CERIAS Weekly Security Seminar - Purdue University show

Summary: CERIAS -- the Nation's top-ranked interdisciplinary academic education and research institute -- hosts a weekly cyber security, privacy, resiliency or autonomy speaker, highlighting technical discovery, case studies, or cyber operational approaches; the talks are not product demonstrations, service sales pitches, or company recruitment presentations. Join us weekly, or explore 25 years of archives for the who's-who in cybersecurity.

Podcasts:

 David Dill, A Formal Verifier for the Diem Blockchain Move Language | File Type: video/mp4 | Duration: 3518

The Diem blockchain, which was initiated in 2018 by Facebook, includes a novel programming language called Move for implementing smart contracts. The correctness of Move programs is especially important because the blockchain will host large amounts of assets, those assets are managed by smart contracts, and there is a history of large losses on other blockchains caused by bugs in smart contracts. The Move language is designed to be as safe as we can make it, and it is accompanied by a formal specification and automatic verification tool called the Move Prover. A project to specify and formally verify as many important properties of the Move standard library as possible is now well underway. This talk will be about the goals of the project and the most interesting insights we've had as of the time of the presentation. The entire blockchain implementation, including the Move language, virtual machine, the Move Prover, and various near-final Move modules, is available at http://github.com/libra

About the speaker: David L. Dill is a Lead Researcher at Facebook, working on the Libra blockchain project. He is also Donald E. Knuth Professor, Emeritus, in the School of Engineering at Stanford University. He was on the faculty in the Department of Computer Science at Stanford from 1987 until going emeritus in 2017. Prof. Dill's research interests include formal verification of software, hardware, and protocols, with a focus on automated techniques, as well as voting technology and computational biology. For his research contributions, he has received a CAV Award and an Alonzo Church Award. He is an IEEE Fellow, an ACM Fellow, and a member of the National Academy of Engineering and the American Academy of Arts and Sciences. He also received an EFF Pioneer Award for his work in voting technology and is the founder of VerifiedVoting.org, an organization that champions trustworthy elections.

 Dave Henthorn, Educating the Next Generation on the Challenges of Securing Critical Infrastructure | File Type: video/mp4 | Duration: 3584

Cyberattacks on critical infrastructure such as power plants, dams, and chemical facilities are increasing in both intensity and sophistication, with attackers actively exploiting the cultural divide between the engineers who design and run these facilities and the cybersecurity people who protect them. At Rose-Hulman, we are building a multidisciplinary Critical Infrastructure Laboratory to bring these groups together, with the goal of educating the next generation on the difficulties of designing and securing facilities vital to our national and economic security.

About the speaker: Dr. David Henthorn is an expert in biomaterials, biosensors, and polymers in medical applications. His research focuses on 3D printing of biomaterials, and he is working with two fellow faculty members on a project to develop an electronic badge system to document student professional development. Dr. Henthorn also does research in the modernization of industrial control systems, including the major push to enhance the cybersecurity of our critical infrastructure.

 Winn Schwartau, Security is Probabilistic, Not Deterministic: Get Over It | File Type: video/mp4 | Duration: 3431

Since the inception of computer/data/cyber/network security some fifty years ago, one recurring question has beset our industry: "How do we secure it?" By its very nature, that question has propagated as a harmful meme, by implying that a binary, deterministic answer is available, or even possible. This talk examines security through a non-deterministic lens, applying probabilistic and analogue functions to discover new approaches to defending anthro-cyber-kinetic systems.

About the speaker: Winn has lived Cyber Security since 1983, and now says, "I think, maybe, I'm just starting to understand it." His predictions about the internet and security have been scarily spot on. He coined the term "Electronic Pearl Harbor" while testifying before Congress in 1991 and showed the world how and why massive identity theft, cyber-espionage, nation-state hacking, and cyber-terrorism would be an integral part of our future. He was named the "Civilian Architect of Information Warfare" by Admiral Tyrrell of the British MoD. His new book, "Analogue Network Security," is a mathematical, time-based, and probabilistic approach to justifiable security. His goal is to provide a first set of tools and methods to "fix security and the internet," including fake news, spam, phishing, DDoS, and more. It will twist your mind.

 Neil Daswani, Big Breaches: Cybersecurity Lessons For Everyone | File Type: video/mp4 | Duration: 3573

This talk covers the key lessons learned and root causes from the biggest mega-breaches and the 9,000+ reported breaches over the past 15 years. By analyzing the histories, stories, and deep dives of breaches such as those at Target, JPMorgan Chase, OPM, Yahoo, Equifax, Facebook, Marriott, Capital One, and the SolarWinds hack, I will also lay the groundwork for a roadmap to recovery based on the root causes.

About the speaker: Dr. Neil Daswani is Co-Director of the Stanford Advanced Security Certification program and is President of Daswani Enterprises, his security consulting and training firm. He has served in a variety of research, development, teaching, and executive management roles at Symantec, LifeLock, Twitter, Dasient, Google, Stanford University, NTT DoCoMo USA Labs, Yodlee, and Telcordia Technologies (formerly Bellcore). At Symantec, he was Chief Information Security Officer (CISO) for the Consumer Business Unit, and at LifeLock he was the company-wide CISO. Neil is also a co-author of two books: Big Breaches: Cybersecurity Lessons for Everyone (Apress, ISBN 978-1484266540) and Foundations of Security: What Every Programmer Needs to Know (Apress, ISBN 978-1590597842). Neil's DNA is deeply rooted in security research and development; he has dozens of technical articles published in top academic and industry conferences (ACM, IEEE, USENIX, RSA, BlackHat, and OWASP), and he has been granted over a dozen US patents. He frequently gives talks at industry and academic conferences, and has been quoted by publications such as The New York Times, USA Today, and CSO Magazine. He earned PhD and MS degrees in computer science at Stanford University, and he holds a BS in computer science with honors with distinction from Columbia University.

 Laura Thomas, National Security Implications of Quantum Technology | File Type: video/mp4 | Duration: 2916

Quantum technology will be transformational. When applied, quantum has the power to dramatically improve our society, as well as cause major disruptions on the national security and economic security fronts. This presentation will provide an overview of the fundamentals of quantum technology, including the three major branches of quantum technology development: quantum computing, quantum sensing, and quantum networking. We will discuss use cases for each and explore where the technology stands today, its commercialization and hardware engineering challenges, and potential pathways for a quantum future.

About the speaker: Laura Thomas is the Senior Director of National Security Solutions at ColdQuanta, a quantum sensing and computing company. She is a former U.S. Central Intelligence Agency (CIA) case officer and Chief of Base who led sensitive programs at CIA Headquarters and abroad in multiple international assignments. She is a subject matter expert on the intersection of emerging technology and national security. She has served over 15 years in national security and leadership roles, working extensively across the U.S. intelligence community, National Security Council, U.S. Department of State, U.S. Department of Defense, U.S. Congress, and with foreign partners.

 Ida Ngambeki, Understanding the Human Hacker | File Type: video/mp4 | Duration: 4544

Social engineering is employed in 97% of cybersecurity attacks. This makes social engineering penetration testing an important aspect of cybersecurity. Social engineering penetration testing is a specialized area requiring skills and abilities substantially different from other types of penetration testing. Training for social engineering penetration testing, as well as understanding what skills, abilities, and personalities make for good social engineers, is not well developed. This mixed-methods study uses surveys and interviews conducted with social engineering pen testers to examine their pathways into the field, what personality traits contribute to success, what skills and abilities are necessary, and what challenges these professionals commonly face. The results are used to make recommendations for training.

About the speaker: Dr. Ida Ngambeki is an Assistant Professor of Computer and Information Technology at Purdue University. She is the Executive Director of the Purdue Cybersecurity Education Training Network and Resources and Director of the Cybersecure Behavior Lab. Dr. Ngambeki graduated from Smith College with a B.S. in Engineering and from Purdue University with a PhD in Engineering Education. Dr. Ngambeki's key areas of research interest include cybersecure behavior, social engineering, cybersecurity education, cybersecurity policy, and cybersecurity workforce development. Dr. Ngambeki's current research projects include developing curriculum guidance documents and a hub-and-spoke infrastructure for Industrial Control Systems Security, developing a self-directed learning platform for secure programming, developing a cybersecurity apprenticeship program, and developing an AI-based, humor-integrated social engineering training tool. Dr. Ngambeki has developed courses in Social Engineering, Cyber Law, and Cyber Ethics.

 Neil Gong, Secure Federated Learning | File Type: video/mp4 | Duration: 3859

Federated learning is an emerging machine learning paradigm that enables many clients (e.g., smartphones, IoT devices, and edge devices) to collaboratively learn a model, with the help of a server, without sharing their raw local data. Due to its communication efficiency and potential promise of protecting private or proprietary user data, and in light of emerging privacy regulations such as GDPR, federated learning has become a central playground for innovation. However, due to its distributed nature, federated learning is vulnerable to malicious clients. In this talk, we will discuss local model poisoning attacks on federated learning, in which malicious clients send carefully crafted local models or model updates to the server to corrupt the global model. Moreover, we will discuss our work on building federated learning methods that are secure against a bounded number of malicious clients.

About the speaker: Neil Gong is an Assistant Professor in the Department of Electrical and Computer Engineering and Department of Computer Science (secondary appointment) at Duke University. He is broadly interested in cybersecurity with a recent focus on the intersections between security, privacy, and machine learning. He received a B.E. from the University of Science and Technology of China (USTC) in 2010 and a Ph.D. in Computer Science from the University of California at Berkeley in 2015. He has received an NSF CAREER Award, an Army Research Office (ARO) Young Investigator Award, a Rising Star Award from the Association of Chinese Scholars in Computing, an IBM Faculty Award, and multiple best paper or best paper honorable mention awards.

 Leigh Metcalf, "The Gauntlet of Cybersecurity Research" | File Type: video/mp4 | Duration: Unknown

Good research is driven by scientific principles. Analysts begin research with a goal in mind; at the same time, they need their research to have a solid foundation. This talk will cover common goals in cybersecurity research and also discuss common pitfalls that can undermine the results of the research. The talk will include many examples illustrating the principles.
