Archive | Cyber security

Every Breath You Take: Reclaim the Internet

2 Sep

by Paul Curzon, Queen Mary University of London

You watch a sad woman through a rainy window. From PIXABAY.com

The 1983 hit song by the Police “Every breath you take” is up there in the top 100 pop songs ever. It seems a charming love song, and some couples even treat it as “their” song, playing it for the first dance at their wedding. Some of the lyrics “Every single day…I’ll be watching you”, if in a loving relationship, might be a good and positive thing. As the Police’s Sting has said though, the lyrics are about exactly the opposite.

It is being sung by a man obsessed with his former girlfriend. He is singing a threat. It is about sinister stalking and surveillance, about nasty use of power by a deranged man over a woman who once loved him.

Reclaim the Internet

Back in 1983 the web barely existed, but what the song describes is now happening every day, with online stalking, trolling and other abuse a big problem. What starts in the virtual world, we now see, spills over into the real world, too. This is one reason why we need to Reclaim the Internet and why online privacy is important. We must all call out online abuse. Prosecutors need to treat it seriously. Social media companies need to find ways to prevent abusive content being posted and remove it quickly. They need easier ways for us to protect our privacy and to know it is protected. They need to be up for the challenge.

Reclaim your privacy

The lyrics fit our lives in another way too, about another kind of relationship. When we click those unreadable consent forms for using a new app, we give permission for the technology companies that we love so much to watch over us. They follow the song as a matter of course (in a loving way they say). They are “watching you” as you keep your gadgets on you “every single day”; “every night you stay” online you are recorded along with anyone you are with online; they watch “every move you make” (physically with location aware devices and virtually, noting every click, every site visited, everything you are interested in they know from your searches); “every step you take” (recorded by your fitness tracker); and “every breath you take” (by your healthcare app); “every bond you break” is logged (as you unlike friends and as you leave websites never to go back); “every game you play” (of course), “every word you say” (everything you type is noted, but the likes of Alexa also record every sound too, shipping your words off to be processed by distant company servers). They really are watching you.

Let’s hope the companies really are loving and don’t turn out to have an ugly underside, changing personality and becoming abusive once they have us snared. Remember their actual aim is to make money for shareholders. They don’t actually love us back. We may fall out of love with them, but by then they will already know everything about us, and will still be watching every move we make. Perhaps you should not be giving up your privacy so freely.

You belong to me?

We probably can’t break our love affair, anyway. We’ve already sold them our souls (for nothing much at all). As the lyrics say: “You belong to me.”


The Cyber-Security Honeypot

28 May

by Paul Curzon, Queen Mary University of London

based on a talk by Jeremiah Onaolapo, UCL

Wasps around a honeypot

To catch criminals, whether old-fashioned ones or cybercriminals, you need to understand the criminal mind. You need to understand how they think and how they work. Jeremiah Onaolapo, a PhD student at UCL, has been creating cyber-honeypots and finding out how cybercriminals really operate.

Hackers share user ids and passwords they have stolen on both open and hidden websites. But what do the criminals who then access those accounts do once inside? If your webmail account has been compromised what will happen? Will you even know you’ve been hacked?

Looking after passwords is important. If someone hacks your account there is probably lots of information you wouldn’t want criminals to find and use: other passwords, bank or shopping site details, personal images, information, links to cloud sites with yet more information about you … By making use of the information they discover, they could cause havoc to your life. But what are cybercriminals most interested in? Do they use hacked accounts just to send spam or phish for more details? Do they search for bank details, launch attacks elsewhere, … or something completely different we aren’t aware of? How do you even start to study the behaviour of criminals without becoming one? Jeremiah knew how hard it is for researchers to study issues like this, so he created some tools to help that others can use too.

His system is based on the honeypot. Police and spies have used various forms of honeytraps, stings and baits successfully for a long time, and the idea is used in computing security too. The idea is that you set up a situation so attractive to people that they can’t resist falling in to your trap. Jeremiah’s involved a set of webmail accounts. His accounts aren’t just normal accounts though. They are all fake, and have software built in that secretly records the activities of anyone accessing the account. They save any emails drafted or sent, details of the messages read, the locations the hackers come in from, and so on. The accounts look real, however. They are full of real messages, sent and received, but with all personal details, such as names and passwords or bank account details, fictionalised. New emails sent from them aren’t actually delivered but just go in to a sinkhole server – where they are stored for further study. This means that no successful criminal activity can happen from the accounts. A lot can be learnt about any cybercriminals though!

Experiments

In an early experiment Jeremiah created 100 such accounts and then leaked their passwords and user ids in different ways: on hacker forums and web pages. Over 7 months hundreds of hackers fell into the trap, accessing the accounts from 29 countries. What emerged were four main kinds of behaviours, not necessarily distinct: the curious, the spammers, the gold diggers and the hijackers. The curious seemed to just be intrigued to be in someone else’s account, but didn’t obviously do anything bad once there. Spammers just used the account to send vast amounts of spam email. Gold diggers went looking for more information like bank accounts or other account details. They were after personal information they could make money from, and also tried to use each account as a stepping stone to others. Finally hijackers took over accounts, changing the passwords so the owner couldn’t get in themselves.
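The four behaviours described above can be expressed as rules over the kind of activity a honey account records. The following is an added example, not code from the research or from this article: the event format, the keyword list and the spam threshold are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict

SPAM_THRESHOLD = 5  # assumed: this many sends in one session counts as spamming
SENSITIVE = ("bank", "password", "card", "account")  # assumed terms of interest

# Constructed sample events: (session, source country, action, detail).
EVENTS = (
    [("s1", "GB", "login", ""), ("s1", "GB", "read", "Re: lunch on Friday")]
    + [("s2", "US", "login", "")]
    + [("s2", "US", "send", "You have won a prize")] * 6
    + [("s3", "FR", "login", ""),
       ("s3", "FR", "search", "bank statement"),
       ("s3", "FR", "read", "Your new card is on its way")]
    + [("s4", "BR", "login", ""),
       ("s4", "BR", "search", "password reset"),
       ("s4", "BR", "password_change", "")]
)


def classify_sessions(events):
    """Return {session: sorted list of behaviour labels}.

    A session can earn several labels, since the article notes the
    behaviours are not necessarily distinct.
    """
    sends = defaultdict(int)
    labels = defaultdict(set)
    for session, _country, action, detail in events:
        found = labels[session]  # creates an entry for every session seen
        text = detail.lower()
        if action == "send":
            sends[session] += 1
        elif action == "password_change":
            found.add("hijacker")  # locks the owner out
        elif action in ("search", "read") and any(w in text for w in SENSITIVE):
            found.add("gold digger")  # hunting for details worth money
    for session, count in sends.items():
        if count >= SPAM_THRESHOLD:
            labels[session].add("spammer")
    # Anyone who got in but triggered no other rule is merely curious.
    return {s: sorted(found) or ["curious"] for s, found in labels.items()}


def source_countries(events):
    """Sorted list of the countries the sessions came in from."""
    return sorted({country for _s, country, _a, _d in events})


if __name__ == "__main__":
    for session, found in classify_sessions(EVENTS).items():
        print(session, ", ".join(found))
    print("countries:", source_countries(EVENTS))
```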

The accounts were used for all sorts of purposes including attempts to use them to buy credit card details and in one extreme case to attempt to blackmail someone else.

Similar behaviours were seen in a second experiment where the account details were only released on hidden websites used by hackers to share account details. In only a month this set of accounts were accessed over a thousand times from more than 50 countries. As might be expected these people were more sophisticated in what they did. More were careful to ensure they cleared up any evidence they had been there (not realising everything was separately being recorded). They wanted to be able to keep using the accounts for as long as possible, so tried to make sure no one knew the account was compromised. They also seemed to be better at covering the tracks of where they actually were.

The Good Samaritan

Not everyone seemed to be there to do bad things though. One person stood out. They seemed to be entering the accounts to warn people – sending messages from inside the account to everyone in the contact list telling them that the account had been hacked. That would presumably also mean those contacted people would alert the real account owner. There are still good samaritans!

Take care

One thing this shows is how important it is to look after your account details: ensure no one knows or can guess them. Don’t enter details in a web page unless you are really sure you are in a secure place both physically and virtually and never tell them to anyone else. Also change your passwords regularly so if they are compromised without you realising, they quickly become useless.

Of course, if you are a cybercriminal, you had better beware as that tempting account might just be a honeypot and you might just be the rat in the maze.

HMS Belfast: destroying the destroyer

7 May

by Paul Curzon, Queen Mary University of London

HMS Belfast

On the South Bank of the Thames in the centre of London lies the HMS Belfast. Now a museum ship, it once took part in one of the most significant sea battles of the Second World War. It fought the Scharnhorst in the last great sea battle based on the power of great guns. The Belfast needed more than just brilliant naval tactics to stand a chance. It needed help from computer science and electronic engineering too. In fact, without some brilliant computer science the battle would never have been fought in the first place. It came about because of the work of the code crackers at Bletchley Park.

Getting supplies across the Atlantic and then round to Russia was critical to both British and Russian survival. By 1943 the threat of submarines had been countered. The battleship Tirpitz had also been disabled. However, the formidable battle cruiser Scharnhorst was left and it was the scourge of the Allied convoys. It sank 11 supply ships in one operation early in 1941. In another, it destroyed a weather station on Spitzbergen island that the Allies used to decide when convoys should set off.

By Christmas 1943 something had to be done about the Scharnhorst, but how to catch it, never mind stop it? A trap was needed. A pair of convoys going to and from Russia were a potential bait. The Nazis knew the target was there for the taking: the Scharnhorst was in a nearby port. Would they take that bait though, and how could the British battle ships be in the right place at the right time to not only stop it, but destroy it?

The Allies had an ace up their sleeve. Computer Science. By this point in the war a top secret team at Bletchley Park had worked out how to crack the Enigma encryption machine that was used to send coded messages by the German Navy. It was always easy to listen in to radio broadcasts, you just needed receivers in the right places, but if the messages were in code that didn’t help. You had to crack the day’s code to know what they were saying. Based on an improved approach, originally worked out by Polish mathematicians, the Brits could do it using special machines that were precursors to the first electronic computers. They intercepted messages that told them that Scharnhorst was preparing to leave. It was taking the bait.

The British had two groups of ships. The Belfast, the Norfolk and the Sheffield were coming from Russia protecting the returning convoy. The HMS Duke of York was tracking the new convoy heading to Russia. Both were keeping their distance so the convoys looked unprotected. They needed to know when and where the Scharnhorst would attack. Bletchley Park were listening in to everything though, and doing it so well they were reading the messages almost as soon as the Germans. At 2am on Boxing Day morning the Belfast got the message from Admiralty Headquarters that SCHARNHORST PROBABLY SAILED AT 1800 25 DECEMBER. A further radio signal from the Scharnhorst asking for a weather report allowed the spies to work out exactly where the ship was by picking up the signal from different listening stations and triangulating: drawing a line on a map from each station in the direction the radio signal came from. The point they meet is the ship’s location. This is an example of meta-data (information about a message rather than the message itself) giving vital information away. The spies had done their job. It was enough to tell Vice Admiral Burnett on the Belfast where the Scharnhorst was aiming to attack the convoys. They could lie in wait. At this point, electronic engineering mattered. The Belfast had better radar than the Scharnhorst. They detected its approach without the Scharnhorst having any idea they were there. The first the Captain of the Scharnhorst knew was when they were hit by shells from the Norfolk. The Belfast ended up out of position at the critical point though and couldn’t join in. The faster Scharnhorst turned tail and ran. The Brits had had their chance and blown it!
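The triangulation step described above, drawing a line from each listening station along the direction of the signal and finding where the lines meet, can be worked through in code. This is an added example, not from the original article: it assumes a flat map with (east, north) coordinates, bearings measured clockwise from north, and constructed station positions. It goes slightly beyond the text by using least squares, so that three or more slightly inaccurate bearings still give a single best fix.

```python
import math


def bearing_to(station, target):
    """Bearing in degrees (clockwise from north) from station to target."""
    dx, dy = target[0] - station[0], target[1] - station[1]
    return math.degrees(math.atan2(dx, dy)) % 360


def locate(observations):
    """Least-squares fix from [((x, y), bearing_degrees), ...].

    Each observation defines a line through the station along the bearing.
    The returned point minimises the sum of squared perpendicular distances
    to all the lines; with exact bearings it is their common intersection.
    """
    a11 = a12 = a22 = b1 = b2 = 0.0
    for (px, py), bearing in observations:
        t = math.radians(bearing)
        dx, dy = math.sin(t), math.cos(t)  # unit vector along the bearing
        # M = I - d d^T keeps only the component perpendicular to the line.
        m11, m12, m22 = 1 - dx * dx, -dx * dy, 1 - dy * dy
        a11 += m11
        a12 += m12
        a22 += m22
        b1 += m11 * px + m12 * py
        b2 += m12 * px + m22 * py
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        raise ValueError("bearings are parallel: no unique fix")
    # Solve the 2x2 system [a11 a12; a12 a22] [x y]^T = [b1 b2]^T.
    return ((b1 * a22 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det)


# Constructed scenario: three stations and a transmitter at (100, 200).
STATIONS = [(0.0, 0.0), (300.0, 0.0), (0.0, 400.0)]
TRANSMITTER = (100.0, 200.0)


def exact_observations():
    return [(s, bearing_to(s, TRANSMITTER)) for s in STATIONS]


def noisy_observations():
    # Constructed bearing errors of +2, -1 and +1 degrees.
    errors = [2.0, -1.0, 1.0]
    return [(s, bearing_to(s, TRANSMITTER) + e) for s, e in zip(STATIONS, errors)]


if __name__ == "__main__":
    print("exact fix:", locate(exact_observations()))
    print("noisy fix:", locate(noisy_observations()))
```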

Burnett now needed luck and intuition. He guessed the Scharnhorst would try another attack on the convoy. They took up a new waiting position rather than actively trying to find the Scharnhorst as others wanted them to do. By midday the radar picked it up again. The trap was reset, though this time the initial surprise was lost. An all out battle began, with radar helping once again, this time as a way to aim shells even when the enemy wasn’t in sight. Having failed to reach the convoy undetected a second time the Scharnhorst retreated as the battle continued. What they didn’t know was that they were retreating deeper into the trap: heading directly towards the waiting Duke of York. The chasing Belfast stopped firing and dropped back, making the Scharnhorst crew think they were safe. In fact, they were still being followed and tracked by radar once more, though only by the Belfast as the other ships had actually been partially disabled. Had the Scharnhorst known, they could have just stopped and taken out the Belfast. After several hours of silent shadowing, the Belfast picked up the Duke of York on the radar, and were able to communicate with them. The Scharnhorst’s radar had been crippled in the battle and its crew thought they were alone.

The Belfast fired shells that lit up the sky behind the Scharnhorst as seen from the Duke of York, then largely watched the battle. Luck was on their side: the Scharnhorst was crippled and then sunk by torpedoes. Over a thousand German sailors sadly died. The crew of the Belfast were well aware that it could just as easily have been them, sealed in to a giant metal coffin, as it sank, and so held a memorial for the dead Germans afterwards.

The Belfast didn’t fire the torpedoes that finally sank the Scharnhorst and was not the key player in the final battle. However, it was the one that was in the right place to save the convoy, thanks to the Enigma decrypts combined with the Vice Admiral’s intuition. It was also the one that pushed the Scharnhorst into the deadly trap, with its superior radar then giving it the advantage.

It is easy to under-estimate the importance of the Bletchley Park team to the war, but they repeatedly made the difference, as with the Scharnhorst, making Allied commanders look amazing. It is much easier to be amazing when you know everything the other side says! The Scharnhorst is just one example of how Computer Science and Electronic Engineering help win wars, and here, in the long run at least, save lives. Today having secure systems matters to everyone not just to those waging war. We rely on them for our bank system, our elections, as well as for our everyday privacy, whether from hacking newspapers or keeping our health records secret from ruthless companies wanting to exploit us. Cyber security matters.


Cyber Security at the Movies: Guardians of the Galaxy (Fail Secure security)

28 Apr

by Paul Curzon, Queen Mary University of London

[Spoiler Alert]

Guardians of the Galaxy Poster

If you are so power hungry you can’t stand the idea of any opposition; if you want to make a grab for total power, so decide to crush everyone in your way, then you might want to think about the security of your power supply first. Luckily, all would-be dictators who crush everyone who gets in their way as they march towards total domination of the galaxy, tend to be very naive about cyber-security.

Take Ronan the Accuser in the original Guardians of the Galaxy film. He’s a villain with a religious streak, whose belief that strength is virtue and weakness is sin leads to his totally corrupted morality. To cut to the guts of the story he manages to get the “Infinity Stone” that gives unimaginable power to its owner. With it he can destroy anyone who gets in his way so sets out to do so.

Luckily for the Galaxy, good-guy Peter Quill, or Star-Lord as he wants to be known, and his fellow Guardians have a plan. More to the point they have Gamora. She is an assassin originally sent to kill Quill, but who changes sides early on. She is an insider who knows how Ronan’s security system works, and it has a flaw: its big, heavy security doors into his control room.


Security Lesson 1. It should still be secure even when the other side know everything about how it works. If your security relies on no one knowing, it’s almost certainly bad security!


Once inside his ship, to get to Ronan the Guardians will need to get through those big heavy security doors. Now once upon a time big, heavy doors were locked and barred with big, heavy bolts. Even in Roman times you needed a battering ram to get in to a besieged city if they had shut the doors before you got there. Nowadays, however big and heavy the door, you may just need some cyber skills to get in if the person designing it didn’t think it through.

Electromagnetic locks are used all over the place and they give some big advantages, such as the fact that they mean you can program who is and isn’t allowed entry. Want to keep someone out – you can just cancel their keycard in the system. They are held locked by electromagnets: magnets that are switched on and off using an electric current. That means computers can control them. As the designer of an electromagnetic lock you have a choice, though. You can make them either “fail safe” or “fail secure”. With a fail safe lock, when the power goes, the doors automatically unlock. With fail secure, instead they lock. It’s just a matter of whether the magnet is holding the door open or closed. Which you choose when designing the lock depends on your priorities.

Fail safe is a good idea, for example, if you want people to be able to escape in an emergency. If a fire cuts the electricity you want everyone to still be able to get out, not be locked in with no chance of escape. Fail secure on the other hand is good if you don’t want thieves to be able to get in just by cutting the power. The magnets hold the bolts open, so when the power goes, they spring shut.


Security Lesson 2. If you want the important things to stay secure, you need a fail secure system.


This is Ronan’s problem. Gamora knows that if you cut the power supply then the doors preventing attackers getting to him just open! He needed a fail secure door, but instead had a fail safe one installed. On such small things are galaxies won and lost! All Gamora has to do is cut the power and they can get to him. This of course leads to the next flaw in his security system. It wouldn’t have mattered if the power supply was on the secure side of that door, but it wasn’t. Ronan locks himself in and Gamora can cut the power from the outside … Dhurr!

There is one last thing that could have saved Ronan. It needed an uninterruptible power supply.


Security Lesson 3. If your system is reliant on the power supply, whether a door, your data, your control system or your life-support system, then it should keep going even if the power is switched off.


After all, what if the space ship’s cleaners (you never see them but they must be there somewhere!) unplug the door lock by mistake just because they need somewhere to plug in the hoover?

The solution is simple: use an “uninterruptible power supply”. They are just very fast electricity storage systems that immediately and automatically take over if the main power cuts out. The biggest on Earth keeps the power going for a whole city in Alaska (you do not want to lose the power running your heating mid-winter if you live in Alaska!). Had Ronan’s doors had a similar system, the doors wouldn’t have just opened as the power would not have been cut off.

It’s always the small details that matter in cyber security (and in successfully destroying your enemies and so ruling the universe). As with all computational thinking, you have to think about everything in advance. If you don’t look after your power supply, then you may well lose all your power over the galaxy too (and your life)!

