Pursuant to University System of Georgia (USG) policy, Section 5.8 (page 66), all USG organizations must implement endpoint security by "deploying tools that add a layer of security to devices connecting to networks that may otherwise make them vulnerable to cyber attacks." Georgia Tech's Endpoint Management & Protection Program ensures secure management of all Institute-owned endpoint devices, including desktops, laptops, tablets, and mobile phones. In early 2020, President Cabrera requested that campus leadership work with their respective teams to ensure full attention and participation in the endpoint compliance effort and other efforts related to data security and protection.
The knowledge article, How to Meet Endpoint Management Compliance for Endpoints, shares additional information and resources regarding the compliance campaign as well as resources for installing the appropriate endpoint tools. Please note that you must be logged into Services.gatech.edu to view the knowledge article.
Additional information regarding the campaign is shared at https://oit.gatech.edu/endpointcompliance.
]]>Currently, people rely on blacklist apps to stop spam calls, but they are only up to 60 percent effective, according to School of Computer Science Ph.D. student Sharbani Pandit. This is because of the prominence of neighbor spoofing, or numbers similar to person’s own.
“The caller number will look very similar to your own number, so you’re more likely to pick up, and each time they call, they use a new number, so it doesn’t show on the blacklist,” said Pandit.
So Pandit and her team tried a more direct approach, a virtual assistant (VA). Like a smart home device or a secretary, the VA determines whether calls are from people before it passes the call off to the user.
How It Works
Whether a call is spam or not can be determined by a simple question: does the caller know the name of the person they’re calling?
“The idea is someone who is a wanted caller would know the full name of the person they’re trying to reach,” Pandit said.
If the caller can confirm the name, the VA would forward the call and a transcript of how the conversation went to the user. The entire interaction takes 10 seconds.
For callers who may not know the name but are not a bot, VA engages in a conversation and interrupts the caller as they are speaking to determine if the caller stops talking. This process takes a maximum of 30 seconds.
“It’s very natural in human conversation that you would stop to listen to what the other party is saying on the call, but a bot wouldn’t do that,” Pandit said.
For calls thought to be spam, the notification would be sent to the user with a label for each caller to indicate whether it was a human or a robot caller.
How Many Calls It Stops
The researchers did a user study with 21 people who determined they were comfortable talking to the VA. They also tested the VA on a database 8,000 robocall recordings, in which 97.8 percent of the robocalls were correctly labeled as such.
Pandit presented the research in Fighting Voice Spam with a Virtual Assistant Prototype. She co-wrote the paper with University of Georgia’s Jienan Liu and Associate Professor Roberto Perdisci, and SCS Professor Mustaque Ahamad. The work has already garnered media attention from New Scientist and Digital Trends.
The researchers are still making a few adjustments before they release the Android app. Robocalls are constantly evolving and getting more sophisticated, which introduces new challenges to researchers. Some robocalls even have lists of phone numbers and names, so the researchers are adding more questions in the screening conversation that only a human could answer.
They believe that anything that can slow down the efficacy of robocalls will be a benefit.
“The goal of robocalls is to make as many calls as possible to target victims and make a profit from it, but as security researchers, if we can add hurdles in their step, then sometimes the cost isn’t worth it for the attacker,” said Pandit.
]]>The new School, announced Sept. 15, burnishes the Georgia Institute of Technology's No, 1 ranking in undergraduate cybersecurity programs by U.S. News. & World Report and will bring together cybersecurity researchers from across campus to focus on protecting personal privacy and national security. Faculty from the School of Public Policy and the Sam Nunn School of International Affairs are among the School’s inaugural key scholars.
“Solving tomorrow’s toughest cybersecurity problems will require not only a thorough understanding of the technologies and threats involved,” said Ivan Allen College Dean Kaye Husbands Fealing. “It also will require deep expertise in behavioral and policy considerations that must increasingly inform the development and use of new cybersecurity approaches and technologies.”
“By drawing on Georgia Tech’s globally respected expertise in the technology and policy arenas, the School of Cybersecurity and Privacy will extend our leadership in this area with exactly the kind of innovative, interdisciplinary, human-centered thinking and research we need to advance socially responsible and technically practical solutions to these critical issues.”
The school builds on the Institute’s — and Ivan Allen College’s — deep expertise in cybersecurity issues. More than 500 researchers from across campus work on the issue. U.S. News and World Report ranks Georgia Tech No. 1 in undergraduate cybersecurity education.
Within Ivan Allen College, the School of Public Policy offers the Master of Science in Cybersecurity with a specialization in policy as well as the Online Master of Science in Cybersecurity with a policy focus. The school offers courses in issues such as information security policies and strategies; privacy, technology, policy, and law; and the internet and public policy.
“As the current director of the policy track in Georgia Tech’s Master of Science in Cybersecurity, I see the new School as a strengthening of our growing capabilities in cybersecurity research and education,” said Milton Mueller, professor in the School of Public Policy and co-founder and director of the Internet Governance Project.
“The new SCP recognizes the cybersecurity field as an intersection of public policy, international relations, computer science and management. My own research on the relationship between security and Internet governance will be greatly enhanced by the interdisciplinary approach.”
Faculty from the Nunn School also are noted experts in cybersecurity related issues. The school teaches courses as part of the cybersecurity degree program including data analytics and security. The school also offers a Master of Science in International Security that includes cyberwarfare as one potential focus for students to explore.
“I’m excited to be affiliated with the new School to further build bridges across the Institute in approaching these complex problems,” said Associate Professor Margaret E. Kosal. “Putting policy and social science at the forefront of the School is critical. Purely technical approaches aren’t going to solve the current and emerging problems in cybersecurity. These are inherently global challenges.”
Regents Professor Seymour Goodman of the Nunn School and College of Computing, who has studied and written widely on cybersecurity issues, will also be affiliated with the new school.
“I came to Georgia Tech 20 years ago with a view that cybersecurity should be defined to include protection against a wide range of cyber-enabled risks and vulnerabilities that threaten a huge number of people and institutions,” Goodman said. “By bringing together so many of us working on these issues across Georgia Tech, SCP will be a boon for research in this field, as well as in the kind of innovative cross-disciplinary education we need to prepare the workforce of tomorrow to do this work.”
Other Ivan Allen College faculty who will do work in the school include Peter Brecke, a Nunn School associate professor and assistant dean of information technology, Associate Professor Jenna Jordan and Assistant Professor David Muchlinski from the Nunn School; Aaron Santesso, professor in the School of Literature, Media, and Communication; and Nadia Kostyuk, assistant professor in the School of Public Policy.
The School of Cybersecurity and Privacy will be led on an interim basis by Rich DeMillo (Ph.D. ’72), the Charlotte B. and Warren C. Chair of Computer Science and Professor of Management in the College of Computing.
The new school will launch a nationwide search this fall for multiple faculty members and for its founding permanent chair.
]]>The new School will build on Georgia Tech’s considerable investments in cybersecurity and privacy education and research. The Institute already has three cybersecurity degree programs. The School will weave them together with other important interdisciplinary programs.
“The new School of Cybersecurity and Privacy is a reflection of Georgia Tech’s strengths and commitment to serving the needs of our society and our state,” said Georgia Tech President Ángel Cabrera.
“Georgia Tech’s new School of Cybersecurity and Privacy will focus on applied research collaborations with the fast-growing cybersecurity industry in Georgia and meeting a critical workforce need,” Cabrera said. “It will bring together Georgia Tech’s expertise across disciplines to advance technology and find new solutions to protect our personal privacy and support our national security.”
There are more than 500 cybersecurity researchers spread across Georgia Tech who bring in more than $180 million in research awards annually. Georgia Tech’s faculty are ranked #2 in the world in publications in top security conferences.
The School of Cybersecurity and Privacy at Georgia Tech is the first School of its kind at a top university, drawing together faculty and researchers across various disciplines from practically all six colleges at Georgia Tech and the Georgia Tech Research Institute.
The new School will be intercollegiate and interdisciplinary because cybersecurity and privacy problems typically play out across multiple dimensions.
“Cybersecurity includes not only technology but the law, business processes, and cultural considerations,” said Charles Isbell, dean and John P. Imlay, Jr. chair of the College of Computing. “The School of Cybersecurity and Privacy will bring together thought leaders from all of those areas to push the envelope of technical innovation and produce the workforce of the future."
To that end, the School will bring in not only computer scientists and engineers but business experts and behaviorists.
“Solving tomorrow’s toughest cybersecurity problems will require not only a thorough understanding of the technologies and threats involved. It also will require deep expertise in behavioral and policy considerations that must increasingly inform the development and use of new cybersecurity approaches and technologies,” said Kaye Husbands Fealing, dean of the Ivan Allen College of Liberal Arts.
“By drawing on Georgia Tech’s globally respected expertise in the technology and policy arenas, the School of Cybersecurity and Privacy will extend our leadership in this area with exactly the kind of innovative, interdisciplinary, human-centered thinking and research we need to advance socially responsible and technically practical solutions to these critical issues.”
The solutions and the workforce produced by the new School will not only benefit business, but also protect every aspect of our online lives and our national infrastructure.
“Cybersecurity is not just a personal issue — our credit cards or identities quickly come to mind — but it has an even larger impact on national security, financial markets, even power grids,” said Provost and Executive Vice President for Academic Affairs Steve McLaughlin. “That is why the new School of Cybersecurity and Privacy is so important at this time. Cybersecurity, privacy, and related policies dominate the priorities of many organizations, and the need for advanced research and talent is outpacing supply. Georgia Tech is already a leader in this area the new School will take us to even greater heights and impact.”
The creation of the School has been welcomed by industry leaders in cybersecurity and privacy, both in Atlanta and nationwide. Atlanta in particular is a center of financial technology, an area that goes hand-in-hand with cybersecurity.
"Financial technology companies leverage technology and data to fuel innovation, which makes cybersecurity and privacy vital to their success”, said Ryan Graciano (B.S. Computer Science ’04), co-founder and chief technology officer of Credit Karma. “This means not only staying on the cutting-edge technologically but also building systems that work with multiple sets of privacy regulations in different jurisdictions. The School of Cybersecurity will be an essential resource for fintech companies in Atlanta and worldwide."
The new School will strengthen Atlanta’s tech economy, said Alan Taetle, general partner at the venture-capital firm Noro-Moseley Partners.
“The creation of a new School of Cybersecurity and Privacy will help the Atlanta tech ecosystem build on two of its greatest strengths: internet security and payment processing,” Taetle said. “Georgia Tech is a world-class university that creates world-class technology, and I expect the new school to both produce new companies and also provide vital support to existing ones both locally and nationally.”
Of course, financial companies are not the only ones to benefit from new cybersecurity and privacy technologies.
“Consumer demands for digital service are transforming business, forcing new innovations in cloud infrastructure and other areas for businesses to compete or remain relevant. Every one of these innovations must be accompanied by new cybersecurity technologies and policies in order to keep both corporations and consumers safe,“ said Tony Spinelli, chief information officer for Urban One, Inc. and former chief information officer for Capital One. “The School of Cybersecurity and Privacy, in other words, is addressing a vast and growing demand from all sectors of the modern digital economy.”
The School of Cybersecurity and Privacy will be led by interim chair Rich DeMillo (Ph.D. 72), the Charlotte B. and Warren C. Chair of Computer Science and Professor of Management. DeMillo has previously served as the founder and executive director of Georgia Tech’s Center for 21st Century Universities, and as the dean of the College of Computing. He is the author of more than 100 articles, books, and patents, and is a fellow of the Association for the Advancement of Science and the Association of Computing Machinery. Prior to arriving at the Institute, DeMillo served as Hewlett-Packard’s first chief technology officer.
“Its roots are in computer science and engineering, mathematics, public policy, and national security, but the last twenty years has seen the birth of cybersecurity as a profession in its own right,” DeMillo said. “I am pleased that the Institute recognized this shift by launching an academic unit that will be home to a new generation of scholars. Building that culture will be challenging, but we will be judged by the success of our people and our ability to meet the growing demand for Georgia Tech-caliber experts with unique skills.”
The new School will launch a nationwide search this fall for multiple faculty members and for its founding chair. For more information about the school, please visit its website.
]]>All of Tech’s engineering programs remained in the top five for universities offering the discipline, with the H. Milton Stewart School of Industrial and Systems Engineering and the undergraduate civil engineering program at the top. Tech’s undergraduate programs in aerospace, biomedical, chemical, and mechanical engineering were all ranked No. 2 in their respective fields. Electrical, environmental, and materials engineering each ranked No. 4, and computer engineering ranked No. 5.
The College of Engineering remains ranked No. 4 for best undergraduate engineering disciplines overall.
New this year was the ranking for computer science programs. Georgia Tech’s cybersecurity program ranked No. 1, and software engineering ranked No. 2 among national universities. The computer science program ranked No. 5 overall in a tie with California Institute of Technology, Cornell, Princeton, University of Illinois Urbana-Champaign and the University of Washington.
“Thanks to our outstanding students, faculty, and staff, leaders in higher education continue to recognize Georgia Tech as one of the leading public research universities in the U.S.," said Ángel Cabrera, president of Georgia Tech. “I am also delighted the Institute is listed among the nation's most innovative schools — a fitting recognition of our efforts to enrich the student experience and expand access to working professionals through our innovative online graduate programs.”
The Scheller College of Business climbed three spots this year to No. 19 in a tie with the University of Illinois Urbana-Champaign; University of Maryland, College Park; University of Minnesota Twin Cities; and the University of Washington. Three of Scheller’s specialty programs ranked in the top five, with both management information systems and business analytics at No. 3, and quantitative analysis at No. 4.
This is the 36th year that U.S. News has released their Best College rankings. Georgia Tech was among 1,452 U.S. bachelor's degree-granting institutions ranked on 17 indicators, including student-faculty ratio, the average federal loan debt of graduates, tuition and financial aid policies, student body demographics, and campus life.
Overall, Georgia Tech ranked No. 8 in the best public university category, along with the University of California, Irvine and the University of California San Diego. Tech ranked No. 35 among top national universities, which includes public and private institutions, in a tie with Boston College; University of California, Irvine; and University of California San Diego.
Other highlights for the Institute this year included being ranked No. 3 for Co-op/Internship Programs, No. 4 for Most Innovative national university, No. 11 for Undergraduate Research/Creative Projects, and tying for No. 15 in Best for Veterans (University of California, Irvine and University of California San Diego).
Tech Reports Record Amount in Research Awards
Georgia Tech is also making major strides in its research activities. Tech’s academic colleges recently recorded a total of $53.3 million in research and sponsored activities for July 2020, making it the highest month of award dollars in 10 years. The amount is an increase of $16.6 million from the same period in 2019. The total number of awards increased from 210 in July 2019 to 285 in July 2020 in academic units. The College of Engineering received 111 awards in July 2020. The College of Design notably had 45 more awards than in July 2019.
]]>
Institute Communications
]]>“I am honored to be named to this study committee. Because so much of modern life occurs online, encryption is a uniquely important tool for protecting privacy and cybersecurity. Evolving technology means that nations, including adversaries of the United States, are constantly seeking new ways to break encryption. This multi-disciplinary study will seek to prepare for the most important technical and policy scenarios for encryption in the next two decades,” said Swire.
Professor Swire, Elizabeth and Thomas Holder Chair and Professor of Law and Ethics at Scheller College has both government and academic experience in the area of encryption. In 1999, while he was the chief counselor for privacy in the U.S. Office of Management and Budget, he chaired the White House Working Group on Encryption when the government enabled the export of strong encryption, to provide greater security and privacy on the Internet. In 2012, he published “Encryption and Globalization,” which coined the term the “golden age of surveillance,” in contrast to assertions by some in government that encryption was causing intelligence agencies to “go dark.” He has testified before the Senate on encryption issues, and in 2013 he was a member of the Director of National Intelligence’s Review Group on Intelligence and Communications Technology when it made policy recommendations on encryption.
]]>Georgia Tech has begun using NOVID, an exposure notification app that will help students, staff, and faculty be anonymously notified if they have potentially been exposed to Covid-19. Use of the app is voluntary, and it is available at no cost to members of the Georgia Tech community. A link to information about the app is available from the COVID Central portal: (covidcentral.gatech.edu).
Developed by researchers at Carnegie Mellon University, NOVID captures no personally identifiable information from people using it. Instead, smartphones running the app exchange synthetic codes with other smartphones that are nearby for more than a brief period of time. If the owner of one of the phones tests positive for the virus, they can notify other app users with whom they have been in contact without identifying themselves or sharing any personal information.
That rapid notification can facilitate early testing, slowing spread of the virus from infected individuals who may not be showing symptoms yet – or who may be asymptomatic.
Manual contact tracing will continue to be done by the Georgia Department of Public Health with support from Georgia Tech. Contact tracing makes initial rapid notifications of close contacts in the Georgia Tech community based on information gathered from the individual who tests positive. For contact tracing purposes, a close contact is defined as anyone who, for 15 minutes or more, was within 6 feet of the person who tested positive, anyone who had physical contact with the person, or anyone who was coughed or sneezed on by the person.
In a large community, exposure notification apps can fill in the gaps by finding individuals who might have been close enough to be exposed to the virus but not known to the individual with a positive test result. These could include, for instance, someone working nearby in a makerspace or lab – or working out on nearby equipment at the gym.
“Manual contact tracing has been proven over time to be extremely useful for tracking all of the contacts that you know about,” said Alexa Harter, director of the Georgia Tech Research Institute’s (GTRI) Cybersecurity, Information Protection, and Hardware Evaluation Research (CIPHER) Lab. “An exposure notification app is useful when you are in contact with someone you don’t know. It’s very good at the kinds of interactions that manual contract tracing doesn’t do as well.”
Installed on an iOS or Android smartphone, the app exchanges information with other phones also running the app. It records a frequently changing code to other devices so they can be alerted if necessary, but without sharing any personally identifiable information. Pairs of code interactions are stored on the NOVID server for a limited period of time.
On a college campus, faculty, staff, and students may walk past hundreds of people on sidewalks and hallways, but those brief encounters are not used for exposure notification because evidence suggests that such interactions have a very low risk of disease transmission.
NOVID leverages a combination of ultrasound and Bluetooth technology to note other devices that are within 6 feet, and only if they remain that close for 15 minutes or more. By briefly using the device’s microphone and measuring the time sound takes to travel, ultrasound can accurately measure the distance between devices. The benefit of this combined method is avoiding false positives that would be generated from Bluetooth alone, such as contacts that may be on the other side of a wall – nearby, but not creating a risk of exposure.
If a student receives a positive Covid-19 test at Stamps Health Services, they will be given a one-time code that they can enter into the app, which will send a notification to other phones the app has recorded as potential exposures. Community members who have received positive tests elsewhere on campus or off campus are required, as part of public health regulations, to report their positive Covid-19 status to Stamps Health Services. They will receive an app notification code at that time.
Persons being warned through NOVID of a potential exposure will be encouraged to isolate themselves, monitor for symptoms, and be tested for the virus. The app will provide directions for how to contact relevant campus services when alerting a user that they have potentially been exposed.
Researchers from the GTRI CIPHER Lab’s Software Assurance Branch have evaluated NOVID for privacy protections to make sure it doesn’t record personal information that could identify users – and for cybersecurity issues to make sure it protects the device. “They found it was not collecting anything it shouldn’t be collecting or transmitting anything it shouldn’t be transmitting,” said Harter.
When launched for the first time, the app will ask users of iOS phones to give it permission to use the device’s microphone. That allows the ultrasound system to determine distance from other phones. The GTRI researchers found that the app did not store or transmit sound received via the device's microphone, and did not send sound via the device's speaker other than what is necessary for detecting potential contacts. On iOS devices, the app must be operating in standby mode to detect contacts.
Android users will be asked to allow the app to access location information. That’s necessary to use the device’s Bluetooth radio, which is part of the distance-finding process.
Because NOVID sends out signals only intermittently, it has minimal effect on battery life. Battery usage is slightly higher on Android than iOS because of Android's background mode.
The effectiveness of exposure notification apps grows with the percentage of community members using it. The app can also be helpful to smaller groups, such as fraternities or sororities that may be able to encourage a high percentage of members to use it.
“The more members of the Georgia Tech community that are using this, the more effective it will be in helping us stop the spread of infection,” said Jon Duke, director of Georgia Tech’s Center for Health Analytics and Informatics who led adoption of the software with Harter. “Addressing the pandemic will take a community-wide effort involving testing, wearing masks, maintaining distance from others, and frequent handwashing. NOVID is another part of that effort.”
As of Aug. 17, more than 2,000 users had joined the Georgia Tech NOVID community.
NOVID can be downloaded from Apple’s App Store or Android’s Google Play Store. Georgia Tech staff, faculty and students should enter the community code JACKETS on the NOVID settings page to join the Georgia Tech NOVID community. Additional information about using the system is available at covidcentral.gatech.edu.
Research News
Georgia Institute of Technology
177 North Avenue
Atlanta, Georgia 30332-0181 USA
Media Relations Contact: John Toon (404-894-6986) (jtoon@gatech.edu).
Writer: John Toon
]]>Research News
(404) 894-6986
]]>Unlike other heap exploitation techniques that require considerable effort from the researcher, ArcHeap can autonomously explore the system.
“Many heap exploitation techniques have been discovered by researchers; however, this task always relies on manual efforts,” said School of Computer Science (SCS) Ph.D. student Insu Yun. “We wanted to automate this process.”
[RELATED CONTENT: Team IDs Real-world Vulnerabilities In Popular Browser During Premier Hackathon]
Heap exploitation techniques
Heap is dynamically allocated memory, or memory that’s size is determined during program execution. Heap allocators manage it efficiently, yet they are also very susceptible to attack.
Exploitation techniques abuse underlying heap allocator mechanisms to exploit vulnerabilities. Popular systems software is plagued by heap-related vulnerabilities. Microsoft said heap vulnerabilities led to more than half of their security problems in 2017. Heap vulnerability attacks have also been seen in popular software such as WhatsApp, VMware, and Eximail in 2019.
Since each exploit is specific to the allocator, previous research was specialized and manually done. This created a barrier to understanding security issues with various heap allocators and led to even more attacks.
How ArcHeap works
ArcHeap introduces operations and attack capabilities to see if these trigger an exploitation. The approach is comparable to fuzzing, an automatic software testing technique that inputs random data to expose vulnerabilities.
“We found that fuzzing is very useful for finding software vulnerabilities, so we extended this idea into discovering heap exploitation techniques,” Yun said. “However, classical fuzzing cannot be naively applied to this new problem, so ArcHeap employs several new ideas.”
The researchers determined heap allocators share common design components that allowed them to abstract enough so that the tool can be applied to any allocator. ArcHeap also synthesizes its finding as it moves through the allocator to reduce redundancies.
ArcHeap’s findings
Researchers evaluated ArcHeap on 11 allocators and found five new exploitation techniques in Linux's default allocator, ptmalloc2. Despite decades of research in this area, ArcHeap successfully discovered heap exploitation techniques in ptmalloc2.
“Our results show that their manual security analysis was insufficient to cover a large space of heap exploitation techniques,” Yun said. “As a result of this insufficient manual testing, these allocators were actually not secure as their claims.”
They also found vulnerabilities in seven of the 10 other popular allocators.
Although right now ArcHeap can determine if a heap allocator is vulnerable or not, the researchers hope to put a quantitative value on that security in the future.
They presented the research in the paper, Automatic Techniques to Systematically Discover New Heap Exploitation Primitives, at Usenix’s 29th Security Symposium from August 12 to 14. Yun co-wrote the paper with SCS Associate Professor Taesoo Kim and Facebook’s Dhaval Kapil.
]]>
By turning the compromised equipment on or off to artificially increase or decrease power demand, botnets made up of these energy-consuming devices might help an unscrupulous energy supplier or retailer (electric utility) alter prices to create a business advantage, or give a nation-state a way to remotely harm the economy of another country by causing financial damage to its electricity market. If done within the bounds of normal power demand variation, such an attack would be difficult to detect, the researchers said.
“If an attacker can slightly affect electricity market prices in their favor, it would be like knowing today what’s going to happen in tomorrow’s stock market,” said Tohid Shekari, a graduate research assistant in the School of Electrical and Computer Engineering at the Georgia Institute of Technology. “If the manipulation stays within a certain range, it would be stealthy and difficult to differentiate from a typical load forecasting error.”
Believed to be the first proposed energy market manipulation cyberattack, the operation would depend on botnets composed of thousands of appliances that could be controlled centrally by attackers who had taken over their Internet of Things (IoT) controllers. Malicious actors have already demonstrated IoT botnet attacks such as Mirai, which used a network of compromised internet-connected cameras and routers to launch attacks on key internet infrastructure.
The attack, dubbed “IoT Skimmer,” would be made possible by the deregulation of energy markets, which has created a system to efficiently supply electrical power. To meet the demand for electrical energy, utility companies must predict future demand and purchase power from the day-ahead wholesale energy market at competitive prices. If the predictions turn out to be wrong, the utilities may have to pay more or less for the energy they need to meet the demands of their customers by participating in the real-time market, which has more volatile prices in general. Creating erroneous demand data to manipulate forecasts could be profitable to the suppliers selling energy to meet the unexpected demand, or the retailers or utilities buying cheaper energy from the real-time market.
The researchers weren’t able to determine whether such an attack might have already taken place because IoT devices – beyond being insecure – also lack the kind of monitoring that would be necessary to detect such hijacking. But they used real data sets from two of the largest U.S. energy markets – New York and California – to evaluate the feasibility of their proposed attack.
“We did a lot of simulation and mathematical analysis to show that this kind of transfer could occur,” said Raheem Beyah, the Motorola Foundation Professor in the School of Electrical and Computer Engineering who is also Georgia Tech’s vice president for Interdisciplinary Research and co-founder of the company Fortiphyd Logic. “We also did a feasibility analysis of the supporting areas to show that this would be possible from various perspectives.”
The researchers assume that such botnets already exist, and that attackers could simply rent their use on the dark web. More than 20 million smart thermostats already exist in the North American market, and they are connected to at least one high-wattage device – a heating and air-conditioning system that could be controlled by attackers on an intermittent basis.
“If you consider all of the smart thermostats and internet-connected electric ovens, water heaters, and electric vehicle chargers that are already in use, there are plenty of devices to be compromised,” Shekari said. “Homeowners would likely never notice if the EV charger turns on when electricity demand is highest, or if the air conditioning cools a little more than they expected when they are not home.”
To counter the potential attack, researchers suggest both detection and prevention steps. Through integrated monitoring of the normal power use of high-wattage IoT-connected devices, unexpected peaks or valleys in power consumption triggered by an attacker could be detected. And access to data on expected energy demand – which is now made available publicly – could be restricted to those who actually need it.
The primary factor that makes this attack possible is the detailed online data sharing of electricity market information, which is usually updated every five minutes.
“This energy demand information is really a data privacy issue, and we need to think long and hard about the balance between transparency and security,” Beyah said. “There’s always a tension there, but limiting the amount of detail could make it more difficult for attackers who want to hide their manipulations to know what the normal variations are.”
The potential attack highlights the need for considering cybersecurity threats in technology areas where they had perhaps never been possible before.
“This is an interesting intersection between the IoT security world and energy markets,” said Beyah. “Right now, it seems that there is a large gap between the two worlds. Our point is that there are implications for combining IoT technology and high-wattage devices that can compromise markets in ways we would never have thought of before.”
The presentation, “IoT Skimmer: Energy Market Manipulation Through High-Wattage IoT Botnets,” will be presented on Wednesday, Aug. 5, at 2:30 p.m. as part of the Black Hat USA 2020 conference.
Research News
Georgia Institute of Technology
177 North Avenue
Atlanta, Georgia 30332-0181 USA
Media Relations Contact: John Toon (404-894-6986) (jtoon@gatech.edu)
Writer: John Toon
]]>Research News
(404) 894-6986
]]>Boldyreva, who is a professor and associate chair in the School of Computer Science, wrote the single-author winning paper, Threshold Signatures, Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-Group Signature Scheme, in 2003 as a Ph.D. student at the University of California San Diego.
“My advisor had to convince me to write the paper because I thought the results were too simple to deserve a publication,” Boldyreva said. “Of course, back then I would have never believed that the paper would do so well.”
Her new multi-user digital signature schemes were simpler and more efficient than existing schemes at the time. One of the most useful was a multisignature that allows a number of users to jointly digitally sign the same message while keeping the final signature as short and computationally efficient as a single signature. In effect, the length of the multisignature doesn’t grow as more users sign.
Secure networking protocols as well as blockchains and cryptocurrencies commonly rely on efficient multi-user signatures. Yet, at the same time, the schemes Boldyreva created are still simple enough that introductory cryptography courses teach them.
Boldyreva gave a five-minute presentation on the paper at this year’s virtually held PKC.
“Now, I’m certain that simplicity is a big advantage as long as the result is useful or interesting.”
]]>
To ensure Americans can find the most accurate information, College of Computing researchers are creating machine-learning (ML) and data science tools to help fact-checkers be more efficient.
The Disinformation Dilemma
Although having high-quality news is important any time, the ever-changing nature of COVID-19 makes it even more vital that users have access to vetted information. Many Americans receive their news from social media, where rumors can be shared as much as memes.
“Rumors, hoaxes, fake cures, bioweapon claims, and disinformation campaigns about COVID-19 are prevalent on social media,” said School of Computational Science and Engineering Assistant Professor Srijan Kumar. “These induce anger, anxiety, and stress in readers, and in many cases, have even led to fatalities, such as hydroxychloroquine overdose.”
Newsroom fact-checkers are at forefront of fighting against false information, but manually verifying every fact is time-consuming at best and nearly impossible in the age of COVID-19. So Kumar and School of Computer Science Professor Mustque Ahamad are building data-driven, secure solutions for fact checking.
A Next-Generation Solution
Kumar and Ahamad are a well-matched team. In his past cybersecurity research, Ahamad has worked with professional fact-checkers to determine what they need to complete their work at news organizations. Kumar, for his part, has been building ML and data-driven tools to detect disinformation. COVID-19 seemed like a natural pairing for the two.
“Together, we started collaborating to build the next generation of data-driven and security-minded solutions for effective fact checking,” Kumar said.
Their solution is to do early detection of disinformation before it even gets to the fact-checkers. With this in mind, they plan to develop ML techniques to remove deliberately misleading information from the news.
Their ML models will be able to learn the difference between true versus false information with only a few training data points.
“Our models will triage the cases that are most likely to be false in order of their impact on the readers,” Kumar said.
The models will also be customizable to the individual fact-checker’s topical, geographical, and language preferences. As the project develops, Kumar and Ahamad will collaborate with professional fact-checkers to ensure the models are effective throughout the research.
“Our framework will bring together a one-stop-shop for group of fact checkers to collaboratively identify false information,” Kumar said. “This information can then be shipped to appropriate stakeholders, so that the readers can be appropriately alerted when they view it and the hoaxes can be removed from social media circulation.”
For more coverage of Georgia Tech’s response to the coronavirus pandemic, please visit our Responding to COVID-19 page.
]]>Their boyfriend starts showing up at the apartment all the time, whether you know he is coming or not. Sometimes, he’s even there when your roommate isn’t. He has a key to the front door, and helps himself to what’s in the fridge. All of a sudden, you essentially have a new roommate that you never approved and don’t know a whole lot about.
Sure, it’s annoying, but consider some of the bigger implications: Shared resources are becoming vulnerable to people outside of the intended group of users. Privacy is being compromised by one member of the group who is practicing poor security behavior. There is a disconnect amongst members of the group about what should and should not be acceptable. As the world becomes more computing intensive, this type of behavior has even larger implications in the context of technology.
New research by members of Georgia Tech’s School of Interactive Computing has found that existing technical controls for shared digital resources fall short in facilitating collaborative governance and decision making. The paper, which was accepted and awarded a Best Paper Honorable Mention at the 2020 CHI Conference on Human Factors in Computing Systems, examines why they fall short and offers guidance on ways to improve them.
“The idea here is that as computing infiltrates more and more of our social lives, we are lacking in ability for groups of people to come together and collaboratively think about the access control policies, the threat models we share, and decide together,” said Sauvik Das, an assistant professor in the school and the lead on the research. “What’s a fair way to control access to this resource?”
To examine these factors, Das and his team – which includes co-authors Hue Watson, Eyitemi Moju-Igbene, and Akanksha Kumari – spoke with a number of types of groups about their behaviors and processes. Roommates, long-term friends, work colleagues – any group of 3-5 people that is socially connected for about 3-6 months. They looked at the resources that they collectively own and share that they would rather not have people outside of the group have access to – a smart fridge, a conference room, or a Google Doc, for example – and asked the threat models they each had.
“What are they afraid of?” Das said. “Who might they be against having access? How do they jointly come up with strategies? What conversations do they have about security and privacy? How does that impact their behaviors inside and outside of the group setting?”
They also had subjects fill out a diary to probe deeper individually – has something come up about security and privacy since they spoke as a group? What are the pain points and emergent threats on a day-to-day basis?
The research uncovered that the existing controls for digital resources drop the ball.
“They’re all designed under the understanding that people either don’t care enough or that only one person should handle the privacy,” Das said. “Most of these strategies were socially construed, but implicit because technical controls didn’t allow them to do it differently.”
One conclusion Das reached is that there need to be tools of shared governance, a tangible way for each member of the group to engage constructively with the shared privacy structure.
“What it looks like now is sort of a dictatorship,” Das explained. “Or, it can be egalitarian where anybody can adjust anything, and that causes problems too. There’s nuance of how different groups would like to control different resources. People are concerned about outsider threats, the types of information you share with people within your group, and with the reliability of people within the group to practice good behavior.
“We need a simple, fun, and easy way for people to come together and approach security and privacy as a group.”
]]>Communications Officer
]]>The goal is to supply a broad initiative by the governor’s office involving multiple universities and partners to rapidly produce and administer more tests. At least 35 volunteers at Georgia Tech, while adhering to social distancing, are reorienting labs normally used for scientific discovery to do larger-scale production of biochemical components.
“We are inventing new ways of doing things like an electronic buddy system so people can be alone – but not alone – while they work in the lab. The technical part is actually the easiest. The logistics of testing, data security, and regulatory considerations – those things are more challenging,” said Loren Williams, a professor in Georgia Tech’s School of Chemistry and Biochemistry.
Williams and the researchers are supporting Georgia Governor Brian Kemp’s COVID-19 State Lab Surge Capacity Task Force, which is a project managed through the Georgia Tech Research Institute (GTRI). GTRI is also leading the coordination and integration of data management across the lab surge effort.
“We are providing technical and project management of the effort which is focused on increasing the state’s ability to expand testing beyond current limitations,” said Mike Shannon, GTRI’s lead in the project and a principal research engineer at GTRI.
The science behind coronavirus testing is complementary to the researchers’ usual work. That includes understanding proteins associated with glaucoma, figuring out how RNA and DNA evolved in the first place, or whether ribosomes – lumps of RNA and protein key to translating genetic code into life – may exist on exoplanets.
Williams’ research team studies the last topic, and some of their work is related to the core of coronavirus testing, a chemical reaction that amplifies the virus’ genetic fingerprint. It is called a reverse transcription polymerase chain reaction (RT-PCR), and it transcribes trace amounts of coronavirus’ RNA code into ample amounts of corresponding DNA in the lab for easy analysis.
“His lab members are very familiar with RT-PCR, and when the lack of tests became apparent, they swung into action. The group grew from there, based on the technical needs for the project,” said Raquel Lieberman, another leading scientist in the effort and also a professor in Georgia Tech’s School of Chemistry and Biochemistry.
“Every day, very talented, hardworking people with perfect skill sets come out of the woodwork and ask to help,” Williams said.
The group has teams that engineer the production of enzymes or other chemicals needed for RT-PCR to work: Two central enzymes are reverse transcriptase, which converts RNA to DNA and Taq polymerase, which rapidly replicates DNA. Another important component is ribonuclease inhibitor, which slows coronavirus RNA decay.
Other researchers develop processes for mass production or implementation of COVID-19 safety procedures; the list goes on. Some colleagues telework; others work in labs but spaced far from each other while they wear masks.
“The group is planning to produce enough enzyme components for hundreds of tests per day,” said Vinayah Agarwal, an assistant professor in Georgia Tech’s School of Chemistry and Biochemistry and School of Biological Sciences. “Using these components, we will also build cheaper and more robust testing kits going forward.”
Instructions already exist for some of the ingredients for the test, but they are not readily available because the rights to them are exclusive.
“Intellectual property and other proprietary issues hinder our effort,” Lieberman said. “But we have received help from scientists all over the world to piece together protocols on how to make what we need.”
The state wants to increase current testing capacities by 3,000 more tests per day. The task force also includes teams from Augusta University Health System, Georgia State University, Emory University, University of Georgia, and the Georgia Public Health Laboratory. The task force lead is Captain Kevin Caspary who is with the Georgia National Guard.
Raw footage and images as press handouts for journalists. (No commercial or personal use):
https://www.dropbox.com/sh/f2wc2i74lz1lffl/AADLJ8dQnZMr4uEDxAiIMusoa?dl=0
Also read this: Interactive COVID-19 tool shows the importance of staying at home
External News Coverage:
NPR - Sun Rays, Disinfectants And False Hopes: Misinformation Litters The Road To Reopening
News-Medical.Net - Georgia Tech researchers create key components for COVID-19 tests
Georgia Tech News Center- A New Normal: Researchers Across Georgia Tech Rally to Fight COVID-19
Here's how to subscribe to our free science and technology email newsletter
Writer & Media Representative: Ben Brumfield (404-272-2780), email: ben.brumfield@comm.gatech.edu
Georgia Institute of Technology
]]>That goal received support April 10 with an announcement by Google and Apple that they are collaborating on standards and tools to make it easier for software developers to build apps that can help fight the pandemic.
For the past month, a team of researchers at the Georgia Tech Research Institute (GTRI) has been working with a community-driven open source project on a “privacy first” open-source app that can take advantage of these tools to do something known as “contact tracing.” Contact tracing software, running on smartphones of persons who’ve chosen to participate, records the kind of person-to-person interactions that have the potential for transmitting contagious illnesses. If any of the other participants the user has interacted with becomes ill and chooses to share information about their symptoms, the software then alerts the impacted user anonymously. During this process, all shared information remains completely anonymous – to other users, to the government, to technology companies, and even to the database that makes the exposure matching possible.
Individuals notified of a potential exposure could then receive information and guidance about steps they might take, including suggestions to get tested for COVID-19, to self-quarantine, or to closely monitor for symptoms. The notification would be one part of a larger effort to control virus clusters before they become outbreaks. To be most successful, a software-based contact tracing system will have to be coupled with broad-based testing able to quickly determine who’s infected with the virus.
Similar approaches have proven effective in countries such as Singapore and South Korea, though these systems have weaker privacy guarantees in place. A key feature of this new approach is that it would not exchange or publish any personally identifiable information and does not disclose any information at all unless someone voluntarily chooses to share their symptoms or diagnosis. This approach accomplishes this using Bluetooth signal strength to assess proximity rather than GPS data, which is difficult to anonymize and could be used to identify individual users based on frequently visited locations.
“We really need a better early warning network to guard against the re-emergence of COVID-19 in the general population,” said J. True Merrill, a GTRI senior research scientist who is working on the project. “In the early part of this outbreak, COVID-19 was spreading easily across the United States without an early warning of it. After the current shelter-in-place period is over, we are going to need tools to help people determine when they need to self-quarantine in order to stop outbreaks before they can grow.”
Manual contact tracing to identify who’s been infected has long been part of public health strategies to contain serious communicable diseases, but the speed at which COVID-19 has spread outpaced traditional methods, said Alexa Harter, director of GTRI’s Cybersecurity, Information Protection, and Hardware Evaluation Research Laboratory.
Privacy First, for the Common Good
“Smartphone contact tracing is a way of using technology to automate and augment some of the techniques that public health agencies have used,” she said. “Technology can enable us to do this, but for people in the United States to adopt it, privacy will really have to be locked down. Everything we’re doing in this project aims at providing privacy first. Manual contact tracing is still critically important, but digital contact tracing and alerting can significantly assist these efforts.”
Beyond protecting privacy, large-scale adoption of smartphone contact tracing will need a social component that appeals to supporting the common good.
“To be successful, we’ll need to turn participation in this into a socially good thing, perhaps like the Ice Bucket Challenge,” Merrill said. “We’ll need people to voluntarily opt-in, and to get that, users would need to have full knowledge and control over where their data is stored and with whom they choose to share it.”
An Open-Source Global Effort
GTRI researchers are working with an open source community-driven project known as CoEpi (which stands for Community Epidemiology in Action), which envisions an app of the same name that could be installed on phones running Apple’s iOS or Google’s Android systems. CoEpi focuses on anonymous symptom sharing and alerting to stop the spread of transmissible illnesses like COVID-19.
Other organizations are also working on contact tracing apps, and these organizations have recently joined together to form the TCN Coalition to support privacy-preserving digital contact tracing protocols to flatten the curve and stop the spread of COVID-19 while reopening the economy. TCN, the core component of the effort, stands for “temporary contact number,” which is an anonymous number generated to privately record interactions between mobile devices without allowing the devices themselves (or their users) to be tracked.
The TCN Coalition developed a common, shared protocol so that all of the different apps in the entire digital contact tracing network can cross-communicate, no matter which app is used. The TCN Coalition also developed a "Digital Contact Tracing Bill of Rights" that outlines requirements to minimize data collection, restricts what can be done with the collected data, and establishes security guidelines to protect civil liberties.
The Path Forward, Group Benefits
“A symptom-sharing app such as CoEpi would allow us to relax stay-at-home orders so that we can increasingly return to work and public spaces, while providing a way for individuals to get early alerts about potential exposures to symptoms,” said Dana Lewis, one of the founders of CoEpi. “CoEpi can provide early detection of exposure risks for individuals, and an early warning system for the communities they interact in to detect and slow the transmission of illness like COVID-19, influenza, and even the common cold.”
Convincing a hundred million U.S. citizens to install a new app on their phones could be a significant challenge, but the CoEpi focus on symptom sharing and alerting could yield benefits to smaller groups even before being widely adopted.
“The good thing about this is that it could help protect small groups without needing the buy-in of the whole population,” said Harter. “An example would be a retirement community that is largely self-contained. If someone there got sick, it would be important to alert everybody that person had interacted with so they could self-quarantine and protect other people in the community.”
Other groups might include organizations performing critical services, such as factories, warehouses, or package delivery companies. “If you had a group where people really needed to work together, you could get early alerts to stop outbreaks from happening,” she said. It could also be used among small clusters of high-risk individuals and their family and friends, or at universities and schools as they emerge from self-isolation.
How Contact Tracing Would Work
The contact tracing component of the system would work something like this.
Each user opting into the service would install an app that would generate personal keys – long strings of letters and numbers unique to that specific smartphone, which are in turn used to generate randomized temporary contact numbers. The phones of users opting in would then communicate those temporary numbers with each other when they were nearby, using low-energy Bluetooth, a short-distance protocol widely used on mobile devices. Signal strength could provide a measure of how close the phones are to assess the risk of virus transmission when those people crossed paths.
“The idea is to log close interactions,” said Michael Brown, a GTRI research scientist who is the Georgia Tech technical lead of the project. “We’ll want to eliminate as many false positives as possible. For example, it’s highly unlikely that person-to-person transmission would occur across a large room.” For each interaction, the system could also record the duration of proximity, another factor in assessing potential risk.
Each phone would periodically generate new anonymous unique keys, and use those to generate new temporary contact numbers each time it crossed paths with another phone running similar apps. It would record those keys in a database that would be kept on the phone for a short period of time determined by the incubation period of the virus.
If a CoEpi user developed symptoms, they would share their symptoms in their app. In future versions, the CoEpi developers envision that the sick user would be presented with a series of options such as anonymously notifying public health authorities. For now, the symptoms are sent to the CoEpi system, which would add the anonymous key and symptom report from the sick user’s phone.
Each user’s phone would periodically download the list of keys associated with known symptom reports and check the temporary numbers generated by those keys against those of the phones it had been near. A match between each phone’s database and the numbers generated from the server’s key list would generate a notification of the exposure, and the app would then help the user decide whether the match likely represented a real exposure, and if so, decide what to do: self-quarantine, be tested, and/or notify public health authorities.
“Everyone would be pinged when they get tied to a known case, but only over a time range that really could have created a risk of transmission,” Merrill said. “There would be no identification information exchanged between the phones or the phones and the server.”
Other Potential Epidemiological Uses
Beyond advice on illness and notification of potential contacts, the system could also generate anonymized epidemiological information useful to researchers tracking pandemics. Users of the system would decide if they want to opt into the database and share their anonymized information with public health authorities.
“The CoEpi project will help provide earlier detection and testing of potential cases, and that information would be helpful for our predictive models,” said Pinar Keskinocak, who is William W. George Chair and Professor in Georgia Tech’s H. Milton Stewart School of Industrial and Systems Engineering.
Beyond programming support, GTRI will assist the effort through security analysis and potentially testing in its Atlanta facilities, Brown said. The testing will need to include many different environments and handset types, including multiple variations in operating systems.
The GTRI researchers have been racing to help CoEpi roll out software for beta and on-site testing, which should occur over the next several weeks. “The time line for this is super aggressive,” Harter said. “There is an urgency to this because we know it will be very useful in helping people stop social distancing, return to work and school, and try to get back to a more normal life.”
If you're interested in helping CoEpi as a mobile developer who can help at #WeAreNotWaiting speed (e.g. today or this week), please reach out to CoEpi: https://forms.gle/MLeKz9nerPvX8fwC8
Similarly, individuals who are interested in becoming early testers of CoEpi can sign up via the same form: https://forms.gle/MLeKz9nerPvX8fwC8.
Research News
Georgia Institute of Technology
177 North Avenue
Atlanta, Georgia 30332-0181 USA
Media Relations Contact: John Toon (404-894-6986) (jtoon@gatech.edu).
Writer: John Toon
]]>Research News
(404) 894-6986
]]>Unlike traditional competitive peer-reviewed grant processes, the “Small Bets” initiative will make awards randomly from among interdisciplinary proposals that meet basic qualifications. As much as $2 million will be provided by the Office of the Executive Vice President for Research to teams interested in taking first steps toward solving the world’s most intractable problems.
“Small Bets is intended to seed the first steps of problem-solving that will change the world,” said Robert Butera, Georgia Tech’s vice president for research development and operations. “Through this, we hope to foster new collaborations and new activities without institutional or implicit bias toward any specific programs or initiatives. This is intentionally independent of efforts we already have to support strategic efforts in emerging high-profile areas.”
As traditional federal funding has become more competitive, it has become more difficult for researchers to find support for high-risk projects even if they have a high return, he noted.
“This program will be an experiment, our bet is that Georgia Tech researchers can provide the key to addressing our biggest local, national and global issues,” Butera said. “We want to challenge researchers to dream about what is possible and propose solutions that other funding sources might consider too risky. This is also the first year of an annual effort, and our focus next year will be to provide fewer but larger awards that support more ambitious team-based efforts.”
Each proposal must have at least two eligible principal investigators (PIs), and faculty members can be a PI or co-PI on only one proposal. Proposals with a PI from the Georgia Tech Research Institute (GTRI) must have a non-GTRI PI. Otherwise, any pairing of two or more PIs will be eligible.
The initiative will consider proposals from three categories: (1) GTRI Collaborations, which require at least one PI from GTRI and one PI from outside GTRI; (2) Broad Interdisciplinary Collaborations, which require at least one PI from the College of Computing, College of Sciences or College of Engineering and one from the Ivan Allen College, College of Design or Scheller College of Business, and (3) Open Pool, which is open to all proposals regardless of the affiliation of the PIs.
Proposals will be pre-screened for eligibility and program requirements. Following eligibility screening, a randomly selected ordered list will be created of all eligible projects. Each selected project will be matched to an available funding pool until funds are fully allocated. Proposals satisfying the criteria for more than one funding pool will therefore have increased chances of being funded because they can draw on more than one source of support.
Applications for Small Bets funding are due by March 13, and awards will be announced in April. Additional information, FAQs and the application are available at http://research.gatech.edu/gt-community/funding-opportunities/gt-annual-seed-grant An online form will be made available.
Georgia Tech will be hosting two public forums designed to help faculty members learn more about the program and develop collaborations. The events will consist of a public information session, Q&A session, and collaboration teaming event.
The first event, to be held at the GTRI Conference Center (250 14th Street, N.W.) on March 2 from 4 to 6 p.m., will focus on building collaborations between GTRI and academic researchers. The second, to be held at the Dalney Building Meeting Room (926 Dalney Street, N.W.) on March 3 from 11 a.m. to 1 p.m., will focus on building broadly interdisciplinary interaction among faculty from the humanities and social sciences with faculty from the STEM disciplines and GTRI.
Additional information will be made available on the seed program website.
Research News
Georgia Institute of Technology
177 North Avenue
Atlanta, Georgia 30332-0181 USA
Media Relations Contact: John Toon (404-894-6986) (jtoon@gatech.edu).
]]>
Research News
(404) 894-6986
]]>