Cranor examines Google’s Titan Security Key
CyLab/EPP’s Lorrie Cranor spoke with Popular Science about a new product from Google that will enable two-factor authentication using a physical passkey. The Titan Security Key, says Cranor, is much safer and more secure than receiving an SMS verification. However, having a physical key is not without its drawbacks, says Cranor. “I think it’s good for security,” says Cranor, “but it’s not always the most convenient approach. It’s another thing to have to keep track of and manipulate.”
Savvides improves AI with Bossa Nova
Bossa Nova recently acquired CyLab/ECE’s Marios Savvides’ AI company HawXeye, and Savvides joined Bossa Nova as their chief AI scientist. Bossa Nova specializes in providing on-shelf product data in retail. The company also partnered with the CyLab Biometrics Center to advance their retail research in AI, analytics, robot perception, and autonomous navigation.
Carnegie Mellon spinoff Hawxeye, co-founded by CyLab/ECE’s Marios Savvides, has been acquired by inventory robot maker Bossa Nova Robotics to improve inventory object detection. Hawxeye’s work in computer vision and facial recognition software will be used to better recognize inventory on store shelves in both large stores like Walmart and smaller ones like CVS and Walgreens. Bossa Nova has also partnered with CyLab, and Savvides was named Bossa Nova’s chief AI scientist.
Tsamitis and Cranor featured on Motherboard
INI Director Dena Haritos Tsamitis and CyLab/EPP’sLorrie Cranor both appeared in a recent Motherboard article on a new type of hacking called SIM hijacking. By posing as victims or gaining access through a security exploit or employee, hackers are able to change their victims’ numbers to a new phone, locking them out and gaining access to accounts tied to their phone number. “The carriers are clearly not doing enough,” says Cranor. “They tell me that they're increasing what they're doing, and that maybe what happened to me wouldn’t have happened today, but I’m not convinced.”
Gotovchits detects Spectre vulnerabilities
The Register referenced a paper co-authored by CyLab’s Ivan Gotovchits on code that exploits the Spectre flaw in Intel computer chips. Spectre exploits a computer chip’s decision speculation to access unauthorized sensitive information. Gotovchits and his team developed an algorithm called “007” that detects 14 out of the 15 proposed code vulnerabilities related to Spectre. The algorithm could enhance understanding about how to patch the Spectre vulnerabilities.
Former Carnegie Mellon Professor Chenxi Wang is at the steering wheel of a new cybersecurity venture capital fund called Rain Capital. Wang spent five years teaching cybersecurity at Carnegie Mellon before holding vice president positions at CipherCloud, Intel Security, and Forrester Research. Wang hopes to use her position to enable greater diversity and more entrepreneurial opportunities for women within the male-dominated cybersecurity industry.
McDonald quoted on California’s digital privacy law
The New York Times
CMU-SV/INI’s Aleecia McDonald was quoted about California’s newly passed digital privacy law, which gives consumers the right to know what information companies are collecting about them, why they are collecting it, and with whom they are sharing it. The law also paves a smoother way for consumers companies for a data breach. “It’s a step forward, and it should be appreciated as a step forward when it’s been a long time since there were any steps,” said McDonald, who also explained how the law is one of the most detailed and regulatory in the United States.
Cranor quoted on Facebook privacy settings
CyLab/EPP’s Lorrie Cranor was interviewed as a digital design privacy expert about a study on Facebook’s lingering privacy concerns following the Cambridge Analytica data scandal. According to the report, the social media company’s privacy settings continue to maximize data collection over user privacy and user-friendly consumption. “Facebook has a lot of privacy controls, and they’re not organized in a way that’s easy to find,” says Cranor.
CMU-Africa Professor Martin Saint teaches a course about the technology behind and importance of blockchain. The course instructs students about blockchain cryptography, networks, applications, and regulatory environments. Saint is especially proud of the students who have applied their knowledge beyond the course and have gone to receive seed funding and pilot lending platforms founded on blockchain technologies.
Sadeh unconvinced by Facebook’s new privacy measures
The New York Times
Public trust in Facebook continues to erode as the company apologizes for a bug that affected the privacy settings of as many as 14 million users. CyLab’s Norman Sadeh spoke with The New York Times about how recent successive privacy incidents have hurt the company. While the company has revamped its privacy controls, Sadeh says the changes are still confusing and recommends that “people should probably refrain from sharing too much sensitive information with these platforms.”
Telang in Popular Mechanic on Facebook ad targeting
Popular Mechanics interviewed CyLab’s Rahul Telang on whom Facebook reaps advertising revenue from. Telang says that Facebook tends to promote ads to users who appear educated and wealthy. Facebook also targets ads to users experiencing momentous life changes, such as a home purchase or marriage.
Co.Design reported ECE’s Yang Gao and Wenbo Zhao have researched how to detect occupants in a room by their breathing. The researchers investigated the personal and unique sounds produced during intra-speech inhalation, which the researchers used them to identify occupants in a room with 91.3% accuracy.
Datta quoted on privacy and encryption
Scientific American quoted ECE’s Anupam Datta on privacy and encryption issues with AI assistants. Companies like Apple and Google safeguard against privacy breaches by using multiple encryption methods, like locally differentiating data. This translates to adding carefully calibrated noise into mined data, Datta says. But he warns that local differentiation doesn’t entail complete privacy. “It’s a relative guarantee, not an absolute one.”
Hong quoted on privacy in apps
The Chicago Tribune interviewed CyLab’s Jason Hong on ensuring privacy on apps. Smartphone apps collect user data in many ways. A huge issue is third-party advertising libraries. Hong describes these libraries as scaffolding that developers use to create and gain revenue from apps. These libraries are intrusive because they prevent an app’s function if they don’t receive personal user data, which is then sold to advertisers. Hong offered some consumer precautions, such as waiting to see if an app causes privacy issues or paying for an app.
Jun Han pairing Iot devices by sensors
Electrical and Computer Engineering
CyLab’s Jun Han discussed how IoT devices could pair by detecting the same stimuli. Many IoT devices present integration challenges, given that fewer have interfaces to coordinate pairing. Han instead teaches devices to pair when they sense the same events. If both devices verify sensing a door opening, they can autonomously pair. Han also demonstrated that the system resists hacking, since a hacker cannot perfectly replicate the data a device receives from an environment.
Cranor sees change as GDPR nears implementation
The Washington Post
CyLab/EPP’s Lorrie Cranor spoke with The Washington Post about how many companies worldwide are scrambling to conform to the European Union’s new General Data Protection Regulation (GDPR). “The companies are realizing that it is not enough to get people to just click through,” says Cranor. “That they need to communicate so that people are not surprised when they find out what they consented to.” She attributes public outrage over data privacy to incidents such as the use of Facebook user data by Cambridge Analytica, which has led many consumers to feel they are signing away their rights.
Criminals known as “typosquatters” continue to grow in prevalence, using people’s common spelling mistakes (such as typing “.cm” instead of “.com”) to take them to fake websites, exposing them to cyber-attacks. “It’s low cost and high reward. And it does not require any technical expertise whatsoever,” says CyLab/EPP’s Nicolas Christin. “All you need to do is register the domain name that you’re targeting. For any given domain name there are a number of typos that are easy to derive from it.”
Cranor talks password protection with WSJ
The Wall Street Journal
CyLab/EPP’s Lorrie Cranor spoke to The Wall Street Journal on the increasing difficulty of remembering and securing an ever-growing list of passwords in the digital age. “As long as you’re using one of the well-known, reputable password managers, you are better off than using a smaller number of passwords everywhere,” advises Cranor. Password managers, although not without their own weaknesses, have emerged as an effective means of strengthening and protecting the laundry list of passwords most adults use on a daily basis.
Parno quoted by WSJ on Intel chip flaws
The Wall Street Journal
The Wall Street Journal quoted CyLab/ECE’s Bryan Parno about Intel’s Spectre and Meltdown chip flaws. Since the flaws’ discoveries, attention toward hardware hacking seems to have grown. Parno helped organize the IEEE annual security and privacy conference recently held in San Francisco and commented that its rate of papers submitted for computer hardware security jumped 30% from last year. He thinks the jump is caused by the flaw discoveries. Intel has since addressed the flaws with software updates.
With more companies within and outside of Europe feeling the effects of the European Union’s General Data Protection Regulation (GDPR), CSO turned to CyLab/EPP’s Lorrie Cranor for comment. “Even if their primary market isn't Europe, many companies are realizing that they’ll have to make some changes,” says Cranor. “Given the potential penalties, that’s where there is awareness. It’s waking them up.” A string of recent cybersecurity and privacy incidents has brought data security to the forefront as a high priority issue for many corporations.
Robert Xiao, a Ph.D. student in the Human-Computer Interaction Institute at CMU and member of PPP, exposed a major bug in LocationSmart’s phone tracking service. Xiao found that the service’s consent texts, which were supposed to be approved from the phone itself before tracking could be enabled, could be easily bypassed through a simple bug. The bug, which has since resulted in the site being temporarily pulled down, raises questions about the safety and security of allowing phone providers to sell location data to third parties. “The implication of this is that LocationSmart never required consent in the first place,” says Xiao. “There seems to be no security oversight here.”
Telang comments on Los Angeles County information breach
Los Angeles Times
211 LA County, the non-profit agency which handles Los Angeles County’s social services hotline, inadvertently exposed personal information of callers to a potential breach, according to cybersecurity firm UpGuard. As data breaches increasingly threaten average citizens, CyLab’s Rahul Telang speaks to the Los Angeles Times on the difficulties of securing data. “If you are in the business of keeping personally identifying information, you can pretty much be assured that you have a good chance of getting breached," Telang says.
CMU leading efforts to secure the IoT
Carnegie Mellon University is singled out by Ed Tech for leading the GloTTO initiative, a partnership with Google, Cornell, Stanford, and the University of Illinois at Urbana-Champaign to create a secure open source IoT platform. The team’s ultimate goal is to create a platform which will allow communication between IoT devices regardless of manufacturer, however the large amount of data collected and the lack of robust security measures makes the current IoT vulnerable to security threats.
CyLab report on child identity theft cited
A recent piece from NerdWallet cited a 2011 CyLab study which found that children were 50 times more at risk for identity theft than adults. The article noted that children are especially at risk of synthetic identity theft, an increasingly commonly form of identity theft in which thieves create an entirely new identity around an existing social security number (usually that of a child) in order to exploit it. The practice of stealing the identity of children has only become easier since the time of the study, due to changes made in the social security number issuance process.
WIRED quoted CyLab/EPP’s Lorrie Cranor about why “dragon” is such a common password. “One of the things we’ve seen is that people tend to create passwords about stuff they like,” says Cranor. She further explains that sites that have poor overall security often have weak passwords. “The sites that have the most complicated password policies don’t get leaked as often,” says Cranor. The result is that “dragon” gets leaked more often from sites that don't require users to use of things like special characters or numbers.
A team of CyLab researchers investigated CMU faculty and staff’s reception of two-factor authentication (2FA) to report that 2FA’s implementation was unexpectedly smooth. 2FA is increasingly used for data security and to combat phishing attacks. The researchers found that 2FA is reportedly easy to use, though slightly noisome, and causes users to believe their accounts are safer. The researchers also recommended that dispelling misconceptions about terrible 2FA experiences could influence whether more users adopt 2FA.
Cranor delivers keynote at The Web Conference
The Web Conference
CyLab/EPP’s Lorrie Cranor gave a keynote speech at The Web Conference on April 27. Her keynote concerned web users’ experiences with privacy and security. With a great flurry of regulations and industry efforts to improve online security, the tools given to users often prove difficult to use. Cranor shared her insights into matters of privacy and security through user studies.
CMU-Africa co-hosted a cybersecurity-themed hackathon with Facebook to identify security issues in Rwanda or other African countries. 65 students from many different countries consulted with Facebook engineers while working on projects. Three CMU-Africa students were named winners of the hackathon with their app that combats social engineering. The students were invited to Facebook’s “F8” conference.
PRISM quoted INI Director Dena Haritos Tsamitis in an article on the importance of educating students about cyber security. Since an estimated 3.5 million positions in cyber security will remain unfilled globally by 2021, educators are structuring curricula and educational practices in response. Tsamitis commented on the Information Networking Institute’s superb students and flexible M.S. degrees. “The program teaches principles of building secure systems and incorporates both offensive and defensive security,” Tsamitis said.
Cranor quoted on simple privacy policies
The Washington Post
Cylab/EPP’s Lorrie Cranor was quoted in The Washington Post in an article on the privacy breach in Facebook users’ data by Cambridge Analytica. For privacy policies, their simplicity affects whether social media users understand terms of service. Cranor and her fellow researchers found that participants in a study “comprehend[ed] simpler privacy policies better than long, complicated ones,” and that the participants expressed less frustration with simpler policies. Facebook has responded to recent privacy concerns by condensing their privacy settings onto a single page. Cranor was also quoted in CNET on the Facebook hearings.
ECE/CyLab’s Nicholas Christin was quoted in Wired on privacy flaws in he and collaborators discovered with Monero, a virtual currency. “People took the privacy guarantees of the currency at face value,” said Christin. “All indications show people were really using this for applications where they needed privacy. And those transactions were very, very vulnerable.”
Recently, former Speaker of the House Newt Gingrich visited Carnegie Mellon and remarked on the university’s technological leaps in artificial intelligent systems. Gingrich was amazed by voice analysis used for medical diagnostics and robotic assistance in heart surgery.
INI/CyLab’s Dena Haritos Tsamitis appeared on a recent live webcast of the WQED program “iQ: smartparent.” The episode focused on cyber-safety privacy and protections, as well as the latest cyber-safety laws affecting kids and families. Tsamitis discussed topics like safeguarding personally identifiable information, managing your online presence, and the importance of open communication between parents and their kids.
CMU-SV and CyLab’s Corina Pasareanu has been selected to receive the International Symposium on Software Testing and Analysis (ISSTA) 2018 Retrospective Impact Paper Award. Pasareanu co-authored a paper published in ISSTA 2004 Proceedings that showed how to perform efficient test input generation for code-manipulating complex data. At ISSTA 2018, Pasareanu and her co-authors, Sarfraz Khurshid from the University of Texas at Austin and Willem Visser from Stellenbosch University, will deliver a keynote address to discuss research that’s happened since 2004 on the symbolic execution component of the Java PathFinder tool discussed in their original paper. ISSTA 2018 will be held July 16-18 in Amsterdam.
EPP/CyLab’s Lorrie Cranor has been awarded this year’s Social Impact Award by the Association for Computing Machinery’s Special Interest Group on Computer Human Interaction (SIGCHI). The award is given annually to a mid or senior-level individual who promotes applying human-computer interaction research to pressing social needs. Cranor has focused her research on user-centered approaches to security and privacy, helping non-technical users protect themselves.
EPP/CyLab’s Lorrie Cranor and CyLab’s Norman Sadeh and Jason Hong founded Wombat Security Technologies a decade ago to leverage research on cyberattack prevention. Since then, the company has grown into a leader in cybersecurity awareness training. So much so that Proofpoint Inc. recently completed its acquisition of Wombat for $225 million. “You always have high expectations when you start a company, but there’s nothing more rewarding than to see results of your research having an impact on this scale,” said Sadeh. “Our research at CMU has effectively created an entirely new segment in the cybersecurity industry, one that focuses on the human element.”
Datta stresses internal processes of AI
ECE/CyLab’s Anupam Datta was featured in a story in The Economist discussing the push to understand why artificial intelligence (AI) agents make the decisions they do. Once deep learning neural networks are trained, it’s difficult to understand exactly how they do what they do. The fear, the article states, isn’t that AI won’t do what it’s told, but that it will do it in a way that’s incomprehensible. While a number of researchers are attempting to crack the “black box” of internal AI processes, Datta is focusing on stress-testing the outputs of trained AI systems. He feeds the systems input data and then examines output data for undesirable outcomes. According to the article, Datta’s approach “lets those who make and operate AI ensure they are basing decisions on the right inputs, and not harmful spurious correlations.”
Sekar quoted on Pyeongchang cyberattack
There were concerns about potential cyberattacks leading up to the 2018 Winter Olympics in Pyeongchang, South Korea. Those concerns were validated during the opening ceremonies when hackers hit Pyeongchang’s computer system with a destroyer malware attack. SC Magazine shares that forensic work has shown the intent of the attack was to disable the networks functionality and not steal data. While investigators know the ‘what,’ they’ve yet to discover the ‘who.’ “It's pretty easy for attackers to hide their origins or use VPNs etc., so the IOC is probably doing the right thing of not blaming until they are sure,” ECE/CyLab's Vyas Sekar told SC Magazine. “Forensics/attribution is really hard work especially given sophisticated attackers.”
ECE/CyLab associate professor Anthony Rowe is leading CONIX, a research project aimed at increasing the capabilities of future computing networks. The project will work to develop a programming language that places increased processing power at different points on a network removed from a central server. In a GeekWire article, Rowe compared the work CONIX will do to the central nervous system. The brain is responsible for most of our actions, but the spine plays a huge part in quick, real-time action that would be delayed if handled by the brain. It’s this real-time action that CONIX will work to improve. The creation of a language for edge computing necessitates the development of underlying infrastructures as well. “We’ll be steering more toward the really forward-looking architecture that are higher risk for companies to research on their own,” Rowe told GeekWire.
CyLab study cited by BuzzFeed
Research completed by CyLab’s Richard Power in 2011 was used in a BuzzFeed article titled “This Kid Became a Debtor Before He Could Count.” Powers’ research helped to determine the percentage of children who were in debt before turning 18, bringing to light how many children are subject to premature debt due to identity theft.
Christin quoted in New York Times about Bitcoin
New York Times
The price of Bitcoin recently dropped, but students and businesspeople alike are still showing great interest in the virtual currency. In fact, due to high demand, many colleges and universities around the country, including Carnegie Mellon, have added courses about Bitcoin and the blockchain to their curriculum. Developments in the field are happening so quickly that, even if the price of Bitcoin dropped to $2, EPP/CyLab’s Nicolas Christin says that he “[would] still think it’s very cool from a technical standpoint.” Christin is currently teaching a course at Carnegie Mellon called “Cryptocurrencies, Blockchains, and Applications.”
Rowe quoted on CMU students' contribution to IoT field
Since billions of smart devices are already connected to the Internet of Things (IoT), many colleges and universities, like Carnegie Mellon, have been training the next generation of leaders in the IoT world. According to ECE/CyLab’s Anthony Rowe, students at Carnegie Mellon are developing solutions for real-world IoT applications. “Students think of wild ideas,” says Rowe. “They are so comfortable with the internet and social media. They have always had a cell phone in their hands. So while the older generation might think, ‘What problems need to be solved?’ These students are thinking, ‘What can we use technology for to make our lives better?’”
Datta's study cited in New York Times book review
New York Times
A study conducted by ECE’s Anupam Datta and his colleagues was recently cited in a New York Times book review for Joanne Lipman’s book, titled That’s What She Said: What Men Need to Know (and Women Need to Tell Them) About Working Together. In his study, Datta found that, when an equal number of men and women visited 100 recruitment sites, men were shown ads for the highest-paying jobs six times more often than women.
Recently, Alphabet, Google’s parent company, developed a new cybersecurity platform called Chronicle that companies can use to help comprehend their own security data. Few details have been shared publicly, but this platform will most likely use machine learning to comb through data from a company’s security products and ultimately detect abnormal traffic on their network. Although machine learning is a powerful tool, ECE/CyLab’s Bryan Parno says in an article for Popular Science that, historically, its been challenging to use for security problems. “The Achilles Heel of anomaly detection has always been that attackers just say, 'Well, I’m just going to very carefully craft my attack so it looks like normal activity,’” he says.
ECE/CyLab’s Anthony Rowe will head the Computing on Network Infrastructure for Pervasive Perception, Cognition, and Action Research Center—CONIX—to work toward improving Internet of Things (IoT) networks. The new center, housed on Carnegie Mellon’s campus, received $27.5 million in funding from Semiconductor Research Corp. and the Defense Advanced Research Project Agency (DARPA). CONIX brings together researchers from six U.S. universities who will seek to develop faster, more secure, more robust networks for connecting smart devices to the cloud.
Brumley featured on SciTech Now
Recently, CyLab/ECE's David Brumley was featured on an episode of SciTech Now, where he talked about the importance of understanding basic cybersecurity concepts. “In our daily lives, one of our biggest problems is that most people have no idea how cybersecurity works,” said Brumley. “At Carnegie Mellon, one of the things that we have a big initiative on is a cyber aware generation. We think understanding basic cybersecurity is something everyone should know.”
ECE/CyLab’s Lujo Bauer and his research team recently developed eyeglasses that are capable of fooling facial recognition algorithms. In his recent study, Bauer and his team explain how they developed five pairs of glasses that 90% of the population could successfully wear to bypass surveillance systems. After concluding their study, Bauer and his team notified the Transportation Security Administration (TSA)—an organization that already uses facial recognition technology—of their findings, and recommended that they require subjects to remove things like hats and glasses before conducting facial recognition scans.
EPP/CyLab’s Lorrie Cranor spoke with 90.5 WESA about the danger of tech support messages claiming to be from prominent companies. “Companies like Microsoft are not actually going to call you to tell you about problems with your computer. If somebody calls you to tell you they’re from Microsoft, don’t believe them,” Cranor said. Bad actors use this tactic as a way to access victims’ computers, which they then infect with spyware or ransomware. With the number of IoT (Internet of Things) devices on the rise, it’s even more important to keep devices updated and secure and to be wary of scammers.
EPP/CyLab’s Lorrie Cranor offers her insight in an NBC News story examining how most Americans’ passwords are weak and easily hackable. With cybercrime on the rise, it’s more important than ever for passwords to be robust. As director of the CyLab Usable Privacy and Security Laboratory (CUPS), Cranor helped develop a set of guidelines to assist in creating strong passwords. From character length to the avoidance of patterns, few people realize what it takes to thwart a hacker. “What people don't realize is that the attackers don’t just sit down at a computer and make a few guesses. They use computer programs that can actually make millions or billions of guesses in minutes,” said Cranor.