
CERIAS Weekly Security Seminar - Purdue University

1,160 episodes - English - Latest episode: about 1 month ago - ★★★★ - 6 ratings

CERIAS -- the Nation's top-ranked interdisciplinary academic education and research institute -- hosts a weekly speaker on cyber security, privacy, resiliency or autonomy, highlighting technical discoveries, case studies or cyber operational approaches; the talks are not product demonstrations, service sales pitches, or company recruitment presentations. Join us weekly, or explore 25 years of archives for the who's who in cybersecurity.


Episodes

Ed Finkler, "A Multi-layered Approach to Web Application Defense"

September 06, 2006 20:30 - 170 MB Video

Defending against attacks on a web application is by nature a complex process, one that must address everything from coding practices to user management to network architecture. This talk will describe a number of techniques that, used in concert, will make your web app a much tougher cookie to crack. The primary focus will be on open-source "XAMP" setups, but the concepts should be applicable to most other systems.

Sid Stamm, "Invasive Browser Sniffing and Countermeasures"

August 30, 2006 20:30 - 41 minutes - 234 MB Video

We describe the detrimental effects of browser cache/history sniffing in the context of phishing attacks, and detail an approach that neutralizes the threat by means of URL personalization; we report on an implementation performing such personalization on the fly, and analyze the costs and security properties of our proposed solution. About the speaker: Sid Stamm is a PhD candidate in Computer Science at Indiana University where he earned his MS in 2005. He is currently investiga...
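The following is an added worked example, not code from the talk or from the speaker's implementation, of the countermeasure the abstract describes: the server rewrites its own links on the fly with a per-session token, so an attacker who can only probe the victim's cache or history for URLs they can name no longer knows which URLs to probe. The server secret, the host name bank.example, the `t` query parameter and the HMAC-derived token are assumptions made here for illustration.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumptions for this example: a server-side secret (in deployment it would
# come from configuration, never from source) and the host being protected.
SERVER_SECRET = b"example-secret-not-for-production"
SITE_HOST = "bank.example"


def session_token(session_id: str) -> str:
    """Per-session pseudonym: truncated HMAC-SHA256 of the session id under
    the server secret. Anyone who does not hold the victim's session cannot
    compute it, so they cannot name the victim's personalized URLs."""
    mac = hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def personalize_url(url: str, session_id: str) -> str:
    """Rewrite a same-site URL so it carries this session's token.
    Off-site links are returned unchanged."""
    parts = urlsplit(url)
    if parts.netloc and parts.netloc != SITE_HOST:
        return url
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "t"]
    query.append(("t", session_token(session_id)))
    return urlunsplit(parts._replace(query=urlencode(query)))


_HREF = re.compile(r'href="([^"]*)"')


def personalize_html(html: str, session_id: str) -> str:
    """On-the-fly rewriting of every href in a served page."""
    return _HREF.sub(
        lambda m: 'href="%s"' % personalize_url(m.group(1), session_id), html)


def url_belongs_to_session(url: str, session_id: str) -> bool:
    """Server-side check on an incoming request: does the token match the one
    issued to this session? A missing or foreign token means the URL was
    guessed or copied from another user, not followed from a served page."""
    query = dict(parse_qsl(urlsplit(url).query))
    return hmac.compare_digest(query.get("t", ""), session_token(session_id))


def sniff_hits(victim_history: set, attacker_guesses: list) -> list:
    """Model of a cache/history sniffer: it can only test URLs it can name.
    Returns the guesses that appear in the victim's browsing history."""
    return [g for g in attacker_guesses if g in victim_history]


if __name__ == "__main__":
    # Constructed page and histories, not captured data.
    page = '<a href="/accounts">Accounts</a> <a href="https://other.example/">Out</a>'
    print(personalize_html(page, "victim-session"))
    plain_history = {"https://bank.example/accounts"}
    personalized_history = {
        personalize_url("https://bank.example/accounts", "victim-session")}
    guesses = ["https://bank.example/accounts", "https://bank.example/login"]
    print("hits without personalization:", sniff_hits(plain_history, guesses))
    print("hits with personalization:   ", sniff_hits(personalized_history, guesses))
```

The token is bound to the session rather than to the user so that it can rotate with the session; the check in `url_belongs_to_session` is what lets the server refuse (or redirect) a canonical URL that a sniffing page tries to plant in the victim's history.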

Ehab Al-Shaer, Ph.D., "Toward Autonomic Security Policy Management"

August 23, 2006 20:30 - 34 minutes - 197 MB Video

The assurance of network security is dependent not only on the protocols but also on policies that determine the functional behavior of network security devices. Network security devices such as firewalls, IPSec gateways, and IDS/IPS operate based on locally configured access control policies. However, the complexity of managing security policies, particularly in enterprise networks, poses many challenges for deploying effective security. For example, security policies are usually configured in iso...

Virgil D. Gligor, "On the Evolution of Adversary Models for Security Protocols - from the Beginning to Sensor Networks"

April 26, 2006 05:00 - 53 minutes - 175 MB Video

Invariably, new technologies introduce new vulnerabilities which, in principle, enable new attacks by increasingly potent adversaries. Yet new systems are more adept at handling well-known attacks by old adversaries than anticipating new ones. Our adversary models seem to be perpetually out of date: often they do not capture adversary attacks enabled by new vulnerabilities and sometimes address attacks rendered impractical by new technologies. In this talk, I provide a brief overview o...

John Black, "Recent Attacks on MD5"

April 19, 2006 05:00 - 57 minutes - 137 MB Video

Cryptology is typically defined as cryptography (the construction of cryptographic algorithms) and cryptanalysis (attacks on these algorithms). Both are important, but the latter is more fun. Cryptographic hash functions are one of the core building blocks within both security protocols and other application domains. In the last few decades a wealth of these functions have been developed, but the two in most widespread usage are MD5 and SHA1. Recently, there has been a great deal of acti...

David Carroll, "Identity Management Strategies and Integration Perspectives"

April 12, 2006 05:00 - 1 hour - 201 MB Video

For large government agencies and corporations there can be significant value in the use of identity, access, and rights management infrastructures, or IDM. The organization's investment in directory services, authorization services, rights management, and public key systems all combine to form a sometimes complex infrastructure. The products that are deployed may be based upon standards such as WS-Security, SAML, and X509.3 but many are still hampered by proprietary vendor implementation, la...

Dave Ford, "Chaos, Complexity, Cybernetics and Therminator:"

April 05, 2006 05:00 - 50 minutes - 216 MB Video

In the days after Presidential Decision Directive 63, "Therminator" was born at NSA. This talk gives an overview of the applications of strategies from non-linear dynamics, complexity theory and elements from cybernetics in the context of reducing high-dimensional data sets (e.g. internet traffic) and explains why simple equilibrium thermodynamics is the weapon of choice. About the speaker: Dave Ford is a TAM graduate of the University of Illinois. He has worked at NSA and now is a professor ...

Minaxi Gupta, "Spoofing-resistant Packet Routing for the Internet"

March 29, 2006 05:00 - 56 minutes - 215 MB Video

The forgery of source IP addresses, called IP spoofing, is commonly exploited to launch damaging denial-of-service (DoS) attacks in the Internet. Currently proposed spoofing prevention approaches either focus on protecting only the target of such attacks and not the routing fabric used to forward spoofed packets, or fail under commonly occurring situations like path asymmetry. We will present a hop-wise packet marking approach that equips the routers to drop spoofed packets close to their ...

Julie Earp, "Privacy Policies in Web-based Healthcare"

March 22, 2006 05:00 - 44 minutes - 216 MB Video

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has resulted in the presence of very descriptive privacy policies on healthcare websites. These policies are intended to notify users about the organization's privacy practices; however, they are typically not easy to read, leading few people to actually read them. Given the fact that these policies are not optional, but required by HIPAA, they should be presented in a clear and concise manner that encourages consumers ...

Marina Blanton, "Dynamic and Efficient Key Management for Access Hierarchies"

March 08, 2006 05:00 - 48 minutes - 147 MB Video

Hierarchies arise in the context of access control whenever the set of users can be modeled as a set of partially ordered classes (i.e., represented as a directed graph). In such systems, a user that belongs to a particular class inherits privileges of all of its descendant classes. The problem of key management for an access hierarchy then consists in assigning a key to each class in the hierarchy so that keys for descendant classes can be obtained via an efficient key derivation process. ...
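An added example, not the speaker's own code, giving a simplified rendering of the key-assignment idea the abstract describes: a random secret key per class, a public label per class, and one public token per edge of the hierarchy that lets a holder of the parent class's key unmask the child class's key with a pseudorandom function. Only the public data changes when an edge is added or removed or a class is rekeyed. The HMAC-SHA256 PRF, the XOR masking, the class names and the data layout are choices made here; the scheme presented in the talk may differ in detail.

```python
import hashlib
import hmac
import os
from collections import deque

KEY_LEN = 32  # bytes; equals the SHA-256 output size so the XOR mask lines up


def prf(key: bytes, label: bytes) -> bytes:
    """Pseudorandom function keyed by a class key (assumption: HMAC-SHA256)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class AccessHierarchy:
    """Authority side. Classes form a DAG; an edge u -> v means u inherits
    v's privileges, so a holder of k_u must be able to derive k_v.

    Secret per class: k_v (handed only to members of v).
    Public per class: label l_v.
    Public per edge:  y_uv = k_v XOR PRF(k_u, l_v).
    """

    def __init__(self):
        self.keys = {}       # secret: class -> k_v
        self.labels = {}     # public
        self.edges = {}      # public: (u, v) -> y_uv
        self.children = {}   # public DAG structure

    def add_class(self, name: str) -> None:
        self.keys[name] = os.urandom(KEY_LEN)
        self.labels[name] = os.urandom(16)
        self.children[name] = []

    def _token(self, u: str, v: str) -> bytes:
        return xor(self.keys[v], prf(self.keys[u], self.labels[v]))

    def add_edge(self, u: str, v: str) -> None:
        self.edges[(u, v)] = self._token(u, v)
        self.children[u].append(v)

    def remove_edge(self, u: str, v: str) -> None:
        """Dynamic change: dropping an edge only deletes public data."""
        del self.edges[(u, v)]
        self.children[u].remove(v)

    def rekey_class(self, v: str) -> None:
        """Replace k_v and recompute only the tokens on edges touching v; no
        other class's key changes. To lock out a departed member of v who may
        have cached derived keys, the same step is applied to v's descendants."""
        self.keys[v] = os.urandom(KEY_LEN)
        for u, w in list(self.edges):
            if v in (u, w):
                self.edges[(u, w)] = self._token(u, w)

    def public_info(self) -> dict:
        """Everything that is published; it contains no class key."""
        return {"labels": dict(self.labels), "edges": dict(self.edges),
                "children": {c: list(k) for c, k in self.children.items()}}


def derive_key(public: dict, start: str, start_key: bytes, target: str):
    """Member side: from k_start and the public data, walk down the DAG,
    unmasking one edge token per hop. Returns None if target is not a
    descendant (a member cannot derive keys for classes above or beside its own)."""
    queue = deque([(start, start_key)])
    seen = {start}
    while queue:
        node, key = queue.popleft()
        if node == target:
            return key
        for child in public["children"].get(node, []):
            if child not in seen:
                seen.add(child)
                child_key = xor(public["edges"][(node, child)],
                                prf(key, public["labels"][child]))
                queue.append((child, child_key))
    return None


def demo() -> bool:
    """Constructed hierarchy: CEO -> Manager -> Staff and CEO -> Contractor -> Staff."""
    h = AccessHierarchy()
    for c in ("CEO", "Manager", "Contractor", "Staff"):
        h.add_class(c)
    for u, v in (("CEO", "Manager"), ("Manager", "Staff"),
                 ("CEO", "Contractor"), ("Contractor", "Staff")):
        h.add_edge(u, v)
    pub = h.public_info()
    ok = derive_key(pub, "CEO", h.keys["CEO"], "Staff") == h.keys["Staff"]
    ok &= derive_key(pub, "Contractor", h.keys["Contractor"], "Manager") is None
    return ok


if __name__ == "__main__":
    print("derivation works:", demo())
```

Derivation costs one PRF call per hop, the public data grows with the number of edges rather than the number of ancestor/descendant pairs, and a wrong starting key silently yields garbage rather than an error, so a deployment would add key confirmation before using a derived key.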

Rafae Bhatti, "A Policy Engineering Framework for Federated Access Management"

March 01, 2006 05:00 - 48 minutes - 159 MB Video

Federated systems are an emerging paradigm for information sharing and integration. Such systems require access management policies that not only protect user privacy and resource security but also allow scalable and seamless interoperation. Current solutions to distributed access control generally fail to simultaneously address both dimensions of the problem. This talk describes the design of a policy-engineering framework, called xFederate, for specification and enforcement of access manage...

Mike Burmester, "Provable security in mobile ad hoc networks"

February 15, 2006 05:00 - 54 minutes - 199 MB Video

Mobile ad hoc networks (MANETs) are collections of wireless mobile nodes with links that are made or broken in an arbitrary way. Communication is achieved via routes whose nodes relay packets. Several routing algorithms have been proposed in the literature. These focus mainly on efficiency, with security relegated to weak adversary models. In this talk we consider the security of distributed MANET applications in malicious adversary models. We model a MANET by a stochastic finite state machine ...

Brian Carrier, "Categories of Digital Forensic Investigation Techniques"

February 08, 2006 05:00 - 53 minutes - 190 MB Video

This talk examines formal concepts of digital forensic investigations. To date, the field has had an applied focus and little theory exists to formally define analysis techniques and requirements. This work defines an extended finite state machine (FSM) model and uses it to describe a computer's history, which contains the primitive and abstract states and events that existed and occurred. Using this model, categories of analysis techniques can be defined. This talk describes the mode...

Abhilasha Bhargav-Spantzel, "Digital Identity Management and Theft Protection"

February 01, 2006 05:00 - 51 minutes - 208 MB Video

Digital identity management technology is fundamental in customizing user experience, protecting privacy, underpinning accountability and compliance in today About the speaker: Abhilasha Bhargav-Spantzel is a Computer Science PhD student at Purdue University. She received her bachelor's in Computer Science and Mathematics from Purdue in 2002. Her primary research interest is in Identity Management and Theft Protection. Her research aims to provide a strong theoretical foundation on which the so...

Paul Thompson, "Semantic Attacks and Security"

January 25, 2006 05:00 - 52 minutes - 191 MB Video

Attacks on computer and other networked systems can be categorized as physical, syntactic and semantic. Physical attacks seek to destroy hardware, while syntactic attacks, such as computer worms and viruses, target the network infrastructure. Semantic attacks are directed at the mind of the user of a computer system, or, more generally, any decision process in an automated system. For example, a false, or misleading, discussion group posting which leads readers of the posting to become vict...

Jean Camp, "Net Trust: Identification Through Social Context"

January 18, 2006 05:00 - 53 minutes - 209 MB Video

In the nineties the disconnection between physical experience and the digital networked experience was celebrated - individuals are said to move into cyberspace, become virtual and leave the constraints of the physical realm. The increase in fraud, difficulties in securing email, and increasingly prevalent browser-based attacks illustrate that the lack of physical signaling information can also be costly. I introduce a trust evaluation system, Net Trust. The trust evaluation system offered i...

Simson Garfinkel, "Cross-Drive Forensic Analysis"

January 11, 2006 05:00 - 49 minutes - 91 MB Video

This talk introduces cross-drive analysis (CDA), a new approach for performing analysis of forensic data sets that are too large or complex to be analyzed with today's existing tools. CDA works by performing systematic information extraction and cross-correlation across an entire data set. CDA was used to analyze 182 disk drives acquired on the secondary market; it automatically identified drives containing a high concentration of confidential financial records and three pairs of drives, e...
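An added example, not Garfinkel's tooling, of the two steps the abstract names: feature extraction over each drive image and cross-correlation over the whole set. It pulls e-mail addresses and Luhn-valid card-like numbers out of constructed drive images, discards features that appear on most drives (a vendor support address says nothing about who owned a drive), counts card numbers per drive as a crude measure of financial-record density, and reports drive pairs that share distinctive features. The feature types, the frequency cutoff, the minimum shared count and the sample images are all assumptions made here.

```python
import re
from itertools import combinations

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(r"\b\d{13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check: weeds out most random digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def extract_features(image: bytes) -> set:
    """Feature extraction over one raw image: every e-mail address and every
    Luhn-valid 13-16 digit number. Decoding as latin-1 never fails, so binary
    regions are simply scanned as text."""
    text = image.decode("latin-1")
    feats = {m.lower() for m in EMAIL_RE.findall(text)}
    feats |= {m for m in CARD_RE.findall(text) if luhn_ok(m)}
    return feats


def cross_drive_analysis(images: dict, min_shared: int = 2):
    """Cross-correlate features across the whole set of drives.

    Features present on more than half the drives are dropped first, then
    every pair of drives sharing at least min_shared remaining features is
    reported. Returns (distinctive features per drive, card count per drive,
    related drive pairs)."""
    feats = {name: extract_features(img) for name, img in images.items()}
    df = {}
    for fs in feats.values():
        for f in fs:
            df[f] = df.get(f, 0) + 1
    cutoff = len(images) / 2
    distinctive = {name: {f for f in fs if df[f] <= cutoff}
                   for name, fs in feats.items()}
    card_counts = {name: sum(1 for f in fs if f.isdigit())
                   for name, fs in feats.items()}
    pairs = []
    for a, b in combinations(sorted(distinctive), 2):
        shared = distinctive[a] & distinctive[b]
        if len(shared) >= min_shared:
            pairs.append((a, b, sorted(shared)))
    return distinctive, card_counts, pairs


# Constructed drive contents, not real images. 4111111111111111 is a widely
# published Luhn-valid test number; 1234567890123456 fails the Luhn check.
SAMPLE_IMAGES = {
    "drive-A": b"invoice to alice@example.com card 4111111111111111 support@corp.example",
    "drive-B": b"alice@example.com 4111111111111111 bob@example.net support@corp.example",
    "drive-C": b"carol@example.org 1234567890123456 support@corp.example",
    "drive-D": b"notes: system reinstall; no personal data. support@corp.example",
}


if __name__ == "__main__":
    distinctive, counts, pairs = cross_drive_analysis(SAMPLE_IMAGES)
    print("card numbers per drive:", counts)
    for a, b, shared in pairs:
        print("related:", a, b, "share", shared)
```

On a real corpus the feature extractor runs once per image and the correlation step works only on the much smaller feature sets, which is what makes the approach scale to hundreds of drives.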

Jelena Mirkovic, "Clouseau: A practical IP spoofing defense through route-based filtering"

December 07, 2005 05:00 - 53 minutes - 133 MB Video

IP spoofing accompanies many malicious activities and is even a means for performing reflector DDoS attacks. Route-based filtering (RBF) enables a router to filter spoofed packets based on their incoming interface - this information is stored in an incoming table. Packets arriving on the expected incoming interface for their source address are considered legitimate, while all the other packets are filtered as spoofed. Past research has shown that RBF can be very effective when deployed at the v...
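An added example, not code from Clouseau: the route-based filtering decision itself, with the incoming table derived from a constructed forwarding table by longest-prefix match. It also illustrates the caveat raised in the abstract for Minaxi Gupta's talk above: deriving the table this way assumes the interface used to reach a source is the one its packets arrive on, so under path asymmetry legitimate traffic would be dropped. Interface names, prefixes and packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str


class RouteBasedFilter:
    """Route-based filtering at one router.

    The incoming table maps a source prefix to the interface on which packets
    from that prefix are expected. Here it is derived from the router's own
    forwarding table, which is only correct when routing is symmetric; under
    path asymmetry a legitimate source may arrive on another interface and
    would be dropped.
    """

    def __init__(self, routes):
        # routes: (prefix, interface) pairs; longest prefix must win, so sort
        # by prefix length descending once and scan in order.
        self.table = sorted(
            ((ipaddress.ip_network(p), iface) for p, iface in routes),
            key=lambda r: r[0].prefixlen, reverse=True)

    def expected_iface(self, src: str):
        """Longest-prefix match on the source address; None if no route."""
        addr = ipaddress.ip_address(src)
        for net, iface in self.table:
            if addr in net:
                return iface
        return None

    def is_spoofed(self, pkt: Packet) -> bool:
        """Legitimate only if it arrived on the expected interface. A source
        with no entry at all cannot be on its expected interface, so it is
        treated as spoofed, matching the rule stated in the abstract."""
        return self.expected_iface(pkt.src) != pkt.in_iface

    def filter(self, packets):
        kept, dropped = [], []
        for pkt in packets:
            (dropped if self.is_spoofed(pkt) else kept).append(pkt)
        return kept, dropped


# Constructed edge router: two customer networks and a default route upstream.
ROUTES = [
    ("10.1.0.0/16", "cust1"),
    ("10.2.0.0/16", "cust2"),
    ("0.0.0.0/0", "upstream"),
]

# Constructed traffic sample.
SAMPLE = [
    Packet("10.1.4.9", "198.51.100.20", "cust1"),     # legitimate outbound
    Packet("198.51.100.20", "10.1.4.9", "upstream"),  # legitimate inbound
    Packet("10.1.4.9", "198.51.100.20", "upstream"),  # internal src from outside: spoofed
    Packet("198.51.100.20", "10.2.0.5", "cust1"),     # external src from a customer: spoofed
    Packet("10.2.0.5", "10.1.4.9", "cust1"),          # cust2 address on the cust1 link: spoofed
]


def run_sample():
    """Returns the source addresses kept and dropped for the sample traffic."""
    f = RouteBasedFilter(ROUTES)
    kept, dropped = f.filter(SAMPLE)
    return [p.src for p in kept], [p.src for p in dropped]


if __name__ == "__main__":
    kept, dropped = run_sample()
    print("kept:   ", kept)
    print("dropped:", dropped)
```

The third and fourth sample packets are the classic ingress and egress cases; the fifth shows that the check also catches spoofing between two customer networks of the same router, which a plain "internal versus external" rule would miss.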

Stanislaw Jarecki, "Secret Handshakes"

November 30, 2005 05:00 - 53 minutes - 154 MB Video

Secret Handshake is an authentication protocol with a non-standard and strong anonymity property: namely, the secrecy of the *affiliations* (i.e. the certificates) of party A who engages in this authentication protocol with party B will be protected against any B* (i.e. a malicious party which pretends to be B) who does not meet A's authentication criteria. This strong secrecy and anonymity protection turns out to be possible, and quite efficiently so, based on various standard cryptographic ...

Shouhuai Xu, "Privacy-preserving Policy-driven Access Control with Mixed Credentials"

November 16, 2005 05:00 - 47 minutes - 105 MB Video

Access control in decentralized systems is an important problem that has not been fully understood, except perhaps that it should be based on credentials. There are mainly two research approaches towards this goal: one is to pursue powerful individual credentials yet without necessarily considering flexible access control policies, the other is to consider flexible policies yet without necessarily accommodating the useful credential schemes that have become available. This paper propo...

Anna Squicciarini, "Privacy and Anonymity in Trust Negotiations"

November 09, 2005 05:00 - 45 minutes - 220 MB Video

Trust negotiation is an emerging approach for establishing trust in open systems, where sensitive interactions may often occur between entities with no prior knowledge of each other. Although several proposals today exist of systems for the management of trust negotiation, none of them provides a comprehensive approach to the problem of privacy preservation. Trust negotiation systems, however, by their very nature may represent a threat to privacy. Credentials, exchanged during negotiations, ...

Bryant G. Tow, A Demonstration in the Need for a Layered Security Model

October 26, 2005 04:00 - 1 hour - 219 MB Video

About the speaker: Bryant has over 15 years of experience in the IT industry both as an entrepreneur and corporate executive and has successfully built 3 high tech companies. As the current Director of Managed Security Services - North America for Unisys Corp., Bryant is responsible for all aspects of growing the security business including: thought leadership in the area of security strategy and planning, development of the security solutions, go to market strategies and the quality of delive...

Dr. Angelos D. Keromytis, "Toward Self-healing Software"

October 19, 2005 04:00 - 50 minutes - 204 MB Video

As systems grow in size and complexity, our ability to protect them through manual intervention or static defenses degrades. We believe that, in addition to proper design principles and proactive mechanisms, automated reactive approaches must be employed to close the gap in the attacker vs. defender capabilities. Toward this goal, we have been examining the possibility of software systems that self-diagnose and repair themselves in the presence of previously unknown attacks and failures, with...

Dan Massey, "Securing the Internet's Domain Name System"

October 05, 2005 04:00 - 45 minutes - 102 MB Video

This talk considers security challenges facing the Internet's Domain Name System (DNS). The DNS is one of the most widely used and least secure Internet systems. Virtually every Internet application relies on the DNS to convert names into IP addresses, and the DNS provides a wide range of other critical mappings such as identifying mail servers and locating services. But despite its importance, the original DNS design gave very little thought to security and a variety of misdirection an...

Ting Yu, "A Framework for Identifying Compromised Nodes in Sensor Networks"

September 21, 2005 04:00 - 51 minutes - 183 MB Video

Sensor networks are vulnerable to physical attacks. Once a node's cryptographic key is compromised, an attacker may completely impersonate it, and introduce arbitrary false information into the network. Most existing techniques focus on detecting and tolerating false information introduced by compromised nodes. They cannot pinpoint exactly where the false information is introduced and who is responsible for it. We propose an application-independent framework for identifying compromised senso...

Peter Bajcsy, "Toward Hazard Aware Spaces: Knowing Where, When and What Hazards Occur"

September 14, 2005 04:00 - 211 MB Video

While considering all existing hazards for humans due to (a) natural disastrous events, (b) failures of human hazard attention or (c) intentional harmful behaviors of humans, we address the problem of building hazard aware spaces (HAS) to alert innocent people. We have researched and developed components of a prototype HAS system for detecting fire using wireless "smart" micro electro-mechanical systems (MEMS) sensors, such as the MICA sensors, and spectral cameras, for instance, the...
