All posts by Steven J. Murdoch

About Steven J. Murdoch

I am Professor of Security Engineering and Royal Society University Research Fellow in the Information Security Research Group of the Department of Computer Science at University College London (UCL), and a member of the UCL Academic Centre of Excellence in Cyber Security Research. I am also a bye-fellow of Christ’s College, Innovation Security Architect at the OneSpan, Cambridge, a member of the Tor Project, and a Fellow of the IET and BCS. I teach on the UCL MSc in Information Security. Further information and my papers on information security research is on my personal website. I also blog about information security research and policy on Bentham's Gaze.

Call for Papers: USENIX Security 2012

The USENIX Security Symposium brings together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the security of computer systems and networks. The 21st USENIX Security Symposium will be held August 8–10, 2012, in Bellevue, WA.

All researchers are encouraged to submit papers covering novel and scientifically significant practical works in computer security. Submissions are due on Thursday, 16 February 2012, 11:59 p.m. PST. The Symposium will span three days, with a technical program including refereed papers, invited talks, posters, panel discussions, and Birds-of-a-Feather sessions. Workshops will precede the symposium on August 6 and 7. Further details can be found in the full Call for Papers.

In common with other USENIX conferences, the proceedings of USENIX Security 2012 will be open access, and made available for free to everyone from the first day of the event.

Brute force password-guessing attempts on SSH

I recently set up a server, and predictably it started seeing brute-force password-guessing attempts on SSH. The host only permits public key authentication, and I also used fail2ban to temporarily block repeat offenders and so stop my logs from being filled up. However, I was curious what attackers were actually doing, so I patched OpenSSH to log the username and password for log-in attempts to invalid users (i.e. all except my user-account).

Some of the password attempts are predictable (e.g. username: “root”, password: “root”) but others are less easy to explain. For example, there was a log-in attempt for the usernames “root” and “dark” with the password “ManualulIngineruluiMecanic”, which I think is Romanian for Handbook of Mechanical Engineering. Why would someone use this password, especially for the uncommon username “dark”? Is this book common in Romania; is it likely to be by the desk of a sys-admin (or hacker) trying to choose a password? Has the hacker found the password in use on another compromised system; is it the default password for anything?

Over the next few weeks I’ll be posting other odd log-in attempts on my Twitter feed. Follow me if you would like to see what I find. Feel free to comment here if you have any theories on why these log-in attempts are being seen.

Complaining about spam to the ICO

Like I imagine most readers of Light Blue Touchpaper, the vast majority of spam I receive is from overseas. For that you can try complaining to the sender’s ISP, but if the spam is being sent from a botnet, there’s not much you can do to stop them sending you more in the future. There might be an unsubscribe link, but clicking on it will just tell the sender that your address has a real person behind it, and might encourage them to send more spam.

Things are different if the sender (of spam email or text messaging) is in the UK, because then they might have violated the Privacy and Electronic Communications Regulations (PECR), and you can complain to the Information Commissioner’s Office (ICO). The process isn’t fast, or particularly easy, and there are plenty of ways the ICO can avoid investigating, but it can get results.

The last time I went through this process was regarding a PR agency which was sending me repeated emails despite me asking to unsubscribe. I sent the complaint to the ICO in November 2010, and it took over 2 months for them to deal with it, but the ICO did conclude that based on the information available, the PR agency did violate the PECR. At the time, the ICO didn’t have powers to punish an organisation for PECR violations but they did remind the agency of their obligations. I was finally unsubscribed from the list and the PR agency even sent me a box of muffins as an apology.

Things don’t always go smoothly though. Before then I complained about an online DVD rentals company, for similar reasons. The ICO initially refused to invoke the PECR, claiming that “If you work for or attend higher education and are receiving unsolicited marketing emails to a university email address, there is no enforceable opt-out right provided by The Privacy and Electronic Communications Regulations 2003 (the Regulations).” However, they did say that if my name is identifiable from my email address, then the sender is processing personal data and thus is covered by the Data Protection Act. I could therefore ask the company to unsubscribe me (which I had done), and if they continued to send me email after 28 days I could complain to the ICO again.

In fact, the email address to which I was sent the spam was my personal address (I did however send the complaint from my university address), which I told the ICO. The ICO then wrote to the company reminding them of their obligations. I never received further emails from the company so it probably worked, but I didn’t get any muffins or even an apology from them.

Since then, some things have changed — particularly that the ICO can now fine organisations up to £500,000 for very serious breaches of the PECR (although as far as I can tell the ICO has never done so). Hopefully this will encourage organisations to take their obligations seriously. I’ve sent a further complaint to the ICO, so I’ll keep you posted on how this progresses. If you want to try sending a complaint yourselves, instructions can be found on the ICO site.

Debate at Cambridge Festival of Ideas: Internet Freedom

In the evening of Thursday 27 October, I will be participating in a debate at the Cambridge Festival of Ideas, on Internet Freedom. Other speakers include Jim Killock, executive director of the Open Rights Group, Herbert Snorsson, founder of Openleaks.org and David Clemente, Chatham House. Further details can be found on the festival website.

Attendance is free, but booking is required.

PhD studentship available for research on anonymity and privacy

Funding is available for a PhD student to work at the University of Cambridge Computer Laboratory, on the topic of privacy enhancing technologies and anonymous communications, starting in April 2012.

The sponsorship is jointly provided by Microsoft Research Cambridge and under the Dorothy Hodgkin Postgraduate Awards scheme. As such, applicants must be nationals from India, China, Hong Kong, South Africa, Brazil, Russia or countries in the developing world as defined by the Development Assistance Committee of the OECD.

The application deadline is soon (28 October 2011), so please circulate this advertisement to anyone who you think might find it of interest.

Further details can be found on the University website, and enquiries should be sent to me (Steven.Murdoch@cl.cam.ac.uk).

The PET Award: Nominations wanted for prestigious privacy award

The PET Award is presented annually to researchers who have made an outstanding contribution to the theory, design, implementation, or deployment of privacy enhancing technology. It is awarded at the annual Privacy Enhancing Technologies Symposium (PETS).

The PET Award carries a prize of 3000 USD thanks to the generous support of Microsoft. The crystal prize itself is offered by the Office of the Information and Privacy Commissioner of Ontario, Canada.

Any paper by any author written in the area of privacy enhancing technologies is eligible for nomination. However, the paper must have appeared in a refereed journal, conference, or workshop with proceedings published in the period from August 8, 2009 until April 15, 2011.

The complete award rules including eligibility requirements can be found under the award rules section of the PET Symposium website.

Anyone can nominate a paper by sending an email message containing the following to award-chair11@petsymposium.org.

  • Paper title
  • Author(s)
  • Author(s) contact information
  • Publication venue and full reference
  • Link to an available online version of the paper
  • A nomination statement of no more than 500 words.

All nominations must be submitted by April 15th, 2011. The Award Committee will select one or two winners among the nominations received. Winners must be present at the PET Symposium in order to receive the Award. This requirement can be waived only at the discretion of the PET Advisory board.

More information about the PET award (including past winners) is available at http://petsymposium.org/award/

More information about the 2011 PET Symposium is available at http://petsymposium.org/2011.

Financial Cryptography and Data Security 2011 — Call for Participation

Financial Cryptography and Data Security (FC 2011)
Bay Gardens Beach Resort, St. Lucia
February 28 — March 4, 2011

Financial Cryptography and Data Security is a major international forum for research, advanced development, education, exploration, and debate regarding information assurance, with a specific focus on commercial contexts. The conference covers all aspects of securing transactions and systems.

NB: Discounted hotel rate is available only until December 30, 2010

Topics include:

Anonymity and Privacy, Auctions and Audits, Authentication and Identification, Backup Authentication, Biometrics, Certification and Authorization, Cloud Computing Security, Commercial Cryptographic Applications, Transactions and Contracts, Data Outsourcing Security, Digital Cash and Payment Systems, Digital Incentive and Loyalty Systems, Digital Rights Management, Fraud Detection, Game Theoretic Approaches to Security, Identity Theft, Spam, Phishing and Social Engineering, Infrastructure Design, Legal and Regulatory Issues, Management and Operations, Microfinance and Micropayments, Mobile Internet Device Security, Monitoring, Reputation Systems, RFID-Based and Contactless Payment Systems, Risk Assessment and Management, Secure Banking and Financial Web Services, Securing Emerging Computational Paradigms, Security and Risk Perceptions and Judgments, Security Economics, Smartcards, Secure Tokens and Hardware, Trust Management, Underground-Market Economics, Usability, Virtual Economies, Voting Systems

Important Dates

Hotel room reduced rate cut-off: December 30, 2010
Reduced registration rate cut-off: January 21, 2011

Please send any questions to fc11general@ifca.ai

Continue reading Financial Cryptography and Data Security 2011 — Call for Participation

Digital Activism Decoded: The New Mechanics of Change

The book “Digital Activism Decoded: The New Mechanics of Change” is one of the first on the topic of digital activism. It discusses how digital technologies as diverse as the Internet, USB thumb-drives, and mobile phones, are changing the nature of contemporary activism.

Each of the chapters offers a different perspective on the field. For example, Brannon Cullum investigates the use of mobile phones (e.g. SMS, voice and photo messaging) in activism, a technology often overlooked but increasingly important in countries with low ratios of personal computer ownership and poor Internet connectivity. Dave Karpf considers how to measure the success of digital activism campaigns, given the huge variety of (potentially misleading) metrics available such as page impression and number of followers on Twitter. The editor, Mary Joyce, then ties each of these threads together, identifying the common factors between the disparate techniques for digital activism, and discussing future directions.

My chapter “Destructive Activism: The Double-Edged Sword of Digital Tactics” shows how the positive activism techniques promoted throughout the rest of the book can also be used for harm. Just as digital tools can facilitate communication and create information, they can also be used to block and destroy. I give some examples where these events have occurred, and how the technology to carry out these actions came to be created and deployed. Of course, activism is by its very nature controversial, and so is where to draw the line between positive and negative actions. So my chapter concludes with a discussion of the ethical frameworks used when considering the merits of activism tactics.

Digital Activism Decoded, published by iDebate Press, is now available for download, and can be pre-ordered from Amazon UK or Amazon US (available June 30th now).

Update (2010-06-17): Amazon now have the book in stock at both their UK and US stores.

Digital Activism Decoded

Cambridge Science Festival: Science research now!

The annual Cambridge Science Festival is running during 8–21 March, where there are over 150 talks, demonstrations and other events, open to the public.

On Saturday 13th March (16:00–16:45), I will be talking about my recent work on Chip and PIN security. In the same session, there will also be presentations from Leila Luheshi on Alzheimer’s Disease, and Adrian Owen discussing his research on the awareness of brain-damage victims. The session will be hosted by The Naked Scientists.

For more details, see the event page — science research now!. The talk is free and no booking is required. It will be held in the Cockcroft Lecture Theatre.

Reliability of Chip & PIN evidence in banking disputes

It has now been two weeks since we published our paper “Chip and PIN is broken”. Here, we presented the no-PIN attack, which allows criminals to use a stolen Chip and PIN card, without having to know its PIN. The paper has triggered a considerable amount of discussion, on Light Blue Touchpaper, Finextra, and elsewhere.

One of the topics which has come up is the effect of the no-PIN vulnerability on the consideration of evidence in disputed card transactions. Importantly, we showed that a merchant till-receipt which shows “PIN verified” cannot be relied upon, because this message will appear should the attack we presented be executed, even though the wrong PIN was entered.

On this point, the spokesperson for the banking trade body, the UK Cards Association (formerly known as APACS) stated:

“Finally the issuer would not review a suspected fraud involving a PIN and make a decision based on the customer’s paper receipt stating that the transaction was “PIN verified”, as suggested by Cambridge.”

Unfortunately card issuers do precisely this, as shown in a recent dispute over £9,500 worth of point-of-sale transactions, between American Express and a customer. In their letter to the Financial Ombudsman Service, American Express presented the till receipt as the sole evidence that the PIN was correctly entered:

“We also requested at the time of this claim, supporting documents from [the merchant] and were provided a copy of the till receipts confirming these charges were verified with the PIN.”

Requests to American Express for the audit logs that include the CVR (card verification results), which would have shown whether or not the no-PIN attack had been used, were denied. The ombudsman nevertheless decided against the customer.

The issue of evidence in disputed transaction cases is complex, and wider than questions raised by just the no-PIN attack. To help bring some clarity, I wrote an article, “Reliability of Chip & PIN evidence in banking disputes”, for the 2009 issue of the Digital Evidence and Electronic Signature Law Review, a law journal. This article was written for a legal audience, but would also be suitable for other non-technical readers. It is now available online (PDF 221 kB).

In this article, I give an introduction to payment card security, both Chip & PIN and its predecessors. Then, it includes a high-level description of the EMV protocol which underlies Chip & PIN, with an emphasis on the evidence it generates. A summary of various payment card security vulnerabilities is given, and how their exploitation might be detected. Finally, I discuss methods for collecting and analyzing evidence, along with difficulties currently faced by customers disputing transactions.