ISI In The News


The Troubling Implications Of The Celebrity Photo Leak
By: Melissa Block, NPR

"To learn more about the recent celebrity photo hack, Melissa Block speaks with Matthew Green of Johns Hopkins University. They discuss how the photos might have been obtained, as well as how you can protect your own material saved to the cloud."


Researchers Hack Webcam While Disabling Warning Lights
By: Nick Bilton, New York Times

"The Johns Hopkins paper, titled "iSeeYou: Disabling the MacBook Webcam Indicator LED," explains how the researchers were able to reprogram an iSight camera's microcontroller to activate the recording functions and LED activation lights independently to spy on someone without giving that person any idea that the computer camera is in use.."

Prism: What the NSA could know about you
By: Laurie Segall, CNNMoney

'Zerocoin' Add-on For Bitcoin Could Make It Truly Anonymous And Untraceable
By: Andy Greenberg, Forbes

"A lot of people have tried to make systems of anonymous digital cash over the years, and they've failed. Bitcoin has almost made it, but it's come just a little short," says Matthew Green, the computer science professor who designed Zerocoin along with graduate students Ian Miers and Christina Garman. "How do we get it that last ten percent of the way? It's taken us nearly two years to come up with the answer, and this is what we've got."

World's Health Data Patiently Awaits Inevitable Hack
By: Daniela Hernandez, Wired

"Most people see a service, and they just assume it's safe and secure and they use it," said Avi Rubin, the director of the Health and Medical Security Lab at Johns Hopkins University. "There seems to be, I believe, a bias when people get hold of a product to trust it and to think that it's okay until proven otherwise instead of the other way around."

But as the recent chain of hack attacks at companies like Apple, Twitter, Facebook, Dropbox and most recently Evernote suggest, that may be the wrong assumption to make. "Any system that consists in large part of software is hackable," Rubin warns. At some point, someone will hack a major repository of healthcare data. And it won't be pretty.

Fincen Spying Plan Invites Privacy Workarounds
By: Jon Matonis, American Banker

Having received a preliminary copy of the academic paper, I interviewed Hopkins research professor Matthew Green about some of the details of Zerocoin.

Operating as a decentralized layer of anonymous cash on top of the existing Bitcoin network, "Zerocoin creates an 'escrow pool' of bitcoins, which users can contribute to and then later redeem from," Green explained. Users receive different coins than they put in (though the same amount) and there is no entity that can trace your transactions or steal your money. "Unlike previous e-cash schemes, this whole process requires no trusted party. As long as all the nodes in the network support the Zerocoin protocol, the system works in a fully distributed fashion," added Green.

Theoretical Lucky Thirteen TLS Attacks Could Turn Practical
By: Michael Mimoso, Threat Post

For now, the Lucky Thirteen attacks described in a paper last week by researchers at Royal Holloway, University of London, are largely theoretical. But the potential exists to adapt techniques used in the BEAST attacks against TLS/SSL to improve the feasibility of Lucky Thirteen, a researcher said.

BEAST, which stands for Browser Exploit Against SSL/TLS, is custom javascript exploit code developed by researchers Juliano Rizzo and Thai Duong that is injected into a browser session via a malicious iframe or a direct remote injection into a victim’s browser. Attackers can use BEAST to steal cookie data or hijack browser sessions. Researcher Matthew D. Green of Johns Hopkins University said a similar attack could be used to reduce the number of calculations currently required in the Lucky Thirteen attacks to decrypt a session and steal sensitive information.

"The guys who did the BEAST attack have written javascript like this already; someone would just need to tweak it," Green said. "They're most of the way there already."

Chinese Hackers infiltrate The NYTimes
By: Catie Paul, JHU

"I believe that cyberwarfare has already begun and that governments and corporations are feeling the brunt of the attacks. Unfortunately, there is no one size fits all security solution. The best that organizations can do is to practice defense in depth with multiple layers of protection," Avi Rubin, a professor of computer science at Hopkins and technical director of the Information Security Institute, wrote in an email to The News-Letter.

Researchers devise new attack techniques against SSL
By: Lucian Constantin (IDG News Service), Computer World

"The new AlFardan and Paterson result shows that it is indeed possible to distinguish the tiny timing differential caused by invalid padding, at least from a relatively close distance -- e.g., over a LAN," Matthew Green, a cryptographer and research professor at Johns Hopkins University in Baltimore, Maryland, said Monday in a blog post. "This is partly due to advances in computing hardware: most new computers now ship with an easily accessible CPU cycle counter. But it's also thanks to some clever statistical techniques that use many samples to smooth out and overcome the jitter and noise of a network connection."


Health-care sector vulnerable to hackers, researchers say
By: Robert O'Harrow Jr., The Washington Post

A year-long examination of cybersecurity by The Washington Post has found that health care is among the most vulnerable industries in the country, in part because it lags behind in addressing known problems.

"I have never seen an industry with more gaping security holes," said Avi Rubin, a computer scientist and technical director of the Information Security Institute at Johns Hopkins University. "If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed."

Use online reviews while shopping? Know how to spot fakes

"You can't hook someone up to a lie detector test when they are writing a review," said Avi Rubin, the technical director of the Johns Hopkins University Information Security Institute. He said it's hard to tell what's real or not and that some sites do a better job than others at making it harder for people to post fake reviews.

Fake airline-boarding passes get through security, experts say
By: James Ball, The Washington Post

Even if digital signatures were mandatory, other security gaps remain, experts warn. Airlines cross-check passenger names against federal databases for names of passengers on the no-fly list or subject to additional screening. But the names are not cross-checked by TSA once passengers reach airport checkpoints with boarding passes in hand.

To do so, the TSA would need to have electronic scanners with networking capabilities to communicate with the federal databases. Technical documents issued by the agency confirm its system does not have such capabilities and does not routinely check boarding passes against federal databases.

"The TSA has a real problem here," said Matthew Green, assistant research professor at the Johns Hopkins Information Security Institute.

Half of polling places knocked out by Sandy restored
By: Salvador Rizzo/Statehouse Bureau,

"E-mail accounts get hacked all the time," said Avi Rubin, a Johns Hopkins University professor and technical director of its Information Security Institute.

Rubin said there is no guarantee of the source of ballots e-mailed or faxed. "E-mail is trivial to forge, and faxes can be spoofed as well," he said.

How secure is your electronic vote?
By: Doug Gross, CNN

"If the election is predicted to be a landslide, and then it is, really the problems we're concerned about aren't that big a deal, because everyone knows the election went the way it was supposed to," said Avi Rubin, a professor of computer science at Johns Hopkins University who specializes in computer security.


All Your Devices Can Be Hacked
By: Avi Rubin @ TEDxMidAtlantic 2011


Thinking Out Loud: In the Age of Cybercrime
By: William R. Brody

Flawed election machines leave Maryland voters guessing
The Baltimore Sun

Personal Data for the Taking
The New York Times

Invading Privacy for School Credit

How secure is your ballot?

Johns Hopkins Leads in Cyber Education
Federal Computer Week

Men Are Pigs

The perils of electronic voting
The Mercury News

Profile: Adam Stubblefield
Security Wire Perspectives

The Taming Of The Internet

Black Box Voting Blues

Md. Plans Vote System Fixes After Criticisms
The Washington Post

Md. Voting System's Security Challenged
The Washington Post

Voting machine fails inspection

Electronic Voting Machines Blasted by Scientists, Hacked by Author
Scoop Media

Electronic Voting System is Vulnerable to Tampering

NSF funds Info Security Scholarships
The JHU Gazette

Securing the Internet Age

Information Security Institute receives $2.9 million grant
WSE News

Hopkins gets $2.9M grant for information security
Baltimore Business Journal
Last Modified: September 23 2014 12:07:17

Press Room

Contact Us

JHU Information Security Institute
Malone Hall Suite 160
Baltimore, MD 21218

E-mail Us

Phone: 410-516-6282
Fax: 410-516-6134