Category Archives: News

Hacking Handbook

Thoughts on the TalkTalk breach

With the recent TalkTalk security breach potentially affecting 4 million UK customers, my phone was ringing off the hook from late on Thursday 22nd October. Whenever a big cyber security story hits the front pages I get asked by the media for expert opinion, given my role at Queen’s University Belfast’s Centre for Secure Information Technologies (CSIT) – the UK’s Innovation & Knowledge Centre (IKC) and lead academic research centre for cyber security.

As with all stories of this nature, I pull together some media briefing notes before going into the studio. Here are the parts that consumers and businesses might find useful:

Top five customer tips following the TalkTalk security breach are as follows:

  1. Whilst you may not be able to change your TalkTalk account password just yet, many customers will have used the same password across multiple online services. You should change those right now. Note – this won’t protect bank account/credit card details that have already been stolen.
  2. TalkTalk have said that “there is a chance” that customer credit card and bank account details have been compromised. All TalkTalk customers, present and past, should keep a close eye on those accounts for the coming weeks and months and report any suspicious activity to their bank or card issuer immediately, no matter how small. If the details are resold, as they are likely to be, the criminals may carry out small transactions first to check that the account details are legitimate before initiating larger money transfers or purchases.
  3. Enable multi-factor authentication, or 2-Step Verification, on online services where it is available. Online services such as Google Mail offer this. For example, when logging in a code is sent to your phone by text, voice call, or the provider’s mobile app as an additional login step. Or, if you have a Security Key, you can insert it into your computer’s USB port to complete authentication.
  4. Never disclose your username, password, bank account, or credit card details to anyone who phones or emails you unsolicited. Ever.
  5. Be particularly careful clicking on links in e-mails or opening e-mail attachments received from people you don’t know. Even when the e-mails look legitimate, check that the sender’s e-mail address and the web links point to genuine sites. Fraudsters can easily register domain names that look very similar to legitimate ones. For example, customerservice@talktalk.com looks like customerservice@taiktaik.com – swapping the l for an i.
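A simple check of the kind tip 5 asks for, as an added example that is not part of the original post: it merges characters that are easily confused (such as l and i) and flags sender domains that collapse to a trusted domain, or sit within a few edits of it. The trusted domain list and the sample From headers are constructed for the example.

```python
import re
from difflib import SequenceMatcher

# Character pairs that look alike in common fonts. Both the sender's domain and the trusted
# domain are rewritten with these before comparison, so taiktaik.com collapses to talktalk.com.
CONFUSABLES = [("i", "l"), ("1", "l"), ("|", "l"), ("0", "o"), ("5", "s"), ("rn", "m"), ("vv", "w")]

def skeleton(domain):
    """Reduce a domain name to a shape in which confusable characters are merged."""
    d = domain.lower()
    for lookalike, canonical in CONFUSABLES:
        d = d.replace(lookalike, canonical)
    return d

def sender_domain(address):
    """Extract the domain from 'user@host' or 'Display Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.\-]+)", address)
    return m.group(1).lower().rstrip(".") if m else None

def classify_sender(address, trusted_domains, threshold=0.8):
    """Return 'trusted', 'lookalike', 'unknown' or 'invalid' for an e-mail address."""
    dom = sender_domain(address)
    if dom is None:
        return "invalid"
    for trusted in trusted_domains:
        if dom == trusted or dom.endswith("." + trusted):
            return "trusted"
    for trusted in trusted_domains:
        # Same shape once confusables are merged, or a near miss such as a dropped letter.
        if skeleton(dom) == skeleton(trusted) or SequenceMatcher(None, dom, trusted).ratio() >= threshold:
            return "lookalike"
    return "unknown"

# Constructed sample From headers for the demonstration.
SAMPLE_FROM_HEADERS = [
    "TalkTalk Customer Service <customerservice@talktalk.com>",
    "TalkTalk Customer Service <customerservice@taiktaik.com>",
    "Billing <billing@talktalk.co>",
    "A Friend <someone@example.org>",
]

def triage(headers, trusted_domains=("talktalk.com",)):
    """Map each header to its classification so suspicious ones can be quarantined."""
    return {h: classify_sender(h, trusted_domains) for h in headers}

if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_FROM_HEADERS).items():
        print(f"{verdict:9s} {header}")
```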

Top five business tips for companies who trade on-line:

  1. Always ensure that customer records are stored securely: passwords using modern hashing algorithms, ideally with salting, and credit card details and bank account numbers encrypted. This way, if the databases are stolen the data is practically worthless.
  2. Enable multi-factor authentication on your systems.
  3. Companies who are only now considering cyber security should sign up for the Cyber Essentials scheme. Cyber Essentials is a government-backed, industry-supported scheme to help organisations protect themselves against common cyber attacks.
  4. Work closely with other organisations to share threat and attack intelligence and identify common patterns. Sign up to the Cyber-security Information Sharing Partnership (CiSP), part of CERT-UK, a joint industry and government initiative to share cyber threat and vulnerability information in order to increase overall situational awareness of the cyber threat and therefore reduce the impact on UK business.
  5. If you haven’t got cyber security capability in-house then seek help. If you outsource your IT or web development, make sure your suppliers are taking it seriously – get a third party company to audit them if necessary. Ultimately, if your systems get hacked, your customers will blame you.

Want to find out how you can secure systems and develop the next generation of cyber security technologies?


The featured image I have used for this post purposely features The Web Application Hacker’s Handbook. If the reports about this hack are correct, and I don’t wish to speculate until further hard facts come out, then a textbook SQL injection attack may have been used to gain access to customer data. Basic security housekeeping should have prevented this.

If you are interested in securing systems or researching new advanced cyber security technologies as a career we are actively recruiting new Cyber Security PhD students for the CSIT Centre for Doctoral Training (CDT) as well as full-time and part-time masters students for the industry informed CSIT MSc in Cyber Security at Queen’s University Belfast.

I have provided expert commentary on local and national media including:

There is still a long tail of media requests coming in as the story matures and more facts come out. If you need to get in touch with me my contact details are on the Centre for Secure Information Technologies website here.

Turing – Runner up in 2014 #MatrixPoetryAwards Science Category

I’m delighted once again to have picked up honours at the 2014 MATRIX Poetry Competition. This year I was runner up in Category One, open to people with a science/technology background, with my poem “Turing”.


The competition was judged, and the award presented, by respected poet and retired academic Professor Ignatius (Iggy) McGovern. The award ceremony was followed by a reading from his new book, “A Mystic Dream of 4”, a sonnet sequence based on the life and times of the Irish mathematician William Rowan Hamilton.

The winner in the category was my good friend Fabian Campbell-West, who I work alongside at QUB’s ECIT Institute and Centre for Secure Information Technologies (CSIT), with his poem “Computer Coder’s Sonnet”.

My poem has Alan Turing as its subject. Turing was a mathematician, wartime code-breaker and pioneer of computer science. His contributions to the war effort and to technology were only recognised recently, owing to the secret nature of the work, his prosecution for homosexuality and his untimely death by suicide at the age of 41.

Much of the research carried out within CSIT in areas such as cryptography, algorithms and artificial intelligence can be traced directly back to his ground-breaking work in the 1930s and 1940s.

Once again here is my poem:

Turing

Celebrated for his passion, persecuted over love
In Bletchley Hut 8 he tackled Enigma
Breaking the ciphers and stemming the tide
Only science mattered, not social stigma

His bombe silenced bombs, he moved on
The genius visualised a machine in his mind
A device for computation, competing with men
His automatic computing engine, all seeing, blind

Without his intelligence, artificial or otherwise
Machine learning, algorithms, big data; unfathomable
As scientists, today, the evidence is clear
The debt of gratitude owed Turing is utterly incalculable.

Since writing the poem I have learned that a film called “The Imitation Game” based on Alan Turing’s life will go on general release in the UK on 14 November 2014. It stars Benedict Cumberbatch as Turing and is directed by Morten Tyldum with a screenplay by Graham Moore, based on the biography Alan Turing: The Enigma by Andrew Hodges. You can view a trailer here:

The Dock – A poem by David Crozier

I am delighted and honoured that my poem “The dock” was chosen as the winner of the inaugural MATRIX Poetry Competition. I collected the prize on Saturday 5th October 2013 from Poet Laureate Carol Ann Duffy at a reading session she hosted in Derry~Londonderry as part of Poetry Month and the 2013 City of Culture celebrations.

Collecting the inaugural MATRIX Poetry Competition Prize from Poet Laureate, Carol Ann Duffy and MATRIX Deputy Chair, Dr Norman Apsley

The inaugural competition, which was introduced by MATRIX to highlight the links between science and the arts, was to write a poem about any science related topic.

It was open to people who study the STEM subjects or work in science/technology based industries. It was judged by Professor Iggy McGovern, Professor of Physics at Trinity College Dublin and award-winning poet.

MATRIX, the Northern Ireland Science Industry Panel, is a business led expert panel, formed primarily to advise government, industry and academia on the commercial exploitation of R&D and science and technology in Northern Ireland.

My poem drew inspiration from the sounds, history and future of the area around the Thompson Dry Dock which my office overlooks. It also draws parallels between the heavy engineering that the shipyard area was known for and the future, driven by research and development, carried out at my place of work – the ECIT Institute.

The motivation for writing the poem is simple. MATRIX Chair Bryan Keating asked me to. Sometimes being asked to do something is motivation enough.

My poem:

The dock

The sound of hammering and clanging ringing out from the dock
Regularly drifts in the sea breeze through my window.
This recording a remembrance of ocean liners engineered
In Belfast’s mighty shipyards once spread out below.

Now in this furnace of technology, an Institute of the future,
Researchers secure the digital tomorrow for one and all.
Transportation of a different kind their focus; of data and knowledge.
The brains of this nation answering Queen’s Island call.

For through science our pride will be restored once more,
Technology despatched through new venture creation.
Lessons learned, skills honed, motivation unsinkable
Let’s doff a duncher to this foundry of innovation.

Creative Commons License
“The Dock” by David Crozier is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.
Based on a work at http://www.davidcrozier.co.uk/2013/10/07/the-dock/


Thoughts on Mobile World Congress 2012; Why you should be there #mwc12

The CSIT booth at MWC 12

I returned from Barcelona on Friday after a week of lead generation, market positioning research and generally being a booth bloke at Mobile World Congress for my employer, the Centre for Secure Information Technologies (CSIT), an innovation and knowledge centre specialising in cyber security research based at Queen’s University Belfast. I have spent the weekend mulling over the experience and trying to distil a few thoughts on the Congress, which I share here.

There’s no austerity or lack of confidence in the mobile industry

The GSMA’s event attendance figures speak for themselves: 67,000 visitors from 205 countries. The number of attendees was up 11% on last year. Business is not just as usual, it’s booming. It is ten years since I was last at MWC, with Jinny Software, when it was in Cannes. The growth in that decade has been phenomenal.

The level of investment in stands and presence by exhibitors, both large and small, exuded a confidence in the future of the economy not currently shared by many across this continent. I have no doubt that the level of investment here will be followed by growth in consumer confidence and spending in the coming years.

Mobile security is gonna be massive next year

This is the first time we at CSIT have exhibited at the event, though all three of our commercial team have represented previous employers at it. While we had a number of pre-arranged meetings lined up beforehand, this for us was about dipping a toe in the water of the mobile space and seeing what turned up.

With limited marketing activity prior to and during the event, we were simply astounded by the number and calibre of companies and organisations who sought us out, based on our “Breakthrough technologies for mobile security” pitch, to speak to us about our research into areas such as Physical Unclonable Functions, ITACA, intrusion prevention and SCA. Our activity there was very targeted – sponsoring the Network Intelligence Alliance networking evening, where we could engage with prospective partners and customers away from the hustle and bustle of the halls. This was a great opportunity to raise our profile in a niche area where we can add most value.

Mobile security will be a huge market. If you are working in this area, speak to us.

It’s about so much more than mobile

If you are building solutions that communicate over IP protocols you are now a mobile company – you should be at next year’s Congress. No excuses. With the phenomenal growth in smartphones and the advent of LTE, WiMAX and other wireless data standards, if you are involved in any sort of solution that communicates data you need to be there, if only to unearth opportunities which may not be obvious if you only think of it as a mobile trade show.

In the last week we spoke to companies about opportunities in utilities, banking, transportation, satellite communications, fixed line operators, government and more.

It doesn’t cost the earth

We exhibited on the Northern Ireland pavilion with a number of other local companies. The Invest Northern Ireland team did an excellent job in supporting us before and during the week. It’s the perfect mechanism for getting a low(er) cost presence at the event. Speak to them about going next year. You can’t afford not to be there.