CyLab researchers quoted in NYT
The New York Times
CyLab's Marios Savvides, Lujo Bauer, Jason Hong, Kathleen Carley, Martin Carlisle, and Carolina Zarate were featured in a New York Times piece about various ongoing research thrusts in CyLab to help combat cyberattacks. “More than 300 researchers and graduate students are working or studying at CyLab this year, making it among the largest cybersecurity training centers in the world,” the article says.
Libert comments on health privacy
Australian Broadcasting Corporation
CyLab’s Tim Libert was recently interviewed by the Australian Broadcasting Corporation on health privacy. Many search engines and websites share users’ browsing data, something Libert says companies primarily use for advertising purposes. However, Libert thinks that tracking health data could lead to a “shadow form of discrimination,” causing people with certain browsing data to have problems applying for jobs, bank loans, or insurance.
Rowe discusses FCC's proposed plans to quicken Wi-Fi
The Federal Communications Commission (FCC) has announced potential plans to make a new part of the wireless spectrum available to Wi-Fi devices. According to ECE’s Anthony Rowe, this change—which would allow devices to access the 6 gigahertz (GHz) region in addition to the 2.4 and 5 GHz regions already available—would provide faster Wi-Fi, nearly tripling the available bandwidth. If pursued, this plan would ultimately quicken download and upload speeds, especially for users in crowded public places where everyone is trying to use the same network.
Savvides comments on biometrics in airports
Popular Science quoted CyLab/ECE’s Marios Savvides in an article on biometric tech in airports. The article states that TSA plans to incorporate more biometrics, such as facial recognition, to streamline airport security. There is a negative stigma against biometrics, but Savvides says that we are already “ok with computer systems recognizing who we are by using their sensors.” Savvides approves of TSA’s plans, saying that a streamlining tool is “what biometrics was always meant to be.”
WIRED interviewed CyLab’s Vipul Goyal about HTC’s new “blockchain phone,” which, though a commercial product, acts more as an experimental prototype to explore the future of blockchain technology on phone security. “A private key protected by special hardware architecture and OS interface can be far more secure than one stored by a wallet app downloaded from an app store,” said Goyal, who also added that another advantage of blockchain phones is battery efficiency.
Savvides voices support for TSA biometrics
The TSA announced a plan to increase its use of biometrics, such as facial recognition, to streamline the airport security process. ECE/CyLab’s Marios Savvides voiced his support, stating that automated facial recognition is similar to human judgement and the public is prepared for its implementation. Improving processes such as air travel “is what biometrics was always meant to be,” Savvides says.
ECE’s Giulia Fanti, along with researchers from MIT and the University of Illinois, developed a privacy protocol that has been implemented by the cryptocurrency Zcoin. The protocol, called Dandelion++, bounces transactions to a random location before they propagate across the network, thereby preventing malicious agents from finding users’ IP addresses.
Yang comments on hacking risks of GDPR
Due to the EU’s General Data Protection Regulation (GDPR), large tech companies are installing features that allow users to download their personal data. CyLab’s Jean Yang comments that these features give hackers access to more detailed information than ever before. “There’s more at stake when hackers get into accounts because they can now request all of your data, or they can request to delete your data,” Yang says.
Cranor part of larger password debate stoked by Kanye West’s lock code
The Washington Post
CyLab/EPP’s Lorrie Cranor was recently involved in a discussion on password security in The Washington Post, prompted by the recent on-air discovery that Kanye West’s phone password is “000000.” Experts differ in opinion on the matter, with some blaming users for the prevalence of such weak passwords, while others place responsibility more on companies for putting too much of the security burden on the user. “The notion that people could actually follow all the password rules we’re given is ludicrous,” says Cranor.
At the IEEE Cybersecurity Development Conference, ECE/CyLab’s Lujo Bauer, EPP/CyLab’s Nicolas Christin, and EPP/CyLab’s Lorrie Cranor received the IEEE Cybersecurity Award for Practice for their research on how to make passwords easier for users but harder for hackers to guess.
Cranor comments on password security
The New York Times
The New York Times quoted CyLab/EPP’s Lorrie Cranor in an article about major credit reporting bureaus changing their approaches to security credit freezes. Instead of using easily-lost personal identification numbers, or PINs, customers of certain companies can now use passwords. Cranor says passwords are harder to guess, but no system is perfect. Instead of reusing old passwords, Cranor recommends using password-generating software to create random, more secure passwords.
Sekar on ransomware attacks and cybersecurity
ECE/CyLab’s Vyas Sekar was interviewed about the March 2017 ransomware attack on the Pennsylvania Senate Democratic Caucus. It was recently revealed that the attack cost the caucus $703,697. Attacks from hackers are increasingly common among public sector agencies and businesses, which are faced with the choice to pay the ransom or not. “There is a possibility that paying the ransom is the cheaper option, but the FBI says it sets a bad precedent for future incidents, and you are more likely to be attacked again. And if you already have a ransomware strategy and recovery mechanism in place, the cost of repair might not be that high,” Sekar said.
McDonald interviewed about California’s new privacy law
The Chicago Tribune interviewed CMU-SV’s Aleecia McDonald about California’s new internet privacy law. McDonald says, “Consumers will…have the right to know when their personal information is being sold to a third party…and to opt out of that sale.” She thinks it is “entirely plausible” that other states will adopt a similar law and consumers everywhere might start to see buttons on sites allowing them to opt out of their personal data being sold.
CyLab partners with Infineon on IoT security
CMU’s CyLab Security and Privacy Institute is partnering with Infineon on a new IoT initiative. The groups will work together to create new privacy and security solutions for IoT users, focusing on large, city-scale IoT ecosystems. The collaborative Security Research Group will also test prototypes in a living lab to ensure effectiveness and applicability.
CyLab/ECE’s Vyas Sekar and Anthony Rowe will co-direct the Secure and Private Internet of Things Initiative, recently launched by CyLab. They will work on this initiative with CMU faculty and students, Amazon Web Services, Infineon Technologies, and Nokia Bell Labs. They aim to make the Internet of Things more secure by developing hardware and software that address speed, cost, safety, reliability, privacy, and more. The work created through this initiative will be released under permissive open-source licenses.
Carnegie Mellon researchers fooled AI facial recognition system
The Wall Street Journal
AI systems can outperform people in an increasing number of ways, but they still make obvious mistakes. In an article about AI’s future, The Wall Street Journal referenced Carnegie Mellon researchers who have figured out how to fool an AI facial recognition system with specifically designed eyeglass frames. By wearing the eyeglasses, a male researcher consistently tricked the system into thinking he was actress Milla Jovovich.
Cranor comments on arrest of SIM hacker
CyLab/EPP’s Lorrie Cranor spoke with Mercury News in a story on one of the first successful arrests in the U.S. of a SIM hacker. While authorities were able to track down the hacker responsible for millions in theft, cases of SIM hacking have often left victims and local law enforcement with few ways to respond. “Right now when you’re a victim, in most cases when you go to local law enforcement, they’re not going to do much for you,” said Cranor. “Maybe if there’s a physical store where the SIM swapping is happening, but short of that, they don’t seem to get involved.”
Diller, Krishnan, and Thomas awarded 2018 Innovation Fellowship
Swartz Center for Entrepreneurship
Three members of the College of Engineering were named 2018 Innovation Fellows by the Swartz Center for Entrepreneurship. Stuart Diller (MechE Ph.D. candidate) was chosen for his work developing new actuator hardware and control algorithms to make robots more dynamic, safe, and energy-efficient. Ashwati Krishnan (ECE postdoctoral researcher) received the fellowship for her work on the instrumentation and hardware development of ultra-high density electroencephalography (EEG). Jeremy Thomas (CyLab software engineer) was selected for his efforts to develop a continuous monitoring software system to collect data from online anonymous marketplaces throughout the "dark web" and other various “surface” web platforms.
Cranor comments on GPS tracking teens
The New York Times
The New York Times quoted CyLab/EPP’s Lorrie Cranor on the ethics of parents tracking their teenagers through GPS. Though only a quarter of parents track their kids’ movements via their smartphones, the availability of GPS-tracking offers a tool for remote parental monitoring. Cranor decided against tracking her two teens, citing a common concern that she didn’t want her kids to feel that she constantly followed them. This mirrors research concluding that overt monitoring damages trust in parent-child relationships.
Cranor quoted by NYT on parents’ GPS tracking of their children
The New York Times
CyLab/EPP’s Lorrie Cranor was recently quoted by The New York Times for her take as a parent on tracking teens’ locations via GPS. Cranor admits that, as a parent, it’s tempting to track a child’s location to ensure that they’re safe. However, she personally does not do so, out of fear that her own children would “feel like their parents are following them around all the time.”
McDonald discusses data privacy and the California Consumer Privacy Act
Capital Public Radio
INI’s Aleecia McDonald gave an in-depth look at data privacy and California’s new Consumer Privacy Act. “In the U.S., it’s really been the wild west for a really long time,” said McDonald on regulation. The California act now represents the most comprehensive attempt by any state to regulate data privacy and could soon be followed by similar regulations by other states or—less likely—the federal government.
Internet bots have developed a bad reputation for their role in Russia’s influence over the 2016 presidential election, but they remain necessary for research on online discrimination. A Carnegie Mellon University study used bots to analyze the variation in advertisements between men and women. The study found that Google ads treated men and women differently, but “we can’t be 100 percent sure why it happened,” said ECE’s Anupam Datta, one of the study’s authors, in Politico. Though social media companies are increasingly regulating “fake” accounts, they continue to be crucial for internet research.
CNBC interviewed ECE/CyLab’s Vyas Sekar on the myths about cybersecurity employment. Over the next three years, three and a half million cybersecurity jobs worldwide will go unfilled due to a skills gap. Sekar emphasizes that those with analytical skill sets can excel in the cybersecurity field, since the jobs often require experience in solving puzzles, quantifying risks, and strategizing through communication.
Carley detects malicious social media bots
CyLab’s Kathleen Carley and her team are identifying and studying the behavior of malicious Twitter bots. Bots, found on almost all social media platforms, are automated accounts that generate and spread targeted messages. They can influence opinions, spread rumors, and even spark real world violence. Carley hopes to detect and terminate them with the help of machine learning, creating a more honest online environment.
Datta on discriminatory algorithms
Techfestival reported on ECE’s Anupam Datta’s research illuminating discriminatory biases in algorithms. He has shown that the predictive algorithms used by Google ads display prestigious job opportunities six times more to men than women. These algorithms determine the ads shown to internet users based on race and gender, which can limit certain users in job searches.
CMU’s competitive hacking team, the Plaid Parliament of Pwning (PPP), claimed second place at the annual DEFCON hacking competition. In the past six years, PPP has received second place twice and won the competition four times. This year’s theme, capture the flag, asked competitors to break into other teams’ servers while also defending their own, a task applicable to real life security issues.
Cranor examines Google’s Titan Security Key
CyLab/EPP’s Lorrie Cranor spoke with Popular Science about a new product from Google that will enable two-factor authentication using a physical passkey. The Titan Security Key, says Cranor, is much safer and more secure than receiving an SMS verification. However, having a physical key is not without its drawbacks, says Cranor. “I think it’s good for security,” says Cranor, “but it’s not always the most convenient approach. It’s another thing to have to keep track of and manipulate.”
CyLab’s Maggie Oates spent the past few months analyzing 366 illustrations based on the concept of privacy. The illustrations, created by volunteers of all ages and education levels, gave insight into what metaphors people use to understand privacy, from locks to bathrooms to turtles. She and her team presented the study at the Privacy Enhancing Technologies Symposium and received the Andreas Pfitzmann Best Student Paper Award.
Savvides improves AI with Bossa Nova
Bossa Nova recently acquired CyLab/ECE’s Marios Savvides’ AI company HawXeye, and Savvides joined Bossa Nova as their chief AI scientist. Bossa Nova specializes in providing on-shelf product data in retail. The company also partnered with the CyLab Biometrics Center to advance their retail research in AI, analytics, robot perception, and autonomous navigation.
Carnegie Mellon spinoff Hawxeye, co-founded by CyLab/ECE’s Marios Savvides, has been acquired by inventory robot maker Bossa Nova Robotics to improve inventory object detection. Hawxeye’s work in computer vision and facial recognition software will be used to better recognize inventory on store shelves in both large stores like Walmart and smaller ones like CVS and Walgreens. Bossa Nova has also partnered with CyLab, and Savvides was named Bossa Nova’s chief AI scientist.
Tsamitis and Cranor featured on Motherboard
INI Director Dena Haritos Tsamitis and CyLab/EPP’s Lorrie Cranor both appeared in a recent Motherboard article on a new type of hacking called SIM hijacking. By posing as victims or gaining access through a security exploit or an employee, hackers are able to move their victims’ numbers to a new phone, locking them out and gaining access to accounts tied to their phone number. “The carriers are clearly not doing enough,” says Cranor. “They tell me that they're increasing what they're doing, and that maybe what happened to me wouldn’t have happened today, but I’m not convinced.”
Gotovchits detects Spectre vulnerabilities
The Register referenced a paper co-authored by CyLab’s Ivan Gotovchits on code that exploits the Spectre flaw in Intel computer chips. Spectre exploits a computer chip’s speculative execution to access unauthorized sensitive information. Gotovchits and his team developed an algorithm called “007” that detects 14 out of the 15 proposed code vulnerabilities related to Spectre. The algorithm could enhance understanding of how to patch the Spectre vulnerabilities.
Former Carnegie Mellon Professor Chenxi Wang is at the steering wheel of a new cybersecurity venture capital fund called Rain Capital. Wang spent five years teaching cybersecurity at Carnegie Mellon before holding vice president positions at CipherCloud, Intel Security, and Forrester Research. Wang hopes to use her position to enable greater diversity and more entrepreneurial opportunities for women within the male-dominated cybersecurity industry.
McDonald quoted on California’s digital privacy law
The New York Times
CMU-SV/INI’s Aleecia McDonald was quoted about California’s newly passed digital privacy law, which gives consumers the right to know what information companies are collecting about them, why they are collecting it, and with whom they are sharing it. The law also paves a smoother way for consumers to take action against companies over a data breach. “It’s a step forward, and it should be appreciated as a step forward when it’s been a long time since there were any steps,” said McDonald, who also explained that the law is one of the most detailed and regulatory in the United States.
Cranor quoted on Facebook privacy settings
CyLab/EPP’s Lorrie Cranor was interviewed as a digital design privacy expert about a study on Facebook’s lingering privacy concerns following the Cambridge Analytica data scandal. According to the report, the social media company’s privacy settings continue to maximize data collection over user privacy and user-friendly consumption. “Facebook has a lot of privacy controls, and they’re not organized in a way that’s easy to find,” says Cranor.
CMU-Africa Professor Martin Saint teaches a course about the technology behind and importance of blockchain. The course instructs students about blockchain cryptography, networks, applications, and regulatory environments. Saint is especially proud of the students who have applied their knowledge beyond the course and have gone to receive seed funding and pilot lending platforms founded on blockchain technologies.
Sadeh unconvinced by Facebook’s new privacy measures
The New York Times
Public trust in Facebook continues to erode as the company apologizes for a bug that affected the privacy settings of as many as 14 million users. CyLab’s Norman Sadeh spoke with The New York Times about how recent successive privacy incidents have hurt the company. While the company has revamped its privacy controls, Sadeh says the changes are still confusing and recommends that “people should probably refrain from sharing too much sensitive information with these platforms.”
Telang in Popular Mechanics on Facebook ad targeting
Popular Mechanics interviewed CyLab’s Rahul Telang on whom Facebook reaps advertising revenue from. Telang says that Facebook tends to promote ads to users who appear educated and wealthy. Facebook also targets ads to users experiencing momentous life changes, such as a home purchase or marriage.
Co.Design reported that ECE’s Yang Gao and Wenbo Zhao have researched how to detect occupants in a room by their breathing. The researchers investigated the personal and unique sounds produced during intra-speech inhalation, which they used to identify occupants in a room with 91.3% accuracy.
Datta quoted on privacy and encryption
Scientific American quoted ECE’s Anupam Datta on privacy and encryption issues with AI assistants. Companies like Apple and Google safeguard against privacy breaches by using multiple protective methods, such as local differential privacy. This translates to adding carefully calibrated noise to mined data, Datta says. But he warns that local differential privacy doesn’t entail complete privacy. “It’s a relative guarantee, not an absolute one.”
Hong quoted on privacy in apps
The Chicago Tribune interviewed CyLab’s Jason Hong on ensuring privacy on apps. Smartphone apps collect user data in many ways. A huge issue is third-party advertising libraries. Hong describes these libraries as scaffolding that developers use to create and gain revenue from apps. These libraries are intrusive because they prevent an app’s function if they don’t receive personal user data, which is then sold to advertisers. Hong offered some consumer precautions, such as waiting to see if an app causes privacy issues or paying for an app.
Jun Han pairs IoT devices by sensors
Electrical and Computer Engineering
CyLab’s Jun Han discussed how IoT devices could pair by detecting the same stimuli. Many IoT devices present integration challenges, since many lack interfaces to coordinate pairing. Han instead teaches devices to pair when they sense the same events. If both devices verify sensing a door opening, they can autonomously pair. Han also demonstrated that the system resists hacking, since a hacker cannot perfectly replicate the data a device receives from its environment.
Cranor sees change as GDPR nears implementation
The Washington Post
CyLab/EPP’s Lorrie Cranor spoke with The Washington Post about how many companies worldwide are scrambling to conform to the European Union’s new General Data Protection Regulation (GDPR). “The companies are realizing that it is not enough to get people to just click through,” says Cranor. “That they need to communicate so that people are not surprised when they find out what they consented to.” She attributes public outrage over data privacy to incidents such as the use of Facebook user data by Cambridge Analytica, which has led many consumers to feel they are signing away their rights.
Criminals known as “typosquatters” continue to grow in prevalence, using people’s common spelling mistakes (such as typing “.cm” instead of “.com”) to take them to fake websites, exposing them to cyber-attacks. “It’s low cost and high reward. And it does not require any technical expertise whatsoever,” says CyLab/EPP’s Nicolas Christin. “All you need to do is register the domain name that you’re targeting. For any given domain name there are a number of typos that are easy to derive from it.”
Cranor talks password protection with WSJ
The Wall Street Journal
CyLab/EPP’s Lorrie Cranor spoke to The Wall Street Journal on the increasing difficulty of remembering and securing an ever-growing list of passwords in the digital age. “As long as you’re using one of the well-known, reputable password managers, you are better off than using a smaller number of passwords everywhere,” advises Cranor. Password managers, although not without their own weaknesses, have emerged as an effective means of strengthening and protecting the laundry list of passwords most adults use on a daily basis.
Parno quoted by WSJ on Intel chip flaws
The Wall Street Journal
The Wall Street Journal quoted CyLab/ECE’s Bryan Parno about Intel’s Spectre and Meltdown chip flaws. Since the flaws’ discoveries, attention toward hardware hacking seems to have grown. Parno helped organize the IEEE annual security and privacy conference recently held in San Francisco and commented that its rate of papers submitted for computer hardware security jumped 30% from last year. He thinks the jump is caused by the flaw discoveries. Intel has since addressed the flaws with software updates.
With more companies within and outside of Europe feeling the effects of the European Union’s General Data Protection Regulation (GDPR), CSO turned to CyLab/EPP’s Lorrie Cranor for comment. “Even if their primary market isn't Europe, many companies are realizing that they’ll have to make some changes,” says Cranor. “Given the potential penalties, that’s where there is awareness. It’s waking them up.” A string of recent cybersecurity and privacy incidents has brought data security to the forefront as a high priority issue for many corporations.
Robert Xiao, a Ph.D. student in the Human-Computer Interaction Institute at CMU and member of PPP, exposed a major bug in LocationSmart’s phone tracking service. Xiao found that the service’s consent texts, which were supposed to be approved from the phone itself before tracking could be enabled, could be easily bypassed through a simple bug. The bug, which has since resulted in the site being temporarily pulled down, raises questions about the safety and security of allowing phone providers to sell location data to third parties. “The implication of this is that LocationSmart never required consent in the first place,” says Xiao. “There seems to be no security oversight here.”
Telang comments on Los Angeles County information breach
Los Angeles Times
211 LA County, the non-profit agency which handles Los Angeles County’s social services hotline, inadvertently exposed personal information of callers to a potential breach, according to cybersecurity firm UpGuard. As data breaches increasingly threaten average citizens, CyLab’s Rahul Telang speaks to the Los Angeles Times on the difficulties of securing data. “If you are in the business of keeping personally identifying information, you can pretty much be assured that you have a good chance of getting breached," Telang says.
CMU leading efforts to secure the IoT
Carnegie Mellon University is singled out by Ed Tech for leading the GIoTTO initiative, a partnership with Google, Cornell, Stanford, and the University of Illinois at Urbana-Champaign to create a secure open source IoT platform. The team’s ultimate goal is to create a platform that will allow communication between IoT devices regardless of manufacturer. However, the large amount of data collected and the lack of robust security measures make the current IoT vulnerable to security threats.
CyLab report on child identity theft cited
A recent piece from NerdWallet cited a 2011 CyLab study which found that children were 50 times more at risk for identity theft than adults. The article noted that children are especially at risk of synthetic identity theft, an increasingly common form of identity theft in which thieves create an entirely new identity around an existing social security number (usually that of a child) in order to exploit it. The practice of stealing the identity of children has only become easier since the time of the study, due to changes made in the social security number issuance process.
WIRED quoted CyLab/EPP’s Lorrie Cranor about why “dragon” is such a common password. “One of the things we’ve seen is that people tend to create passwords about stuff they like,” says Cranor. She further explains that sites with poor overall security often have weak passwords. “The sites that have the most complicated password policies don’t get leaked as often,” says Cranor. The result is that “dragon” gets leaked more often from sites that don't require users to use things like special characters or numbers.
A team of CyLab researchers investigated CMU faculty and staff’s reception of two-factor authentication (2FA) and reported that 2FA’s implementation was unexpectedly smooth. 2FA is increasingly used for data security and to combat phishing attacks. The researchers found that 2FA is reportedly easy to use, though slightly annoying, and leads users to believe their accounts are safer. The researchers also recommended that dispelling misconceptions about terrible 2FA experiences could influence whether more users adopt 2FA.
Cranor delivers keynote at The Web Conference
The Web Conference
CyLab/EPP’s Lorrie Cranor gave a keynote speech at The Web Conference on April 27. Her keynote concerned web users’ experiences with privacy and security. With a great flurry of regulations and industry efforts to improve online security, the tools given to users often prove difficult to use. Cranor shared her insights into matters of privacy and security through user studies.
CMU-Africa co-hosted a cybersecurity-themed hackathon with Facebook to identify security issues in Rwanda or other African countries. 65 students from many different countries consulted with Facebook engineers while working on projects. Three CMU-Africa students were named winners of the hackathon with their app that combats social engineering. The students were invited to Facebook’s “F8” conference.
PRISM quoted INI Director Dena Haritos Tsamitis in an article on the importance of educating students about cyber security. Since an estimated 3.5 million positions in cyber security will remain unfilled globally by 2021, educators are structuring curricula and educational practices in response. Tsamitis commented on the Information Networking Institute’s superb students and flexible M.S. degrees. “The program teaches principles of building secure systems and incorporates both offensive and defensive security,” Tsamitis said.
Cranor quoted on simple privacy policies
The Washington Post
Cylab/EPP’s Lorrie Cranor was quoted in The Washington Post in an article on the privacy breach in Facebook users’ data by Cambridge Analytica. For privacy policies, their simplicity affects whether social media users understand terms of service. Cranor and her fellow researchers found that participants in a stud