Fall 2014

Abstract:

Chief Information Security Officer (Baklarz) will discuss his experience in CISO-roles from the Naval Nuclear Program to the U.S House of Representatives. In addition to his perspectives and experiences with each of these organizations, he will discuss information security as a vocation and the specific areas of incident response, disaster recovery, security program development, risk management, and compliance issues.

Biography:

Ron Baklarz has over twenty-five years in the Information Security field developing "first-of-a-kind" information security programs within government, military, and private sector organizations including the Naval Nuclear Program, U.S. House of Representatives, Prudential Insurance Company, The American Red Cross, MedStar Health, and Amtrak. Ron is currently the Chief Information Security Officer at Amtrak and he has held various information security consulting, technical, and operational positions throughout his career.

In addition to holding professional certifications in the fields of information security and auditing, Ron earned a BS Business Management from Point Park University and MS Information Science and CAS Telecommunications both from the University of Pittsburgh.

Abstract:

The past decade has brought forth dramatic advances in our ability to collect, share, and analyze personal data. At the same time, information technology has enabled access to a vast quantity of personal information with relative ease. This is a particularly exciting time in the biomedical domain, as health information and high-throughput genome sequencing technologies become ubiquitous. Thus, as researchers push forward to make the most of new exciting opportunities, they are increasingly confronted with challenges to traditional protections for the corresponding participants. This talk will thus review why certain protections, such as privacy through "de-identification", appear to be eroding and how this could impact how personal information is collected, shared, and studied. It will then illustrate that privacy may not be as dead as some have made it out to be, how protections can be measured and managed to more effectively to protect research subjects, and how computational mechanisms such as new types of cryptography may be applicable to managing and learning from big databases. This talk will draw upon examples from the speaker's experiences with establishing the country's largest de-identified biorepository tied to an electronic medical record system (EMR) and directing a privacy research program for a consortia of academic medical centers conducting genomics research with EMR data.

Biography:

Bradley Malin, Ph.D. is an Associate Professor and Vice Chair of Biomedical Informatics in the School of Medicine, an Associate Professor of Computer Science in the School of Engineering, and Affiliated Faculty in the Center for Biomedical Ethics and Society at Vanderbilt University. He founded and currently directs the Health Information Privacy Laboratory (HIPLab), which develops technologies that enable privacy in the context of real world organizational, political, and health information architectures. Of note, since 2007, he has directed a privacy research and advisory program for the NIH-sponsored Electronic Medical Records and Genomics (eMERGE) network and currently serves as co-chair of the Data Privacy Task Force of the Patient Centered Outcomes Research Institute (PCORI). From 2010-2013, he assisted the Office for Civil Rights at the U.S. Department of Health and Human Services in the development of guidance for de-identification in accordance the HIPAA Privacy Rule. His research on de-identification (and re-identification) has been cited by the U.S. Federal Trade Commission and featured in various popular media outlets, including Nature News and Scientific American. He is an elected fellow of the American College of Medical Informatics and a recipient of the Presidential Early Career Award for Scientists and Engineers (PECASE). He completed his education at Carnegie Mellon University, where he received a bachelor's in biology, master's in public policy and management, and doctorate in computer science.

Abstract:

Cloud computing has emerged as a dominant paradigm that has been widely adopted by enterprises. Clouds provide on-demand access to computing utilities, an abstraction of unlimited computing resources, and support for on-demand scale up, scale down and scale out. Clouds are also rapidly joining high-performance computing system, clusters and Grids as viable platforms for scientific exploration and discovery. As a result, understanding application formulations and usage modes that are meaningful in such a hybrid infrastructure, and how application workflows can effectively utilize it, is critical. In this talk, I will l explore the role of clouds in science and engineering. I will also explore how science and engineering applications can benefit from clouds and how the cloud abstraction can lead to new paradigms and practices. This talk is based on research that is part of the CometCloud autonomic cloud-computing project at the NSF Cloud and Autonomic Computing Center at Rutgers.

Biography:

Manish Parashar is Professor of Computer Science at Rutgers University. He is also the founding Director of the Rutgers Discovery Informatics Institute (RDI2) and site Co-Director of the NSF Cloud and Autonomic Computing Center (CAC). His research interests are in the broad areas of Parallel and Distributed Computing and Computational and Data-Enabled Science and Engineering. Manish serves on the editorial boards and organizing committees of a large number of journals and international conferences and workshops, and has deployed several software systems that are widely used. He has also received a number of awards and is Fellow of AAAS, Fellow of IEEE/IEEE Computer Society and Senior Member of ACM. For more information please visit http://parashar.rutgers.edu/.

Abstract:

As telephony converges with the Internet with technologies like Voice-over IP (VoIP), it offers several benefits including richer applications and reduced communication costs. However, this convergence also enables malicious actors to use the traditionally trusted telephony channel to craft new attacks like caller-id spoofing, voice phishing, voice spam, and malware distribution for smart phones. A data-driven understanding of telephony based threats presents new and different challenges. Also, it is unclear if threat intelligence is being shared effectively across telephony and the Internet. This talk will describe early experience with setting up a telephony honeypot to better understand threats coming over the telephone. Analysis of data collected by the honeypot provides evidence of several types of attacks that have now become common. It will also describe how cross channel attacks are becoming increasingly common. Such attacks utilize both the Internet and telephony channels to craft attacks and defraud users. The talk will end with potential defenses and how cross channel intelligence can potentially help us better defend against a variety of attacks.

Biography:

Dr. Mustaque Ahamad is a professor of computer science at the Georgia Institute of Technology, and a global professor of engineering at New York University Abu Dhabi. He also serves as chief scientist of Pindrop Security, which he co-founded in 2011. Dr. Ahamad served as director of the Georgia Tech Information Security Center (GTISC) from 2004-2012. As director of GTISC, he helped develop several major research thrusts in areas that include security of converged communication networks, identity and access management, and security of healthcare information technology. His research interests span distributed systems and middleware, computer security and dependable systems. He has published over one hundred researchpapers in these areas. Dr. Ahamad received his Ph.D. in computer science from the State University of New York at Stony Brook in 1985. He received his undergraduate degree in electrical and electronics engineering from the Birla Institute of Technology and Science, Pilani, India.

Abstract:

Privacy through accountability refers to the principle that entities that hold personal information about individuals are accountable for adopting measures that protect the privacy of the data subjects. In this talk, I will cover computational treatments of this principle. This emerging research area, which my research group has played a pivotal role in developing, has produced precise definitions of privacy properties and computational accountability mechanisms to aid in their enforcement. After providing an overview of the research area, I will focus on two of our recent results in Web privacy. First, I will present our joint work with Microsoft Research on building and operating a system to automate privacy policy compliance checking in Bing. Central to the design of the system are (a) LEGALEASE -- a language that allows specification of privacy policies that impose restrictions on how user data is handled; and (b) GROK -- a data inventory for Map-Reduce-like big data systems that tracks how user data flows among programs. GROK maps code-level schema elements to datatypes in LEGALEASE, in essence, annotating existing programs with information flow types with minimal human input. Compliance checking is thus reduced to information flow analysis of big data systems. The system, bootstrapped by a small team, checks compliance daily of millions of lines of ever-changing source code in the data analytics pipeline for Bing written by several thousand developers. Second, I will describe the problem of detecting personal data usage by websites when the analyst does not have access to the code of the system nor full control over the inputs or observability of all outputs of the system. A concrete example of this setting is one in which a privacy advocacy group, a government regulator, or a Web user may be interested in checking whether a particular web site uses certain types of personal information for advertising. I will present a methodology for information flow experiments based on experimental science and statistical analysis that addresses this problem, our tool AdFisher that incorporates this methodology, and findings of opacity, choice and discrimination from our experiments with Google.

Biography:

Anupam Datta is an Associate Professor at Carnegie Mellon University where he holds a joint appointment in the Computer Science and Electrical and Computer Engineering Departments. His research focuses on the scientific foundations of security and privacy. Datta's work contributed towards creating a computational basis for the research area of Privacy through Accountability. Specific foundational contributions include a formalization of privacy as contextual integrity, a formalization of purpose restrictions on information use, and a suite of accountability mechanisms for privacy protection. His research group produced the first complete logical specification and audit of all disclosure-related clauses of the HIPAA Privacy Rule for healthcare privacy. His group's work with Microsoft Research produced the first automated privacy compliance analysis of the production code of an Internet-scale system -- the big data analytics pipeline for Bing, Microsoft's search engine. Datta has also made significant contributions to the research area of Compositional Security. Specifically, his work led to new principles for securely composing cryptographic protocols and their application to several protocol standards, most notably to the IEEE 802.11i standard for wireless authentication and to attestation protocols for trusted computing. Datta has authored a book and over 50 other publications on these topics. He serves as Associate Editor of the Journal of Computer Security and the Journal of Computer and System Sciences, as well as the 2013-14 Program Co-Chair of the IEEE Computer Security Foundations Symposium. Datta obtained Ph.D. (2005) and M.S. (2002) degrees from Stanford University and a B.Tech. (2000) from IIT Kharagpur, all in Computer Science.

Abstract:

To date, most work regarding the formal analysis of access control schemes has focused on quantifying and comparing the expressive power of a set of schemes. Although expressive power is important, it is a property that exists in an absolute sense, detached from the application-specific context within which an access control scheme will ultimately be deployed. In this talk, by contrast, we formalize the access control suitability analysis problem, which seeks to evaluate the degree to which a set of candidate access control schemes can meet the needs of a specific application or environment. This process involves both reductions to assess whether a scheme is capable of securely implementing a workload, as well as cost analysis using ordered measures to quantify the overheads of using each candidate scheme to service the workload. We will broadly overview the theory behind this research, as well as discuss software tools that our group has developed to explore instances of this problem.

Biography:

Adam J. Lee is currently an Associate Professor of Computer Science at the University of Pittsburgh, where he previously held the position of Assistant Professor (2008-2014). Prior to joining the University of Pittsburgh, he received the MS and PhD degrees in Computer Science from the University of Illinois at Urbana-Champaign in 2005 and 2008, respectively. Prior to that, he received his BS in Computer Science from Cornell University (2003). His research interests lie at the intersection of the computer security, privacy, and distributed systems fields. Dr. Lee's research has been supported by the NSF and DARPA, and he is an NSF CAREER award winner (2013).