CERIAS Weekly Security Seminar - Purdue University

Summary: CERIAS -- the Nation's top-ranked interdisciplinary academic education and research institute -- hosts a weekly cyber security, privacy, resiliency, or autonomy speaker, highlighting technical discoveries, case studies, or cyber operational approaches; the talks are not product demonstrations, service sales pitches, or company recruitment presentations. Join us weekly, or explore 25 years of archives for the who's-who in cybersecurity.

Podcasts:

 Lotfi ben-Othmane, What Roles Can Empirical Research Play to Advance Software Security Knowledge? | File Type: video/mp4 | Duration: 3435

Software is an essential component in the operation of business information systems, cyber-physical systems, and various personal devices. Despite increased awareness of and concern about software security threats, the current state of the art in software engineering practice is inadequate: new categories of security weaknesses are commonly reported. Challenges that hinder the development of secure software start with the difficulty of identifying threats and estimating risks. Practices such as incremental software development also pose challenges to software security. This talk discusses, through a set of examples, how empirical research can help advance the state of the art of secure software engineering. About the speaker: Lotfi ben Othmane is a Lecturer (aka Teaching Assistant Professor) at Iowa State University, USA. He was the Head of the Department of Secure Software Engineering at the Fraunhofer Institute for Secure Information Technology, Germany. Dr. ben Othmane has extensive experience in industry and academia in Tunisia, Canada, the USA, the Netherlands, and Germany. His research interests include the use of empirical research in secure software development, the development of secure systems using an agile approach, and cyber-resilience in connected vehicles. He has about 40 peer-reviewed publications. Dr. ben Othmane received his Ph.D. degree from Western Michigan University, USA, in 2010; an M.S. degree from the University of Sherbrooke, Canada, in 2000; and a B.S. degree from the University of Sfax, Tunisia, in 1995.

 Ben Harsha, The Economics of Offline Password Cracking | File Type: video/mp4 | Duration: 2880

Password leaks have become an unfortunately common occurrence, with billions of records leaked in the past few years. In this work we develop an economic model to help predict how many user passwords an attacker will crack after such a breach. Our analysis indicates that currently deployed key stretching mechanisms such as PBKDF2 and BCRYPT provide insufficient protection for user passwords. In particular, our analysis shows that a rational attacker will crack 100% of passwords chosen from a Zipf's law distribution, and that Zipf's law accurately models the distribution of most user passwords. This dismal claim holds even if PBKDF2 is used with 100,000 hash iterations (10 times greater than NIST's minimum recommendation). On a positive note, our analysis demonstrates that memory hard functions (MHFs) such as SCRYPT or Argon2i can significantly reduce the damage of an offline attack. Based on our analysis we advocate that password hashing standards should be updated to require the use of memory hard functions for password hashing and disallow the use of non-memory hard functions such as BCRYPT or PBKDF2. About the speaker: Ben Harsha is a Computer Science Ph.D. student advised by Jeremiah Blocki. He currently works on password security and cryptographic hash functions. Before coming to Purdue in 2015 he also worked on distributed sensor networks at Argonne National Lab, as well as neural network optimization and computer science education methods at DePauw University. He has received a Master's from Purdue and a Bachelor's from DePauw University.

 Nat Shere, Penetration Testing: What? Why? How? | File Type: video/mp4 | Duration: 2983

Penetration testing, or "Ethical Hacking", is the practice of testing systems, environments, and even employees in the manner of a real-world hacker. As news of security breaches and wide-spread hacks increases, companies are increasingly pursuing penetration testing services. This talk will discuss what penetration testing is and the different approaches that vendors bring to it, why penetration testing is so important to a security program, and how penetration tests are implemented to simulate real-world attacks. About the speaker: Nathaniel (Nat) Shere has a Master of Science in Information Security from Columbia University. He has been working at Rook Security for three years as a Senior Information Security Consultant and specializes in web application penetration testing, network penetration testing, and social engineering assessments. In addition, Nat writes for Rook Security's blog and develops internal automation tools.

 Kirsten Bay, Securing the Future of Business: Broadening the Role of Security Technology | File Type: video/mp4 | Duration: 2728

Security technology has long been relegated to being part of the IT stack, but the consistent stream of attacks on our government, corporations, and individuals alike has shown that the relationship between security technology and the business needs to be reconsidered. As we look at events such as the manipulation of news on Facebook, Equifax, WannaCry, NotPetya, and Uber, how do we engage a wider audience to be part of the conversation about understanding the challenges and solutions? What are the mechanisms that will stop companies from hiding security gaps and events from investors, employees, and customers? This discussion will use current use cases intended to stimulate a dialogue on how we, as current and future leaders in cyber security, can better understand the broader risks and opportunities so that we can educate and inform on how to get ahead of the adversary. About the speaker: Kirsten Bay is redefining what it means to be a fearless leader in the technology industry. She is an accomplished, bilingual executive, transforming the cyber security space. As President and CEO of Cyber adAPT, she leverages more than 25 years of experience, leading her team with risk intelligence, information management, and policy expertise across a variety of sectors. Throughout her career, Kirsten has been appointed to a congressional committee developing cyber policies, initiatives and recommendations for the intelligence community. She has developed recommendations in partnership with the Center for North American Studies (CNAS) and the Center for Strategic and International Studies (CSIS) for The White House energy policy, and collaborated on information studies for MIT-Harvard and several federal agencies. She has gone before a parliamentary subcommittee on recreating trust in the global economy, and presented national security and critical infrastructure concepts at conferences such as Black Hat, Secured Americas, Enterprise Architecture Institute, SC World Congress, and the Eurim Information Management Committee. She has also spoken on applied economics and its relationship to both cyber and national security around the world. Kirsten is a self-proclaimed 'serial student'. Her current membership of the Alliance of Chief Executives feeds her perpetual drive to learn and share insight with peers; an inspirational trait she models for her Cyber adAPT team. In previous executive roles for ISC8, Attensity Group, and iSIGHT Partners, she has led companies through corporate restructuring, risk and corporate intelligence product launches, and company turnarounds, respectively. With a BA in English and German from the University of Oregon, let's just say she will correct your grammar in multiple languages.

 Abhishek Ray, Ad-Blockers: Extortionists or Digital Age Robin Hoods? | File Type: video/mp4 | Duration: 2195

Intrusive online advertising has given birth to the trend of ad-blockers. Initially dismissed by the online advertising industry as inconsequential, ad-blockers have evolved from a mere plugin tool on browsers to full-fledged platforms that derive benefits from certifying the quality of advertisers and reducing the disutility of users from intrusive activities such as user tracking. However, are ad-blocking platforms the optimal solution to improving user experience online? There is no clear answer. User experience advocates term this yet another way to target users online. Industry advocates accuse ad-blockers of using an extortion-based business model, built on fleecing advertisers. Through our game-theoretic model, we inform policy-makers on this problem and establish the optimal pricing policy for such ad-blocking platforms. In addition, we theorize the socially optimal pricing policies of advertising-supported content platforms and establish how such platforms should price participation from users, given the obvious disutility of the advertising they are exposed to. About the speaker: Abhishek Ray is a 4th year PhD candidate in Management Information Systems at Krannert School of Management, Purdue University. His research interests lie at the intersection of Economics, Digital Business & Engineering. He holds an MS in Economics and an MS in Industrial Engineering from Purdue University.

 Nikita Borisov, Refraction Networking: Censorship Circumvention in the Core of the Internet | File Type: video/mp4 | Duration: 3628

Internet users around the world are facing censorship. To access blocked websites, they use circumvention services that most commonly consist of VPN-like proxies. The censors, in turn, try to block such proxies, creating a sort of cat-and-mouse game. Refraction networking takes a different approach by placing refracting routers inside ISP networks. By sending a special signal, a user can ask a router to refract *any* connection that transits the ISP to another, blocked destination, in a process that is undetectable by the censor. To prevent such connections, the censor would need to block all traffic from reaching that ISP, which considerably raises the cost of censorship. I will discuss the design of refraction networking and how it achieves the properties above. I will also discuss the results of our pilot deployment of refraction networking at two ISPs handling an aggregate of nearly 100 Mbps of traffic, which provided censorship circumvention to 50,000 users in a country with heavy Internet censorship. I will close by discussing some future research issues in the space. About the speaker: Nikita Borisov is an associate professor at the University of Illinois at Urbana-Champaign. His research interests are online privacy and network security, with recent work on anonymous communication, censorship resistance, analysis of encrypted traffic, and protocols for secure communication. He is the co-designer of the Off-the-Record (OTR) instant messaging protocol and was responsible for the first public analysis of 802.11 security. He has been the chair of the Privacy Enhancing Technologies Symposium and the ACM Workshop on Privacy in Electronic Society. He is also the recipient of the NSF CAREER award. Prof. Borisov received his Ph.D. from the University of California, Berkeley in 2005 and a B.Math from the University of Waterloo in 1998.

 Mikhail J. Atallah, Opportunities and Perils of the Cyber Revolution | File Type: video/mp4 | Duration: 3664

Rebroadcast from the original Oct. 30 talk. WEST LAFAYETTE, Ind. — Mikhail Atallah, distinguished professor of computer science and a professor of electrical and computer engineering (courtesy), has been chosen as the 2017 Arden L. Bement Jr. Award recipient. One of Purdue University's top three research honors, the Bement Award is the most prestigious award the university bestows in pure and applied science and engineering. Atallah is being honored for his significant contributions in the design and implementation of efficient processing and security protections for computer-based technologies. "Dr. Atallah's world-renowned work in algorithms, access hierarchies and information security combines deep theoretical approaches with solutions-based efficient designs to address the most challenging computer processing and security issues," said Suresh Garimella, Purdue's executive vice president for research and partnerships and the Goodson Distinguished Professor of Mechanical Engineering, in announcing the winner. "His highly creative and innovative ideas and fresh viewpoints have had a major impact on the fields of distributed computing and cyber security." Atallah will deliver the Arden L. Bement Jr. Distinguished Lecture on Oct. 30 in Stewart Center's Fowler Hall. The 1:30 p.m. lecture is free and open to the public. Among his accomplishments, Atallah settled longstanding open problems in data structuring for range-minimum queries and in data filtering with running-max filters. He designed an influential and award-winning technique for key management in access hierarchies and developed a divide-and-conquer technique to parallelize sequential algorithms, resulting in numerous optimal algorithms for solving complex geometric and combinatorial problems. Atallah co-founded Arxan Technologies Inc. to commercialize a software protection technology developed jointly with his doctoral student Hoi Chang. Used in more than 500 million computing devices today, the technology consists of injecting self-protective mechanisms into software that make it harder to hack. Atallah came to Purdue as an assistant professor of computer science in 1982 after earning a doctorate at Johns Hopkins University. He was named a full professor in 1989 and has been a distinguished professor since 2004. He is affiliated with the Center for Education and Research in Information Assurance and Security (CERIAS) and has a courtesy appointment in the School of Electrical and Computer Engineering. He is a fellow of both the Association for Computing Machinery and IEEE (Institute of Electrical and Electronics Engineers). His work on key management received the 2015 CCS Test of Time Award. He was the 2016 recipient of the Purdue Sigma Xi Faculty Research Award, and the 2013 recipient of the Purdue Outstanding Commercialization Award. He has lectured frequently around the nation and the world as a keynote and invited speaker and has served on editorial boards of top journals and on program committees of top conferences and workshops. The Arden L. Bement Jr. Award was established in 2015 by Purdue professor emeritus Arden Bement and his wife, Mrs. Louise Bement. The Bement Award recognizes Purdue faculty for outstanding and widely recognized contributions in the areas of pure and applied science and engineering. Winners of the Bement Award are nominated by colleagues, recommended by a faculty committee and named by the university president. Recipients receive a cash award and a small support grant for their university scholarly activities.

 Jerome Edge, "Applying commercial best practices to DoD risk management to offer suggestions how to move from risk avoidance to cost effective risk management" | File Type: video/mp4 | Duration: Unknown

The Department of Defense has mandated a risk management rather than risk avoidance approach in Cybersecurity. All Department of Defense programs are being directed to the Risk Management Framework (RMF) process. No cyber system can be 100% secure. RMF mandates that we clearly determine the "value" of assets, such as information and intellectual property, and design systems to properly protect those assets. The commercial domain embraces the mantra that an organization should not spend more to protect an asset than the asset is worth. This presentation will provide an overview of RMF as applied to a specific publicly available case study and highlight that utilizing commercial best practices can reduce the cost of systems delivered to DoD.
