SUMIT_2019

Date

Tuesday, October 29, 2019 - 9 a.m.

The 15th annual SUMIT cybersecurity conference took place on Tuesday, October 29. The Security at University of Michigan IT (SUMIT) is the university’s flagship event for National Cybersecurity Awareness Month, and an exciting opportunity to hear recognized experts discuss the latest technical, legal, policy, and operational trends, threats, and tools in cybersecurity and privacy. SUMIT_2019 explored diverse topics in privacy and security research and operations.

SUMIT_2019 was hosted by the Information and Technology Services Information Assurance group and co-sponsored by Dissonance and ESC: The Center for Ethics, Society, and Computing.

Check out the Twitter moments from SUMIT 2019.

Speakers

Denise Anthony

Professor, Health Management and Policy, University of Michigan

Socio-Technical Aspects of Smart and Embedded Cameras: Implications for Privacy and Security

Video recording of Denise Anthony's presentation.

Presenter Bio: Denise Anthony, Ph.D., a sociologist, is Professor of Health Management & Policy in the School of Public Health, and in the Department of Sociology (by courtesy), at the University of Michigan.

Professor Anthony’s work explores issues of cooperation, trust and privacy in a variety of settings, from health care delivery to micro-credit borrowing groups to online groups such as Wikipedia and Prosper.com. She is also interested in the role of organizations and institutions in health care delivery. Her current work examines the use of information technology in health care, including effects on quality, on the organization of health care, as well as the implications for the privacy and security of protected health information. Her multi-disciplinary research has been funded by grants from the National Science Foundation and others, and published in sociology as well as in health policy and computer science journals, including among others the American Sociological Review, Social Science and Medicine, Journal of the American Medical Informatics Association, Health Affairs, and IEEE Pervasive Computing.

Prior to joining the University of Michigan in 2018, she was Professor and past-Chair (2007-11) in the Department of Sociology at Dartmouth College, and Adjunct Professor in the Department of Community and Family Medicine at Geisel School of Medicine, and a faculty affiliate at The Dartmouth Institute for Health Policy and Clinical Practice. From 2014-17 she served as Vice Provost for Academic Initiatives at Dartmouth. From 2008-2013 she served as Research Director of the Institute for Security, Technology, and Society (ISTS) at Dartmouth.


Dawn Isabel

Security Researcher

Adventures in Apple Watch Jailbreaking

Jailbreaking seems mysterious and borderline magical from the outside. What does it take to create a jailbreak using publicly-available exploits and open-source projects? Is it possible to start with very little exploit development experience and end with a functional jailbreak?

As it turns out, it is possible! This talk will provide an overview of constructing a jailbreak for Apple’s watchOS using public exploit and jailbreak code originally written for iOS. The audience will leave with an understanding of the trial-and-error process – and some entertaining mistakes – that resulted in a developer jailbreak suitable for use in further research.

Topics discussed will include selecting hardware and OS targets, key concepts required to port code from 64-bit iOS to 32-bit watchOS, and lessons learned from failed exploit attempts.

Video recording of Dawn Isabel's presentation.

Presenter Bio: Dawn Isabel is a Security Researcher, specializing in mobile application security. She enjoys automating the boring stuff and documenting everything else. Dawn has presented at DefendCon, Bugcrowd’s LevelUp, WiCyS, Converge Detroit, and OWASP AppSec.


Abhishek Narula

Graduate Student, MFA Program, Stamps School of Art & Design, University of Michigan

It's a feature, not a bug

The first documented act of hacking goes back to 1909. Marconi, while demoing the future of communication through radio, had his signals hijacked by a trickster. Bugs, glitches and failures are an integral part of any system. In this talk, I will explore how I explore the ontology of networked digital media through aesthetic practices. Critical media practices view the exploit of these bugs as an external aberration that a hacker can use for their intended purpose. These exploits, although carried out with the intention of changing the systems in some fundamental way, remain bound within the system itself. Furthermore, these inherent inconsistencies in digital media, much like Derrida’s notion of language, are precisely what allow it to function normally. My work is not a result of an outside force of hacking but rather key properties that allow these systems to operate as expected. These are features, not bugs.

Video recording of Abhishek Narula's presentation.

Presenter Bio: Abhishek was born in New Delhi, India and moved to Atlanta, GA to pursue his BS in Electrical Engineering and MS in Artificial Intelligence at Georgia Institute of Technology. He studied and applied intelligent control and machine learning to create smart robotic systems. His work as an IT technical consultant for 5 years, integrating networks and systems for business use, led him to Silicon Valley where he became an active member of Noisebridge Hackerspace. Abhishek got involved in the maker movement and worked at a DIY electronics company. He began to explore the space between the intersection of art and technology and started his own studio practice. His practice is rooted in education and he has taught electronics, digital fabrication and computer science at the University of Colorado, Boulder. Abhishek then worked at The Field Museum of Natural History in Chicago, where he was the lead interactive exhibitions designer and fabricator.

Abhishek’s interest in critical theory and philosophical examination has informed his research-based studio practice. His work manifests in the form of interactive installations, performances and interventions. These serve to explore and reveal hidden forms of subjugation created as a result of our modern networked world. Abhishek is an avid DIYer, electronics junkie and an honorary board member of the Open Source Hardware Association (OSHWA). He prefers the term ‘Hacker’ to ‘Maker’. His work has been showcased at the Boulder Museum of Contemporary Art, The Boulder Public Library, The Boulder Creative Collective Warehouse, The Hyde Park Art Center, and Sector 2337 Art Gallery & Printing Press. Abhishek has presented at conferences including Tangible Embedded Interaction (TEI), International Symposium of Electronic Arts (ISEA) and Infosys Pathfinders Institute.


Mansi Thakar (@mansimusa)

Security Specialist, Stanford Federal Credit Union & Chief Operating Officer for the Women's Society of Cyberjutsu (WSC)

CyberSecure - Learn the rules of the game

There are a few key groups in the game of CyberSecure. The attackers, who can come in any shape or form, often veiled behind the cloak of the dark web. The victims, the everyday users that can be anyone from my grandma to an entire nation state. Last but not least, the defenders. Who is a defender? It’s all those who work in InfoSec but it’s not just them. It’s you. It’s me. This talk will go over key trends in attacks and how we must leverage the defender in you and me in order to protect. Users are referred to as the "weakest links" but together we can become "the strongest."

Video recording of Mansi Thakar's presentation.

Presenter Bio: Mansi Thakar is a graduate of the University of San Diego's Cybersecurity Operations & Leadership program and serves as a security specialist with Stanford Federal Credit Union. Prior to starting her current position she was at Sony PlayStation, serving as a key member to their Global Vulnerability Management and Security Awareness programs. Thakar is also a leader of nonprofits in the cybersecurity industry that promote diversity such as Women's Society of Cyberjutsu (WSC) and InfoSec Unlocked (ISUnlocked).

Thakar has a flair for sustainable innovative ideas and a history of implementing them successfully. To Thakar, cybersecurity is a field where you can be a digital superhero. But when you’re a modern-day tech protector facing millions of malware threats, you need backup. That is why she is drawn to the space where cybersecurity meets machine learning. Thakar wants to help shape how we meet the growing magnitude of cyber threats through data and automation. This challenge energizes her – the same way she is energized by the challenge of being one of the few women in the Boardroom, even though it is sometimes difficult. She knows that what she achieves can have a ripple effect and inspire others. She also plays a Lead role in the PBS Documentary, Life Hackers and spends her summers protecting the "most hostile network on the planet" as a DEFCON NOC Goon.


Dana Turjeman

Doctoral Candidate in Marketing, Ross School of Business, University of Michigan

When The Data Are Out: Measuring Behavioral Changes Following a Data Breach

In recent years, the severity and quantity of data breaches have increased. Despite this, little is known about the social and behavioural effects of such breaches. Specifically – do users change their behaviour on a website, following an announcement of a severe data breach? Do they have varying reactions? What are the sources for this heterogeneity?

Our data includes detailed behaviour of ~40K members of a matchmaking website for affair seekers[1]. This website experienced a severe data breach. We extend several non-parametric causal inference methods, and construct a tree-based matching-prediction method. We use this method to assess individual changes in users’ engagement on the website.

Our results suggest that, on average, users decreased the number of messages and searches on the website, and deleted more photos. Individual estimates reveal heterogeneity in user responses. For example, married users had more extreme reactions.

The paper presents a general method to obtain individual measures of changes in behaviour following disclosure of an exogenous information shock; in this case, a major data breach, and discusses reasons for heterogeneity in the reactions to this data breach.

[1] We received the anonymized data directly from, and in agreement with, the company.

Author information:
Dana Turjeman; Doctoral Candidate in Marketing, Ross School of Business, University of Michigan, Ann Arbor, Michigan 48109
Fred M. Feinberg; Joseph Handleman Professor of Marketing and Professor of Statistics, Ross School of Business, University of Michigan, Ann Arbor, Michigan 48109

Video recording of Dana Turjeman's presentation.

Presenter Bio: Dana Turjeman is a PhD Candidate in Quantitative Marketing at the Ross School of Business, University of Michigan. In her research, she focuses on the intersection between privacy and customer behavior. She uses and develops quantitative methods, in the domains of causal inference, machine learning and statistical modeling, in order to answer substantive questions in these topics, and to help users make better decisions to protect their privacy. Prior to the doctoral program, Dana earned a BSc in Computer Science and an MBA (with honors) at the Hebrew University of Jerusalem.