Institute News
iCloud hack of revealing celebrity photos shows we are all vulnerable
What fills up your iPhone's photo album? Selfies? Snaps of gourmet meals gone by? Anything you'd rather not mention or moments not meant for the world to see? Then you better know about two factor authentication.
That's the advice JHU information security expert Matthew Green shared during an interview this week on NPR's All Things Considered. Green, an assistant research professor at the Johns Hopkins Information Security Institute, was brought on the show to talk about how hackers might have gotten their hands on the intimate photos of dozens of celebrities like actress Jennifer Lawrence and model Kate Upton.
Read more here: JHU HUB
iSeeYou: Disabling the MacBook Webcam Indicator LED
Recent research by Matthew Brocker, an MSSI graduate student, and Steve Checkoway, a JHUISI and CS faculty member, was featured in an article by The Washington Post on December 18, 2013, and picked up by several news and Internet venues around the world.
Started as an MSSI capstone project, this study found a means for disabling the green light indicator while turning on the built-in camera on Mac computers, raising serious concerns of privacy and security.
Read more here: The Washington Post
or here: The New York Times
JHUISI Hosts Meeting of the Maryland Cybersecurity Commission's Subcommittee on Education and Training
On February 21, 2013 the Maryland Cybersecurity Commission's Subcommittee on Education and Training holds its quarterly meeting at JHUISI. "The Education and Training subcommittee is charged with making recommendations regarding methods the State of Maryland can use to increase cyber innovation by promoting workforce training, education, and development and by promoting science, technology, engineering, and mathematics courses at all levels of education." The committee chair Kathy Michaelian from Montgomery College and member Sean Fahey, Vice Provost for Institutional Research of JHU lead extensive discussions on broadening the pool of individuals in both K-12 and college educations to be prepared to enter the cybersecurity workforce and defining the barriers and resources.
In this meeting JHUISI director Dr. Anton Dahbura gives an overview of JHUISI's MSSI program and related research. The JHUISI technical director Dr. Avi Rubin and MSSI program director Dr. Xiangyang Li also participate in the presentation and discussion. Peggy Maxson, Director of National Cybersecurity Education Strategy at the Department of Homeland Security gives a brief explanation of the National Initiative for Cybersecurity Education (NICE). She demonstrates a newly launched web portal that pulls together resources for government,industry, and academia to promote cybersecurity awareness, education, careers, and workforce development.
Charles Wright is Featured in an Article by New Scientist Magazine
Charles Wright is featured in a June article by New Scientist Magazine regarding the potential of eavesdropping on encrypted VoIP communications that use a compression technique called variable bitrate compression. A paper was presented at the 2008 IEEE Symposium on Security and Privacy, in Oakland, California, US, in May.
Susan Hohenerger Receives Microsoft New Faculty Fellowship
Congratulations to Susan Hohenberger, Assistant Professor in Computer Science. She has been selected as a 2008 recipient of a Microsoft New Faculty Fellowship. "Each year, five up-and-coming new faculty members are chosen for these awards from universities throughout North America". Faculty Fellows are awarded a $200,000 (USD) grant to stimulate creative research in their respective fields.
Hohenberger's research focuses on cryptography: the art of securely communicating. She is interested in designing secure solutions for pervasive settings, where devices everywhere are constantly talking to their environments, which may require low energy, short overhead and the ability to quickly process a large number of incoming messages. Her research includes an emphasis on developing privacy-friendly technologies, such as anonymous communication and electronic cash.
JHUISI is among the first to be designated as a National Center of Academic Excellence in Information Assurance Research
JHUISI has also been previously designated as a National Center of Academic Excellence in Information Assurance Education. A press release is to be posted shortly at the following site.
JHUISI is featured in the Winter '08 edition of Johns Hopkins Engineering Magazine
Researchers at JHUISI discuss their latest work regarding the statistical analysis and information leakage pertaining to encrypted VoIP communications. In addition, Richard Moxley, Executive Vice President and Chief Technical Officer of Blackbird Technologies states that Blackbird executives are "very impressed with the quality of the students and with the school's research and programs..." Read More...
JHUISI featured in IATAC Spotlight on Education
The Johns Hopkins University (JHU) Information Security Institute (ISI) was created, as Founding Director Gerald M. Masson explains, to address "the fact that a lot of Internet systems are vulnerable, and Internet Security is vitally important in today's society." An NSA IA Center of Academic Excellence since May 2003 and charter member of the Institute for Information Infrastructure Protection (I3P), the ISI is a multi-discipline collaboration of serveral JHU schools. Read More...
Avi Rubin, Technical Director of JHUISI featured in IATAC Spotlight on Research
This article is the fifth in a series of profiles of members of the Information Assurance Technology Analysis Center (IATAC) Subject Matter Expert (SME) program. The SME profiled in this article is Dr. Aviel "Avi" D. Rubin is a Professor of Computer Science and has served as the Technical Director of the Information Security Institute at Johns Hopkins University since 2003. During his tenure, he also co-founded the start-up consultancy Independent Security Evaluators with some of his former students, which focuses on penetration testing and redesign of "non-secure systems" revealed through testing. Read More...
JHUISI Listed in Information Security Magazine as NSA Center of Academic Excellence
Information Security magazine has listed JHUISI amongs schools that are NSA Centers of Academic Excellence. You may find additional information in the July/August 2007 issue.
iPhone Flaw Lets Hackers Take Over
Independent Security Evaluators' researchers have discovered a vulnerability in the iPhone, which allowed them to gain full control of the device. The New York Times article may be found here. Details about the vulnerability can be found at www.exploitingiphone.com
ShmooCon Hacker Event gets under way with an opening keynote from Avi Rubin
The Third Annual Convention Draws Security Researchers and Other Experts to Debate Everything from Wireless Hacks to Data Breach. Read more of this InfoWorld article.
Recent MSSI Graduates discover a Windows Vista Security Loophole
Aaron Powell and Christopher Vincent have discovered a loophole in BitLocker. Further information can be found in the InformationWeek article.
Researchers featured in Johns Hopkins Engineering Magazine
Fabian Monrose, Andreas Terzis, and Moheeb Rajab are featured in the Winter 2007 issue of Johns Hopkins Engineering discussing Botnet research being performed at JHUISI.
JHUISI MSSI and CS MSECS - Dual Masters Program
The Johns Hopkins University Information Security Institute (JHUISI) and the Department of Computer Science (CS) in the Whiting School of Engineering have approved the establishment of a two-year Dual Masters Program (DMP) combining the Master of Science in Security Informatics (MSSI) offered by JHUISI and the Master of Science in Engineering in Computer Science (MSECS) offered by CS.
Dual Masters Program with the Department of Applied Math and Statistics in the WSE
A similar DMP has been initiated regarding the JHUISI MSSI and the masters program in the Department of Applied Math and Statistics in the WSE. The details of this DMP are similar in principal to those for the MSSI/MSECS, but there are some significant differences. Each program should be contacted if a student is interested.
Dual Masters Program with the School of Public Health in the BSPH
A similar DMP has been initiated regarding the JHUISI MSSI and the Master of Health Sciences (MHS) program in the Bloomberg School of Public Health (BSPH). The details of this MSSI/MHS DMP are similar in principal to those for the MSSI/MSECS, but there are some significant differences. Each program should be contacted if a student is interested.
Fabian Monrose and Andreas Terzis receive National Science Foundation's Faculty Early Career Development awards (CAREER).
Avi Rubin to direct $7.5 million NSF funded ACCURATE E-Voting Center
A federally funded center dedicated to improving the reliability and trustworthiness of voting technology, drawing on experts in computer science, public policy and human behavior, will be based at The Johns Hopkins University Information Security Institute, the National Science Foundation announced Aug. 15. Researchers from five other institutions nationwide will participate in the project, which is aimed at addressing public concerns about the growing use of electronic voting machines in local, state and national elections.
The NSF said it would provide $7.5 million over five years to launch the new endeavor called ACCURATE, which is short for A Center for Correct, Usable, Reliable, Auditable, and Transparent Elections.
Read more: ACCURATE website, NSF Website, JHU Gazette, and Baltimore Business Journal.Brave New Ballot : The Battle to Safeguard Democracy in the Age of Electronic Voting
Order your copy of Avi Rubin's newest book.
Read more: www.bravenewballot.org.
90 Years of Engineering at the Johns Hopkins University
These slides were prepared by the Whiting School of Engineering at Johns Hopkins University as part of the 25th Anniversary Celebration of the establishment of the WSE and the 90th anniversary of engineering academic programs at the University. They provide interesting information and highlights regarding education and research at Hopkins over the previous 90 years.
ISI Researchers Identify Security Flaws in RFID Devices
RFID Encryption vulnerabilities are identified in a newly published paper entitled 'Security Analysis of a Cryptographically-Enabled RFID Device' by Steve Bono, Matthew Green, Adam Stubblefield, and Avi Rubin. NY Times - Graduate Cyptographes Unlock Code of 'Thiefproof' Car Key, USA Today - Researchers: We cracked car alarm system, Slashdot - Mobile SpeedPass, Various Car RFID Car Keys Cracked, Headlines@Hopkins - RFID Chips in Car Keys and Gas Pump Pay Tags Carry Security Risks.
Gerald Masson received MAHE 2004 Outstanding Educator Award
Gerald Masson has been selected to receive the Maryland Association for Higher Education’s 2004 Outstanding Administrator Award for his key role in the creation, development, and operation of the Johns Hopkins University Information Security Institute.
The Electronic Frontier Foundation (eff.org) names Avi Rubin as a 2004 Pioneer Award recipient for his work spearheading and nurturing a popular movement for integrity and transparency in modern elections.
AVI RUBIN named as one of the top 10 Baltimoreans of 2003
BaltimoreMagazine.net
ISI Researchers Identify Security Flaws in Electronic Voting System
Numerous security flaws are identified in a newly published paper entitled 'Analysis of an Electronic Voting System' by Tadayoshi Kohno (JHU), Adam Stubblefield (JHU), Aviel Rubin (JHU), and Dan Wallach (Rice University). The Washington Post, CNET News, Scoop, and Headlines@Hopkins.
Electronic Voting System Updates:
The Response to Diebold's Technical Analysis of the original paper is now available.
On August 6, 2003 Governor Robert Ehrlich put a hold on Maryland's electronic voting machine purchases. Safeguarding Maryland's Votes, Jolted Over Electronic Voting, and E-Vote Machines Face Audit.
On September 24, 2003 the Maryland State Board of Elections announced their plans to continue with the purchase of the electronic voting machines. A public copy of the report by Science Applications International Corporation is available. Md. Plans Vote System Fixes After Criticisms.
Be sure to check out the November 3rd edition of Newsweek that featured an article entitled 'Black Box Voting Blues'.
ISI Hosts Cyber Trust Point Meeting
The Johns Hopkins University Information Security Institute hosted the first National Science Foundation sponsored Cyber Trust Meeting. The meetings were held on August 13 -15, 2003 at The Johns Hopkins University Homewood campus. The National Science Foundation invited Principal Investigators currently conducting research in systems and information security. The meetings were open for general attendance on Thursday. There meetings were the initial opportunity for researches throughout the country to gather to present their research to colleagues. Additional information is available on our NSF Cyber Trust Point Meeting Information page.
NSF Scholarship Grant Awarded to ISI
The National Science Foundation has awarded the Johns Hopkins University Information Security Institute a $2.92M grant to fund graduate education in information security. The funding from the Federal Cyber Service: Scholarship for Service program will pay tuition, fees, housing and a stipend for full-time information security students planning to enter federal employment. Anyone interested in applying for this scholarship should visit our Education section
In its application for the grant, the Information Security Institute emphasized the need for security expertise in the health and medical sectors. Under new federal law, health care organizations are required to secure electronic medical systems in order to protect privacy. Johns Hopkins has developed a master's degree program that stresses the technical demands of information security and applications in the medical field.
JHU Recognized as a Center of Academic Excellence
The National Security Agency has designated The Johns Hopkins University Information Security Institute as a Center of Academic Excellence in Information Assurance Education. Visit the NSA's website for additional information about the National INFOSEC Education & Training Program.
This designation reflects the strength of the university's inter-disciplinary programs in education and research.
The NSA recognition, for the academic years 2003 to 2006, enables Johns Hopkins to apply for a wide range of grants for research and programs in information security.
"It's more than just an award. It's a requirement that carries significant weight regarding opportunities for funding for both educational programs and research programs," said Gerald M. Masson, who serves as director of the Information Security Institute. "For government agencies in the Baltimore, Washington, Northern Virginia area, this is highly important."
EMR Conference Presentations and Information
June 30, 2003
The speaker presentations from the May 31, 2003 Distribution and Access to Electronic Medical Records Conference and other relevant links and information are available here.
MSSI Application Period Has been Extended
May 1, 2003
The Information Security Institute is still accepting applications for the Master of Science in Security Informatics. All interested parties are encouraged to visit the Admissions page.
JHUISI was created to address the educational and research agenda of the Security Informatics field. The Masters of Science in Security Informatics stands as the flagship degree offered by Johns Hopkins University in the area of information security and assurance. The educational goal of the Information Security Institute is to produce graduates with solid technology foundations in conjunction with a robust understanding of national and international policy/law, and managerial ramifications. The graduates will assume leadership positions in government and industry in a society in which the role played by information security and assurance is increasingly pervasive and critical.
To learn about the Masters of Science in Security Informatics degree please visit our Education section
ISI's Technical Director on TechTV
Avi Rubin was on TechTV's show 'Call for Help' on Monday, May 12. The show aired a section entitled 'Prescription for Privacy' in which Avi discussed some of the security issues related to HIPAA. Be sure to check out the video highlights.
Firewalls and Internet Security: Repelling the Wily Hacker
Co-author, ISI Technical Director, Avi Rubin is proud to announce the release of the second edition of Firewalls and Internet Security. Order your copy from Amazon.com and get 30% off plus free shipping.
Current Privacy Research and Frameworks
January 30, 2003
ISI Executive Director Darren Lacey's presentation at SecureWorld--Baltimore on January 28 is now available for download in PDF format here.
"Will Microsoft listen if users demand change?"
Once again, Professor Jonathan Shapiro's Extremely Reliable Operating System (EROS) is brought up as a counterexample in the discussion of secure software development Microsoft is not pursuing. This time, in a commentary by the UK's IT Week, the core EROS paradigm of mathematically provable security is held up as a proposed model for Microsoft operating system redesign.
ISI professor set to present at eleventh WATSH on Feb. 5
January 23, 2003
Is privacy of health care records something citizens can count on today and in the future? Or is it simply too hard to implement workable technical controls that can provide emergency access to critical records and still afford patients the control over their data that HIPAA regulations require?
ISI's own Giuseppe Ateniese has been working on cryptographic mechanisms that can provide both the access and the control that HIPAA requires. Ateniese will be the speaker at the eleventh Washington Area Trustworthy Systems Hour (WATSH) presented by the NSF's Directorate for Computer Science & Information Science & Engineering (CISE).
The talk, "Health Information Privacy," will be given Wednesday, February 5 at 4:00 PM at the NSF Stafford I Building, Room 110 (directions). Mark your calendar now!
Complete information including an abstract and the speaker's bio can be found here.
"Way too many passwords, not enough protection"
January 22, 2003
When the Chicago Tribune wanted expert input on the security implications of a tech society overwhelmed by passwords, ISI professor Avi Rubin got the call.
In a January 19 article of the above title, Tribune correspondent Stevenson Swanson explores the various situations that require passwords and how peoples' desire for convenience often comprises security through their selection of easily crackable passwords and use of one password for multiple situations.
In the article, Rubin suggests a password creation scheme more secure than the selection of a word that can be found in a dictionary: "taking the first letters of an easily remembered phrase and then adding some numbers or, better yet, punctuation marks and capital letters. " The resultant password is too complex to be easily broken.
But a complex password is only useful if it can be remembered, and the sheer quantity of passes one is often asked to memorize can make it hard to recall the right one at the right time. Rubin is in no way insulated from this problem; according to the article he "recently counted all the access codes he has to remember, including those for his computer, for two garage doors and for the nanny to get into the house. " The total? 53.
The full text of the article can be accessed in the online archives of the Tribune (free registration required - so if you're Avi, that means password number 54).
"George Orwell, here we come"
January 7, 2003
Professor Avi Rubin, a recent addition to ISI, is quoted in this CNET commentary that discusses governmental and police bodies' increasing interest in developing and proposed surveillance technologies. Professor Rubin's comments on the probable emergence of an antisurveillance movement offset somewhat the piece's rather bleak perspective on the future of personal privacy.
ISI Response to Windows Security Certification Getting Press
November 18, 2002
ISI Professor Jonathan S. Shapiro's critical response to Microsoft's receiving a Common Criteria certification for Windows 2000 at Evaluation Assurance Level (EAL) 4 is making the news.
His criticism of Windows security sparked a Slashdotting and discussion there of ISI's Extremely Reliable Operating System (EROS) project.
The Sydney Morning Herald has also published an article, "Researcher says Windows 2000 certification means little," addressing Shapiro's comments.
Fabian Monrose joins Hopkins and ISI
October 31, 2002
The Hopkins Information Security Institute is pleased to announce that Dr. Fabian Monrose will be joining the faculty of the Department of Computer Science in the Whiting School of Engineering this fall, and will be affiliated with the Institute, where his lab and office will be located. Dr. Gerald Masson, ISI Director, said "Dr. Monrose will play an important and timely role in the evolution of the Hopkins ISI. Fabian's research and teaching interests fit exceedingly well with the directions we intend to pursue, and his experiences in industry will be invaluable."
Dr. Monrose was awarded his Ph.D. in Computer Science from the Courant Institute of Mathematical Sciences, New York University (NYU), in May 1999. Upon graduating, he joined the Secure Systems Group at Bell Labs, Lucent Technologies, where for over 3 years, he lead an innovative research program on the generation of cryptographic keys from biometric measurements. His initial research focused on techniques for strengthening the security of typed passwords by hardening the passwords themselves using habitual patterns in a users typing behavior (as she types her password). In subsequent work he explored methods for generating strong cryptographic keys from spoken pass-phrases. In that work, cryptographic keys are generated based on how the user speaks as well as what the user says. These cryptographic keys can be used, for example, for file encryption. His current research focuses on practical attacks and defenses against voice-based authentication systems.
Dr. Monrose has also conducted research in mobile code security, hybrid distributed attacks, web privacy, graphical password schemes, and continues to conduct research in these and other areas. He has served on numerous program committees, including Network & Distributed System Security (2001-2003), the 1st ACM Workshop on Security & Privacy in Electronic Commerce, the International Workshop on Discrete Algorithms for Mobile Computing & Communications, and the Security & Privacy track of the 12th International World Wide Web Conference.
ISI announces relationship with Windermere
October 21, 2002
JHU ISI and Windermere have entered into a memorandum of understanding creating a partnership that will serve as the model for academic and industry collaboration in the field of information security. Windermere, provider of systems development and technical support for some of the most complex mission critical systems in the federal government, will lend its exceptional reputation and knowledgeable professionals and ISI its broad university influence and research talents to the development of widely-applicable information security/assurance solutions and practices.
Peter A. Freeman speaks at Hopkins
October 17, 2002
Dr. Peter A. Freeman, Assistant Director for the Computer and Information Science & Engineering Directorate (CISE) of the NSF, delivered a talk on "Research for Homeland Security" to a packed house at Homewood campus Thursday, October 17.
The talk (available here) provided an overview of the recently released National Academies report on "The Role of Science and Technology in Countering Terrorism" and then illustrated the problems that must be dealt with to protect our critical infrastructure, to improve our law enforcement and justice system, and to provide a responseive and effective public health system.
Avi Rubin joins Hopkins ISI as Technical Director
October 7, 2002
UPDATE: Avi quoted in CNN article Electronic elections: What about security?
Dr. Avi Rubin, who has been a Principal Researcher at AT&T Labs since 1997 and an Adjunct Professor of Computer Science at New York University, has joined the Johns Hopkins Information Security Institute as Technical Director, and has been appointed to the rank of associate professor in the Department of Computer Science in the Whiting School of Engineering.
Dr. Gerald Masson, Director of the Hopkins ISI, stated "Avi Rubin is a superb addition to the Institute in all regards. He brings us a wealth of experience from the perspective of both foundational issues as well as systems oriented programs in the information security field, and will clearly be an excellent teacher and mentor to our students.''
Dr. Rubin has a broad and distinguished background in information security and assurance field. He is a member of the Board of Directors of the USENIX Association, and author of "White-Hat Security Arsenal'' (Addison Wesley, 2001), "Web Security Sourcebook'' (with Dan Geer and Marcus Ranum, John Wiley & Sons, 1997), and the upcoming "Firewalls and Internet Security,'' second edition (with William Cheswick and Steven Bellovin, Addison Wesley, 2003). Dr. Rubin is Associate Editor of ACM Transactions on Internet Technology and an Advisory Board member of Springer's Information Security and Cryptography Book Series.
Dr. Rubin was a member of the research team at AT&T Labs that was the first to demonstrate a serious flaw in the 802.11 WEP standard. Among his research projects that have been deployed on the Internet are Betsi, Crowds, Absent and Publius. Rubin received the Index on Censorship Freedom of Expression Award for the Best Circumvention of Censorship for the Publius project. On numerous occasions, he has advised the government on security issues related to electronic voting. Rubin also serves on the Technical Advisory Boards of several companies. Besides his peer-reviewed contributions in technical conferences and journals, Rubin's work has been featured on CNN, NBC Nightly News with Tom Brokaw, TechTV, the New York Times, the Wall Street Journal, the Washington Post, and in many other media outlets.
Faculty Member and Students to Appear at WiSE
September 16, 2002
Dr. Baruch Awerbuch, along with students David Holmer, Cristina Nita-Rotaru, and Herbert Rubens, will appear at WiSE, a security workshop in conjunction with ACM Mobicom, to present a paper on wireless security.
The paper, entitled "An On-Demand Secure Routing Protocol Resilient to Byzantine Failures," (.pdf, .ps) focuses on providing routing survivability in ad-hoc networks where any node or group of nodes can perform Byzantine attacks such as creating routing loops, misrouting packets on non-optimal paths, or selectively dropping packets.
The work includes a fully specified routing protocol and presents a logarithmic upper bound on the number of packets lost while finding a fault free path in a network which consists solely of adversaries with the exception of enough fault free nodes to connect the source and the destination.
Students Conduct Archipelago Pilot Test
September 13, 2002
Dr. Baruch Awerbuch's students David Holmer and Herbert Rubens recently conducted a pilot test of their secure wireless ad-hoc networking system called Archipelago at an industrial plant in Chicago. They were able to successfully demonstrate the system's ability to provide a secure ad-hoc infrastructure enabling users to continuously monitor and control the plant's systems and processes.
The industrial sector is becoming more educated about the potential security threats through the Process Control Security Requirements Forum (PCSRF) which was created as part of NIST's Critical Infrastructure Protection initiative. Through this channel, Holmer and Rubens have helped to create a multi-hop peer-to-peer wireless local area network protection profile for sensitive but unclassified environments.
Researchers Win Award
July 2, 2002
Jonathan Shapiro and John Vanderburgh of the Systems Research Laboratory have been awarded the USENIX 'Best Freenix Track Paper Award' for their paper entitled 'CPCMS: A Configuration Management System Based on Cryptographic Names'. The paper was presented at the 2002 USENIX Annual Technical Conference in Monterey, California.
The OpenCM (www.opencm.org) website can be found here. You can read about the alpha release of it on slashdot.
University Certified for Next Four Years
June 2002
The Committee on National Security Systems and the National Security Agency certified that Johns Hopkins University offers a courseware that has been reviewed by National Level Information Assurance Subject Matter Experts and determined to meet National Training Standard for Information Systems Security Professionals, NSTISSI No. 4011 for academic years 2002 - 2005.