December 7: Distinguished Seminar
Speaker: Shawndra Hill, Assistant Professor at the University of Pennsylvania
Abstract forthcoming.
November 30: Distinguished Seminar
Abstract and speaker bio forthcoming.
November 16: Distinguished Seminar
Speaker: Bob Sullivan, author and investigative journalist
Abstract forthcoming.
November 9: Distinguished Seminar
Securing the Future
Speaker: Darren Shou, Director of Symantec Research Labs Core research team
While predicting the future may be a fool’s errand, there are several potential disruptions on the horizon that will impact the very nature of business and the structure of industries. I will discuss several of these shifts and how each presents unique challenges and opportunities for the security domain. The emergence of 3D printing will be used as an example of how the nature of production may be disrupted and how that presents new intellectual property protection challenges and security needs. And as we journey through several disruptive innovations, we will examine whether security will be a standalone function or a feature of new technologies.
November 2: Distinguished Seminar
Speaker: Michael Collins, Chief scientist at RedJack, LL
Abstract forthcoming.
October 26: Distinguished Seminar
Speaker: Travis Breaux, Assistant Professor, Carnegie Mellon University
Abstract forthcoming.
October 16: Research Talk
Securing the Perimeter at LinkedIn - Approaches to Registration and Login Defense
Speaker: David Freeman, Head of Anti-Abuse Engineering at LinkedIn
As the world's largest professional network, LinkedIn is subject to a barrage of fraudulent and/or abusive activity aimed at its member-facing products. LinkedIn's Anti-Abuse Team is tasked with detecting bad activity and building proactive solutions to keep it from happening in the first place. In this talk we'll explore various types of abuse we see at LinkedIn and discuss some of the solutions we've built to defend against them. We'll focus on perimeter defense: keeping bad guys from creating fake accounts at registration or from taking over real members' accounts at login.
October 12: Distinguished Seminar
Remote Exploitation of an Unaltered Passenger Vehicle
Speaker: Chris Valasek, Security Lead, UBER Advanced Technologies Center
Although the hacking of automobiles is a topic often discussed, details regarding successful attacks, if ever made public, are non-comprehensive at best. The ambiguous nature of automotive security leads to narratives that are polar opposites: either we're all going to die or our cars are perfectly safe. In this talk, we will show the reality of car hacking by demonstrating exactly how a remote attack works against an unaltered, factory vehicle. Starting with remote exploitation, we will show how to pivot through different pieces of the vehicle's hardware in order to be able to send messages on the CAN bus to critical electronic control units. We will conclude by showing several CAN messages that affect physical systems of the vehicle. By chaining these elements together, we will demonstrate the reality and limitations of remote car attacks.
October 6: Research Talk
Empirical Investigations of Secure Development Practices
Speaker: Sam Weber, Senior Research Scientist at SEI
As a community, we’ve now had almost a half-century of experience in attempting to build secure systems. Although in general we’ve made incredible progress in cybersecurity, I argue that we’ve not made proportionate advances in creating and evaluating secure development processes. In this talk, I’ll describe two of my current research projects which aim to address this deficiency by empirically measuring and comparing development practices. The first of these projects investigates API design decisions which lead to more secure code, while the second compares competing threat modeling methodologies. Ultimately, the goal is to allow validation and rational improvement of secure development techniques.
October 5: Distinguished Seminar
Blackmarket-driven Interventions: From Research to Practice
Speaker: Kurt Thomas, Security & Abuse Researcher, Google
Internet crime has become increasingly dependent on the underground economy: a loose federation of specialists selling capabilities, services, and resources explicitly tailored to the abuse ecosystem. While migration to this marketplace streamlines for-profit scams, it also exposes participants to a range of new countermeasures that disrupt criminal supply chains. In this talk, we discuss how Google is translating blackmarket-driven research into a practical tool for fighting bulk account creation, fake engagement, cloaking, ad fraud, and unwanted software. We demonstrate how underground services yield a wealth of training data on emerging threats as well as serve as a canary for failures in Google's defenses. However, this approach is not without pitfalls: we highlight challenges in interacting with blackmarket segments, sanitizing polluted data, and ultimately measuring the impact of interventions. We argue that researchers and industry can leverage our techniques to make a drastic departure from focusing solely on protecting users and systems (tantamount to a fire fight) and instead disrupt cost-sensitive dependencies that pin up entire abuse verticals.
September 29 - September 30: Conference
2015 CyLab Partners Conference
The CyLab Partners Conference will be held September 29-30 at the main CMU campus in Pittsburgh, PA. Attendance is limited, exclusively, to representatives of CyLab's corporate partners and Carnegie Mellon University CyLab.
Not a CyLab partner? There is still time to experience this unique conference and learn how your company can benefit from becoming a CyLab partner. Contact Associate Director of Partnership Development, Michael Lisanti at ...@andrew.cmu.edu or 412-268-1870.
September 28: Conference
CyLab Recruitment Reception
Abstract forthcoming.
September 16 - September 18: CERT Training
Managing Computer Security Incident Response Teams
This three-day course provides current and future managers of computer security incident response teams (CSIRTs) with a pragmatic view of the issues that they will face in operating an effective team.
The course provides insight into the work that CSIRT staff may be expected to handle. The course also provides prospective or current managers with an overview of the incident handling process and the types of tools and infrastructure needed to be effective.
September 15: CERT Training
Creating a Computer Security Incident Response Team
This one-day course is designed for managers and project leaders who have been tasked with implementing a computer security incident response team (CSIRT). This course provides a high-level overview of the key issues and decisions that must be addressed in establishing a CSIRT. As part of the course, attendees will develop an action plan that can be used as a starting point in planning and implementing their CSIRT.
September 14: Distinguished Seminar
An Introduction to Security and Privacy Research at CMU
Speaker: David Brumley
In this talk, I'll discuss how we view security and privacy research at CMU. I'll give an overview of the great activities going on, give some advice to new researchers in the field, and discuss my own research in software security.
August 18 - August 21: CERT Training
Insider Threat Program Implementation and Operation
This three and a half day course builds upon the initial concepts presented in the prerequisite courses Insider Threat Overview: Preventing, Detecting, and Responding to Insider Threats and Building an Insider Threat Program. The course presents a process roadmap that can be followed to build the various parts of a robust Insider Threat Program. It discusses various techniques and methods to develop, implement, and operate program components.
July 22 - July 24: Symposium
Symposium on Usable Privacy and Security (SOUPS) 2015
The eleventh Symposium on Usable Privacy and Security (SOUPS) will be held July 22-24, 2015 at Carleton University in Ottawa, Canada. This symposium will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. The program features technical papers, workshops and tutorials, a poster session, panels and invited talks, and lightning talks. SOUPS 2015 will be held in cooperation with USENIX and ACM SIGCHI. Visit the SOUPS 2015 website for details.
June 9 - June 11: CERT Training
Advanced Forensic Response and Analysis
The CERT Advanced Forensic Response and Analysis course is designed for computer forensic professionals who are looking to build on a solid knowledge base in incident response and forensic analysis. The course builds on core forensic topics to provide a process for conducting more complete incident response and forensic analysis investigations. The goal of the course is to advance collection and processing skills of the students by outlining a structured process or flow to an incident response and intrusion investigation. Students will learn the pros and cons of common evidence collection measures and forensic analysis steps, methods for organizing analysis to identify relevant evidentiary data, and common areas containing items of evidentiary value to further their investigations.
June 2 - June 4: CERT Training
Managing Enterprise Information Security: A Practical Approach for Achieving Defense-in-Depth
This three-day course begins with a brief review of the conceptual foundations of information security. Next, students will be introduced to the CERT Defense-in-Depth Framework: eight operationally focused and interdependent management components which will be synergistically applied to a fictitious organization's Information Technology (IT) enterprise (see "Topics" below). Through lectures, demonstrations, scenario-based exercises, small group activities, and open discussions, students will learn high-level best practices for effectively integrating each of these eight components into all aspects of IT operations. Further, the course scenario is used extensively to reinforce these best practices with technical information security implementations.
May 18 - May 22: CERT Training
Advanced Incident Handling
This five-day course, designed for computer security incident response team (CSIRT) technical personnel with several months of incident handling experience, addresses techniques for detecting and responding to current and emerging computer security threats and attacks that are targeted at a variety of operating systems and architectures.
Building on the methods and tools discussed in the Fundamentals of Incident Handling course, this course provides guidance that incident handlers can use in responding to system compromises at the privileged (root or administrator) level. Through interactive instruction, facilitated discussions, and group exercises, instructors help participants identify and analyze a set of events and then propose appropriate response strategies.
May 12 - May 15: CERT Training
Insider Threat Program Implementation and Operation
This three and a half day course builds upon the initial concepts presented in the prerequisite courses Insider Threat Overview: Preventing, Detecting, and Responding to Insider Threats and Building an Insider Threat Program. The course presents a process roadmap that can be followed to build the various parts of a robust Insider Threat Program. It discusses various techniques and methods to develop, implement, and operate program components.
May 11: Seminar
Quantifying the Security Advantage of Password Expiration Policies
Speaker: Paul C. van Oorschot, Professor at Carleton University
Many enterprise security policies enforce "password aging", i.e., require that users change their passwords at fixed intervals such as 90 days. The apparent justification is that this improves security. However, the implied security benefit has been little explored, and quantified less. We provide a detailed analysis pursuing the question "What security advantage is delivered by password expiration policies?". We find that the benefits are far less than expected.
May 11 - May 13: CERT Training
Introduction to the CERT Resilience Management Model
This three-day course introduces a model-based process improvement approach to managing operational resilience using the CERT® Resilience Management Model (CERT-RMM) v1.1.
CERT-RMM is a maturity model that promotes the convergence of security, business continuity, and IT operations activities to help organizations actively direct, control, and manage operational resilience and risk. By improving operational resilience processes (such as vulnerability analysis, incident management, and service continuity), an organization can use the model to improve and sustain the resilience of mission-critical assets and services.
April 27: Seminar
Algorithmic Logic-Based Verification
Speaker: Temesghen Kahsai, Research Scientist at NASA Ames Research Center
Developing new tools for automated software verification is a tedious and very difficult task. First, due to the undecidability of the verification problem, tools must be highly tuned and engineered to provide reasonable efficiency and precision trade-offs. Second, different programming languages come with very diverse assortments of syntactic and semantic features. Third, the diverse encoding of the verification problem makes the integration with other powerful solvers and verifiers difficult.
To mitigate these challenges, in this talk, I will present SeaHorn, an LLVM-based software verification framework that allows the decoupling of programming language syntax and semantics from the underlying verification technique. Such a framework uses Horn Clauses as the intermediate formal language for the verification task. Horn Clauses are a uniform way to encode verification conditions. SeaHorn solves much of the programming language complexities by borrowing techniques and implementation from an optimizing compiler. SeaHorn is a versatile and highly customizable framework which allows researchers to easily build or experiment with their particular verification techniques of interest. I will also illustrate an experimental evaluation that demonstrates the competitiveness of SeaHorn in verifying safety properties.
April 20: Seminar
SafeSlinger - Usable Key Verification Roadmap
Speaker: Michael Farb
SafeSlinger is the result of research into several protocols, designed to subvert the bane of public-key cryptography, the man-in-the-middle attack. This solution easily bootstraps secure communication, in-person or remote, with a device most people already own - their phone. SafeSlinger is designed to allow users to securely exchange any data, such as a public key, for later use. When users run SafeSlinger, they enter a pair of short numbers and confirm a 3-word phrase matches that displayed by other users' phones.
This talk will provide a short overview of current SafeSlinger exchange properties, user experience, and our roadmap. We’ll discuss: ongoing integration efforts with other open source end-to-end encryption projects, user experiences, use cases we target, and many open questions about how we can improve user experience intuition, anonymity, alternate wireless exchange channels, desktop design, and provide better incentives for users to verify digital contacts. We’re looking for collaborators interested in usable security and networking.
April 18: Panel
INI 25th Anniversary - "Women's Impact on Technology. Beyond Participation. Leading the Way"
Speaker: Dena Haritos Tsamitis, Director, Information Networking Institute; Founding Director, Education, Training and Outreach, CyLab, Carnegie Mellon University
Mavens of technology discuss the talents and influence that carry professionals into leadership roles and how women have made an impact on innovation and cultural change in the field.
As the Women@INI (WINI) student organization celebrates 10 years, the INI will host industry leaders, faculty and alumni to discuss and celebrate the dramatic progress gained by promoting diversity in the technology field at all levels, from student life to the executive circle. Engage in the conversation and hear the stories as the panelists share personal and professional perspectives on women's leadership in technology.
For more information, visit the anniversary website at http://www.ini.cmu.edu/ini25/
April 18: Panel
INI 25th Anniversary - "Emerging Technology"
Speaker: James H. Garrett Jr, Dean and Thomas Lord Professor, College of Engineering, Carnegie Mellon University
Great minds in engineering and computing will discuss advancements that are having an impact on everyday life. Having prepared technology leaders for 25 years through a dynamic blend of interdisciplinary studies, the Information Networking Institute (INI) will host panelists to discuss what's around the next corner in an exploration of the latest developments in networking, security and mobility. Industry leaders, faculty and alumni will reflect on new innovations in information technology and their impact on society.
Join us for an invigorating discussion on this fascinating and ever-changing topic.
For more information, visit the anniversary website at http://www.ini.cmu.edu/ini25/
April 18: Keynote
INI 25th Anniversary - "Connected. How Networks are Transforming Everything"
Speaker: Hooman Radfar (INI, ’04)
The INI's 25th Anniversary kicks off with a fast-paced presentation on trends in networks and computing and what lies ahead. Entrepreneur Hooman Radfar (INI, 2004, MS14) will be the featured keynote speaker.
For more information, visit the anniversary website at http://www.ini.cmu.edu/ini25/
April 13: Seminar
Beyond Silk Road: Developments in Online Anonymous Marketplaces
Speaker: Nicolas Christin
Founded in 2011, Silk Road was the first online anonymous marketplace, in which buyers and sellers could transact with anonymity guarantees far superior to those available in online or offline alternatives. Business on Silk Road, primarily involving narcotics trafficking, was brisk and before long competitors appeared. After Silk Road was taken down by law enforcement, a dynamic ecosystem of online anonymous marketplaces emerged. Building up on efforts I previously presented in the CyLab seminar series, I will describe preliminary insights regarding this ecosystem, highlighting the scientific and---to a lesser extent---ethical challenges in collecting such data at scale.
April 6: Seminar
Building Secure Reliable Hardware Roots-of-Trust: Are PUFs Enough?
Speaker: Ken Mai
Hardware roots-of-trust are often regarded as the bedrock upon which the rest of the system's security lies. They perform basic security critical functions such as cryptographic key storage/generation, hardware and software authentication, secure data storage, and data encryption/hashing. Further, these blocks must be resistant to various forms of non-invasive and invasive attacks and tampering. We will examine the necessary features and characteristics of hardware roots-of-trust and if current technologies can meet those needs. Specifically, we will focus on the design and implementation of physical unclonable functions (PUFs) and whether they are suitable for hardware roots-of-trust.
March 30: Seminar
The Security of Cyber-Physical Systems
Speaker: Bruno Sinopoli
Cyber Physical Systems (CPS) refer to the embedding of widespread sensing, computation, communication, and control into physical spaces. Application areas are as diverse as aerospace, chemical processes, civil infrastructure, energy, manufacturing and transportation, most of which are safety-critical. The availability of cheap communication technologies such as the internet makes such infrastructures susceptible to cyber security threats, which may affect national security as some of them, such as the power grid, are vital to the normal operation of our society. Any successful attack may significantly hamper the economy, the environment or may even lead to loss of human life. As a result, security is of primary importance to guarantee safe operation of CPS. From an offensive perspective, attacks of this sort can be carried out to disrupt the functionality of the enemy's critical infrastructures without destroying them or even being directly identified. Stuxnet, the malware at the root of the destruction of centrifuges employed to enrich uranium in Iran's nuclear facilities, is a clear example of how strategically important it is to gain a deep understanding of CPS security. In this talk I will provide an introduction to CPS security, give an overview of recent results from our research group as well as directions for future work.
March 23: Seminar
On the Roots of Privacy Concerns
Speaker: Alessandro Acquisti
Human beings have evolved to detect and react to threats in their physical environment, and have developed perceptual systems to assess physical, sensorial stimuli for current, material risks. In cyberspace, those stimuli can be absent, subdued, or deliberately manipulated by antagonistic third parties. Security and privacy concerns that would normally be activated in the offline world, therefore, can remain muted, and defense behaviors can be hampered, online. In order to start understanding the interrelationships between online and offline threat detection and online decision making, we investigate the extent to which "visceral" stimuli in the physical world can impact security and privacy behavior in cyberspace. In particular, we present the design and results of a stream of controlled human subject experiments that explore the influence of sensorial stimuli (indicating the presence of other human beings in the proximal space of a subject) on subjects' online disclosure of personal, and highly sensitive, behaviors.
March 16: Seminar
Saving SSL – Usable Security for Administrators and Developers
Speaker: Matthew Smith, Professor, Rheinische Friedrich-Wilhelms-Universität Bonn, Germany
Many aspects of information security combine technical and human factors. If a highly secure system is unusable, users will try to circumvent the system or migrate entirely to less secure but more usable systems. Problems with usability are a major contributor to many recent high-profile security failures. The research domain of usable security & privacy addresses these issues. However, until now the main focus of researchers in this field has been end users. After giving a brief introduction into the field, the presenter will argue that usability issues for administrators and developers also need to be taken into account. The talk will use SSL as an example to illustrate usable security and privacy issues for all actors involved in the SSL ecosystem.
March 2: Seminar
What is a Cookie Worth?
Speaker: Rahul Telang
Recent technological advances have enabled detailed tracking of an individual user’s online browsing and transaction behavior through the use of digital cookies. Marketers now routinely use this information to deliver customized online advertisements to internet users based on their recent browsing history. Advertisers argue that using such information leads to better targeting users with relevant ads at appropriate times resulting in higher sales, making both the consumer and the seller better-off. Privacy advocates, on the other hand, claim that the cost of such privacy intrusion is too high and support strong restriction on such targeting.
We seek to inform this debate by providing empirical evidence that quantifies the value of different types of information that cookies can track and their impact on advertising effectiveness.
February 23: Seminar
The IEEE Cybersecurity Initiative — Accelerating Innovation in Security & Privacy Technologies
Speaker: Greg Shannon, Chief Scientist, CERT Division at CMU Software Engineering Institute
As highlighted at the White House Summit on Cybersecurity and Consumer Protection, cyber security & privacy (S&P) are pervasive and growing concerns that affect individuals, companies, and nations. Many IEEE members created, sustain, and grow the Internet, and IEEE has a decades-long history of forming and leading technical communities dedicated to engineering a cyberspace that provides security and privacy. To more directly address these challenges, IEEE has launched a multi-year Cybersecurity Initiative (CybSI); its goal is to accelerate innovative research, development and use of efficient cyber security & privacy technologies that protect commerce, innovation and expression.
February 16: Seminar
What Are They Doing With Your Data?
Speaker: Augustin Chaintreau, Assistant Professor, Columbia University
Today's Web services‒including Google, Amazon, and Facebook‒leverage user data for personalizing recommendations, targeting advertisements, and adjusting prices. Users currently have little insight, and at best coarse information, to monitor how and for which purposes their data are being used. What if we could tell exactly which item - whether an email you wrote, a search you made, or a webpage you visit - is being used to decide on a targeted ad or a recommended product for you? But how can we track data in an environment we do not control?
In this talk, we argue that without web transparency the exciting world open with your data threatens to become a breeding ground for data misuse, privacy negligence, or even unfair and predatory practices, discriminating the most vulnerable. Furthermore, we prove web transparency may be restored by building XRay, the first fine-grained, robust, and scalable tracking system for personal data on the Web. XRay diagnoses which clue (i.e. emails, viewed products) is being used as a trigger to which outputs (i.e. targeted ads, recommended products, or differentiated prices). XRay is service agnostic, easy to instantiate, and leverages a novel and simple mechanism that, surprisingly at first, shows that as data in our web profile expands, the amount of resource required for transparency grows only logarithmically.
(joint work with Mathias Lécuyer, Roxana Geambasu, Riley Spahn, Guillaume Ducoffe, Andrei Papancea, and Theofilos Petsios)
February 9: Seminar
The Art of Privacy
Speaker: Lorrie Cranor
Privacy is an abstract concept that can be difficult to visualize. However, privacy visualizations can offer interesting insights into how people conceptualize privacy. In this talk I will explore privacy through art. I will begin by showing some examples of privacy-related artwork created by myself and by other artists. Then I will discuss our Privacy Illustrated project (http://cups.cs.cmu.edu/privacyillustrated/), in which we invite everyday people to draw pictures of privacy and what it means to them.
February 2: Seminar
Dancing with the Adversary: a Tale of Wimps and Giants
Speaker: Virgil Gligor
A system without accurate and complete adversary definition cannot possibly be insecure. Without such definitions, (in)security cannot be measured, risks of use cannot be accurately quantified, and recovery from penetration events cannot have lasting value. Conversely, accurate and complete definitions can help deny the adversary any attack advantage over a system defender and, at least in principle, secure system operation can be achieved. In this talk, I argue that although the adversary’s attack advantage cannot be eliminated in large commodity software (i.e., for “giants”), it can be rendered ineffective for small software components with rather limited function and high-assurance layered security properties, which are isolated from giants; i.e., for “wimps.”
January 28: Celebration
Data Privacy Day 2015
Join us on January 28, 2015 for CMU Privacy Day 2015 at Carnegie Mellon University. CMU Privacy Day celebrates the International Data Privacy Day with an exciting schedule of privacy-related events.
Data Privacy Day is an international effort to empower and educate people to protect their privacy and control their digital footprint. For more information, please visit StaySafeOnline.org