Categories: News, Publication

New SPLICE paper on Engaging Underrepresented Students in Cybersecurity

To increase minority students’ participation in cyber fields, particularly that of African Americans, STEM engineering education requires a new approach to student learning. Students learn best when they are actively involved in the learning process. The concept of gamification is an emerging alternative approach that adds game elements to traditional instruction, engaging students in learning engineering concepts. In recent years, capture-the-flag competitions have emerged as a gamification approach to training and building students’ interest in cybersecurity.

During the spring 2019 academic term, a team of students from the Electrical and Computer Engineering department of Morgan State University participated in an embedded capture-the-flag (eCTF) competition organized by MITRE. The eCTF was also offered as a graduate course in the department. This graduate course included a cohort of minority students who had been exposed to fundamental concepts regarding secure embedded systems. We found that the eCTF allowed students to work in teams, develop critical thinking skills, and address complex technical issues associated with real-world applications, and that it motivated continued learning and increased research productivity after the course ended. This paper aims to describe the design and implementation of the eCTF competition in the graduate course and summarize the successes and the barriers that impact the engagement of minority students in cybersecurity.

To read more, check out the full paper here. To see other SPLICE publications, check out our Zotero page here.

Michel A. Kornegay, Md Tanvir Arafin, and Kevin Kornegay. Engaging Underrepresented Students in Cybersecurity using Capture-the-Flag (CTF) Competitions (Experience). 2021 ASEE Virtual Annual Conference Content Access, Virtual Conference. July 2021. https://peer.asee.org/37048

Categories: News, Publication

New SPLICE paper on Security and Privacy Attitudes

Many studies of mobile security and privacy are, for simplicity, limited to either only Android users or only iOS users. However, it is not clear whether there are systematic differences in the privacy and security knowledge or preferences of users who select these two platforms. Understanding these differences could provide important context about the generalizability of research results. This paper reports on a survey (n=493) with a demographically diverse sample of U.S. Android and iOS users. We compare users of these platforms using validated privacy and security scales (IUIPC-8 and SA-6) as well as previously deployed attitudinal and knowledge questions from the Pew Research Center. As a secondary analysis, we also investigate potential differences among users of different smart-speaker platforms, including Amazon Echo and Google Home. We find no significant differences in privacy attitudes of different platform users, but we do find that Android users have more technology knowledge than iOS users. In addition, we find evidence (via comparison with Pew data) that Prolific participants have more technology knowledge than the general U.S. population.

To read more, check out the full paper and presentation from the Symposium on Usable Privacy and Security (SOUPS) 2021 here. To see other SPLICE publications, check out our Zotero page here.

Desiree Abrokwa, Shruti Das, Omer Akgul, and Michelle L. Mazurek. Comparing Security and Privacy Attitudes Among U.S. Users of Different Smartphone and Smart-Speaker Platforms. USENIX Symposium on Usable Privacy and Security (SOUPS) 2021, pages 139-158. USENIX Association, August 2021.

Categories: News, Publication

New SPLICE Paper on Recurring Device Verification

The most common forms of authentication are passwords, potentially used in combination with a second factor such as a hardware token or mobile app (i.e., two-factor authentication). These approaches emphasize a one-time, initial authentication. Recent work has explored how to provide passive, continuous authentication and/or automatic de-authentication by correlating user movements and inputs with actions observed in an application (e.g., a web browser). The issue with indefinite trust goes beyond user authentication; consider devices that pair via Bluetooth.

The increased adoption of IoT devices and reports of the inadequacy of their security make indefinite trust of devices problematic. The reality of ubiquitous connectivity and frequent mobility gives rise to a myriad of opportunities for devices to be compromised. Thus, we argue that one-time, single-factor, device-to-device authentication (i.e., an initial pairing) is not enough, and that there must exist some mechanism to frequently (re-)verify the authenticity of devices and their connections.

In this paper we propose a device-to-device recurring authentication scheme – Verification of Interaction Authenticity (VIA) – that is based on evaluating characteristics of the communications (interactions) between devices. We adapt techniques from wireless traffic analysis and intrusion detection systems to develop behavioral models that capture typical, authentic device interactions (behavior); these models enable recurring verification of device behavior. 

To read more, check out the paper here.

Travis Peters, Timothy J. Pierson, Sougata Sen, José Camacho, and David Kotz. Recurring Verification of Interaction Authenticity Within Bluetooth Networks. Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2021), pages 192–203. ACM, June 2021. doi:10.1145/3448300.3468287.

Categories: News, Publication

Landau’s book on contact-tracing apps published

The term “contact tracing” has recently grown in public prominence. Articles, news reports, and Google searches surrounding the phrase have skyrocketed since the start of the pandemic. As Susan Landau explains in her recently published book People Count: Contact-Tracing Apps and Public Health, “Ending a plague requires more than medication; we need to stop spread.” And for that, contact tracing—test patients, trace their contacts, and have them isolate—is key. But how do you do so with a disease that spreads as quickly as Covid-19 does, with people contagious before they are even aware they are ill?

The pervasiveness of smartphones has led to the deployment of mobile applications designed to aid in the contact-tracing process. In her book, Landau explains how the technologies work, how they can be designed to protect privacy, and what the complex interplay between technology, social needs, and medicine looks like. Landau highlights the need for technical solutions to be created with the guidance of social scientists and public health experts.

To get a copy of Landau’s book, check out the MIT Press’s website. To learn about Landau’s work at the intersection of technology and society with regard to the SPLICE project, check out the rest of this website.

Susan Landau: SPLICE PI at Tufts University and author of People Count: Contact-Tracing Apps and Public Health

Categories: News, Patents, Publication

New SPLICE Patent

The SPLICE team is pleased to announce one new patent derived from research conducted by SPLICE Principal Investigator Kevin Kornegay and Professor Willie Thompson, both from Morgan State University. The patent describes a data traffic module supporting the attestation and secure boot operations of IoT devices and legacy computing devices, and providing tamper resistance to such devices. 

Kevin Kornegay and Willie Lee Thompson II. Decentralized Root-of-Trust Framework for Heterogeneous Networks, November 2020. Morgan State University; USPTO. Download from https://patents.google.com/patent/US20180196945A1/en