Categories
News

Khir Henderson featured in Diversity in Action Fall 2021 Magazine

Khir Henderson, doctoral student at Morgan State University whose work focuses on designing and developing sustainable and scalable architectures to help protect some of the major security vulnerabilities in our nation’s critical infrastructures, was recently featured in the Fall 2021 edition of Diversity in Action.

Khir’s work on the SPLICE team includes investigating hardware and software implementations of hardware-based security used to establish the ‘root of trust’ in IoT devices or systems. He has also lead the development of an IoT device testbed, housed at the CAP Center at Morgan State University, that uses an automated network-security architecture following the Manufacturer Usage Description (MUD) IETF model. Khir has collaborated with researchers at Johns Hopkins University on developing a smart home scanning apparatus that encompasses discovery, fingerprinting, and profiling.

You can find Khir’s feature in the Fall 2021 edition of Diversity in Action here. To stay up-to-date with SPLICE happenings, consider following the SPLICE blog by scrolling to the bottom of this page and entering your email address.

SPLICE Researcher and Doctoral Student, Khir Henderson
Categories
News Publication

New SPLICE paper on Engaging Underrepresented Students in Cybersecurity

To increase minority students’ participation, particularly African Americans in cyber fields, STEM engineering education requires a new approach to student learning. Students learn best when they are actively involved in the learning process. The concept of gamification is an emerging alternative approach that adds game elements to traditional instruction, engaging students in learning engineering concepts. In recent years, capture-the-flag competitions have emerged as a gamification approach to training and building students’ interest in cybersecurity. 

During the spring 2019 academic term, a team of students from the Electrical and Computer Engineering department of Morgan State University participated in an embedded capture-the-flag (eCTF) competition organized by MITRE. The eCTF was also offered as a graduate course in the department. This graduate course included a cohort of minority students who had been exposed to fundamental concepts regarding secure embedded systems. We found that the eCTF allowed students to work in teams, develop critical thinking skills, address complex technical issues associated with real-world applications, and motivated continued learning and increased research productivity after the course ended. This paper aims to describe the design and implementation of the eCTF competition in the graduate course and summarize the successes and the barriers that impact the engagement of minority students in cybersecurity.

To read more, check out the full paper here. To see other SPLICE publications, check out our Zotero page here.

Michel A. Kornegay, Md Tanvir Arafin, and Kevin Kornegay. Engaging Underrepresented Students in Cybersecurity using Capture-the-Flag(CTF) Competitions (Experience). 2021 ASEE Virtual Annual Conference Content Access, Virtual Conference. July 2021. https://peer.asee.org/37048

Categories
News

Webinar on Communications Metadata and User Privacy

Join us for a Zoom webinar, by our very own Dr. Susan Landau, on the topic of Communications Metadata and User Privacy. The link to register and add the event to your calendar can be found on the bottom right corner of the flyer below and is copied here: https://tinyurl.com/52my6sh4

Categories
News Publication

New SPLICE paper on Security and Privacy Attitudes

Many studies of mobile security and privacy are, for simplicity, limited to either only Android users or only iOS users. However, it is not clear whether there are systematic differences in the privacy and security knowledge or preferences of users who select these two platforms. Understanding these differences could provide important context about the generalizability of research results. This paper reports on a survey (n=493) with a demographically diverse sample of U.S. Android and iOS users. We compare users of these platforms using validated privacy and security scales (IUIPC-8 and SA-6) as well as previously deployed attitudinal and knowledge questions from the Pew Research Center. As a secondary analysis, we also investigate potential differences among users of different smart-speaker platforms, including Amazon Echo and Google Home. We find no significant differences in privacy attitudes of different platform users, but we do find that Android users have more technology knowledge than iOS users. In addition, we find evidence (via comparison with Pew data) that Prolific participants have more technology knowledge than the general U.S. population.

To read more, check out the full paper and presentation from the Symposium on Usable Privacy and Security (SOUPS) 2021 here. To see other SPLICE publications, check out our Zotero page here.

Desiree Abrokwa, Shruti Das, Omer Akgul, and Michelle L. Mazurek. Comparing Security and Privacy Attitudes Among U.S. Users of Different Smartphone and Smart-Speaker Platforms. USENIX Symposium on Usable Privacy and Security (SOUPS) 2021, pages 139-158. USENIX Association, August 2021.

Categories
News Publication

New SPLICE Paper on Recurring Device Verification

The most common forms of authentication are passwords, potentially used in combination with a second factor such as a hardware token or mobile app (i.e., two-factor authentication). These approaches emphasize a one-time, initial authentication. Recent work has explored how to provide passive, continuous authentication and/or automatic de-authentication by correlating user movements and inputs with actions observed in an application (e.g., a web browser). The issue with indefinite trust goes beyond user authentication; consider devices that pair via Bluetooth.

The increased adoption of IoT devices and reports of inadequacy of their security makes indefinite trust of devices problematic. The reality of ubiquitous connectivity and frequent mobility gives rise to a myriad of opportunities for devices to be compromised. Thus, we argue that one-time, single-factor, device-to-device authentication (i.e., an initial pairing) is not enough, and that there must exist some mechanism to frequently (re-)verify the authenticity of devices and their connections.

In this paper we propose a device-to-device recurring authentication scheme – Verification of Interaction Authenticity (VIA) – that is based on evaluating characteristics of the communications (interactions) between devices. We adapt techniques from wireless traffic analysis and intrusion detection systems to develop behavioral models that capture typical, authentic device interactions (behavior); these models enable recurring verification of device behavior. 

To read more, check out the paper here.

Travis Peters, Timothy J. Pierson, Sougata Sen, José Camacho, and David Kotz. Recurring Verification of Interaction Authenticity Within Bluetooth Networks. Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2021), pages 192–203. ACM, June 2021. doi:10.1145/3448300.3468287. ©

Categories
News

Morgan State featured on NSA website

If you’re in the market for a new car, you’ve probably noticed two things recently. The first being that almost all new cars today have electronic components for even the most basic of functionalities. The second being that because cars have these functionalities that require semiconductors (small chips “that manage functions like data storage, graphic rendering, and power consumption in electrical devices”), the recent semiconductor shortage is keeping many new cars on the lots.

If you end up buying that new car (or a relatively new, used car), you will be buying both a transportation and data collection system. “The data collected and recorded is quite broad and includes vehicle speed, passenger count, GPS routes, images from backup cameras, and [personally identifiable information] from connected cell phones. This information stays locally on the vehicle forever and in most cases is uploaded to the [original equipment manufacturer]. Those systems also control critical safety items like brakes. If left unprotected both privacy and lives could be at risk,” says Brian Knighton from the National Security Agency.

That’s where Morgan State comes in. Morgan State University Professor and SPLICE PI, Kevin Kornegay, and his team at the Cybersecurity Assurance and Policy (CAP) Center are working with the NSA’s reverse-engineering tool, Ghidra, to mitigate privacy, cybersecurity, malware, and geolocation vulnerabilities. Their work ensures that the electronic systems are supported and protected throughout the lifetime of the vehicle. Follow the links to learn more about the CAP Center and to read about their partnership with the NSA.

Dr. Kevin Kornegay (front) and Aaron Edmond review Ghidra firmware analysis. (Photo courtesy of Morgan State University)

Categories
News Video

David Kotz speaks on Smart Devices

Did you receive a smart device this holiday season, and leave it sitting in the box because you don’t know how to set it up? Or were you one of those savvy shoppers who bought a smart device on clearance after the holiday rush and already have the perfect place to put it in your home?

Either way, SPLICE PI David Kotz has some advice for keeping your information secure and private when using smart devices. Check it what he has to say in the video!

Categories
News Patents Publication

New SPLICE Patent

The SPLICE team is pleased to announce one new patent derived from research conducted by SPLICE Principal Investigator Kevin Kornegay and Professor Willie Thompson, both from Morgan State University. The patent describes a data traffic module supporting the attestation and secure boot operations of IoT devices and legacy computing devices, and providing tamper resistance to such devices. 

Kevin Kornegay and Willie Lee Thompson II. Decentralized Root-of-Trust Framework for Heterogeneous Networks, November 2020. Morgan State University; USPTO. Download from https://patents.google.com/patent/US20180196945A1/en