Keep your feet on the ground when you go to the cloud
Billy Brumley develops information security, hardware-assisted security and cryptography. What worries him most is how quickly people are willing to give up their privacy and leave their data unprotected.
The biggest security threat is how people use their web browsers, Billy Brumley says.
WHO: Assistant Professor (tenure track) Billy Brumley, 36 years
- Born in: Plano, Texas, USA
- Education: D.Sc. (Tech.), 2012, Aalto University
- Career: Staff Engineer, Qualcomm Technologies Inc., 2012-2014; Researcher, Aalto University, 2006-2012
- Lives in: Pispala, Tampere
- Family: Daughter (7 years)
- Hobbies: Fishing, Rubik's cube
Many of us may have sighed with relief when the attacks against Intel processors publicized in January were not targeted to private users. Assistant Professor (tenure track) Billy Brumley sees further than this.
“In my opinion, Spectre and Meltdown, even more generally microarchitecture attacks that exploit low-level processor features, pose the most threat to Cloud providers with Infrastructure as a Service (IaaS). With the model that multiple server stacks execute on the same physical hardware, one evil instance executing in parallel to legitimate instances can allow exfiltration of security-sensitive data. So I feel the first-order threat to a person, their personal computer, or mobile device is limited. But the second-order threats – your data in the cloud – are real,” says Brumley.
Up until 2013, security and cryptography researchers, practitioners, and hobbyists were considered the "tin foil hat" people with their surveillance conspiracy theories. That all changed with the Snowden revelations.
“It turned out that not only are these conspiracy theories correct, but the situation is far worse. Browsers communicate securely with servers in the public Internet but, for example, the traffic in Google cloud, meaning our emails, documents and maps, is unencrypted and therefore easily accessible.
Brumley’s rule of thumb is not to put anything in the cloud that you wouldn't want to be publicly accessible on the Internet.
Your phone is not yours
Our security perception these days is different. When we bought computers in the 80s and 90s, we felt like we owned them and everything in them. With IoT, this model no longer applies.
“For example, you don't own your phone. The System-on-Chip (SoC) manufacturer owns part of it. The phone vendor owns part of it. The OS vendor owns part of it. Your mobile service provider owns part of it. So lots of folks have their fingers in the pie, and the consumer has little control over most of that.”
So what can a consumer control? According to Brumley, the biggest threat is how people use their web browsers. We are willingly loading other people's code and applications when we navigate to a website. Some of them are created with malicious intent. We are putting our data at risk if we blindly click ‘Allow’.
“Pay attention to what links you're following to avoid phishing. Look for padlocks in your browser's address bar to protect sensitive data. Read and carefully consider the prompts your browser presents to you,” lists Brumley.
Hardware and network security
Brumley is part of the Network and Information Security Group (NISEC) established in 1996. NISEC’s high-level expertise covers information security, network security, embedded / IoT security, hardware-assisted security, and cryptography. Significant infrastructure support provided by TUT has recently helped NISEC expand its research capabilities.
Brumley’s area of expertise is Side-Channel Analysis (SCA) that studies how cryptography implementations leak sensitive information through execution characteristics, such as microarchitecture attacks.
“We also analyze other signals such as power consumption and electromagnetic radiation. Right now, we're performing SCA on various hardware security tokens, and on the microarchitecture side exploiting vulnerabilities in popular cryptographic software libraries.”
Finnish education for father and daughter
Billy Brumley is currently a Visiting Professor at Stellenbosch University, South Africa. He is teaching part of an Applied Discrete Mathematics course at the Department of Mathematical Sciences.
Brumley had a comfortable industry position working in product security in the USA, when Professors Jarmo Harju and Tommi Mikkonen offered him a tenure track position in the Laboratory of Pervasive Computing at TUT in 2014.
Finland was not unfamiliar to Brumley, as he has even described himself as a product of the Finnish higher education system.
“I was a MSc student at San Diego State University, California, when I decided to study cryptography and security in Helsinki for a semester in 2004, and stayed for eight years! I transferred over my coursework, and went on to complete my M.Sc. (Tech.), L.Sc. (Tech.), and D.Sc. (Tech.).”
Brumley says that it was a big decision to leave the USA behind, but he had good reasons to continue his career in Finland.
“I wanted to give back to Finnish society that invested eight years to educate me. And my daughter, who is half American and half Finnish, was four at the time, and sooner or later I wanted her to benefit from the Finnish education system, as I have. She started school last fall.”