CERIAS Weekly Security Seminar - Purdue University

Summary: CERIAS, the nation's top-ranked interdisciplinary academic education and research institute, hosts a weekly cyber security, privacy, resiliency or autonomy speaker, highlighting technical discoveries, case studies or cyber operational approaches; the talks are not product demonstrations, service sales pitches, or company recruitment presentations. Join us weekly, or explore 25 years of archives for the who's who in cybersecurity.

Podcasts:

 Morgan Princing, Identifying Security Risks Using Internet-Wide Scan Data | File Type: video/mp4 | Duration: 2210

In this talk, we'll explore how internet scan data layered with different open-source tools can start to make sense of what is publicly exposed and potentially a threat. Predominantly, we'll focus on three investigations:

1. how to find attacker infrastructure, using IOCs from MITRE and web application logs
2. how to identify trends in common misconfigurations and vulnerabilities
3. how to find assets related to your organization

Throughout the talk, we'll identify and use risk indicators to find relevant exposed devices. We'll also touch on historical trends that relate to different types of attacks, security risks that have surfaced in the past year, and some of the challenges in identifying rogue assets in the haystack of internet data.

About the speaker: Morgan Princing is a solutions engineer at Censys, focused on identifying trends and tracking threat groups and vulnerabilities using Censys data. Her career in cybersecurity began in botnet detection, where she worked to protect websites, APIs and mobile apps from bots by detecting anomalies in web traffic and interrogating user-identification systems. Morgan holds a Bachelor of Arts in Economics and Urban Studies from the University of Michigan. Morgan is a 2019 World IT Award Winner for Women in Security.

 Sriharsha Etigowni, Contactless Control Flow Monitoring via Electromagnetic Emanations | File Type: video/mp4 | Duration: 2100

Trustworthy operation of industrial control systems depends on secure and real-time code execution on embedded programmable logic controllers (PLCs). The controllers monitor and control critical infrastructures, such as electric power grids and healthcare platforms, and continuously report the system status back to human operators. This talk is about Zeus, a contactless embedded controller security monitor that ensures the execution control flow integrity of the PLC. Zeus leverages the electromagnetic emission of the PLC circuitry during the execution of the controller programs. Zeus's contactless execution tracking enables non-intrusive monitoring of security-critical controllers with tight real-time constraints; those devices often cannot tolerate the cost and performance overhead that comes with additional traditional hardware or software monitoring modules. Furthermore, Zeus provides an air gap between the monitor (trusted computing base) and the target (potentially compromised) PLC, which eliminates the possibility of the monitor being infected by the same attack vectors. Zeus monitors the control flow integrity of the PLC program execution: it observes the communications between the human-machine interface and the PLC and captures the control logic binary uploads to the PLC, exercises the binary's feasible execution paths, and fingerprints their emissions using an external electromagnetic sensor. Zeus trains a neural network on legitimate PLC execution and uses it at runtime to identify the control flow from the PLC's electromagnetic emissions. Zeus was implemented on a commercial Allen Bradley PLC, which is widely used in industry, and evaluated on real-world control program executions. Zeus was able to distinguish between different legitimate and malicious executions with 98.9% accuracy, and with zero overhead on PLC execution by design.

About the speaker: Sriharsha Etigowni is a Post-Doctoral Research Associate at Purdue University. He earned his PhD in Electrical and Computer Engineering from Rutgers University. His research mainly focuses on the security of cyber-physical systems, which he secures using physical and control invariants. His research interests include IoT embedded system security, trusted computing, secure boot, runtime monitoring and detection, physical side channels, and applied cryptography. Apart from academic research, he also has industrial experience working for Bosch on automotive embedded systems, specifically in-vehicle communication protocols, and for Siemens on intelligent automated systems in the manufacturing domain. His work spans different areas of cyber-physical systems such as power grids, drones, automotive, and critical manufacturing.

 Boyang Wang, Fingerprinting Encrypted Voice Commands on Smart Speakers | File Type: video/mp4 | Duration: 2851

Smart speakers, such as Amazon Echo, have been adopted by millions of users. However, the privacy impacts of smart speakers have not been well examined. We investigate the privacy leakage of smart speakers under an encrypted traffic analysis attack, referred to as voice command fingerprinting. In this attack, an adversary eavesdrops on the encrypted voice traffic to and from a smart speaker and infers which voice command a user says without decrypting the traffic. We design our attacks based on neural networks and collect two large-scale datasets on Amazon Echo and Google Home by using an automatic traffic crawler. Our experimental results show disturbing privacy concerns. Specifically, compared to 1% accuracy with random guessing, an attacker can infer 92% of voice commands correctly on Amazon Echo and 99% of voice commands correctly on Google Home. We also propose a defense to preserve user privacy against this attack with minimal latency and bandwidth overhead. Our simulations show that the proposed defense can reduce attack accuracy to 1% if an attacker trains neural networks with original traffic, and to 32% if an attacker adapts and trains neural networks with obfuscated traffic.

About the speaker: Boyang Wang is a tenure-track Assistant Professor in the Department of Electrical Engineering and Computer Science at the University of Cincinnati. He received his Ph.D. in Electrical and Computer Engineering from the University of Arizona in 2017, and his Ph.D. in Cryptography and B.S. in Information Security from Xidian University, China, in 2014 and 2007, respectively. He worked for the Bosch Research and Technology Center as a research intern in 2015. He was a visiting student at Utah State University from 2012 to 2013 and a visiting student at the University of Toronto from 2010 to 2012. His current research focuses on data security and privacy, adversarial machine learning, encrypted traffic analysis, blockchain and applied cryptography. He is a member of IEEE and ACM.

 Mohsen Minaei, Forgetting the Forgotten: Conceal Content Deletions from Persistent Observers | File Type: video/mp4 | Duration: 2670

Most social platforms offer mechanisms allowing users to delete their posts, and a significant fraction of users exercise this right to be forgotten. However, ironically, users' attempts to reduce attention to sensitive posts via deletion in practice attract unwanted attention from stalkers specifically to those (deleted) posts. Thus, deletions may leave users more vulnerable to attacks on their privacy in general. Users hoping to make their posts forgotten face a "damned if I do, damned if I don't" dilemma. In this talk, we will look into two newly proposed deletion mechanisms that provide privacy for users' deletions. In the first approach, in the form of intermittent withdrawals, we present Lethe, a novel solution to this problem of (really) forgetting the forgotten. If next-generation social platforms are willing to give up the uninterrupted availability of non-deleted posts by a very small fraction, Lethe provides privacy to the deleted posts over long durations. Furthermore, we introduce Deceptive Deletion, a new decoy mechanism that minimizes the adversarial advantage. Our mechanism creates a two-player min-max game between an adversary that seeks to classify damaging content among the deleted posts and a challenger that employs decoy deletions to disguise real damaging deletions. We evaluate the systems using Twitter data samples and show that, in the presence of a strong adversary, our systems protect the privacy of users' deletions.

About the speaker: Mohsen Minaei is a Ph.D. candidate at Purdue University working with Professor Aniket Kate. His research focuses on designing and implementing better privacy-enhancing mechanisms for content deletion and on using cryptocurrencies as covert channels to bootstrap censorship circumvention tools. Prior to joining Purdue, he received his bachelor's degree from Sharif University in Tehran. He has completed three internships with the fraud detection and Xbox teams at Microsoft and one with the blockchain team at Visa Research.

 Celeste Paul, Hacking Stressed: Frustration, burnout, and the pursuit of happiness | File Type: video/mp4 | Duration: 3155

Anyone in this business knows how fun and exciting hacking can be, but also the emotional and physical toll it can take. Mental health is a longstanding dirty secret in the infosec community, and we are just now learning how to talk about it. The wear and tear of everyday stress combined with the 'always on' aspect of an operational environment creates a perfect storm for burning out. While stress can have a negative impact on job performance, my primary concern is the health and safety of infosec professionals themselves. Not only does stress have short-term effects on cognitive abilities and performance, but recurrent acute stress can have long-term effects on health (mental and physical) as well as lead to burnout and turnover. There are many sources of stress in infosec operations, some of which can be managed while others are simply the nature of the job. Activities that require long periods of vigilance and creativity will deplete cognitive resources and increase fatigue. Some of these activities have unpredictable results that can increase frustration. Other times, external factors unrelated to the activity itself may introduce new sources of stress that are not normally present. A certain level of stress is to be expected in these operations because they are considerably difficult, have a high risk vs. reward trade-off, and require a significant amount of knowledge and skill. But how much stress can you take on and still be a happy hacker? In this talk I will discuss why infosec is so stressful, how this stress affects you and your network, and some things you can do about it. I will also discuss lessons learned from my research study of tactical cyber operations, which examined fatigue, frustration, and cognitive workload in operators.

About the speaker: Dr. Celeste Lyn Paul is a senior researcher for the National Security Agency, where she studies the impact of human factors on cybersecurity.

 James Cole, Securing the Internet of Things | File Type: video/mp4 | Duration: 2761

The Internet of Things (IoT) is a potentially massive market. However, the deployment of IoT brings forth many challenges across the dimensions of the business side (efficient supply chain) as well as the technical side (secure deployment). In order for the IoT promise to deliver massive volume, the marketplace must have secure, efficient, and effective ways to deploy and secure billions of devices in the market. The security threats to endpoints and devices have never been greater and will continue to evolve. Join us for a talk on how Intel and the industry are working together to deliver fast, secure, zero-touch, late-binding onboarding for any device to any cloud in a safe and secure manner to advance the Internet of Things.

About the speaker: James Cole is Senior Director & General Manager, Security Architecture and Engineering, in the Intel Security Architecture and Technologies Group at Intel Corporation. He is responsible for various aspects of Intel's security portfolio along with strategic alignment and leadership across the company for security-related technologies. Mr. Cole has over 22 years of experience as a senior technical and business leader at Intel in a variety of business units and functional roles, from strategy and marketing to technical leadership positions. Mr. Cole and his team currently drive security strategy, define the security solutions spanning the Intel product lines and business units, and provide software for security functionality on Intel products. James is the Intel Board of Directors lead for the FIDO Alliance and is a frequent speaker and lecturer at various schools and conferences. Mr. Cole has a BS in Computer Science from Purdue University along with an MBA from the Fuqua School of Business at Duke University.

 Mitch Parker, Bitcoin and other dreams of utopian thinking-what happens when they meet reality? | File Type: video/mp4 | Duration: 2923

Cryptocurrencies are the latest in a series of market bubbles that demonstrate irrational exuberance. In this lecture, Mitch Parker, CISO of IU Health, will go over previous market bubbles, and compare and contrast the security controls in two peer-to-peer exchange methods, the current US federal banking system, and Bitcoin. Through this, Mitch will demonstrate the need to have security built into both the technical and non-technical controls of a financial system, and that the power of the system is based not just on backing by a central bank, but on the series of controls and measures used by the central bank and accounting standards to provide customers the assurance that they are protected.

About the speaker: Mitchell Parker, CISSP, is the Executive Director of Information Security and Compliance at IU Health. Mitch has done a significant amount of work researching the effects of cloud and distributed computing, network-based threats, compliance, and privacy and security requirements on connected health devices. Mitch works collaboratively with a number of EMR and biomedical equipment vendors to improve their security postures and provide a better quality of service. He currently resides in Carmel, IN, with his wife, two children, and two cats.

 Leon Ravenna, Your Privacy has been Breached | File Type: video/mp4 | Duration: 3035

GDPR, NYDFS, CCPA and other state, federal and supra-regional regulations are coming online quickly. Governments are driving security, privacy and compliance throughout the world. Since there is no overriding set of federal laws such as GLBA, many organizations in the US are unprepared for the upcoming deluge of regulations. Gain an understanding of what is coming and learn ways that you can help future organizations cope with and plan for a "50 States" strategy, and prepare yourself, for an uncertain future.

About the speaker: Leon Ravenna, CISO, KAR Auction Services. Leon has over 25 years' experience in healthcare, financial services and technology companies. He leads global security strategy, execution, privacy and compliance services. Leon is currently CISO of a $2.4B multi-national company in the auto auction, salvage and financial services space, providing security, privacy and compliance expertise for over 17,000 employees. Leon has led nationwide support, web and CRM development efforts, data center builds, and heavy infrastructure for SaaS companies in the medical and financial space. Leon has extensive experience in regulatory, compliance and privacy matters, having managed ISO 27001, HIPAA, SSAE-16, PCI and NIST system builds and audits. In addition to holding a PMP, Leon is one of a very small group worldwide to hold six major global privacy certifications: CIPM, CIPP/C, CIPP/E, CIPP/G, CIPP/US and FIP.
