NISlectures is a free monthly event addressing current issues in information security. The lectures are streamed live (the online stream can be joined from approximately 10 minutes before the lecture starts). After each lecture, a recording will be made available online (see individual lectures). Some of the lectures have also been made available as hyper interactive presentations (HIP). For more information on the series of NISlectures please contact Head of IIK Nils Kalstad Svendsen (firstname.lastname@example.org).
The NTNU digital security section (DS) and Security Operations Centre (SOC) was officially established 1.1.2017 and is the largest security section in academic Norway. Since being established, DS has been actively working on improving cyber and information security at the university. DS is primarily working in two domains, operative security and security management. The section also has a leading role in establishing the information security management system (ISMS) at NTNU. This talk will present the section and how it contributes to making the university a more secure environment for all. Furthermore, we will provide a picture of the operational capacity for cybersecurity of NTNU SOC, including the technology choices and the roadmap of building a scalable sensor network. Based on the operational capability, the talk will also provide some insight into the current risks and trends that NTNU is facing in the cyber domain. Finally, we will present how the digital security section is cooperating with academia and possible venues for further collaboration.
About the Speaker: Christoffer Hallstensen has a Bachelor's and a Master's degree in information security from NTNU Gjøvik, specializing in digital forensics. He is currently working as a senior security analyst at the NTNU Digital Security Section in Gjøvik, where he is the team leader for the security operations center (SOC). Academically he is affiliated with the NTNU Digital Forensics research group, where he wrote his master's thesis about intrusion detection and situational awareness. He has previously worked as a security consultant for Gjøvik University College and NTNU before the establishment of the digital security section.
Gaute Wangen has a Bachelor's, a Master's and a Ph.D. degree in information security from NTNU Gjøvik. He is currently working as a senior adviser at the NTNU Digital Security Section at Gjøvik, where he conducts, researches, and teaches information security risk assessments. He has previously worked as a special adviser on information security in healthcare, working with governance and risk management. Gaute is a Certified Information Systems Auditor (CISA).
Biometric recognition refers to the automated recognition of individuals based on their physiological and behavioral characteristics such as fingerprint, face, iris, and voice. The first scientific paper on automated fingerprint matching was published by Mitchell Trauring in the journal Nature in 1963, which led to the first Automatic Fingerprint Identification Systems (AFIS) in the late 1970s for law enforcement and forensic agencies. Since then, biometrics has mushroomed, from large-scale national ID programs (India’s Aadhaar with 1.2 billion enrolment) to mobile phone unlock and payment. While state-of-the-art biometric systems can accurately recognize individuals based on biometric trait(s) acquired from cooperative users under controlled conditions, one of the foremost challenges is the design of algorithms for recognizing an uncooperative person under unconstrained imaging conditions (e.g., fingerprints at crime scenes and faces in a surveillance video). In addition, we need guidance on fundamental issues such as distinctiveness and persistence of biometric traits. There are larger issues such as usability, template security, spoof attacks, privacy, searching billions of identities, and biometrics for social good that need solutions.
About the Speaker: Anil Jain is a distinguished professor of Computer Science at Michigan State University. He is a Fellow of the ACM and IEEE and is a recipient of Guggenheim, Humboldt, Fulbright, and King-Sun Fu awards. He served as editor-in-chief of the IEEE Transactions on Pattern Analysis and Machine Intelligence and was a member of the United States Defense Science Board, Forensic Science Standards Board and AAAS latent fingerprint study. Jain is a member of the U.S. National Academy of Engineering and the Indian National Academy of Engineering.
NISlecture 2018/3 (23.02.2017, 12.15-13.00 in K105)
Title: Forensic face recognition, how pattern recognition can support the forensic examiner
Speaker: Raymond Veldhuis, Chris Zeinstra, University of Twente, Netherlands
This presentation is about a part of the PhD work of Chris Zeinstra. We will show how properly designed classifiers can support the task of a forensic examiner to compare the images of two faces. We will pay attention to a semi-automatic method to compare facial marks and to how the result can be expressed in a likelihood ratio in order to quantify the evidential value. In addition, we will illustrate to what extent forensic facial comparison is different from biometric facial comparison as used in, for instance, access control.
About the Speaker: Raymond Veldhuis graduated from The University of Twente, The Netherlands in 1981. From 1982 until 1992 he worked as a researcher at Philips Research Laboratories in Eindhoven in various areas of digital signal processing. In 1988 he received the PhD degree from Nijmegen University on a thesis entitled Adaptive Restoration of Lost Samples in Discrete-Time Signals and Digital Images. From 1992 until 2001 he worked at the IPO (Institute of Perception Research) Eindhoven in the field of speech processing. Raymond Veldhuis is now a full professor in Biometric Pattern recognition at The University of Twente, where he is leading a research team in this field. The main research topics are face recognition (2D and 3D), fingerprint recognition, vascular pattern recognition, multibiometric fusion, and biometric template protection. The research is both applied and fundamental.
NISlecture 2018/4 (23.03.2017, 12.15-13.00 in D201)
Title: Crossed Off Our Bucket List: Reverse Engineering Malware Protected by a Custom Virtual Machine
In 2016, FireEye Labs identified a new zero-day exploit targeting users in the Middle East. While our colleagues hurried to identify and patch the vulnerability (CVE-2016-4117, Adobe Flash code execution), we studied the final payload. In doing so, we achieved a goal on every reverse engineer's bucket list: to reverse engineer malware protected by a custom virtual machine.
In this presentation, we'll share our experience in dealing with malware protected with virtualized code. It's a fun story, as we learned a new (unique) architecture, developed disassemblers, emulators, and debuggers for the bytecode, and a translator that re-writes the logic into an x86 PE file. We'll show you how we built up a suite of tools and techniques that made quicker work of this challenging sample. You'll leave having learned plenty of bit-level details, collected a strategy of attack, and possibly having picked up a new "I want to try this just once..." goal.
While we are happy to distribute our scripts, we do not plan on advertising newly released general-purpose tools for devirtualizing such malware. Instead, we teach how we tackled the malware from initial triage to complete binary reconstruction. This way, the audience will leave knowing which techniques can pay great dividends and what follies to avoid, since we already went down this rabbit hole.
Why this is cool:
As malware reverse engineers, we enjoy a good challenge and the thrill of defeating obfuscations. Custom virtualized obfuscation is one of the most difficult challenges that we encounter. We don't always see these types of obfuscations or have the time to dive into them. On our bucket list was to perform an in-depth analysis of one. We enjoyed this challenge and are excited to share our experiences dealing with an implementation of a custom virtualized obfuscator.
About the Speaker: William Ballenthin is a Senior Staff Reverse Engineer on FireEye's FLARE team. He enjoys researching novel investigative techniques for incident responders. Recently, William has researched function similarity metrics, implemented file system drivers, and reverse engineered Android malware. Prior to eight years at Mandiant & FireEye, he graduated from Columbia University with a degree in Computer Science.