ADVANCE COMPUTES TRICKS: 2013

Purdue Team Receives High Honors in International Digital Forensics Challenge

Posted: 10 Dec 2013 06:07 AM PST

(Purdue University News) A team of four computer and information technology graduate students recently won high honors in the international 2013 Defense Cyber Crime Center (DC3) Digital Forensics Challenge. The Purdue team, named Or11, took fifth place overall and first place in the graduate student team category. The team also received grand champion status, given to the top 317 achieving teams in the competition. Members of the Purdue team were William Ellis, Jacob Kambic, Eric Katz and Sydney Liles. Advising the team was Sam Liles, associate professor of computer information technology. The team will receive a plaque and medal for their achievements. The 10 1/2 month contest, which began in December 2012 and ended Nov. 1, involved more than 1,000 teams from 49 states and 49 countries. Each team consisted of one to four members, and each team was categorized as general, including civilian and commercial teams, or academic, including graduate and undergraduate teams. Winners were announced Dec. 1. In this annual challenge, teams gain points by tackling digital exercises from novice challenges worth 100 points to developer-level challenges worth 500 points. DC3 is a wide-ranging group that provides digital services for the U.S. Department of Defense. Writer: Amanda Hamon, ahamon@purdue.edu, 49-61325

The Passing of A Pioneer

Posted: 25 Nov 2013 09:24 PM PST

Willis H. Ware, a highly respected and admired pioneer in the fields of computing security and privacy, passed away on November 22nd, 2013, aged 93. Born August 31,1920, Mr. Ware received a BSEE from the University of Pennsylvania (1941), and an SM in EE from MIT (1942). He worked on classified radar and IFF electronic systems during WWII. After the war he received his Ph.D. in EE from Princeton University (1951) while working at the Institute for Advanced Studies for John von Neumann, building an early computer system. Upon receiving his Ph.D., Dr. Ware took a position with North American Aviation (now part of Boeing Corporation). After a year, he joined the RAND Corporation (in 1952) where he stayed for the remainder of his career -- 40 more years — and thereafter as an emeritus computer scientist. His first task at RAND was helping to build the "Johnniac," an early computer system. During his career at RAND he advanced to senior leadership positions, eventually becoming the chairman of the Computer Science Department. Willis was influential in many aspects of computing. As an educator, he initiated and taught one of the first computing courses, at UCLA, and wrote some of the field's first textbooks. In professional activities, he was involved in early activities of the ACM, and was the founding president of AFIPS (American Federation of Information Processing Societies). From 1958-1959 he served as chairman of the IRE Group on computers, a forerunner of the current Computer Society of the IEEE. He served as the Vice Chair of IFIP TC 11 from 1985-1994. At the time of his death he was still serving as a member of the EPIC Advisory Board. Dr. Ware chaired several influential studies, including one in 1967 that produced a groundbreaking and transformational report for ARPA (now DARPA) that was known thereafter as "The Ware Report." To this day, some of the material in that report could be applied to better understand and protect computing systems security. The follow-on work to that study eventually led, albeit somewhat indirectly, to the development of the NCSC "Rainbow Series" of publications. In 1972, Dr. Ware was tapped to chair the Advisory Committee on Automated Personal Data Systems for the HEW (now HHS) Secretary. That report, and Willis's subsequent paper,"Records, Computers, and the Rights of Citizens," established the first version of the Code of Fair Information Practices. That, in turn, significantly influenced the Privacy Act of 1974, and many subsequent versions of fair information practices. The Privacy Act mandated the creation of the Privacy Protection Study Commission, of which Dr. Ware was vice chair. Willis was the first chairman of the Information System and Privacy Advisory Board, created by the Computer Security Act of 1987. He remained chairman of that board for 11 years following its establishment. Over the years, Dr. Ware served on many other advisory boards, including the US Air Force Scientific Advisory Board, the NSA Scientific Advisory Board, and over 30 National Research Council boards and committees. Willis Ware was one of the most honored professionals in computing. He was a Member of the National Academy of Engineering. He was a Fellow of the AAAS, Fellow of the IEEE, and Fellow of the ACM (perhaps the first person to accrue all four honors). He was a recipient of the IEEE Centennial Medal in 1984, the IEEE Computer Pioneer Award in 1993, and a USAF Exceptional Civilian Service Medal in 1979. He was the recipient of the NIST/NSA National Computer System Security Award in 1989, the IFIP Kristian Beckman Award in 1999, a lifetime achievement award from the Electronic Privacy Information Center (2012), and was inducted into the Cyber Security Hall of Fame in 2013. Dr. Willis H. Ware was truly a pioneer computer scientist, an early innovator in computing education, one of the founders of the field of computer security, and an early proponent of the need to understand appropriate use of computing and the importance of privacy. His dedication to the field and the public interest was both exceptional and seminal. (Any updates or corrections will be posted here as they become available.)

Saurabh Bagchi Recognized as a Distinguished Scientist by ACM

Posted: 22 Nov 2013 08:03 AM PST

Saurabh Bagchi, Professor of Electrical and Computer Engineering and CERIAS Fellow, has been selected for Individual Achievements and Contributions to International Computing Community by the Association for Computer Machinery (ACM). Press Release, NEW YORK, NY, November 20, 2013—ACM (the Association for Computing Machinery) has named 40 Distinguished Members for their individual contributions and their singular impacts on the vital field of computing. Their achievements have advanced the science, engineering, and education of computing, and highlight the widening role that computing plays in a range of disciplines and domains around the globe. The 2013 Distinguished Members hail from universities in Denmark, Japan, Israel, Italy, China, and the United Kingdom in addition to North America, and from leading international corporations and research institutions. ACM President Vinton G. Cerf described the recipients as "the problem solvers, prophets, and producers who are powering the future of the digital age." He noted that these ACM members "are the driving force for enabling the computing community to change how we live and work. They demonstrate the advantages of ACM membership, which empowers self-improvement and inspires a bold vision for their own careers as well as their impact on the future." The ACM Distinguished Member program can recognize the top 10 percent of ACM worldwide membership based on professional experience as well as significant achievements in the computing field. ACM's current worldwide membership exceeds 100,000. Seventy percent of the 2013 recipients are from leading international academic institutions around the world. Another 30 percent represent prominent corporate and national research laboratories from North America, the UK, Europe and India. Their achievements in critical areas of computing include high performance computing, computer architecture, data management, user interface, cybersecurity, wireless network management, software engineering, and innovative instruction. For more information about the selection criteria and the 2013 Distinguished Members, click on http://awards.acm.org/distinguished_member/. Prof. Bagchi's research interests include dependable distributed systems, network security, reliable high performance computing, and embedded wireless networks. He is a Senior Member of IEEE and ACM, a Distinguished Speaker for ACM, an IMPACT Faculty Fellow at Purdue (2013-14), and a Fellow of the CERIAS security center at Purdue.

Marc Rogers Receives AAFS Case Study Award

Posted: 19 Nov 2013 12:15 PM PST

Marcus K. Rogers, Professor of CIT and CERIAS Fellow, has been named as the recipient AAFS Digital and Multimedia Sciences Outstanding Case Study Award for 2014. AAFS is the American Association of Forensic Sciences — the major professional association of investigators across all types of investigations. The award will be presented in February 2014 at the annual AAFS meeting in Seattle, WA. Professor Rogers is an internationally recognized expert in digital investigation techniques and cybercrime. He is an innovator in this area at Purdue, working with CERIAS personnel and students on advanced research topics and certification as a national center of excellence. Questions may be directed to Professor Rogers at mkr@cerias.purdue.edu

Thoughts—Some Random, Some Structured

Posted: 14 Nov 2013 05:09 PM PST

On October 9th, 2013, I delivered one of the keynote addresses at the ISSA International Conference. I included a number of observations on computing, security, education, hacking, malware, women in computing, and the future of cyber security. You can see a recording of my talk on YouTube or view it here. You might find it somewhat amusing. See the old guy with the bow tie ramble on. (If you work in cyber security, you should think about joining the ISSA.) (Also, if you didn't know, I have two other blogs. One blog is a Tumblr blog feed of various media stories about security, privacy and cybercrime. The other blog is about various personal items that aren't really related to CERIAS, or even necessarily to cyber security — some serious, some not so much.)

Purdue Experts Part Of Electric Grid Cyberattack Drill

Posted: 13 Nov 2013 12:39 PM PST

Marc Rogers, director of Purdue's Cyberforensics Lab and CERIAS Fellow, says the drill will recreate everything from a partial shutdown of electricity across North America to a virtual blackout affecting all of the U-S, Canada, and Mexico. "They will look at how vulnerable (the grid is) or what the weaknesses are, how would these things be identified; could they be identified in time; once they were identified and once there were bad things happening to the grid, how would the grid recover, and how long it would take to recover," said Rogers. More information »

BSIMM-V Released

Posted: 11 Nov 2013 08:48 AM PST

The BSIMM-V project provides insight into 67 of the most successful software security initiatives in the world and describes how these initiatives evolve, change, and improve over time. The multi-year study is based on in-depth measurement of leading enterprises including Adobe, Aetna, Bank of America, Box, Capital One, Comerica Bank, EMC, Epsilon, F-Secure, Fannie Mae, Fidelity, Goldman Sachs, HSBC, Intel, Intuit, JPMorgan Chase & Co., Lender Processing Services Inc., Marks and Spencer, Mashery, McAfee, McKesson, Microsoft, NetSuite, Neustar, Nokia, Nokia Siemens Networks, PayPal, Pearson Learning Technologies, QUALCOMM, Rackspace, Salesforce, Sallie Mae, SAP, Sony Mobile, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, TomTom, Vanguard, Visa, VMware, Wells Fargo, and Zynga. More information »

Privacy and Civil Liberties Oversight Board, Second Afternoon Hearing

Posted: 05 Nov 2013 04:39 AM PST

Prof. Spafford participated as a panelist on the Privacy & Civil Liberties Oversight Board hearing. The topic was potential reform of the laws that govern NSA domestic surveillance. More information »

How a grad student trying to build the first botnet brought the Internet to its knees

Posted: 05 Nov 2013 04:38 AM PST

More information »

Feds Proving Internet-Adept and Inept at same Time

Posted: 31 Oct 2013 11:29 AM PDT

More information »

Bertino Named Editor-in-Chief of Top IEEE Journal

Bertino Named Editor-in-Chief of Top IEEE Journal
Lessons from the First Major Computer Virus
The Evolution of IT Security Ethics

Bertino Named Editor-in-Chief of Top IEEE Journal

Posted: 30 Oct 2013 10:54 AM PDT

Elisa Bertino, a CERIAS Fellow, professor of computer science at Purdue University and acting research director for the Center for Education and Research in Information Assurance and Security, was named editor-in-chief of IEEE Transactions on Secure and Dependable Computing. Bertino received the IEEE Computer Society Technical Achievement Award in 2002 for outstanding contributions to database systems and database security and advanced data management systems, and the 2005 Tsutomu Kanai Award for pioneering and innovative research contributions to secure distributed systems. IEEE Computer Society produces peer-reviewed, technical journals, magazines, books, and conference publications, in addition to online courses, certification programs, conferences, career development services, and networking opportunities. IEEE Computer Society publications are led and governed by the Publications Board, which includes operations committees for each publishing line. The IEEE Computer Society provides up-to-date, easily accessible information for computing professionals, and serves as a source for technology information, inspiration and collaboration.

Lessons from the First Major Computer Virus

Posted: 30 Oct 2013 10:53 AM PDT

Eugene Spafford, one of the first to analyze the Morris Worm, says we haven't learned from it or other major security breaches since. More information »

The Evolution of IT Security Ethics

Posted: 30 Oct 2013 10:52 AM PDT

Purdue's Spafford on Building Trust with the Public More information »

Spafford calls for more manager, employee accountability (Federal News Radio)

Posted: 16 Oct 2013 11:14 AM PDT

The one action that may make the most difference in how federal agencies secure their computer networks involves no new whiz-bang technology. It has no up-front real-dollar costs either. More information »

Spaf on Security

Posted: 16 Oct 2013 11:10 AM PDT

He was one of the first computer scientists to dissect the game-changing worm that hit the Internet 25 years ago and took down thousands of computers. He's also credited for defining software forensics and shaping other security technologies. But Eugene "Spaf" Spafford says security still isn't taken seriously enough today. More information »

Sypris Expands Indiana-based Research Center

Posted: 11 Oct 2013 06:15 AM PDT

John Walsh, president of Sypris Electronics LLC, speaks during the dedication of the company's cybersecurity research center in the Purdue Research Park of West Lafayette. (Purdue News) TAMPA, Fla. And WEST LAFAYETTE, Ind. -Sypris Electronics LLC, a subsidiary of Sypris Solutions Inc., announced Thursday (Oct. 10) the opening of its newly expanded Sypris Research Center (SRC). Sypris Electronics dedicated the office in its new location in the Purdue Research Park in West Lafayette, Ind. The newly expanded office will continue to focus on advancements in cybersecurity as well as other innovative research in the areas of network protection and critical infrastructure for government and commercial entities through its partnerships with Purdue University's Center for Education and Research in Information Assurance and Security (CERIAS), government, and industry. "Sypris' expansion near Purdue, one of our premier university partners, is a solid testament to our commitment to advancing research in the areas of security and information assurance, not just for our government and commercial allies, but for the benefit of our worldwide partners as well," said John Walsh, president of Sypris Electronics. "I am proud to be a part of the grand opening event and I would like to thank our Indiana-based partners who helped make our expansion a seamless transition." Joseph Hornett, senior vice president, treasurer and COO of the Purdue Research Foundation, spoke at the dedication. "Purdue University and Sypris Electronics have a long history of research collaborations and the dedication of Sypris' offices in the Purdue Research Park of West Lafayette is another step in further developing this positive relationship," Hornett said. "It also is a good example of how Greater Lafayette can attract high-tech and defense companies to this area." Joel Rasmus, director of strategic relations for CERIAS, said that the expansion will provide additional opportunities for research collaborations. "Sypris has a strong reputation of doing innovative information assurance and security work, and this newly opened research and development facility has already begun to open new avenues for joint research collaboration and timely tech transfer from academia to industry," Rasmus said. "It is also affording many of our students the opportunity to work for an innovative industry leader." About Sypris Electronics Sypris Electronics is a world-class, integrated systems solutions provider. Our ruggedized electronic products, advanced engineering services and complete electronic manufacturing capabilities are aligned to provide our customers the best people, practices and technologies to continually exceed expectations. We consistently promote an agile, innovative culture by strategically partnering with leading-edge technology companies, agencies and universities. With over 40 years of experience, Sypris Electronics is proud to develop, manufacture and integrate leading technologies into mission critical electronics systems that secure America's interest. Visit www.sypriselectronics.com for additional information. Contacts: Jennifer L. Limeri, Sypris Electronics, 813-972-6486 Cynthia Sequin, Purdue Research Foundation, 765-588-3340, casequin@prf.org Sources: John Walsh, (813) 972-6486 Joseph Hornett, (765) 588-1040, jbhornett@prf.org Joel Rasmus, (765) 494-7806, jrasmus@purdue.edu

Spafford on Educating Executives

Posted: 09 Oct 2013 08:50 AM PDT

To mark his induction into the National Cyber Security Hall of Fame, Purdue University Computer Science Professor Eugene Spafford offers insights on key challenges, including overcoming senior executives' misperceptions about key issues. More information »

Arxan Technologies Announces Major Investment from TA Associates

Posted: 07 Oct 2013 12:26 PM PDT

West Lafayette, Ind. (Dept. of Computer Science) Arxan, an application security company specializing in software protection, was recently sold to TA Associates, one of the largest private equity firms. Founded by members of the Computer Science Department and local entrepreneur, Eric Davis, in 2001, the company grew out of efforts by Distinguished Professor and CERIAS Fellow Mikhail (Mike) Atallah, his graduate student, Hoi Chang, Distinguished Professor John Rice, and Assistant Head Tim Korb, working together to develop the technology for a business that grew into one of the leading providers of software security solutions. The technology protects from attacks in distributed or untrusted environments and is used in more than 200 million computing devices, providing protection from hackers by linking "guards" at different points within software code. Purdue supported their efforts with the Trask fund and also paid for the legal expenses of the patents. "Purdue was very helpful, providing some initial funding, filing for patents, renting to the company its initial space at the Research Park under advantageous conditions, and eventually licensing the technology to the company. Before Arxan was founded in 2001, both the CS Department and the CERIAS center provided facilities for research, and an environment conducive to generating the results that were eventually licensed to Arxan. After Arxan was founded in 2001, Purdue also gave us the flexibility and encouragement to pursue this venture," Atallah said. The ultimate decision to sell Arxan was driven by the board of directors, with regard to market conditions. Atallah added, "The recent rapid growth of mobile computing gave a boost to Arxan, because mobile devices are so easily compromised and we were positioned to protect the apps in such situations." Both Atallah and Korb will continue to serve on the technical advisory board, along with Professor Eugene Spafford, who is also the founder and director for the Center for Education and Research in Information Assurance and Security (CERIAS). TA Associates was founded in 1968 and is one of the largest global, middle-market growth, private equity firms in the world. The firm has invested in more than 430 companies and has raised $118 billion in capital with offices in Boston, Menlo Park, London, Mumbai, and Hong Kong. TA leads the world in buyouts and minority recapitalizations of profitable growth companies in technology, financial services, business services, health care and consumer industries. More information about Arxan is available at http://www.arxan.com/ Writer: Jesica E. Hollinger, (765) 494-0996, jehollin@purdue.edu Sources: Mikhail Atallah, (765) 494-6010 Tim Korb, (765) 494-6184 Related websites: http://www.ta.com/News/Arxan-Technologies-Press-Release.aspx

Happy Anniversary—Bang My Head Against A Wall

Posted: 06 Oct 2013 12:22 PM PDT

Over the last month or two I have received several invitations to go speak about cyber security. Perhaps the up-tick in invitations is because of the allegations by Edward Snowden and their implications for cyber security. Or maybe it is because news of my recent awards has caught their attention. It could be it is simply to hear about something other than the (latest) puerile behavior by too many of our representatives in Congress and I'm an alternative chosen at random. Whatever the cause, I am tempted to accept many of these invitations on the theory that if I refuse too many invitations, people will stop asking, and then I wouldn't get to meet as many interesting people. As I've been thinking about what topics I might speak about, I've been looking back though the archive of talks I've given over the last few decades. It's a reminder of how many things we, as a field, knew about a long time ago but have been ignored by the vendors and authorities. It's also depressing to realize how little impact I, personally, have had on the practice of information security during my career. But, it has also led me to reflect on some anniversaries this year (that happens to us old folk). I'll mention three in particular here, and may use others in some future blogs. In early November of 1988 the world awoke to news of the first major, large-scale Internet incident. Some self-propagating software had spread around the nascent Internet, causing system crashes, slow-downs, and massive uncertainty. It was really big news. Dubbed the "Internet Worm," it served as an inspiration for many malware authors and vandals, and a wake-up call for security professionals. I recall very well giving talks on the topic for the next few years to many diverse audiences about how we must begin to think about structuring systems to be resistant to such attacks. Flash forward to today. We don't see the flashy, widespread damage of worm programs any more, such as what Nimda and Code Red caused. Instead, we have more stealthy botnets that infiltrate millions of machines and use them for spam, DDOS, and harassment. The problem has gotten larger and worse, although in a manner that hides some of its magnitude from the casual observer. However, the damage is there; don't try to tell the folks at Saudi Aramaco or Qatar's Rasgas that network malware isn't a concern any more! Worrisomely, experts working with SCADA systems around the world are increasingly warning how vulnerable they might be to similar attacks in the future. Computer viruses and malware of all sorts first notably appeared "in the wild" in 1982. By 1988 there were about a dozen in circulation. Those of us advocating for more care in design, programming and use of computers were not heeded in the head-long rush to get computing available on every desktop (and more) at the lowest possible cost. Thus, we now we have (literally) tens of millions of distinct versions of malware known to security companies, with millions more appearing every year. And unsafe practices are still commonplace -- 25 years after that Internet Worm. For the second anniversary, consider 10 years ago. The Computing Research Association, with support from the NSF, convened a workshop of experts in security to consider some Grand Challenges in information security. It took a full 3 days, but we came up with four solid Grand Challenges (it is worth reading the full report and (possibly) watching the video): Eliminate epidemic-style attacks within 10 years Viruses and worms SPAM Denial of Service attacks (DOS) Develop tools and principles that allow construction of large-scale systems for important societal applications that are highly trustworthy despite being attractive targets. Within 10 years, quantitative information-systems risk management will be at least as good as quantitative financial risk management. For the dynamic, pervasive computing environments of the future, give endusers security they can understand and privacy they can control. I would argue -- without much opposition from anyone knowledgeable, I daresay -- that we have not made any measurable progress against any of these goals, and have probably lost ground in at least two. Why is that? Largely economics, and bad understanding of what good security involves. The economics aspect is that no one really cares about security -- enough. If security was important, companies would really invest in it. However, they don't want to part with all the legacy software and systems they have, so instead they keep stumbling forward and hope someone comes up with magic fairy dust they can buy to make everything better. The government doesn't really care about good security, either. We've seen that the government is allegedly spending quite a bit on intercepting communications and implanting backdoors into systems, which is certainly not making our systems safer. And the DOD has a history of huge investment into information warfare resources, including buying and building weapons based on unpatched, undisclosed vulnerabilities. That's offense, not defense. Funding for education and advanced research is probably two orders of magnitude below what it really should be if there was a national intent to develop a secure infrastructure. As far as understanding security goes, too many people still think that the ability to patch systems quickly is somehow the approach to security nirvana, and that constructing layers and layers of add-on security measures is the path to enlightenment. I no longer cringe when I hear someone who is adept at crafting system exploits referred to as a "cyber security expert," but so long as that is accepted as what the field is all about there is little hope of real progress. As J.R.R. Tolkien once wrote, "He that breaks a thing to find out what it is has left the path of wisdom." So long as people think that system penetration is a necessary skill for cyber security, we will stay on that wrong path. And that is a great segue into the last of my three anniversary recognitions. Consider this quote (one of my favorite) from 1973 -- 40 years ago -- from a USAF report, Preliminary Notes on the Design of Secure Military Computer Systems, by a then-young Roger Schell: …From a practical standpoint the security problem will remain as long as manufacturers remain committed to current system architectures, produced without a firm requirement for security. As long as there is support for ad hoc fixes and security packages for these inadequate designs and as long as the illusory results of penetration teams are accepted as demonstrations of a computer system security, proper security will not be a reality. That was something we knew 30 years ago. To read it today is to realize that the field of practice hasn't progressed in any appreciable way in three decades, except we are now also stressing the wrong skills in developing the next generation of expertise. Maybe I'll rethink that whole idea of going to give a talks on security and simply send them each a video loop of me banging my head against a wall. PS -- happy 10th annual National Cyber Security Awareness Month -- a freebie fourth anniversary! But consider: if cyber security were really important, wouldn't we be aware of that every month? The fact that we need to promote awareness of it is proof it isn't taken seriously. Thanks, DHS! Now, where can I find I good wall that doesn't already have dents from my forehead....?

U.S. Agencies Revamp Standards for Cybersecurity Program (Chronicle.com)

Posted: 30 Sep 2013 01:54 PM PDT

More information »

Stephen Elliott Interviewed by NBC’s Today Show (Video)

Posted: 26 Sep 2013 06:45 AM PDT

NBC's Today show visited the International Center for Biometric Research at Purdue. Stephen Elliott, Associate Professor in Technology Leadership & Innovation and CERIAS Fellow, demoed the latest in biometric technologies and discussed how fingerprint and iris reading are increasingly replacing passwords as the preferred computer security method. Visit NBCNews.com for breaking news, world news, and news about the economy

Blog Archive