University of Cambridge - computer security /taxonomy/subjects/computer-security en Making the digital world a safer place /stories/improving-computer-security <div class="field field-name-field-content-summary field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p><p>New technology developed by Cambridge researchers and Arm to make our computers more secure is being put through its paces by tech companies in the UK and around the world. </p> </p></div></div></div> Wed, 25 May 2022 09:49:36 +0000 skbf2 232371 at Architecting the future /stories/arm <div class="field field-name-field-content-summary field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p><p>Arm is working with Cambridge researchers to make our phones and computers more secure, more efficient and ready for the digital revolution.</p> </p></div></div></div> Tue, 08 Dec 2020 16:17:50 +0000 skbf2 220481 at Combating cybercrime when there's plenty of phish in the sea /research/features/combating-cybercrime-when-theres-plenty-of-phish-in-the-sea <div class="field field-name-field-news-image field-type-image field-label-hidden"><div class="field-items"><div class="field-item even"><img class="cam-scale-with-grid" src="/sites/default/files/styles/content-580x288/public/news/research/features/161020teqis-graffitti-phishlasthuckleberry.jpg?itok=sC6xqJpZ" alt="" title="TeQi&#039;s Graffitti Phish, Credit: LastHuckleBerry" /></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>We’ve all received the emails, hundreds, maybe thousands of them. Warnings that our bank account will be closed tomorrow, and we’ve only got to click a link and send credit card information to stop it from happening. Promises of untold riches, and it will only cost a tiny fee to access them. 
Stories of people in desperate circumstances, who only need some kind soul to go to the nearest Western Union and send a money transfer to save them.</p> <p>Tricking people into handing over sensitive information such as credit card details – known as ‘phishing’ – is one of the ways criminals scam people online. Most of us think we’re smarter than these scams. Most of us think that we could probably con the con artist if we tried. But we would be wrong.</p> <p>Across the world, cybercrime is booming. When the UK government included cybercrime in the national crime statistics for the first time in 2015, it doubled the crime rate overnight. Millions of people worldwide are victimised by online scams, whether it’s blocking access to a website, stealing personal or credit card information, or attempting to extort money by remotely holding the contents of a personal computer hostage.</p> <p>“Since 2005, the police have largely ignored cybercrime,” says Professor Ross Anderson of Cambridge’s Computer Laboratory. “Reported crime fell by as much as a half in some categories. Yet, now that online and electronic fraud are included, the number of reported crimes has more than doubled. Crime was not falling; it was just moving online.”</p> <p>In 2015, computer scientists, criminologists and legal academics joined forces to form the <a href="https://www.cambridgecybercrime.uk/">Cambridge Cybercrime Centre</a>, with funding from the Engineering and Physical Sciences Research Council. 
Their aim is to help governments, businesses and ordinary users to construct better defences.</p> <p>To understand how the criminals operate, researchers use machine learning and other techniques to recognise bad websites, understand what kinds of brands tend to be attacked and how often, determine how many criminals are behind an attack by looking at the pattern of the creation of fake sites and how effective the various defence systems are at getting them taken down.</p> <p>One way in which studying cybercrime differs from many other areas of research is that the datasets are difficult to come by. Most belong to private companies, and researchers need to work hard to negotiate access. This is generally done through nondisclosure agreements, even if the data is out of date. And once researchers complete their work, they cannot make the data public, since it would reduce the competitive advantage of corporate players, and it may also make it possible for criminals to reverse engineer what was detected (and what wasn’t) and stay one step ahead of law enforcement.</p> <p>One of the goals of the Cambridge Cybercrime Centre is to make it easier for cybercrime researchers from around the world to get access to data and share their results with colleagues.</p> <p>To open up cybercrime research to colleagues across the globe, the team will leverage their existing relationships to collect and store cybercrime datasets, and then any bona fide researcher can sign a licence with the Centre and get to work without all the complexity of identifying and approaching the data holders themselves.</p> <p>“Right now, getting access to data in this area is incredibly complicated,” says Dr Richard Clayton of Cambridge’s Computer Laboratory, who is also Director of the Centre. “But we think the framework we’ve set up will create a step change in the amount of work in cybercrime that uses real data. 
More people will be able to do research, and by allowing others to work on the same datasets more people will be able to do reproducible research and compare techniques, which is done extremely rarely at the moment.”</p> <p>One of the team helping to make this work is Dr Julia Powles, a legal researcher cross-appointed between the Computer Laboratory and Faculty of Law. “There are several hurdles to data sharing,” says Powles. “Part of my job is to identify which ones are legitimate – for example, when there are genuine data protection and privacy concerns, or risks to commercial interests – and to work out when we are just dealing with paper tigers. We are striving to be as clear, principled and creative as possible in ratcheting up research in this essential field.”</p> <p>Better research will make for better defences for governments, businesses and ordinary users. Today, there are a lot more tools to help users defend themselves against cybercrime – browsers are getting better at recognising bad URLs, for example – but, at the same time, criminals are becoming ever more effective, and more and more people are getting caught in their traps.</p> <p>“You don’t actually have to be as clever as people once thought in order to fool a user,” says Clayton when explaining how fake bank websites are used to ‘phish’ for user credentials. “It used to be that cybercriminals would register a new domain name, like Barclays with two Ls, for instance. But they generally don’t do that for phishing attacks anymore, as end users aren’t looking at the address bar, they’re looking at whether the page looks right, whether the logos look right.”</p> <p>The Centre is also looking at issues around what motivates someone to commit cybercrime, and what makes them stop.</p> <p>According to Dr Alice Hutchings, a criminologist specialising in cybercrime, cybercriminals tend to fall into two main categories. 
The first category is the opportunistic offender, who may be motivated by a major strain in their lives, such as financial pressures or problems with gambling or addiction, and who uses cybercrime as a way to meet their goals. The second type of offender typically comes from a more stable background, and is gradually exposed to techniques for committing cybercrime through associations with others.</p> <p>Both groups will usually keep offending as long as cybercrime meets their particular needs, whether it’s financial gratification, or supporting a drug habit, or giving them recognition within their community. What often makes offenders stop is the point at which the costs of continuing outweigh the benefits: for instance, when it takes a toll on their employment, other outside interests or personal relationships.</p> <p>“Most offenders never get caught, so there’s no reason to think that they won’t go back to cybercrime,” says Hutchings. “They can always start again if circumstances in their lives change.</p> <p>“There is so much cybercrime happening out there. You can educate potential victims, but there will always be other potential victims, and new ways that criminals can come up with to social engineer somebody’s details, for example. Proactive prevention against potential offenders is a good place to start.”</p> <p>Criminologist Professor Lawrence Sherman believes the collaboration between security engineering and criminology is long overdue, both at Cambridge and globally: “Cybercrime is the crime of this century, a challenge we are just beginning to understand and challenge with science.”</p> <p>“We’re extremely grateful to the people giving us this data, who are doing it because they think academic research will make a difference,” says Clayton. “Our key contribution is realising that there was a roadblock in terms of being able to distribute the data. 
It’s not that other people couldn’t get the data before, but it was very time-consuming, so only a limited number of people were doing research in this area – we want to change that.”</p> <p>“Our Cybercrime Centre will not only provide detailed technical information about what’s going on, so that firms can construct better defences,” says Anderson. “It will also provide strategic information, as a basis for making better policy.”</p> </div></div></div><div class="field field-name-field-content-summary field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p><p>As more and more crime moves online, computer scientists, criminologists and legal academics have joined forces in Cambridge to improve our understanding and responses to cybercrime, helping governments, businesses and ordinary users construct better defences.</p> </p></div></div></div><div class="field field-name-field-content-quote field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item even">You don’t actually have to be as clever as people once thought in order to fool a user</div></div></div><div class="field field-name-field-content-quote-name field-type-text field-label-hidden"><div class="field-items"><div class="field-item even">Richard Clayton</div></div></div><div class="field field-name-field-image-credit field-type-link-field field-label-hidden"><div class="field-items"><div class="field-item even"><a href="https://www.flickr.com/photos/zippidyserendipity/16423188579/in/photolist-r2g8MM-2Trrxt-2Tr8Rc-fot6Xg-9Q6RQu-2TvRhf-2Tr8Nr-a56GGq-9deUiG-JNHovd-JRJrcK-2TriKX-78okxd-2TvLa9-JqYBqh-HVpqjy-2TvPVu-HVkJRR-qZmSti-2TvRo3-JGNDnE-2Tvxr9-2TvLKw-JGJU15-2TvNXY-2Trj1B-2TriVk-JRXjF2-pL2PUE-GpB4w2-2Trpdz-a8D7vn-6vHa6F-2TvPnL-JNHnm9-6aPh2c-Jr8Sps-JNHmzQ-HVCauh-2TvAm1-2Trrii-2TvMkd-2TvMbG-2TvR79-2TrpPM-a54xrr-2TvRS9-2TvGLY-2TrcDB-2TroSz" target="_blank"> LastHuckleBerry</a></div></div></div><div class="field 
field-name-field-image-desctiprion field-type-text field-label-hidden"><div class="field-items"><div class="field-item even">TeQi&#039;s Graffitti Phish</div></div></div><div class="field field-name-field-cc-attribute-text field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item even"><p><a href="http://creativecommons.org/licenses/by/4.0/" rel="license"><img alt="Creative Commons License" src="https://i.creativecommons.org/l/by/4.0/88x31.png" style="border-width:0" /></a><br /> The text in this work is licensed under a <a href="http://creativecommons.org/licenses/by/4.0/" rel="license">Creative Commons Attribution 4.0 International License</a>. For image use please see separate credits above.</p> </div></div></div><div class="field field-name-field-show-cc-text field-type-list-boolean field-label-hidden"><div class="field-items"><div class="field-item even">Yes</div></div></div><div class="field field-name-field-license-type field-type-taxonomy-term-reference field-label-above"><div class="field-label">Licence type:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/taxonomy/imagecredit/attribution-sharealike">Attribution-ShareAlike</a></div></div></div><div class="field field-name-field-related-links field-type-link-field field-label-above"><div class="field-label">Related Links:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="https://www.cambridgecybercrime.uk/">Cambridge Cybercrime Centre</a></div></div></div> Fri, 21 Oct 2016 07:51:23 +0000 sc604 180172 at Opinion: FBI backs off from its day in court with Apple this time – but there will be others /research/discussion/opinion-fbi-backs-off-from-its-day-in-court-with-apple-this-time-but-there-will-be-others <div class="field field-name-field-news-image field-type-image field-label-hidden"><div class="field-items"><div class="field-item even"><img class="cam-scale-with-grid" 
src="/sites/default/files/styles/content-580x288/public/news/research/discussion/160330smartphone.jpg?itok=D0wlsYX_" alt="Smartphone rituals" title="Smartphone rituals, Credit: Nicolas Nova" /></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>After a <a href="https://theconversation.com/why-apple-is-making-a-stand-against-the-fbi-54925">very public stand-off</a> over an encrypted terrorist’s smartphone, the FBI has <a href="https://www.theguardian.com/technology/2016/mar/21/fbi-apple-court-hearing-postpone-unlock-terrorist-iphone">backed down</a> in its court case against Apple, stating that an “outside party” – rumoured to be <a href="https://www.rt.com/usa/336948-fbi-israel-crack-iphone/">an Israeli mobile forensics company</a> – has found a way of accessing the data on the phone.</p> <p>The exact method is not known. Forensics experts <a href="https://www.zdziarski.com/blog/?p=5966">have speculated</a> that it involves tricking the hardware into not recording how many passcode combinations have been tried, which would allow all 10,000 possible four-digit passcodes to be tried within a fairly short time. This technique would apply to the iPhone 5C in question, but not newer models, which have stronger hardware protection through the so-called <a href="https://support.apple.com/guide/security/welcome/web">secure enclave</a>, a chip that performs security-critical operations in hardware. 
The FBI has denied that the technique involves <a href="https://www.washingtonpost.com/world/national-security/the-fbi-is-testing-a-code-based-way-to-get-into-the-san-bernardino-iphone/2016/03/24/bc79cd14-f1dc-11e5-a61f-e9c95c06edca_story.html">copying storage chips</a>.</p> <p>So while the details of the technique <a href="https://www.theguardian.com/technology/2016/mar/22/apple-fbi-san-bernardino-iphone-method-for-cracking">remain classified</a>, it’s reasonable to assume that <a href="https://theintercept.com/2016/03/08/snowden-fbi-claim-that-only-apple-can-unlock-phone-is-bullshit/">any security technology can be broken</a> given sufficient resources. In fact, the technology industry’s dirty secret is that most products are frighteningly insecure.</p> <p>Even when security technologies are carefully designed and reviewed by experts, mistakes happen. For example, researchers recently found a way of <a href="https://blog.cryptographyengineering.com/2016/03/21/attack-of-week-apple-imessage/">breaking the encryption of Apple’s iMessage service</a>, one of the most prominent examples of end-to-end encryption (which ensures that even the service provider cannot read the messages travelling via its network).</p> <p>Most products have a much worse security record, as they are not designed by security experts, and often contain flaws that are easily found by attackers. For example, <a href="https://boingboing.net/2016/01/19/griefer-hacks-baby-monitor-te.html">internet-connected baby monitors</a> that could be hacked and allow strangers to <a href="https://sfglobe.com:443/2016/01/06/stranger-hacks-familys-baby-monitor-and-talks-to-child-at-night/">talk to their child</a> at night. Insecure cars that <a href="https://theconversation.com/auto-industry-must-tackle-its-software-problems-to-stop-hacks-as-cars-go-online-45325">could be controlled via an internet connection</a> while being driven. 
Drug infusion pumps at US hospitals that could be hacked by an attacker to <a href="https://www.boxer.senate.gov/?p=release&amp;id=3254">manipulate drug dosage levels</a>.</p> <p>Even national infrastructure is vulnerable, with software weaknesses exploited to cause serious damage at a <a href="http://www.bbc.co.uk/news/technology-30575104">German steel mill</a>, bring down parts of the <a href="https://theconversation.com/the-cyberattack-on-ukraines-power-grid-is-a-warning-of-whats-to-come-52832">Ukrainian power grid</a>, and <a href="https://news.softpedia.com/news/hackers-modify-water-treatment-parameters-by-accident-502043.shtml">alter the mix of chemicals added to drinking water</a>. While our lives depend more and more on “smart” devices, they are frequently designed in incredibly stupid ways.</p> <h2>Insecure by design</h2> <p>The conflict between Apple and the FBI was particularly jarring to security experts, seen as an attempt to deliberately make technology less secure and win legal precedent to gain access to other devices in the future. Smartphones are becoming increasingly ubiquitous, and we know from the Snowden files that the NSA can <a href="https://www.theguardian.com/world/2014/feb/01/edward-snowden-intelligence-leak-nsa-contractor-extract">turn on a phone’s microphone</a> remotely without the owner’s knowledge. We are heading towards a state in which every inhabited space contains a microphone (and a camera) that is connected to the internet and which might be recording anything you say. This is not even a paranoid exaggeration.</p> <p>So, in a world in which we are constantly struggling to make things more secure, the FBI’s desire to create a backdoor to provide it access is like pouring gasoline on the fire.</p> <p>The problem with security weaknesses is that it is impossible to control who can use them. 
Responsible researchers report them to the vendor so that they can be fixed, and sometimes receive a <a href="https://www.tripwire.com/state-of-security/11-essential-bug-bounty-programs-of-2015">bug bounty</a> in return. But those who want to make more money may <a href="https://www.wired.com/2015/11/heres-a-spy-firms-price-list-for-secret-hacker-techniques/">secretly sell the knowledge to the highest bidder</a>. Customers of this <a href="https://theconversation.com/trusting-hackers-with-your-security-youd-better-be-able-to-sort-the-whitehats-from-the-blackhats-44477">dark trade in vulnerabilities</a> often include <a href="https://citizenlab.ca/2015/08/hacking-team-leak-highlights-citizen-lab-research/">governments with repressive human rights records</a>.</p> <p>If the FBI has found a means of getting data off a locked phone, that means the intelligence services of other countries have probably independently developed the same technique – or been sold it by someone who has. So if an American citizen has data on their phone that is of intelligence interest to another country, that data is at risk if the phone is lost or stolen.</p> <p>Most people will never be of intelligence interest, of course, so perhaps such fears are overblown. But the push from governments, for example through the pending <a href="https://theconversation.com/us/topics/investigatory-powers-bill-22352">Investigatory Powers Bill</a> in the UK, to allow the security services to hack devices in bulk – even if the devices belong to people who are not suspected of any crime – cannot be ignored.</p> <p>Bulk hacking powers, taken together with insecure, internet-connected microphones and cameras in every room, are a worrying combination. 
It is a cliché to conjure up Nineteen Eighty-Four, but the picture it paints is something very much like Orwell’s telescreens.</p> <figure><iframe allowfullscreen="" frameborder="0" height="260" src="https://www.youtube.com/embed/CCfW6HFP5cI?wmode=transparent&amp;start=0" width="440"></iframe></figure> <h2>Used by one, used by all</h2> <p>To some extent law enforcement has historically benefited from poor computer security, as hacking a poorly secured digital device is easier and cheaper than planting a microphone in someone’s house or rifling through their physical belongings. No wonder that the former CIA director <a href="https://www.wired.com/2012/03/petraeus-tv-remote/">loves the Internet of Things</a>.</p> <p>This convenience often tempts governments to deliberately weaken device security – the FBI’s case against Apple is just one example. In the UK, the proposed Investigatory Powers Bill allows the secretary of state to issue “<a href="https://www.theguardian.com/technology/2015/nov/09/tech-firms-snoopers-charter-end-strong-encryption-britain-ip-bill">technical capability notices</a>”, which are secret government orders to demand manufacturers make a device or service deliberately less secure than it could be. GCHQ’s new MIKEY-SAKKE standard for encrypted phone calls is also <a href="https://www.benthamsgaze.org/2016/01/19/insecure-by-design-protocols-for-encrypted-phone-calls/">deliberately weakened</a> to allow easier surveillance.</p> <p>But a security flaw that can be used by one can be used by all, whether legitimate police investigations or hostile foreign intelligence services or organised crime. 
The fears of <a href="https://cyber.harvard.edu/pubrelease/dont-panic/Dont_Panic_Making_Progress_on_Going_Dark_Debate.pdf">criminals and terrorists “going dark” are overblown</a>, but the risk to life from insecure infrastructure is real: fixing these weaknesses should be our priority, not striving to make devices less secure for the sake of law enforcement.</p> <p><em><strong><span><a href="https://theconversation.com/profiles/martin-kleppmann-229401">Martin Kleppmann</a>, Research associate, <a href="https://theconversation.com/institutions/university-of-cambridge-1283">University of Cambridge</a></span></strong></em></p> <p><em><strong>This article was originally published on <a href="https://theconversation.com/">The Conversation</a>. Read the <a href="https://theconversation.com/fbi-backs-off-from-its-day-in-court-with-apple-this-time-but-there-will-be-others-56932">original article</a>.</strong></em></p> <p><em>The opinions expressed in this article are those of the individual author(s) and do not represent the views of the University of Cambridge.</em></p> </div></div></div><div class="field field-name-field-content-summary field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p><p>Martin Kleppmann (Computer Laboratory) discusses how vulnerable security technologies really are, and how these vulnerabilities could be exploited by both law enforcement and criminals.</p> </p></div></div></div><div class="field field-name-field-image-credit field-type-link-field field-label-hidden"><div class="field-items"><div class="field-item even"><a 
href="https://www.flickr.com/photos/nnova/15143063700/in/photolist-p59agb-oV8kWF-dKM4XF-w4mU6u-rtLRaL-6WpyLA-5w1x7B-iPbkXS-5w5So7-5w5Shb-5w5SiQ-ewuJkS-qB7cNm-5w1xqg-raxYPc-4GyQ3B-e7SruD-dJ86M7-pKTwkQ-dt59yY-agSJHn-fcEmHq-fHr5pX-rBuFur-86jRy1-pwsJsG-ncMHe3-ro7xHZ-ae1cnm-aaBHGD-gxrsm-aeuiYT-D3NJb-e8Z9yL-87mW2q-gA3McR-8YMPun-nmbTzF-7vcjwV-opLsGL-a39Vsb-a99Hec-6WcTys-BSZ9N-dwF3pv-D3NQ8-DHRMmJ-a9Xz3a-87mW35-afa19p" target="_blank">Nicolas Nova</a></div></div></div><div class="field field-name-field-image-desctiprion field-type-text field-label-hidden"><div class="field-items"><div class="field-item even">Smartphone rituals</div></div></div><div class="field field-name-field-cc-attribute-text field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item even"><p><a href="http://creativecommons.org/licenses/by/4.0/" rel="license"><img alt="Creative Commons License" src="https://i.creativecommons.org/l/by/4.0/88x31.png" style="border-width:0" /></a><br /> The text in this work is licensed under a <a href="http://creativecommons.org/licenses/by/4.0/" rel="license">Creative Commons Attribution 4.0 International License</a>. For image use please see separate credits above.</p> </div></div></div><div class="field field-name-field-show-cc-text field-type-list-boolean field-label-hidden"><div class="field-items"><div class="field-item even">Yes</div></div></div><div class="field field-name-field-license-type field-type-taxonomy-term-reference field-label-above"><div class="field-label">Licence type:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/taxonomy/imagecredit/attribution-noncommerical">Attribution-NonCommercial</a></div></div></div> Wed, 30 Mar 2016 12:57:18 +0000 Anonymous 170332 at