CERIAS Weekly Security Seminar - Purdue University

David Ebert, Trustable Information for Security Applications: Visual Analytics for Reliable, Effective Decision Making

Information, not just data, is key to today's security challenges. To solve these security challenges requires not only advancing computer science and big data analytics but requires new analysis and decision-making environments that enable reliable, decisions from trustable, understandable information. These environments are successful when they effectively couple human decision making with advanced, guided analytics in human-computer collaborative discourse and decision making (HCCD). Our ...

David Ebert, "Trustable Information for Security Applications: Visual Analytics for Reliable, Effective Decision Making"

Information, not just data, is key to today’s security challenges. To solve these security challenges requires not only advancing computer science and big data analytics but requires new analysis and decision-making environments that enable reliable, decisions from trustable, understandable information. These environments are successful when they effectively couple human decision making with advanced, guided analytics in human-computer collaborative discourse and decision making (HCCD...

Sanjay Madria, Secure Information Forwarding through Fragmentation in Delay- tolerant Networks

In application environments like international military coalitions or multi-party relief work in a disaster zone, passing secure messages using a Delay Tolerant Network (DTN) is challenging because the existing public-private key cryptographic approaches may not be always accessible across different groups due to the unavailability of Public Key Infrastructure (PKI). In addition, connectivity may be intermittent so finding reliable routes is also difficult. Thus, instead of sending a complete...

Sanjay Madria, "Secure Information Forwarding through Fragmentation in Delay- tolerant Networks"

In application environments like international military coalitions or multi-party relief work in a disaster zone, passing secure messages using a Delay Tolerant Network (DTN) is challenging because the existing public-private key cryptographic approaches may not be always accessible across different groups due to the unavailability of Public Key Infrastructure (PKI). In addition, connectivity may be intermittent so finding reliable routes is also difficult. Thus, instead of sending a ...

Chris Clifton, A Data Privacy Primer

One of the reasons we care about information security is protectingprivacy, and satisfying requirements of privacy law. But whatexactly is meant by privacy? Is security sufficient to provideprivacy? This talk looks at some background on data privacy,and techniques for privacy protection including anonymity anddifferential privacy.

Chris Clifton, "A Data Privacy Primer"

One of the reasons we care about information security is protecting privacy, and satisfying requirements of privacy law. But what exactly is meant by privacy? Is security sufficient to provide privacy? This talk looks at some background on data privacy, and techniques for privacy protection including anonymity and differential privacy.

Haotian Deng, CEIVE: Combating Caller ID Spoofing on 4G Mobile Phones Via Callee-Only Inference & Verification

Caller ID spoofing forges the authentic caller identity, thus making the call appear to originate from another user. In this paper, we propose CEIVE (Callee-only inference and verification), an effective and practical defense against caller ID spoofing. It is a victim callee only solution without requiring additional infrastructure support or changes on telephony systems. We implement CEIVE on Android phones and test it with all top four US mobile carriers, one landline and two small carriers...

Haotian Deng, "CEIVE: Combating Caller ID Spoofing on 4G Mobile Phones Via Callee-Only Inference & Verification"

Caller ID spoofing forges the authentic caller identity, thus making the call appear to originate from another user. In this paper, we propose CEIVE (Callee-only inference and verification), an effective and practical defense against caller ID spoofing. It is a victim callee only solution without requiring additional infrastructure support or changes on telephony systems. We implement CEIVE on Android phones and test it with all top four US mobile carriers, one landline and two small ...

Yousra Aafer, "Normalizing Diverse Android Access Control Checks for Inconsistency Detection"

Access control systems are known to be vulnerable to anomalies in security policies, such as inconsistency. Android Security model is no exception. This talk presents a new approach aiming to unveil Android inconsistent access controls enforced across multiple instances of the same resource. ​To address the complex nature of Android security checks (e.g., semantic similarity of syntactically different enforcements), the presented approach detects inconsistencies through modeling and n...

Yousra Aafer, Normalizing Diverse Android Access Control Checks for Inconsistency Detection

Access control systems are known to be vulnerable to anomalies in security policies, such as inconsistency. Android Security model is no exception. This talk presents a new approach aiming to unveil Android inconsistent access controls enforced across multiple instances of the same resource. ​To address the complex nature of Android security checks (e.g., semantic similarity of syntactically different enforcements), the presented approach detects inconsistencies through modeling and normaliz...

James Lerums, "Developing a Public/Private Cybersecurity Scorecard for the State of Indiana"

How do you assess the cybersecurity status of public and private organization in a State? The NIST has a comprehensive framework for assessing cybersecurity but for small companies with limited expertise or funding, this process is not possible to reasonably complete. Indiana Governor’s Executive Council on Cybersecurity and Purdue University collaborated in conducting a Cybersecurity Scorecard Pilot to aid the improvements in cybersecurity across their state. The Cybersecurity Scorecard in...

James Lerums, Developing a Public/Private Cybersecurity Scorecard for the State of Indiana

How do you assess the cybersecurity status of public and private organization in a State? The NIST has a comprehensive framework for assessing cybersecurity but for small companies with limited expertise or funding, this process is not possible to reasonably complete. Indiana Governor's Executive Council on Cybersecurity and Purdue University collaborated in conducting a Cybersecurity Scorecard Pilot to aid the improvements in cybersecurity across their state. The Cybersecurity Scorecard incl...

Courtney Falk, Enemy Perspectives: When Nation-States Meet Cybercriminals

Threat intelligence is interested in the entire kill chain from tools to victims. Chief among these interests are the threat actors themselves who carry out attacks and campaigns. Many different schemes exist on how to classify differet types of threat actors in order to more easily describe and understand them. This presentation focuses on the nation-state and cybercriminal classes of threat actors, how they differ, and how they overlap. Real world examples are provided to illustrate new...

Courtney Falk, "Enemy Perspectives: When Nation-States Meet Cybercriminals"

Threat intelligence is interested in the entire kill chain from tools to victims. Chief among these interests are the threat actors themselves who carry out attacks and campaigns. Many different schemes exist on how to classify differet types of threat actors in order to more easily describe and understand them. This presentation focuses on the nation-state and cybercriminal classes of threat actors, how they differ, and how they overlap. Real world examples are provided to illustrate...

Jason Ortiz, IoT Security: Living on the Edge

This talk will explore the enormous threat landscape presented by the IoT ecosystem and examine the state of IoT security with a bit of humor. We will look at everything from individual devices, to conceptual challenges, as well as potential solutions to the most challenging security question we have ever had to answer. About the speaker: Jason is Sr. Integration Engineer and has worked in related roles for 9 years since graduating from Purdue University with a BS in Computer Science in 2009....

Jason Ortiz, "IoT Security: Living on the Edge"

This talk will explore the enormous threat landscape presented by the IoT ecosystem and examine the state of IoT security with a bit of humor. We will look at everything from individual devices, to conceptual challenges, as well as potential solutions to the most challenging security question we have ever had to answer.

Meng Xu, "Precise and Scalable Detection of Double-Fetch Bugs in Kernels"

During system call execution, it is common for operating system kernels to read userspace memory multiple times (multi-reads). A critical bug may exist if the fetched userspace memory is subject to change across these reads, i.e., a race condition, which is known as a double-fetch bug. Prior works have attempted to detect these bugs both statically and dynamically. However, due to their improper assumptions and imprecise definitions regarding double-fetch bugs, their multiread detecti...

Meng Xu, Precise and Scalable Detection of Double-Fetch Bugs in Kernels

During system call execution, it is common for operating system kernels to read userspace memory multiple times (multi-reads). A critical bug may exist if the fetched userspace memory is subject to change across these reads, i.e., a race condition, which is known as a double-fetch bug. Prior works have attempted to detect these bugs both statically and dynamically. However, due to their improper assumptions and imprecise definitions regarding double-fetch bugs, their multiread detection is in...

Mark Loepker, "80/20 Rule-Cyber Hygiene"

Hygiene - it's good for your body and it's good for your computer/network. We will explore the simplicity of cyber hygiene and the insider/outsider threats that take advantage of poor hygiene. It is all a matter of focus and attention to threat actors. In addition, we will introduce you to the Cyber Center for Education and Innovation, Home of the National Cryptologic Museum (CCEI-NCM). This is a unique national value proposition to bring together cybersecurity education and invite co...

Mark Loepker, 80/20 Rule-Cyber Hygiene

Hygiene - it's good for your body and it's good for your computer/network. We will explore the simplicity of cyber hygiene and the insider/outsider threats that take advantage of poor hygiene. It is all a matter of focus and attention to threat actors. In addition, we will introduce you to the Cyber Center for Education and Innovation, Home of the National Cryptologic Museum (CCEI-NCM). This is a unique national value proposition to bring together cybersecurity education and invite collab...

Ryan Goldsberry, Applied Cyber and Mobile Security Consulting

Cyber security for increasingly mobile clients is an increasing and never ending challenge. Companies of the future are adopting agile systems and cross-functional processes to respond to these challenges. About the speaker: Mr. Goldsberry is a Specialist Leader in Deloitte's Transportation Strategy and Operations group. Ryan has over 20 years of leadership experience in industrial and automotive companies. He uses his background in both Strategic Marketing and Supply Chain to assist clients ...

Ryan Goldsberry, "Applied Cyber and Mobile Security Consulting"

Cyber security for increasingly mobile clients is an increasing and never ending challenge. Companies of the future are adopting agile systems and cross-functional processes to respond to these challenges.

Jessy Irwin, "Double the Factors, Double the Fails: How Usability Obstacles Impact Adoption of Strong Authentication Habits"

Jessy Irwin, Double the Factors, Double the Fails: How Usability Obstacles Impact Adoption of Strong Authentication Habits

About the speaker: Jessy Irwin is Head of Security at Tendermint, where she excels at translating complex cybersecurity problems into relatable terms, and is responsible for developing, maintaining and delivering comprehensive security strategy that supports and enables the needs of her organization and its people. Prior to her role at Tendermint, she worked to solve security obstacles for non-expert users as a strategic advisor, security executive, consultant and former Security Empress at ...

Shiqing Ma, Kernel-Supported Cost-Effective Audit Logging for Causality Tracking

The Linux Audit system is widely used as a causality tracking system in real-world deployments for problem diagnosis and forensic analysis. However, it has poor performance. We perform a comprehensive analysis on the Linux Audit system and find that it suffers from high runtime and storage overheads due to the large volume of redundant events. To address these shortcomings, we propose an in-kernel cache-based online log-reduction system to enable high-performance audit logging. It features a ...

Shiqing Ma, "Kernel-Supported Cost-Effective Audit Logging for Causality Tracking"

The Linux Audit system is widely used as a causality tracking system in real-world deployments for problem diagnosis and forensic analysis. However, it has poor performance. We perform a comprehensive analysis on the Linux Audit system and find that it suffers from high runtime and storage overheads due to the large volume of redundant events. To address these shortcomings, we propose an in-kernel cache-based online log-reduction system to enable high-performance audit logging. It fea...

Jillean Long Battle, "What's Private: Exploring Reasonable Expectation of Privacy in the Age of Modern Innovation"

Millions of people spend their day chatting away on their cellphones, ordering groceries from Amazon’s Alexa, making calendar appointments with Apple’s Siri, or posting on Facebook about the last concert they attended. Sharing our personal information via social media platforms or providing it to third party companies has become so common place in our routines that it begs the question, “What, if anything, in our personal lives is really private?” As we grow more comfortable using mod...

Jillean Long Battle, What's Private: Exploring Reasonable Expectation of Privacy in the Age of Modern Innovation

Millions of people spend their day chatting away on their cellphones, ordering groceries from Amazon's Alexa, making calendar appointments with Apple's Siri, or posting on Facebook about the last concert they attended. Sharing our personal information via social media platforms or providing it to third party companies has become so common place in our routines that it begs the question, "What, if anything, in our personal lives is really private?" As we grow more comfortable using modern tech...

Doug Rapp, Breaching Water Treatment Plants: Lessons Learned from Complex Exercises

US cybersecurity experts determined that Russian hacking group Dragonfly targeted the United States and European utilities with a cyber espionage campaign from 2015 – 2017. This government sponsored group was able to successfully infiltrate core control systems. Cold War espionage methodologies such as "sleeper cells" are now being executed in the cyber domain. Industrial firms including power and water providers have proven to be susceptible to attacks and disruptions that could be used duri...

Doug Rapp, "Breaching Water Treatment Plants: Lessons Learned from Complex Exercises"

US cybersecurity experts determined that Russian hacking group Dragonfly targeted the United States and European utilities with a cyber espionage campaign from 2015 – 2017. This government sponsored group was able to successfully infiltrate core control systems. Cold War espionage methodologies such as “sleeper cells” are now being executed in the cyber domain. Industrial firms including power and water providers have proven to be susceptible to attacks and disruptions that could be u...

Ryan Elkins, "Hacking your security career: strategies that college did not teach me"

The field of Information Security is broad with many career paths. The high demands and low supply for security expertise is constantly in the news. How do we fix this? Many people are either intimidated by security or do not realize that their expertise and talent would be a perfect fit for the security industry even if they are in a different field. This talk will bridge that gap and help identify the opportunities available to you. Common questions will be answered such as how to g...

Ryan Elkins, Hacking Your Security Career: Strategies That College Did Not Teach Me

The field of Information Security is broad with many career paths. The high demands and low supply for security expertise is constantly in the news. How do we fix this? Many people are either intimidated by security or do not realize that their expertise and talent would be a perfect fit for the security industry even if they are in a different field. This talk will bridge that gap and help identify the opportunities available to you. Common questions will be answered such as how to get start...

Abe Clements, "Protecting Bare-metal Embedded Systems from Memory Corruption Attacks"

Embedded systems are used in every aspect of modern life. The Internet of Things is comprised of millions of these interconnected systems many of which are low cost bare-metal systems, executing without an operating system. These systems rarely employ security protections. Their development assumptions of unrestricted access to all memory and instructions and constraints on runtime, energy, and memory makes applying protections particularly challenging. I will present recent two recen...

Abe Clements, Protecting Bare-metal Embedded Systems from Memory Corruption Attacks

Embedded systems are used in every aspect of modern life. The Internet of Things is comprised of millions of these interconnected systems many of which are low cost bare-metal systems, executing without an operating system. These systems rarely employ security protections. Their development assumptions of unrestricted access to all memory and instructions and constraints on runtime, energy, and memory makes applying protections particularly challenging. I will present recent two recent techn...

Cristina Ledezma, DoD Cyber Requirements and Directives

The field of cyber engineering is relatively new as compared to other engineering disciplines such as software, mechanical, and systems. However, as we consistently hear and read about, cyber has rapidly become all-encompassing for every industry, including the Department of Defense. Specifically for DoD and weapons systems, the application of cyber engineering and cyber solutions must account for the entirety of the system life cycle. This requires a cyber test and evaluation strategy be def...

Cristina Ledezma, "DoD Cyber Requirements and Directives"

The field of cyber engineering is relatively new as compared to other engineering disciplines such as software, mechanical, and systems. However, as we consistently hear and read about, cyber has rapidly become all-encompassing for every industry, including the Department of Defense. Specifically for DoD and weapons systems, the application of cyber engineering and cyber solutions must account for the entirety of the system life cycle. This requires a cyber test and evaluation str...

Leon Ravenna, "Personally Identifiable Data and the Specter of Customer Privacy"

As more and more Personally Identifiable data is collected or created, the specter of customer privacy issues are looming large. Enterprises need to take a long hard look at the information they are capturing and determine whether the potential value outweighs the potential risk.  How do your current Privacy practices match up against upcoming laws soon to Europe?  Are you prepared to deal with new laws that with fines up to 4% of global revenue? If not, how do you start?  Are you pre...

Leon Ravenna, Personally Identifiable Data and the Specter of Customer Privacy

As more and more Personally Identifiable data is collected or created, the specter of customer privacy issues are looming large. Enterprises need to take a long hard look at the information they are capturing and determine whether the potential value outweighs the potential risk.  How do your current Privacy practices match up against upcoming laws soon to Europe?  Are you prepared to deal with new laws that with fines up to 4% of global revenue? If not, how do you start?  Are you prepared to...

Debajyoti Das, Anonymity Trilemma : Strong Anonymity, Low Bandwidth Overhead, Low Latency – Choose Two.

Over the last three decades, several anonymous communication (AC) protocols have been proposed towards improving users' privacy over the internet. Among those, the Tor protocol has been particularly successful. Thanks to its low communication latency and low bandwidth overhead, Tor today is employed by millions of users worldwide. Nevertheless, its anonymity is known to be broken in the presence of global adversaries. AC protocols like the dining cryptographers network provide anonymity even ...

Debajyoti Das, "Anonymity Trilemma : Strong Anonymity, Low Bandwidth Overhead, Low Latency – Choose Two."

Over the last three decades, several anonymous communication (AC) protocols have been proposed towards improving users' privacy over the internet. Among those, the Tor protocol has been particularly successful. Thanks to its low communication latency and low bandwidth overhead, Tor today is employed by millions of users worldwide. Nevertheless, its anonymity is known to be broken in the presence of global adversaries. AC protocols like the dining cryptographers network provide anonymi...

Josh Corman, Symposium Closing Keynote - Bits & Bytes, Flesh & Blood, and Adapting for the Next 20 Years

Symposium Closing Keynote - Bits & Bytes, Flesh & Blood, and Adapting for the Next 20 Years About the speaker: Joshua Corman is a Founder of I am The Cavalry (dot org), and formerly served as Chief Strategist for CISA regarding COVID, healthcare, and public safety. He previously served as CSO for PTC, Director of the Cyber Statecraft Initiative for the Atlantic Council, CTO for Sonatype, and other senior roles. He co-founded RuggedSoftware and I am The Cavalry to encourage new security approa...

Chris Reed, Leveraging DevSecOps to Escape the Hamster Wheel of Never-ending Security Fail

Security is often implemented through bolt-on assessments including periodic testing that only happens once in a release or even annually. Manual security processes can no longer keep up in today's fast paced world of agile development, devops and constant vulnerabilities. DevSecOps, or Security as Code, is an approach that allows security staff to multiply resources and increase agility and speed. Executed properly it also provides the audit trail necessary to demonstrate control even in the...

Chris Reed, "Leveraging DevSecOps to Escape the Hamster Wheel of Never-ending Security Fail"

Security is often implemented through bolt-on assessments including periodic testing that only happens once in a release or even annually. Manual security processes can no longer keep up in today's fast paced world of agile development, devops and constant vulnerabilities. DevSecOps, or Security as Code, is an approach that allows security staff to multiply resources and increase agility and speed. Executed properly it also provides the audit trail necessary to demonstrate control e...

Pedro Moreno-Sanchez, Mind Your Credit: Assessing the Health of the Ripple Credit Network

The Ripple credit network has emerged as the payment backbone withindisputable advantages for financial institutions and the remittanceindustry. Ripple's market capitalization is currently third only toBitcoin and Ethereum. Its path-based IOweYou (IOU) settlements acrossdifferent currencies conceptually distinguishes the Ripple blockchainfrom the cryptocurrencies (such as Bitcoin) and makes it highly suitableto an orthogonal yet vast set of applications in the remittance worldand beyond. In t...

Pedro Moreno-Sanchez, "Mind Your Credit: Assessing the Health of the Ripple Credit Network"

The Ripple credit network has emerged as the payment backbone with indisputable advantages for financial institutions and the remittance industry. Ripple’s market capitalization is currently third only to Bitcoin and Ethereum. Its path-based IOweYou (IOU) settlements across different currencies conceptually distinguishes the Ripple blockchain from the cryptocurrencies (such as Bitcoin) and makes it highly suitable to an orthogonal yet vast set of applications in the remittance w...

Nathan Burrow, "CFIXX -- Object Type Integrity for C++"

C++ relies on object type information for dynamic dispatch and casting. The association of type information to an object is implemented via the virtual table pointer, which is stored in the object itself. As C++ has neither memory nor type safety, adversaries may therefore overwrite an object’s type. If the corrupted type is used for dynamic dispatch, the attacker has hijacked the application’s control flow. This vulnerability is widespread and commonly exploited. Firefox, Chrome, and...

Nathan Burrow, CFIXX -- Object Type Integrity for C++

C++ relies on object type information for dynamic dispatch and casting. The association of type information to an object is implemented via the virtual table pointer, which is stored in the object itself. As C++ has neither memory nor type safety, adversaries may therefore overwrite an object's type. If the corrupted type is used for dynamic dispatch, the attacker has hijacked the application's control flow. This vulnerability is widespread and commonly exploited. Firefox, Chrome, and other m...

Courtney Falk, Threats and Risks in Cryptocurrencies

Cryptocurrencies have exploded in popularity in the last few years. These cryptographic systems aim to provide freedom from government-backed fiat currencies. This presentation examines the traditional and novel risks to cryptocurrency systems. Special attention is paid to documented attacks on cryptocurrency infrastructure, criminal use of cryptocurrencies, and the policies affecting cryptocurrency systems. About the speaker: Dr. Courtney Falk is an information security professional with ...

Courtney Falk, "Threats and Risks in Cryptocurrencies"

Cryptocurrencies have exploded in popularity in the last few years. These cryptographic systems aim to provide freedom from government-backed fiat currencies. This presentation examines the traditional and novel risks to cryptocurrency systems. Special attention is paid to documented attacks on cryptocurrency infrastructure, criminal use of cryptocurrencies, and the policies affecting cryptocurrency systems.

Mitchell Parker, "Lessons Learned From the Retrocomputing Community"

The purpose of this presentation is to show that successful retrocomputing projects and groups which currently exist follow patterns we can use to help low-resource and industrial organizations that need to secure their devices. Can retrocomputing breathe new life into older technology to help secure the enterprise?