How LinkedIn should have protected your password

Coulda, Woulda, Shoulda.

If you have a LinkedIn account, you probably noticed the news that 6.5 million of its password hashes were leaked. The passwords were hashed rather than stored in the clear, but with a single unsalted SHA-1, which is why the leak is still a major problem for all LinkedIn users. In his column in the latest issue of ACM Queue, LinkedIn Password Leak: Salt Their Hide, security expert Poul-Henning Kamp explains the flaws in LinkedIn's password management and the simple steps that would make it much more secure.
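To make the difference concrete, here is an added example (not code from Kamp's column or from LinkedIn) that runs a small dictionary attack against both storage schemes. The users and the word list are made up, PBKDF2-HMAC-SHA256 is used because it ships in Python's standard library (bcrypt or scrypt would serve the same purpose), and the iteration count is an assumed work factor.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the leak): two users who picked the same
# weak password, and a tiny version of the word list attackers run against dumps.
USERS = {"alice": "linkedin123", "bob": "linkedin123", "carol": "correct horse battery"}
CRACK_DICT = ["password", "123456", "linkedin", "linkedin123", "qwerty"]

# Assumed work factor; raise it until one verification costs ~100 ms on your servers.
ITERATIONS = 200_000


def unsalted_sha1(password):
    """How the leaked LinkedIn hashes were produced: one SHA-1 over the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(stored, dictionary):
    """Hash each word once, then look up every user's hash in the result.

    Returns (recovered passwords by user, number of hash computations).
    The cost is len(dictionary) no matter how many users leaked, and every
    user who chose the same password falls at once.
    """
    table = {unsalted_sha1(word): word for word in dictionary}
    found = {user: table[h] for user, h in stored.items() if h in table}
    return found, len(dictionary)


def hash_password(password, salt=None):
    """Salted, iterated PBKDF2-HMAC-SHA256. Returns (salt, derived key).

    A fresh 16-byte random salt per user makes identical passwords hash
    differently, so one precomputed table no longer serves for the whole dump.
    """
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def verify_password(password, salt, expected_key):
    """Recompute with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected_key)


def crack_salted(stored, dictionary):
    """The same dictionary attack against salted, stretched hashes.

    Returns (recovered passwords by user, number of PBKDF2 computations).
    The attacker must redo the dictionary for every user, and each computation
    costs ITERATIONS times more than one SHA-1.
    """
    found, work = {}, 0
    for user, (salt, key) in stored.items():
        for word in dictionary:
            work += 1
            if verify_password(word, salt, key):
                found[user] = word
                break
    return found, work


if __name__ == "__main__":
    legacy = {u: unsalted_sha1(p) for u, p in USERS.items()}
    print("unsalted:", crack_unsalted(legacy, CRACK_DICT))
    salted = {u: hash_password(p) for u, p in USERS.items()}
    print("salted:  ", crack_salted(salted, CRACK_DICT))
```

Note what the salt does and does not buy. alice and bob still fall to a five-word list, because a weak password stays weak; what changes is that the attacker's work multiplies by the number of users and by the iteration count, instead of being a single pass over a word list that cracks every account with that password at once.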

Of course, this is about more than just LinkedIn. Similar password leaks from eHarmony and last.fm were reported this week. If you use any of these popular Web services, you probably should change your password, especially if you use the same password on other Internet sites and services.

If you find this interesting, you should check out the monthly ACM Queue magazine.  It is a good resource for people interested in computing and software engineering. Here's how it describes its mission.

"Queue is the ACM's magazine for practicing software engineers. Written by engineers for engineers, Queue focuses on the technical problems and challenges that loom ahead, helping readers to sharpen their own thinking and pursue innovative solutions. Queue does not focus on either industry news or the latest "solutions." Rather, Queue takes a critical look at current and emerging technologies, highlighting problems that are likely to arise and posing questions that software engineers should be thinking about."

Update 6/9: League of Legends reports that its password database was compromised. It's not clear how the passwords were being stored.

Flame spy malware infiltrating Middle East computers

Russia-based anti-virus firm Kaspersky Lab has described a new cyber attack toolkit dubbed Flame (Worm.Win32.Flame), which it calls "what might be the most sophisticated cyber weapon yet." Its analysis suggests that Flame is a state-supported effort rather than one created by hacktivists or cybercriminals.

"Flame shares many characteristics with notorious cyber weapons Duqu and Stuxnet: while its features are different, the geography and careful targeting of attacks coupled with the usage of specific software vulnerabilities seems to put it alongside those familiar 'super-weapons' currently deployed in the Middle East by unknown perpetrators. Flame can easily be described as one of the most complex threats ever discovered. It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage."

Flame appears to be designed "to systematically collect information on the operations of certain nation states in the Middle East, including Iran, Lebanon, Syria, Israel and so on." Initial infection can be from an infected USB drive, spear phishing or an infected web site. Here’s a map of the top seven affected countries.

More information is available in articles on Wired (Meet ‘Flame’, The Massive Spy Malware Infiltrating Iranian Computers) and the BBC (Flame: Massive cyber-attack discovered, researchers say).

Privacy Engineering

We've started to see advertisements for a new kind of position: privacy engineer.

If you've seen the classic movie The Graduate, you'll remember the conversation that recent college graduate Benjamin Braddock has with a friend of his father, who says "I just want to say one word to you. Just one word. … Are you listening? … Plastics." Today, 45 years later, that one word might be Privacy.

Our lives are increasingly being lived online through social media systems, cloud-based services, smart phones and other ubiquitous computing and sensing devices. Your smart phone, it's common to hear, knows more about you than your spouse or your mother. Data about us is being collected minute by minute, aggregated, integrated, analyzed, bought and sold. At the same time, we have developed powerful new data mining and machine learning techniques that, together with parallel computing, can extract surprising amounts of information and knowledge from that data.

This data can be put to good uses, such as providing you with better services, but it can also result in a loss of privacy. Businesses and other organizations want to avoid a backlash in which they lose customers concerned about their privacy. We've seen recent ads for privacy engineers, such as these from Apple, Google and Intel. This is just a sample; many more exist, although the job title may differ.

The job of a privacy engineer doesn't yet have a well-defined consensus description, but the focus is on designing an organization's information privacy policy and helping to ensure that it is accurately described and enforced. High-level tasks include (i) protecting data from unauthorized access, use or disclosure; (ii) providing users with appropriate tools to both understand and control what information is collected and how it is shared and used; and (iii) recognizing how the data can be usefully mined without revealing private information.

What courses can a UMBC undergraduate take to prepare for positions like these? After getting a good grounding in the required computer science or computer engineering courses, undergrads can take classes in the fundamentals of security (CMSC 426 and CMSC 487), information assurance (CMSC 444), and cryptography (CMSC 443); take a course in databases (CMSC 461), data mining and machine learning (CMSC 478) and/or visualization (CMSC 436); and perhaps mobile computing (CMSC 628). Interested students should also look for special topics courses, like Security and Privacy in a Mobile Social World, which is being offered this semester. We also have several research labs that work in privacy-related areas, including the Cyber Defense, Coral, Ebiquity, Diadic and Maple labs.

UMBC Cyberdawgs are recruiting

UMBC's Cyber Defense Team is looking for new members. This semester the team competed in the Collegiate Cyber Defense Championship. In this competition, each team defended a mock corporate network against a horde of professional hackers in a fast-paced, real-time event over the course of two days. These competitions are a great way to network with government agencies and key companies in the security industry.

The UMBC Cyber Defense Team provides a great opportunity to gain practical, hands-on experience in information security, intrusion detection, cybersecurity, and network security. The team practices both penetration and defense of isolated networks similar to real business environments. The group meets at 7:00pm on Mondays in ITE 367; special events will be announced separately. No experience is required, but you should be motivated to learn about computer networks and systems security.

You can find additional information and how to join our mailing list at the UMBC Cyberdawgs website. Contact Marc Warfield (marc9 at umbc.edu) for more information.

talk: Securing Cyber-Physical Systems, 3/26

Securing Cyber-Physical Systems

Alvaro Cardenas
Fujitsu Laboratories of America

1:00pm Monday 26 March 2012, ITE 325b, UMBC

Our critical infrastructure systems are being modernized with information and communication technologies to face the operational requirements and efficiency challenges of the 21st century. The smart grid in particular, will introduce millions of new intelligent components to the electric grid, buildings, and homes within the next decade. While this modernization will bring many operational benefits to infrastructure systems, it will also introduce new vulnerabilities, a larger attack surface, and raise privacy concerns.

This presentation will be divided into three parts. The first part of the talk will cover the unique and fundamentally new challenges and solutions required for securing cyber-physical systems. The second part of the talk will focus on new mechanisms for securing cyber-physical systems. The final part of the talk will cover my other research interests in intrusion detection and future plans for big-data security.

Alvaro A. Cárdenas is a research staff engineer at Fujitsu Laboratories of America. Prior to this he was a postdoctoral fellow at the University of California, Berkeley, working on securing critical infrastructure systems. His research focuses on network security, the smart grid and other cyber-physical systems, intrusion detection and big data security. He has received numerous awards for his research, including a best paper award from the U.S. Army Research Office, a best presentation award from the IEEE, a fellowship from the University of Maryland, and a Distinguished Assistantship from the Institute of Systems Research. He has also been an invited visiting professor at the University of Cagliari. Alvaro holds M.S. and Ph.D. degrees from the University of Maryland, College Park, and a B.S. from Universidad de los Andes.

See http://www.csee.umbc.edu/talks for more information

talk: Analytics for Detecting Web and Social Media Abuse

Analytics for Detecting Web and Social Media Abuse

Dr. Justin Ma, UC Berkeley

1:00pm Friday 16 March 2012, ITE 325, UMBC

The Web and online social media provide invaluable communication services to a global Internet user base. The tremendous success of these services, however, has also created valuable opportunities for criminals and other miscreants to abuse them for their own gain. As a result, it is both an important yet challenging problem to detect, monitor, and curtail this abuse. However, the large scale and diversity of these services, combined with the tactics used by attackers, make it difficult to discern one clear and robust signal for detecting abuse. One approach, relying on domain expertise, is to construct a small set of well-crafted heuristics, but such heuristics tend to rapidly become obsolete. In this talk, I will describe more robust approaches based on machine learning, statistical modeling, and large-scale analytics of large data sets.

First I will describe online learning approaches for detecting malicious Web sites (those involved in criminal scams) using lexical and host-based features of the associated URLs. This application is particularly appropriate for online algorithms as the size of the training data is larger than can be efficiently processed in batch and because the features that typify malicious URLs evolve continuously. Motivated by this application, we built a real-time system to gather URL features and analyze them against a source of labeled URLs from a large Web mail provider. Our system adapts in an online fashion to the evolving characteristics of malicious URLs, achieving daily classification accuracies up to 99% over a balanced data set.

Next I will describe our ongoing efforts for creating analytics for detecting social media abuse. Deciding on a universal definition of social media abuse is difficult, as abuse is often in the eye of the beholder. In light of this challenge, we explore a more formal definition based on information theory. In particular, we hypothesize that messages with low information content are likely to be abusive. From this, we develop a measure of content complexity to identify abusive users that shows promise in our early evaluations.

In addition to our own experiments in the lab, this work has found success in practice as well. Companies serving hundreds of millions of users have adopted these ideas to improve abuse detection within their own services.

Justin Ma is a postdoc in the UC Berkeley AMPLab. His primary research is in systems security, and his other interests include applications of machine learning to systems problems, systems for large-scale machine learning, and the impact of energy availability on computing. He received B.S. degrees in Computer Science and Mathematics from the University of Maryland in 2004, and he received his Ph.D. in Computer Science from UC San Diego in 2010.

Host: Anupam Joshi
See http://www.csee.umbc.edu/talks for more information
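The abstract does not spell out how content complexity is measured. As an added illustration (not the speaker's code or data), the following uses one common proxy for information content, the compression ratio of an account's messages, and applies it to invented sample accounts. The threshold is an assumed cut-off; in practice it would be set from labeled data.

```python
import zlib

# Constructed sample accounts (invented text, not data from the talk).
# "spammer" repeats one pitch with only the @mention changed; "regular" writes
# varied messages of similar total length; "silent" has posted nothing yet.
ACCOUNTS = {
    "spammer": [
        "@ann Make money fast from home!!! Click http://example.invalid/offer today",
        "@bill Make money fast from home!!! Click http://example.invalid/offer today",
        "@cara Make money fast from home!!! Click http://example.invalid/offer today",
        "@dave Make money fast from home!!! Click http://example.invalid/offer today",
        "@erin Make money fast from home!!! Click http://example.invalid/offer today",
        "@fred Make money fast from home!!! Click http://example.invalid/offer today",
    ],
    "regular": [
        "Anyone know a good pizza place near the stadium?",
        "Finished the Berkeley talk slides, finally. Time for coffee.",
        "Rain again tomorrow, so the hike is off. Board games instead?",
        "Just read that paper on online learning for URL classification, nice work.",
        "My bike chain snapped halfway up the hill. Walking home now.",
        "Congrats to the team on shipping the new release this morning!",
    ],
    "silent": [],
}


def content_complexity(messages):
    """Compressed size over raw size of an account's concatenated messages.

    Used here as a stand-in for information content: values near 1.0 mean the
    text has little redundancy, values near 0 mean the account keeps saying the
    same thing. An account with no messages is treated as maximally complex so
    that nobody is flagged on the strength of nothing.
    """
    raw = "\n".join(messages).encode("utf-8")
    if not raw:
        return 1.0
    return len(zlib.compress(raw, 9)) / len(raw)


def rank_accounts(accounts):
    """Accounts ordered from least to most complex; the head of the list is the
    review queue."""
    return sorted(accounts, key=lambda user: content_complexity(accounts[user]))


def flag_low_complexity(accounts, threshold):
    """Accounts whose complexity falls below the (assumed) threshold."""
    return [u for u in rank_accounts(accounts)
            if content_complexity(accounts[u]) < threshold]


if __name__ == "__main__":
    for user in rank_accounts(ACCOUNTS):
        print("%-8s %.2f" % (user, content_complexity(ACCOUNTS[user])))
    print("flagged:", flag_low_complexity(ACCOUNTS, 0.5))
```

The measure is deliberately crude: a user who pastes the same long URL into every post compresses well even if the posts are harmless, and a spammer who randomizes wording compresses badly. That is why the abstract presents it as a hypothesis to be evaluated rather than a rule.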

Cyberdawgs make it to CyberWatch regional competition

Photo courtesy www.midatlanticccdc.org

This weekend, UMBC’s Cyber Defense club, the Cyberdawgs, will be one of eight schools vying for the win at the CyberWatch Mid-Atlantic Collegiate Cyber Defense Competition (CCDC) Regional Finals. The competition, the first of its kind to focus on the operational aspects of protecting and managing an existing “commercial” network infrastructure, will take place at the Johns Hopkins University Applied Physics Lab from March 14–18, according to the CCDC website.

“I always get excited for these types of competitions,” says Marc Warfield, president of the Cyberdawgs. A junior Information Systems major, Warfield hopes to eventually pursue a career in software development with a focus in network and computer security. “I enjoy the field because it’s so dynamic and keeps everyone on their toes.”

In late February, Warfield and his teammates competed against twenty-five schools during a three-hour virtual qualifying round. “We had to secure five different virtual machines and complete tasks that they assigned us during the three hours of scoring,” he explains.

Now only eight schools from the region are left; among them Towson University, Capitol College, and Howard County Community College. Warfield and seven of his teammates will represent UMBC. “We sadly didn’t make it to regionals last year, so it feels good to make it there this year,” he says. “I’m excited to meet people that are already working in the field and considered to be ‘rockstars’ in the computer security discipline.”

Conceived in 2006, the CCDC is funded by CyberWatch, an Advanced Technological Education (ATE) Center. Since then, the center’s mission has been to “improve the quantity and quality of the nation’s information assurance (IA) workforce,” says the website. This year, the competition’s theme is “Healthcare IT.” During the competition, the teams must “ensure the systems supply the specified services while under attack from a volunteer Red Team” and “satisfy periodic ‘injects’ that simulate business activities IT staff must deal with in the real world.”

Warfield explains that his preparation strategy includes “Red Bull and long weekend nights.” “We practice securing machines and setting up web applications along with learning to configure them,” he says.

This year’s CCDC is the first to include a Speaker Symposium that’s free and open to the public. Kicking off Wednesday morning, the symposium features founder and CEO of Oculis Labs, Bill Anderson with a speech entitled “Causes of Data Breaches in Healthcare? Just Look Around,” and Larry Pesce and Darren Wigley, members of the PaulDotCom Security Weekly podcast, whose presentation is called “MEDIC! Building and Rules of the 2012 Badges.”

If Warfield and his teammates place in the competition this weekend, they will make it to the National competition which will take place in San Antonio, Texas in mid-April. Schools currently slated to compete in the Nationals include the University of Alaska Fairbanks, the Air Force Academy, UNC Charlotte, Rochester Institute of Technology, and Texas A&M University.

talk: Self-sustainable Cyber-physical System Design

Self-sustainable Cyber-physical System Design

Dr. Nilanjan Banerjee
University of Arkansas Fayetteville

1:00pm Tuesday 13 March 2012, ITE 325b UMBC

Renewable energy can enable diverse self-sustainable cyber-physical systems with applications ranging from healthcare to off-grid home energy management. However, there are several challenges that need to be addressed before such systems can be realized. For instance, how do we balance the small and often variable energy budgets imposed by renewables with system functionality? How can we design sensitive physical sensors and efficient harvesting circuits for mW energy sources such as sound and indoor light? For systems such as off-grid homes that interact with humans, how do we balance demand and supply while being cognizant of usability needs?

In this talk, I will present techniques that address these challenges. Specifically, I will propose a Hierarchical Power Management paradigm that combines platforms with varied energy needs to balance energy consumption and functionality, the design of an efficient harvester for sound scavenging, and sensitive ECG sensors. I will also present a measurement study that reveals the energy management challenges faced by off-grid home residents. Finally, I will conclude with the design of a solar replayer platform that allows immense flexibility in evaluating solar panel driven systems, and works for a wide range of panels.

Nilanjan Banerjee is an Assistant Professor in the department of Computer Science and Computer Engineering at University of Arkansas Fayetteville. He graduated with an M.S. and a Ph.D. from the University of Massachusetts at Amherst in 2009 and a BTech. (Hons.) from IIT Kharagpur in 2004. He has won the Yahoo! Outstanding Dissertation award at UMass, a best undergraduate thesis award at IIT Kharagpur, and an Outstanding Researcher award at University of Arkansas. He is a 2011 NSF CAREER awardee and has won three other NSF awards (including the NSF I-Corps grant). His research interests span renewable energy driven systems, healthcare systems, and mobile systems.

Host: Anupam Joshi
See http://www.csee.umbc.edu/talks for more information

talk: Using Static Analysis to Diagnose Misconfigured Open Source Systems Software

Using Static Analysis to Diagnose
Misconfigured Open Source Systems Software

Ariel Rabkin, UC Berkeley

1:00pm Monday 5 March 2012, ITE 325b UMBC

Ten years ago, few software developers worked on distributed systems. Today, developers often run code on clusters, relying on large open-source software stacks to manage resources. These systems are challenging to configure and debug. Fortunately, developments in program analysis have given us new tools for managing the complexity of modern software. This talk will show how static analysis can help users configure their systems. I present a technique that builds an explicit table mapping a program's possible error messages to the options that might cause them. As a result, users can get immediate feedback on how to resolve configuration errors.

Ari Rabkin is a PhD student in Computer Science at UC Berkeley working in the AMP lab. His current research interest is the software engineering and administration challenges of big-data systems. He is particularly interested in applying program analysis techniques to tasks like log analysis and configuration debugging. His broader interests focus on systems and security, including improving system usability by making systems easier to understand, the connections between computer science research and technology policy, and developing program analysis techniques that work acceptably well on large, complex, messy software systems.

Host: Anupam Joshi
See http://www.csee.umbc.edu/talks for more information
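As an added illustration of the message-to-options table the abstract describes (a toy sketch, not Rabkin's analysis or tool), the following parses a made-up configuration-reading module with Python's ast module and records, for each error message, the options read by the function that raises it. The sample source and its conf.get("dotted.name") convention are assumptions. The real analysis is interprocedural and tracks data flow; this version only looks within one function, so an option read in a caller and passed down would be missed.

```python
import ast
from collections import defaultdict

# Constructed sample of the kind of systems code being analysed (invented; it is
# only parsed here, never executed). Options are read via conf.get("dotted.name").
SAMPLE_SOURCE = '''
import os

def open_storage(conf):
    path = conf.get("storage.dir")
    mode = conf.get("storage.mode", "rw")
    if not os.path.isdir(path):
        raise IOError("storage directory does not exist")
    if mode not in ("rw", "ro"):
        raise ValueError("unsupported storage mode")
    return path, mode

def connect(conf):
    port = int(conf.get("server.port"))
    if port < 1024:
        raise ValueError("privileged port requires root")
    return port

def start(conf):
    return open_storage(conf), connect(conf)
'''


def _str_arg(call):
    """First positional argument of a call if it is a string literal, else None."""
    if call.args and isinstance(call.args[0], ast.Constant) and isinstance(call.args[0].value, str):
        return call.args[0].value
    return None


def options_read(fn):
    """Option names read through <something>.get("name") anywhere inside fn."""
    found = set()
    for node in ast.walk(fn):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "get":
            name = _str_arg(node)
            if name is not None:
                found.add(name)
    return found


def messages_raised(fn):
    """String literals passed to exceptions raised inside fn."""
    msgs = []
    for node in ast.walk(fn):
        if isinstance(node, ast.Raise) and isinstance(node.exc, ast.Call):
            msg = _str_arg(node.exc)
            if msg is not None:
                msgs.append(msg)
    return msgs


def build_error_table(source):
    """Map each error message to the options read in the same function.

    An option is a candidate cause of a message if the function that raises
    the message also reads that option. Functions that raise nothing (here,
    start) contribute no rows.
    """
    table = defaultdict(set)
    for fn in ast.walk(ast.parse(source)):
        if isinstance(fn, ast.FunctionDef):
            opts = options_read(fn)
            for msg in messages_raised(fn):
                table[msg] |= opts
    return {msg: sorted(opts) for msg, opts in table.items()}


def explain(table, message):
    """Options a user should check when `message` shows up in a log."""
    return table.get(message, [])


if __name__ == "__main__":
    for msg, opts in sorted(build_error_table(SAMPLE_SOURCE).items()):
        print("%-35s -> %s" % (msg, ", ".join(opts)))
```

Even this intra-procedural version gives a user who sees "privileged port requires root" a single option to check, which is the immediate feedback the abstract is after; the price of the approximation is over-reporting (storage.mode is listed for the missing-directory error) and missing options that flow in from callers.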

Stripe capture the flag wargame

Stripe, a San Francisco startup with an online-payment system, is hosting a simple online cybersecurity capture the flag (CTF) challenge. See their blog post for the details.

“The hardest part of writing secure code is learning to think like an attacker. For example, every programmer is told to watch out for SQL injections, but it’s hard to appreciate just how exploitable they are until you’ve written a SQL injection of your own.

We built Stripe Capture the Flag, a security wargame inspired by SmashTheStack’s IO, to help the community (as well as our team!) practice identifying and exploiting common security problems.

After completing our CTF, you should have a greatly improved understanding of how attackers will try to break your code (and hopefully will have fun in the process!).”

If you can crack their system, they’ll send you a t-shirt. Since security is important to their business, maybe they will also talk to you about a job.
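To show what Stripe means about writing a SQL injection of your own, here is an added example (not from the CTF or Stripe's code) with a vulnerable login check beside a parameterized one, both run against a constructed in-memory SQLite table. The account row and the two payloads are made up for the example.

```python
import sqlite3


def make_db():
    """Constructed sample database: one account, in memory, so this runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users (name, password) VALUES ('admin', 's3cret')")
    return conn


def login_vulnerable(conn, name, password):
    """The bug: user input is pasted into the SQL text, so a quote or comment
    marker inside it is parsed as SQL syntax rather than as data."""
    query = "SELECT name FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    return conn.execute(query).fetchone() is not None


def login_safe(conn, name, password):
    """The fix: the SQL text is a constant and the inputs are bound parameters,
    so the engine treats them as opaque values whatever characters they hold."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone() is not None


# Two classic payloads (constructed for this example).
TAUTOLOGY = "' OR '1'='1"   # closes the quote, then ORs in an always-true clause
COMMENT_OUT = "admin'--"    # closes the quote, then comments out the password check


if __name__ == "__main__":
    db = make_db()
    for label, fn in (("vulnerable", login_vulnerable), ("safe", login_safe)):
        print(label, "real creds:      ", fn(db, "admin", "s3cret"))
        print(label, "unknown user+taut:", fn(db, "nobody", TAUTOLOGY))
        print(label, "comment-out name: ", fn(db, COMMENT_OUT, "wrong"))
```

With the tautology payload the vulnerable query becomes `... WHERE name = 'nobody' AND password = '' OR '1'='1'`, which matches every row, so an unknown user logs in as the first account returned; with the comment payload everything after `'admin'` is discarded. The parameterized version sees the same strings as password values and simply finds no match.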
