Journal Paper Published in the Computer Law & Security Review

“Defence Against the Dark Artefacts: Smart Home Cybercrimes and Cybersecurity Standards”

post by Stanislaw Piasecki (2018 cohort)

Dr. Lachlan Urquhart (Lecturer in Technology Law, University of Edinburgh and former CDT student) had the first idea in terms of the paper’s topic, which has evolved quite significantly since then concerning its content, structure and methodology. The paper has been written by myself, Lachlan and Professor Derek McAuley (Professor of Digital Economy, Faculty of Science, University of Nottingham). The initial version was based on the practice-led project module completed during the 2018-2019 academic year (part of the Horizon CDT PhD programme). The first title of the project was “Defence Against Dark Artefacts: Mapping Smart Home Cybersecurity Standards”. While I was working on the PLP, the United Kingdom Department for Digital, Culture, Media and Sport (DCMS) published a series of documents aggregating various standards in its “Code of Practice for Consumer Internet of Things (IoT) Security” and the associated “Mapping of IoT security recommendations, guidance and standards to the UK’s Code of Practice for Consumer IoT Security”. During the same period of time, the European Union Agency for Network and Information Security (ENISA) mapped standards in its “IoT Security Standards Gap Analysis”. We realised that the mapping had already been done both at national and EU levels and, as a result, focused our work on analysing the assumptions underpinning emerging EU and UK smart home cybersecurity standards, changing the article’s title to “Defence Against the Dark Artefacts: Smart Home Cybercrimes and Cybersecurity Standards”. Staying up to date was crucial to making our paper relevant and as accurate as possible. I considered the publication of the documents mentioned above as a positive development as I was able to completely focus on the analysis of the assumptions upon which IoT standards are based, the most interesting aspect of our project in my view.
My motivation to write this paper has always been to stir discussions about those assumptions and contribute to moving policies in a positive direction for EU and UK citizens. While the main objective of our work has not changed, the means to achieve our goals did. For example, as a result of team discussions, we decided to use the routine activity criminological theory to explain security risks associated with the current design of many smart products. This theory has supported effective policymaking and crime prevention strategies for a long time and has recently been applied more frequently to “virtual” world-related scenarios. Discussing and contributing ideas with my co-authors was a great experience, which certainly improved the content of our article.

We started discussing the outline of the paper as early as 2019. My professional background is in law and politics, and our project also involved work in fields such as computer science, cybersecurity and criminology. For this reason, the interdisciplinary nature of our team was helpful and important. In addition to online research and team discussions, I organised meetings with experts from the University and with people I met during various events (such as the 2019 EUROCRIM conference in Ghent, Belgium) to receive advice. However, the interdisciplinary nature of our project remained a challenge for me and involved a great deal of reading and discussion to better understand the computer science and criminological aspects of our article, especially at the beginning of my PhD journey (I was still getting familiar with certain basic terminology used in the computer science field). In my opinion, this part of the paper preparation process greatly enhanced my research knowledge and skills. While I will never become a computer scientist, learning about this field of study by reading journal papers and books, but also by asking computer scientists questions, continues to help me in proposing the most relevant and accurate legal solutions, as my work often lies at the intersection of law and technology. Writing this journal paper has reminded me of the value and importance of interdisciplinary work.

In terms of the review process, the initial journal to which we submitted our paper had difficulties in finding reviewers and we decided to withdraw our submission. We made this decision before any reviewer was found. I discussed this with my co-authors to make sure that this was ethical (until then, I did not know that withdrawing the submission was in some cases an acceptable decision) and we together contacted the journal in question to be certain that they were comfortable with this as well. This is why the publication process has been much longer than anticipated. This has also influenced our work as we had to stay up to date with new research and technological developments, and include them in our paper while waiting for reviews. Subsequently, we decided to submit our article to the Computer Law and Security Review journal, known for its interdisciplinary nature. The reviewers were quickly selected and we started working on their comments.

Two people reviewed our work and, in my opinion, the comments were fair. The reviewers were open to discussing them and it felt as if they really wanted to improve our paper rather than just criticise it. The article required a minor revision, which was completed after two cycles of amendments. While we agreed with some comments, we disagreed with others but always found a common solution. I did anticipate some suggestions. For example, in terms of the structure of the paper, I had suspected that this might be something that they could comment on, as I was hesitating myself on how to order specific sections. In this regard, the reviewers helped me in seeing this issue more clearly and finding the right solution. They also suggested citing additional articles, defining certain technical terms and giving more examples of real-world situations to illustrate my arguments. This has definitely improved our paper. In terms of the remarks we disagreed with, we were able to explain to the reviewers what we meant by particular statements and convince them that they were important. This also allowed us to refine those statements and make them clearer for future readers.

While publishing our paper took a rather long time due to the necessity to withdraw our first submission and switch journals, writing this article was a valuable and challenging process, my first publication of interdisciplinary work, an opportunity to collaborate with more experienced researchers and learn about various aspects of journal paper publications. I have already applied what I learned by submitting a second paper this year (based on the first two chapters of my PhD), which has recently been conditionally accepted for publication. Among other things, this time I tried to use more concrete real-life examples to support my statements and to define technical terms. Even though there might be very well-written articles, I think that there is always room for reviewers’ suggestions to further improve them, and I look forward to participating in the review process again in the future.


Covid-19 and Cybercrime

Post by Neeshé Khan (2018 Cohort)

After being in self-isolation for what feels like an eternity, like many others I am also starting to get warped about what time it is. It’s hard for me to remember when things happened or which day we’re on. I’m experiencing a weird fatigue setting in, which is the same for many of the people I’ve been speaking to, despite LinkedIn being on steroids. The fatigue also means that I’m finding it hard to find inspiration to write this blog, but here we are – it’s Friday and things must get done. So, welcome to another blog post!

In my earlier posts I wrote about remote working and some pitfalls this could bring for your cybersecurity during Covid-19. Unsurprisingly, as more people have shifted to working from home (WFH) cyberthreats have been on a sharp increase. Some of you might be aware of Zoom (group meet up software) vulnerabilities that allowed hackers or unauthorised users to attend closed sessions which quickly became known as Zoom Bombings. Some kids innocently did some Zoom Bombings to prank their teachers while hackers used this to cause disruptions to virtual classrooms in Singapore.

The National Centre for Cyber Security (NCSC) and the National Centre in the US have issued a joint statement this month to announce that cybercriminals are using Covid-19 themed content to lure in users that are then cyberattacked.

This really shouldn’t be a surprise. There was an interesting mapping done by one of the US universities that showed how the virus moved across the US after spring breakers partied and went back to their respective homes. In the UK there have been several news stories on the BBC talking about an app by the government which will track Covid-19 infections. Given this context it doesn’t take a rocket scientist to see what the easiest bait is for a cybercriminal. To me it’s the same as discussing that you’re planning to upgrade your home with new windows in public places (either online or in real life) and then suddenly seeing adverts that talk about a local window company or, worse, getting cold calls from them. Plus, with a pandemic that’s sucker punched economies, had impacts that were unforeseen or unknown and where you have authorities proactively concealing the number of infections, it’s not surprising that Covid-19 becomes an interesting concept to explore, track and be ‘in the know’ for.

So, what can you do to stay safe online? I would suggest reading the news once or twice a day from a trusted source, ideally in static text (such as articles as opposed to interactive graphs), avoiding disclosing your location to check the number of cases in your local area and always being wary of clicking links that are from people you don’t know. Even if the links are from people you might frequently speak with, be alert and notice if something ‘doesn’t feel right’ because their account could’ve been hacked. Trust your instincts with content online, listen to that small voice in your head that’s usually right and try to suppress (if not temporarily extinguish) your curiosity for the time being. While you’re focusing on suppressing your curiosity, practice some mindfulness or Netflix binge watch the Tiger King.

Stay safe and my best wishes your way. Until next time!

–originally posted on Neeshé’s blog

Mel travels to Sweden for CRITIS2019

Mel Wilson (2018 cohort) has recently returned from the CRITIS 2019 conference in Linkoping, Sweden, where she successfully submitted the paper titled “Exploring How Component Factors and Their Uncertainty Affect Judgements of Risk in Cyber-Security”.


Post by Melanie Wilson (2018 Cohort)

This conference paper was submitted following the work done for my PLP. It involved the process of recording and analysing the effects of uncertainty in experts’ ratings of cyber security risks, using an interval range method. This procedure allows capture of a value for uncertainty in a rating, by the use of an elliptical marking, as illustrated below.

A larger ellipse represents a greater uncertainty and a smaller represents greater certainty.

Following the PLP write up my PLP supervisor Josie McCulloch suggested that I might like to present the findings at a conference. Coincidentally I had been talking with an industry colleague who holds a doctorate in cyber security and is a senior figure in the cyber security industry with a large, international company with a particular interest in the industry sector addressed by the PLP work. He had suggested CRITIS as an ideal showcase for the paper.

After passing the details on to Josie, Zack and Christian we all felt that this was a worthwhile submission and after some discussions decided that we would submit a long paper with some adjustments from the original PLP work, to cover a greater range of data and greater depth of statistical analysis. Zack was to work on the statistical adjustment, with Josie and me looking at the general paper presentation and Christian inputting as necessary from his more experienced perspective of conference submissions.

I have been a commercially published author since the late 1980s, but I have not published an academic paper before. I enrolled on the Graduate School online course “An Introduction to Writing for Academic Journals”, which I found very helpful. It explained clearly the process and ways of dealing with each stage both practically and emotionally, as it recognised that peer review can be a harsh undertaking and hurtful if one’s mindset is not aligned to the process.

In general peer review does not differ too much from that of submitting to a mainstream publication. The biggest difference from my perspective was that you had several reviewers, rather than just a single editor. This meant that there were several different perspectives to address.

As a team I felt that each of us as contributors brought a different perspective and style to the paper. I had wondered how this might be aligned, as this kind of working on a paper was new to me. We all contributed to the paper by using Overleaf; we also discussed ideas around changes and met to talk over differing aspects before the first submission. This was a really interesting process and one I really valued, as it gave me a good insight into the way others could work in academia.

Following submission and peer review we again put our ideas forward on adjustments that could be made, and each contributed in their area. We met and discussed the points and addressed each one that was highlighted by each reviewer, taking on board the suggestions and often hypothesising on the perspective of each reviewer and their field of expertise. Most of the points were valid and were useful contributions towards clarity and completeness within the paper. I feel we addressed all the points we felt had validity for change, and we explained our perspective if we felt the point was perhaps unclear but correct. I felt that working in this way was very helpful and our different ways of looking at the project benefited us all, as it brought greater depth of multiple perspectives into play.

I was impressed with how we all worked together on the project and how well everyone’s skills complemented the others. I’ve worked in a great many industry and charity sector teams and am very aware of the psychological process of team building, but in this case the transitions were smooth and at all times calm and friendly.

CRITIS2019

The conference was very interesting and gave me a chance to hear about other work in the area as well as to have many talks with various attendees on a large range of associated subjects. Particularly interesting were those working on gamification in learning strategies, which links into my PhD work.

An added and very exciting bonus was that the paper was presented with the Young CRITIS award. The conference process has a rejection rate of two-thirds of submissions and our paper was stated as a clear winner of the award, which is something I feel proud to have been a part of.

I am hoping to use this method of recording uncertainty in some of the questionnaires for my PhD, in terms of capturing the uncertainty of online risk as experienced by children. I also want to use the capture of uncertainty from the teachers of the children in terms of the skills changes they perceive that the children have experienced.

From my perspective as an evolutionary psychologist, the capture of uncertainty in risk is a very necessary part of the data needed to improve the industry’s ability to predict and assess how both experts and the general population assess risks and consequently respond to them. Using this uncertainty capture can help us to analyse what biases may be influencing decision making and to find methods to mitigate these as we increase individuals’ abilities to accurately predict the probability of a risk’s effect.

I am pleased that I undertook the PLP I chose and have progressed the work in this way. I am looking forward to working with this method and team in the future.

Link to paper: https://arxiv.org/abs/1910.00703

Human Aspects of Cyber-crime and Online Fraud Summer school

Post by Melanie Wilson (2018 Cohort)

This summer school was presented by Canterbury University in collaboration with the Leicester Castle Business School of De Montfort University, Leicester.

I attended on the Monday & Tuesday of this three-day event, as I had a family commitment on the Wednesday.

The presentations on the Monday were specifically addressing ideas around cyber-crime, social engineering and fraud. These are particularly relevant to me as my PhD is around increasing children’s abilities to identify and resist activities and approaches whilst online. I am addressing these from the perspective of enabling children to recognise attempts from others to engage in social engineering and to have the confidence and personal autonomy to reject anything they feel uncomfortable with, and to seek help where it is needed.

I am working with the Northamptonshire Police cyber-crime team on this and as such have a valuable insight into the challenges they have seen children facing as well as my own perspective as a psychotherapist working with children.

The summer school was the first of its kind to be run at Canterbury University and was led with great enthusiasm and skill by Jason Nurse. The summer school involved people from academia, social enterprise and industry which allowed a large variety of input and ideas to be expressed. Jason was skilful in accommodating discussions within the topics and I found that this approach, rather than the “talked at” approach, was very beneficial. Cyber-crime is a fast-growing field and the traditional approaches of academic study, which often take years to complete, are at risk of being overtaken as both technology and its associated exploitation by criminals proceeds at a rate far outstripping the slower traditional progress of academic work.

I feel this pace change was reflected well in the way the summer school was run. Some of the input could have been improved with more industry input to increase the pace and knowledge of the current challenges further, but I believe that Jason is aware of this and plans to address this in future events.

The first session explored the basics of cyber-crime reflecting on what forms it can take and highlighting how insidious it can be. It addressed the aspects of this area of criminology that are rapidly expanding and exploiting the tools that are available to enhance crime via technological means. One big take-home from this introduction and discussion was how fast this is developing in criminal circles where there are few restrictions and great financial gains to be made. This is at odds with the crime fighters and honest technological industry where there are checks and balances to be met in all circumstances which often results in a slower response which the criminal can exploit.

The Cyber Protect and Prevent Officer for Kent then gave us her perspective on how cyber-crime was affecting policing and the tensions between businesses, which often wanted just to solve the issue and move on with business as usual, and the desire to pursue cyber-crime as a crime with ramifications for the criminals.

The final session of the day looked at profiling cyber criminals and looking at how these criminals might be led into a perpetrator role. This is particularly relevant to my work because vulnerability leads to both perpetrator and victim activities and the two routes often share common factors.

At the end of the sessions we arranged to meet after dinner in a pub in Canterbury. Doing so was valuable as it provided a relaxed atmosphere in which to talk further with other attendees both about their work and that of others, and gave a great deal of insight into the varying fields that are involved with this ever-expanding and important field.

Tuesday morning looked at how cyber-crime is often underlined by psychological methodologies that criminals have learnt to use in order to perpetrate their crimes. We explored how social engineering uses a number of methods to elicit cooperation from people, utilising their vulnerabilities and often just their normal desires to help others and be nice. Again, this is an area that I focus on a great deal and feel addressing our ability to say “no” is fundamentally decreasing individuals’ vulnerability to such tactics. There is a noticeable difference in the psychological mechanisms that criminals exploit ruthlessly and the non-criminals’ tendency to trust.

The afternoon sessions addressed the cost to businesses from cyber-crime. They were led by Edward Cartwright from De Montfort University and Anna Cartwright from Coventry University. They addressed business vulnerabilities and the attacks that businesses face daily, and the routes into the enterprise, which are often indirect. The conflicts between security and running businesses were highlighted and discussed, as were the reality of end users often not rejecting companies following a breach and whether reputational damage is as damaging as is often thought. In Anna’s session we looked at the financial motivation for attacks and at what level the attacks and demands became profitable for criminals.

Finally, we looked at the problems and advantages in cyber security that Small and Medium Sized Enterprises face, addressing the challenges of this sector where often there are just a few individuals trying to complete multiple roles.

This summer school was fun. Where a learning experience is fun, lively and open to discussion, I feel far more is gained than from a situation where there is just one voice with very little interaction.

It greatly benefited from a range of perspectives and allowing those to be expressed and discussed. I feel everyone learned something from the variety and range of participants at the event and very much look forward to taking part next year.

How to make a strong password

Post by Neeshé Khan (2018 Cohort)


Making strong passwords which are memorable is easier than you think if you ignore everything that you’ve been told and start to think of the reasoning behind the combination.

Yesterday morning I heard an advert by the UK’s National Cyber Security Center about setting better passwords. I went to the resources and ended up going down the rabbit hole to discover a range of resources on a variety of topics on ‘Get Safe Online’.

It’s a good starting point but very basic. If you know not to keep your dog’s name as a password, you won’t come out any better than when you went in. Personally, I’ve always found it a waste of effort with imposed slap-dash restrictions by IT teams or platforms to make me ‘secure’ (must be 8 characters long, include a special character etc). You can follow these rules but still be relatively vulnerable to hacks like the dictionary attack.

So, here are some things I’ve learnt from various readings, discussions and from Dr Pound’s lectures at the University of Nottingham that will help you understand how to make strong passwords rather than being told what passwords should contain.

1. Ignore what you’ve heard: The most common password is, believe it or not, ‘Pa55w0rd’. It meets the base requirements of being 8 characters long and containing a capital and a numeral. But this would literally take no time to crack with a dictionary hack. If you ignore these requirements and change the way the same word is written to ‘pAssw*rd9’ (first letter not capital, ‘0’ turned into an asterisk, and a ‘9’ added because it’s conveniently next to the asterisk key), the strength of this simple memorable word changes to drastically more secure than what you started off with.

I’ve explained this in the parts below, but I am just making the case here that keeping the word password as a password isn’t all that weak; it’s actually the combination that’s weak. In a similar way, you can keep words that are easy to recall by simply changing the combination of how those words are set. Always try to use three words as your password.

2. Don’t replace letters with numbers: You’re not any more secure by replacing the ‘e’ with a ‘3’, an ‘O’ with a ‘0’ or an ‘a’ with a ‘4’. When hackers attack, this is one of the first parameters they set as it allows an easy break when they’re racing against time. Instead, add the number randomly into the word, e.g. ‘baseball’ to ‘ba9eb8ll’, where cracking time goes from something around the 10-minute mark to 3 months. Similarly, ‘p12345R6’ is much stronger than ‘Pa55w0rd’, although it’s the same word with ‘1, 2, 3, 4, 5, 6’ introduced and ‘R’ made into a capital letter rather than the ‘D’.

3. Capitals: Yes, they’re good but try not separating or ending words with them. This is because these parameters are set by the hackers when they attack i.e. words beginning/ending with a capital letter. See example 2 above for password where we made R capital instead of ‘P’ or ‘D’.

4. Special Characters: If you’re using a character like “_” or a “*”, use it in the middle of the word rather than to separate the words. Imagine the censoring of a r*de word. This means avoiding adding it at the start or end as the word won’t be well censored if you would see it anyway. Again, this helps to not get fished out at the start of a hack. Now, imagine updating the password to ‘pA*sw0Rd’ on the principles above.

5. Complexity: The complexity doesn’t have to be “letsthinkofacrazylongword” to keep us safe. You could use simple word combinations that are memorable without being vulnerable by using the tricks above. This also saves you the time taken to reset your password because it was so hard you forgot it yourself an hour/day after setting it. I think we’ve all been there, right?

6. Prioritise Passwords: “Don’t keep the same password for everything” is obvious. What’s new is that you can actually prioritise the passwords you choose. This can be relatively easy by simply deciding how much information a platform holds about you and how valuable this information is to you. If there are pictures of you on a platform that can be used against you (Snapchat/Insta), that goes higher up on the priority list than an email account you don’t use very often. For low priority platforms use passwords that you wouldn’t mind resetting if you forgot them (which can take time). Equally, you won’t be at great risk if your information was stolen or acquired by someone who isn’t supposed to have it.

7. ‘Call a friend’ option: Just that in this case the friend is still you, but through a different screen that you own. This is known as two factor authentication and is a great way to put in another loop to make sure others are kept out. Not every platform offers it and it could potentially mean that you might end up locking yourself out. For instance, if my online bank uses a text message with a code that I need to enter on the platform, I could have changed/lost my phone number and not updated it for the bank. This means I have to go into the branch to prove my identity and provide new details. Another case could be Hotmail using Gmail to verify that it’s actually me IRL, but I might have forgotten my Gmail password too because it wasn’t my primary email. This will be quite difficult to correct because I can’t show up to Google HQ to prove it’s still my account.

8. Install that update: Yes, update your application or software. New patches/updates sometimes happen because they’ve found a weakness in the software, like the recent Whatsapp and Facetime bugs. Updates are rolled out to implement new software that gets rid of any backdoors that hackers can use to get in.

9. IRL: Yes, keep a note in the real world with your password(s). It’s like writing a diary so similar rules apply. Ideally, don’t give it the heading of ‘these are my passwords, keep out’, don’t stick them next to the device and don’t indicate which platform those passwords are for. It could be as simple as what appears to be a shopping list under your spice jars.

Resetting passwords is annoying but you’re better off doing it now than later.
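As an added example (not code from the post or from the NCSC resources it mentions), here is a defender's-side check that applies points 1 to 4 above: it undoes the cheap transformations a dictionary-based guesser tries first (case, letter-for-digit substitutions, digits or symbols bolted onto either end) and rejects a password that collapses back to a common word. The substitution table and the wordlist are constructed assumptions; a real deployment would load a published breached-password list.

```python
"""Dictionary-variant password check (added example, not the post's code).

A password that is a common wordlist entry once the usual "mangling" is
undone is treated as weak, because those transformations are the first
things a dictionary-based guessing tool applies. This is a coverage
check against that dictionary, not an entropy estimate.
"""
import re

# Substitutions most commonly undone by guessing tools.
# Assumption: a representative subset, not an exhaustive table.
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l",
})

# Constructed sample wordlist; stands in for a breached-password list.
COMMON_WORDS = {"password", "baseball", "football", "letmein", "qwerty",
                "monkey", "dragon", "welcome", "sunshine"}

# Digits or symbols at the very start or very end of the password.
EDGE = re.compile(r"^[^A-Za-z]+|[^A-Za-z]+$")


def variants(password: str) -> set:
    """Candidate base words a guesser would derive from the password:
    lower-cased, with substitutions undone, and with edge characters
    stripped. Stripping is tried both before and after substitution,
    because an edge character may itself be a substitution ('5ecret')."""
    lower = password.lower()
    stripped = EDGE.sub("", lower)
    return {
        lower.translate(LEET),
        stripped.translate(LEET),
        EDGE.sub("", lower.translate(LEET)),
    }


def check_password(password: str, wordlist=COMMON_WORDS):
    """Return (accepted, reasons). An empty reasons list means accepted."""
    reasons = []
    hits = variants(password) & set(wordlist)
    if hits:  # point 1 and point 2 of the post
        reasons.append(f"reduces to the common word '{sorted(hits)[0]}' once "
                       "case, substitutions and edge characters are undone")
    # Point 3: a capital only at the start or end of the word is the first
    # capitalisation rule a guesser applies.
    caps = [i for i, ch in enumerate(password) if ch.isupper()]
    if caps and set(caps) <= {0, len(password) - 1}:
        reasons.append("capital letters only at the start or end")
    # Point 4: symbols or digits at the edges are stripped before lookup,
    # so a plain word with them bolted on gains little.
    core = EDGE.sub("", password)
    if core != password and core.isalpha():
        reasons.append("digits or symbols only at the start or end of a plain word")
    if len(password) < 8:  # the baseline minimum the post mentions
        reasons.append("shorter than 8 characters")
    return (not reasons, reasons)


if __name__ == "__main__":
    # The post's own examples, plus two constructed weak ones.
    for candidate in ["Pa55w0rd", "pAssw*rd9", "ba9eb8ll", "p12345R6",
                      "pA*sw0Rd", "Baseball1!", "Monkey"]:
        accepted, why = check_password(candidate)
        print(f"{candidate:12} {'ok' if accepted else 'weak'} {'; '.join(why)}")
```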

—originally posted at https://neeshekhan.wordpress.com/