UMBC Cyber Dawgs to hold student cybersecurity competition on Saturday, March 11

The UMBC Cyber Dawgs will hold a cybersecurity Capture the Flag competition on Saturday, March 11th from 9am-5pm in the Public Policy building. The event will be a jeopardy-style competition where individual competitors answer questions about aspects of cybersecurity, including network forensics, reverse engineering, reconnaissance, and cryptography.

The competition is open to all current UMBC students, both beginners and experts alike. Participants will learn and execute both offensive and defensive security practices that are relevant in today’s computing environments using their laptops to access a system that provides hints and guidance on completing the challenges.

Top performers will receive prizes, including a new Chromebook, a Wireless Pineapple Nano and a YARD Stick One. There will also be door prizes for a few randomly selected, lucky participants, including some Raspberry Pis. Breakfast and lunch will be provided. Some of the Cyber Dawg club’s sponsors will be at the event for students to network with, so bring your resumes.

Students who are interested must register online in advance and bring a laptop to the event. Registration and participation are free, but space is limited.

UMBC CSEE alumnus Josiah Dykstra receives PECASE award for cybercrime work

Josiah Dykstra, Ph.D. ‘13, computer science, has received the prominent Presidential Early Career Award in Science and Engineering (PECASE) for his work on digital forensics in cloud computing, with applications in tackling cybercrime.

While he was a graduate student at UMBC, Dykstra worked full-time at the National Security Agency, where he remains a cybersecurity researcher, but for his dissertation took a fresh path and selected an area of research very different from his projects at the agency. Dykstra worked in UMBC’s Cyber Defense Lab with Alan Sherman, professor of computer science and electrical engineering, and studied how crimes using computers are tracked through information stored on the computers themselves and in email accounts.

To determine whether and how a crime occurred, Dykstra explains, a law enforcement official may need to extract data from a phone or computer using a third-party vendor. He looked at whether law enforcement could trust that the data they are having analyzed has not been manipulated. The legal and trust issues associated with accessing such data, and the technical and legal challenges associated with information stored on electronics, formed the central focus of Dykstra’s graduate work.

Reflecting on his PECASE award, Dykstra shares, “I didn’t know when I was doing the work at UMBC that it was a possibility” to receive this kind of recognition. He hopes his achievement offers encouragement for students currently working through their dissertations, tackling challenging research questions. “It’s helpful for students to see people who have done work like this,” he says.

The PECASE is one of the highest honors the federal government can bestow on early-stage science and engineering researchers. PECASE award recipients are presented with their awards during a ceremony at the White House, which will be held in the coming months.

Other recent PECASE recipients from UMBC include Kafui Dzirasa ‘01, chemical engineering, now an assistant professor of psychiatry and behavioral sciences at Duke University, who received the award in spring 2016, and Justin Jacobs ‘14 Ph.D., statistics, who was recognized in spring 2014.

Adapted from a UMBC News post. Header image by Geoff Livingston, CC by 2.0.  

talk: Securing Networks by Detecting Logical Flaws in Protocol Implementations

Securing Networks by Detecting Logical Flaws in Protocol Implementations

Dr. Endadul Hoque
Postdoctoral Research Associate, Northeastern University

12:00pm Wednesday, 22 February 2017, ITE 325b, UMBC

Implementations of network protocols are integral components of various networked computing systems, spanning from Internet-of-Things (IoT) to enormous data centers. Research efforts to defend these implementations by introducing new designs for security and advocating best practices in secure programming are not always feasible, nor effective. Even rigorous analysis of the design of a protocol is not sufficient, as indicated by the frequent reports of bugs discovered in protocol implementations after deployment. Hence, it is crucial to develop automated techniques and tools to help programmers detect logical flaws in actual implementations of protocols.

In this talk, I will first present an automated compliance checker to analyze operational behavior of a protocol implementation for detecting semantic bugs, which cause the implementation to fail to comply with its specifications. Next, I will present an automated testing tool to analyze robustness of a protocol implementation against malicious attacks mounted to degrade its runtime performance (e.g., throughput). Finally, I will conclude with several directions for future research to aid the development of secure networked systems.

Endadul Hoque is a Postdoctoral Research Associate in the College of Computer and Information Science at Northeastern University. He received his PhD in Computer Science from Purdue University in 2015. His research revolves around practical cybersecurity problems in the networking domain. His current research focuses on leveraging program analysis and formal verification techniques to create automated analysis tools for ensuring secure and reliable operations of networked systems. During his PhD, he received the Graduate Teaching Fellowship award in 2014 and the Bilsland Dissertation Fellowship award in 2015. His research on automated adversarial testing has also been integrated into course curriculum at Purdue University for teaching secure distributed systems programming.

talk: Cybersecurity and Cellular Technology, 6pm 2/23 Shady Grove

UMBC Cybersecurity Program Cyber Talk

Cybersecurity and Cellular Technology

Joshua Franklin

6:00-8:00pm Thursday, 23 February 2017

The Universities at Shady Grove
Building III (Camille Kendall Academic Center) Room 3241
9636 Gudelsky Drive, Rockville, MD 20850

The UMBC Cybersecurity Program is proud to bring you Cyber Talk, a new speaker series that highlights special topics in Cybersecurity. Join us at The Universities at Shady Grove (USG) for an informative and engaging discussion on the operation of cellular networks and the threats posed to mobile technology. Participants will have the opportunity to ask questions and hear about the latest trends in industry.

Cellular technology plays an increasingly large role in society as it has become the primary portal to the internet for a large segment of the population. One of the main drivers making this change possible is the deployment of modern 4G LTE cellular technologies. This talk serves as a guide to the fundamentals of how cellular networks operate and explores the evolution of 2G GSM, 3G UMTS and 4G cellular security architectures. This is followed by an analysis of the threats posed to cellular networks and supporting mitigations. Although the talk discusses older GSM and UMTS technologies, it is heavily focused on LTE.

Joshua Franklin is a Security Engineer at the National Institute of Standards and Technology (NIST) focusing on cellular security, electronic voting, and public safety. Prior to NIST, Joshua worked at the U.S. Election Assistance Commission gathering extensive experience with voting technologies. After graduating from Kennesaw State University with a Bachelor of Science in Information Systems, he received a Master of Science in Information Security and Assurance from George Mason University.

talk: Accountability and Data Privacy in the Life Cycle of Big Data

Towards End-to-End Security and Privacy: Accountability
and Data Privacy in the Life Cycle of Big Data

Taeho Jung
Department of Computer Science
Illinois Institute of Technology

11:00am Tuesday, 14 February 2017, ITE 325b, UMBC

The advent of big data has given birth to numerous innovative life-enhancing applications, but big data is often called a double-edged sword due to the increased privacy and security threats. Such threats, if unaddressed, will become deadly barriers to the achievement of big opportunities and success anticipated in the big data industry because they may arise at any part of the life cycle of the big data.

In this talk, I will describe my research which addressed various privacy and security issues in the big data life cycle: acquisition, storage, provisioning, and consumption. More specifically, I will briefly present how various types of data can be protected in their acquisition and consumption phases of the life cycle, and subsequently, I will introduce the theoretic foundations of the presented research. Finally, I will present how to make large-scale data trading accountable against dishonest users for the provisioning phase of big data, and this talk will be concluded with my future research agenda briefing.

Taeho Jung is a Ph.D. candidate in Computer Science at Illinois Institute of Technology. His research area, in general, includes privacy and security issues in data mining and provisioning in the big data life cycle. His paper has won a best paper award (IEEE IPCCC 2014), and two of his papers were selected as best paper candidate (ACM MobiHoc 2014) and best paper award runner-up (BigCom 2015), respectively. He has served many international conferences as a TPC member, including IEEE DCOSS 2016, IEEE MSN 2016, IEEE IPCCC 2016, and BigCom 2016. He received his B.E. in Computer Software from Tsinghua University in 2011, and he will receive his Ph.D. in May 2017.

UMBC’s Cyber Scholars program stands out as a national model in “Diverse”

 

At a time when just 12 percent of information security analysts are black, Hispanic or Asian, and only 20 percent of information security analysts are women, successful student support programs like UMBC’s Cyber Scholars are poised to make a major impact on the field, suggests a new article in Diverse: Issues in Higher Education. The article focuses on this UMBC program as a model for increasing diversity in cyber-related fields through supporting the success of women and underrepresented minority students in cybersecurity, including providing them with opportunities to expand their professional networks.

The UMBC Cyber Scholars program currently includes 40 scholars and 10 associates, and over 97 percent of the scholars and associates in the program have graduated in their intended major, or are pursuing degrees in computer science, computer engineering or information systems, said Cindy Greenwood, assistant director of the program. Of those participating students, 53 percent are women and 40 percent are underrepresented minorities, in stark contrast to national averages for information security professions.

The Cyber Scholars program stands out in higher education because of the variety of elements offered to students, explained Anupam Joshi, professor and chair of computer science and electrical engineering, and director of the Center for Cybersecurity at UMBC. “Many other programs only focus on imparting technology training in cybersecurity,” he said. “Our program is part of formal degree requirements in computer science, computer engineering and information systems” and students can take a broad range of elective courses, which, Joshi noted, “mix instruction in the theory with hands-on projects.”

Each week, Joshi explained, the students in the Cyber Scholars program hear from industry leaders and government officials on topics such as professional development and technical aspects of the field. “They also conduct peer-led workshops in cybersecurity and work with faculty in research labs,” he added. “They are encouraged to do internships in the industry multiple times and get security clearances in the process.”

Alejandra Diaz ‘17, computer science, has been involved with the Cyber Scholars program since she was a freshman at UMBC, and described how the program has helped her grow and access new opportunities. After she met with UMBC President Freeman Hrabowski and Wes Bush, CEO of Northrop Grumman, Diaz interviewed for an internship with Northrop Grumman. Diaz has now interned twice with Northrop Grumman and plans to return to the company before pursuing her master’s degree.

 

Alejandra Diaz, left, with fellow Cyber Scholars. Photo by Marlayna Demond ’11 for UMBC.

Read “Programs Aim to Open Doors to Diversity in Cybersecurity” in Diverse: Issues in Higher Education.

Adapted from UMBC News; Header Image: The ITE building at UMBC. Photo by Marlayna Demond ’11 for UMBC.

CSEE faculty on securing the president’s smartphone and avoiding “cyber-fatigue”

Professor Anupam Joshi, chair of the CSEE Department and director of the UMBC Center for Cybersecurity

With a new administration in the White House, securing the president’s smartphone is a national security priority, but exactly what steps are taken to secure the phone are not made public. In a new article in The Conversation, Anupam Joshi, professor and chair of computer science and electrical engineering, and director of the Center for Cybersecurity at UMBC, discusses several likely ways President Trump’s security team is building protections into his phone, through everything from hardware to settings to app restrictions.

Limiting the number of people who have the president’s new phone number and keeping the unique International Mobile Equipment Identity number guarded can prevent potential attackers from accessing confidential information stored on the phone. This method is called “security by obscurity,” says Joshi.

Joshi also says the device Trump will use was likely made by a trusted manufacturer with carefully created and checked parts, explaining that this minimizes the “risk that the hardware would have any vulnerabilities that an attacker could exploit.”

Customizing the operating system and allowing the phone to connect only with predetermined networks that are regularly monitored can also help protect against attacks, says Joshi. “Limiting its contact with the internet would, of course, be key,” he notes, “though that would also significantly limit the phone’s usefulness to a president whose routine involves constant connection.” Joshi says that limiting the number of apps on the phone, reducing the ability for additional apps to be downloaded and installed, and disabling automatic updates to the phone could keep the device even more secure.

While it is not certain which methods have been employed to secure the presidential smartphone, Joshi says that Trump trading in his commercial-grade phone for a government-secured device is an important first step in protecting the U.S. from hacks and attacks.

In another article in The Conversation, Rick Forno, assistant director of the UMBC Center for Cybersecurity and director of the Cybersecurity Graduate Program at UMBC, addresses the importance of addressing both short-term and long-term cybersecurity issues. He explains that ignoring underlying problems and only addressing small, attention-grabbing issues does not lead to lasting progress. “Cyber-fatigue,” explains Forno, is an “inability to think critically about what needs to happen for meaningful, lasting cybersecurity improvements while focusing only on near-term problems.”

He says that while it is important to evaluate the benefits, conveniences and savings that new products and services may offer, the potential risks and problems should be considered, too. “So instead of repeating the same guidelines and recommendations of the past, it’s time to take a new and unconventional look at our approach to technology and how we secure it,” Forno explains. “Unless we’re willing to go beyond our traditional cybersecurity ‘comfort zone’ and explore new solutions, our cyber-fatigue will worsen.”

Read “How to secure a smartphone for the tweeter-in-chief” and “Overcoming ‘cyber-fatigue’ requires users to step up for security” in The Conversation. Joshi’s piece also appeared in Mashable and Channel NewsAsia, and together the articles have already been read over 36,000 times.

Adapted from UMBC News, photo by Marlayna Demond ’11 for UMBC.

Talk: Lexumo Continuous Open Source Code Security

 The UMBC Cyber Defense Lab presents

Lexumo Tech Talk: Continuous Open Source Code Security

Dr. Richard T. Carback III
Lexumo, Inc.

11:15am Friday, 16 December 2016, ITE 237, UMBC

Lexumo is a startup that provides the only automated service that continuously monitors IoT software platforms for the latest public vulnerabilities. Funded in January of 2016 with $4.89M, Lexumo was recently named by NetworkWorld as a 2016 IoT Company to watch. Join us as UMBC alumnus and Lexumo co-founder Richard Carback discusses some of the hard problems and their technical approaches to monitor all the world’s open source software and assist companies in managing their vulnerabilities. The talk will be followed by an open Q&A session.

Richard T. Carback III is a UMBC Alumnus (CS PhD, 2010) and co-founder of Lexumo. Before Lexumo, Richard led the embedded systems security group at Charles Stark Draper Laboratories and was previously the Chief Scientist at Convergent Technologies, Inc. At UMBC, he worked with Alan Sherman on Scantegrity, a practical end-to-end voter verifiable election system.

Host: Alan T. Sherman

The UMBC Cyber Defense Lab (CDL) meets biweekly Fridays 11:15am-12:30pm in ITE 229, for research talks about cybersecurity.

Attacking and Defending the Automotive CAN Bus

MS Thesis Defense

Attacking and Defending the Automotive CAN Bus

Jackson Schmandt

12:30pm Thursday, 8 December, 2016, ITE 325b, UMBC

The scope and complexity of Automotive Computer Networks have grown drastically in the last decade. Once present only in high end vehicles, multi-use infotainment systems are now included in base models of some economy vehicles. Frequently connected to drivetrain components, these systems bring out multiple network access points, many of which are wireless. This unprecedented access has led to several high-profile exploits from both white-hat hackers and criminals. Although industry members are working toward long-term solutions, current systems suffer from inadequate protocol security and a lack of common-sense design practices. To address the security problem in the short term, this thesis describes a flexible Message Authentication Code that can be retrofitted with software only, as well as implementations on microcontrollers, an FPGA and an ASIC design. This work shows that on current embedded controllers, message authentication tags can be generated or verified in under 400 microseconds and in under 10 microseconds on a special-purpose ASIC.

Committee Members: Drs. Nilanjan Banerjee (chair), Alan Sherman (co-chair) and Anupam Joshi

UMBC cybersecurity instructor selected for prestigious Brookings Legis Congressional Fellows Program

Diana Parr, adjunct instructor in UMBC’s Cybersecurity Graduate Program, has been selected to participate in the highly competitive Brookings Legis Congressional Fellows Program. The year-long program allows professionals in the public and private sectors to work on Capitol Hill alongside individual members of the U.S. Congress or on a congressional committee to understand the policy-making side of government.

“I am most excited about the opportunity to work for a member of Congress and to learn how the legislative process flows. It will be a huge time for change on Capitol Hill—a new president and many newly elected officials. I would like to bring my technical knowledge to the Hill as those new officials discuss legislation relating to cybersecurity,” she said.

In addition to her role at UMBC, Parr is a cybersecurity technical leader for the National Security Agency. She anticipates that her work in Congress will focus on cybersecurity education.

“There are many opportunities for new legislation this year to make our nation stronger and safer,” Parr said. “My biggest hope is to build awareness of the need to grow educational opportunities for young people, especially young women, in the growing field of cybersecurity.”

More information about the Brookings Legis Congressional Fellows Program can be found on the Brookings Institution website.

Republished from UMBC News, header image by Robert Lyle Bolton (CC by 2.0), headshot by Marlayna Demond ’11 for UMBC.
