Morning Keynote by Dr. Kun Sun
On Enhancing Security of Password-based Authentication
Passwords have remained the dominant authentication scheme for more than 30 years and cannot be fully replaced in the foreseeable future. However, password authentication has long been plagued by many security and usability drawbacks, mainly due to the limitations of human memory. We present two research projects that focus on the security of password authentication and its ecosystem. First, we observe that personal information plays an important role when a user creates a password. Motivated by this, we conduct a study of how users create passwords from their personal information, based on a leaked password dataset. We then develop a novel password cracker, named personal-PCFG, that leverages personal information for password cracking. Second, we investigate an overlooked aspect of the password lifecycle: the password recovery procedure. We study the possibility of mounting an email-based account recovery attack. We examine the account authentication and recovery protocols of 239 traffic-heavy websites, confirming that most of them use email for account recovery. We further scrutinize the security policies of major email service providers and show that a significant portion of them make little or no effort to protect user email accounts. Finally, we propose a lightweight email security enhancement called Secure Email Account Recovery (SEAR) that defends against account recovery attacks by adding an extra layer of protection to account recovery emails.
Dr. Kun Sun is an associate professor in the Department of Information Sciences and Technology at George Mason University. He is also the director of the Sun Security Laboratory. He received his Ph.D. in Computer Science from North Carolina State University in 2006. Before joining GMU, he was an assistant professor at the College of William and Mary. His research focuses on systems and network security. Dr. Sun has more than 15 years of working experience in both industry and academia and has published over 70 conference and journal papers. His current research focuses on trustworthy computing environments, moving target defense, software security, mobile security, and password management. His homepage is http://csis.gmu.edu/ksun/
Afternoon Keynote by Dr. Krishna Venkatasubramanian
Biometrics and Vulnerable Populations
One of the most important technological developments in recent years has been the proliferation of sensing modalities around us. One consequence of this has been a rapid increase in the number of solutions available to identify people using biometrics (i.e., based on the physical, behavioral, and physiological traits of a person). My research has been focused on bringing biometrics to bear in helping some of the most vulnerable populations in our society. To this end, in this talk I will present some of my new work on developing zero-effort authentication solutions for people with motor disabilities. Further, I will also talk about using notions from biometrics to detect deliberate non-adherence to biosensor-based monitoring regimes for people suffering from opioid use disorders.
Dr. Krishna Venkatasubramanian is an Assistant Professor in the Department of Computer Science at Worcester Polytechnic Institute (WPI) in Worcester, Massachusetts, USA. Prior to coming to WPI, he was a Post-Doctoral Researcher at the University of Pennsylvania, Philadelphia, Pennsylvania, USA. He received his Ph.D. in Computer Science from Arizona State University, Tempe, Arizona, USA. His research interests are in the areas of cyber-security, machine learning, wearable Internet-of-Things (wIoT), and assistive technologies, and in applying these technologies and methods to address real-world problems pertaining to some of the most vulnerable populations in our society. His research has been featured on CBS News, the Discovery Channel website, Clinical Innovations and Technology magazine, and IEEE Engineering in Medicine and Biology magazine. More information on his research activities can be found at https://kven.me/