Cylab News

CyLab Experts Discuss "Hacking Comes of Age: Climategate, Cyber-Espionage and iWar," A University Lecture Series Event

posted by Richard Power
March 25, 2010

A testimonial to just how uniquely situated Carnegie Mellon University really is, the event underscored the importance of CyLab's role within the University, cultivating both the human factor and the technological edge.

On March 18, 2010, six distinguished speakers participated in a Carnegie Mellon University Lecture Series (ULS) panel on "Hacking Comes of Age: Climategate, Cyber-Espionage and iWar." The panel explored these issues with uncommon depth and uncommon clarity.

This event was a testimonial to just how uniquely situated Carnegie Mellon University really is to serve as a vital national resource; the event also underscored the importance of CyLab's role within the University, cultivating, as it does, both the human factor and the technological edge. (Indeed, five of the six panel participants have some CyLab affiliation.)

The panel was moderated by Peter Madsen, Distinguished Service Professor for Ethics and Social Responsibility, Office of the Vice Provost for Education and Heinz College, and included Richard Pethia, Director of the CERT Program, Software Engineering Institute Fellow and CyLab Co-Director, Paul Fischbeck, Professor of Social and Decision Sciences and of Engineering and Public Policy, Dawn Cappelli, Senior Member of the Technical Staff in CERT, Software Engineering Institute, Jason Hong, Assistant Professor, School of Computer Science, Human Computer Interaction Institute, and Richard Power, Distinguished Fellow and Director of Strategic Communications, CyLab.

At the opening of the session, panel moderator Peter Madsen, Distinguished Service Professor for Ethics and Social Responsibility, Office of the Vice Provost for Education and Heinz College, provided some background on how the session came about: "It originated with a request from University President Jared Cohon to Dr. Indira Nair, our Vice-Provost of Education, in the wake of the so-called 'Climate Gate' affair. There was a great deal of consternation about the hacking that went on at the University of East Anglia. President Cohon thought it would be appropriate for our community to take a look at the issues surrounding hacking. He must have been prescient, because since then issues have arisen, such as Google alleging that China was hacking its proprietary information, and just the other day, Iran has claimed that the United States, since the days of President George W. Bush, has been running a cyber war attack against it, trying to de-stabilize the country. They made the claim that $400 million dollars was allocated by President Bush for this cyber war ..."

Richard Pethia, Director of the CERT Program, Software Engineering Institute Fellow and CyLab Co-Director, served up "A Brief History of Hacking" (.pdf), from the ARPAnet and Morris Worm attacks in the 1980s, through the rise of an electronic crime infrastructure in the 1990s, to some significant attacks on U.S. Defense Department (DoD) and Defense industrial base computers in recent years. (NOTE: Pethia's remarks begin 00:03:33 into the video recording.)

Next, Paul Fischbeck, Professor of Social and Decision Sciences and of Engineering and Public Policy, spoke on "Climate Gate: A Case of Hacking or Whistleblowing?"

Fischbeck's presentation focused on the inside politics of the climate science dispute that led up to the "Climate Gate" disclosures. In the course of his remarks, he identified the key players, shared insights on the contents of the e-mail, and offered a frame for the ethical and statistical issues behind the dispute.

Fischbeck also articulated some lessons learned for scientific researchers, stressing that the affair will have a "huge impact on science." (NOTE: Fischbeck's remarks start 00:16:16 into the video recording.)

Dawn Cappelli, Senior Member of the Technical Staff in CERT, Software Engineering Institute, spoke on CERT's Insider Threat Research. Offering a high-level overview, Cappelli started off with insights into some actual cases, including the story of a staggering $700 million financial fraud. Cappelli also gave a glimpse into the scope of the data that CERT's Insider Threat Research has collected (including 112 cases of sabotage, 129 cases of financial fraud, 132 cases of espionage, and 62 cases of intellectual property theft), and summarized some best practices. (NOTE: Cappelli's remarks begin 00:29:19 into the video recording.)

CyLab researcher Jason Hong spoke on "Phishing and Espionage" (.pdf). Hong is an Assistant Professor, School of Computer Science, Human Computer Interaction Institute, as well as one of the Co-Founders of Wombat Security Technologies (along with fellow CyLab researchers Lorrie Cranor and Norman Sadeh). In his remarks, Hong outlined the ways in which phishing is increasing in sophistication: e.g., spear-phishing, which targets specific groups or individuals using information about your organization or about you personally, such as fake e-mails from friends or fake videos of you built from publicly available information, all with the intent to install malware or steal your passwords. In regard to what can be done to mitigate this threat, Hong cited a range of solutions, and stressed that all are needed in order to make a significant impact. (NOTE: Jason Hong's remarks begin 00:39:35 into the video recording.)

Richard Power spoke on China's Alleged Hacking on Google (.pdf). To provide some context in regard to China's cyber activities over the last few years, he touched on nineteen open source stories related to economics, politics, intelligence and cybercrime, e.g.:

Global economy

If you read Google's explanation about why it threatened to withdraw from China, you might think it's all about a recent Chinese cyber-attack and Google's anger over being made complicit in the persecution of human rights activists. But cyber experts and China hands alike point to a much broader issue: The Chinese government has adapted the tactics it has used for military cyber espionage for corporate purposes and is now using them on a wide scale. Foreign Policy, 1-14-10

MI5 has accused China of bugging and burgling UK business executives and setting up “honeytraps” in a bid to blackmail them into betraying sensitive commercial secrets … In 2007 Jonathan Evans, the director-general of MI5, had written privately to 300 chief executives of banks and other businesses warning them that their IT systems were under attack from “Chinese state organisations”. Times (London), 1-31-10

(NOTE: Power's remarks begin 00:53:12 into the video recording.)

The presentations were followed up with a lively Q & A with the audience.

Video Recording of ULS Panel: View online | Download

[Viewers will need to have the Windows Media 9 player or higher to view this webcast. Mac users will need to download the flip4mac for QuickTime plugin from Microsoft.]

