How vulnerable are you?

You might be one of those people who always update their devices as soon as a patch comes out.  Maybe you like to wait a while to let the inevitable “Version x.y.z broke my wifi” niggles get resolved; perhaps you even take the view “if it’s not broke, don’t fix it!”.   Whatever your appetite for risk, there is almost certainly going to be some vulnerability that you are exposed to and there’s little you can do to avoid it.

Let’s take an example.  Let’s say you have an iPhone running a flavor of iOS.  Not so long ago, it used to be that Apple products boasted there was no need for security protection.  Apple even used this in their marketing: “MAC vs PC Commercial – Viruses” (Apple Videos, 2007)

But time has moved on and the bad guys eventually realized there were a growing number of people out there with unprotected devices just aching to be exploited.  In the case of the iPhone, there are plenty of ways for others to get their hands on your cash, your identity or just your messages and contacts.

We all now know that iPhones are no longer the once fabled secure place that even the FBI can’t invade; a sort of digital embassy where its digital citizens can feel secure from hostile interests.   The San Bernardino iPhone put a stop to that idea.  The phone was reportedly unlocked using a zero-day exploit: “FBI vs San Bernardino iPhone Case cracked by hackers zero day” (Smith, 2016)

Zero-day exploits are weaknesses in systems that are either unknown to the vendor or not yet patched in the wild.  It’s a bit like going out, remembering you left a window open and then trying to get in touch with your neighbor who has keys to enter your home and close it before you are robbed.

Security researchers are constantly looking for these zero-day exploits to get them confirmed and published as quickly as possible.  If you want to see how vulnerable you really are before Adobe, Apple, Microsoft or other vendors decide to warn you, you need to take a look at the CVE database.

The Common Vulnerabilities and Exposures (CVE) database houses a dictionary of cyber security vulnerabilities you really need to know about if you are going to make informed decisions on what risks you choose to tolerate and those you cannot.  You can search by keyword or by providing a CVE identifier.  Each identifier refers to an individual reported vulnerability (CVE, 2015).

Another, slightly more detailed resource that is linked to the MITRE database is here: (MITRE, 2016)

This site is particularly good for visually spotting trends in known cyber security issues.  Take a search for Apple iPhone’s iOS:

[Figure: vulnerability trends over time]

[Figure: vulnerabilities by type]

Source: “Apple Iphone Os: Vulnerability Statistics” (2016)

Ignoring the partial 2016 results, there is a clear upward trend in iOS vulnerabilities.

So imagine you see a notification pop up telling you to update your phone. What’s the risk if you don’t?  Let’s say you check out the update on Apple’s website:

[Figure: security content of iOS 9.3]

Source: Apple Inc. (2016)

Is Apple telling us everything here?  Let’s look up the CVE number CVE-2016-1734.  We can look this up on MITRE’s website, which gives a little more independent detail than the vendor may provide on their own page (bear in mind that no vendor likes to admit there are weaknesses in their products).

Looking up the CVE identifier on the cvedetails.com website, we find:

[Figure: CVSS scores and vulnerability types]

Source: “Vulnerability Details : CVE-2016-1734” (2016)

This tells us the vulnerability allows total disclosure of system files and total compromise of the system, and can render the system (your phone) unusable, all without any credentials being needed.  From the same page you can also check what other risks you are taking with the same version of iOS, by clicking on the Vulnerabilities link for iOS v9.2.1:

[Figure: products affected by the CVE]

This leads to a page of 38 other issues (at the time of writing) with iOS 9.2.1, colour coded with red, amber and green to give a threat score.

[Figure: iPhone security vulnerabilities]
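
The wording of the entry described above (total disclosure, total compromise, no credentials needed) follows the metrics of CVSS version 2, where a score is computed from a short vector string. The Python below is an added example, not part of the original post: it computes a CVSS v2 base score from a vector and ranks it using NVD's Low/Medium/High bands. The vectors are constructed for illustration; the first assumes complete confidentiality, integrity and availability impact with no authentication, and its access vector and complexity are assumptions.

```python
# CVSS v2 base score from a vector string (weights from the CVSS v2 specification).
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},   # access vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},    # access complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},   # authentication required
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},    # confidentiality impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},    # integrity impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},    # availability impact
}


def parse_vector(vector):
    """Turn 'AV:N/AC:M/...' into a dict; reject unknown, repeated or missing metrics."""
    metrics = {}
    for part in vector.strip().strip("()").split("/"):
        name, sep, value = part.partition(":")
        if not sep or name in metrics or value not in WEIGHTS.get(name, {}):
            raise ValueError(f"bad CVSS v2 metric: {part!r}")
        metrics[name] = value
    if set(metrics) != set(WEIGHTS):
        raise ValueError(f"missing metrics: {sorted(set(WEIGHTS) - set(metrics))}")
    return metrics


def base_score(vector):
    """Apply the CVSS v2 base equation and round to one decimal place."""
    m = {name: WEIGHTS[name][value] for name, value in parse_vector(vector).items()}
    impact = 10.41 * (1 - (1 - m["C"]) * (1 - m["I"]) * (1 - m["A"]))
    if impact == 0:          # the specification scores a no-impact vector as 0
        return 0.0
    exploitability = 20 * m["AV"] * m["AC"] * m["Au"]
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176, 1)


def severity(score):
    """NVD's ranking for CVSS v2 base scores."""
    if score >= 7.0:
        return "High"
    return "Medium" if score >= 4.0 else "Low"


if __name__ == "__main__":
    # Constructed vectors, not copied from any CVE record:
    # a remote, no-authentication, complete-impact issue and a local partial leak.
    for vec in ("AV:N/AC:M/Au:N/C:C/I:C/A:C", "AV:L/AC:L/Au:N/C:P/I:N/A:N"):
        score = base_score(vec)
        print(f"{vec}  ->  {score} ({severity(score)})")
```
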

So before you ignore that update notice on your laptop, phone or other device, at least be more informed about the risk you are taking.

It’s time to write an essay – don’t forget your references!

Thank you to Lynsey Blandford for this great post!

We’ve all been there: an essay is due within a week or even days and so we start to quickly read around our subject.  It’s really easy to forget to make a note of where we’ve found interesting ideas or even a page number for a quotation.  Why is that important?  Firstly, it’s only fair to acknowledge others’ work, but secondly, forgetting to reference will look like plagiarism!  If this scenario is familiar, follow these tips and it’ll make your life much easier come deadline day.

  1. You’ll need a list of references and also a bibliography at the end of your essay. If you refer to a writer or source, this will need to be included in your references list as well as your bibliography.
  2. Throughout your essay there should also be references either alongside a quotation or even just a mention of another person’s idea or work.
  3. There are different ways to reference different types of sources, here are some examples:

Online

In-text citation

There is evidence of a rise in cybercrime (Davies, 2016), which suggests …

Reference list

Davies, R. (2016) UK businesses battling huge rise in cybercrime, report says. Available at: http://www.theguardian.com/technology/2016/feb/25/cybercrime-uk-businesses-battling-huge-rise-silver-fraudsters (Accessed: 17 March 2016).


Internet of Things (IoT) – How private is your private life?

Last November I was invited to give a keynote speech at the 2015 IEEE International Conference on Research in Computational Intelligence and Computer Networks (ICRCICN 2015) held in Kolkata, India.  I chose the topic “The Internet of Everything: How secure should it be?”* The more I thought about the security of the IoT, the more I realised how IoT could make individuals insecure and vulnerable and that the coming of IoT could seriously impact on our privacy!


Job hunting tips

Once more, another cluster of students will be fleeing into the job market, searching for jobs in the field of Computing and Digital Forensics. The skills they have acquired and the knowledge they have gained will once again fall under question… here come the interviews. Shivering in their boots, they wonder what questions will be asked, whether they are worthy of such job descriptions, and whether they know enough to pull through.

Bad passwords or just bad advice?

Another year, another article in the media slamming the password habits of people. Evidently the advice of the past few decades hasn’t quite sunk in, with “123456” taking the award for the most obvious password for the 30th year in a row.

I’m sure we’ve all been guilty at some stage of using bad passwords. I remember being a young teenager, and inviting a friend over to my house in order to create a Hotmail account for MSN Messenger. “What do you want your password to be?” he asked. Being a child who possessed the three quintessential qualities of a teenager: naivety, stupidity and a general smart assary, I thought it would be hilarious to choose the password ihateyou. My reasoning was sound, “Well, if anyone hacks into it then they know I don’t like them”. Genius, really. Unsurprisingly, my Hotmail account was compromised a year later, and I lost my 2MB of e-mail space and my friends list of people who I saw at school every day.

Self-deprecating anecdotes aside, the largest reason for this blog post comes from a BBC article posted a couple of days ago.


Training EU law enforcement officers

Dr Paul Stephens, Director of Computing, Digital Forensics & Cybersecurity, and Georgina Humphries, University Instructor in Computing, spent last week in Ireland presenting a course with colleagues from University College Dublin and Norwegian Police University College to Law Enforcement Officers from across the European Union.  The course sought to teach investigators how to retrieve digital evidence and gather intelligence using the Python programming language.  Funding for the initiative was received from the European Commission, and the course was held under the auspices of the European Cybercrime Training and Education Group (ECTEG), whose activity is coordinated by Europol.

Predicting the density of dark energy

By Mike Hewitt

Recently the School of Law Criminal Justice and Computing funded me to take part in this year’s International Conference on Particle Physics and Cosmology hosted by the University of Warsaw and to present a paper about predicting the density of dark energy – a mysterious property of space which is making the expansion of the universe accelerate. This was a wonderful opportunity to meet researchers from around the world and hear first-hand about the latest developments in our understanding of the structure and evolution of the universe.

Cosmo 2015, Poland

Delegates at the Cosmo 15 Conference in Poland

Find out more on the Cosmo-15 website.

EKC Computing students visit CCCU

On Wednesday 14th October 2015, students studying on the HNC in Computing & Systems Development programme based at East Kent College Broadstairs enjoyed a day at the CCCU Canterbury Campus at the invitation of the academic Computing team.  The day began with a warm welcome and an introduction to Computing degrees at CCCU by Senior Lecturer, Mr Reza Mousoli, which provided the students with possible progression routes for their continued studies once they had completed their HNC programme.

East Kent College Computing students visit CCCU



Open Source: just a development tool, or something more?

What is open-source? You may or may not have heard of it. If you work in IT, chances are that you have definitely heard of it. Most people would probably associate the term with software and software development. Going a bit further, some might associate it with certain software projects, such as the Linux[1] kernel[2] [3], the Apache Webserver[4] [5], or web browsers such as Firefox[6] [7] and Chromium[8] [9] (the open-source version of Google’s Chrome browser)[10]. These projects are all considered open-source licensed.

Curse of the Dreaded Dates

As an undergraduate, I was given a Bash assignment and one of the sub-tasks was to sort some .csv file by date. It took me two weeks to realise that the way we, as British humans, format the date (dd-mm-yyyy) is utterly useless to sort with and simply reversing the date (to yyyy-mm-dd) and treating it as a numerical type (example, 20150810) would guarantee an easy way to sort. It later transpired that formatting dates to yyyy-mm-dd is an ISO standard and what you should be doing when working with dates on computers and whatnot. At the time, though, my undergraduate mind was overjoyed that I managed to solve what was a tricky problem.

Given that previous lesson, you really would have thought that an experienced Joe, having already world exclusively solved the date sorting problem for the standards committees, would not be naive enough to use dates that follow dd-mm-yyyy format when programming.  Well…
