Conference Program

How is healthcare IT security different from all other application? Let me count the ways. You’ve got doctors with god complexes, regulators who sometimes do and sometimes don’t understand the impact of their decisions, patients who want access to their medical data in real time on their mobile device (and make sure nobody else can see it), and entrepreneurs churning out new devices, systems and protocols at warp speed. At the same time, health data is moving to the cloud, medical devices are connecting to the Internet, and technology has become wearable. How are we supposed to secure anything in this environment?!? We’ll talk.

There is a thriving ecosystem of online counterfeit websites that utilize abusive spam based advertising and compromised websites to promote their websites. Third-party entities, who I call rogue payment facilitators, have emerged that offer bullet-proof credit card processing services to online merchants selling trademark infringing goods, such as counterfeit electronics and luxury goods. These bullet-proof credit card processing services have become essential for the continued profitability of these abusive online merchants as brand holders have intensified their efforts to disrupt the credit card processing abilities of online counterfeit shops with the assistance of the International AntiCounterfeiting Coalition (IACC) and law firms.

In this talk, I will first describe the process of disrupting counterfeit credit card processing which involves placing a test purchase with an online counterfeit website to trace the merchant account accepting payments and then filing a complaint with the card holder association, such as Visa or MasterCard. This need for a test purchase to identify the merchant account has led to the rogue payment processors building systems that attempt to filter test purchases while allowing actual customer orders to complete. These systems are often built out of a combination of traditional anti-fraud systems that block suspicious purchases and custom blacklists that are shared between rogue payment facilitators.

The Trustworthy Data Engineering Laboratory (TRUST Lab) has been working with the World Bank, the Federal Bureau of Investigation (FBI), the Environmental Protection Agency (EPA), and the City of Cincinnati to help solve a common problem faced by many organizations involved in data driven investigations: companies and entities that attempt to disguise malicious activities through attacks on the integrity of available data.

In this talk we will explore the challenge of assuring data integrity in heterogenous data systems that face the challenges of velocity, variety, and volume that accompany the domain of Big Data. We will examine real case studies in debarrment and corruption in international procurement with the World Bank, investigations into violations of the Foreign Corrupt Practices Act with the FBI, cases of violations of the Resource Conservation and Recovery Act with the EPA, and human rights abuses of low income citizens by corporate slum-lords in the city of Cincinnati. In each of these cases we will show how malicious actors manipulated the data collection and data analytics process either through misinformation, abuse of regional corporate legal structures, collusion with state actors, or knowledge of underlying predictive analytics algorithms to damage the integrity of data used by machine learning and predictive analytic processes, or the outcomes derived from these processes, to avoid regulatory oversite, sanctions, and investigations launched by national and multi-national authorities.

The hardest part of cybercrime is the cashout. The strategy for cashing out needs to be easy enough to make it worth your while and safe enough to stay out of the klink. With more and more focus on identifying and stopping credit card fraud, cybercrooks are diversifying their methods for cashing out. While criminals can, and do, sell whole and bundled online retailer accounts, credit card data, and fullz, I want us to look at how they get their grubby paws on that cold hard cash. Let's dig into the tools, techniques, and procedures used by this new generation of e-launderers and cyber hustlers.

Understanding the lifecycle of a financially motivated cybercrime is an important part of successfully and efficiently defending against them. When we have insight into the tools, techniques, procedures, motivations, methods, and ecosystems driving these attacks, we are afforded the opportunity to build defense in depth that specifically targets the weaknesses and load-bearing assumptions of the attackers. This talk is not a general hand-waving at the topic of "cybercrime," but instead an in-depth exposition showing currently active tools and methods, non-public case study information, and defense tactics that are actively and successfully being employed right now.

The research world is filled with new ideas about how to increase the security of shipping products. Many of these ideas, however, never manage to make it into production. Some ideas form the core for other technologies that do end up making it, some are relegated to a footnote in subsequent academic papers, and some disappear into obscurity.

In this presentation, I’ll provide a case-study of several features developed either in the academic community or internally at BlackBerry. At least one of these features has made it into a shipping product, while others have been left on the cutting-room floor. I’ll explore how the core idea morphed and was adapted before it managed to make it into product.

While TLS is considered a “best practice” for security, deploying the underlying PKI at scale for cloud applications presents many challenges. This starts with the need to securely bootstrap secrets into each instance. The challenges continue at runtime with the need for insight into the continued trustworthiness of each instance. Unfortunately, in practice, it can be difficult to deploy and maintain such a PKI. In an effort to solve both scale and management challenges, some advocate for the use of short-­lived certificates in lieu of revocation lists. The idea is that a compromised private key is less valuable because it will only work for a limited timespan. But what is really required to deploy such a system?

This talk will take a deep dive into the world of PKI deployments at scale. We will start with a brief overview of PKIs in general before drilling into the specific use case of protecting internally facing microservices using TLS with mutual authentication. From here we will explore the pros and cons of using short-­lived certificates. Then we will look at the operational challenges around such deployments, including scaling certificate authority services, handling reloading of certificates into services at run­time, and determining if an instance is trustworthy enough to receive renewed credentials. We will close with some parting thoughts about the remaining challenges in this space.

In this work we propose a statistical framework for measuring the validity of a login attempt. We built a prototype implementation and tested on real login data from LinkedIn using only two features: IP address and browser’s useragent. We find that we can achieve good accuracy using only user login history and reputation systems; in particular, a nascent service with no labeled account takeover data can still use our framework to protect its users. When combined with labeled data, our system can achieve even higher accuracy.

Computers are now integrating into everyday objects, from medical devices to children's toys. This integration of technology brings many benefits. Without the appropriate checks and balances, however, these emerging technologies also have the potential to compromise our digital and physical security and privacy. This talk will explore case studies in the design and analysis of computer systems for several types of everyday objects, including wireless medical devices, children's toys, and automobiles. I will discuss the discovery of security risks with leading examples of these technologies, the challenges to securing these technologies and the ecosystem leading to their vulnerabilities, and new directions for security and privacy. For example, I will discuss efforts (in collaboration with UC San Diego) to compromise the computers in an automobile from a thousand miles away, and the implications and consequences of this and other works. I will also discuss directions for mitigating computer security and privacy risks, including both technical directions and education.

Everyone wants to build software that's both usable and secure, yet the world is full of software that falters at this intersection. How does this happen? I experienced the disconnect firsthand, when the Chrome security team redid Chrome's security UI to conform to best practices for usable security. In the process, we learned how hard it is to actually adhere to oft-cited wisdom about usable security when faced with real-world constraints and priorities. With a set of case studies, I'll illustrate the limitations we encountered when trying to apply common wisdom to a browser with more than a billion users—and discuss what has actually worked for us in practice, which might work for other practitioners too.

Many aspects of information security combine technical and human factors. If a highly secure system is unusable, users will try to circumvent the system or migrate entirely to less secure but more usable systems. Problems with usability are a major contributor to many recent high-profile security failures. The research domain of usable security and privacy addresses these issues. However, the main focus of researchers in this field has been on the “non-expert” end-user. After placing this issue in context of current research, the presenter will argue that we need to push the frontiers of usable security research to include the human aspects of system security and the administrators and developers involved in it. The talk will use TLS as an example to illustrate usable security and privacy issues across all levels and for all actors involved in the system.

Firmware attacks, mostly those that allow unauthenticated BIOS/UEFI changes, disable kernel and OS security features. These unauthenticated attacks have been proven trivially easy with physical access, and difficult but achievable remotely or though software-only channels. Recent data breaches have revealed in-the-wild firmware-based persistence and reinfection payloads. The firmware landscape has the same fragmentation problem as Android devices, but suffers from more opaque security update announcement methods and authenticated automated update processes. Combine these issues with a culture landscape that still likens secure boot to an extinction level event, and it is obvious our enterprises are in danger.

This presentation takes a different approach to hardware and firmware security by exploring how our enterprise defenders can recognize vulnerable systems, detect, and respond to compromise. Defense begins with visibility, that means baselining kernel drivers, kernels, boot loaders, ACPI table content, SMBIOS metadata, Option ROMs, UEFI drivers, and other boot related platform code; it then continues into logging run time OS API-generated hardware events. This data and pipeline can fuel existing correlation and indicators of compromise (IOC) collections to identify known good and eventually known bad. Creating production deployable and repeatable recipes for these somewhat esoteric features is essential. We will present a summary of immediate tools and actions for “deep systems defense," an analysis of where our defenders remain blind to compromise, and recommendations on where our industry can focus tailored effort to generate massive impact.

Protecting high-risk individuals has always been a problem for the security industry. While many enterprises focus on mitigating scenarios that will affect the greatest number of their users, harm from attacks is not distributed proportionally. Cyber-attacks on high-risk individuals in dangerous situations can lead to torture, kidnapping, and worse. But dealing with targeted attacks is time-consuming and resource intensive. This problem is exacerbated when the target is an individual or small NGO rather than a large enterprise. This talk will discuss the challenges of protecting high-risk, targeted users using the experience of the speakers in assisting targeted NGOs and individuals.

The tabs you open shouldn't keep tabs on you.  Luckily, you can protect yourself.  The set of information left by the browser is only identifying because it is distinct from other users.  By employing a few privacy-enhancing techniques, users can effectively 'blend in' by being indistinguishable from others browsing the web.  This talk will address different fingerprinting metrics that are employed by sites, and specific mitigation behaviors that you can use to protect yourself invasive web trackers.

Social media is ubiquitous in our society. Our profiles may provide a window into our lives for prospective employers or potential lovers, and if we're not careful, they can also provide valuable information to those who wish to do us harm. Fortunately, with a proper threat model, and a little bit of effort, it is possible to mitigate many of the dangers presented by maintaining an online presence. This talk will help identify some of the threats the average social media user may face, as well as some basic strategies for circumventing those threats.

Twenty years ago, law enforcement organizations lobbied to require data and communication services to engineer their products to guarantee law enforcement access to all data. After lengthy debate and vigorous predictions of enforcement channels “going dark,” these attempts to regulate the emerging Internet were abandoned. In the intervening years, innovation on the Internet flourished, and law enforcement agencies found new and more effective means of accessing vastly larger quantities of data. Today we are again hearing calls for regulation to mandate the provision of exceptional access mechanisms. In this report, a group of computer scientists and security experts, many of whom participated in a 1997 study of these same topics, has convened to explore the likely effects of imposing extraordinary access mandates.

We have found that the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago. In the wake of the growing economic and social cost of the fundamental insecurity of today’s Internet environment, any proposals that alter the security dynamics online should be approached with caution. Exceptional access would force Internet system developers to reverse “forward secrecy” design practices that seek to minimize the impact on user privacy when systems are breached. The complexity of today’s Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws. Beyond these and other technical vulnerabilities, the prospect of globally deployed exceptional access systems raises difficult problems about how such an environment would be governed and how to ensure that such systems would respect human rights and the rule of law.

Project Zero has a simple mission—"make 0day hard." To achieve this goal we use our own attack research to improve software and design new defenses. This talk describes some of the technologies and trends that Project Zero researchers have recently encountered that in our view have made vulnerability discovery and exploitation fundamentally harder.

The Sanitizers (AddressSanitizer and friends) is a family of dynamic testing tools for C and C++ based on compile-time instrumentation. They find bugs like use-after-free, buffer overflows, data races, uses of uninitialized memory, integer overflows, and many other kinds of bugs both in the user space and in the kernel. These tools are only as good as your test coverage, and so we’ll also discuss libFuzzer, a library for in-process contol- and data-flow guided fuzzing. Finally, even if these tools miss some of the bugs there is one more line of defense: security hardening of production binaries using compiler instrumentation. Control Flow Integrity will halt the program if a VPTR or an indirect function pointer looks corrupt, and Safe Stack will protect the return address from stack buffer overflow.

The world of competitive hacking can be a strange and confusing place. However, the growing importance of cybersecurity and need for professionals with hands-on experience make these exercises relevant for students, experts, and recruiters. We will discuss competitive hacking in the form of Capture the Flag contests with an emphasis on how to build an effective team, based on Carnegie Mellon's Plaid Parliament of Pwning. With this guidance, we hope to make participating in CTFs more fun and friendly for everyone.

Year after year, we see reports on an ever increasing gap, both in the public and private sectors, between the number of computer security professional we need and the number we expect to produce. While the reasons for this trend are varied and systemic, there is a perception, particularly among those new to computing, that security can be asocial and isolating, that it is void of creativity and individual expression, and lacks positive social relevance. But, as we all know, security can inherently have all of these qualities, which perhaps manifest themselves most clearly in cybersecurity games. Indeed, the freedoms of play inherent in games may directly address the qualities deficient in security pedagogy, with many educators now turning to security games, in and out of the classroom, as a meaningful tool for outreach and education. In this talk, we take a critical look at the use of games in cybersecurity education, and explore some of the ways games can (and cannot) fix computer security education.

Internet voting has the potential to ease voter participation and provide a high-tech upgrade to traditional polling methods. Unfortunately, it also raises some of the most difficult challenges in computer security, due to the need to safeguard election servers and voters' computers against powerful attackers, while simultaneously protecting the secret ballot. How well can election technology defend against modern security threats? To find out, colleagues and I performed in-depth security evaluations of Internet voting systems used in the U.S. and around the world. We found staggering gaps in system designs and operational procedures—problems that would allow attackers to change votes, compromise privacy, disrupt returns, or cast doubt on election results. These case studies illustrate the practical obstacles to securing Internet voting and carry lessons for any locality considering adopting such systems.

The Ancient Greeks could vote securely and privately with bronze disks and a wooden urn, so why can't we get it right using a sophisticated technology like the Internet? End-to-end verifiability gives voters the opportunity to verify that their vote matches their intention and is accurately included in a correct count. In this talk I'll explain what it is, how it works and why it can help us to run supervised poll site e-voting more flexibly and securely than paper alone. I'll describe its first deployment in a state election: the vVote project in Victoria, Australia. Then I'll discuss the open problems that need to be solved before we can safely run government elections over the Internet.

From his role as the Chief of NSA's Tailored Access Operation, home of the hackers at NSA, Mr. Joyce will talk about the security practices and capabilities that most effectively frustrate people seeking to exploit networks.