News & Announcements

Dr Murdoch was interviewed by BBC News about the introduction of an app store register in China

17 January, 2017

Third-party app stores are widespread in China, and poor vetting of the apps they carry has led to the widespread propagation of malware. In response, the Cyberspace Administration of China has required all app marketplaces to join a register. Dr Murdoch was interviewed by BBC News on some potential side effects of this decision. The full article can be found here.

 

Dr Murdoch featured in a BBC news article about Barclays cardless withdrawals

28 November, 2016

Barclays is testing new cash machines that allow its customers to use their smartphones to withdraw cash. Dr Murdoch commented to BBC News on the potential risks introduced by these machines. The article can be found here.

 

Dr Murdoch featured in E&T article on ransomware

28 November, 2016

Dr Steven Murdoch was featured in an E&T article about ransomware. A recent survey by a security company highlighted the extent of ransomware attacks. Dr Murdoch commented:

"attackers are finding more efficient ways to force their victims to pay the ransom. New types of ransomware have been found that don’t only encrypt the victim’s data but also make an online copy. The attacker then threatens to publish the sensitive data to the world if ransom is not paid."

The full article can be found here.

 

News coverage for Jeremiah Onaolapo, Dr De Cristofaro and Dr Stringhini on their paper on 4chan

27 November, 2016

In recent weeks Jeremiah Onaolapo, Dr De Cristofaro, Dr Stringhini and co-authors published a study of 4chan's Politically Incorrect board (/pol/). The paper provides a large-scale analysis of the content of posts, the posting behaviour of users, and the raids launched from the platform against other social media. The study attracted considerable attention from the media: https://theconversation.com/4chan-raids-how-one-dark-corner-of-the-internet-is-spreading-its-shadows-68394

 

Mustafa Al-Bassam has been featured on The Register article about blockchain

09 November, 2016

Mustafa Al-Bassam has been quoted in a news article on use cases of blockchains. The full article, from The Register, can be found here.

 

Mustafa Al-Bassam featured in various news articles about the latest data released by The Shadow Brokers

09 November, 2016

Mustafa Al-Bassam has been quoted in a number of articles about new data released by the group conducting an illicit auction of "cyber weapons" believed to have been created by the NSA-linked makers of Stuxnet, Duqu and Flame. The latest release contains lists of IP addresses; Mustafa pointed out that "the IP addresses may relate to servers the NSA has compromised and then used to deliver exploits" and that the "servers were compromised between 2000 and 2010".

The full articles can be found here and here.

 

News Coverage for Vasilios Mavroudis' Work on Ultrasound Cross-device Tracking

08 November, 2016

A recent presentation at Black Hat Europe by UCL's Vasilios Mavroudis and POLIMI's Federico Maggi discussed the attacks that become possible when ultrasound is used for cross-device communication, and the available countermeasures. The presentation is based on joint research by UCL, POLIMI and UCSB. Their findings demonstrate that attackers can imperceptibly exchange information between devices, thereby bypassing security measures such as sandboxing or permission management.

The presentation has gathered a large amount of media coverage including WIRED, New Scientist and Slashdot.

More information is available in the project's website.

 

Dr Murdoch featured on Telegraph article about NCSC's anti-DDoS Strategy

08 November, 2016

Dr Steven Murdoch was featured in a Telegraph article about a plan by the National Cyber Security Centre, which is part of GCHQ, to strengthen the UK's internet infrastructure against distributed denial of service attacks. The plan calls for ISPs to address weaknesses in legacy internet protocols such as BGP, which lack adequate protection against abuse. Dr Murdoch commented that GCHQ "doesn’t really have the trust of industry".

The full article is available here.

 

Dr Murdoch Featured on BBC News about Digital Forensics and Biometrics

08 November, 2016

Dr Steven Murdoch was featured in two different BBC News articles regarding digital forensics. In the first article, Dr Murdoch was consulted on the feasibility of the FBI reviewing 650,000 emails in 8 days. The key point, he said, is that reviewing does not necessarily mean reading: automated techniques such as de-duplication and keyword filtering can significantly reduce the number of documents requiring the investigators' attention.

In the second article, Dr Murdoch commented on Voco, Adobe's Photoshop analogue for voice data. Using the software, one can take a voice sample of a person uttering one phrase and synthesise a similar voice uttering another. While biometrics firms, who use voice prints for authentication, believe their software to be impervious to such forgeries, Dr Murdoch opined that testing is the only definitive way to evaluate their claims.

 

Dr Olejnik's Work Results in Removal of Browser Battery API for Privacy Reasons

08 November, 2016

Firefox and WebKit (the engine behind Apple's Safari) recently revealed plans (Firefox, WebKit) to remove support for the Battery Status API from their browsers. This follows research by Dr Lukasz Olejnik which highlighted the privacy implications of shipping a high-precision battery API, including fingerprinting and differential pricing. While the research suggested some forms of mitigation, the decision reached by the two groups was that the potential benefits and use cases of the API were unclear. In his blog, Dr Olejnik notes that the removal of an already-shipped web feature in favour of privacy is unprecedented in the history of the web.

The full blog article is available here. Further coverage is available in the Guardian, Slashdot, Betanews, and Heise (German) among others.

 

Dr Murdoch featured on BBC News article regarding Google's recent vulnerability disclosure

02 November, 2016

Dr Steven Murdoch was interviewed for a BBC News article regarding Google's recent disclosure of a vulnerability affecting the Windows operating system. Microsoft was given notice 10 days before the public announcement, whereas a blackout period of 30 or 60 days is the usual practice. Google decided to publicise the vulnerability because it is being actively exploited, drawing criticism from Microsoft, which had not yet produced fixes for all versions of Windows. Dr Murdoch suggested that "[...] whether or not it was right to have made the flaw public is a matter of debate - there are reasonable arguments on both sides, and we still don't know who are the attackers and who are the targets".

The full article is available at BBC News.

 

Dr Murdoch featured in The Anthill, a podcast from The Conversation

24 October, 2016

Dr Steven Murdoch was featured in The Anthill, a podcast from The Conversation. In the sixth episode, titled "Into the darkness", Dr Murdoch discusses the dark web and Tor onion services.

You can find the podcast here (segment starts at 35m 22s)

 

Dr Lukasz Olejnik quoted in Daily Telegraph article on new Swiss surveillance law

28 September, 2016

UCL's Dr Lukasz Olejnik was quoted in a Daily Telegraph article about Switzerland's new surveillance law, which was recently adopted by referendum. The new law combines new investigative powers with tight oversight, a combination described as "unprecedented and important". While strong surveillance laws are fairly commonplace, the requirement to notify surveillance targets after the fact is relatively novel.

The full Daily Telegraph article is available here.

More details are available in Dr Olejnik's blog.

 

Dr Murdoch featured in BBC coverage of Yahoo breach

25 September, 2016

Dr Steven Murdoch was featured in the BBC's coverage of Yahoo's recently announced security breach. The breach, which took place in 2014 but was only made known last week, involved the account details of 500 million users of the service. It is believed to be the largest known security breach in terms of the number of affected users.

 

Dr Murdoch featured in BBC article on cyberweapon auction

17 August, 2016

Dr Steven Murdoch was quoted in a recent BBC article about an illicit auction of software described as "cyber weapons". The all-pay auction, which is to be conducted in bitcoin, is claimed to include software from the makers of Stuxnet, Duqu and Flame, all widely believed to be state-sponsored. Dr Murdoch stated that "It is extraordinary that a government based (or at least government supported) group would get comprehensively hacked, but there is evidence indicating that this may have actually happened".

 

News Coverage of Relay Attack Article by Dr Murdoch

11 August, 2016

A recent article by Dr Steven Murdoch has been covered by The Register and the Daily Mail. The article discusses how previous work on bank card relay attacks by Dr Murdoch is still relevant. In a relay attack, the communication between a customer's card and the point-of-sale terminal is rerouted to a different terminal elsewhere, so that the customer ends up paying for a different transaction. The initial research was based on chip and PIN cards and proposed a simple defence, distance bounding: the transaction protocol requires replies so fast that communication relayed over the attacker's link arrives too late and the transaction fails.

Contactless cards present a harder challenge: their operating power is limited, and the timing of the wireless communication standards is less precise, so the terminal must tolerate more variation in the round-trip time.
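The timing check described above, as an added example that is not code from the research or the article: a terminal runs a rapid single-bit challenge-response exchange and rejects a card whose round trips exceed a bound, so a relay that forwards perfectly correct answers still fails, while a local impostor without the key answers quickly but wrongly. The microsecond figures, the HMAC-derived response registers (a Hancke-Kuhn style construction), the shared key and the simulated clock are all assumptions of the simulation, not the cards' actual protocol.

```python
"""Distance-bounding timing check against a relay attack (added example)."""
from __future__ import annotations
import hashlib
import hmac
import random
import secrets
from dataclasses import dataclass

# Assumed timing budget (not figures from the research): a genuine card answers
# each single-bit challenge within a few microseconds, whereas a relay that ships
# the exchange over a radio or network link adds far more latency per round.
GENUINE_RESPONSE_US = 2.0   # card processing delay per bit (assumed)
RELAY_HOP_US = 150.0        # one-way latency added by each relay hop (assumed)
RTT_BOUND_US = 10.0         # terminal rejects any round slower than this (assumed)
ROUNDS = 32
SHARED_KEY = b"\x11" * 16   # constructed demo key; the terminal is trusted with it here


def derive_registers(key: bytes, nonce_t: bytes, nonce_c: bytes) -> tuple[int, int]:
    """Hancke-Kuhn style: both sides derive two ROUNDS-bit registers R0 and R1
    from a keyed hash of the nonces before the rapid bit exchange starts."""
    word = int.from_bytes(hmac.new(key, nonce_t + nonce_c, hashlib.sha256).digest(), "big")
    mask = (1 << ROUNDS) - 1
    return word & mask, (word >> ROUNDS) & mask


class Card:
    """Genuine card: answers challenge bit c in round i with bit i of R_c."""
    def __init__(self, key: bytes):
        self.key, self.r = key, (0, 0)

    def setup(self, nonce_t: bytes) -> bytes:
        nonce_c = secrets.token_bytes(8)
        self.r = derive_registers(self.key, nonce_t, nonce_c)
        return nonce_c

    def respond(self, i: int, c: int) -> tuple[int, float]:
        """Return (response bit, simulated time taken in microseconds)."""
        return (self.r[c] >> i) & 1, GENUINE_RESPONSE_US


class Relay:
    """Attacker's proxy: forwards every message to the real card elsewhere and
    back. Responses are always correct, but each round pays two relay hops."""
    def __init__(self, card: Card):
        self.card = card

    def setup(self, nonce_t: bytes) -> bytes:
        return self.card.setup(nonce_t)

    def respond(self, i: int, c: int) -> tuple[int, float]:
        bit, t = self.card.respond(i, c)
        return bit, t + 2 * RELAY_HOP_US


class Guesser:
    """Local impostor without the key: fast enough, but must guess each bit."""
    def __init__(self, seed: int = 7):
        self.rng = random.Random(seed)

    def setup(self, nonce_t: bytes) -> bytes:
        return secrets.token_bytes(8)

    def respond(self, i: int, c: int) -> tuple[int, float]:
        return self.rng.getrandbits(1), GENUINE_RESPONSE_US


@dataclass
class Verdict:
    accepted: bool
    wrong_bits: int
    max_rtt_us: float


def terminal_verify(prover, key: bytes, seed: int = 1) -> Verdict:
    """Terminal side: exchange nonces, then send ROUNDS single-bit challenges and
    time each reply. Accept only if every reply is correct AND every round is fast;
    a relay fails the second test even when it forwards perfect answers."""
    rng = random.Random(seed)              # deterministic challenges for the demo
    nonce_t = secrets.token_bytes(8)
    nonce_c = prover.setup(nonce_t)
    r = derive_registers(key, nonce_t, nonce_c)
    wrong, worst = 0, 0.0
    for i in range(ROUNDS):
        c = rng.getrandbits(1)
        bit, rtt = prover.respond(i, c)
        worst = max(worst, rtt)
        wrong += bit != (r[c] >> i) & 1
    return Verdict(wrong == 0 and worst <= RTT_BOUND_US, wrong, worst)


if __name__ == "__main__":
    for name, prover in [("genuine", Card(SHARED_KEY)), ("relayed", Relay(Card(SHARED_KEY))), ("guesser", Guesser())]:
        v = terminal_verify(prover, SHARED_KEY)
        print(f"{name:8s} accepted={v.accepted} wrong_bits={v.wrong_bits} max_rtt={v.max_rtt_us:.0f}us")
```

The bound of 10 µs is what makes the contactless case hard: the terminal can only set it as tight as the radio standard's timing jitter allows, and every microsecond of slack is distance an attacker may relay across.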

Dr Murdoch's article in the Conversation is available here.  

 

Dr Olejnik's work on Battery Status Privacy featured on the Guardian

02 August, 2016

A recent paper co-authored by Dr Lukasz Olejnik was featured in a Guardian article. The paper demonstrates the potential privacy implications of the Battery Status API. The intention behind the API is to allow websites to offer lighter versions of their pages to devices that are low on battery. However, by exposing high-precision readings, the API can also enable privacy breaches such as tracking across sites.

The full paper, "Privacy engineering analysis of Battery Status API", is available, along with some discussion, on Dr Olejnik's blog.

The Guardian article is available here.

 

Dr De Cristofaro at Microsoft's Research Faculty Summit

18 July, 2016

Dr Emiliano De Cristofaro attended the seventeenth annual Microsoft Research Faculty Summit in Redmond, Washington, where he was invited to give a talk on genome privacy:

The Genomics Revolution: The Good, The Bad, and The Ugly (The Privacy Edition)

See more at https://www.microsoft.com/en-us/research/event/faculty-summit-2016/

 

Dr Murdoch interviewed by ShareFM Radio on Cybercrime

12 July, 2016

Dr Steven Murdoch was featured on the Morning Money show on ShareFM. The topic of the interview was the recent advice issued by the National Crime Agency with respect to cybercrime.

You can listen to the interview here.

 

Jonathan Bootle wins ACE-CSR elevator pitch competition

12 July, 2016

Congratulations are due to Jonathan Bootle for winning the best PhD student presentation prize at the ACE-CSR conference. Jonathan gave a very animated and space-efficient presentation on space-efficient zero-knowledge proofs, based on research performed at UCL.

The presentation, "How to do Zero Knowledge from Discrete Logs in under 7kB",  was also featured on last week's InfoSec seminar.

 

Dr Murdoch interviewed by BBC and ShareFM on Apple and iOS encryption

27 June, 2016

Dr Steven Murdoch was interviewed by the BBC and by ShareFM radio on the latest news about Apple and encryption. Last week Apple released a beta version of iOS 10 which, unlike previous versions, ships with an unencrypted kernel.

More details can be found in the BBC article and ShareFM interview.

 

UCL work on Bank Fraud T&Cs covered on the Register

09 June, 2016

The paper International Comparison of Bank Fraud Reimbursement: Customer Perceptions and Contractual Terms was covered by an article on The Register. The paper compares the terms and conditions relating to fraud across 30 banks in 25 countries, and was co-authored by researchers in the UCL Information Security Group: Ingolf Becker, Ruba Abu-Salma, Dr Steven Murdoch, Prof. Angela Sasse and Dr Gianluca Stringhini, joined by Dr Alice Hutchings and Prof. Ross Anderson from the University of Cambridge and Nicholas Bohm from the Foundation for Information Policy Research.

Apart from discussing the differences in the terms and conditions themselves, the paper also examines the expectations of bank customers in different countries (UK, US, and Germany) regarding fraud, as well as their evaluation of the terms after having read them.

The paper will be presented at the Workshop on the Economics of Information Security (WEIS), Berkeley, CA, USA, 13–14 June 2016.

 

The Register article is available here.

A post on the Bentham's Gaze blog is available here.

The paper is available here.

 

Dr Murdoch Interviewed by BBC News on Ransomware

09 June, 2016

Dr Steven Murdoch was interviewed by the BBC for a news story concerning ransomware. A Canadian university confirmed that more than 100 machines had been compromised with ransomware, malicious software that encrypts files on the infected computer and demands a ransom before the decryption key is released. The university decided to pay upwards of £10,000 to the attackers in order to restore access to the encrypted data. Dr Murdoch commented that while paying up might be the simplest way to restore access, it funds and encourages further attacks.

The full article is available here.

 

Dr Murdoch Interviewed on ATM bank heist

31 May, 2016

Dr Steven Murdoch was interviewed by the Daily Telegraph regarding an organised ATM bank heist. The heist involved 1,400 ATMs being targeted within a two-hour period, using counterfeit cards linked to accounts at South Africa's Standard Bank. Losses are estimated at £8.8 million. Dr Murdoch opined that the attack targeted weaknesses in the banks' systems rather than individual customers.

The full article is available here.

 

Dr Murdoch Interviewed on Spying via Metadata

23 May, 2016

UCL's Dr Steven Murdoch was interviewed on the subject of authorities tracking people via metadata. The topics covered include the breadth of metadata tracking in the US (with one interpretation suggesting up to 25,000 people tracked in relation to a single suspect), as well as the power and significance of metadata. Dr Murdoch quoted former NSA and CIA director Michael Hayden, as reported by David Cole: "We kill people based on metadata". At the same time, Dr Murdoch criticised the lack of legal protection for metadata: “'Metadata is not sensitive so it doesn’t deserve protection of the court system.' That’s the prevailing thought process in UK legislation”.

The interviews were related to a recent Stanford research paper, demonstrating the practicality of metadata analysis, available here.

The BBC Radio 4 interview is available here. [Interview starts at 14m55s]

The BBC World Service interview is available here. [Interview starts at 17m30s, Segment starts at 14m35s]

The Daily Telegraph article quoting Dr Murdoch is available here.

 

Dr Murdoch Interviewed by BBC News on Malvertising

16 May, 2016

Dr Steven Murdoch was interviewed by BBC News on the topic of malicious advertising. Malvertising works by using ad networks to serve malicious software posing as ads to visitors of legitimate, mainstream websites. Dr Murdoch mentions that ad networks "fail to vet their clients" thus undermining the current business model of the web. As users turn to ad blocking to protect themselves, websites will need to find other ways to stay in business.

 

Read the full article here.

 

Dr De Cristofaro talked about Facebook like farms on Dutch television

27 April, 2016

Dr Emiliano De Cristofaro appeared on the Dutch broadcaster AVROTROS talking about Facebook like farms.

The segments (in English) can be found here, at 2:15, 6:15, 11:05 and 12:05.

 

Dr Murdoch interviewed on BBC Radio Scotland on Apple-FBI case

21 April, 2016

Dr Steven Murdoch was interviewed on the Good Morning Scotland programme on the ongoing Apple-FBI phone encryption debate. The case is now being presented to the US House of Representatives Energy and Commerce Committee. Dr Murdoch opined that security services, given adequate expertise, should be able to investigate crimes effectively by taking advantage of existing security flaws rather than requiring cooperation from software companies.

 

You can listen to the full interview here [starts at 1h 55m].

 

Dr Murdoch interviewed by BBC Radio 4 on Phishing Emails [Updated]

07 April, 2016

Dr Steven Murdoch was interviewed on the You and Yours programme on BBC Radio 4. The segment discussed phishing emails that include the recipient's postal address in the text so as to appear more convincing. Dr Murdoch said that this data often originates from hacked retailer websites. The interview is also featured in a BBC News article on the same issue.

Update: There is further coverage on the scam from the BBC here, including quotes from Dr Murdoch:

"It also appears to be quite widespread - I've heard about it from multiple sources so it seems like they were fairly successful getting a lot of these sent out."

Listen to the interview here [starts at 33m24s].

 

Dr Murdoch interviewed by BBC Radio Scotland on the Apple-FBI case

04 April, 2016

Dr Steven Murdoch was interviewed by BBC Radio Scotland on the topic of phone encryption, and specifically the ongoing story between Apple and the FBI. The interview touches on the subject of responsible disclosure as Apple is requesting that the FBI reveal their means of bypassing iPhone security.

 

You can listen to the interview here. [Starts at 1h 48m]

 

Dr Danezis' work recognised by Government Digital Service

24 March, 2016

A recent blog post by the Government Digital Service explains how a research paper co-authored by Dr George Danezis provided feedback to the GOV.UK Verify project, and the steps taken to mitigate the threats described in the paper. The GOV.UK Verify project aims to provide a secure framework for proving one's identity online. Danezis' paper examines the threats that arise in such a system if the central hub is compromised or corrupt.

 

Dr Danezis and Prof Angela Sasse also serve as members of the Privacy and Consumer Advisory Group (PCAG), advising the government in matters regarding personal data and privacy.

 

Read the full post here.

Read the referenced paper here.

 

Dr Stringhini interviewed by BBC World Service on bug bounties

22 March, 2016

Dr Gianluca Stringhini was interviewed on the BBC World Service Business Daily programme. Dr Stringhini explained how companies offer bounties for bug disclosure in order to incentivise ethical hacking and improve their security.

Listen to the interview here [starts at 9:06]

 

Dr Meiklejohn and Dr Danezis' work on centrally banked cryptocurrencies featured in several news articles

14 March, 2016

Dr Meiklejohn and Dr Danezis' work on centrally banked cryptocurrencies received significant attention in the media. The paper (presented at NDSS'16) proposes RSCoin, a cryptocurrency that allows a central bank to control the monetary supply while a distributed set of authorities is in charge of maintaining the transaction ledger.

Some news articles on the topic:

 

Dr Meiklejohn and Dr Danezis' work featured in MIT Tech Review article

11 March, 2016

Dr Meiklejohn and Dr Danezis' work on centrally banked cryptocurrencies was featured in a MIT Tech Review article.

The full article is available here.

 

Dr Murdoch interviewed by BBC News on encryption of Amazon Fire

11 March, 2016

Dr Steven Murdoch was interviewed by BBC News about the encryption of Amazon Fire devices. The company removed the disk encryption security feature and subsequently faced criticism.

The full article is available here.

 

Dr Murdoch et al. NDSS 2016 paper featured in several news article

02 March, 2016

Dr Steven Murdoch's NDSS 2016 paper "Do You See What I See? Differential Treatment of Anonymous Users" was featured in several news articles. The paper observes that many websites block, degrade their service for, or impose CAPTCHAs on users who access them via the Tor network. News coverage of the paper appeared in numerous sources:

 

Dr Murdoch interviewed by BBC on Tor Hidden services

02 March, 2016

Dr Steven Murdoch was interviewed by the BBC on Tor hidden services. Researchers recently noticed a spike in the number of hidden service addresses in the Tor network. While there are several plausible causes for this dramatic increase, it may be hard to establish the actual reason. Read the full article here.

 

Dr Murdoch Interviewed by the Telegraph on glibc bug

02 March, 2016

Dr Steven Murdoch was interviewed by the Telegraph on a bug discovered by Google researchers in the glibc library. The bug affects the vast majority of Linux systems, although most Android devices should not be affected, as Android uses its own C library rather than glibc. Read the full article here.

 

Dr Murdoch interviewed by BBC and Sputnik News on a court order regarding FBI and Apple

22 February, 2016

Dr Steven Murdoch was interviewed by BBC News on a court order concerning the FBI and Apple. The company was asked to help the FBI access data on a phone used by the San Bernardino gunman. Apple announced its opposition to the order.

The article is available here.

Another interview on the same topic can be found here.

 

Dr Emiliano De Cristofaro awarded Google Research Award

22 February, 2016

Dr Emiliano De Cristofaro and co-investigator Dr Christophe Dessimoz have been awarded a Google Research Award. The award is a $70,625 grant and will cover tuition for a graduate student. Their proposal, "Enabling Progress in Genomic Research via Privacy-Preserving Data Sharing", is one of 151 funded projects out of 950 submissions.

More details are available in the Google Research Blog.

 

Prof. Sasse and Dr De Cristofaro on voice recognition

22 February, 2016

Dr Emiliano De Cristofaro and Professor Angela Sasse appeared on BBC Radio to comment on the recent rollout of voice recognition for phone banking authentication. Dr De Cristofaro appeared on Radio 4's Today programme, commenting on the particulars of voice recognition as well as biometrics in general. Professor Sasse appeared on Jeremy Vine's Radio 2 show and gave her insight on the security and usability of the system being rolled out.

You can listen to Professor Sasse here [starts at 37:25].

Dr De Cristofaro's interview is available here [excerpt] and here [starts at 1:16:40].

 

Dr Danezis mentioned in Ars Technica news article.

19 February, 2016

Dr George Danezis was mentioned in a news article about NSA's SKYNET program. The article referenced a blog article by Dr Danezis commenting on the data mining techniques used by GCHQ.

The article is available here.

 

Professor Sasse and Dr Murdoch were interviewed by the BBC on the hack of VTech's electronic toys

15 February, 2016

Professor Angela Sasse and Dr Steven Murdoch were interviewed by BBC News Online about the theft of customer information from VTech's website. After last year's breach, the company changed its terms and conditions to make parents accept full responsibility in the event of future breaches.

Read the article here.

 

Dr Steven Murdoch on Proposed Phone Call Encryption

25 January, 2016

Dr Steven Murdoch posted an article on Bentham's Gaze regarding the (in)security of the proposed MIKEY-SAKKE protocol. The protocol is being promoted by the UK government as a means of encrypting phone calls. However, it is built on mandatory key escrow, which means that surveillance capability is essentially designed into the system. News coverage of the article appeared in numerous sources:

 

ACE-CSR Event

06 January, 2016

The opening event for the ACE-CSR 2015-2016 academic term featured three speakers: Earl Barr, whose work on approximating program equivalence has won several ACM distinguished paper awards; Mirco Musolesi from the Department of Geography, whose background includes a degree in computer science and an interest in analysing myriad types of data while protecting privacy; and Susan Landau, a professor at Worcester Polytechnic Institute and a visiting professor at UCL and an expert on cyber security policy whose books include Privacy On the Line: the Politics of Wiretapping and Encryption (with Whitfield Diffie) and Surveillance or Security? The Risks Posed by New Wiretapping Technologies.

Earl Barr is a member of the software systems engineering group and the Centre for Research on Evolution, Search, and Testing. His talk outlined his work using program similarity to determine whether two arbitrary programs have the same behaviour in two areas relevant to cyber security: malware and intellectual property theft in binaries (that is, code reused in violation of its licence).

Barr began by outlining his work on detecting malware, comparing the problem to that facing airport security personnel trying to find a terrorist among millions of passengers. The work begins with profiling: collect two zoos, and then ask if the program under consideration is more likely to belong to the benign zoo or the malware zoo.

Rather than study the structure of the binary, Barr treats the program as a string of 0s and 1s, which need not line up with the program's instructions, and uses information theory to derive a measure of dissimilarity, the normalised compression distance (NCD). The NCD approximates the (uncomputable) normalised information distance, which is defined in terms of Kolmogorov complexity, the length of the shortest description of an object, by standing in a real compressor for the ideal one; because the compressor sees only bytes, the measure ignores the instruction set architecture for which the binary was written.

Using these techniques to analyse a malware zoo collected from sources such as Virus Watch, Barr was able to achieve a 95.7% accuracy rate. He believes that although this technique isn't suitable for contemporary desktop anti-virus software, it opens a new front in the malware detection arms race. Still, Barr is aware that malware writers will rapidly develop countermeasures and his group is already investigating counter-countermeasures.

Malware writers have three avenues for blocking detection: injecting new content that looks benign; encryption; and obfuscation. Adding new content threatens the malware's viability: raising the NCD by 50% requires doubling the size of the malware. Encryption can be used against the malware writer: applying a language model across the program reveals a distinctive saw-toothed pattern of regions with low surprise and low entropy alternating with regions of high surprise and high entropy (that is, regions with ciphertext). Obfuscation is still under study: the group is using three obfuscation engines available for Java and applying them repeatedly to Java malware. Measuring the NCD after each application shows that after 100 iterations the NCD approaches 1 (that is, the two items being compared are dissimilar), but that two of the three engines make errors after 200 applications. Unfortunately for malware writers, this technique also causes the program to grow in size. The cost of obfuscation to malware writers may therefore be greater than that imposed upon white hats.

In the case of IP theft, suspect binaries are often huge, with tens of thousands of functions in them. Reused code is borrowed and obfuscated (for example, by compiler optimisation), usually out of laziness. To be a match, the suspect code must be both syntactically and functionally similar (though this can happen innocently even with clean-room development if different developers are implementing the same function to the same specification). The work is simplified by filtering out functions under 100 instructions (because they are not worth copying). Barr finds that it does not take many tests to establish whether two functions are equivalent. However, some shorter functions are "reticent", that is, they are false almost everywhere but true at a few points. In these cases, Barr uses the technique of microexecution, in which the researchers build the execution state the program expects at that point and treat that state as part of the input. Using the GNU core utilities and ten popular C projects sourced from GitHub, designating one randomly chosen function as "stolen", and varying the compiler, optimisation level and obfuscation engines, Barr found that at the most aggressive optimisation level the results had a mean precision of 88% and a recall rate (the proportion of matches flagged) of 25%. Varying the compiler was the biggest difficulty.
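Equivalence by testing, and why reticent functions defeat it, as an added example that is not Barr's tool: two implementations are judged equivalent when they agree on random inputs, which works for the popcount pair but wrongly equates a function that is true at a single magic value with a constant. The "guided" variant stands in for the microexecution step with a much simpler idea, seeding the test inputs with constants harvested from the code's compare instructions; that list, the 32-bit input domain and the trial count are assumptions of the example.

```python
"""Judging function equivalence by testing, and why 'reticent' functions defeat
random inputs (added example, not Earl Barr's tool)."""
from __future__ import annotations
import random
from typing import Callable

Fn = Callable[[int], int]
MASK32 = 0xFFFFFFFF


def random_equivalent(f: Fn, g: Fn, trials: int = 10_000, seed: int = 0) -> bool:
    """Black-box check: f and g agree on `trials` random 32-bit inputs."""
    rng = random.Random(seed)
    return all(f(x) == g(x) for x in (rng.getrandbits(32) for _ in range(trials)))


def guided_equivalent(f: Fn, g: Fn, interesting: list[int], trials: int = 10_000, seed: int = 0) -> bool:
    """Same check, but first on inputs harvested from the binaries (constants in
    compare instructions, boundary values), a crude stand-in for constructing the
    state a reticent function needs before running it."""
    return all(f(x) == g(x) for x in interesting) and random_equivalent(f, g, trials, seed)


# Two genuinely equivalent implementations, one 'optimised' by hand.
def popcount_loop(x: int) -> int:
    n = 0
    while x:
        n += x & 1
        x >>= 1
    return n


def popcount_kernighan(x: int) -> int:
    n = 0
    while x:
        x &= x - 1          # clears the lowest set bit
        n += 1
    return n


# A reticent pair: false almost everywhere, true at exactly one point.
MAGIC = 0xDEADBEEF


def is_licensed(x: int) -> int:
    return 1 if x == MAGIC else 0


def always_zero(x: int) -> int:
    return 0


# Constants a disassembler would pull from is_licensed's compare instruction,
# plus the usual boundary values (constructed list).
INTERESTING = [0, 1, MASK32, MAGIC, MAGIC - 1, MAGIC + 1]

if __name__ == "__main__":
    print("popcount, random:", random_equivalent(popcount_loop, popcount_kernighan))
    print("reticent, random only:", random_equivalent(is_licensed, always_zero))   # a false match
    print("reticent, guided:", guided_equivalent(is_licensed, always_zero, INTERESTING))
```

Ten thousand random 32-bit inputs have a roughly 2 in a million chance of hitting the magic value, so the purely random check reports the reticent pair as equivalent; this is the false-positive mode the filtering and microexecution steps above exist to close.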

The barrier to adoption for this system is that it's extremely intensive and took weeks to run on Livermore's computers; in addition, either the recall rate is too low for the real world or IP theft is more rare than conventional wisdom would believe.

Mirco Musolesi is interested in identity and identification in the smartphone era and looks at the privacy implications of merging the many types of data smartphones collect from their embedded sensors - GPS, cameras, microphones, proximity, ambient light, gyroscope, accelerometer and their "social sensors" (social media apps). Merging open data with these many data streams, which represent our digital identity, makes it possible to test many long-held theories about human behaviour, mobility, and design.

As an example, Musolesi outlined his work with data derived from three location-based social networks (LBSNs): FourSquare, the now-defunct BrightKite (2004-2011), and Gowalla (launched 2007, acquired by Facebook 2011). These and many others such as Twitter encourage users to share location information.  Musolesi wanted to find the limits of obfuscation: how hard is it for an attacker to identify individual users from their location information? How many check-ins does the attacker need? Musolesi's group studied four attack models. The trajectory-based approach identifies a user by considering the trajectory of spatio-temporal points of their check-ins. In the multinomial approach, a Bayes classification model takes advantage of the fact that most users' check-ins cluster around a limited set of GPS points to estimate the probability that any one check-in relates to a particular user. "Social smoothing" takes into account users' friends' check-ins within the social network. Finally, the hybrid model merges the spatial and frequency information into a single model.

Using directed Hausdorff distances to compare the results of these four models showed that where only a few points are available the trajectory model was the most accurate for the Foursquare and Gowalla datasets, though not Brightkite. Musolesi went on to ask whether some locations are more discriminative than others, which venues an attacker might want to monitor to optimise their success, and what strategy users should adopt for deciding whether to make a particular check-in public or not. Based on a dataset of check-ins in 17 core based statistical areas (as defined by the US Office of Management and Budget) and assuming that the attacker can only access some check-ins in specific categories (such as restaurants), the researchers found that venues in the travel category were the least discriminative because of their high user-to-venue ratio. The most discriminative was residence, followed by shops, which are highly discriminative if enough points are available. There turned out to be no correlation between a user's entropy (whether the user checks in frequently from many or few venues) and the complexity of identifying them; collective, rather than individual, behaviour determines the complexity of identifying an individual. How to ensure identity privacy remains an open question, along with attack models that consider sequences of check-ins and the influence of urban environments.
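The multinomial model described above, as an added example that is not the authors' code: a Laplace-smoothed naive Bayes identifier scores every user by the likelihood of a handful of anonymous check-ins, and a small information-gain measure shows why a hub that everyone visits is far less discriminative than a residence. The check-in records, the three users, the smoothing constant and the uniform prior are constructed for the example; the real study used far larger Foursquare, Gowalla and Brightkite datasets.

```python
"""Multinomial (naive Bayes) user identification from a few venue check-ins
(added example; a simplification of the model described in the talk, not the
authors' code)."""
from __future__ import annotations
import math
from collections import Counter, defaultdict

# Constructed training data: (user, venue). Users mostly check in at home and a
# few favourite places; everyone passes through the airport.
TRAIN = [
    ("alice", "home_a"), ("alice", "home_a"), ("alice", "home_a"),
    ("alice", "cafe_1"), ("alice", "cafe_1"), ("alice", "airport"),
    ("bob", "home_b"), ("bob", "home_b"), ("bob", "cafe_1"),
    ("bob", "cafe_1"), ("bob", "gym"), ("bob", "airport"),
    ("carol", "home_c"), ("carol", "home_c"), ("carol", "shop_9"),
    ("carol", "shop_9"), ("carol", "airport"), ("carol", "airport"),
]


class MultinomialIdentifier:
    def __init__(self, records: list[tuple[str, str]], alpha: float = 0.5):
        self.alpha = alpha
        self.venues = sorted({v for _, v in records})
        self.counts: dict[str, Counter] = defaultdict(Counter)
        for user, venue in records:
            self.counts[user][venue] += 1
        self.totals = {u: sum(c.values()) for u, c in self.counts.items()}

    def log_p(self, user: str, venue: str) -> float:
        """Laplace-smoothed log P(venue | user); unseen venues stay possible but unlikely."""
        num = self.counts[user][venue] + self.alpha
        den = self.totals[user] + self.alpha * len(self.venues)
        return math.log(num / den)

    def rank(self, checkins: list[str]) -> list[tuple[str, float]]:
        """Score every user by the log-likelihood of the anonymous check-ins
        (uniform prior over users), best first."""
        scores = {u: sum(self.log_p(u, v) for v in checkins) for u in self.counts}
        return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

    def identify(self, checkins: list[str]) -> str:
        return self.rank(checkins)[0][0]

    def discriminativeness(self, venue: str) -> float:
        """Bits learned about the user from a single check-in at `venue`: entropy
        of the uniform prior minus entropy of the posterior. A hub everyone visits
        scores near 0; a residence scores near log2(number of users)."""
        post = [math.exp(self.log_p(u, venue)) for u in self.counts]
        z = sum(post)
        post = [p / z for p in post]
        h_post = -sum(p * math.log2(p) for p in post if p > 0)
        return math.log2(len(self.counts)) - h_post


if __name__ == "__main__":
    model = MultinomialIdentifier(TRAIN)
    print(model.rank(["cafe_1"]))             # alice and bob tie: one shared cafe is not enough
    print(model.rank(["cafe_1", "gym"]))      # the gym check-in settles it: bob
    for v in ["airport", "cafe_1", "home_a"]:
        print(v, round(model.discriminativeness(v), 2), "bits")
```

The same ranking is what an attacker who can only observe check-ins in one venue category would run; restricting the observable venues to the airport leaves almost no information, which is the page's high user-to-venue ratio effect in miniature.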

UCL visiting professor Susan Landau's talk outlined her forthcoming paper with Steve Bellovin, Matt Blaze, and Stephanie Pell, "It’s Too Complicated: The Technological Implications of IP-Based Communications on Content/Non-Content Distinctions and the Third-Party Doctrine". The paper uncovers technical and legal problems in applying existing US wiretap law to Internet Protocol-based communications. The main conclusion: the laws in effect today, drafted with traditional telephony in mind, are a poor fit for IP-based communications.

As background, Landau noted her work with seven other expert co-authors on "Bulk Collection of Signals Intelligence: Technical Options". This report, issued earlier this year, was commissioned under the 2014 Presidential Policy Directive 28; it concluded that there are no technical alternatives to NSA bulk collection that provide the ability to delve into past communications and that automated controls on usage can help enforce privacy protections. Laws covering wiretapping in the US must stand against and be interpreted by court challenges under the Fourth Amendment, which states: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

The following laws control wiretapping in the United States:
- Title III (1968) provides for wiretaps in criminal cases where telephony was used in planning one of a short list (originally 25, now nearly 100) of crimes, where there is probable cause, and where wiretapping is a last resort.
- Foreign Intelligence Services Act (1978) adds probable cause that the target is the agent of a foreign power, later amended to include terrorist groups.
- Electronic Communications Privacy Act (1986) sets out rules for pen/traps, which record numbers dialled and trap incoming calls.
- The PATRIOT Act (2001) adds "lone-wolf" suspected terrorists to FISA.

Two key Supreme Court cases control the application of existing wiretap laws. The first, Katz v United States (1967), established that even in a public phone booth wiretapping constitutes a search and requires a warrant because the Fourth Amendment protects people, not places. Title III was drafted in response, and sets out warrant procedures. The second, Smith v Maryland (1979), created "third-party doctrine", which holds that no reasonable expectation of privacy applies to information voluntarily conveyed to a third party - such as the address written on a letter or a dialled phone number. Protection for the contents of a package in the US goes all the way back to the 18th century, and, like the Fourth Amendment, derives from the US's colonial history. Taken together, this is the basis for treating content differently from metadata.

In their research, Landau and her co-authors discovered that the current (2005) Department of Justice manual on electronic surveillance includes "dialing, routing, addressing, and signaling information" in its definition of non-content, and specifies that this includes IP addresses, port numbers, and "to" and "from" information included in the email header.

However, the public switched telephone network (PSTN) and IP communications are fundamentally different architectures. In IP-based communications, there is no dialling; routing does not map easily to identifiable end points (and a single email's packets may follow many different paths), addressing information may mean one thing to computer protocols and another to the humans using them, and signalling means setting up an end-to-end TCP connection. Other problems with the distinctions created by Katz and Smith include: where a service occurs; whether non-content can reveal content; and whether non-content is content. Third-party doctrine similarly poses problems: users can't be said to share information voluntarily or knowingly when they can't tell if a third party is involved in a DNS request; URLs comprise both addressing information (the base domain) and content (the path specifying a page); and proxy servers introduce additional complications. Other commonly used technologies - NAT, firewalls, domain fronting, notification services, basic email headers that can reveal location, and packet lengths that can reveal the content of the communication - further blur the boundaries of the traditional distinction between content and metadata.

They conclude that the rules are too difficult to apply, that trying to apply the old rules on the internet leads to inconsistent results, and that the concept that metadata is wholly distinguishable from content no longer works. The paper concludes with recommendations for the DoJ, judges, and policy makers. For the DoJ, it recommends that "to" and "from" should be seen as content, not signalling information. For policy makers, the paper recommends grounding the law more solidly in today's technical realities without focusing too much on today's technologies, and being aware that "big data" may give law enforcement insight into individuals that traditionally required a warrant or court order. Third-party doctrine may have to be reconsidered, as Supreme Court Justice Sonia Sotomayor noted in US v Jones (2012).

Dr Murdoch quoted in a BBC article about AVG TuneUp

03 January, 2016

Dr Steven Murdoch was quoted in a BBC article about a vulnerability in AVG's TuneUp software. While the TuneUp software is produced by a reputable vendor, the vulnerability put millions of users at risk; Dr Murdoch comments:

"Although it is now fixed, it shows that almost any software installed on a computer can introduce security vulnerabilities, even if that software is intended to improve security."

Read the article here.

Dr Murdoch writing for The Conversation: How Tor’s privacy was (momentarily) broken, and the questions it raises

11 December, 2015

Dr Steven Murdoch wrote an article for The Conversation discussing a recent de-anonymisation attack against users of Tor hidden services. The article explains the operation of Tor and the attack itself. It also highlights some ethical issues that arose in connection with the attack, namely responsible disclosure and large-scale real-world use of vulnerabilities affecting users.

Read the full article here.

Dr De Cristofaro gave a keynote talk at the first 3TU Cyber Security Workshop

26 November, 2015

Dr Emiliano De Cristofaro gave a keynote talk at the first 3TU Cyber Security Workshop on Privacy-Preserving Information Sharing.

The workshop was held in The Hague Security Delta Headquarters on the 26th of November.

The title of the talk was "Privacy-preserving Information Sharing: Tools and Applications".

Dr Danezis quoted in a Gulf Times article regarding encryption and cyberattacks

25 November, 2015

Dr George Danezis was quoted in a Gulf Times article on the topic of encryption and cyberattacks. The article covers the use of online services by terrorists, as well as the possibility of cyberattacks against infrastructure. Dr Danezis was sceptical both about the benefits of proposed data-gathering measures and about the feasibility of terrorism-backed cyberattacks:

“Good engineering should prevent such things.”

Read the full article.

Dr Murdoch quoted in The Register regarding security and privacy

24 November, 2015

Dr Steven Murdoch was quoted in an article on The Register, regarding the deployment of strong encryption by tech companies and the needs of security agencies.

"These companies are not using cryptography to defend against governments, they're trying to defend against those with no legitimate reason to access that information [...] The debate shouldn't be framed as 'security versus privacy'. For those in the intelligence agencies, security is privacy."

Read the full article at The Register.

This page was last modified on 24 Feb 2016.