Category Archives: Tech

Cyber security needs to consider both technology and human factors.

Cyber Security – Back to Basics

This week I finished the Open University’s “Introduction to Cyber Security” online course which is available through the FutureLearn platform.

Why, I hear you ask, am I going back to basics to learn about a subject in which I am already pretty well versed?

It is true that I have been exposed to cyber security principles and practice for almost 20 years by virtue of my primary degree in Computer Science, internship and subsequent career in both technical and non-technical roles. Heck I’ve even spent the last three years as Technical Marketing Manager of QUB’s Centre for Secure Information Technologies (CSIT), the UK’s Innovation & Knowledge Centre for Cyber Security, a role which sees me regularly speak to businesses, students and contributing to TV, radio and print media on the subject of technology vulnerabilities, threats and breaches. The role also involves bringing new cyber security technology, the output of much of our ground-breaking research, to market.

Why participate?

I participated in the 8 week long online course for three reasons:

  1. I’m big enough to admit that I don’t know it all – even in my own field of expertise there is always scope to learn new approaches and relearn concepts that I may have forgotten. This course offered me a chance to look at cyber security with fresh eyes.
  2. Working day to day in a research and innovation environment at the very bleeding edge of cyber security technology it is all too easy to forget how the person on the street views my area of expertise. This course allowed me the chance to step back from that edge, think about cyber security from an end user perspective and consider how our research and technology could be applied to solve the simple and mundane as well as grander challenges.
  3. Lastly, I wanted to kick the tyres on it. Prior to this course launching I had been asked by a number of organisations if we at CSIT could deliver similar entry level training. We had already delivered some internally to the wider QUB staff body and the question was whether or not we should package that up and produce an offering to business and community groups. I wanted to assess if the OU course would rule that effort worthless.

Did it pass muster?

In a word – yes.

The course surpassed my expectations to be honest. It wasn’t patronising, while it assumed no prior knowledge it explored more complex aspects of cyber security explaining them in an engaging way.

Those charged with information and cyber security in organisations and the wider world can often be seen as bad guys and girls in their own right. Blocking access to fun stuff on the internet and not allowing the latest whizzy consumer devices onto corporate networks without a satisfactory reason from an end-user stand-point. The first week explored the threat landscape in depth, explaining why cyber security matters to everyone and laid a solid foundation for the remaining seven weeks.

Over the last number of years many of the times I have been invited by the media to provide analysis on cyber security events has been due to password breaches.

It’s one of the reasons I’m so passionate about bringing our LIOPA lip biometric technology to market. Week two covers the whole gambit of authentication even going so far as covering salting, hashing as well as multi-factor which is thankfully becoming the norm for most online services.

One area where I disagree with the course is its highlighting of password manager applications as a solution to remembering multiple usernames and passwords. Personally I see them as a significant risk and prime target for cyber criminals. Hack those and you have the master key for an individual’s whole online life.

Weeks 3 and 4 cover Malware and Networking & Communications adequately but it was Week 5’s focus on Cryptography which drew my attention. It’s an area which we at CSIT carry out significant research in areas such as Post-Quantum Cryptography,Physical Uncloneable Functions (PUF)-PKI and Fully Homomorphic Encryption.

The practical application of PGP is taught through the use of Mailvelope, a plug-in for Google’s Chrome browser that uses an implementation of the Open PGP standard. This is welcome but it goes to show that straightforward ways for the man/woman in the street to use PGP to encrypt communications is still a little way off in terms of user experience.

As the family IT go to guy weeks 7 and 8 coverage of what to do when things go wrong and managing risks is welcome. Its also a timely reminder for everyone to fully consider their own vast stores of digital information, prioritising which bits are most important and putting in place a regular backup routine to protect against loss.

Have I changed how I think about my own cyber security after completing this course?

Absolutely. Will I tell you the changes I have implemented as a result? Absolutely not. Why make it easier for the cyber criminals? Individuals and organisations are under constant attack. It is a case of when and not if your cyber security defences will be probed and breached – why make it easy for them.

Wider lessons for going back to basics.

Sometimes subject matter experts can be a little reluctant to admit that they may not be across all the basics in terms of their field. Instead they baffle the uninitiated with the more advanced aspects of their product or service. Looking once again from an amateur’s perspective can be enlightening.

Participating in this course has also opened my eyes to interesting use cases for some of CSIT’s innovations.

While this course may close off opportunities for us as an organisation to deliver similar training ultimately it educates a greater number of people in respect of cyber security who will demand greater security from service providers and technology providers. If it encourages more students to consider applying for our MSc Cyber Security or consider carrying out PhD research with us then even better.

Ultimately this will stimulate further the burgeoning global cyber security market benefiting CSIT and the wider industry in which we operate.

This blog post post was originally published by me on LinkedIn Pulse on 2nd Dec 2014 and can be found here.

Thoughts on the Apple #WWDC14 announcements, media crib sheet

I was asked last week by BBC Good Morning Ulster to come in to the show and talk about the announcements made at Apple’s World Wide Developer Conference 2014. You can listen to it again here. Go to 55:50.

As with every media engagement I do I had done my homework the night before and prepared a crib sheet covering all potential areas for discussion which is shared with the show producer in advance so they can brief the presenter and prepare questions for them.

Tech bling
Little bit of tech bling. Always dress for the occasion – even if its only radio.

Having done a few of these now the key, in my opinion, is to get to the heart of the “so what” question. What does this mean to the person sitting in their car on their way to work or doing the school run? The trick is to avoid being over technical and to retain a level of company independence or favouritism – especially when contributing to the BBC.

I’m neither pro or anti Apple. While I use an MacBook for personal computing and an Apple iPad for work I also use a Google Nexus 5 phone and a Microsoft Window’s laptop for work purposes. It’s nice to have this broad level of experience when talking about new product announcements in this space.

The whole experience is definitely a positive one. If you are approached to contribute to programmes such as this I would highly recommend it as it allows you to hone writing and speaking skills for the day job.

In the end time only permitted us to discuss the Family Sharing feature. The full crib sheet is replicated below for those who haven’t OD’ed on WWDC commentary yet.

Intro

Apple announces new features that enable family sharing, home automation and our vital signs to be monitored all from our mobile phones.

Family sharing

Apple have announced a new family sharing feature in iOS version 8 for iPhones and iPads. This will allow whole families share and synchronise their photos, calendars and locations with each other.

  • Great for the busy family to keep track of each other and give parents piece of mind that their kids are where they say they are
  • Not so great for parents whose phones will be filled to the brim with selfies of their kids
  • Even worse for kids whose phones will be full of their parents selfies – take note Máirtín Ó Muilleoir’s kids
  • Definitely not good for kids bunking off school

There have been numerous examples of children running up hundreds, if not thousands of pounds of credit card bills due to innocently buying costly add-ons for games through the Apple App Store.

  • Last year a five year old ran up a bill of £1700 buying costly add-ons for a game called Zombie v Ninja in one ten minute period
  • Earlier this year Apple was forced to refund at least £20 million to disgruntled parents over in-app purchases made by their kids
  • Family sharing allows parents to implement tighter controls on App Store spending.
  • Kids can send App purchase requests to their parents phones when they wish to buy new games or make in app purchases.
  • Great for parents looking to reign in their kids spending on the Apple App Store
  • Not so great for some app developers who were making stacks of money from unsuspecting kids

Home automation

The smart home is now a key battle ground for companies like Apple and Google. Google recently bought Nest, a company that makes smart devices such as learning thermostats and intelligent smoke and carbon dioxide detectors for the home which can be controlled from mobile devices for a cool $3.2 billion.

Apples new Home app (HomeKit) allows an iPhone or iPad to control smart appliances, lights and locks around the home.

  • Partners include Philips, Honeywell and Osram that make a variety of smart widgets and lights
  • Great if you want to live in the home of the future and command all your home appliances by voice
  • Not so great when the power goes out.

Health app

HealthKit is a feature and package of tools that will allow developers to build bespoke apps around health and well being, from sleep monitoring and stress reduction to exercise and blood testing.

  • Great for helping to take pressure off a stretched NHS
  • Great for early alerting of serious health problems
  • Great for changing behaviour in unhealthy people
  • Not so great for couch potatoes
  • Question marks over patient privacy
Sakir Sezer 250 166

Queen’s researchers on the front line against cyber crime

On 2nd June 2014 numerous news outlets globally ran a story about a Russian man being charged with being behind a major cybercrime operation that affected individuals and businesses worldwide and added to the FBI’s most wanted list. Evgeniy Bogachev, also known as “lucky12345″ and “slavik”, is wanted for his alleged involvement in a wide-ranging racketeering enterprise and scheme that installed, without authorization, malicious software known as “Zeus” and a variant called “GameOver Zeus” on victims’ computers.

Zeus is a type of malware known as a bot which makes up part a network of hijacked home computers, typically controlled by a criminal gang called a botnet. The software was used to capture bank account numbers, passwords, personal identification numbers, and other information necessary to log into online banking accounts.

In a non-descript glass fronted building in the heart of the Northern Ireland Science Park the news came as no surprise to a crack team of cyber security researchers who barely raised an eyebrow. The team, based in Queen’s University Belfast’s (QUB) Centre for Secure Information Technologies (CSIT), is at the forefront of researching and developing new technologies to detect bots, botnets, malware and Advanced Persistent Threats (APTs) since it was established as the UK’s Information and Knowledge Centre (IKC) in 2009. The Zeus botnet, and the plethora of variants it has spawned, has been of particular interest to the team who work as part of the Secure Digital Systems research cluster headed by Professor Sakir Sezer.

Sakir Sezer 250 166Professor Sezer says: “As the internet has evolved into a multi-trillion pound business, the threats have evolved as well. To date members of the gang who operate the Zeus botnet have stolen an estimated $500 million. This represents a huge loss to citizens and businesses alike. Our research is helping minimise the fraud and theft enabled by this pernicious software through the development of hardware and software tools and technologies which have been proven to detect and prevent this type of malicious activity.”

In a secure laboratory within the facility Professor Sezer’s team of researchers and engineers have installed a complete botnet for the purposes of determining how it replicates, evolves over time and communicates with command and control systems. The team are reluctant to say too much about their findings in an effort to stay one step ahead of the criminals in this cat and mouse game. What they will say, however, is that the solution they have developed has the ability to analyse gigabytes of network traffic, in real-time, pinpointing botnet activity on corporate, mobile operator or Internet Service Provider (ISP) networks. This malicious activity can be traced to a specific machine, laptop or mobile device which has been infected with the malware.

Notwithstanding, the research isn’t a purely academic endeavour. Through its unique ‘Open Innovation’ model CSIT works to exploit and transfer knowledge to industry through member companies such as global giants McAfee and IBM, as well as via commercial R&D and consultancy engagements with local SME’s such as RepKnight and AirPOS. This ensures the research is both industrially relevant and that findings can be put to work as quickly as possible to limit the impact of malware and botnets on society as well as bringing new cyber security technologies to market.

Highlighting ISP and mobile network operator’s failure to adopt technology to limit the damage wreaked by malware and botnets Professor Sezer says: “We have the proven technology to detect and stop these malicious applications at the ISP and operator level but many are reluctant to take on responsibility for providing this service to their customers. Common Carrier status means the ISP is not responsible for anything illegal taking place over the network.  For example, Warner Brothers can’t sue BT because their digital content (films) are being illegally streamed to BT broadband subscribers.  The ISPs use this legal provision to see no evil.  Hence they make no attempt to protect subscribers from malware. However, they are quite happy to detect and block Skype traffic when it effect’s their bottom line. The legislative framework needs to change to enable broader use of this technology to protect internet consumers.”

MSc_in_Cyber_SecurityNew technology is only one part of the CSIT story.  Currently, the demand for cyber security experts is growing at twelve times the rate of the overall job market. The Centre has listened to the needs of industry and is complementing its technology research by developing a new Master’s degree in Cyber Security to skill up the next generation of cyber security professionals. The course is open for application now and will begin in September 2014.

Professor Maire O’Neill, Co-Ordinator of the new MSc in Cyber Security, says: “The emphasis of the MSc is to provide graduates with a comprehensive understanding of the cyber security challenges facing industry and society, today and in the future, and equipping them with the skills necessary to address those challenges.”

Finally, the Centre recognises its wider responsibilities to society in terms of supporting citizens, industry and government to tackle the scourge of cyber-crime as well as capitalising on the huge global demand for technologies in this area. CSIT staff are involved in a variety of prominent advisory bodies such as the Organised Crime Task Force’s Cyber Crime Sub Group, the UK Cyber Growth Partnership and chairing the Royal Society’s Cyber Security Research policy committee.

You can find out more about CSIT and the MSc in Cyber Security on its website here: http://www.csit.qub.ac.uk/

Hi-tech crime terms

  • Bot – one of the individual computers in a botnet; bots are also called drones or zombies
  • Botnet – a network of hijacked home computers, typically controlled by a criminal gang
  • Malware – an abbreviation for malicious software i.e. a virus, Trojan or worm that infects a PC
  • APT – Advanced Persistent Threats are a set of stealthy and continuous computer hacking processes, often orchestrated by human targeting a specific entity.

Advice from Get Safe Online

  • Install internet security software from companies listed on Get Safe Online’s website to download a free tool to scan for Gameover Zeus and remove it from your computer
  • Do not open attachments in emails unless you are 100% certain that they are authentic
  • Make sure your internet security software is up-to-date and switched on at all times
  • Make sure your Windows operating system has the latest Microsoft updates applied
  • Make sure your software programs have the latest manufacturers’ updates applied
  • Make sure all of your files including documents, photos, music and bookmarks are backed up and readily available in case you are no longer able to access them on your computer
  • Never store passwords on your computer in case they are accessed by Gameover Zeus or another aggressive malware program

Is this the end of usernames and passwords? #csitsummit

Updated 3rd June 2013.

This post was previously published by me over at The Centre for Secure Information Technologies blog.

At the recent World Cyber Security Technology Research Summit hosted by CSIT I had the pleasure of scribing one of the breakout sessions titled “Is it the end of the road for username and password? If so what are the alternatives?”.

The answer, given recent high profile breaches, might surprise. It’s not as clear cut as you might think. One thing is for sure however. There is a huge amount of opportunity in this area.

Continue reading