CERIAS Weekly Security Seminar - Purdue University

Abe Baggili, "Immersive Virtual Insanity: Exploring Immersive Virtual Reality Security and Forensics"

The Virtual Reality (VR) market could surpass $ 40 Billion by 2020. The U.S. Military recently closed a deal worth $ 480 Million for the Microsoft HoloLens Mixed Reality (MR) device. Oculus has already released the first immersive VR system that is mobile with no wires and no need for a high-end gaming PC for $399. While these are exciting times, an important question needs to be investigated: Are we ensuring the security and privacy of these systems? In this talk I will present v...

Morgan Princing, "Identifying Security Risks Using Internet-Wide Scan Data"

In this talk, we’ll explore how internet scan data layered with different open-source tools can start to make sense of what is publicly exposed and potentially a threat.  Predominantly, we’ll focus on three investigations:   1. how to find attacker infrastructure, using IOCs from MITRE and Web Application Logs 2. how to identify trends in common misconfigurations and vulnerabilities 3. how to find assets related to your organization  Throughout the talk, we’ll identify and use risk indi...

Morgan Princing, Identifying Security Risks Using Internet-Wide Scan Data

In this talk, we'll explore how internet scan data layered with different open-source tools can start to make sense of what is publicly exposed and potentially a threat.  Predominantly, we'll focus on three investigations:  1. how to find attacker infrastructure, using IOCs from MITRE and Web Application Logs2. how to identify trends in common misconfigurations and vulnerabilities3. how to find assets related to your organization Throughout the talk, we'll identify and use risk indicators to ...

Sriharsha Etigowni, Contactless Control Flow Monitoring via Electromagnetic Emanations

Trustworthy operation of industrial control systems depends on secure and real-time code execution on the embedded programmable logic controllers (PLCs). The controllers monitor and control the critical infrastructures, such as electric power grids and healthcare platforms,and continuously report back the system status to human operators. This talk is about Zeus, a contactless embedded controller security monitor solution that will ensure its execution control flow integrity. Zeus leverages t...

Sriharsha Etigowni, "Contactless Control Flow Monitoring via Electromagnetic Emanations"

Trustworthy operation of industrial control systems depends on secure and real-time codeexecution on the embedded programmable logic controllers (PLCs). The controllers monitorand control the critical infrastructures, such as electric power grids and healthcare platforms,and continuously report back the system status to human operators. This talk is about Zeus, acontactless embedded controller security monitor solution that will ensure its execution controlflow integrity. Zeus leverag...

Boyang Wang, Fingerprinting Encrypted Voice Commands on Smart Speakers

Smartspeakers, such as Amazon Echo, have been adopted by millions of users. However,the privacy impacts of smart speakers have not been well examined. We investigatethe privacy leakage of smart speakers under an encrypted traffic analysisattack, referred to as voice command fingerprinting. In this attack, anadversary eavesdrops encrypted voice traffic from and to a smart speaker andinfers which voice command a user says without decrypting encrypted traffic. Wedesign our attacks based on neura...

Boyang Wang, "Fingerprinting Encrypted Voice Commands on Smart Speakers"

Smartspeakers, such as Amazon Echo, have been adopted by millions of users. However,the privacy impacts of smart speakers have not been well examined. We investigatethe privacy leakage of smart speakers under an encrypted traffic analysisattack, referred to as voice command fingerprinting. In this attack, anadversary eavesdrops encrypted voice traffic from and to a smart speaker andinfers which voice command a user says without decrypting encrypted traffic. Wedesign our attacks based on neu...

Mohsen Minaei, Forgetting the Forgotten: Conceal Content Deletions from Persistent Observers

Most social platforms offer mechanisms allowing users to delete their posts, and a significant fraction of users exercise this right to be forgotten. However, ironically, users' attempt to reduce attention to sensitive posts via deletion, in practice, attracts unwanted attention from stalkers specifically to those (deleted) posts. Thus, deletions may leave users more vulnerable to attacks on their privacy in general. Users hoping to make their posts forgotten face a "damned if I do, damned if...

Mohsen Minaei, "Forgetting the Forgotten: Conceal Content Deletions from Persistent Observers"

Most social platforms offer mechanisms allowing users to delete their posts, and a significant fraction of users exercise this right to be forgotten. However, ironically, users’ attempt to reduce attention to sensitive posts via deletion, in practice, attracts unwanted attention from stalkers specifically to those (deleted) posts. Thus, deletions may leave users more vulnerable to attacks on their privacy in general. Users hoping to make their posts forgotten face a “damned if I do, d...

Celeste Paul, Hacking Stressed: Frustration, burnout, and the pursuit of happiness

Anyone in this business knows how fun and exciting hacking can be, but also the emotional and physical toll it can take. Mental health is a longstanding dirty secret in the infosec community, and we are just now learning how to talk about it. The wear and tear of everyday stress combined with an 'always on' aspect of an operational environment creates a perfect storm for burning out. While stress can have a negative impact on job performance, my primary concern is on the health and safety of ...

Celeste Paul, "Hacking Stressed: Frustration, burnout, and the pursuit of happiness"

Anyone in this business knows how fun and exciting hacking can be, but also the emotional and physical toll it can take. Mental health is a longstanding dirty secret in the infosec community, and we are just now learning how to talk about it. The wear and tear of everyday stress combined with an 'always on' aspect of an operational environment creates a perfect storm for burning out. While stress can have a negative impact on job performance, my primary concern is on the health and sa...

James Cole, "Securing the Internet of Things"

The Internet of Things (IOT) is a potential massive market. However, the deployment of IOT brings forth many challenges across the dimensions of the business side (efficient supply chain) as well as the technical side (secure deployment). In order for the IOT promise to deliver massive volume, the marketplace must have secure, efficient, and effective ways to deploy and secure billions of devices in the market. The security threats to end points and devices has never been greater and ...

James Cole, Securing the Internet of Things

The Internet of Things (IOT) is a potential massive market. However, the deployment of IOT brings forth many challenges across the dimensions of the business side (efficient supply chain) as well as the technical side (secure deployment). In order for the IOT promise to deliver massive volume, the marketplace must have secure, efficient, and effective ways to deploy and secure billions of devices in the market. The security threats to end points and devices has never been greater and will ...

Mitch Parker, Bitcoin and other dreams of utopian thinking-what happens when they meet reality?

Cryptocurrencies are the latest in a series of market bubbles that demonstrate irrational exuberance. In this lecture, Mitch Parker, CISO of IU Health, will go over previous market bubbles, and compare and contrast the differences between the security controls in two peer to peer exchange methods, the current US federal banking system, and Bitcoin. Through this, Mitch will demonstrate the need to have security built into both the technical and non-technical controls of a financial system, a...

Mitch Parker, "Bitcoin and other dreams of utopian thinking-what happens when they meet reality?"

Cryptocurrencies are the latest in a series of market bubbles that demonstrate irrational exuberance. In this lecture, Mitch Parker, CISO of IU Health, will go over previous market bubbles, and compare and contrast the differences between the security controls in two peer to peer exchange methods, the current US federal banking system, and Bitcoin. Through this, Mitch will demonstrate the need to have security built into both the technical and non-technical controls of a financial sys...

Leon Ravenna, "Your Privacy has been Breached"

GDPR/ NYDFS/ CCPA and other State, Federal and Supra-regional regulations coming online quickly. Governments are driving Security, Privacy & Compliance throughout the world. Since there is not an overriding set of Federal laws such as GLBA, many organizations in the US are unprepared for the upcoming deluge of regulations. Gain an understanding of what is coming and learn ways that you can help future organizations cope with and plan for a “50 States” strategy in an uncertain future. ...

Leon Ravenna, Your Privacy has been Breached

GDPR/ NYDFS/ CCPA and other State, Federal and Supra-regional regulations coming online quickly. Governments are driving Security, Privacy & Compliance throughout the world. Since there is not an overriding set of Federal laws such as GLBA, many organizations in the US are unprepared for the upcoming deluge of regulations. Gain an understanding of what is coming and learn ways that you can help future organizations cope with and plan for a "50 States" strategy in an uncertain future. As w...

Andrew Rozema, 'Networking' Skills for Cybersecurity

Sure, you may know how to subnet a class "C" network into 64 different networks, but how about where to go to learn about technology that has yet to make it into a textbook? Or to find your next job? Or just somewhere where you can commensurate with someone who understands what you mean when you say, "That APT left the MSSP DOA!" This presentation will outline the OSINT and TTP's cyber security practitioners use in industry to connect, build, and maintain networks, with an eye towards how Boi...

Andrew Rozema, "'Networking' Skills for Cybersecurity"

Sure, you may know how to subnet a class "C" network into 64 different networks, but how about where to go to learn about technology that has yet to make it into a textbook? Or to find your next job? Or just somewhere where you can commensurate with someone who understands what you mean when you say, "That APT left the MSSP DOA!" This presentation will outline the OSINT and TTP's cyber security practitioners use in industry to connect, build, and maintain networks, with an eye towards...

Chet Hosmer, Forensic Identification of Fake Digital Photographs

The global impact resulting from the distribution of doctored digital photographs has reached an epidemic proportion. These digitally altered photos are distributed through social media, news outlets, traditional web resources and are making their way into the mainstream media. The impact of these photos can dramatically change the way people think, act, react, believe and can ultimately cause harm. At the simplest level they represent visual fraud.During this presentation, I will convey re...

Chet Hosmer, "Forensic Identification of Fake Digital Photographs"

The global impact resulting from the distribution of doctored digital photographs has reached an epidemic proportion. These digitally altered photos are distributed through social media, news outlets, traditional web resources and are making their way into the mainstream media. The impact of these photos can dramatically change the way people think, act, react, believe and can ultimately cause harm. At the simplest level they represent visual fraud. During this presentation, I will c...

Chris Jenkins, Moving Target Defense for a Serial Communication Protocol

Nation-state adversaries have shown the ability to disrupt critical infrastructure through cyber-attacks targeting systems of networked, embedded computers. This knowledge raises concern that space systems could face similar threats. This project will research and develop moving target defense algorithms that will add cyber resilience to space systems by improving their ability to withstand cyber-attacks. Most proposed cyber resilience solutions focus on or require detection of threats before...

Chris Jenkins, "Moving Target Defense for a Serial Communication Protocol"

Nation-state adversaries have shown the ability to disrupt critical infrastructure through cyber-attacks targeting systems of networked, embedded computers. This knowledge raises concern that space systems could face similar threats. This project will research and develop moving target defense algorithms that will add cyber resilience to space systems by improving their ability to withstand cyber-attacks. Most proposed cyber resilience solutions focus on or require detection of threat...

Aritra Mitra, A New Approach to Distributed Hypothesis Testing and Non-Bayesian Learning: Improved Learning Rate and Byzantine Resilience

Consider a scenario where a group of agents, each receiving partially informative private signals, aim to learn the true underlying state of the world that explains their collective observations. These agents might represent a group of individuals interacting over a social network, a team of autonomous robots tasked with detection, or even a network of processors trying to collectively solve a statistical inference problem. To enable such agents to identify the truth from a finite set of hypo...

Aritra Mitra, "A New Approach to Distributed Hypothesis Testing and Non-Bayesian Learning: Improved Learning Rate and Byzantine Resilience"

Consider a scenario where a group of agents, each receiving partially informative private signals, aim to learn the true underlying state of the world that explains their collective observations. These agents might represent a group of individuals interacting over a social network, a team of autonomous robots tasked with detection, or even a network of processors trying to collectively solve a statistical inference problem. To enable such agents to identify the truth from a finite set...

Luke Butcher, "Connected Intelligence"

While made famous for the work that was done on the physical plastic cards many of carry around in our wallets, Mastercard is thinking way beyond those cards for the future. We’ll walk through how Mastercard deploys its assets creating simple, safe and secure experiences for customers whether it is for payments or their identities.

Luke Butcher, Connected Intelligence

While made famous for the work that was done on the physical plastic cards many of carry around in our wallets, Mastercard is thinking way beyond those cards for the future.We'll walk through how Mastercard deploys its assets creating simple, safe and secure experiences for customers whether it is for payments or their identities.

Steve Lodin, "The Golden Rules of Security and Assurance"

This session provides observations regarding the process of moving the datacenter assets of a Top100 bank fully into the cloud. The Golden Rules providing security and assurance will be described. The gotchas, surprises, lessons learned, and resulting strategic changes are presented to raise awareness and prevent future mistakes by attendees.

Steve Lodin, The Golden Rules of Security and Assurance

This session provides observations regarding the process of moving the datacenter assets of a Top100 bank fully into the cloud. The Golden Rules providing security and assurance will be described. The gotchas, surprises, lessons learned, and resulting strategic changes are presented to raise awareness and prevent future mistakes by attendees. About the speaker: Steve Lodin is the Senior Director of Cyber Security Operations in Corporate Security at Sallie Mae. Mr. Lodin is focused on managing...

Eugene Spafford, "Rethinking Cyber Security"

Despite over 50 years of intensive research and experimentation, we still are plagued with systems that are fragile, compromised, and impossible to fully trust. There is near-daily news of compromises and losses, from criminals, nation-state actors, and vandals. The cyber ecosystem we have developed and upon which society is increasingly reliant appears to develop (or have exposed) a new vulnerability as soon as a current one is patched, and old problems keep being introduced. Why do...

Eugene Spafford, Rethinking Cyber Security

Despite over 50 years of intensive research and experimentation, we still are plagued with systems that are fragile, compromised, and impossible to fully trust. There is near-daily news of compromises and losses, from criminals, nation-state actors, and vandals. The cyber ecosystem we have developed and upon which society is increasingly reliant appears to develop (or have exposed) a new vulnerability as soon as a current one is patched, and old problems keep being introduced. Why do we hav...

Lauren Featherstun, Shivam Trivedi, Brian Werts, Erik Gough, "The Purdue Live Security Analyzer (PULSAR)"

As more disciplines leverage computational and data-driven modeling, the security of campus cyberinfrastructure is becoming increasingly important in order to protect intellectual property and secure a competitive advantage for researchers. Funded by the NSF Cybersecurity Innovation for Cyberinfrastructure (CICI) program, the Purdue Live Security Analyzer (PULSAR) project aims to enhance the cybersecurity of Purdue’s campus cyberinfrastructure by developing a cyber attack detection an...

Lauren Featherstun, Shivam Trivedi, Brian Werts, Erik Gough, The Purdue Live Security Analyzer (PULSAR)

As more disciplines leverage computational and data-driven modeling, the security of campus cyberinfrastructure is becoming increasingly important in order to protect intellectual property and secure a competitive advantage for researchers. Funded by the NSF Cybersecurity Innovation for Cyberinfrastructure (CICI) program, the Purdue Live Security Analyzer (PULSAR) project aims to enhance the cybersecurity of Purdue's campus cyberinfrastructure by developing a cyber attack detection and respon...

Robert Mundt, "Protecting your online Identity in a world of modern application architecture"

Learn about common attacks against online accounts, ways to protect your accounts against malicious actors, and the next generation of Identity standards and application architecture.

Robert Mundt, Protecting your online Identity in a world of modern application architecture

Learn about common attacks against online accounts, ways to protect your accounts against malicious actors, and the next generation of Identity standards and application architecture. About the speaker: Rob Mundt, is an Enterprise Security Architect at Eli Lilly and Company focused on the identity domain. Rob has been at Lilly for 18 years with a majority of that time focused on information security. Rob graduated from Purdue University in 2001 with a degree in Computer Technology with a fo...

Jim Routh, "The Rise of Unconventional Security Controls"

Jim Routh, The Rise of Unconventional Security Controls

About the speaker: Jim Routh is the Chief Security Officer for CVS Health and leads the Global Security function focused on cyber security for CVS Health businesses and converged security for the Aetna business division. He is former CSO for Aetna and the former Chair of the H-ISAC Board. He serves as a member of the Advisory Board of the ClearSky Security Fund. He was formerly the Global Head of Application & Mobile Security for JP Morgan Chase. Prior to that he was the CISO for KPMG, DTCC ...

Krishna Kavi, "Hardware Cybersecurity Attacks and Some Solutions"

Recent reports on how side-channel attacks can be used to obtain secret information stored in Cache memories and how current processors that rely on speculative execution of code aids in these side-channel attacks have caught the attention of everyone. Names such as Spectre and Meltdown describe how a well-resourced attacker can discover secret information such as passwords and cyber keys. Since these attacks are applicable most to current processors, made by Intel, AMD and ARM; almos...

Krishna Kavi, Hardware Cybersecurity Attacks and Some Solutions

Recent reports on how side-channel attacks can be used to obtain secret information stored in Cache memories and how current processors that rely on speculative execution of code aids in these side-channel attacks have caught the attention of everyone. Names such as Spectre and Meltdown describe how a well-resourced attacker can discover secret information such as passwords and cyber keys. Since these attacks are applicable most to current processors, made by Intel, AMD and ARM; almost all c...

Wei Jiang, "Efficient and Constant-Round Secure Comparison through Function Transformation, Dynamic Group Switching and Asymmetric Computation"

Within recent years, secure comparison protocols have been proposed using binary decomposition and properties of algebraic fields. These protocols have become increasingly efficient, but their performance has seemingly reached a plateau. We propose a new approach to this problem that transforms the comparison function into comparing specialized summations and takes advantage of dynamically switching domains of secret shares and asymmetric computations for intermediate calculations amo...

Wei Jiang, Efficient and Constant-Round Secure Comparison through Function Transformation, Dynamic Group Switching and Asymmetric Computation

Within recent years, secure comparison protocols have been proposed using binary decomposition and properties of algebraic fields. These protocols have become increasingly efficient, but their performance has seemingly reached a plateau. We propose a new approach to this problem that transforms the comparison function into comparing specialized summations and takes advantage of dynamically switching domains of secret shares and asymmetric computations for intermediate calculations among the p...

Wei Jiang, " Efficient and Constant-Round Secure Comparison through Function Transformation, Dynamic Group Switching and Asymmetric Computation"

Within recent years, secure comparison protocols have been proposed using binary decomposition and properties of algebraic fields. These protocols have become increasingly efficient, but their performance has seemingly reached a plateau. We propose a new approach to this problem that transforms the comparison function into comparing specialized summations and takes advantage of dynamically switching domains of secret shares and asymmetric computations for intermediate calculations amo...

Sathish Kumar, "Securing IoT-based Cyber-Physical Human Systems against diverse attacks"

In this talk the concept of Cyber Physical Human Systems security in the context of aviation systems will be introduced. The talk will also cover the proposed security framework involving the detecting and responding to the attacks. In addition, the talk will describe the results of vulnerability assessment experiments from Aviations Cyber-Physical Systems pespective and the simulation experiments conducted for several attacks in the context of Internet of Things (IoT).

Sathish Kumar, Securing IoT-based Cyber-Physical Human Systems against diverse attacks

In this talk the concept of Cyber Physical Human Systems security in the context of aviation systems will be introduced. The talk will also coverthe proposed security framework involving the detecting and responding to the attacks. In addition, the talk will describe the results of vulnerability assessment experiments from Aviations Cyber-Physical Systems pespective and the simulation experiments conducted for several attacks in the context of Internet of Things (IoT). About the speaker: Dr. ...

Charles Kamhoua, Game Theoretic Modeling of Cyber Deception in the Internet of Battlefield Things

Most sophisticated cyber attack follow the well-known cyber kill chain. The first step of the cyber kill chain is the reconnaissance phase where attacker probe the network in search of weakness, misconfiguration, vulnerabilities, and identify potential targets before the actual attack start. To this end, the attacker need to collect important information about the characteristics of each devices (i.e., hardware, operating system, applications), the network topology, the different subnet, fire...

Charles Kamhoua, "Game theoretic modeling of cyber deception in the Internet of Battlefield Things"

Most sophisticated cyber attack follow the well-known cyber kill chain. The first step of the cyber kill chain is the reconnaissance phase where attacker probe the network in search of weakness, misconfiguration, vulnerabilities, and identify potential targets before the actual attack start. To this end, the attacker need to collect important information about the characteristics of each devices (i.e., hardware, operating system, applications), the network topology, the different subn...

Bowei Xi, A Game Theoretic Approach for Adversarial Machine Learning -- When Big Data Meets Cyber Security

Nowadays more and more data are gathered for detecting andpreventing cyber attacks. Unique to the cyber securityapplications, learning models face active adversaries that try todeceive learning models and avoid being detected. Hence futuredatasets and the training data no longer follow the samedistribution. The existence of such adversarial samplesmotivates the development of robust and resilient adversariallearning techniques. Game theory offers a suitable framework tomodel the conflict betw...

Bowei Xi, "A Game Theoretic Approach for Adversarial Machine Learning -- When Big Data Meets Cyber Security"

Nowadays more and more data are gathered for detecting and preventing cyber attacks. Unique to the cyber security applications, learning models face active adversaries that try to deceive learning models and avoid being detected. Hence future datasets and the training data no longer follow the same distribution. The existence of such adversarial samples motivates the development of robust and resilient adversarial learning techniques. Game theory offers a suitable framework to ...

Meng Yu, Protection against Compromised Operating Systems on ARM Cortex-A Architecture

ARM possessors are being widely used on mobile devices and smart IoT devices. Despite the best efforts, an operating system is too hard to be absolutely secured on both x86 and ARM platforms. We addresse the problem of executing an unmodified application in a compromised OS for ARM platforms. Existing protection mechanisms mainly focus on x86 platform, utilizing SGX of Intel Processors or a hypervisor which is running below an operating system. However, SGX is not available for ARM platform, ...

Meng Yu, "Protection against Compromised Operating Systems on ARM Cortex-A Architecture"

ARM possessors are being widely used on mobile devices and smart IoT devices. Despite the best efforts, an operating system is too hard to be absolutely secured on both x86 and ARM platforms. We addresse the problem of executing an unmodified application in a compromised OS for ARM platforms. Existing protection mechanisms mainly focus on x86 platform, utilizing SGX of Intel Processors or a hypervisor which is running below an operating system. However, SGX is not available for ARM pl...