Here we go again … passwords marked never to be used, still in the top ten

Our previous post by Joseph Williams titled ‘Bad passwords or just bad advice’ discussed the poor password habits of an online savvy society. Discussing that “the past few decades [of password advice] hasn’t quite sunk in” (Williams, 2016). In light of the leak of a Yahoo database, most likely tied to the huge data hack in recent headlines, researchers have once again looked at the most popular passwords uncovered.

Insecure passwords such as “123456”, “password”, “abc123”, “welcome” and “qwerty” were among the top ten exposed (Wang et al., 2016). Amongst these classic passwords, other users were using simple combinations of easily identifiable information (e.g. name, age and birthday). Generally, some users make their passwords easy to remember and simple for convenience. Yet, this leads us to an argument of convenience vs security. Continue reading

Cheap(ish) Scanning at Home using a Microsoft® Kinect

It is accurate to say that everybody knows what a printer is – a device that puts information on paper. Fast-forward to the 21-century, and printers still have a place in the world. Although now, the most common form of a printer is one which prints information from the computer onto paper. There are a variety of printers available to do this including inkjet, laser and dot-matrix – the latter of which is no longer in common usage (thankfully).

In a similar way that the aforementioned computer printers print 2-dimensional information onto paper, 3-dimensional printers can create objects using plastic. This is done using a heated nozzle laying down layers of molten plastic in a pre-defined pattern. The layers (which are commonly a fraction of a millimetre thick) eventually build up into an object.

Continue reading

A warm welcome to our new Computing, Digital Forensics and Cybersecurity Students

The Welcome Programme 2016 at Christ Church University (CCCU) gave us a delightful opportunity to welcome our new 2016/17 undergraduate students to Computing.

Students were provided with a timetable of stimulating, introductory and fun activities/events to socialise, make friends, and discover what it means to learn at CCCU in Computing. A social gathering welcomed students to meet the team, get to know each other, and get to know their lecturers.

First week (26 – 30 September) of teaching for our new students, and a welcome back to existing students, we hope you are all settling into the swing of things. We would like to provide our new students with a few tips for keeping organised from the beginning of your studies.

So let’s get started …

Continue reading

How vulnerable are you?

You might be one of those people who always update their devices as soon as a patch comes out.  Maybe you like to wait a while to let the inevitable “Version x.y.z broke my wifi” niggles get resolved; perhaps you even take the view “if it’s not broke, don’t fix it!”.   Whatever your appetite for risk, there is almost certainly going to be some vulnerability that you are exposed to and there’s little you can do to avoid it.

Lets take an example.  Let’s say you have an iPhone running a flavor of iOS.  Not so long ago, it used to be that Apple products boasted there was no need for security protection.  Apple even used this in their marketing: “MAC vs PC Commercial – Viruses” (Apple Videos, 2007)

But time has moved on and the bad guys eventually realized there were a growing number of people out there with unprotected devices just aching to be exploited.  In the case of the iPhone, there are plenty of ways for others to get their hands on your cash, your identity or just your messages and contacts.

We all now know that iPhones are no longer the once fabled secure place that even the FBI can’t invade; a sort of digital embassy where its digital citizens can feel secure from hostile interests.   The San Bernardino iPhone put a stop to that idea.  The phone was reportedly unlocked using a zero-day exploit: “FBI vs San Bernardino iPhone Case cracked by hackers zero day” (Smith, 2016)

Zero-day exploits are weaknesses in systems that are either unknown by the vendor or not yet patched in the wild.  A bit like going out, remembering you left a window open and then trying to get in touch with your neighbor who has keys to enter your home and close it before you are robbed.

Security researchers are constantly looking for these zero-days exploits to get them confirmed and published as quickly as possible.  If you want to see how vulnerable you really are before Abobe, Apple, Microsoft or other vendors decide to warn you, you need to take a look at the CVE database.

The Common Vulnerabilities and Exposures (CVE) database houses a dictionary of cyber security vulnerabilities you really need to know about if you are going to make informed decisions on what risks you choose to tolerate and those you cannot.  You can search by keyword or by providing a CVE identifier.  Each identifier refers to an individual reported vulnerability (CVE, 2015).

Another, slightly more detailed resource that is linked to the MITRE database is here: (MITRE, 2016)

This site is particularly good for visually spotting trends in known cyber security issues.  Take a search for Apple iPhone’s iOs:

VulnerabilityTrendsOverTime

VulnerabilitiesByType

Source: “Apple Iphone Os: Vulnerability Statistics” (2016)

Ignoring the partial 2016 results, there is a clear upward trend in iOS vulnerabilities.

So imagine you see a notification pop up telling you to update your phone. What’s the risk if you don’t?  Let’s say you check out the update on Apple’s website:

SecurityContentiOS93.png

Source: Apple Inc. (2016)

Is Apple telling us everything here?  Let’s look up the CVE number CVE-2016-1734.  We can look this up on MITRE’s website and this will give you a little more independent detail that the Vendor may provide on their own page (bear in mind that no vendor likes to admit there are weaknesses in their products).

Lookup the CVE identifier on the cvedetails.com website we find:

CVSSscoresTypes.png

Source: “Vulnerability Details : CVE-2016-1734” (2016)

This informs us of a total disclosure of system files, a total compromising of the system, rendering the system (your phone) unusable without any credentials being needed.  From the same page you can also check what other risks you are taking from the same version of iOS.  Clicking on the Vulnerabilities link for iOS v9.2.1:

ProductsAffectedCVE

This leads to a page of 38 other issues (at the time of writing) with iOS 9.2.1, colour coded with red, amber and green to given a threat score.

iPhoneSecurityVulnerabilities.png

So before you ignore that update notice on your laptop, phone or other device, at least be more informed about the risk you are taking.

It’s time to write an essay – don’t forget your references!

Thank you to Lynsey Blandford for this great post!

We’ve all been there, an essay is due within a week or even days and so we start to quickly read around our subject.  It’s really easy to forget to make a note of where we’ve found interesting ideas or even a page number for a quotation.  Why is that important?  Firstly, it’s only fair to acknowledge others’ work, but secondly, forgetting to reference will look like plagiarism!  If this scenario is familiar, follow these tips and it’ll make your life much easier come deadline day.

  1. You’ll need a list of references and also a bibliography at the end of your essay. If you refer to a writer or source, this will need to be included in your references list as well as your bibliography.
  2. Throughout your essay there should also be references either alongside a quotation or even just a mention of another person’s idea or work.
  3. There are different ways to reference different types of sources, here are some examples:

Online

In-text citation

There is evidence of a rise in cybercrime (Davies, 2016), which suggests …

Reference list

Davies, R. (2016) UK businesses battling huge rise in cybercrime, report says. Available at: http://www.theguardian.com/technology/2016/feb/25/cybercrime-uk-businesses-battling-huge-rise-silver-fraudsters (Accessed: 17 March 2016).

Continue reading

Internet of Things (IoT) – How private is your private life?

Last November I was invited to give a keynote speech at the 2015 IEEE International Conference on Research in Computational Intelligence and Computer Networks (ICRCICN 2015) held in Kolkata, India.  I chose the topic “The Internet of Everything: How secure should it be?”* The more I thought about the security of the IoT, the more I realised how IoT could make individuals insecure and vulnerable and that the coming of IoT could seriously impact on our privacy!

Continue reading

Job hunting tips

Once more, another cluster of students will be fleeing into the job market, searching for jobs in the field of Computing and Digital Forensics. Skills they have acquired and knowledge they have gained, will once again, fall under question… here come the interviews. Shivering in their boots, thoughts raised over what questions will be asked, are they worthy enough for such job descriptions and do they know everything and enough to pull through? Continue reading

Bad passwords or just bad advice?

Another year, another article in the media slamming the password habits of people. Evidently the advice of the past few decades hasn’t quite sunk in, with “123456” taking the award for the most obvious password for the 30th year in a row.

I’m sure we’ve all been guilty at some stage of using bad passwords. I remember being a young teenager, and inviting a friend over to my house in order to create a Hotmail account for MSN Messenger. “What do you want your password to be?” he asked. Being a child who possessed the three quintessential qualities of a teenager: naivety, stupidity and a general smart assary, I thought it would be hilarious to choose the password ihateyou. My reasoning was sound, “Well, if anyone hacks into it then they know I don’t like them”. Genius, really. Unsurprisingly, my Hotmail account was compromised a year later, and I lost my 2MB of e-mail space and my friends list of people who I saw at school every day.

Self-deprecating anecdotes aside, the largest reason for this blog post comes from a BBC article posted a couple of days ago.

Continue reading

Training EU law enforcement officers

paul-and-georginaDr Paul Stephens, Director of Computing, Digital Forensics & Cybersecurity and Georgina Humphries, University Instructor in Computing spent last week in Ireland presenting a course with colleagues from University College Dublin and Norwegian Police University College to Law Enforcement Officers from across the European Union.  The course sought to teach investigators how to retrieve digital evidence and gather intelligence using the Python programming language.  Funding for the initiative was received from the European Commission and was held under the auspices of the European Cybercrime Training and Education Group (ECTEG) whose activity is coordinated by Europol.

Predicting the density of dark energy

By Mike Hewitt

Recently the School of Law Criminal Justice and Computing funded me to take part in this year’s International Conference on Particle Physics and Cosmology hosted by the University of Warsaw and to present a paper about predicting the density of dark energy – a mysterious property of space which is making the expansion of the universe accelerate. This was a wonderful opportunity to meet researchers from around the world and hear first-hand about the latest developments in our understanding of the structure and evolution of the universe.

Cosmo 2015, Poland

Delegates at the Cosmo 15 Conference in Poland

Find out more on the Cosmo-15 website.