Attacks on Smart Cards, RFIDs and Embedded Systems

Prof. Keith Mayes
Royal Holloway University of London

10-11:00am Tuesday, 10 October 2017, ITE 325, UMBC

Smart Cards and RFIDs exist with a range of capabilities and are used in their billions throughout the world. The simpler devices have poor security, however, for many years, high-end smart cards have successfully been used in a range of systems such as banking, passports, mobile communication, satellite TV etc. Fundamental to their success is a specialist design to offer remarkable resistance to a wide range of attacks, including physical, side-channel and fault. This talk describes a range of known attacks and the countermeasures that are employed to defeat them.

Prof. Keith Mayes is the Head of the School of Mathematics and Information Security at Royal Holloway University of London. He received his BSc (Hons) in Electronic Engineering in 1983 from the University of Bath, and his PhD degree in Digital Image Processing in 1987. He is an active researcher/author with 100+ publications in numerous conferences, books and journals. His interests include the design of secure protocols, communications architectures and security tokens as well as associated attacks/countermeasures. He is a Fellow of the Institution of Engineering and Technology, a Founder Associate Member of the Institute of Information Security Professionals, a Member of the Licensing Executives Society and a member of the editorial board of the Journal of Theoretical and Applied Electronic Commerce Research (JTAER).

The post talk: Keith Mayes on Attacks on Smart Cards, RFIDs and Embedded System appeared first on Department of Computer Science and Electrical Engineering.

CHMPR Distinguished Lecture Series

Predictability and Prediction of Asian Summer Monsoon

Dr. Jagadish Shukla, George Mason University

2:30pm Tuesday, October 10, 2017, ITE 325, UMBC
Coffee & Tea at 2:00pm

The chaotic nature of the atmosphere puts an upper limit of about two weeks for deterministic prediction of weather. Yet, there is evidence for predictability in the midst of chaos. Societally beneficial dynamical seasonal predictions of short-term climate variations are routinely being made by modeling the interactions among atmosphere, ocean, and land processes. The first part of the seminar will review the evolution of our field from weather prediction to climate prediction.

The second part of the seminar will describe the results for prediction of Asian Summer Monsoons. It will be shown that after 50 years of climate modeling, the fidelity of climate models has improved so that it is possible to produce a skillful prediction of Asian Summer Monsoon rainfall. The seminar will give a historical overview of monsoon forecasting and will present the results of re-forecasting summer monsoon rainfall in the past 57 years (1958-2014) using the NCEP Climate Forecast System. It will be shown that if the modern day coupled climate models were available during the 1970’s, even with the limited ocean observations at that time, it should have been possible to predict the 1972-73 ENSO event and the associated severe monsoon drought over India. Finally, the prospects and future challenges for skillful dynamical seasonal prediction will be described.

J. Shukla was born in 1944 in a small village (Mirdha) in the Ballia district of Uttar Pradesh, India. This village had no electricity, no roads or transportation, and no primary school building. Most of his primary school education was received under a large banyan tree. He passed from the S.R.S. High School, Sheopur, in the first class with distinction in Mathematics and Sanskrit. He was unable to study science in high school because none of the schools near his village included science education. His father, the late Shri Chandra Shekhar Shukla, asked him to read all the science books for classes 6 through 10 during the summer before he was admitted to the S.C. College, Ballia, to study science. After passing the twelfth grade from S.C. College, he went to Banaras Hindu University (B.H.U.) where, at the age of 18, he passed BS (honors) with Physics, Mathematics, and Geology in the first class and then earned the MS in Geophysics in the first class in 1964. He received Ph.D. in Geophysics from BHU in 1971 and ScD in Meteorology from MIT in 1976

The post talk: Shukla on Predictability and Prediction of Asian Summer Monsoon, 2pm Tue 10/10 appeared first on Department of Computer Science and Electrical Engineering.

HackUMBC hackathon, Saturday-Sunday 7-8 October 2017

HackUMBC is a 24-hour tech innovation marathon where students across the East Coast collaborate on new ideas to build mobile, web and hardware projects. HackUMBC invites diverse groups of students, undergraduate, graduate and high school students over 18, to enjoy a weekend of hacking, workshops, tech talks, networking, and other fun activities. At the end of 24 hours, projects are presented and judged for different prize categories from sponsors and other organizations.

What if I don’t have a team or an idea?: No problem! You can find a team once you arrive. Most hackers arrive without a team. You will often find inspiration for ideas at the hackathon.

What if I don’t code?: This is the perfect opportunity to learn something new! There will be workshops geared towards beginners and mentors to help you throughout the event.

What can I build?: Anything! Web, mobile, desktop, and hardware projects are all welcome. Projects will be judged based on creativity, technical difficulty, polish, and usefulness.

Will there be hardware? HackUMBC has partnered with MLH to provide hardware hacking resources to all hackers. Check out the full list of hardware.

How much does it cost? HackUMBC is free! Food, beverages, swag, workspaces, and sleeping areas will be provided. You just have to travel to the event and we will take care of the rest!

The event starts in Meyerhoff 030 at 10:00am on Saturday, October 7 and ends at 3:30pm on Sunday, October 8. Visit the HackUMBC site for complete details and to register.

The post HackUMBC hackathon, Saturday-Sunday 7-8 October 2017 appeared first on Department of Computer Science and Electrical Engineering.

Lecture by James Clapper, former US Director of Intelligence, 12-1pm Fri. Oct. 6 at UMBC

James R. Clapper, former US Director of Intelligence, will give a public lecture on Friday, 6 October 2017 in the lecture hall (room 132) of the Performing Arts & Humanities Building at UMBC.

The Honorable James R. Clapper served as the fourth US Director of Intelligence from August 9, 2010 to January 20, 2017. In this position, Mr. Clapper led the United States Intelligence Community and served as the principal intelligence advisor to President Barack Obama.

Mr. Clapper retired in 1995 after a distinguished career in the U.S. Armed Forces. His career began in 1961 when he enlisted in the U.S. Marine Corps Reserve and culminated as a lieutenant general in the U.S. Air Force and Director of the Defense Intelligence Agency. His intelligence-related positions over his 32 years in uniform included Assistant Chief of Staff for Intelligence at Headquarters, US Air Force during Operations Desert Shield/Desert Storm, and Director of Intelligence for three combatant commands: US Forces, Korea; Pacific Command, and Strategic Air Command. He served two combat tours during the Southeast Asia conflict, and flew 73 combat support missions in EC-47’s over Laos and Cambodia.

Directly following his retirement, Mr. Clapper worked in industry for six years as an executive in three successive companies with the Intelligence Community as his business focus. He also served as a consultant and advisor to Congress and to the Departments of Defense and Energy, and as a member of a variety of government panels, boards, commissions, and advisory groups. He was a senior member of the Downing Assessment Task Force which investigated the Khobar Towers bombing in 1996, was vice chairman of a commission chaired by former Governor Jim Gilmore of Virginia on the subject of homeland security, and served on the NSA Advisory Board.

Mr. Clapper returned to the government two days after 9/11 as the first civilian director of the National Imagery and Mapping Agency (NIMA). He served in this capacity for almost five years, transforming it into the National Geospatial-Intelligence Agency (NGA) as it is today.

Prior to becoming the Director of National Intelligence, Mr. Clapper served for over the three years in two Administrations as the Under Secretary of Defense for Intelligence, where he served as the principal staff assistant and advisor to the Secretary and Deputy Secretary on intelligence, counterintelligence, and security matters for the Department. In this capacity, he was also dual-hatted as the Director of Defense Intelligence for the DNI.

Mr. Clapper earned a bachelor’s degree in government and politics from the University of Maryland, a master’s degree in political science from St. Mary’s University, San Antonio, Texas, and an honorary doctorate in strategic intelligence form the then Joint Military Intelligence College.

His awards include three National Intelligence Distinguished Service Medals, two Defense Distinguished Service Medals, the Air Force Distinguished Service Medal, the Coast Guard’s Distinguished Public Service Award, three Department of Defense Distinguished Civilian Service Awards, the Presidentially-conferred National Security Medal, and many other U.S. civilian and military, as well as foreign government awards and decorations.

He is married to the former Susan Terry, and they have two grown children and four grandchildren

The post talk: James R. Clapper, former US Director of Intelligence, 12-1pm Fri. Oct 6, 132 PAHB, UMBC appeared first on Department of Computer Science and Electrical Engineering.

Equifax breach is a reminder of society’s larger cybersecurity problems

Richard Forno, University of Maryland, Baltimore County

The Equifax data breach was yet another cybersecurity incident involving the theft of significant personal data from a large company. Moreover, it is another reminder that the modern world depends on critical systems, networks and data repositories that are not as secure as they should be. And it signals that these data breaches will continue until society as a whole (industry, government and individual users) is able to objectively assess and improve cybersecurity procedures.

Although this specific incident is still under investigation, the fact that breaches like this have been happening – and getting bigger – for more than a decade provides cybersecurity researchers another opportunity to examine why these events keep happening. Unfortunately, there is plenty of responsibility for everyone.

Several major problems need to be addressed before people can live in a truly secure society: For example, companies must find and hire the right people to actually solve the overall problems and think innovatively rather than just fixing the day-to-day issues. Companies must be made to get serious about cybersecurity – at a time when many firms have financial incentives not to, also. Until then, major breaches will keep happening and may get even worse.

Finding the right people

Data breaches are commonplace now, and have widespread effects. The Equifax breach affected more than 143 million people – far more than than the 110 million victims in 2013 at Target, the 45 million TJX customers hit in 2007, and significantly more than the 20 million or so current and former government employees in the 2015 U.S. Office of Personnel Management incident. Yahoo’s 2016 loss of user records, with a purported one billion victims, likely holds the dubious record for most victims in a single incident.

In part, cybersecurity incidents happen because of how companies – and governments – staff their cybersecurity operations. Often, they try to save money by outsourcing information technology management, including security. That means much of the insight and knowledge about how networks and computer systems work isn’t held by people who work for the company itself. In some cases, outsourcing such services might save money in the short term but also create a lack of institutional knowledge about how the company functions in the long term.

Generally speaking, key cybersecurity functions should be assigned to in-house staff, not outside contractors – and who those people are also matters a lot. In my experience, corporate recruiters often focus on identifying candidates by examining their formal education and training along with prior related work experience – automated resume scanning makes that quite easy. However, cybersecurity involves both technical skills and a fair amount of creative thinking that’s not easily found on resumes.

Moreover, the presence (or absence) of a specific college degree or industry certification alone is not necessarily the best indicator of who will be a talented cybersecurity professional. In the late 1990s, the best technical security expert on my team was fresh out of college with a degree in forest science – as a self-taught geek, he had not only the personal drive to constantly learn new things and network with others but also the necessary and often unconventional mindset needed to turn his cybersecurity hobby into a productive career. Without a doubt, there are many others like him also navigating successful careers in cybersecurity.

Certainly, people need technical skills to perform the basic functions of their jobs – such as promptly patching known vulnerabilities, changing default passwords on critical systems before starting to use them and regularly reviewing security procedures to ensure they’re strong and up to date. Knowing not to direct panicked victims of your security incident to a fraudulent site is helpful, too.

But to be most effective over the long term, workers need to understand more than specific products, services and techniques. After all, people who understand the context of cybersecurity – like communicating with the public, managing people and processes, and modeling threats and risks – can come from well beyond the computing disciplines.

Being ready for action

Without the right people offering guidance to government officials, corporate leaders and the public, a problem I call “cyber-complacency” can arise. This remains a danger even though cybersecurity has been a major national and corporate concern since the Clinton administration of the 1990s.

One element of this problem is the so-called “cyber insurance” market. Companies can purchase insurance policies to cover the costs of response to, and recovery from, security incidents like data breaches. Equifax’s policy, for example, is reportedly more than US$100 million; Sony Pictures Entertainment had in place a $60 million policy to help cover expenses after its 2014 breach.

This sort of business arrangement – simply transferring the financial risk from one company to another – doesn’t solve any underlying security problems. And since it leaves behind only the risk of some bad publicity, the company’s sense of urgency about proactively fixing problems might be reduced. In addition, it doesn’t address the harm to individual people – such as those whose entire financial histories Equifax stored – when security incidents happen.

Cybersecurity problems do not have to be just another risk people accept about using the internet. But these problems are not solved by another national plan or government program or public grumbling about following decades-old basic cybersecurity guidelines.

Rather, the technology industry must not cut corners when designing new products and administering systems: Effective security guidelines and practices – such as controlling access to shared resources and not making passwords impossible to change in our “internet of things” devices – must become fundamental parts of the product design process, too. And, cybersecurity professionals must use public venues and conferences to drive innovative thinking and action that can help fundamentally fix our persistent cybersecurity woes and not simply sell more products and services.

Making vulnerability unprofitable

Many companies, governments and regular people still don’t follow basic cybersecurity practices that have been identified for decades. So it’s not surprising to learn that in 2015, intelligence agencies were exploiting security weaknesses that had been predicted in the 1970s. Presumably, criminal groups and other online attackers were, too.

Therefore, it’s understandable that commercialism will arise – as both an opportunity and a risk. At present, when cybersecurity problems happen, many companies start offering purported solutions: One industry colleague called this the computer equivalent of “ambulance chasing.” For instance, less than 36 hours after the Equifax breach was made public, the company’s competitors and other firms increased their advertising of security and identity protection services. But those companies may not be secure themselves.

There are definitely some products and services – like identity theft monitoring – that, when properly implemented, can help provide consumers with reassurance when problems occur. But when companies discover that they can make more money selling to customers whose security is violated rather than spending money to keep data safe, they realize that it’s profitable to remain vulnerable.

With credit-reporting companies like Equifax, the problem is even more amplified. Consumers didn’t ask for their data to be vacuumed up, but they are faced with bearing the consequences and the costs now that the data have gotten loose. (And remember, the company has that insurance policy to limit its costs.)

Government regulators have an important role to play here. Companies like Equifax often lobby lawmakers to reduce or eliminate requirements for data security and other protections, seek to be exempted from liability from potential lawsuits if they minimally comply with the rules and may even try to trick consumers into giving up their rights to sue. Proper oversight would protect customers from these corporate harms.

Making a commitment

I’ve argued in the past that companies and government organizations that hold critical or sensitive information should be willing to spend money and staff time to ensure the security and integrity of their data and systems. If they fail, they are really the ones to blame for the incident – not the attackers.

A National Institute of Standards and Technology researcher exemplified this principle when he recently spoke up to admit that the complex password requirements he helped design years ago don’t actually improve security very much. Put another way, when the situation changes, or new facts emerge, we must be willing to change as necessary with them.

Many of these problems indeed are preventable. But that’s true only if the cybersecurity industry, and society as a whole, follows the lead of that NIST researcher. We all must take a realistic look at the state of cybersecurity, admit the mistakes that have happened and change our thinking for the better. Only then can anyone – much less everyone – take on the task of devoting time, money and personnel to making the necessary changes for meaningful security improvements. It will take a long time, and will require inconvenience and hard work. But it’s the only way forward.

Richard Forno, Senior Lecturer, Cybersecurity & Internet Researcher, University of Maryland, Baltimore County

This article was originally published on The Conversation. Read the original article.

The post Equifax breach is a reminder of society’s larger cybersecurity problems appeared first on Department of Computer Science and Electrical Engineering.

UMBC Cyber Defense Lab

Tech Talk with the Defense Information Systems Agency (DISA)

James Curry

Lead Engineer – Cyber Security Range
IDC – Cyber Workforce Development Division
Defense Information Systems Agency (DISA)

12:00–1:00pm, Friday, 22 September 2017, ITE 228, UMBC

A broad reaching brief on some of the technical aspects of DISA’s role as a combat support agency within the Department of Defense. Topics will include Scalability and the challenges of Big Data Analytics, Interoperability of systems, Visualization, Incident Response and Digital Forensics, Challenges with Classification Guidance, Supply Chain Risk Management, and Software Defined Networks/Infrastructure as a Service. Attendees are highly encouraged to ask questions.

James Curry is DISA’s Lead Engineer for the Cyber Security Range (CSR), which is chartered to develop and host a realistic DoD Information Network (DODIN) environment for Training, Testing, or Exercises. In this position, he has designed and built fully virtual implementations of DISA’s Internet Access Points (IAPs) and its Joint Regional Security Stack (JRSS), enabling the DoD Workforce to train in an IaaS on-demand environment that realistically matches DISA’s core infrastructure. He is a Scholarship for Service (SFS) recipient (2008-2009) and received his Masters and Bachelors of Science in Computer Science from New Mexico Tech. Email: *protected email*

Host: Alan T. Sherman, *protected email*

The UMBC Cyber Defense Lab meets biweekly Fridays. All meetings are open to the public.

The post Talk: Role of the Defense Information Systems Agency, 12p Fri 9/22 appeared first on Department of Computer Science and Electrical Engineering.

HackUMBC hackathon, Saturday-Sunday 7-8 October 2017

HackUMBC is a 24-hour tech innovation marathon where students across the East Coast collaborate on new ideas to build mobile, web and hardware projects. HackUMBC invites diverse groups of students to enjoy a weekend of hacking, workshops, tech talks, networking, and other fun activities. At the end of 24 hours, projects are presented and judged for different prize categories from sponsors and other organizations.

The event takes place on Saturday and Sunday, October 7-8 at several locations on the UMBC campus. Visit the HackUMBC site for complete details and to register.

The post HackUMBC hackathon, Saturday-Sunday 7-8 October 2017 appeared first on Department of Computer Science and Electrical Engineering.