All posts by David Crozier

Here’s why I voted to #Remain in the #EURef

I have been a floating voter up until this morning when I had to put my X on the ballot paper.

Over the past couple of weeks I have thought long and hard about the issues around bureaucracy, immigration, costs and benefits that come with being part of the EU.

Ultimately it comes down to how the EU has impacted me, my family and our future.

Growing up in the 80’s I am old enough to remember customs posts at the border crossings between Keady and Castleblaney and Middleton and Monaghan which created barriers to trade between North and South. The old customs yard where lorry loads of freight had to be checked still lies derelict at the Monaghan Road/Keady Road junction in Armagh.

I got my first break in the technology industry from Intel Corporation working at their Leixlip campus in Co. Kildare. They were an American company, attracted to Ireland for a number of reasons not least because it was within the EU and a beneficiary of huge structural funds which were being invested in new infrastructure and skills development there.

I was an economic immigrant, able to work in the Republic due to the free movement of workers within the EU at a time when career options were limited in Northern Ireland.

My second break was with a start-up company called Jinny Software, based in Dublin which was founded by another economic immigrant – a Lebanese man, from Beirut. He was welcomed with open arms into the growing tech sector in Dublin supported by and with access to the EU and its sizeable telecoms market, factors which encouraged him to move his business and family there.

The rapid improvement in peace and stability in Northern Ireland, supported by EU Peace funds, and the significant Foreign Direct Investments, again supported in part by EU Regional Development Funds, helped create significant numbers of new, high quality, well paying jobs which encouraged me to move home to Northern Ireland to further my career.

Moving forward to the present day the ECIT Institute in which I work was built using EU funds 13 years ago and today generates around one third of its income from collaborative EU Horizon 2020 and European Space Agency projects. One quarter is generated from commercial engagements with companies either based in or who generate significant revenue from the EU. Other work is supported via Invest NI with funds which ultimately come from the EU through its ERDF mechanisms. These are not handouts – they are hugely competitive research projects which we have secured by building consortia across the EU and through our research excellence, engineering capability and well articulated commercialisation strategies have beaten all-comers. Our staff are a mix of nationalities drawn from the UK, Ireland, Spain, Greece, Germany, Russia, India, China, Vietnam and many others.

From a cyber security perspective, UK police forces in addition to their colleagues from across the EU as part of Europol (The current Director is a UK national by the way) formed the European Cybercrime Centre (EC3) which commenced its activities in January 2013. Cyber crime respects no international borders. This Centre is there to keep you and me safe and catch bad guys online who would wish to do us all harm.

When I travel throughout Europe I can use my phone to make calls, text, email and use the internet for a paltry £3 per day. Probably less if I reviewed my mobile contract. I’m able to do this because the EU have forced the telecoms companies to stop ripping off their customers wishing to use roaming services.

This isn’t about high tech jobs or my pocket however. My salary and those of my colleagues help support additional jobs in the local community through our taxes and spending on goods and services.

Fiona and I simply couldn’t continue to work full-time without significant childcare for example. We help support jobs in the nursery who we entrust the care of Ethan and Lucas, and before them Jacob, to. The staff there are a mix of local and other nationalities. Again the free movement of workers across the EU ensures the nursery can get sufficient skilled nursery staff to keep my kids happy and safe during the day. We also support jobs in the morning and after schools clubs that care for Jacob outside of core primary school hours.

Jacob, Lucas and Ethan have had their fair share of healthcare – yet again the EU and immigration have helped. With nurses, doctors, consultants and auxiliary staff all helping to keep them healthy and well. Many new medications that they have taken during their short lives have been developed with support from the EU. We have had confidence that their food and milk has been safe due to rigorous health and safety standards imposed because we are part of the EU. One only has to look to the 2008 baby milk scandal where powder was adulterated with melamine to see how this can go horribly wrong when there is little oversight.

I have direct experience of working with a variety of EU-led and sponsored institutions both here and in Brussels. There is no doubt that the EU needs reformed. Notwithstanding, we can only do that if we stay in and not run away when things are getting tough.

This morning I cast my vote for remain.

The polling stations close at 10pm. Remember to cast yours.


Thoughts on the TalkTalk breach

With the recent TalkTalk security breach impacting potentially 4 million UK customers my phone was ringing off the hook from late on Thursday 22nd October. Regularly when a big cyber security story hits the front pages I get asked by the media for expert opinion given my role at Queen’s University Belfast’s Centre for Secure Information Technologies (CSIT) – the UK’s Innovation & Knowledge Centre (IKC) and lead academic research centre for cyber security.

As with all stories of this nature I pull together some media briefing in advance of going into the studio. Here is some of that which consumers and businesses might find useful:

Top five customer tips following the TalkTalk security breach are as follows:

  1. Whilst you may not be able to change your TalkTalk Account password just yet, there will be many customers who will have used the same password across multiple online services. You should change those right now. Note – this won’t protect bank account/credit card details already stolen.
  2. TalkTalk have said that “there is a chance” that customer Credit Card and Bank Account details have been compromised. All TalkTalk customers present – and past – should keep a close eye on those accounts for the coming weeks and months and report any suspicious activity to their bank or card issuer immediately – no matter how small. If the details get resold, as they are likely to, the criminals may carry out small transactions first to ensure the account details are legitimate before initiating larger money transfers or purchases.
  3. Enable multi-factor authentication, or 2-Step verification, on online services where available. Online services such as Google Mail offer this. For example, when logging in a code will be sent to your phone via text, voice call, or a mobile app as an additional login step. Or, if you have a Security Key, you can insert it into your computer’s USB port to complete authentication.
  4. Never disclose your username, password, bank account, or credit card details to anyone who phones or emails you unsolicited. Ever.
  5. Be particularly careful clicking on links in e-mails or opening e-mail attachments received from people you don’t know. Even when the emails look legitimate, ensure the sender’s email address and web links are to genuine sites. Fraudsters can easily register domain names that look very similar to legitimate ones. For example customerservice@talktalk.com looks like customerservice@taiktaik.com – swapping the l for an i.
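
The look-alike sender check from tip 5 can be automated on the receiving side. The following is an added example, not code from the original post: it assumes an allowlist containing the genuine domain from the tip, and the confusables table and the extra sample addresses are constructed for illustration.

```python
from email.utils import parseaddr

# Assumption: the organisation's genuine sending domain, taken from tip 5.
TRUSTED_DOMAINS = {"talktalk.com"}

# Constructed table of characters and sequences that read alike in many fonts.
SEQUENCES = (("rn", "m"), ("vv", "w"))
SINGLE = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o", "5": "s"})


def skeleton(domain: str) -> str:
    """Fold visually confusable characters so look-alike names compare equal."""
    folded = domain.lower().rstrip(".")
    for seq, repl in SEQUENCES:
        folded = folded.replace(seq, repl)
    return folded.translate(SINGLE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a From address."""
    _local, at, domain = parseaddr(address)[1].rpartition("@")
    domain = domain.lower().rstrip(".")
    if not at or not domain:
        return "unknown"
    # Exact match or a subdomain of a trusted domain.
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return "trusted"
    # Same skeleton (distance 0) or one character added, dropped or changed.
    for t in trusted:
        if edit_distance(skeleton(domain), skeleton(t)) <= 1:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for sender in ("customerservice@talktalk.com",
                   "customerservice@taiktaik.com",
                   "news@example.org"):
        print(sender, "->", classify_sender(sender))
```

A mail filter would quarantine or flag "lookalike" results; "unknown" only means the domain is not on the allowlist, not that it is safe.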

Top five business tips for companies who trade on-line:

  1. Always ensure that customer records including passwords, credit card details and bank account numbers are stored securely using modern hashing algorithms, ideally with salting, and are encrypted. This way if the databases are stolen – the data is practically worthless.
  2. Enable multi-factor authentication on systems.
  3. Companies who are only now considering cyber security should sign up for the Cyber Essentials scheme. Cyber Essentials is a government-backed, industry supported scheme to help organisations protect themselves against common cyber attacks.
  4. Work closely with other organisations to share threat and attack intelligence and identify common patterns. Sign up to the Cyber-security Information Sharing Partnership (CiSP), part of CERT-UK, a joint industry government initiative to share cyber threat and vulnerability information in order to increase overall situational awareness of the cyber threat and therefore reduce the impact on UK business.
  5. If you haven’t got cyber security capability in-house then seek help. If you outsource your IT or web development make sure your suppliers are taking it seriously – get a third party company to audit them if necessary. Ultimately if your systems get hacked your customers will blame you.

Want to find out how you can secure systems and develop the next generation of cyber security technologies?


The featured image I have used for this post purposely features The Web Application Hackers Handbook for a reason. If the reports about this hack are correct, and I don’t wish to speculate until further hard facts come out, then a textbook SQL injection attack may have been used to gain access to customer data. Basic security housekeeping should have prevented this.

If you are interested in securing systems or researching new advanced cyber security technologies as a career we are actively recruiting new Cyber Security PhD students for the CSIT Centre for Doctoral Training (CDT) as well as full-time and part-time masters students for the industry informed CSIT MSc in Cyber Security at Queen’s University Belfast.

I have provided expert commentary on local and national media including:

There is still a long tail of media requests coming in as the story matures and more facts come out. If you need to get in touch with me my contact details are on the Centre for Secure Information Technologies website here.

Cyber security needs to consider both technology and human factors.

Cyber Security – Back to Basics

This week I finished the Open University’s “Introduction to Cyber Security” online course which is available through the FutureLearn platform.

Why, I hear you ask, am I going back to basics to learn about a subject in which I am already pretty well versed?

It is true that I have been exposed to cyber security principles and practice for almost 20 years by virtue of my primary degree in Computer Science, internship and subsequent career in both technical and non-technical roles. Heck I’ve even spent the last three years as Technical Marketing Manager of QUB’s Centre for Secure Information Technologies (CSIT), the UK’s Innovation & Knowledge Centre for Cyber Security, a role which sees me regularly speak to businesses and students and contribute to TV, radio and print media on the subject of technology vulnerabilities, threats and breaches. The role also involves bringing new cyber security technology, the output of much of our ground-breaking research, to market.

Why participate?

I participated in the 8 week long online course for three reasons:

  1. I’m big enough to admit that I don’t know it all – even in my own field of expertise there is always scope to learn new approaches and relearn concepts that I may have forgotten. This course offered me a chance to look at cyber security with fresh eyes.
  2. Working day to day in a research and innovation environment at the very bleeding edge of cyber security technology it is all too easy to forget how the person on the street views my area of expertise. This course allowed me the chance to step back from that edge, think about cyber security from an end user perspective and consider how our research and technology could be applied to solve the simple and mundane as well as grander challenges.
  3. Lastly, I wanted to kick the tyres on it. Prior to this course launching I had been asked by a number of organisations if we at CSIT could deliver similar entry level training. We had already delivered some internally to the wider QUB staff body and the question was whether or not we should package that up and produce an offering to business and community groups. I wanted to assess if the OU course would rule that effort worthless.

Did it pass muster?

In a word – yes.

The course surpassed my expectations to be honest. It wasn’t patronising; while it assumed no prior knowledge, it explored more complex aspects of cyber security, explaining them in an engaging way.

Those charged with information and cyber security in organisations and the wider world can often be seen as bad guys and girls in their own right. Blocking access to fun stuff on the internet and not allowing the latest whizzy consumer devices onto corporate networks without a satisfactory reason from an end-user stand-point. The first week explored the threat landscape in depth, explaining why cyber security matters to everyone and laid a solid foundation for the remaining seven weeks.

Over the last number of years many of the times I have been invited by the media to provide analysis on cyber security events have been due to password breaches.

It’s one of the reasons I’m so passionate about bringing our LIOPA lip biometric technology to market. Week two covers the whole gamut of authentication, even going so far as covering salting and hashing as well as multi-factor, which is thankfully becoming the norm for most online services.

One area where I disagree with the course is its highlighting of password manager applications as a solution to remembering multiple usernames and passwords. Personally I see them as a significant risk and prime target for cyber criminals. Hack those and you have the master key for an individual’s whole online life.

Weeks 3 and 4 cover Malware and Networking & Communications adequately but it was Week 5’s focus on Cryptography which drew my attention. It’s an area which we at CSIT carry out significant research in areas such as Post-Quantum Cryptography, Physical Uncloneable Functions (PUF)-PKI and Fully Homomorphic Encryption.

The practical application of PGP is taught through the use of Mailvelope, a plug-in for Google’s Chrome browser that uses an implementation of the Open PGP standard. This is welcome but it goes to show that straightforward ways for the man/woman in the street to use PGP to encrypt communications are still a little way off in terms of user experience.

As the family IT go-to guy, weeks 7 and 8’s coverage of what to do when things go wrong and managing risks is welcome. It’s also a timely reminder for everyone to fully consider their own vast stores of digital information, prioritising which bits are most important and putting in place a regular backup routine to protect against loss.

Have I changed how I think about my own cyber security after completing this course?

Absolutely. Will I tell you the changes I have implemented as a result? Absolutely not. Why make it easier for the cyber criminals? Individuals and organisations are under constant attack. It is a case of when and not if your cyber security defences will be probed and breached – why make it easy for them?

Wider lessons for going back to basics.

Sometimes subject matter experts can be a little reluctant to admit that they may not be across all the basics in terms of their field. Instead they baffle the uninitiated with the more advanced aspects of their product or service. Looking once again from an amateur’s perspective can be enlightening.

Participating in this course has also opened my eyes to interesting use cases for some of CSIT’s innovations.

While this course may close off opportunities for us as an organisation to deliver similar training ultimately it educates a greater number of people in respect of cyber security who will demand greater security from service providers and technology providers. If it encourages more students to consider applying for our MSc Cyber Security or consider carrying out PhD research with us then even better.

Ultimately this will stimulate further the burgeoning global cyber security market benefiting CSIT and the wider industry in which we operate.

This blog post was originally published by me on LinkedIn Pulse on 2nd Dec 2014 and can be found here.

Turing – Runner up in 2014 #MatrixPoetryAwards Science Category

I’m delighted once again to have picked up honours at the 2014 MATRIX Poetry Competition. This year I was runner up in Category One, open to people with a science/technology background, with my poem “Turing”.


The competition was judged and award presented by respected poet and retired academic Professor Ignatius (Iggy) McGovern. The Award ceremony was followed by a reading from his new book, “A Mystic Dream of 4” which is a sonnet sequence based on the life and times of the Irish mathematician William Rowan Hamilton.

The winner in the category was my good friend Fabian Campbell-West, who I work alongside at QUB’s ECIT Institute and Centre for Secure Information Technologies (CSIT), with his poem “Computer Coder’s Sonnet”.

My poem has Alan Turing as its subject. Turing was a mathematician, wartime code-breaker and pioneer of computer science. His contributions to the war effort and technology were only recognized recently due to the secret nature of the work, his prosecution for homosexuality and untimely death by suicide at the age of 41.

Much of the research carried out within CSIT on areas such as cryptography, algorithms and artificial intelligence can be traced directly back to his ground-breaking work back in the 1930’s and 1940’s.

Once again here is my poem:

Turing

Celebrated for his passion, persecuted over love
In Bletchley Hut 8 he tackled Enigma
Breaking the ciphers and stemming the tide
Only science mattered, not social stigma

His bombe silenced bombs, he moved on
The genius visualised a machine in his mind
A device for computation, competing with men
His automatic computing engine, all seeing, blind

Without his intelligence, artificial or otherwise
Machine learning, algorithms, big data; unfathomable
As scientists, today, the evidence is clear
The debt of gratitude owed Turing is utterly incalculable.

Since writing the poem I have learned that a film called “The Imitation Game” based on Alan Turing’s life will go on general release in the UK on 14 November 2014. It stars Benedict Cumberbatch as Turing and is directed by Morten Tyldum with a screenplay by Graham Moore, based on the biography Alan Turing: The Enigma by Andrew Hodges. You can view a trailer here: