Archived Announcements
This page was updated on 13 October 2017.
- 18 Oct: ISACA Auckland Chapter Cybersecurity Day, from 8.30am. Registration required.
- 12 Oct: NZISF Breakfast meeting, registration required. Speaker: Mike Pence, Managing Director and Principal Digital Forensic Consultant, DeCipher Ltd. Topic: "Are you ready for the execution of a Search Warrant, Search Order or eDiscovery Order on you or your organisation? (Just ask Paul Manafort?)". Abstract:
- Computer Forensics came of age in NZ in the late 1990s. As the technology has changed and the Law has tried to keep pace, tools, techniques and standards have developed. A number of Government departments have upskilled in this area and continue to develop.
eDiscovery came along as a junior partner in these developments but has grown considerably in costs and complexity. Major organisations are now taking proactive steps to limit their exposure in relation to Computer Forensics and eDiscovery events.
How will the tools and techniques progress in the future to meet these challenges, and what laws does society want (or will have forced on them?) from governments to balance law/order and privacy in an ever connected and social media world?
- The Race to Secure Voting Tech Gets an Urgent Jumpstart, Wired, 10 Oct 2017. "... [at] DefCon's Voting Village, hundreds of hackers got to physically interact with -- and compromise -- actual US voting machines for the first time ever at the conference in July. Work over three days at the Village underscored the fundamental vulnerability of the devices, and raised questions about important issues, like the trustworthiness of hardware parts manufactured in other countries, including China... the report highlights the dire urgency of securing US voting systems before the 2018 midterm elections."
- Stanford Cyber Initiative tackles pressing issues in cybersecurity, governance and the future of work, 26 Sept 2017. "... Why is it important to work across disciplines when addressing cyber concerns? [Prof Dan] Boneh: It brings together researchers who normally do not interact much. Every project that we fund crosses school boundaries. It brings faculty in the humanities to work with faculty in engineering, and that is not something that happens very often. You cannot do policy without understanding technology and effective technology needs to understand the policy implications..."
- `We've Been Breached': Inside the Equifax Hack, The Wall Street Journal online, 18 Sept 2017. "On March 8, researchers at Cisco Systems Inc. reported an online security flaw that allowed hackers to break into servers around the internet. Cisco urged users to upgrade their systems immediately with a newly issued fix... On Sept. 7, Equifax said it had discovered the data breach July 29. There are signs that the problem took root long before then... `There's an old saying that there's those companies that have been breached and know it, and those companies that have been breached and don't know it.'"
- US FDA Safety Communication: "On August 23, 2017, the FDA approved a firmware update ... intended as a recall... to reduce the risk of patient harm due to potential exploitation of cybersecurity vulnerabilities for certain Abbott (formerly St. Jude Medical) pacemakers."
- Press release from CORDIS, 2017-09-12: "The EU-funded AMBER (Enhanced Mobile Biometrics) project has ... shown it can identify gender by breaking down gestures and analysing the way in which users swipe screens using multiple datasets... The results of this exploratory analysis have confirmed the possibility of sex prediction from the swipe gesture data, obtaining an encouraging 78% accuracy rate using swipe gesture data from two different directions."
- Siri and Alexa can be turned against you by ultrasound whispers, Daily News, 7 Sept 2017. "...Voice assistants have been successfully hijacked using sounds above the range of human hearing. Once in, hackers were able to make phone calls, post on social media and disconnect wireless services, among other things. Assistants falling for the ploy included Amazon Alexa, Apple's Siri, Google Now, Samsung S Voice, Microsoft Cortana and Huawei HiVoice, as well as some voice control systems used in cars..." Preprint of CCS'17 article.
- A Brittle and Fragile Future, Vint Cerf, C.ACM 60:7, July 2017, "... Consider systems that use passwords and two-factor authentication to identify users. It is often advised to have alternative means for authentication: a mobile device, a distinct email account, a phone number, or an alternative means of identification. These kinds of interdependencies can lead to cascade failures where loss of access to one system initiates failures in others until a complex of authentication failures render a user unable to use any of them... The designers of devices that populate the Internet of Things have an ethical responsibility to be attentive to the hazards their interactions may create..."
- BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain, by Gu et al, arXiv 1708.06733v1. Reviewed in NextGov, 25 August 2017. Abstract: ... "we show that outsourced training introduces new security risks: an adversary can create a maliciously trained network (a backdoored neural network, or a BadNet) that has state-of-the-art performance on the user's training and validation samples, but behaves badly on specific attacker-chosen inputs... [we created] a U.S. street sign classifier that identifies stop signs as speed limits when a special sticker is added to the stop sign; we then show in addition that the backdoor in our US street sign detector can persist even if the network is later retrained for another task and cause a drop in accuracy of 25% on average when the backdoor trigger is present. These results demonstrate that backdoors in neural networks are both powerful and -- because the behavior of neural networks is difficult to explicate -- stealthy."
- "Shattered Trust: When Replacement Smartphone Components Attack", Shwartz et al., 2017 USENIX Workshop on Offensive Technologies. "Phone touchscreens, and other similar hardware components such as orientation sensors, wireless charging controllers, and NFC readers, are often produced by third-party manufacturers and not by the phone vendors themselves... the component driver's source code implicitly assumes that the component hardware is authentic and trustworthy... In this paper, we call this trust into question... building blocks toward a full attack: a series of touch injection attacks that allow the touchscreen to impersonate the user and exfiltrate data, and a buffer overflow attack that lets the attacker execute privileged operations."
- Right to privacy not just for privileged few, it's a part of what makes us human, Hindustan Times, 25 August 2017. "In a verdict that will surely count as one of the most important for human rights in recent times, the Supreme Court of India has resoundingly and in a unanimous 9-0 judgment, held the right to privacy to indeed be a fundamental right protected by the Constitution of India... The government argued against the right to privacy by countering that companies like Facebook and Google collect your data. The judgment rightfully holds that this doesn't in any way diminish the need for privacy: it enhances it... women's bodily integrity (in the context of abortion) and citizens' sexual orientation are among those aspects of privacy that were recognised in this judgment..."
- Computer scientists use music to covertly track body movements, activity, UW News, 16 Aug 2017. "... researchers at the University of Washington have demonstrated how it is possible to transform a smart device into a surveillance tool that can collect information about the body position and movements of the user, as well as other people in the device's immediate vicinity. Their approach involves remotely hijacking smart devices to play music embedded with repeating pulses that track a person's position, body movements, and activities both in the vicinity of the device as well as through walls."
- Reserve Bank raises money-laundering questions over ATMs, NZ Herald, 13 Aug 2017. "The Reserve Bank has questioned New Zealand's banks over the use of smart ATMs and the level of cash deposits they allow in the wake of the money-laundering scandal surrounding Australia's Commonwealth Bank. Australian regulator Austrac alleges CBA failed to provide on-time reports of 53,506 cash transactions of A$10,000 or more, totalling A$625 million ($674.3m), that were made through the bank's new Intelligent Deposit Machines (IDMs) from November 2012 to September 2015. In Australia deposits of more than A$10,000 must be reported to Austrac as part of measures to prevent criminals laundering money through banks. CBA has blamed a coding error which occurred during a software update to its intelligent deposit machines or smart ATMs in 2012 for failing to pick up on the transactions. CBA said the fault was fixed within a month of it being discovered in 2015."
Note: when a system has a long-standing and critical security vulnerability, some of the people involved in its quality-assurance processes may be convicted of a crime. Their professional peers may consider their behaviour to be negligent, incompetent, competent, or following best practice in their profession.
- USB connections make snooping easy, press release from U Adelaide, 10 Aug 2017. "USB connections, the most common interface used globally to connect external devices to computers, are vulnerable to information `leakage', making them even less secure than has been thought, Australian research has shown. University of Adelaide researchers tested more than 50 different computers and external USB hubs and found that over 90% of them leaked information to an external USB device. The results are being presented at the USENIX Security Symposium in Vancouver, Canada next week... Dr Yarom says other research has shown that if USB sticks are dropped on the ground, 75% of them are picked up and plugged into a computer. But they could have been tampered with to send a message via Bluetooth or SMS to a computer anywhere in the world."
- `Anonymous' browsing data can be easily exposed, researchers reveal, The Guardian online, 1 August 2017. "A judge's porn preferences and the medication used by a German MP were among the personal data uncovered by two German researchers who acquired the `anonymous' browsing habits of more than three million German citizens. `What would you think,' asked Svea Eckert, `if somebody showed up at your door saying: "Hey, I have your complete browsing history - every day, every hour, every minute, every click you did on the web for the last month"? How would you think we got it: some shady hacker? No. It was much easier: you can just buy it.'"
- DEFCON Hackers Found Many Holes in Voting Machines and Poll Systems, IEEE Spectrum online, 3 Aug 2017: "E-voting machines and voter registration systems used widely in the United States and other countries' elections can readily be hacked -- in some cases with less than two hours' work. This conclusion emerged from a three-day-long hackathon at the Def Con security conference in Las Vegas last weekend. Some of those hacks could potentially leave no trace, undercutting the assurances of election officials and voting machine companies who claim that virtually unhackable election systems are in place. ... Harri Hursti, Hacking Village co-coordinator [says] `I hacked the same e-poll book system in 2007... The sad part here is in 10 years nothing really has happened, except that the [voting officials] have moved on,' he says. `And we have shown it over and over again that electronic voting is currently beyond our technical capabilities... if we keep auditability and secrecy and privacy of the ballot, then we cannot have electronic voting. That's a full stop.'"
- The bizarre arrest of WannaCry hero, NZ Herald, 9 Aug 2017: "... Hutchins, the feted WannaCry hero, was in Las Vegas to attend the Black Hat and DefCon security conferences when he was arrested by police. He's now in custody while bail surety is raised, and faces charges of writing and selling another piece of malware. This was a nasty bug called Kronos, which if users were tricked into running it, would try to steal their internet banking logins and credit card details. Hutchins has denied he wrote Kronos, but the stakes are high: if convicted, he's looking at decades behind bars..." See also What is the Kronos malware Marcus Hutchins is accused of creating?, Wired, 5 August 2017.
- "Sheriff James Underwood said the [twelve prisoners who escaped] ... took advantage of a new guard who was working in the control room, ... using peanut butter to obscure the number above the jail cell and then yelling at the unidentified guard to open the door to let them in the cell. 'They changed the number over the door with peanut butter,' he said. '(Then) they hollered, "Hey, open door" so-and-so, but (the number the inmates gave the worker) was the outside door. And unknowingly to him, he hit that lock and out the door they went,' Underwood said." Source: Susannah Cullinane and Joe Sutton, "Inmates use peanut butter to escape Alabama jail", CNN, version of "1032 GMT (1832 HKT) August 1, 2017". Retrieved 2017-08-01T21:03Z from http://edition.cnn.com/2017/07/31/us/alabama-inmate-escape/index.html. See also Norm Hardy, "The Confused Deputy (or why capabilities might have been invented)", ACM SIGOPS Operating Systems Review 22:4, 1988, pp. 36-38.
- InternetNZ has published a position paper on Encryption: ways forward that protect the Internet's potential. "We think there are options for increasing New Zealanders' security online and also addressing the concerns of law enforcement and national security agencies... We often hear about encryption being a privacy vs security debate. But we think that is a false dichotomy. Encryption is a security technology that protects privacy... `the issue is really about security versus security: encryption protects critical infrastructure, trade secrets, financial transactions, and personal communications and information. Yet encryption also limits law enforcement's ability to track criminals, collect evidence, prevent attacks, and ensure public safety.' [Going Dark, Going Forward: A Primer on the Encryption Debate, House Homeland Security Committee Majority Staff Report, USA, September 2016]"
- 14 Sep: NZISF Breakfast meeting, registration required. Speaker: Ofer Reshef, Manager - Digital Security & Risk in Fonterra's Global Information Services. Topic: "Cyber resilience in a disruptive world: managing security in Fonterra". Abstract:
- Resilience is the ability to withstand and recover from unexpected events. Cyber-security has its own share of unexpected events (think WannaCry or, if you're an old hand, SQL Slammer). As technology changes, the range of unexpected events increases: from Business Email Compromise (phishing to make money) and Mirai (DDoS attack by baby monitors & cameras) to weaponised emails (Wikileaks publishing email originating from Russian hacking during the U.S. presidential election). This talk will cover how basic security hygiene practices, strategic planning, and good business communication improve Fonterra's cyber resilience.
- 10 Aug: NZISF Breakfast meeting, registration required. Speaker: Matt Cotterell, Software Security Engineer at Fairfax Media. Topic: "You Shall Not Passw0rd1!". Abstract:
- Like them or not, passwords are an everyday part of our lives and we're going to be stuck with them for the foreseeable future. Many of the inherent problems with passwords continue to plague us, however, and a lot of the ignorance, ancient conventions and general misinformation about how they should be used still hasn't been resolved.
- In this one hour presentation, we explore what actually makes passwords secure, the patterns we humans use to make passwords, how attackers exploit this to their gain, and how we can defend against them. This talk is mainly aimed at application designers, developers and architects, but requires no prior experience and has content everyone can benefit from.