Security in light of Drone Delivery

In recent news Amazon’s Prime Air has successfully completed its first drone delivery, and we get to see the actual flight footage … no simulation!

For a number of years we have known of the intentions for companies to experiment with the use of drones for the delivery of parcels. Back in 2015 we saw a video released by Amazon which explained how the process would work, for Amazon Prime Air, noting we could eventual see the delivery of individual packages within 30 minutes of ordering. Since, Amazon has begun its trials for Prime Air’s drone delivery service. Currently trials are being run nearby to Amazon’s drone testing facility near Cambridge.

Amazon released official footage of the first ever successful drone delivery in the middle of December 2016. The video (below) demonstrates a customer who ordered an Amazon TV streaming stick and a bag of popcorn to their own garden. It is reported that the delivery, with no human pilot involved, delivered the package to the customer in 13 minutes from the click for delivery (Bezos, 2016).

Continue reading

Advertisements

Here we go again … passwords marked never to be used, still in the top ten

Our previous post by Joseph Williams titled ‘Bad passwords or just bad advice’ discussed the poor password habits of an online savvy society. Discussing that “the past few decades [of password advice] hasn’t quite sunk in” (Williams, 2016). In light of the leak of a Yahoo database, most likely tied to the huge data hack in recent headlines, researchers have once again looked at the most popular passwords uncovered.

Insecure passwords such as “123456”, “password”, “abc123”, “welcome” and “qwerty” were among the top ten exposed (Wang et al., 2016). Amongst these classic passwords, other users were using simple combinations of easily identifiable information (e.g. name, age and birthday). Generally, some users make their passwords easy to remember and simple for convenience. Yet, this leads us to an argument of convenience vs security. Continue reading

Cheap(ish) Scanning at Home using a Microsoft® Kinect

It is accurate to say that everybody knows what a printer is – a device that puts information on paper. Fast-forward to the 21-century, and printers still have a place in the world. Although now, the most common form of a printer is one which prints information from the computer onto paper. There are a variety of printers available to do this including inkjet, laser and dot-matrix – the latter of which is no longer in common usage (thankfully).

In a similar way that the aforementioned computer printers print 2-dimensional information onto paper, 3-dimensional printers can create objects using plastic. This is done using a heated nozzle laying down layers of molten plastic in a pre-defined pattern. The layers (which are commonly a fraction of a millimetre thick) eventually build up into an object.

Continue reading

A warm welcome to our new Computing, Digital Forensics and Cybersecurity Students

The Welcome Programme 2016 at Christ Church University (CCCU) gave us a delightful opportunity to welcome our new 2016/17 undergraduate students to Computing.

Students were provided with a timetable of stimulating, introductory and fun activities/events to socialise, make friends, and discover what it means to learn at CCCU in Computing. A social gathering welcomed students to meet the team, get to know each other, and get to know their lecturers.

First week (26 – 30 September) of teaching for our new students, and a welcome back to existing students, we hope you are all settling into the swing of things. We would like to provide our new students with a few tips for keeping organised from the beginning of your studies.

So let’s get started …

Continue reading

How vulnerable are you?

You might be one of those people who always update their devices as soon as a patch comes out.  Maybe you like to wait a while to let the inevitable “Version x.y.z broke my wifi” niggles get resolved; perhaps you even take the view “if it’s not broke, don’t fix it!”.   Whatever your appetite for risk, there is almost certainly going to be some vulnerability that you are exposed to and there’s little you can do to avoid it.

Lets take an example.  Let’s say you have an iPhone running a flavor of iOS.  Not so long ago, it used to be that Apple products boasted there was no need for security protection.  Apple even used this in their marketing: “MAC vs PC Commercial – Viruses” (Apple Videos, 2007)

But time has moved on and the bad guys eventually realized there were a growing number of people out there with unprotected devices just aching to be exploited.  In the case of the iPhone, there are plenty of ways for others to get their hands on your cash, your identity or just your messages and contacts.

We all now know that iPhones are no longer the once fabled secure place that even the FBI can’t invade; a sort of digital embassy where its digital citizens can feel secure from hostile interests.   The San Bernardino iPhone put a stop to that idea.  The phone was reportedly unlocked using a zero-day exploit: “FBI vs San Bernardino iPhone Case cracked by hackers zero day” (Smith, 2016)

Zero-day exploits are weaknesses in systems that are either unknown by the vendor or not yet patched in the wild.  A bit like going out, remembering you left a window open and then trying to get in touch with your neighbor who has keys to enter your home and close it before you are robbed.

Security researchers are constantly looking for these zero-days exploits to get them confirmed and published as quickly as possible.  If you want to see how vulnerable you really are before Abobe, Apple, Microsoft or other vendors decide to warn you, you need to take a look at the CVE database.

The Common Vulnerabilities and Exposures (CVE) database houses a dictionary of cyber security vulnerabilities you really need to know about if you are going to make informed decisions on what risks you choose to tolerate and those you cannot.  You can search by keyword or by providing a CVE identifier.  Each identifier refers to an individual reported vulnerability (CVE, 2015).

Another, slightly more detailed resource that is linked to the MITRE database is here: (MITRE, 2016)

This site is particularly good for visually spotting trends in known cyber security issues.  Take a search for Apple iPhone’s iOs:

VulnerabilityTrendsOverTime

VulnerabilitiesByType

Source: “Apple Iphone Os: Vulnerability Statistics” (2016)

Ignoring the partial 2016 results, there is a clear upward trend in iOS vulnerabilities.

So imagine you see a notification pop up telling you to update your phone. What’s the risk if you don’t?  Let’s say you check out the update on Apple’s website:

SecurityContentiOS93.png

Source: Apple Inc. (2016)

Is Apple telling us everything here?  Let’s look up the CVE number CVE-2016-1734.  We can look this up on MITRE’s website and this will give you a little more independent detail that the Vendor may provide on their own page (bear in mind that no vendor likes to admit there are weaknesses in their products).

Lookup the CVE identifier on the cvedetails.com website we find:

CVSSscoresTypes.png

Source: “Vulnerability Details : CVE-2016-1734” (2016)

This informs us of a total disclosure of system files, a total compromising of the system, rendering the system (your phone) unusable without any credentials being needed.  From the same page you can also check what other risks you are taking from the same version of iOS.  Clicking on the Vulnerabilities link for iOS v9.2.1:

ProductsAffectedCVE

This leads to a page of 38 other issues (at the time of writing) with iOS 9.2.1, colour coded with red, amber and green to given a threat score.

iPhoneSecurityVulnerabilities.png

So before you ignore that update notice on your laptop, phone or other device, at least be more informed about the risk you are taking.

It’s time to write an essay – don’t forget your references!

Thank you to Lynsey Blandford for this great post!

We’ve all been there, an essay is due within a week or even days and so we start to quickly read around our subject.  It’s really easy to forget to make a note of where we’ve found interesting ideas or even a page number for a quotation.  Why is that important?  Firstly, it’s only fair to acknowledge others’ work, but secondly, forgetting to reference will look like plagiarism!  If this scenario is familiar, follow these tips and it’ll make your life much easier come deadline day.

  1. You’ll need a list of references and also a bibliography at the end of your essay. If you refer to a writer or source, this will need to be included in your references list as well as your bibliography.
  2. Throughout your essay there should also be references either alongside a quotation or even just a mention of another person’s idea or work.
  3. There are different ways to reference different types of sources, here are some examples:

Online

In-text citation

There is evidence of a rise in cybercrime (Davies, 2016), which suggests …

Reference list

Davies, R. (2016) UK businesses battling huge rise in cybercrime, report says. Available at: http://www.theguardian.com/technology/2016/feb/25/cybercrime-uk-businesses-battling-huge-rise-silver-fraudsters (Accessed: 17 March 2016).

Continue reading

Internet of Things (IoT) – How private is your private life?

Last November I was invited to give a keynote speech at the 2015 IEEE International Conference on Research in Computational Intelligence and Computer Networks (ICRCICN 2015) held in Kolkata, India.  I chose the topic “The Internet of Everything: How secure should it be?”* The more I thought about the security of the IoT, the more I realised how IoT could make individuals insecure and vulnerable and that the coming of IoT could seriously impact on our privacy!

Continue reading

Job hunting tips

Once more, another cluster of students will be fleeing into the job market, searching for jobs in the field of Computing and Digital Forensics. Skills they have acquired and knowledge they have gained, will once again, fall under question… here come the interviews. Shivering in their boots, thoughts raised over what questions will be asked, are they worthy enough for such job descriptions and do they know everything and enough to pull through? Continue reading

Bad passwords or just bad advice?

Another year, another article in the media slamming the password habits of people. Evidently the advice of the past few decades hasn’t quite sunk in, with “123456” taking the award for the most obvious password for the 30th year in a row.

I’m sure we’ve all been guilty at some stage of using bad passwords. I remember being a young teenager, and inviting a friend over to my house in order to create a Hotmail account for MSN Messenger. “What do you want your password to be?” he asked. Being a child who possessed the three quintessential qualities of a teenager: naivety, stupidity and a general smart assary, I thought it would be hilarious to choose the password ihateyou. My reasoning was sound, “Well, if anyone hacks into it then they know I don’t like them”. Genius, really. Unsurprisingly, my Hotmail account was compromised a year later, and I lost my 2MB of e-mail space and my friends list of people who I saw at school every day.

Self-deprecating anecdotes aside, the largest reason for this blog post comes from a BBC article posted a couple of days ago.

Continue reading

Training EU law enforcement officers

paul-and-georginaDr Paul Stephens, Director of Computing, Digital Forensics & Cybersecurity and Georgina Humphries, University Instructor in Computing spent last week in Ireland presenting a course with colleagues from University College Dublin and Norwegian Police University College to Law Enforcement Officers from across the European Union.  The course sought to teach investigators how to retrieve digital evidence and gather intelligence using the Python programming language.  Funding for the initiative was received from the European Commission and was held under the auspices of the European Cybercrime Training and Education Group (ECTEG) whose activity is coordinated by Europol.