Category Archives: alumni

Joshua Cunningham (’25) Named to Knox News 40 Under 40

Joshua Cunningham (RMU ’25), a graduate of the Ph.D. in Information Systems and Communications program, has been named to the Knox News 40 Under 40 Class of 2025.

Josh is an IT Project Manager leading the United States’ largest multiprogram science and technology lab, Oak Ridge National Laboratory (ORNL). He notably led the project for ORNL’s first on-site quantum computer. In addition this cutting-edge IT work, Josh also has a diverse work history ranging from wildland firefigher to DJ and Iditarod reporter in Alaska. Read more about Josh and this award here.

We are excited to see Josh’s leadership and contributions recognized. Congrats, Josh!

Security Awareness Presentation by Proofpoint, sponsored by TSC

Leave a reply

Join the Top Secret Colonials (TSC) as we present Proofpoint‘s team with 3 TSC alumni, for a presentation on Security Awareness on Wednesday, March 2nd at 4:30pm in the Wheatley Atrium.

Colleen Gaffney, Corey Beynon, Sarah Pfabe, and Jake Pacari will be here to provide tips on security and discuss internships and full-time job opportunities with Proofpoint. Information on their presentation is listed below. Students who attend will receive 1-hour of SET credit. Pizza will be provided.

TODAY’S CYBER ATTACKS TARGET PEOPLE, NOT JUST TECHNOLOGY. And people are busy. They’re distracted. Sometimes they click the wrong things. Even your best people can open the wrong email, fall victim to fraud, and make the same digital mistakes we all make. People are your greatest business asset—and your weakest security and compliance link.

Join us in exploring the human centric side of cybersecurity! Phishing and social engineering are the starting point for 93% of all data breaches. Proofpoint’s Security Awareness Platform, combined with Managed Services, helps companies train users to be the first and last line of defense when it comes to cyber security. Learn from the leaders in email security on how to protect yourself in today’s threat landscape. Get a taste for the real-world threats that organizations face every day, and the different job opportunities around them.

Hope to see you all there.

Dr. Peter Draus Wins 2021 TRETC Innovation in Education Award

Leave a reply

Dr. Peter Draus was the recipient of the 2021 Three Rivers Educational Technology Conference (TRETC) Innovation in Education Award! The theme of this year’s TRETC Conference was Next Level EDTECH.

Dr. Draus was nominated for the award by an RMU student, Danielle Wicklund (’20), now a graduate of RMU, having earned her BS in Business Administration (Accounting) and MS in Cybersecurity and Information Assurance in December 2020 via RMU’s 4+1 program. Ms. Wicklund noted that “During this challenging semester, Dr. Draus went above and beyond his methods of teaching and made online learning interesting & enjoyable. Thus, I nominated him and submitted a letter of recommendation.”

The application for the award included a video that was produced by Ms. Wicklund and Dr. Draus. During the closing ceremony at the TRETC Conference on January 18, 2021, the video was showcased as Dr. Draus was announced as the recipient of the Professor – Innovation in Education Award. The video that was showcased can be viewed here:

Ms. Wicklund commented about the award, “Aside from acknowledging Dr. Draus’ mentorship skills, it also reflects the high caliber of professors at RMU (specifically in the Department of Computer and Information Systems and School of Informatics, Humanities, and Social Sciences). This award is for the Colonial nation. I am proud to be an RMU alum.”

Congratulations, Dr. Peter Draus, on this stellar accomplishment!

UPMC Presentation on Phishing, Security Operations, and Jobs

Leave a reply

Join TSC as they present Sarah Pfabe, TSC alumni and an information security analyst at UPMC to speak about the dangers of phishing and what organizations do to protect against it on Tuesday, November 5th at 4:30 pm in the Wheatley Atrium.  She will go through everything from what makes a phishing email, to the tools analysts use to examine and detonate malware.  An overview of working in a Security Operations Center and job opportunities at UPMC will also be a part of this presentation.  

Information about phishing: Phishing is one of the ways hackers attempt to gain access to your personal information via your computer or smartphone. These attacks often rely on the same basic strategy: to trick you into providing sensitive information such as usernames, passwords, and credit card details by making you think the request is coming from a trusted source such as your bank, credit card company, a colleague, or friend. No organization, large or small, is immune to the dangers that phishing emails present.

Students will receive 1 hour of SET credit. Pizza will be provided. 

RMU Grad Torrie McLaughlin is one of the New Faces of IBM Z

Leave a reply

IBM is producing a set of videos that are quick conversations with a new generation of coders and creators on the mainframe.  Watch RMU alumna Torrie McLaughlin, who works on the mainframe at a large financial institution, describe how COBOL is a key asset to her professional toolkit.

Hacking – Breaches and password dumps

Leave a reply

Call it what you want – hacking, cracking, a dump, a data breach, whatever.  The fact is that these events are becoming more and more common, and as IT professionals we need to know how to deal with the fallout.  There is a great visualization that illustrates this recent trend on informationisbeautiful.net.

Often, one of the results of these breaches are that the public gets some insight into the security protections that a company uses (or lack thereof).  In the case of the recent 000Webhost breach, we discovered that passwords for over 13 million of their customers were stored in plaintext; that is to say, with no protection whatsoever.

Also in recent news, users of the Ashley Madison service had a large amount of their information disclosed, including account details and password hashes.  The primary protection mechanism for password storage that was in use here is a technology called bcrypt (a very strong password protection mechanism – you can find more details here and here), however due to a legacy function that had numerous flaws (for all of the details, check out this blog post) some user passwords were also simplified and stored as MD5.  Due to how MD5 functions, hardware like GPUs and ASICs are able to be used to quickly and efficiently crack the passwords, and in this case they were then able to use information gathered from cracking the MD5 hashes to significantly speed up the attacks on bcrypt-stored passwords.

One of the major problems with password hashes getting dumped is that password reuse is a real problem, and without the use of a password safe (like LastPass, KeePass, 1Password, or more enterprise products such as CyberArk or ERPM) it’s not realistic to think that end users will ever fix this on their own.

There are numerous websites and password managers available where you can check if your password has been a part of a breach, where the companies behind those websites seek out and collect password dumps to perform password cracking on them.  Simulating the attacks that malicious individuals use in this way allows them to provide a security monitoring and alerting service to their customers.  Many companies with a significant web presence, including Facebook, Twitter, and LinkedIn, will also scour the Internet for dumps and attempt to crack the passwords, then compare the cracked passwords to the information they have stored for your account.  If they get a match, they can take steps to protect your account by doing things like expiring your sessions, forcing a password reset on your account, etc.

I recently developed a lab focused on how to perform these password cracking attacks for a local security group called Steel City InfoSec.  The lab is available here on my GitHub, and if you aren’t familiar with password cracking, I suggest trying out the Beginner lab.  That difficulty level includes additional details about how to complete the lab, including a hints area that contains explanations and commands to run for each the steps of password cracking.  There is also a recording of my presentation and my slides available (along with additional information on the Steel City InfoSec message boards) if you are interested in a bit more background.

If you’ve done this sort of thing before and want to experiment with different tools or just download a bunch of word lists, feel free to try out the Intermediate lab.  Specifically, take a look at the downloads readme file to get a clean listing of everything that I’ve provided as a part of the lab.

If you have a GPU cracking rig or a cluster of machines at your disposal, and you’ve done this sort of things a few times in the past, take a crack at the competition.  It’s important to note that with the competition you will need to be a bit more creative about how you create a word list than just using the dumps that I’ve provided, and GPUs/ASICs will not help you as much as if you were cracking something stored with MD5 or even SHA-256.  Also, please note that the competition prizes were for the Steel City InfoSec event is are no longer available.

While working on the lab, if you find anything that isn’t clear or may be incorrect, please feel free to reach out to me directly (via a GitHub issue or pull request) and I can either lend a hand or fix any bugs as appropriate.  In addition, I will be available on RMU campus on November 10th in the evening in Hale 304, presenting this material to Dr. Paullet’s class.

Jon Zeolla