Network Forensics in Incident Response: Advanced Persistent Threat (APT)
Tuesday, May 14th, 2013 @ 3:00PM
Abstract: The incident response process is well known and well understood in the information security community. The forensics process consists of several important steps that follow a repeatable and common practice using a chain of custody that will stand up to legal scrutiny. These steps apply to both traditional forensics and network forensics, so it is important to understand them. In this paper I especially analyze an APT named DarkComet from the network forensic perspective with network forensics tools. With dynamic analysis, I analyze the network behaviors of the malware by looking at the after-effects of execution in the Cuckoo sandbox. Finally, I compare the results of analyzing with forensics tools in my own virtual environment with those of the analysis performed in the Cuckoo sandbox.
Speaker: Jongsoo Kim is a Graduate Student enrolled in the MSSI Program at the Johns Hopkins University Information Security Institute.
Hall Rm 214
Investigating That Pesky Green Light - A Security Analysis of Apple's Built-In Camera
Friday, May 10th, 2013 @ 11:00AM
Abstract: Apple laptops have a growing market share and all come with a built-in camera. When the camera is recording, there is a green LED that turns on to let you know. The question is: Is this LED under software control, or is there a piece of hardware that ensures the LED is on whenever the camera is on? The interesting thing about these cameras is that when powered up following a shutdown, the host computer uploads the firmware to the camera from a file on the operating system. Could altering this firmware file disable that pesky green light?
Speaker: Matthew Brocker is a Graduate Student enrolled in the MSSI Program at the Johns Hopkins University Information Security Institute.
Hall Rm 214
Finding Algorithmic Bits in a Binary Haystack
Monday, May 6th, 2013 @ 1:30PM
Abstract: A plugin has been developed and tested with two basic approaches: Dynamic Analysis and Static Analysis. The following approaches have been combined together for a final metric calculation and to provide a confidence for finding the most probable algorithm. Dynamic Analysis: Dynamic program analysis is the analysis of computer software that is performed by executing the programs on a real or virtual processor. In our analysis we have compared the two binaries that have code blocks by arbitrarily assigning values to the stack. The changes that these blocks of code perform on the stack are then compared and considered for the next step, i.e., static analysis. Static Analysis: Static analysis is the analysis of computer software performed without actually executing programs. In our case the binary is analyzed against the training data without actually considering the stack changes. The static analysis is based on the Levenshtein Distance, which calculates the number of bytes that differ in two binaries. The static analysis is also done using graph analysis.
Presenters: Balaji Dhamodharaswamy, Graduate Student; Paul D. Martin, Ph.D. Student; Anupam Mehta, Graduate Student.
Faculty Mentor: Dr. Kevin Fairbanks, Cyber Security Research Engineer, Johns Hopkins University Applied Physics Laboratory
An Overview of Functional Encryption
Thursday, May 2nd, 2013 @ 10:30AM
Abstract: Enterprise data is growing at the astounding rate of 70% per year. Companies need to share this data, both internally and externally, to do business, but they simultaneously must protect it from unauthorized access. In this talk, we will overview recent progress in "functional encryption", a new vision of public key encryption that allows encrypted data to be tagged with attributes and then decryption keys to be issued based on policies over these attributes. For instance, a company could grant an employee a key that unlocks all files for "human resources" regarding "college hiring" between March and April. A primary technical challenge in this area was realizing a solution that is collusion-resistant; that is, where Alice with a key for "human resources" from June to July and Bob with a key for "accounts payable" from March to April cannot combine their keys to open files for "human resources" from March to April. We discuss industrial applications of this technology in the cloud storage and mobile space, as well as a $20M effort by the Office of the National Coordinator and NSF to use this technology to secure electronic medical records, some of which is being researched today at Johns Hopkins. We conclude by outlining some of the most exciting open research problems in this area.
This talk is for a general audience; a background in cryptography will be helpful, but not assumed.
Speaker: Dr. Susan Hohenberger is an Associate Research Professor in the Department of Computer Science at Johns Hopkins University. She earned a B.S. in Computer Engineering from The Ohio State University in 2000 and a Ph.D. in Computer Science from the Massachusetts Institute of Technology in 2006, where she was advised by Professor Ronald Rivest (the 'R' in RSA). She has published over thirty original research papers in cryptography and computer security, earning her an NSF CAREER award, a Microsoft Research Faculty Fellowship, and a Google Faculty Research Award. Her research has been covered by BBC News, Slashdot, The Economist and Scientific American.
Hall Rm 214
ScoutVision, Redis, and Interval Trees
Monday, March 4th, 2013 @ 11:30AM
Abstract: ScoutVision is a cyber situational awareness platform allowing organizations to identify, understand, and act against cyber and physical threats before they can impact operations. I will overview how ScoutVision accomplishes this through internet structure information, threat data, and monitoring. I will outline some of our customer use cases and explain the gap we fill in the network security market.
Redis (www.redis.io) is an open-source, networked, in-memory, key-value data store with optional durability, and is written in ANSI C. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. I will overview the typical use cases for Redis and its capabilities and limitations as a tool for developers.
After providing insight into our product and an overview of the Redis server, I will review interval trees, specifically an augmented AVL tree, and how we implemented this basic data structure in Redis as a solution to one of ScoutVision's many demanding features.
Speaker: Jason Denney is a software engineer for Lookingglass Cyber Solutions. Originally from Ellenboro, NC, he graduated with a BS in Electrical Engineering and Spanish minor from North Carolina State University in 2008. He moved to Baltimore to partake in Northrop Grumman Electronic Systems' Professional Development Program before accepting a full-time position at Lookingglass in 2011. He is an active member of the Baltimore Node Hackerspace and was one of the lead organizers of the 2nd Baltimore Hackathon.
Hall Rm 214
(Lunch served at 11:30)