1/2018

Keep your feet on the ground when you go to the cloud

Billy Brumley develops information security, hardware-assisted security and cryptography. What worries him most is how quickly people are willing to give up their privacy and leave their data unprotected.

Internet safety

 

The biggest security threat is how people use their web browsers, Billy Brumley says.

 

WHO: Assistant Professor (tenure track) Billy Brumley, 36 years

  • Born in: Plano, Texas, USA
  • Education: D.Sc. (Tech.), 2012, Aalto University
  • Career: Staff Engineer, Qualcomm Technologies Inc., 2012-2014; Researcher, Aalto University, 2006-2012
  • Lives in: Pispala, Tampere
  • Family: Daughter (7 years)
  • Hobbies: Fishing, Rubik's cube
 

Many of us may have sighed with relief when the attacks against Intel processors publicized in January turned out not to be targeted at private users. Assistant Professor (tenure track) Billy Brumley sees further than this.

“In my opinion, Spectre and Meltdown, even more generally microarchitecture attacks that exploit low-level processor features, pose the most threat to Cloud providers with Infrastructure as a Service (IaaS). With the model that multiple server stacks execute on the same physical hardware, one evil instance executing in parallel to legitimate instances can allow exfiltration of security-sensitive data. So I feel the first-order threat to a person, their personal computer, or mobile device is limited. But the second-order threats – your data in the cloud – are real,” says Brumley.

Up until 2013, security and cryptography researchers, practitioners, and hobbyists were considered the "tin foil hat" people with their surveillance conspiracy theories. That all changed with the Snowden revelations.

“It turned out that not only are these conspiracy theories correct, but the situation is far worse. Browsers communicate securely with servers in the public Internet but, for example, the traffic in Google cloud, meaning our emails, documents and maps, is unencrypted and therefore easily accessible.”

Brumley’s rule of thumb is not to put anything in the cloud that you wouldn't want to be publicly accessible on the Internet.

Your phone is not yours

Our security perception these days is different. When we bought computers in the 80s and 90s, we felt like we owned them and everything in them. With IoT, this model no longer applies.

“For example, you don't own your phone. The System-on-Chip (SoC) manufacturer owns part of it. The phone vendor owns part of it. The OS vendor owns part of it. Your mobile service provider owns part of it. So lots of folks have their fingers in the pie, and the consumer has little control over most of that.”

So what can a consumer control? According to Brumley, the biggest threat is how people use their web browsers. We are willingly loading other people's code and applications when we navigate to a website. Some of them are created with malicious intent. We are putting our data at risk if we blindly click ‘Allow’.

“Pay attention to what links you're following to avoid phishing. Look for padlocks in your browser's address bar to protect sensitive data. Read and carefully consider the prompts your browser presents to you,” lists Brumley.

Hardware and network security

Brumley is part of the Network and Information Security Group (NISEC) established in 1996. NISEC’s high-level expertise covers information security, network security, embedded / IoT security, hardware-assisted security, and cryptography. Significant infrastructure support provided by TUT has recently helped NISEC expand its research capabilities.

Brumley’s area of expertise is Side-Channel Analysis (SCA), which studies how cryptography implementations leak sensitive information through their execution characteristics, as in microarchitecture attacks.

“We also analyze other signals such as power consumption and electromagnetic radiation. Right now, we're performing SCA on various hardware security tokens, and on the microarchitecture side exploiting vulnerabilities in popular cryptographic software libraries.”

Finnish education for father and daughter

Billy Brumley

 

Billy Brumley is currently a Visiting Professor at Stellenbosch University, South Africa. He is teaching part of an Applied Discrete Mathematics course at the Department of Mathematical Sciences.

 

Brumley had a comfortable industry position working in product security in the USA, when Professors Jarmo Harju and Tommi Mikkonen offered him a tenure track position in the Laboratory of Pervasive Computing at TUT in 2014.

Finland was not unfamiliar to Brumley, as he has even described himself as a product of the Finnish higher education system.

“I was an MSc student at San Diego State University, California, when I decided to study cryptography and security in Helsinki for a semester in 2004, and stayed for eight years! I transferred over my coursework, and went on to complete my M.Sc. (Tech.), L.Sc. (Tech.), and D.Sc. (Tech.).”

Brumley says that it was a big decision to leave the USA behind, but he had good reasons to continue his career in Finland.

“I wanted to give back to Finnish society that invested eight years to educate me. And my daughter, who is half American and half Finnish, was four at the time, and sooner or later I wanted her to benefit from the Finnish education system, as I have. She started school last fall.”

Text: Kati Vastamäki
Photos: 123rf and Kaisa Niskanen

 