The Cyber Security Club is proud to present David O’Connor giving a talk on "The Emerging Threat of Financial Crimes" on Wednesday, October 13, 2010 in room JAB473.

We would also like to inform everyone about our new website: https://sites.google.com/site/polycybersecurityclub/, where we will be posting a schedule of talks, and be providing content for each talk afterwards. This is solves the problem of members not knowing about upcoming talks, and will allow members to be able to obtain materials for each talk afterwards.

View full press release.

Full Reuters CSAW Article

Thomson Security Newsletter No. 13

Description: Collaborative Research in Information Security and Privacy (CRISP) is a workshop for discussing the relationship between security research and related fields such as law, economics, business, health, and public safety.

Alex Sotirov, an independent security researcher with more than ten years of experience with vulnerability research, reverse engineering and advanced exploitation techniques, will be giving a free 4-week reversing seminar through NYU:Poly's ISIS lab. Starting on April 1st, Alex will cover and go beyond many of the topics presented in NYU:Poly's successful "Penetration Testing and Vulnerability Analysis" course. Material will be presented on common binary patterns, dynamic analysis techniques, and complex malware analysis.

Alex's most recent work includes exploiting MD5 collisions to create a rogue Certificate Authority, bypassing the exploitation mitigations on Windows Vista and developing the Heap Feng Shui browser exploitation technique. His professional experience includes positions as a security researcher at Determina and VMware. Currently he is working as an independent security consultant in New York. He is a regular speaker at security conferences around the world, including CanSecWest, BlackHat and Recon. Alexander is a program chair of the USENIX Workshop on Offensive Technologies and is one of the founders of the Pwnie Awards.

Please join us for this unique opportunity at NYU:Poly's ISIS lab. All are welcome.

More information:
http://www.phreedom.org
http://isis.poly.edu
http://www.poly.edu/directions/

Abstract: I will describe two areas in computer security that demonstrate the wide range of techniques, from both theory and practice, we need to make impact. First, I treat privacy and security in Radio Frequency Identification (RFID). RFID refers to a range of technologies where a small device with an antenna, or "tag", is attached to an item and can be queried later wirelessly by a reader. While proponents of RFID promise security and efficiency benefits, the technology also raises serious security concerns. I will describe my work on practical security analysis of RFID in library books and the United States e-passport deployments. These deployments in turn uncover a new theoretical problem, that of "scalable private authentication", I will describe the first solution to this problem that scales sub-linearly in the number of RFID tags.

Second, I describe recent work in "whitebox fuzz testing", a new approach to finding security bugs. Security bugs cost millions of dollars to patch after the fact, so we want to find and fix them as early in the deployment cycle as possible. I review previous fuzz testing work, how fuzzing has been responsible for serious security bugs, and classic fuzz testing's inability to deal with "unlikely" code paths. I then show how marrying the idea of dynamic test generation with fuzz testing overcomes these shortcomings, but raises significant scaling problems. Two recent tools, SAGE at Microsoft Research, and SmartFuzz at Berkeley, overcome these scaling problems; I present results on the effectiveness of these tools on commodity Windows and Linux media playing software. Finally, I close with directions for leveraging cloud computing to improve developers' testing and debugging experience. The talk describes joint work with Ari Juels and David Wagner (RFID), and with Patrice Godefroid, Michael Y. Levin, Xue Cong Li, and David Wagner (Fuzzing).

Abstract: Although several research efforts have been devoted to the issue, the effective analysis of policy based security systems remains a significant challenge. Policy analysis should at least (i) be expressive (ii) take account of obligations and authorizations, (iii) include a dynamic system model, and (iv) give useful diagnostic information. I will present a logic-based policy analysis framework which satisfies these requirements, showing how properties such as modality conflicts, separation of duties, and others can be analyzed. We give details of a prototype implementation.

Bio: Jorge Lobo joined IBM T. J. Watson Research Center in 2004. Previous to IBM he was principal architect at Teltier Technologies, a start-up company in the wireless telecommunication space acquired by Dynamicsoft and now part of Cisco System. Before Teltier he was an Associate Professor of CS at the University of Illinois at Chicago and a member of the Network Computing Research Department at Bell Labs. At Teltier he developed a policy server for the availability management of Presence Servers. The servers were successfully tested inside two GSM networks in Europe. He also designed and co-developed PDL, one of the first generic policy languages for network management. A policy server based on PDL was deployed for the management and monitoring of Lucent's first generation of softswitch networks.

Jorge Lobo has more than 50 publications in international journals and conferences in the areas of Networks, Databases and AI. He is co-author of an MIT Press book on logic programming and an IBM Press book on policy technologies for self-managing systems. He is co-founder and member of the steering committee for the IEEE International Symposium on Policies for Distributed Systems and Networks. He has a PhD in CS from the University of Maryland at College Park, and an MS and a BE from Simon Bolivar University, Venezuela.

The talk will describe several of the security techniques that do not get a lot of publicity, but been found quite effective within our organization. Some of the techniques are quite simple, such as providing developers with a checklist, and asking the right questions to determine where to focus efforts. Together, they enable a rational process of security management within a large heterogeneous environment.

Speaker Bio: Joel Rosenblatt has been in IT at Columbia University for the last 31 years. He is currently the head of the Computer and Network security group, part of the Columbia Information Security Office. He is responsible for overseeing the security for the approximately 65,000 nodes that make up the Columbia University network. Additional responsibilities include DMCA compliance and investigations involving law enforcement. Joel is the Chair of the Security Metrics Project Team of the EDUCAUSE/Internet2 Computer and Network Security Task Force and a member of Infraguard, NYECTF and other organizations that he can neither confirm or deny the existence of.

Internet-facing SSL VPNs and Open Reverse Proxies can be abused to perform reconnaissance, data extraction, or general mischief INSIDE the Corporate Intranet and on SSL VPN clients. Such security devices are usually thought to add security to the enterprise network, while increased client side attack surface from required mobile code (ActiveX/Java) goes ignored.

This presentation will discuss programming and infrastructure flaws permitting abuse of the server, remote code execution on vulnerable clients, as well as appropriate countermeasures.

Mike Zusman is a Senior Consultant for the Intrepidus Group. Prior to joining Intrepidus Group, Mike has held the positions of Escalation Engineer at Whale Communications (a Microsoft subsidiary), Security Program Manager at Automatic Data Processing, and lead architect & developer at a number of smaller firms. In addition to his corporate experience, Mike is an independent security researcher, and has responsibly disclosed a number of critical vulnerabilities to commercial software vendors and other clients. Mike has also founded a number of successful entrepreneurial ventures including Global Uplink Solutions Incorporated (hosting division acquired by Flare Technologies in 2005) and Dish Uplink LLC, a leader in satellite TV subscription activations in the US. Mike holds the CISSP certification.

Sherard Bailey will give a talk in the psychology of deception and a group discussion will follow.

Topics to be addressed are:

• What is deception?
• Properties/Classification/Examples
• Defining a psychology of deception
• define the strong/weak "sense" of psychology and how the psychology of deception fits into this
• review of published articles by
  • Jastrow (illusory inferences on knowledge based on sensory info),
  • Dessoir (invited inference, psychological kernel),
  • Binet and Triplett (sociobiology, deception/natural selection) that form a broad collection of ideas on the topic

Networked Systems for the Developing World Computer Science research over the past several decades has predominantly focused on addressing important computing problems in the developed world with little focus on the developing world. However, the sad reality is that a large majority of the world's population does not have access to basic digital communications - If this issue is not addressed, the digital divide is bound to significantly grow in the upcoming years.

In this talk, I will elaborate upon how the development of appropriate Information and Communication Technologies (ICT) has the potential to solve some of the pressing problems in developing countries including improving healthcare, education, financial services, supply-chain services etc. I will elaborate on the computer science research challenges that arise in addressing these problems many of which are motivated by the operational environments in these regions. These challenges are spread across a wide range of topics within computer science.

Seminar Summary: We present our design and implementation of a remote authentication framework called TUBA which collects, extracts features, analyzes, and classifies a computer owner's character- istic keystroke patterns. A comprehensive security analysis on the attacks and defenses of our framework is presented.

A sufficiently motivated attacker will almost always compromise a target environment, given the complex attack surface of today's enterprises. This talk analyzes why this is so, and discusses what the implications are for enterprise security personnel, penetration testers, and the military.

• Overall grade: A
• Value: A
• Positive career impact: A
• Relevance to actual career activities: A

The article lists Poly's security program as one of the key strengths of Poly, and has an interview with an ISIS alum, Stanislav Nurilov. See the full article on the Computerworld site.

The paper is here: Detecting File Fragmentation Point using Sequential Hypothesis Testing

Abstract: File carving is a technique whereby data files are extracted from a digital device without the assistance of file tables or other disk meta-data. One of the primary challenges in file carving can be found in attempting to recover files that are fragmented. In this paper, we show how detecting the point of fragmentation of a file can benefit fragmented file recovery. We then present a sequential hypothesis testing procedure to identify the frag- mentation point of a file by sequentially comparing adjacent pairs of blocks from the start- ing block of a file until the fragmentation point is reached. By utilizing serial analysis we are able to minimize the errors in detecting the fragmentation points. The performance results obtained from the fragmented test-sets of DFRWS 2006 and 2007 show that the method can be effectively used in recovery of fragmented files.

Time and Location: Monday 07/07 at 11am in LC400

Abstract: The digitization of our daily lives has led to unprecedented collections of sensitive personal data (e.g., census data, medical records) by governments and corporations. Such data is often released for research purposes, which, however, may pose a risk to individual privacy. To address this issue, numerous techniques have been proposed to anonymize the data before its publication. Somewhat surprisingly, all existing anonymization techniques assume that the adversary has no or limited knowledge of the anonymization algorithm, and fail to protect privacy when this assumption does not hold. In other words, a data publisher that adopts these techniques must take up the difficult responsibility of keeping the algorithm confidential, which severely limits the applicability of these techniques in practice.

In this talk, I will present a solution that remedies the above problem. I will start from an analytical model for evaluating disclosure risks, against an adversary who knows everything in the anonymization process, except the data to be published. Based on the model, I will discuss three anonymization algorithms that can ensure privacy protection against the adversary we consider. The effectiveness and efficiency of these algorithms will be demonstrated through experimental results. Finally, I will conclude the talk with my plan for future research.

Bio: Xiaokui Xiao obtained the Bachelor and Master degrees in Computer Science from the South China University of Technology in July 2001 and June 2004, respectively. He is currently a PhD student in the Department of Computer Science and Engineering of the Chinese University of Hong Kong.

Short Abstract:
We will talk about existing trusted hardware devices and how they can be deployed to make the world a safer and more private place.

Bio:
Radu Sion is an assistant professor of Computer Science in Stony Brook University, heading the Network Security and Applied Cryptography Laboratory. His research focuses on data security and information assurance mechanisms. Collaborators and funding partners include Motorola Labs, the Center of Excellence in Wireless and Information Technology CEWIT, the Stony Brook Office for the Vice-President for Research and the National Science Foundation. Sion also directs the Stony Brook Trusted Hardware Laboratory, a central expertise and research knowledge repository on secure hardware.

Radu Sion's Webpage
NSAC Lab

Abstract:
Devising effective Content Protection mechanisms and building satisfactory Digital Rights Management systems have been top priorities for the Publishing and Entertainment Industries in recent years. Corporate DRM efforts have so far attempted to address this challenge with systems characterized by a tight control over the user media platform. This approach, however, brings about rigid limitations on the user experience (e.g., restrictions on the creation of back-up copies of purchased copyrighted content), ultimately resulting in an unhappy customer base. Research advances over the last few years show that Cryptography holds promise for the development of flexible tools that could enable fair DRM solutions. In this talk, I will provide an overview of my investigations along this direction, and I will then focus on the case of transmission of live events, where the sensitivity of the content under distribution decreases with time. For this setting, I will present a scheme in which unauthorized disclosure of access control credentials can be traced back to the leaker(s), thus discouraging piracy by the threat of detection. The proposed solution improves upon the state of the art both in communication performance and in security guarantees. Before concluding, I will briefly discuss some of my other cryptographic research, including an on-going project that was recently funded by DARPA in the context of the "System F6" initiative.

Bio:
Nelly Fazio earned her M.Sc. ('03) and Ph.D. ('06) in Computer Science from New York University. During her studies, she also conducted research at Stanford University, Ecole Normale Superieure (France) and Aarhus University (Denmark). In 2003, she was awarded the NYU CIMS Sandra Bleistein prize, for "notable achievement by a woman in Applied Mathematics or Computer Science." Her Ph.D. thesis was nominated with honorable mention for the NYU J. Fabri prize, awarded yearly for the "most outstanding dissertation in Computer Science." Dr. Fazio's research interests are in cryptography and information security, with a focus on digital content protection. Since July 2006, she is part of the Content Protection group at IBM Almaden Research Center, where she has been conducting research on advanced cryptographic key management, tracing technologies, and authenticated communications in dynamic federated environments. Currently, she is a visiting research scientist in the Security group at IBM T.J. Watson Research center, working on security issues of decentralized enironments such as sensor networks.

Abstract:
In the last few years, Internet users have seen the rapid expansion of phishing, man-in-the-middle, malware and other attacks that attempt to trick users into revealing sensitive data. We have also seen the introduction of new authentication and identity management systems across the Web. The scale and complexity, combined with the privacy and security requirements of these systems, create steep challenges for usability. To design systems and interfaces to shield users from attacks, it is important to know which kinds of attack strategies are successful and why users are deceived. In this talk, I posit seven flaws or design challenges that must be met for authentication and identity management systems to be usable and accepted by the general public.

Bio:
Rachna Dhamija is a Postdoctoral Fellow at the Center for Research on Computation and Society at Harvard University. Rachna's research interests span the fields of computer security, human computer interaction and information policy. She received a Ph.D. from U.C. Berkeley, where her thesis focused on the design and evaluation of usable security systems. Previously, Dhamija worked on electronic payment system privacy and security at CyberCash. Her research has been featured in the New York Times, the Wall Street Journal, the Economist and CNN.

Abstract: Bertrand will present several concrete research problems related to the communication of information through parallel or hidden channels (watermarking and steganography) and to the securing of information communication for specific purposes (fingerprinting and authentication).

Bio: Bertrand Haas is Principal Engineer in the Secure Systems research group of the Advanced Concepts and Technology division at Pitney Bowes. He joined this group in 2001 and has been working, since then, on cryptography, coding theory, image processing, graphic security and has more recently been involved in developing solutions for mail voting applications. Bertrand received his Ph.D. in Mathematics from the University of Basel in Switzerland in 1998. He spent a postdoctoral year at the Fields Institute and UofT in Toronto, a year at the Mathematical Science Research Institute and UC in Berkeley and then taught two years at Michigan State University before beginning his corporate career at Pitney Bowes.

Abstract: Wietse analyzes a very small program that is obviously correct, yet completely fails to perform as expected, for more reasons than many people can think of. The audience is expected to have some programming experience, but detailed knowledge of C, UNIX or Windows is not required.

Bio: Wietse Venema is known for his software such as the TCP Wrapper and the POSTFIX mail system. He co-authored the SATAN network scanner and the Coroner's Toolkit (TCT) for forensic analysis, as well as a book on Forensic Discovery. Wietse received awards from the System Administrator's Guild (SAGE), the Netherlands UNIX User Group (NLUUG), as well as a Sendmail innovation award. He served a two-year term as chair of the international Forum of Incident Response and Security Teams (FIRST). Wietse currently is a research staff member at the IBM T. J. Watson research center. After completing his Ph.D. in physics he changed career to computer science and never looked back.

This talk discusses the work to date of the Drives Project, a 9-year (and counting) effort that is creating a large-scale collection of real disk drive images, open source tools, and new techniques for automatically processing data recovered from disk drives and other kinds of storage devices. Today the Drives Project has assembled a corpus of more than 1000 forensically interesting images from hard drives and USB storage devices that were collected all over the world. We have created open source formats, tools and algorithms for automatically analyzing this data in bulk and rapidly producing answers to questions that are relevant to the Defense, Intelligence and Law Enforcement communities. The Project is now in the process of dramatically expanding the global reach of data being acquired and exploring new research opportunities for using this data.

Large scale use of digital identity systems that cross institutional boundaries does not seem to be gaining traction. What are the issues that are holding this back? Technology, cost, usability, scalability, cross-institutional trust models? The focus of this workshop is on technologies that will foster development and deployment of digital identity systems, particularly at a system and infrastructure level, not on point technologies.

The presentation will provide an overview of data mining, the various types of threats and then discuss the applications of data mining for malicious code detection and cyber security. Then we will discuss the consequences to privacy.

Bio: Dr. Bhavani Thuraisingham joined The University of Texas at Dallas in October 2004 as a Professor of Computer Science and Director of the Cyber Security Research Center in the Erik Jonson School of Engineering and Computer Science.

Seminar topics will include:

• Cryptography
• Firewalls
• IPS's / IDS's
• Authentication Mechanisms
• Vulnerabilities and Exploits
• Regulatory & Compliance Issues
  • Sarbanes-Oxley
  • GLBA
  • HIPAA
  • FISMA
  • SB1386

Topic of talk: Email graphs have been used to illustrate general properties of social networks of communication and collaboration. However, increasingly, the majority of email traffic reflects opportunistic, rather than symbiotic social relations. Here we use e-mail data drawn from a large university to construct directed graphs of email exchange that quantify the differences between social and antisocial behaviors in networks of communication. We show that while structural characteristics typical of other social networks are shared to a large extent by the legitimate component they are not characteristic of antisocial traffic.

Cisco has given a product grant worth $150,000 to the ISIS Lab. The equipment includes 10Gbit/s switches, routers, and advanced firewalls. The hardware will be used for research and teaching.

The Information Systems and Internet Security (ISIS) Laboratory at Polytechnic University, Brooklyn is hosting a Cisco Systems-sponsored Security Bootcamp for faculty and staff. Please see here for more details.