Second Annual Cyber Conference at Canterbury Christ Church University

BOOKING IS NOW OPEN for the 2nd* annual cyber conference organised by the Cyber Innovation Hub of Canterbury Christ Church University

‘Emerging Cyberspace Challenges and Solutions‘

Keynote Speaker: David Rogers, Cyber Security & Standards Adviser, Department for Digital, Culture, Media and Sport, UK Government

Date: Friday 11 January 2019

Venue: Michael Berry Lecture Theatre, Old Sessions House, Canterbury Christ Church University

Supported by: 

• The Cybercrime Forensics Specialist Group of the BCS, The Chartered Institute for IT
• The OWASP Cambridge Chapter and
• The UK Cyber Security Forum – Cambridge Cluster

Experts from the Industry, Academia and Law Enforcement will give presentations at the Conference covering following topics:

• Can IPFIX Improve Traffic Capture Techniques for Cyber Threat Intelligence? – Adrian Winckles, Chair, BCS Cybercrime Forensics Specialist Group
• Smart Home Security – Fida Hussain & Dr Man Qi, Canterbury Christ Church University
• Vehicle Forensics: Analysis of the SYNC3 (QNX6 based) Infotainment System of a Ford Kuga – Luc Poelmans, Telecom IT Security Expert, Belgium
• Validation Techniques for Live Forensic Tools – Ulf Bergum, Head of Education in Digital Forensics and Cybercrime Investigation & Detective Superintendent, Norwegian Police University College, Norway
• The Threat of Security Knowledge Gaps – Jonathan Haddock, Network Security Engineer, Public Sector
• Security Auditing of Medical Suppliers and Devices – Dr Nimmo Dragomelo, Senior Consultant, Quality World
• Electronic Evidence: Role of First Responders in an IoT world – Yves Vandermeer, Chair, European Cybercrime Training & Education Group (ECTEG) and Norwegian Police University College, Norway

To book your free place please go to www.canterbury.ac.uk/cyber-conference-2019

For any further enquiries, please contact: cyberconference@canterbury.ac.uk

* for programme and presentations of last years conference (12 January 2018) please visit: http://www.canterbury.ac.uk//cyber-conference-2018

Dr. Abhaya Induruwa – Director of Cyber Innovation Hub and Principal Lecturer in Computing, Digital Forensics and Cybersecurity

Here we go again … passwords marked never to be used, still in the top ten

Our previous post by Joseph Williams titled ‘Bad passwords or just bad advice’ discussed the poor password habits of an online savvy society. Discussing that “the past few decades [of password advice] hasn’t quite sunk in” (Williams, 2016). In light of the leak of a Yahoo database, most likely tied to the huge data hack in recent headlines, researchers have once again looked at the most popular passwords uncovered.

Insecure passwords such as “123456”, “password”, “abc123”, “welcome” and “qwerty” were among the top ten exposed (Wang et al., 2016). Amongst these classic passwords, other users were using simple combinations of easily identifiable information (e.g. name, age and birthday). Generally, some users make their passwords easy to remember and simple for convenience. Yet, this leads us to an argument of convenience vs security. Continue reading →

Cheap(ish) Scanning at Home using a Microsoft® Kinect

It is accurate to say that everybody knows what a printer is – a device that puts information on paper. Fast-forward to the 21-century, and printers still have a place in the world. Although now, the most common form of a printer is one which prints information from the computer onto paper. There are a variety of printers available to do this including inkjet, laser and dot-matrix – the latter of which is no longer in common usage (thankfully).

In a similar way that the aforementioned computer printers print 2-dimensional information onto paper, 3-dimensional printers can create objects using plastic. This is done using a heated nozzle laying down layers of molten plastic in a pre-defined pattern. The layers (which are commonly a fraction of a millimetre thick) eventually build up into an object.

Continue reading →

How vulnerable are you?

You might be one of those people who always update their devices as soon as a patch comes out.  Maybe you like to wait a while to let the inevitable “Version x.y.z broke my wifi” niggles get resolved; perhaps you even take the view “if it’s not broke, don’t fix it!”.   Whatever your appetite for risk, there is almost certainly going to be some vulnerability that you are exposed to and there’s little you can do to avoid it.

Lets take an example.  Let’s say you have an iPhone running a flavor of iOS.  Not so long ago, it used to be that Apple products boasted there was no need for security protection.  Apple even used this in their marketing: “MAC vs PC Commercial – Viruses” (Apple Videos, 2007)

But time has moved on and the bad guys eventually realized there were a growing number of people out there with unprotected devices just aching to be exploited.  In the case of the iPhone, there are plenty of ways for others to get their hands on your cash, your identity or just your messages and contacts.

We all now know that iPhones are no longer the once fabled secure place that even the FBI can’t invade; a sort of digital embassy where its digital citizens can feel secure from hostile interests.   The San Bernardino iPhone put a stop to that idea.  The phone was reportedly unlocked using a zero-day exploit: “FBI vs San Bernardino iPhone Case cracked by hackers zero day” (Smith, 2016)

Zero-day exploits are weaknesses in systems that are either unknown by the vendor or not yet patched in the wild.  A bit like going out, remembering you left a window open and then trying to get in touch with your neighbor who has keys to enter your home and close it before you are robbed.

Security researchers are constantly looking for these zero-days exploits to get them confirmed and published as quickly as possible.  If you want to see how vulnerable you really are before Abobe, Apple, Microsoft or other vendors decide to warn you, you need to take a look at the CVE database.

The Common Vulnerabilities and Exposures (CVE) database houses a dictionary of cyber security vulnerabilities you really need to know about if you are going to make informed decisions on what risks you choose to tolerate and those you cannot.  You can search by keyword or by providing a CVE identifier.  Each identifier refers to an individual reported vulnerability (CVE, 2015).

Another, slightly more detailed resource that is linked to the MITRE database is here: (MITRE, 2016)

This site is particularly good for visually spotting trends in known cyber security issues.  Take a search for Apple iPhone’s iOs:

Source: “Apple Iphone Os: Vulnerability Statistics” (2016)

Ignoring the partial 2016 results, there is a clear upward trend in iOS vulnerabilities.

So imagine you see a notification pop up telling you to update your phone. What’s the risk if you don’t?  Let’s say you check out the update on Apple’s website:

Source: Apple Inc. (2016)

Is Apple telling us everything here?  Let’s look up the CVE number CVE-2016-1734.  We can look this up on MITRE’s website and this will give you a little more independent detail that the Vendor may provide on their own page (bear in mind that no vendor likes to admit there are weaknesses in their products).

Lookup the CVE identifier on the cvedetails.com website we find:

Source: “Vulnerability Details : CVE-2016-1734” (2016)

This informs us of a total disclosure of system files, a total compromising of the system, rendering the system (your phone) unusable without any credentials being needed.  From the same page you can also check what other risks you are taking from the same version of iOS.  Clicking on the Vulnerabilities link for iOS v9.2.1:

This leads to a page of 38 other issues (at the time of writing) with iOS 9.2.1, colour coded with red, amber and green to given a threat score.

So before you ignore that update notice on your laptop, phone or other device, at least be more informed about the risk you are taking.

It’s time to write an essay – don’t forget your references!

Thank you to Lynsey Blandford for this great post!

We’ve all been there, an essay is due within a week or even days and so we start to quickly read around our subject.  It’s really easy to forget to make a note of where we’ve found interesting ideas or even a page number for a quotation.  Why is that important?  Firstly, it’s only fair to acknowledge others’ work, but secondly, forgetting to reference will look like plagiarism!  If this scenario is familiar, follow these tips and it’ll make your life much easier come deadline day.

1. You’ll need a list of references and also a bibliography at the end of your essay. If you refer to a writer or source, this will need to be included in your references list as well as your bibliography.
2. Throughout your essay there should also be references either alongside a quotation or even just a mention of another person’s idea or work.
3. There are different ways to reference different types of sources, here are some examples:

Online

In-text citation

There is evidence of a rise in cybercrime (Davies, 2016), which suggests …

Reference list

Davies, R. (2016) UK businesses battling huge rise in cybercrime, report says. Available at: http://www.theguardian.com/technology/2016/feb/25/cybercrime-uk-businesses-battling-huge-rise-silver-fraudsters (Accessed: 17 March 2016).

Continue reading →

Internet of Things (IoT) – How private is your private life?

Last November I was invited to give a keynote speech at the 2015 IEEE International Conference on Research in Computational Intelligence and Computer Networks (ICRCICN 2015) held in Kolkata, India.  I chose the topic “The Internet of Everything: How secure should it be?”* The more I thought about the security of the IoT, the more I realised how IoT could make individuals insecure and vulnerable and that the coming of IoT could seriously impact on our privacy!

Dr Abhaya Induruwa

Continue reading →

Bad passwords or just bad advice?

Another year, another article in the media slamming the password habits of people. Evidently the advice of the past few decades hasn’t quite sunk in, with “123456” taking the award for the most obvious password for the 30^th year in a row.

I’m sure we’ve all been guilty at some stage of using bad passwords. I remember being a young teenager, and inviting a friend over to my house in order to create a Hotmail account for MSN Messenger. “What do you want your password to be?” he asked. Being a child who possessed the three quintessential qualities of a teenager: naivety, stupidity and a general smart assary, I thought it would be hilarious to choose the password ihateyou. My reasoning was sound, “Well, if anyone hacks into it then they know I don’t like them”. Genius, really. Unsurprisingly, my Hotmail account was compromised a year later, and I lost my 2MB of e-mail space and my friends list of people who I saw at school every day.

Self-deprecating anecdotes aside, the largest reason for this blog post comes from a BBC article posted a couple of days ago.

Continue reading →

Curse of the Dreaded Dates

As an undergraduate, I was given a Bash assignment and one of the sub-tasks was to sort some .csv file by date. It took me two weeks to realise that the way we, as British humans, format the date (dd-mm-yyyy) is utterly useless to sort with and simply reversing the date (to yyyy-mm-dd) and treating it as a numerical type (example, 20150810) would guarantee an easy way to sort. It later transpired that formatting dates to yyyy-mm-dd is an ISO standard and what you should be doing when working with dates on computers and whatnot. At the time, though, my undergraduate mind was overjoyed that I managed to solve what was a tricky problem.

Given that previous lesson, you really would have thought that an experienced Joe, having already world exclusively solved the date sorting problem for the standards committees, would not be naive enough to use dates that follow dd-mm-yyyy format when programming.  Well…

Continue reading →

Welcome!

This is the blog for the department of Computing, Digital Forensics and Cybersecurity!