Thursday, April 21, 2016

TRUST researcher Deirdre Mulligan receives IAPP Privacy Leadership Award

TRUST researcher Deirdre Mulligan has been awarded the prestigious IAPP Privacy Leadership Award for 2016, along with Professor Kenneth Bamberger, also at Berkeley. The two received the honor from the International Association of Privacy Professionals in recognition for their groundbreaking research on the unwritten laws of privacy — the way privacy professionals steer the internal governance of privacy within companies — and their book Privacy on the Ground.

The award recognizes global leaders in the field of privacy and data protection who have demonstrated an ongoing commitment to furthering privacy policy, promoting recognition of privacy issues, and advancing the growth and visibility of the privacy profession.

Wednesday, November 25, 2015

Former TRUST REU Student Wins Silver Award in ACM Research Competition for Undergrads

Luther Martin, a NERSC Student Assistant via the UC Berkeley TRUST-REU program, won the silver award in the ACM Student Research Competition for undergraduates for his poster “Optimization Strategies for Materials Science Applications on CORI: An Intel Knights Landing, Many Integrated Core Architecture.” The competition provides support to help undergraduates experience the research world and gain recognition from ACM and the greater computing community. Martin, who currently attends Jackson State University in Jackson, Mississippi, spent the summer interning at NERSC. He was one of 25 students selected to present their posters at SC15 out of 64 submissions.

Tuesday, November 24, 2015

Former TRUST REU Student to Participate in FTC conference on Privacy and Technology

Ibrahim Altaweel, a participant in the TRUST Center’s 2014 REU program, has been selected to present research at PrivacyCon, a conference organized by the Federal Trade Commission (FTC) to discuss the latest research and trends related to consumer privacy and data security. Altaweel worked with Berkeley Professor Nathan Good at the School of Information to develop his research, which provided an update to the ongoing “web privacy census” work. The census measures online tracking and provides a framework for policymakers to advocate for more privacy rights for consumers.

Altaweel will be one of just 20 researchers presenting at the event.

Tuesday, August 25, 2015

Stanford to Offer Course in CryptoCurrency

As part of its new graduate certificate program in cybersecurity, Stanford University is offering a course titled, “Crypto Currencies: Bitcoin and Friends,” taught by TRUST researcher and Stanford Professor of Computer Science Dan Boneh and launching in September 2015. Boneh will also be extending the course online to professionals enrolled in the program.

Boneh and others in the field feel the time is right to develop an online course to help others learn about the opportunities and challenges created by virtual currencies, including Bitcoin. The course will explore ways to ensure that new payment technologies are designed to secure privacy while also protecting digital assets.

Wednesday, August 12, 2015

Summer Camp for Cybersecurity

High school students in the San Francisco Bay Area had a special opportunity to learn more about cybersecurity this summer, thanks to CYBEAR, a summer camp funded by the NSA and the National Science Foundation and hosted by the TRUST Center. The camp is part of a system of 43 camps nationwide that seeks to address an extreme shortage of cybersecurity workers needed in both government and industry. In addition to including a number of UC Berkeley faculty and students as instructors, the program also collaborated with the International Computer Science Institute (ICSI) and the Lawrence Berkeley National Laboratory to develop curriculum.

Participants in CYBEAR were introduced to basic concepts about conducting research, learned about secure programming and principles of privacy, and were provided with information to help them define a path to careers in cyber security and privacy. The camp was successful in attracting significant numbers of underrepresented minorities (camp population was 55% female and 64% underrepresented minorities) and in reaching schools that do not offer any teacher-led computer science program.
The program was featured in a number of media outlets.

Tuesday, March 31, 2015

TRUST Researcher Dan Boneh to Receive 2014 ACM-Infosys Foundation Award

The Association for Computing Machinery (ACM) has named TRUST researcher Dan Boneh the recipient of the 2014 ACM-Infosys Foundation Award in the Computing Sciences for ground-breaking contributions to the development of pairing-based cryptography and its application in identity-based encryption. The award recognizes the finest recent innovations by young scientists and system developers in the computing field. Boneh's work helped establish the field of pairing-based cryptography, a dominant area in cryptography for the last decade, by demonstrating the use of pairing functions to solve a wide variety of problems in cryptography. Boneh, with Matt Franklin, showed how pairings could be used to develop a fully functional identity-based encryption scheme (IBE).
Dan Boneh is professor of Computer Science and Electrical Engineering at Stanford University, and leads the applied cryptography group there. He will be honored at ACM's annual awards banquet on June 20, 2015 in San Francisco.

Thursday, February 05, 2015

Have You Read Your Privacy Policy?

If you’re like most people, you probably haven’t read a word of the many privacy policies encountered online. And, as TRUST researcher Alessandro Acquisti argues, that’s not a good thing if you want to protect your personal data. Acquisti and other researchers at Carnegie Mellon are using their research on privacy and technology as evidence to recommend implementation of a federal consumer privacy bill of rights.

Researchers found that current technological advances are outpacing written privacy policies, leading to inadequate protection against the latest threats. Privacy "approaches that rely exclusively on informing or 'empowering' the individual are unlikely to provide adequate protection against the risks posed by recent information technologies," CMU’s Alessandro Acquisti, Laura Brandimarte and George Loewenstein wrote.

Thursday, December 04, 2014

San Jose State Designated Cyber Security Center of Excellence

TRUST Center partner institution San Jose State University was recently designated a National Center of Academic Excellence in Information Assurance/Cybersecurity Education by the U.S. Department of Homeland Security and the National Security Agency's U.S. Cyber Command.

SJSU is the first Bay Area institution to receive such a CoE designation. Covering 2014-2019, the designation builds on more than a decade of research and education at SJSU in information assurance and related fields, including close collaboration with the TRUST Center.

Congratulations to Prof. Sigurd Meldal and his colleagues for this recognition! A full press release from the university can be read here.

Tuesday, November 25, 2014

Best Paper Award for TRUST Medical Informatics Research

The work of TRUST researchers at Vanderbilt University and their colleagues was recognized at the American Medical Informatics Association Annual Symposium, winning the Homer Warner Award for best paper. The paper, titled “SOEMPI: A Secure Open Enterprise Master Patient Index Software Toolkit for Private Record Linkage,” describes a software tool based on OpenEMPI for privacy-preserving record linkage (PRL) that is engineered to be extensible and to support the PRL lifecycle, including the distribution of cryptographic keys and the communication between the participating organizations. This project was initiated, and is currently maintained, by the Health Information Privacy Laboratory at Vanderbilt University.

The paper authors are Csaba Toth (Vanderbilt University), Elizabeth Durham (Vanderbilt University), Murat Kantarcioglu (University of Texas at Dallas), Yuan Xue (Vanderbilt University), and Bradley Malin (Vanderbilt University). More information on SOEMPI is available here.

Wednesday, September 24, 2014

Password Managers Pose Security Risk

Password managers may not be as effective as you think. While these tools provide convenience and (ostensibly) peace of mind, a recently released report from UC Berkeley researchers, including TRUST researcher Dawn Song, found that all five of the popular password managers tested had critical vulnerabilities. In fact, for four of the five companies studied, the researchers found that an attacker would have been able to steal arbitrary credentials at the time of the report.

Researchers reported their findings to the companies reviewed, and most responded to the disclosures and fixed the vulnerabilities. However, their research points to the importance of always considering possible weaknesses and not taking security for granted.

Wednesday, July 16, 2014

Privacy Can Be Good for Business

These days, most consumers are not surprised to learn that their online browsing habits or personal cell phone usage are mined by companies for targeted marketing practices. However, as TRUST researcher Steve Wicker at Cornell University argues, privacy can be good for business too.

Dr. Wicker is just one of many experts urging firms to offer consumers options which do not leave them vulnerable to the hacking or misuse of databases. A service which promises to keep users’ data for a day instead of a year or more is, he believes, something that people would be willing to pay extra for.

Although change is slow, trust in how a business protects personal privacy increasingly translates to customer loyalty, opening up the potential for a big market in privacy products.

Tuesday, April 15, 2014

Is the Internet Our Friend?

Just how safe is the Internet? TRUST researcher Nicolas Christin was one of the participants who explored this question in a debate and panel discussion at Carnegie Mellon University.

The discussion, supported by the Ford Foundation, highlighted concerns that arise as governments around the world attempt to deal with the increasing free flow of information in a world where Twitter posts can ignite revolution.

From online shopping to managing energy grids, our society is dependent on secure Internet connections. However, as one panelist pointed out, the challenge is to maintain security while allowing for transparency and ease of communication.

Friday, March 14, 2014

Few clues found in collapse of Mt. Gox bitcoin exchange

Despite online sleuthing and crowdsourcing, it is unlikely that those who suffered losses when bitcoin exchange Mt. Gox was hacked will be able to trace the path of their investments, comments TRUST researcher Emin Gun Sirer of Cornell University.

The problem, Gun Sirer and others say, is two-fold: on one hand, users of such forums are not always methodical or disciplined in their research; on the other, bitcoin's combination of transparency and complexity invites the unwary to draw false conclusions. The collapse of the world's biggest bitcoin exchange highlights the need for enhanced infrastructure in developing digital currency.

Tuesday, December 17, 2013

SJSU Establishes Center for Cyber Security and Big Data Studies

TRUST partner institution San Jose State announced the establishment of a new Center for Cyber Security and Big Data Studies, to be led by TRUST researcher Professor Sigurd Meldal.

The university will hire nine new faculty members who will work with their colleagues to develop and deliver curricula and research that will enable industry and other partners to design, build, and operate trustworthy information systems for the region's and the nation's critical infrastructure. This cohort will represent diverse areas of expertise and interests, not limiting the focus to technical competencies but reaching out to and including business and the humanities.

Thursday, November 14, 2013

Studying Wiretaps to Big Data - Cornell moves into the MOOC world

TRUST researcher Prof. Steve Wicker of Cornell University will be teaching one of Cornell's first Massive Open Online Courses (MOOCs), beginning in March 2014. The course, titled "Wiretaps to Big Data: Privacy and Surveillance in the Age of Complete Interconnection," is one of four selected for Cornell's first MOOC offering. The course will explain how cellular technology makes surveillance possible, how surveillance affects how we use cellular and other technologies, cellular users’ rights, and how this system affects our democratic institutions. Cornell will be partnering with edX, a MOOC platform founded by the Massachusetts Institute of Technology and Harvard University to offer online, university-level courses in a wide range of disciplines to a worldwide audience free of charge.

Thursday, October 17, 2013

Online Hackers Beware: GOTCHA!

Worried about the robustness of the ubiquitous CAPTCHA in preventing online attacks? TRUST researchers Jeremiah Blocki, Manuel Blum, and Anupam Datta at Carnegie Mellon University think they have the solution: GOTCHAs, or Generating panOptic Turing Tests to Tell Computers and Humans Apart. GOTCHAs introduce a new twist on human-only solvable puzzles (such as CAPTCHAs): the interaction between humans and computers is built on inkblot images and the phrases users choose to describe them. A user is presented with an image and asked to describe that image with a short phrase. Later, when logging in online, the user is shown the same image and challenged to provide the matching phrase that describes it. For a human, successfully completing both steps is easy. For a computer, not so much. Hence GOTCHA's effectiveness.

See MIT Technology Review and Gizmodo Australia for coverage of this research. The full research paper is available here.

Saturday, October 12, 2013

"Fingerprinting" of Mobile Devices

A team led by TRUST researcher and Stanford computer science Professor Dan Boneh has identified a method of effectively "fingerprinting" mobile devices. By exploiting tiny errors in each device's sensors, including the accelerometer and microphone, the team showed how their results could be used to uniquely identify a mobile device.

A more in-depth article on the research is available at the SFGate Tech Chronicles.

Thursday, October 03, 2013

Online privacy concerns growing

There's a privacy arms race under way online, a continuing struggle among consumers, Internet companies, advocates and policymakers to assert greater control over personal data.

Following recent NSA spying revelations, many people disabled browser cookies or took other steps to protect their privacy. Cookies are still popular with online advertisers, but advertisers have been developing and using more refined methods for some time, including authenticated tracking, browser fingerprinting, cross-device tracking and more.

"Google knows exactly who you are because there is so much authentication built into Google's services," Chris Hoofnagle, director of the information privacy programs at the Berkeley Center for Law & Technology, said in an e-mail. "We are moving to an authenticated Web where one is always signed in, and that authentication, even if on the surface (it's) pseudonymous, typically indicates the user's identity."
See full article at SFGATE.

Wednesday, October 02, 2013

Your Digital Trail: Private Company Access

As the second story in a four-part series examining one's digital trail and who potentially has access to it, NPR broadcast this episode of All Things Considered on October 1st.

Though news reports have focused on the National Security Administration's efforts to monitor people's phone calls and online activities, private companies are also tracking what we are doing, nearly everywhere we leave a digital footprint.

This story looks at how data-tracking companies are monitoring online behavior.

Researchers explore underground market of Twitter spam and abuse

Researchers at ICSI (International Computer Science Institute) presented data at the 22nd USENIX Security Symposium from a project exploring the underground market of spam and abuse on Twitter. Vern Paxson of ICSI and Chris Grier of UC Berkeley led a group that tracked the criminal market on Twitter, which sells access to accounts that are later used to push spam and malicious links (including phishing and malware) as well as to inflate follower counts. The 10-month study was limited to Twitter because the researchers were unable to get permission from Facebook, Google, and Yahoo, social networks the researchers observed as being actively abused by merchants responsible for several million fraudulent accounts. See the complete article at CSO - Security and Risk.

Wiretap Extension Will Help Crooks & Terrorists

By extending the existing US wiretap laws to give federal agencies easier backdoor access to Internet communications, the country's enemies and cyberthieves also receive aid and technical assistance for their own nefarious objectives.

This ominous warning is set forth in a compelling paper signed by 20 academic and private sector security experts, including heavy hitters like BT's Bruce Schneier and Professor David Wagner of EECS Berkeley.

The core issue is that the government is expected to mandate either centralized wiretap access to the Internet communications that continue to elude the FBI's grasp, or access at user endpoints.

More information: internet evolution.

Monday, December 17, 2012

2013 Summer Program Applications Now Open

The TRUST REU is a nine-week summer residential program that offers rising juniors and seniors in computer science or electrical engineering programs the opportunity to conduct research in Cybersecurity, Privacy and Trustworthy Systems. Participants of this program undertake cutting-edge research projects. They also have access to enrichment activities including seminars, field trips, one-on-one advice regarding graduate school, and a subsidized GRE prep course. More information can be found on the TRUST REU Website:
Application Deadline: 2/15/2013

STAR is a nine-week summer residential program for California Community College students. STAR aims to increase the number of eligible transfer students to four-year programs in computer science and electrical engineering. Participants of this program undertake cutting-edge computer science and electrical engineering research projects. They have access to enrichment activities including seminars, field trips, and one-on-one advising sessions. Upon completion of this program students will be better prepared to apply for transfer to a four-year program in computer science or engineering. More information can be found on the STAR Website:
Application Deadline: 2/15/2013

SECuR-IT, the Summer Experience, Colloquium and Research in Information Technology, is a ten-week paid internship program for M.S. and Ph.D. students in computer science and electrical engineering. The topic for the intern experience is Cybersecurity, Privacy and Trustworthy Systems. The internship experience includes placements at leading Silicon Valley network security companies, such as eBay, PayPal, Juniper Networks, SalesForce, Symantec and others. More information can be found on the SECuR-IT Website:
Application Deadline: 3/1/2013

Wednesday, September 26, 2012

NSF Awards $10 Million Grant to ICSI and Collaborators to Study Human Element of Cybercrime

The International Computer Science Institute (ICSI), along with the University of California, San Diego and George Mason University, has received a five-year, $10 million grant from the National Science Foundation to examine the roles played by economics and social interactions in Internet security. While security research has focused primarily on those technologies that defend against Internet attacks, the new project, led by ICSI Project Leader and UC Berkeley Professor Vern Paxson and Stefan Savage of UC San Diego, concentrates on the profit motive behind most Internet attacks, along with the complex marketplaces supporting them and the relational interdependence of the cybercriminals involved in such attacks.
“During our earlier work on analyzing the factors that go into making spam a profitable form of cybercrime, we were deeply struck by the significance of the human side of the equation,” said Paxson, “Non-technical considerations span business concerns, issues of trust-amongst-thieves, and the rise of social media as both a new domain that cybercrime is expanding into, and a way to track interactions amongst the criminals themselves.”
This large multi-institutional award comes in the form of a "Frontier" project, titled Beyond Technical Security: Developing an Empirical Basis for Socio-Economic Perspectives as proposed by Prof. Paxson and TRUST investigators Chris Hoofnagle and Deirdre Mulligan among others.

See NSF award announcement and ICSI press release for more information.

Tuesday, June 12, 2012

Johannes Gehrke of Cornell University wins IEEE Award

Johannes Gehrke, computer science professor at Cornell University, is one of 14 prominent technologists to be honored at the IEEE Computer Society's annual awards dinner in Seattle. Professor Gehrke will receive the 2011 Technical Achievement Award for his pioneering contributions to data mining and distributed query processing techniques.

"For the IEEE Computer Society, the awards ceremony represents an opportunity to acknowledge these innovators for their sizable contributions to the field of computing,” said David A. Bader, chair of the IEEE Computer Society Awards Committee and professor in the School of Computational Science and Engineering at Georgia Institute of Technology. “This year’s honorees come from diverse backgrounds, and include pioneers in parallel processing, data-mining, database theory, Web applications, computer standards, and many other specialties that are central to the further advancement of computing technology. On behalf of the IEEE Computer Society, I applaud them for their accomplishments."
See the Seattle PI for more information.

Thursday, May 03, 2012

How Al Qaeda Hid Secrets in a Video

A May 1, 2012 Discovery News article, "How Al Qaeda Hid Secrets In a Porn Video" discusses using steganography to hide documents within a video. UC Berkeley Professor and TRUST participant David Wagner was used as a source in the article. The article states:
"Wagner said that human rights workers have been using steganography to hide testimony by exploited workers or political prisoners from government security forces. The testimony is encrypted onto a file on a cellphone, which can then be scanned at a customs checkpoint without revealing the hidden documents."
See also the Slashdot discussion and the original CNN article.

Wednesday, April 18, 2012

Secretary Of Homeland Security Speaks At San Jose State

On April 16th, Sigurd Meldal, professor and TRUST campus Principal Investigator at San Jose State University, participated in hosting a visit by Secretary of Homeland Security Janet Napolitano to the University.

Napolitano spoke to students about cybersecurity and students' future in this field. As students' lives become more involved with the internet, Napolitano said students may find themselves with opportunities in areas of the nation's online defenses.
“To minimize the risks of a successful cyberattack we need everyone,” Napolitano said. “The cyberdomain has become inseparable from our daily lives.”

See article in the Spartan Daily and video coverage of Napolitano's appearance at SJSU on Monday, April 14th.

Saturday, February 25, 2012

Web Firms to Adopt 'No Track' Button

Support for a do-not-track button by a coalition of Internet giants, including Google, has emerged as part of the White House's call for Congress to pass a "privacy bill of rights" giving people more control over personal data collected about them.

Google and others had been working around the privacy settings of millions of people who use Apple's Safari web browser on their iPhones and computers. The code Google was using to bypass the privacy settings was noticed by Stanford researcher Jonathan Mayer, a CS/law student working with Professor John Mitchell.

Google disabled its code after being contacted by the Wall Street Journal. A Google spokesman said:

“Our updated Privacy Policy will make our privacy practices easier to understand, and it reflects our desire to create a seamless experience for our signed-in users.”

See the Wall Street Journal Technology articles on Google's iPhone tracking and No-Track Button for details.

Saturday, January 21, 2012

Internet is still vulnerable to cyber-criminals

A January 21, 2012 San Francisco Chronicle article "Internet is still vulnerable to cyber-criminals" by James Temple discusses Mark Bowden's book "Worm: The First Digital World War," which describes the October 21, 2002 attack on the Internet Domain Name Servers.

The SF Chronicle article states:

Internet Protocol version 6 will create more root name servers and add other security protections.

"But the general consensus today is that it's still pretty fragile," said Doug Tygar, professor of computer science at UC Berkeley.

See also the October 3, 2011 review of 'Worm'.

Tuesday, December 13, 2011

Android apps and advertising: A bit too cozy

A Tech Republic blog entry "Android apps and advertising: A bit too cozy" features the research of TRUST Ph.D. student Adrienne Porter Felt.

Adrienne asked non-computer scientists: “Do you think the advertiser can use the app’s permissions?” Twelve people answered with:

Yes: 5
No: 2
I don’t know: 5

It turns out that the answer is not that simple.

Adrienne's blog entry "Advertising and Android Permissions" states:

"Can an advertiser use an app’s permissions?"

"When you see an advertisement in an application, there are three parties. First, there’s the application itself, which asks the user for permissions. Second, there’s the advertising library, which is shoved into the application and therefore gains access to all of the app’s permissions. Third, the advertising library displays the advertisement itself. The advertisement can’t directly use any of the permissions, but the advertising library might share information with the company that is running the ad. So if you see an REI ad while playing a game, you should know that the invisible ad library gets all of the game’s permissions, and it might share information like your location with REI."

Adrienne is a student of Berkeley Professor David Wagner.


Monday, December 05, 2011

Carrier IQ cell phone monitor software is a nightmare

TRUST Professor Stephen Wicker was quoted in a NetworkWorld article, "Cornell Prof: Carrier IQ affair 'my worst nightmare'". Carrier IQ is software present on various cell phones that provides call quality and other feedback to cell phone companies.

The article quotes Professor Wicker:

"This is my worst nightmare," says Stephen Wicker, a professor of electrical and computer engineering at Cornell. "As a professor who studies electronic security, this is everything that I have been working against for the last 10 years. It is an utterly appalling invasion of privacy with immense potential for manipulation and privacy theft that requires immediate federal intervention.

"Carrier IQ claims that the collected data is 'anonymized.' Let's give this a moment's thought -- about all that it deserves. How hard would it be to 'de-anonymize' a pile of text messages between me and my wife? My mother? My children? Banking IDs with passwords?"

The article was also picked up in a Slashdot article.

Wednesday, October 05, 2011

White House Honors Cornell's Salman Avestimehr with PECASE

TRUST investigator and Cornell Professor Salman Avestimehr was named a recipient of the Presidential Early Career Award for Scientists and Engineers, the highest honor bestowed by the United States government on science and engineering professionals in the early stages of their research careers.

Nominated by the National Science Foundation, Prof. Avestimehr was recognized as one of the Nation's "most meritorious scientists and engineers whose early accomplishments show the greatest promise for assuring America's preeminence in science and engineering and contributing to the awarding agencies' missions." The award includes a multi-year research grant.

The press release from the White House, which includes the full list of recipients, is available here. A press release from the Cornell University School of Electrical and Computer Engineering is available here.

Tuesday, August 09, 2011

"The Science of Cyber Security"

US News and World Report's article, "The Science of Cyber Security" by Marlene Cimons gives an overview of the Team for Research in Ubiquitous Secure Technology (TRUST). Dean Shankar Sastry is quoted:

“We no longer can afford to be reactive in our attitudes about cyber security,” ...

“Our current approach is bolt-on, rather than built-in patches, bolted on, like an afterthought. We need to be proactive.”

Erika Chin: "Seven ways to hang yourself with Google Android"

The research work of Erika Chin, an EECS graduate student studying smartphone security, was featured in a Consumer Reports online magazine article titled "Def Con 19: Android apps ask for too much power". Erika and principal researcher Yekaterina Tsipenyuk O’Neil reported that after studying dozens of Android apps, 30 percent of them were overprivileged, creating a larger security risk to your personal information and phone.
(Based on text by Miyoko Tsubamoto)

Monday, June 13, 2011

Stanford's Dan Boneh Receives Dean's Award for Industry Education Innovation

TRUST researcher and Stanford University Professor Dan Boneh was awarded the School of Engineering Dean's Award for Industry Education Innovation. The award is given for "outstanding teaching and exemplary leadership in industry education" and Dan was recognized for his leadership of the Stanford Advanced Computer Security Certificate program as well as teaching courses on computer systems security and cryptography. These courses are offered by the Stanford Center for Professional Development which focuses on connecting working professionals worldwide to the research and teaching of Stanford University faculty in the School of Engineering and related academic departments.

Friday, June 10, 2011

TRUST Researchers to Lead Intel Security Center

Intel Labs announced the creation of the Intel Science and Technology Center for Secure Computing (ISTCSC) to be led by UC Berkeley with partner institutions Carnegie Mellon, Drexel, Duke, and Illinois.

The center's work will focus on making personal computers safer from malware, securing mobile devices, and protecting personal data when it is distributed across the Internet by giving people more control over it. The center is the second announced by Intel as part of their 5-year, $100 million ISTC program that will increase university research, accelerate innovation, and encourage tighter collaboration between university thought leaders and Intel. The ISTCSC will be funded at a level of $2.5 million per year for five years.

The center will be co-led by TRUST investigator and UC Berkeley Professor David Wagner and Intel Senior Principal Engineer John Manferdelli. Among the faculty researchers participating in the center are TRUST investigators Anthony Joseph, Vern Paxson, Dawn Song, and Doug Tygar from UC Berkeley and Adrian Perrig from Carnegie Mellon.

Intel released a press statement announcing the creation of the center and the center’s website contains a white paper describing the center’s research agenda.

Friday, June 03, 2011

Audio Captchas defeated

Stanford Professor John Mitchell, postdoctoral researcher Elie Bursztein and their colleagues have developed a way to defeat the audio version of Captchas. See The Register and the Stanford News coverage.

Friday, April 22, 2011

Stephen Wicker on iOS user privacy

Professor Stephen Wicker was quoted in Network World's article "Cornell prof warns iPhone, iPad users: 'We're selling our privacy'" about the recently reported location logging by the iPhone and iPad. The Network World article quotes Professor Wicker:

"It is vitally important to recognize that cellular telephony is a surveillance technology, and that unless we openly discuss this surveillance capability and craft appropriate legal and technological limits to that capability, we may lose some or all of the social benefits of this technology, as well as a significant piece of ourselves," says Stephen Wicker, Cornell professor of electrical and computer engineering. "Most people don't understand that we're selling our privacy to have these devices."

Saturday, February 26, 2011

Doug Tygar on the LinkedIn outage in China

Bloomberg's February 25, 2011 article "LinkedIn Service Is Restored in Beijing After 'Jasmine' 24-Hour Disruption" discusses how LinkedIn was blocked in China after a user posted comments about how "Tunisia’s Jasmine Revolution should spread to the Asian nation that’s been ruled by the Communist Party since 1949." The article quotes TRUST's Doug Tygar:

“Often, this is done as a sort of a warning signal -- sort of a shot across the bow,” said Doug Tygar, professor of computer science at the University of California at Berkeley. “A portion of that is symbolic.”

The quote was also printed on page D-1 of the San Francisco Chronicle, "Business Report - The Chronicle with Bloomberg."

Wednesday, February 23, 2011

Cornell's Hakim Weatherspoon Awarded Sloan Fellowship

TRUST investigator and Cornell University Prof. Hakim Weatherspoon was named a recipient of the 2011 Sloan Research Fellowship of the Alfred P. Sloan Foundation.

Sloan Research Fellowships seek to stimulate fundamental research by early-career scientists and scholars of outstanding promise and are awarded yearly to researchers in recognition of distinguished performance and a unique potential to make substantial contributions to their field.

A press release of the 2011 fellowship awards is available here.

Tuesday, January 18, 2011

Car Theft by Antenna

According to new research to be presented at the Network and Distributed System Security Symposium next month in San Diego, California, car thieves of the future might be able to get into a car and drive away without forced entry and without needing a physical key.

Researchers successfully attacked eight car manufacturers' passive keyless entry and start systems—wireless key fobs that open a car's doors and start the engine by proximity alone. Because a car won't open or start if the signal from its key takes too long to arrive, the researchers devised a way to speed communication between their antennas. They were able to keep the signals in analog format, which reduced their delay from microseconds to nanoseconds, making their attack more difficult to detect.

David Wagner, professor of computer science at the University of California at Berkeley who has studied the cryptographic systems used in keyless entry systems, says the research "should help car manufacturers improve auto security systems in the future." Wagner doesn't think the research ought to make car owners anxious. "There are probably easier ways to steal cars," he says. But, he adds, a "nasty aspect of high-tech car theft" is that "it doesn't leave any sign of forced entry," so if a thief did use this method to steal a car, he says, it might be hard for police and insurance companies to get sufficient evidence of what happened. Wagner believes that manufacturers, police, and insurance companies all need to prepare for this eventuality.

See full article in Technology Review, published by MIT.

Friday, January 07, 2011

Commerce announces new shop to oversee online security

The article "Commerce announces new shop to oversee online security" covers Commerce Secretary Gary Locke's announcement that

The Obama administration is creating an office that will coordinate with the private sector to establish a secure pathway for people, organizations and computer programs to execute online transactions...

Locke spoke at an industry forum sponsored by many groups, including TRUST.

Tuesday, November 16, 2010

White House Honors Vanderbilt's Bradley Malin

TRUST investigator and Vanderbilt University Professor Bradley Malin was named a recipient of the Presidential Early Career Award for Scientists and Engineers, the highest honor bestowed by the United States government on science and engineering professionals in the early stages of their research careers.

Nominated by the National Institutes of Health and Department of Health and Human Services, Prof. Malin was recognized as one of the Nation's "most meritorious scientists and engineers whose early accomplishments show the greatest promise for assuring America's preeminence in science and engineering and contributing to the awarding agencies' missions." The award includes a multi-year research grant.

The press release from the Office of Science and Technology Policy (OSTP), which includes the full list of recipients, is available here.

Thursday, October 21, 2010

"Fabric" To Weave Security into Code

Cornell computer science faculty Fred Schneider and Andrew Myers are developing a new computer platform, dubbed Fabric, that offers a way to build security into computer systems from the start by incorporating security in the language used to write the programs.

Professor Schneider states that until now, computer security has been reactive; when hackers discover a way in, we patch it.
"Our defenses improve only after they have been successfully penetrated," he explained.
Fabric's programming language, an extension of the widely used Java language, builds in security as the program is written. Fabric is still a prototype, being tested on a database of Cornell computer science students.

Schneider and Myers plan to scale it up for very large distributed systems, provide for more complex security restrictions on objects and enable "mobile code" — programs that can reside on one node of a network and be run on another with assurance that they are safe and do what they claim to do. And perhaps most important (and perhaps hardest), they hope to provide formal mathematical proof that a system is really secure.

See article in Dr. Dobb's, The World of Software Development.

Wednesday, September 29, 2010

UC Berkeley's Dawn Song Awarded MacArthur Fellowship

TRUST researcher and UC Berkeley Professor Dawn Song was named a 2010 MacArthur Fellow by the John D. and Catherine T. MacArthur Foundation.

The so-called "genius award" is given to individuals "who have shown extraordinary originality and dedication in their creative pursuits and a marked capacity for self-direction" as well as "exceptional creativity, promise for important future advances based on a track record of significant accomplishment, and potential for the fellowship to facilitate subsequent creative work." Prof. Song, one of 23 recipients of this year's award, was cited for her work in applying "rigorous theoretical methods to understand the deep interactions of software, hardware, and networks that make computer systems vulnerable to attack or interference."

Details on Prof. Song's work and her award are available here.

Tuesday, September 21, 2010

TRUST Autumn 2010 Conference: Nov. 10-11, 2010

The next TRUST Conference will be held November 10-11, 2010 at the Jen-Hsun Huang Engineering Center on the campus of Stanford University. The conference will run from approximately 8:00 AM to 5:00 PM both November 10 and 11.

This event will provide attendees with an opportunity to hear firsthand about the work of TRUST faculty and students, specifically activities that:
  • Advance a leading-edge research agenda to improve the state-of-the art in cyber security and critical infrastructure protection;

  • Develop robust education and diversity plans to teach the next generation of computer scientists, engineers, and social scientists; and

  • Pursue knowledge transfer opportunities to transition TRUST results to end users within industry and the government.

For more information, see the TRUST Autumn 2010 Conference Page.

Monday, September 20, 2010

WSJ: "J.P. Morgan Wrestles Web Snarl"

UC Berkeley Professor Doug Tygar was quoted in a September 15, 2010 Wall Street Journal website article, "J.P. Morgan Wrestles Web Snarl." The article discusses a J.P. Morgan web outage. Professor Tygar is quoted as stating, "if they have so much trouble with a software failure, what happens with an actual attack?"

Wednesday, August 18, 2010

UC Berkeley's Pamela Samuelson wins IP3 Award

UC Berkeley Law Professor and renowned scholar Pamela Samuelson is one of four winners of this year's IP3 Award from the Washington-based public interest group Public Knowledge.

As a director of the Berkeley Center for Law & Technology, Samuelson is being acknowledged for her work in information policy, particularly in such areas as privacy, copyright, freedom of expression, intellectual property and consumer protection.
"Public Knowledge has been the most important voice for public-spirited intellectual property and Internet policy," says Samuelson. "I'm pleased that this organization believes I have made contributions to these same policies worthy of being named to this award."

See more in the Berkeley Law News Archive.

Tuesday, August 10, 2010

Web add-ons compromise 'private browsing'

A study by Dan Boneh of Stanford University claims that many browser add-ons or website security measures stop the 'private browsing' mode from working correctly.

Boneh and team examined the private browsing functions on Mozilla's Firefox, Microsoft Internet Explorer, Google Chrome and Apple's Safari and discovered all four were affected. Moreover, they discovered that all browsers retained the generated key pair even after private browsing ends which could leak the site's identity to an attacker.
"We found that private browsing was more popular at adult web sites than at gift shopping sites and news sites, which shared a roughly equal level of private browsing use," Boneh said in the report.

"This observation suggests that some browser vendors may be mischaracterising the primary use of the feature when they describe it as a tool for buying surprise gifts."

Boneh and his researchers say they believe they are the first to show that 'private browsing' can be compromised.

See full article at PC Advisor. Related articles appear at THIN! and BBC NEWS.

Monday, June 28, 2010

Patents seen as low priority for software firms

Tom Abate's San Francisco Chronicle article, "Patents seen as low priority for software firms" discusses the paper written by Stuart J. H. Graham, Robert P. Merges, Pamela Samuelson and Ted M. Sichelman, "High Technology Entrepreneurs and the Patent System: Results of the 2008 Berkeley Patent Survey."

The article quotes Pamela Samuelson:
"More than 80 percent of the biotech, medical device and hardware firms we surveyed have or have applied for patents. . . About two-thirds of software firms have no patents and have not applied for any."

The study is also discussed by PhysOrg, Broadbandbreakfast and Canadaviews.

Monday, May 31, 2010

Vanderbilt medical researchers, engineers play major role in new national center established to secure the privacy of electronic health information

The Vanderbilt University News Network released an article on Friday announcing the $15 million awarded to create a new center for health information and privacy. The center, headquartered at the University of Illinois, will include researchers from Vanderbilt University; University of California, Berkeley; Carnegie Mellon University; Dartmouth College; Harvard Medical School; Johns Hopkins University; Northwestern Memorial Hospital; Stanford University; University of Massachusetts, Amherst and the University of Washington.

It is one of four health care research centers established and funded for four years with American Recovery and Reinvestment Act of 2009 funds as part of the $60 million Strategic Healthcare Information Technology Advanced Research Projects on Security (SHARPS) program.
“Our participation in the new SHARPS center reflects the fact that Vanderbilt has become highly visible in the field of health care security and privacy,” said Janos Sztipanovits, director of the Institute for Software Integrated Systems (ISIS) at Vanderbilt’s School of Engineering.
Vanderbilt has gained experience in this area through its participation in the TRUST Science and Technology Center founded in 2006 by the National Science Foundation. The $40 million TRUST Center, whose core members are the University of California, Berkeley; Carnegie Mellon University; Cornell University; Stanford University; and Vanderbilt University, is one of the nation’s leading research consortiums focusing on the scientific foundations of system security and privacy. Vanderbilt has headed up TRUST’s health-care-related program.

See full article at VUCast.

Thursday, May 20, 2010

Andrew Myers net radio interview: "Build security into applications"

Cornell Associate Professor Andrew Myers was interviewed on FederalNewsRadio about "Build security into applications":

"His theme: Software developers generally go about writing programs all wrong, when it comes to cyber security."

"He has come up with a concept called 'secure by design and construction' that designs out cybersecurity vulnerabilities."

"He recently presented his research to the House Subcommittee on Science and Technology."

Tuesday, April 13, 2010

Keeping Medical Data Private

Researchers at Vanderbilt University have developed an algorithm that simultaneously protects privacy of patients while allowing medical records to be used for research on the genetics of disease.

The new method, published online April 12 in the Proceedings of the National Academy of Sciences, simply disguises parts of the medical history data that are not relevant to a geneticist’s specific research question using an algorithm that looks through health records and makes some aspects of them more general.
“We’re hoping that it’s a game-changer,” says Bradley Malin, a biomedical informatics specialist from Vanderbilt University in Nashville who helped develop the method. The problem is, it's not all that difficult to follow a specific set of codes backward and identify a person, says Malin.

See articles in Science News and MIT's Technology Review.

Monday, April 12, 2010

Loose Clicks Sink Ships

By analyzing audio recordings of keystrokes, computer scientists have been able to reconstruct accurate transcripts of what is being typed, including passwords. Compared with more sophisticated types of espionage, it is very easy to do. All that is needed is a cheap microphone and a desktop computer.

While past attempts at writing software to decipher the recorded keyboard sounds have only been at most 80% successful, Doug Tygar and colleagues at the University of California, Berkeley have developed software that achieves 96% accuracy. The software can decode anything, including scrambled ten-character passwords.

Dr. Tygar suggests simply turning up the radio to thwart these auditory invasions. However, since background noise will be ultimately overcome with more sophisticated recording, Tygar recommends that typed passwords be phased out, to be replaced with biometric checks or multiple types of authorization that combine a password with silent verification (e.g., clicking on a pre-selected image in an array of images).

See full article in The Economist.

Friday, April 09, 2010

"How Lenders Overlook the Warning Signs of ID Theft"

Brad Stone's NY Times Blog entry "How Lenders Overlook the Warning Signs of ID Theft" discusses Chris Hoofnagle's paper "Internalizing Identity Theft." The abstract for that paper says:

"Why has identity theft remained so prevalent, in light of the development of ever more sophisticated fraud detection tools? Identity theft remains at 2003 levels – 9.9 million Americans fell victim to the crime in 2009."

"One faction explains the identity theft as a problem of a lack of control over personal information. Another argues conversely that identity theft may be caused by a lack of access to personal information by credit grantors. This article presents data from a small sample of identity theft victims to explore a different dimension of the crime, one that suggests alternative interventions."

"Drawing upon victim and impostor data now accessible because of updates to the Fair Credit Reporting Act, the data show that identity theft impostors supply obviously erroneous information on applications that is accepted as valid by credit grantors. Thus, the problem does not necessarily lie in control nor in more availability of personal information, but rather in the risk tolerances of credit grantors. An analysis of incentives in credit granting elucidates the problem: identity theft remains so prevalent because it is less costly to tolerate fraud. Adopting more aggressive and expensive anti-fraud measures is extremely costly and jeopardizes customer acquisition efforts."

Stone's article gives an overview of how lenders approved credit applications, "one victim found four of six fraudulent applications submitted in her name contained the wrong address; two contained the wrong phone number and one the wrong date of birth."

Stone's article was also picked up by Slashdot.

Thursday, April 01, 2010

'MULE' Prototype Uses Location for Authentication

Researchers at CMU (Carnegie Mellon University) have constructed a location-based encryption model for protecting data in lost or stolen laptops with little or no user interaction or IT administrative overhead.

The so-named Mobile User Location Specific Encryption (MULE) method encrypts only sensitive files on a user's laptop.

In a paper entitled "Mobile User Location-specific Encryption (MULE): Using Your Office as Your Password," CMU CyLab technical director Adrian Perrig and CMU graduate student Ahren Studer write: "Our goal is to remove user effort associated with encryption technology while achieving the same or better security compared to traditional password-based approaches. For example, with MULE, a user can securely store encrypted copies of bank records and tax returns on a laptop, and automatically gain access when opening those files in the home office. After a thief steals the laptop, the only way to recover the files is to break into the user's home."

See Tech Center: Insider Threat article in Dark Reading.

Tuesday, February 09, 2010

Security flaw exposed on Home Shopping Network

When a customer encountered a possible security flaw exposing customers of a large television shopping network to credit card fraud, ABC's 7 On Your Side contacted UC Berkeley computer security expert Doug Tygar, who suggested that they find out for themselves whether her fears were founded.

The customer tried the 'Shop by Remote' feature on Home Shopping Network but directed her order to be shipped to her sister's address and found she could do so without her sister even knowing about it. This result was brought back to Tygar.
"I didn't believe it," he said. "I was shocked that you could do that, that such an obvious and large hole would be left open."
Tygar says requiring passwords is an industry standard. It is true that HSN requires both a user name and password when customers shop online. However, neither is required with HSN's "Shop by Remote" feature.
"I would imagine they would be able to deploy a password mechanism in a matter of days. It shouldn't take that much effort," Tygar said.

See full article at 7 On Your Side.