Posts

Showing posts from 2016

Are we losing the Internet Security battle?

I was recently invited by Heimdal Security to take part in an expert roundup, with the theme of "Is Internet Security a Losing Battle?".  The main thrust of my answer was to question our use of analogies of conflict in the context of Internet Security or cyber security.  As I said in my response:
"... in this context the metaphors of conflict, such as ‘war’ and ‘battle’ are unhelpful because they suggest that internet security is the responsibility of the technologists who act as our defensive force against attackers.   Instead, as has been argued by technology activists like Cory Doctorow and others, we might have more success by thinking of cyber security using the analogy of public health and communicable diseases.   By using this analogy, we make cyber security issues more relevant to people and spur them to gain a better understanding that, like diseases, any of us can be afflicted by a cyber security attack.  We can also adopt an analogous approach for handling cyber …

Privacy-by-Design Framework for Internet of Things Systems

IOT-2016 7-9 September, 2016, Stuttgart, Germany from Charith Perera
Recent DDoS attacks on key internet services, like the attack that affected the Dyn domain name service, highlighted the security challenges associated with the proliferation of insecure Internet of Things (IoT) systems.  This attack exploited common weaknesses, such as the use of default administration passwords on IoT devices like internet-enabled CCTV cameras, internet-enabled appliances and smart home devices, to recruit hundreds of thousands of nodes into a botnet.   The scale of that attack highlights the cyber security threats associated with the IoT and brings into sharp relief the importance of considering both security and privacy when designing these systems.

In recent work, presented at the Internet of Things Conference, we describe a privacy-by-design framework for assessing the privacy capabilities of IoT applications and platforms.  Building on more general design strategies for privacy in information …

Privacy Itch and Scratch

Ubiquitous computing technologies are being used to collect, process and share increasing amounts of personal information, from our location and physical activity levels to the things we buy and the web pages we read.  Although these developments have created a wealth of new applications that engage and entertain us, they also pose significant challenges for our privacy - particularly the challenge of maintaining awareness and control over our personal information flows as we go about our daily lives.

My colleagues, Vikram Mehta, Blaine Price and Bashar Nuseibeh, and I have been exploring new interaction metaphors for enhancing our privacy awareness and control.  Our earlier work in this area used haptic interactions through the user's smartphone to enable privacy controls to be configured by physically shaking and moving the device (PrivacyShake).   More recently we have been exploring the role of on-body interfaces to achieve more subtle and non-intrusive mechanisms for privacy …

Learning Privacy Norms for Social Software

Privacy Dynamics: Learning Privacy Norms for Social Software from Arosha Bandara
The slides above are from a presentation of our work on learning privacy norms for social software at the Symposium on Engineering Adaptive and Self-Managing Systems (SEAMS) in Austin, Texas.  The paper describes an architecture for integrating privacy management capabilities into social applications that integrate sharing functionality using social media platforms like Facebook.  The following summary is extracted from the abstract of the paper that accompanies this presentation:

Privacy Dynamics is an adaptive architecture that learns privacy norms for different audience groups based on users’ sharing behaviours. Our architecture is underpinned by a formal model inspired by social identity theory, a social psychology framework for analysing group processes and intergroup relations. Our formal model comprises two main concepts, the group membership as a Social Identity (SI) map and privacy norms as a set…

Cyber Security Awareness across the Middle-East

Over the past year, I have been working with colleagues at Qatar University's KINDI Centre for Computing Research to adapt the Introduction to Cyber Security course for the Arabic-speaking world.

After an initial workshop with a variety of stakeholders across the region, we designed two versions of the course: one aimed at improving workplace cyber security awareness, and the other providing a broader overview that aims to raise awareness among the general public.  Both courses will be made available in Arabic and English, the latter in recognition of the fact that there is a large cadre of expatriates in the Gulf region.

The courses are already open for registration, hosted on the Canvas platform, but will be formally launched at Qatar University today.  The video above is one of the publicity trailers produced to promote this project.  For more information, see the KINDI Centre for Computing Research website.

Who's been typing on my keyboard?

Wired magazine reports on some research carried out by Bastille, where attackers can hijack proprietary wireless keyboard (and mouse) dongles from over 100 yards away.  The attack exploits firmware vulnerabilities in a particular radio communications chip used by wireless input devices.   It seems to be a popular piece of hardware, which is integrated into several computer manufacturers' wireless input devices.
The report only discusses hijacking the target computer, and it is not clear if the technique can also be used to log the keystrokes of the victim's keyboard.  However, it seems straightforward that an attacker could use the capability to inject the keystrokes needed to make the target computer download and execute a more significant malware payload.  Of course, the computer would have to be unlocked for this to work, which in practice means the attacker would need to be able to see the victim's screen.  Alternatively, an attacker could simply keep trying to send their commands, making sure to backspace an…
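One defensive observation follows from the attack sketched above: keystrokes injected through a hijacked dongle arrive at a rate no human typist sustains, and an attacker who "keeps trying" and backspaces over their mistakes produces a tell-tale burst. The following is an added example, not code from the original post or from Bastille's research; it scans a constructed input-event log, flags runs of keys whose inter-arrival interval is below a threshold, and reconstructs the effective text including the effect of Backspace. The 20 ms threshold, the minimum run length of 8 keys, the event format and the sample events are all assumptions made for illustration.

```python
"""Flag machine-speed keystroke bursts in an input-event log.

Added example (not from the original post). Keystroke injection over a
hijacked wireless dongle arrives far faster than human typing, so a
simple inter-key-interval check over an event log can surface a burst
and show what the injected keys would have typed. All events below are
constructed for the example; the thresholds are assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class KeyEvent:
    t_ms: int   # timestamp of the key press, in milliseconds
    key: str    # key name: single character, or "Enter", "Backspace", "Meta", ...


# Constructed sample log (assumption for illustration):
#   - a human types "hello" + Enter at ~150-200 ms per key,
#   - an injected burst arrives at 5 ms per key, including a stray "x"
#     that is backspaced away before the real keys,
#   - the human resumes typing afterwards.
_HUMAN_1 = [KeyEvent(0, "h"), KeyEvent(210, "e"), KeyEvent(360, "l"),
            KeyEvent(520, "l"), KeyEvent(700, "o"), KeyEvent(900, "Enter")]
_INJECTED_KEYS = ["x", "Backspace", "Meta", "r",
                  "n", "o", "t", "e", "p", "a", "d", "Enter"]
_INJECTED = [KeyEvent(5000 + 5 * i, k) for i, k in enumerate(_INJECTED_KEYS)]
_HUMAN_2 = [KeyEvent(9000, "o"), KeyEvent(9200, "k")]
SAMPLE_EVENTS: List[KeyEvent] = _HUMAN_1 + _INJECTED + _HUMAN_2


def effective_text(keys: List[str]) -> str:
    """Reconstruct what a run of keys actually types.

    Backspace removes the previous character (if any); printable keys are
    appended as-is; other special keys are rendered as <Name> so the
    reconstructed text stays readable.
    """
    out: List[str] = []
    for k in keys:
        if k == "Backspace":
            if out:
                out.pop()
        elif len(k) == 1:
            out.append(k)
        else:
            out.append(f"<{k}>")
    return "".join(out)


def find_bursts(events: List[KeyEvent],
                max_interval_ms: int = 20,
                min_len: int = 8) -> List[Tuple[int, int, str]]:
    """Return (start_index, end_index, effective_text) for each run of at
    least min_len events whose consecutive inter-arrival intervals are all
    at most max_interval_ms. Human typing at ~100+ ms per key never forms
    such a run, so anything reported is worth a second look.
    """
    bursts: List[Tuple[int, int, str]] = []
    start = 0
    for i in range(1, len(events) + 1):
        # A run ends at the end of the log or at the first "slow" interval.
        if i == len(events) or events[i].t_ms - events[i - 1].t_ms > max_interval_ms:
            if i - start >= min_len:
                keys = [e.key for e in events[start:i]]
                bursts.append((start, i - 1, effective_text(keys)))
            start = i
    return bursts


if __name__ == "__main__":
    for start, end, text in find_bursts(SAMPLE_EVENTS):
        span = SAMPLE_EVENTS[end].t_ms - SAMPLE_EVENTS[start].t_ms
        print(f"burst: events {start}-{end}, {end - start + 1} keys in {span} ms, "
              f"typed: {text!r}")
```

On the sample log the scanner reports a single burst of twelve keys that, after the stray "x" is backspaced away, amounts to opening a run dialog and typing a command; the six human keystrokes before it and the two after it are never reported. The thresholds are deliberately conservative: raising min_len reduces false positives from keyboard auto-repeat, while the interval threshold should stay well below the fastest human inter-key time observed on the host.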