace in Las Vegas, Nevada.

Mudge of DARPA

"Mudge of DARPA" sounds like the name of a character out of World of Warcraft, or some other massively multiplayer online role-playing game (MMORPG). But no; and although in the case of this analogy truth is not stranger than fiction, it was indeed remarkable to see Peiter "Mudge" Zatko, legendary denizen of the L0pht, author of L0phtCrack, and founder of @Stake, truly one of the iconic figures of the cyber security counter culture, keynoting at Black Hat 2011 in his new role as Program Manager at the Defense Advanced Research Projects Agency (yes, DARPA).

In his talk, Mudge offered glimpses into two of his initiatives: Analytic Framework for Cyber Security and Cyber Fast Track.

Touching on the Analytic Framework for Cyber Security, Mudge remarked, "Think of the cold war, and spending, right now we're looking pretty much like Russia."

Using a few fascinating graphs and charts, Mudge illuminated some of the fundamental flaws in established approaches. For example, one of his charts, titled "We are Divergent with the Threat," compared average lines of code over a fifteen year period from 1985 to 2010: security software (currently at ten million lines) versus average lines of code in malware (holding consistently at one hundred twenty five lines of code).

The second of these two initiatives, the Cyber Security Fast Track (DARPA-RA-11-52), had just gone live.

According to Mudge, a single government cyber security project typically takes eighty-one months to reach completion.
"Six years. The threat landscape will be different by then. So rather than run one program for six years let's run hundreds with maker spaces and boutique security firms ... Small groups of motivated and like-minded researchers have repeatedly shown significant talent and capabilities."

He hopes to reach such entities with a streamlined funding application and approval process, vetted by four compatriots belonging to that same cyber security counter culture from which Mudge emerged.

"This relationship needs to be mutually beneficial. DARPA intends to cultivate relations and become a resource."

I do not know how the tale of Mudge of DARPA will end; but somehow it feels right to me that he's there, and I hope it leads to genuine breakthroughs. But I assure you, after twenty years in the wilderness that is cyber security, I could only be pleasantly surprised.


100% Out of Sync

In a panel discussion entitled Trillions of Lines of Code and Counting - Securing Applications At Scale, Jeremiah Grossman, founder and CTO of WhiteHat Security, offered some insightful perspectives that echoed the kind of critical thinking Mudge had been advancing when talking about developing his Analytical Framework earlier in the day.

Grossman's views are worthy of attention. His street cred? WhiteHat performs weekly vulnerability assessments on four thousand high profile sites (e.g., banks, insurance companies, healthcare providers, retailers, etc.); seven out of ten of those sites have serious vulnerabilities (i.e., the kind that would enable attackers to access customer information, hack users' accounts, or perform other headline-grabbing misdeeds).

"Whenever we discuss the software security problem, it is inevitably said that what we need to do is train developers to secure code, and it is difficult to argue against that position, especially in regard to people going through college and graduate school programs. But meanwhile there are seventeen million active developers, my guess is that less than one percent of them have formal software security training. How do you give remedial training to seventeen million developers? We don’t even have anywhere near the number of instructors that would be required. Computer-based training would be the only viable solution."

But according to Grossman, the loudly trumpeted issue of training developers hides a different problem, that is just as systemic and at least as damning.

"If you look at IT budgets, businesses invest in the network, host and application layers. Generally, organizations spend the least on routers and switches, and spend a little more on servers, desktops, commercial software, etc. But they spend the most on their own applications; they have legions of developers writing code. It is said that one of the major financial institutions has three developers for every banker. So that's where the business is investing. Now InfoSec likes to say it practices risk management aligned with business. And yet, where does InfoSec spend its money? It spends the most on firewalls and IDS, to protect what the business spends the least in building, followed by anti-virus and patch management to protect the host, but very little protecting the apps where the business is spending the most. The way we do InfoSec budgeting doesn't work. Congratulations, InfoSec, you are 100% out of sync!"


In the Age of Augmented Reality, the Ultimate "Wingman"

CyLab's Alessandro Acquisti broke some of the biggest news at Black Hat Briefings 2011; well, just prior to Black Hat 2011 actually, since The Economist (8-30-11) and the Wall Street Journal (8-1-11) ran exclusives leading up to his conference presentation.

In "Faces Of Facebook-Or, How The Largest Real ID Database In The World Came To Be," Acquisti debuted the results of research conducted with two other Carnegie Mellon researchers, Ralph Gross and Fred Stutzman. This sensational work is a worthy follow-up to the blockbuster study on guessing Social Security numbers that Acquisti and Gross co-authored in 2009.


In the course of three experiments, Acquisti and his research colleagues investigated the "feasibility of combining publicly available online social network data with off-the-shelf face recognition technology for the purpose of large-scale, automated, peer-based ... individual re-identification, online and offline, and 'accretion' and linkage of online, potentially sensitive, data to someone’s face in the offline world."

What does this mean in practical terms? A lot. And in terms of individual privacy, much of it is disconcerting.

Imagine a smartphone app with which a man in a bar could snap a photo of a woman he is talking to and, after a brief search, have access to her dating site info; imagine that at the same moment she is accessing his credit score. Acquisti and a member of his team demonstrated how this would work with a little program amusingly named "Wingman."

The implications are staggering, as Acquisti articulates.

"Is the combination of technologies described [facial recognition and social media applications] going to provide these linkages [all your different, perhaps disguised on-line personas with your actual identity], where we are not simply giving a name to an anonymous face, but we actually blend together on-line and off-line data? ...[Guessing social security numbers] is just one example of what is going to happen, through this blending of on-line and off-line data, this convergence of personal and predictable information - in a way it is written on your face, even if you may not be aware of it. It may democratize surveillance, and I am not saying this in a good sense, I am saying it with concern. We are not talking just about constricted and restrained Web 2.0 applications that are limited to consenting, opt-in users, such as maybe Picasa or currently Facebook tagging. We are talking about a world in which anyone could, in fact, recognize your face and make these inferences, because the data is already out there, it is already publicly available. So what will our privacy mean in this kind of future of augmented reality? We have already created a de-facto Real ID infrastructure ... Nationally, Americans are against Real IDs, but we have already created one for the marketplace."

For better and worse, it will change our world.

"In fact, augmented reality may also carry deep-reaching behavioral implications. Through natural evolution, human beings have evolved mechanisms to assign and manage trust in face-to-face interactions. Will we rely on our instincts, or on our devices, when mobile devices make their own predictions about hidden traits of a person we are looking at?"

For more insights on this important study, you can read my CSO Magazine interview with Acquisti, "Face recognition and social media meet in the shadows". And on Acquisti's own site, you will find an excellent Frequently Asked Questions (FAQ) on the facial recognition study, as well as the draft slides for the Black Hat 2011 presentation.



Google This ...

In "Pulp Google Hacking: Next Generation Search Engine Hacking Arsenal," Fran Brown and Rob Ragan of Stach & Liu, LLC debuted a slew of sophisticated, new tools to optimize the use of Google searches for open source intelligence, including:
  • GoogleCodeSearchDiggity, which identifies vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, etc. (loaded with 40 default searches that identify SQL injection, cross-site scripting, insecure remote and local file includes, hard-coded passwords, etc.)
  • DiggityDLP, which leverages Google and Bing to identify exposures of SSNs, credit card numbers and other sensitive information via common document formats such as .doc, .xls, and .pdf
  • FlashDiggity, which provides automated Google searching, downloading, decompiling and analysis of SWF files to identify Flash vulnerabilities and info disclosures
  • DroidDiggity, a smartphone app that delivers GoogleDiggity and BingDiggity to Android phones.
Here is just one of their numerous (and compelling) examples of such tools' powerful capabilities, and the implications thereof.

"Another interesting one that made the news last week or the week before ... I believe this was released by one of the members of Anonymous ... governmentsecuritybags.com ... this is a web site that sells bags with locks on them that you can use to carry around top secret or classified documents ... this has been removed now ... while they were good enough to remove it, thank you Google for caching it ... This made the news last week, I didn't even notice it until one of our searches with "Blvd" and "75th." So, basically, we are looking at the actual personal information, billing addresses, usernames and passwords that they registered with ... So if you want to go one-stop shopping for the e-mail addresses, passwords, billing addresses ... it even has a picture of the bag they purchased, so you know what to look for ... Here is a list of six hundred or so people you could go after, who are walking around with top secret bags on them."

If intelligence gathering is something required in your work (and at this point, if you are in cyber security and it isn't already part of your skill set, you are way behind the curve), or if you or your organization are a likely target of intelligence gathering, whether corporate, state-sanctioned or lone wolf (and at this point, who or what wouldn't be, from some vector or another), then you ignore the Google Hacking Project at your own risk.



Why is the Water Commissioner's Hair on Fire?

In the developed world, when people turn on the tap, they expect the water to flow; and while they might prefer to drink bottled water, they also expect the tap water to be relatively safe. Of course, although these expectations are based on a lifetime's experience, they are also based on ignorance. Water is one of the most pressing sustainability issues that confronts the human race in the 21st century. Furthermore, the infrastructure that delivers the water to our populations is, in many (if not most) cases, old, deteriorating and vulnerable to both bad actors and bad luck.

Of course, that's not stopping the push toward smart water meter networks; and just as with the similar, albeit much more high-profile, push toward a smart power grid, this push will open new vulnerabilities and aggravate some existing ones.

John McNabb of South Shore PC Services (Boston, MA) has undertaken his own independent research into the potential risks and threats involved. For thirteen years, McNabb served as Water Commissioner for a small local water utility.

Speaking on "Vulnerabilities of Wireless Water Meter Networks" at Black Hat 2011, McNabb shared his insights.

There is a lot at stake and a lot at risk.

"Water is a $400 billion global industry ... Al Qaeda has repeatedly threatened to 'poison' U.S. drinking supplies ... the American Society of Civil Engineers gives the nation’s drinking water infrastructure a D- grade and estimates that an investment of $255 billion is needed to bring the system to needed standards."

Think of a water meter as a cash register, McNabb suggests.

"$40 billion, the annual income of US water utilities, comes mostly from meter information."

Thus, the threats and risks involve not only terrorists or some disgruntled ex-worker bent on sabotage, but also common criminality (yes, the kind of criminality that always rises in times of great economic hardship).

According to McNabb, theft through meter tampering is not only a big issue for energy suppliers ("electric utilities assume 10% loss each year from theft"), it is also an issue for water utilities ("Theft of water by tampering with or bypassing water meters costs BWSC [Boston] thousands of dollars a year & ... imposes costs on every paying customer.").

There should be plenty of opportunity for everyone.

"The U.S. advanced metering infrastructure (AMI) market (electricity+gas+water) will grow from $2.54 billion in 2010 to $5.82 billion in 2015, an 18% compound annual growth rate." Although most US water meters are still read manually (only 28% have Automatic Meter Reading [AMR] meters), "the worldwide installed base of smart water meters is expected to increase from 5.2 million in 2009 to 31.8 million by 2016."

Today, McNabb continued, much of the data collection, even with smart meters, is done by walk-by and drive-by; but, of course, the fixed network is where it is all going.

"This takes the full capabilities of the wireless water meter and enables it to become a sensor network for the water utility that can allow almost continuous water usage readings (usually every 5-15 minutes). In the fixed network the signals from the single meter are transmitted and then collected in a central receiving station, if close enough, or to repeaters and then to the central receiving station. In most cases a star topology is used, but in some implementations a mesh topology is used so each meter can act as a repeater for any others within range."

McNabb cites numerous vulnerabilities in wireless water meters, ranging from design (e.g., low on-board memory) to lack of security awareness ("Badger gives out its default network username, password and wireless key on web site") to no encryption (even though "more of them are coming out with encryption now").

"Water meters are an integral component of the national drinking water infrastructure," McNabb concluded. "Tampering with water meters, either mechanically or electronically, costs money for local water systems. Wireless water meters need to be better secured to prevent potential financial loss to water suppliers and to reduce potential security vulnerability to the water system."

Hopefully, his quest will prove to be more than quixotic.

After all, there is the Maroochie incident, as McNabb reminded us in his presentation.

"The Maroochie incident in 2000, when a disgruntled former contractor used inside info to release 800,000 liters of sewage into the environment, using wireless network communications from his laptop, is an example of how insider threat could impact a wireless sensor network."

Related Posts

BlackHat USA 2010: How to Turn ATMs Into Jackpotted Slots, Basejump the GSM, Lift Malware Developer's Fingerprints & Face Our Existential Dilemma

From Parking Meters to the Cloud, from SMS to Smart Grids ... Is Everything Broken? -- Report from Black Hat Briefings (Las Vegas 2009)

Thursday, July 28, 2011

SOUPS 2011 Advances Vital Exploration of Usability and Its Role in Strengthening Privacy and Security


The seventh annual Symposium On Usable Privacy and Security (SOUPS) was held in Pittsburgh, PA, July 20 through July 23, 2011. SOUPS is an annual event that has evolved out of the work of the CyLab Usable Privacy and Security (CUPS) Lab. This year's SOUPS sessions ranged from Security Warnings and Authentication to Privacy on Social Networks and Perceptions of Privacy and Security. It also included a day of tutorials and workshops, such as Usable Security Indicator Conventions and Experiment Design and Quantitative Methods for Usable Security Research.

The papers presented ranged from Using Data Type Based Security Alert Dialogs to Raise Online Security Awareness, presented by the University of Munich, and Breaking Undercover: Exploiting Design Flaws and Nonuniform Human Behavior, presented by researchers from the National University of Science and Technology (Pakistan) and the University of Split (Croatia), to "I regretted the minute I pressed share": A Qualitative Study of Regrets on Facebook, presented by Carnegie Mellon University researchers, and Indirect Content Privacy Surveys: Measuring Privacy Without Asking About It, presented by Google researchers.

Embedded below is a video of a panel on The Battle Over Behavioral Advertising Choice Mechanisms. (For more videos of CyLab seminars and conferences, visit our You Tube Channel.)

Dr. Lorrie Cranor, Director of CUPS, is the panel moderator. Panel participants included Alan Chapell (BlueKai), Manoj Hastak (American University), Aleecia McDonald (Carnegie Mellon CyLab), Brendan Riordan-Butterworth, and Harlan Yu (Princeton University).

The Battle Over Behavioral Advertising Choice Mechanisms (SOUPS 2011 panel)


For the full agenda and links to all the papers presented, visit SOUPS 2011.

For more information on CyLab's ongoing research into Usable Privacy and Security, visit CUPS.

See Also

SOUPS 2010: Insight into Usable Privacy & Security Deepens at 6th Annual Symposium

Reflections on SOUPS 2009: Between Worlds, Cultivating Superior Cleverness, Awaiting a Shift in Consciousness

Glimpses into the Fourth Annual Symposium on Usable Security and Privacy (SOUPS 2008)

For information on other aspects of CyLab's vital work, visit
http://www.cylab.cmu.edu/

Saturday, June 4, 2011

CyLab, CERIAS and CSAIL join Northrop Grumman for Cybersecurity Research Consortium Update

Photo Credits: Northrop Grumman

Northrop Grumman Corporation and three of the world's leading cybersecurity academic research programs, Carnegie Mellon University CyLab, Massachusetts Institute of Technology (MIT) CSAIL and Purdue University CERIAS, came together recently for a briefing on the work of the Northrop Grumman Cybersecurity Research Consortium.

The briefing and panel discussion was held in the Edward R. Murrow Room at the National Press Club in Washington, D.C.

Northrop Grumman's vice president and chief technology officer, Dr. Robert Brammer, was joined on the panel by Eugene H. Spafford, executive director of Purdue's CERIAS, Professor Ronald L. Rivest, lead of MIT CSAIL and Richard Power, Distinguished Fellow at Carnegie Mellon CyLab.



Here are some excerpts from the Northrop Grumman press release, followed by a link to the full text.

As part of the Northrop Grumman Cybersecurity Research Consortium, this unique industry/academia partnership set out in December 2009 to advance research, facilitate collaboration among the nation's top scientists and accelerate solutions to counter the fast-changing cyber threats. ...

Representatives highlighted progress in several key areas including large-scale information systems operations, where the consortium has developed approaches to improve the security of cloud computing. The Consortium has also developed new approaches for organizing and evaluating experiments performed on cyber test ranges. This approach will allow customers to better evaluate large-scale cyber attack and defense strategies in a cost-effective manner.

"The Consortium has also developed automatic techniques to analyze computer software designs to look for potential cybersecurity vulnerabilities," added Brammer. "If successful on a large-scale, these techniques will significantly improve software security for customers while reducing the time and cost it takes to develop, certify and accredit these systems for government operations." ...

"Cybersecurity is vital to economic prosperity, personal privacy and national security; and academic research is vital to the advancement of cybersecurity," said Richard Power, Distinguished Fellow and Director of Strategic Communications for Carnegie Mellon CyLab. "The Northrop Grumman Cybersecurity Research Consortium provides us with a new research model, emphasizing technology transition. This process of transitioning academic innovation to industry delivers social value, for example creating jobs, spurring further innovation and of course, enhancing cybersecurity."

"The Cybersecurity Research Consortium, led by Northrop Grumman, plays a very important role in fostering the development of new security technologies in academia and facilitating their transition to real-world use," said Professor Ronald L. Rivest, lead of MIT's CSAIL. "We believe that such industry/academic collaboration is essential for successful action against the increasingly serious and effective cyber-attacks we are witnessing today."

"The Cybersecurity Research Consortium has proven to be a wonderful initiative," said Eugene H. Spafford, executive director of Purdue's CERIAS. "For more than two decades, Purdue has been leading research and education in information security. Our mission has been to build collaborative relationships with industry, government and other academic entities to advance the state of information assurance, security and privacy. Northrop Grumman has been our partner in these efforts for many years. This consortium has enabled us to work even more closely with them, as well as with a few of our academic peers, on solutions to current and future threats to cybersecurity. We are pleased to be part of this on-going, vital partnership devoted to advancing the states of knowledge and practice in cybersecurity."

Full Text of Northrop Grumman Press Release



Here are some links to media coverage of the event:

Cybersecurity Research Consortium: New Tech on the Way, PC World, 6-1-11

Northrop Grumman and Academia Cite Progress in Tackling Nation's Most Pressing Cybersecurity Threats, Market Watch, 6-1-11

New recovery system restores virus-infected computers, could be used by agencies, NextGov, 6-1-11

University projects to secure cyberspace could soon bear fruit; Five-year program funded by Northrop Grumman researching new technologies, GCN, 6-1-11

Northrop Grumman, Academic Partners Tout Progress In Cyber Security Research, Defense Daily, 6-2-11

See Also

Report from the Launch of the Northrop Grumman Cybersecurity Research Consortium

Tuesday, May 24, 2011

CyLab Researchers Analyze Trends in McAfee Mobility and Security Report


“Mobility and Security: Dazzling Opportunities, Profound Challenges” is McAfee's first comprehensive report on the security of mobile devices in businesses worldwide. In collaboration with Carnegie Mellon University CyLab, McAfee took a hard look at the topic of mobile security and the consumerization of IT. The global report explores issues in mobility and security from two perspectives: that of the company's senior IT professional and that of the general end users of mobile devices in the workplace. The findings indicate that while an increasing number of consumers use mobile devices for both business and personal activities, large numbers are not familiar with their employer's corporate policy on the use of mobile devices.

Written by Richard Power, CyLab Distinguished Fellow, the report features the commentary of seven CyLab researchers.

The online surveys were administered by international research firm Vanson Bourne. More than 1500 respondents from 14 countries, including Australia, Brazil, Canada, China, France, Germany, India, Japan, Mexico, the Netherlands, Spain, Switzerland, the U.K., and the U.S., participated in the survey.

Key findings in the mobile report:

  • Almost seven in 10 organizations are more reliant on mobile devices than they were 12 months ago
  • Sixty-three percent of devices on the network are also used for personal activities
  • Four in 10 organizations have had mobile devices lost or stolen and half of lost/stolen devices contain business critical data
  • More than a third of mobile device losses have had a financial impact on the organization
  • Fewer than half of device users back up their mobile data more frequently than on a weekly basis
  • About half of device users keep passwords, pin codes or credit card details on their mobile devices
  • One in three users keep sensitive work-related information on their mobile devices
  • Ninety-five percent of organizations have policies in place in regard to mobile devices
  • Only one in three employees are very aware of their company’s mobile security policies

Key trends in the mobile report:

  • Consumerization of IT is here.
  • An increasing number of consumers use mobile devices for both business and personal activities.
  • There is a serious disconnect between businesses and mobile users. While an increasing number of consumers use mobile devices for both business and personal activities, large numbers are not familiar with their employer’s corporate policy on the use of mobile devices.
  • Loss or theft of a device is the biggest concern of both users and IT directors.
  • Lost and stolen mobile devices are seen as the greatest security concern in the mobile computing environment.

Friday, April 1, 2011

Child Identity Theft; A Lot of Questions Need to Be Answered, But the Most Important One is "Has It Happened to Your Child?"


By Richard Power

Wouldn't you want to know if your eight-year-old was in foreclosure on a home in another state? Wouldn't you want to know if your three-year-old was in collection for a huge utility bill across town? Wouldn't you want to know if someone somewhere had a hunting license in the name of your five-year-old? Wouldn't you want to know that your nine-year-old had a driver's license and a car registered in his or her name? Wouldn't you rather find out now than when he or she is applying for student loans on the eve of going away to college?

Late last year, knowing of CyLab's vital work in privacy and cyber security research, an identity protection company (AllClear ID, a.k.a. Debix) approached me about some data with disturbing implications. The story that jumps out from the numbers is a compelling one. It suggests that not only are child identities exploited for various types of fraud; indeed, child identities may be the hottest ticket in the underground market for stolen IDs.

In going through the data, two over-arching themes emerged:

1. The issues surrounding child identity theft (e.g., how prevalent is it in the general population, and is the threat a growing one) should be the subject of serious academic research; time and resources should be dedicated to a scientific analysis of this and similar data, to determine what it really means, and whether the trends that seem to present themselves hold up under rigorous investigation.

2. Regardless of what the results of such serious scientific research prove, an existential threat exists, one that is tangible and immediate for children and their parents. Child IDs are being stolen and exploited to commit fraud, etc. If it happens to your child, it won't matter to you what the national average is, or whether the problem is trending up or down.

While privacy and security researchers explore the data's broader implications from academic and scientific perspectives, as a journalist I could certainly tell the simple story of what this data reveals in and of itself.

As someone who has studied the evolution of cyber crime over the last two decades, I could certainly address the existential threat and contribute to raising the level of public awareness.

And that's the origin of "Child Identity Theft: New Evidence Indicates Identity Thieves are Targeting Children for Unused Social Security Numbers."

To download the full report ...

Expert Perspectives

CyLab researcher Alessandro Acquisti, co-author of the blockbuster paper, Predicting Social Security Numbers from Public Data (Proceedings of the National Academy of Sciences, July 7, 2009), remarks that there is other evidence that child identity theft is an issue that demands further study.

"In our investigation of the predictability of Social Security numbers we found evidence of two trends that, combined, are particularly worrisome: criminals are increasingly targeting minors' (even infants') SSNs for identity theft, and the SSNs of younger US residents are much easier to predict than the SSNs of those born before the 1990s. Ultimately, this reminds us that our current identity-verification infrastructure is flawed and vulnerable, as it relies on authentication of numbers too widely available and too easy to compromise."

Dena Haritos Tsamitis, CyLab's Director of Education, Training and Outreach, and the developer of Carnegie Mellon University's www.MySecureCyberspace.com, a free educational resource on cyber security and privacy for children and their parents, concurs on the need for raising public awareness.

"With increased cyber-awareness, individuals are seeking ways to secure their personal financial information more than ever before. Based on this report, it's clear they need to go further and extend that protection for their children. Parents are already struggling to handle the threats of cyberspace, including securing their own computers and talking with their children about the many risks in cyberspace from online predators to cyber-bullying. The trend in child identity theft is added weight on their shoulders. Although it will be a challenge for them to manage, it is essential to safeguarding their children's futures."

Christopher Burgess, my co-author on Secrets Stolen/Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century, is also an online safety advocate (www.burgessct.com), with a particular focus on issues related to children on-line. I asked him to take a look at the report.

"The responsibility for the online safety and security of our families lies with the individual family. One should not expect anyone to have as vested an interest in the protection of your family's data at a greater level than you. The malevolent criminal entity is attempting to monetize based on the availability of information. I've long advocated to teach our young that the internet is a reception device, and sharing of information, to include registration data, should only be accomplished under the supervision of their parent. While online entities are required to acquire an attestation of age from their registrants in the United States, it does not require a provision of specific birth date. Too many overlook the ability of information aggregators to compile a complete profile based on disparate pieces of information, and with the collated data set subsequently compromise the identity of the individual. Additionally, how many different forms does a parent fill out for their child - any number of which could be compromised by an attack on the host - take for example the number of data breaches which occur at educational institutes - this data may be warehoused and bartered by the criminal elements for future aggregation. This data can and does provide the 'root' upon which to build the 'persona' at the level required to financially manipulate and thus commit identity theft fraud."

Looking into the all-too-near future, Burgess sees even more serious issues stemming from such identity theft.

"The theft of our children's identities for manipulation in the financial world is tragic, but think of the tragedy which could occur when the identity theft is focused on medical identity. What effect would a change in blood type in the hospital's file have on a child with A+ blood being provided B+, because someone had stolen their medical identity in order to obtain medical services? As the costs of medical services become more dear, and the number of uninsured increases, the theft of identities for the purposes of obtaining medical care will increase. Unlike the monetary disruption which occurs with financial identity theft, the theft of one's identity could have mortal consequences. The topic of medical identity theft is an area requiring further investigation."