Information Review 12/13 Security ACADEMIC CENTRE OF Group EXCELLENCE – CYBER SECURITY RESEARCH LETTER FROM THE ISG DIRECTOR

Welcome to our annual review of activities of the Information Security Group at Royal Holloway, University of London.

It has been a very exciting year to be an academic research group in the area of cyber security since there have been many opportunities to embrace as part of the UK’s Cyber Security Budget filtered down to support academic research.

Perhaps most fundamentally, Royal Holloway was recognised as one of the first eight institutions to be awarded the status of Academic Centre of Excellence in Cyber Security Research (ACE-CSR). This award came about after careful scrutiny by an expert panel of our research activities, both in terms of depth, breadth and future plans. As the first institution in the UK to develop a dedicated research centre in this area we would have been horrified not to have achieved this award, yet it was still gratifying to have the quality of our research formally recognised.

There have also been several research calls dedicated to cyber security research from which we have successfully obtained significant research funding. The CySeCa project forms part of the Research Institute in Science of Cyber Security and you can read more about the project in this newsletter. We were also successful in bidding to host a Centre for Doctoral Training in Cyber Security Research. This £4M award will fund 30 PhD scholarships and represents an entirely new approach to PhD training, which we are extremely excited about. The newsletter contains further details, as well as a call for applications - if you know talented people seeking to develop a career in cyber security research then please draw their attention to this.

The past year has also seen the launch of Prof. Dusko Pavlovic’s Adaptive Security and Economics Laboratory (ASECOLab). As well as big ideas, ASECOLab also houses the most comfortable sofa in the ISG, so it is well worth learning more about their plans in order to get yourself an invitation to come and sit on it!

Elsewhere in the newsletter you can read about new security standards for cloud security, the launch of a new open access Coursera course on malicious software, meet some of our staff, and learn more about some of our highlights from last year. Don’t hesitate to get in touch if you want more details, wish to study with us, or seek to explore opportunities for working together.

Professor Keith Martin on the subject of his recent research on the (in) ACADEMIC CENTRES security of the DTLS protocol. Further meetings OF EXCELLENCE of the ACEs are expected at Imperial in June IN CYBER SECURITY and Royal Holloway in September. RESEARCH By Jason Crampton The ACE-CSR scheme will provide ongoing validation of the quality of an institution’s & Keith Martin research in cyber security, with re-evaluation expected every five years. As long as the > Prof. Jason Crampton is ISG Director government runs the ACE-CSR scheme, we of Research will make sure that Royal Holloway more than > Prof. Keith Martin is Director of the ISG meets the necessary qualifying criteria.

The quality of the Information Security Group’s research in cyber security was officially acknowledged by GCHQ and EPSRC when Royal Holloway was awarded the status of INDEX Academic Centre of Excellence in Cyber Security Research (ACE-CSR). We are one 03 ACADEMIC CENTRES OF EXCELLENCE of only eight higher education institutions in IN CYBER SECURITY RESEARCH the UK to receive such recognition in the first 04 CENTRE FOR DOCTORAL TRAINING round, although additional institutions will IN CYBER SECURITY receive accreditation this year. ACE-CSR 05 ROYAL HOLLOWAY LAUNCHES accreditation is based on several indicators RESEARCH THEME IN SECURITY of research strength and breadth, including AND SUSTAINABILITY research strategy, number of active researchers, 06 SUPPORTING STUDENTS AT A DISTANCE scope and quality of research work, health 07 ISG SMART CARD CENTRE EXPANDS of PhD graduate school, extent of research RESEARCH INTO TRANSPORT funding, and research environment. TICKETING SECURITY 08 ORGANIZATIONAL PROCESSES FOR Of course it was not a surprise that the SUPPORTING SUSTAINABLE SECURITY research activities of the ISG made the 09 UPSY-DAISY IN CYBER CRIME grade in this assessment exercise, but it 10 ARTISTS AND DESIGNERS is nonetheless pleasing to have this formally IN RESIDENCE recognised at a national level. We already 12 HOW THE OTHER HALF LIVES: regarded ourselves as a centre of SECURITY DESIGN INFORMED excellence – it’s just good to hear that BY FAMILIES SEPARATED BY PRISON some other folks agree! 13 STAFF PROFILE: GERHARD HANCKE 14 CHOICE OF SEVEN MSC’S FOR The real question is: does obtaining the THE PRICE OF ONE! ACE-CSR “badge” really make a difference? 15 MASSIVE OPEN ONLINE COURSE The jury is out over the long term, but for now ON MALICIOUS SOFTWARE it really does matter. One of the intentions 16 OUTSOURCING PERSONAL DATA behind the ACE-CSR scheme is to identify PROCESSING TO THE CLOUD research capability in cyber security in the UK, 19 CYBER SECURITY CLUB UPDATE thus allowing money and other resources to be 20 NEW CYBER SECURITY RESEARCH directed to those universities that have been LAB AT THE ISG able to demonstrate genuine expertise in this 22 VISITING PROFESSOR: ANDY CLARK area. We have already seen the benefits of this, 23 NEW MSC MODULE ON SECURE with a number of funding opportunities open BUSINESS ARCHITECTURES only to ACE-CSR institutions, including some 24 ALUMNI REUNION CONFERENCE 2012 / PhD studentships funded by GCHQ. We have 2500 ALUMNI CAN’T BE WRONG! also seen a closer working relationship forming 25 Q. CAN YOU CRACK THE ENIGMA CODE? between GCHQ and the ACE-CSR institutions, 26 SHORT NEWS BITES / RECENTLY which will be to the good of both parties. We COMPLETED PHD THESES expect ACE-CSR status to strengthen our links 27 CONFERENCES HOSTED BY THE ISG with industry and, crucially, help us to obtain insights into the critical cyber security problems facing modern businesses.

Another benefit of the ACE-CSR branding is the plans to encourage meetings with and collaborations between ACEs. The inaugural ACE-CSR conference, attended by several representatives of each ACE, was held at Cheltenham in November. We were delighted that Royal Holloway’s Nadhem Alfardan scooped the prize for best “elevator pitch” to a panel of government and industry judges

03 increase in cyber attacks against individuals, companies, and governments. McAfee is extremely excited to join forces with Royal Holloway in fostering a cohort of new security warriors whose job will be to protect the global computing ecosystem of tomorrow.”

Another unique aspect of CDT research training is that the projects funded through the CDT should be strategically chosen to cover the broad range of research areas related to cyber security. To assist with this strategic assignment of projects, the CDT has an advisory panel consisting of research leaders in both the UK and overseas. Prof. David Basin, Chair of Information Security at ETH Zurich is one of the panellists: “Cyber Security has become a central concern for governments and one year of courses in advance of their industry. This planned Centre represents a three-year research programme, and will remarkable opportunity for faculty, doctoral experience varied industrial placements students, and industry partners alike to during their studies. The intention is join forces and work on different aspects that PhD graduates have a well-rounded of this problem. I look forward to sharing education in cyber security, as well as experiences, having run a similar centre CENTRE FOR develop specialist skills in a research area here in Zurich for many years.” of practical relevance. DOCTORAL Prof. Keith Martin, Director of the ISG, is TRAINING IN As Alex Hulkes from the EPSRC explains, thrilled that Royal Holloway was successful CYBER SECURITY “The doctoral training that EPSRC funds in bidding to host a CDT in Cyber Security: should have the student at its heart. “Royal Holloway has operated a graduate CDTs are an excellent way of ensuring school in cyber security for many years and, We were delighted to learn that Royal this is the case as they provide students although we feel that this is an area where Holloway will host a new EPSRC Centre for with a stimulating environment and a we have an excellent track record, a CDT Doctoral Training (CDT) in Cyber Security broader training than is often found in more represents a significantly different approach Research. The ISG-led bid for a research traditional models of a PhD. When combined to research training and we are really looking training grant of just under £4M will create with excellent research this enhances forward to engaging with it. With this award funding for ten PhD scholarships in each graduates’ employability no matter what also comes a great responsibility to deliver of three annual intakes in 2013, 2014 and their final destination. In particular, the the PhD graduates in a manner that benefits 2015. Two CDT grants were awarded inherently collegiate experience which from the CDT cohort approach.” nationally, one to Royal Holloway and one comes from a CDT’s cohort approach is to Oxford University. The intention behind of great value in any future career, whether The Cyber Security CDT at Royal Holloway these awards is to boost the number of research-based or not, as it reflects the will be led by Dr Carlos Cid: “We are PhD graduates with skills relevant to the realities of the modern workplace.” obviously delighted that our bid to host one national need for cyber security expertise of the Centres for Doctoral Training in Cyber at all levels. James Quinault, Director of the One of the most exciting aspects of the Security was successful. One of the goals of Government’s Office of Cyber Security, said CDT award is that it integrates industrial the CDT is to contribute to the pool of UK- “I am very pleased that Royal Holloway’s engagement throughout the programme. based doctoral-level cyber security experts, strengths in this area have been deservedly The ISG is delighted to have the backing and we are aiming to recruit and train some recognised; we look forward to working with of around 30 organisations from across of the most promising students to work in them to build the numbers of UK graduates the cyber security sector, including IBM, this field. We are looking forward to working working at the cutting edge in this field.” McAfee, Thales, Vodafone, UK Payments, with our industrial and academic partners to TfL and Logica. Igor Muttik, Principal deliver training and research of the highest The ISG already has a healthy doctoral Research Architect of McAfee Labs, is one quality to the CDT students.” training programme, with around 40 PhD of the cyber security research experts researchers studying at any given period. that the CDT will be developing projects Royal Holloway’s CDT in Cyber Security is However, a CDT is “game-changing” in the alongside. He says: “We are at a point at recruiting now, so please pass on the word sense that each intake of new students is which the explosive growth of computer and encourage suitable candidates to get in regarded as a “cohort”. They will attend technologies has resulted in a worrying touch with us.

04 The Information Security Group manifestly ROYAL HOLLOWAY represents one of the most important areas of LAUNCHES RESEARCH security-related research that Royal Holloway THEME IN SECURITY undertakes, with an enviable reputation for AND SUSTAINABILITY research and teaching excellence and a track By Klaus Dodds record for engaging with academic and non- academic communities. I hope this research theme will act, in part, as a way of recognising > Prof. Klaus Dodds is Professor the achievements of colleagues in ISG. Indeed of Geopolitics and Research without the ISG, alongside other pockets of Theme Champion: Security excellence in security and sustainability-based and Sustainability research across the faculties, we would not have been able to creditably launch such a theme in the first place. In February 2013, Royal Holloway launched five new research themes, one of which was Looking forward, I want to do a number “security and sustainability”. As a Professor of things as research theme champion. First, of Geopolitics, I was appointed the “champion” I want to better understand the full range of for this research theme and part of my mandate research that we undertake at Royal Holloway. over the next three years is to encourage In part this enables me not only to learn about inter-disciplinary and inter-faculty research particular areas of interest but also better judge initiatives building on existing and potentially where we might take advantage of inter- new areas of research strength. The idea of the disciplinary research calls and networking research themes is to provide a strategic focus opportunities. I would like, where appropriate, for Royal Holloway and to act as a catalyst to help bring research teams together to for future activity. Moreover, we hope that the address these opportunities. Second, I hope research themes not only guide and support this theme will encourage more interaction colleagues throughout the different faculties between security and sustainability-based and departments of Royal Holloway, but also researchers. For example, in the field of infor- help to further promote our work within the mation security I could well imagine that a great academy and beyond. deal of the research, say on security services, has to confront issues pertaining to logistical, financial, and political sustainability. And for researchers concerned with sustainability, questions regarding security are never far removed. How we make our lives more sustainable will in part depend on how we make judgements regarding what needs to be securitised or not. Third, with the launch of cross-theme funded PhD studentships, we have an opportunity to sustain a community of new researchers who will have supervisors drawn from two academic departments. The ISG is well placed to renew and establish new contacts with colleagues throughout the university.

As an example of the kinds of initiative that I want to seed, I recently had the pleasure of working with colleagues in Biological Sciences, Criminology and Geography on a project relating to social media usage and the British armed forces. In a nutshell the team were examining how the Ministry of Defence will need to review its social media policies in the light of changing technologies and user habits. They pitched the proposal to an ESRC/DSTL competition on Science and Security and have recently heard that they have been successful. I look forward to working with ISG colleagues to cultivate interdisciplinary projects of this type and would be delighted to hear from any potential partners who would like to get involved.

05 SUPPORTING ///////////////////////////////////////////////////////// Do you ever get opportunities to meet STUDENTS AT the students? A DISTANCE Yes, we run a weekend conference for past and present students, and I enjoy meeting Distance learning provides students with everyone at this event. It’s nice to meet the a unique opportunity to study our MSc in new cohort of students and catch up with Information Security at their own pace continuing students, as well as past and place. It is particularly important for graduates. We also welcome students to students studying remotely that they have visit if they are in the area, and I appreciate a friendly, reliable and supportive response it when they do take the time to come to the to any queries that they have regarding the campus and say “Hi”. In addition we now operational aspects of the programme. use Skype to communicate with students We spoke to Claire Hudson, who is the and, although I’m not physically meeting Distance Learning Programme Administrator them, it helps to put a face to a name when about what it is like being at the “other end” they call. It does often feel as if they have of student support. just popped by the office and that I have just met them in person. ///////////////////////////////////////////////////////// How would you describe your role ///////////////////////////////////////////////////////// in supporting the distance learning What’s the most bizarre thing you have had programme? to do as part of your job?

My primary role is to support the students For the past couple of years, I’ve been and staff on the distance learning asked to draw on my non-existent acting programme. I am responsible for all aspects skills and participate in a social engineering of administration, ranging from initial demonstration as part of the Cyber Crime registration queries from new students module. This short “production” presents through to assisting with exam preparation a variety of scenarios in which users and graduation arrangements for students are manipulated into divulging personal who have successfully completed. I have information over the telephone. Fraudsters to work closely with module leaders based use several angles to convince the users at Royal Holloway, as well as staff from all to give them their information, leaving the departments across the University of London victim unaware that they have been tricked. to deliver effective and professional support This demonstration forms a small part of the for the smooth running of all teaching and lecture, but is in front of a lecture hall full examination processes within the distance of students, so initially I was quite nervous. learning programme. Over the years I have grown to enjoy the experience, and am even looking at ways ///////////////////////////////////////////////////////// in which I can develop and improve my What do you enjoy most about working character and performance! on the distance learning programme? ///////////////////////////////////////////////////////// I have most enjoyed becoming part of the If you could be anywhere other than here, ISG team and getting to know the students answering these intrusive questions, where and academics. It’s particularly satisfying if would it be and what would you be doing? I have been involved with a student’s initial application, and then see them join the I would love to return to Avenches, which programme and really embrace the course is a small village just outside Bern, through the distance learning mode of study. Switzerland. Ideally, I would enjoy a couple I have also enjoyed the range of tasks that of hours of horseback riding around the I have become involved in since these vary picturesque mountains, and would then finish depending on where we are within the the day with friends and family enjoying a academic year. good bottle of red wine.

06 with the huge support for the Open Day) that as once thought. Significantly, the system has SCC research and student projects continue changed from pre-pay to post-pay and the to be relevant and of interest to both public back office has to work harder to ensure correct and private organisations. The extra funding payments are charged and received, and that will enable us to expand our research in suspicious cards are blocked from the transport transport ticketing security in a direction that system. From a technical perspective one might promises real/practical impact to systems imagine that the terminals will become simpler in the UK and overseas. without the need to store secret keys, however the reality is that they are more complex. The If you have never given much thought to reason is that for some years the legacy Oyster modern transport ticketing security then now cards will need to be supported as well as the is a good time to turn your attention to it, EMV cards, and commuters into London will especially as there is now funding to support eventually also have ITSO standardised cards. a couple of PhD students. Advanced transport ITSO cards are intended for high value national ticketing systems involve almost all the security travel in the UK and are based on the traditional topics that an alumnus of the Royal Holloway wallet and stored travel credential approach. MSc in Information Security would recognise from their studies: smart cards, algorithms, If we bring mobile phones into the equation keys, protocols, PKI, HSMs, mobile phones, then we have a lot more issues to investigate. back offices, applications, sensitive data, Near Field Communication (NFC) enabled e-payments, databases, IT/Web security, phones can be used to emulate transport access control, payment scheme interfaces, tickets and payment cards, or indeed the forensics and so on. The financial value of terminal devices. There have been numerous transport ticketing also provides a great proof-of-concept trials of NFC ticket emulation, incentive for attackers to target transport including one in London some years ago. ticketing security and attempt physical However, due to the slow rollout of compatible tampering, side-channel and fault attacks, devices, the many different security options, as well as the human aspects of fraud/ and competing rather than collaborating ISG SMART CARD criminality. This provides a very broad and industry parties, a mass-market fit-for-use CENTRE EXPANDS interesting playing field for research, which solution is still some way off. The solution RESEARCH INTO will only get more intriguing as we see more also needs to be desirable, keeping in mind TRANSPORT regional and national smart card tickets, as that a user with an EMV contactless payment well as options to pay via EMV “touch and pay” card or an Oyster card with auto-top-up can TICKETING SECURITY cards and mobile phone wallets. already travel around London without the By Keith Mayes need to go anywhere near a ticket office It is worth pointing out some of the recent or top-up machine. > Prof. Keith Mayes is Director of the game-changing developments, as well as the ISG Smart Card Centre diversity in national and international solutions. We are starting to see phones that offer Most legacy chip-card transport ticketing EMV contactless emulation, albeit as a tight systems have an electronic wallet containing co-operation between individual mobile network The year 2012 was momentous for the ISG travel credit; when a traveller uses the card operators, banks and a limited set of handsets. Smart Card Centre (SCC) as we reached our at a terminal or gate, some of the credit is These phones might eventually be used for tenth anniversary. This was celebrated at exchanged for ticket/travel permission. travel in London, however there are few of them, the SCC Open Day Exhibition on the 11th This requires the terminal to be able to and banks are deploying bridging technology in September 2012, which was sponsored by support the cryptographic protocol for card the form of EMV “stickers” that you can attach Orange Labs, The UK Cards Association, communication as well as the business and to any phone. Technically this is not exciting, Transport for London (TfL), ITSO, Collis, fare rules to buy tickets and manage wallet since it is similar to sticking your existing bank Comprion, Cubic and Visa. A record 15 contents. This all has to be conducted at card onto your phone, however it may help to organisations and 20 MSc/Phd students great speed (to avoid user inconvenience change user behaviour and encourage the use exhibited and the day concluded with a very and station congestion) and card transactions of the phone as a touch-and-pay device. interesting guest lecture from John Walker typically complete in a few hundred (SiVenture/Cisco) on physical attacks against milliseconds, which rules out an online, If we consider the international situation, hardware security. As befitted a birthday real-time response from a back office system. there is sadly not too much harmonisation celebration, there were balloons and a rather The offline operation normally uses symmetric and compatibility of strategy or solutions. splendid cake with an icing QR code linking key cryptography and thus introduces a key For example, in Scandinavia there are un- to the SCC website! However, the most management and protection responsibility for gated smart card ticketing systems and some exciting part of the birthday was the gift the terminal devices. practical smart phone (non-NFC) tickets for supplied by TfL. national travel. Furthermore, in Germany you However, all this is being radically challenged can find a system where a smart phone is used Anyone who has followed the history of the in London as it is now possible to take a bus as a terminal/reader emulator and the cards/ SCC will know that it has been active in the ride (and eventually a train ride) using your tags are fixed at stations. The EMV payment area of transport ticketing security and systems, contactless EMV payment card, even though card (and phone emulation) is currently the most and that TfL (and also ITSO) have been staunch it has no transport wallet and uses asymmetric likely route to an international roaming solution, supporters over many years in their roles as cryptography in the card-to-terminal protocol. however its payment limits currently restrict it to Associate Members. The TfL birthday gift was A journey is then no longer really a sequence low value local fares. an agreement to increase its membership of wallet transactions, but rather a collection / contribution to the highest level and commit of fixed location authentications that are later I hope this short overview of one of our current this for a minimum period of three years. resolved into a journey and payment by the research areas will excite interest. If you are This was a fantastic endorsement of the back office. The speed of authentication is interested in research in this area then please SCC and its activities, and shows (along still a challenge, although not so problematic get in touch.

07 consider that the user could be under duress, potentially resulting in an insider attack either against the user’s own interests or against the interests of the benefit system. Designing security processes for this setting is not straightforward because, as benefits are time-critical, any security procedure that denies or delays benefits to eligible applicants will entail a cost that has to be borne by society. My research is based around the fact that there seems to be a current lack of understanding of how security policies can be tailored to address users potentially operating under duress. In this setting it is clear that the security policies need to be carefully chosen in order to minimize total cost to society, while ensuring maximum impact of the resources. During the subsequent discussion in Dagstuhl I received many valuable pointers from the audience, for which I am very grateful.

One case described a university research group To emphasize the workshop character of this ORGANIZATIONAL which decided to move from a share-all access Dagstuhl seminar, participants were also asked PROCESSES FOR control policy to a more restrictive setting. to break into small groups and try to design SUPPORTING The problem arose when one of the research organizational processes for security problems SUSTAINABLE group members decided to copy all of the described in the provocations. In a second documents to their hard drive before the new breakout session we then tried to design SECURITY policy was put in place. This showed how interventions to realize those organizational By Alf Zugenmaier tightening of security procedures can lead to processes. When the results of these breakout unanticipated problems, including a sudden sessions were discussed in front of the whole > Prof. Alf Zugenmaier is a Professor build-up of distrust between team members. group, some time was spent addressing poten- in Informatics and Mathematics at A second case described security issues of tial solutions to the individual cases. However, Munich University of Applied Sciences information systems in health care and, more it became clear that we are still missing an (currently visiting the ISG) worryingly, security issues with information arsenal of methods to tackle these problems technology in health products. A third case more generally. presented an information security challenge The journey from Royal Holloway to Dagstuhl with genuine life-and-death consequences: While many of us would love to have remained seemed to take us further and further away the dilemma social media poses to the military. at Dagstuhl and attempted to solve some of from civilization. It started with a flight to As much as the military supports use of social these fascinating research problems, sadly the Frankfurt subject to severe delays due to media in order for soldiers to feel connected taxis arrived to take us back to the train station, adverse weather, then a train, and finally to home, there is a danger of soldiers from which we returned home to less secluded a taxi through a winter fairyland of snow. unwittingly putting out seemingly benign places and their many day-to-day distractions. Schloss Dagstuhl is so secluded that it is information that might compromise operational My takeaway from these three days of intensive hard to believe that this spectacular castle security. Interestingly, despite the supposedly discussions in Dagstuhl, often continuing late is one of the most eminent places in computer “complete” control of the military over their into the night, is that while the problem space science research. There must be something soldiers, this problem defies an easy solution. itself is reasonably well understood, what is special about this place that inspires computer The discussions following up on these missing are generally applicable scientific scientists to make such long and complex provocations got our minds set towards methods to arrive at, and to evaluate, potential journeys in order to reach it... security problems faced by organisations, organizational processes for supporting sus- many of which go beyond technology. tainable security. At Dagstuhl, the German Leibniz organization runs a famous conference centre, where Following the provocations, much of the For those of you wishing more information, world renowned experts in computer science workshop was dedicated to a series of the organizers intend to produce a paper meet for dedicated seminar series in order presentations and discussions on issues summarizing the outcome from the seminar. to advance the state of research. Lizzie such as modelling frameworks, technical Look out for further news about an Coles-Kemp from Royal Holloway was one tools and research methods that can be used interdisciplinary workshop and a possible of the organizers of a Dagstuhl seminar on to tackle the organizational aspects of security special journal issue in order to document organizational processes for supporting policy lifecycle. These dealt with all aspects future progress. sustainable security. She invited approximately of socio-technical views of security, from policy 35 researchers and practitioners, set the setting through to verification, enforcement, agenda, and started us off on our discussions. and compliance.

First, a set of short “provocations” framed My own presentation was based around the problem space to be discussed. a research project that I am conducting during The provocations dealt with how security my visit to Royal Holloway which deals with is handled in different organisations. the importance of user authentication in the “Provocateurs” described the day-to-day UK’s new universal credit benefit system. problems they were facing with organizational The problem with user authentication in this security in their business environments. setting is that the users’ environment is not The cases were diverse. closely controlled. All security processes thus

08 of Cyber Crime. The answer is probably not. known as ‘hacktivists’. A recent survey by CYBER CRIME Firstly the figures recorded by police have Verizon estimates that at least 50% of hacking always been a marginal record of this type attacks in 2012 were by these groups. More of criminality. Unlike other crimes, such as opportunity, higher rewards, and, with the ad- murder, there is no mandatory statutory vancement of botnets, greater anonymity, have 100 requirement to report them to the police all contributed towards the creation of a cyber or to any other authorities. Secondly, insofar criminal’s paradise. as computer hacking is concerned, the victim UP DOWN does not always realise that they are just And that is not all. Internet scams together that - a victim. Detecting intrusion into one’s with card fraud are at unprecedented levels. system or detecting Trojans or spyware is really The Banks and Law Enforcement now admit a game for those who invest in up-to-date that a ‘no man’s land’ has emerged in which versions of the latest detection software; organised crime commit low-value frauds something usually far outside the means that generally go unrecorded, will never be 0 100 of individuals. Computer hacking is a strange investigated and are not even reported as crime; it is usually committed from a crimes. Law enforcement have identified at geographically (but not electronically) vast least 1,000 crime gangs in 25 countries distance. The tools of the hacker are stealth, dedicated to committing cyber-fraud with secrecy and anonymity. Only when they are at least 300 of those specialising in attacks caught does the true enormity and breadth targeted at Britain. Corroboration of this of the crimes appear. In 1991, some 22 years comes in the reports from The National Fraud ago, following the arrest of a three-member Intelligence Bureau of 431,000 victims in 2012, hacker group, an examination of their stored a 9% increase on preceding years, with losses data revealed in excess of 10,000 successful estimated at £185 million. Some cyber intrusions into commercial systems – almost criminals are having a really profitable time. equivalent to the entire police figures for 2012. Their methods go across the cyber crime And that was just three hackers two decades spectrum; Trojans to collect passwords, identity ago, when commercial use of the Internet was fraud from illegally accessed documentation, much lower than today. Then we look at the social engineering and phishing scams are the recent surveys. The 2012 DTI and PWC main weapons in the armoury. Information Security breaches Survey showed UPSY-DAISY IN historically high figures for intrusions into Worse still, they are attacking a divided society; CYBER CRIME systems. Conducted on a (relatively small) not necessarily divided by wealth, class, By John Austen survey of just 1,000 organisations, 93% of the nationality or racial stereotypes, but a society larger ones reported a successful breach and divided in terms of technical knowledge and > John Austen is Director of QCC InfoSec intrusion into their systems. If that is the case security awareness. Everybody uses email; Training Ltd. and Consultant to the ISG for just that catchment, one wonders what the everybody activates personal financial true UK-wide figures would show. transactions in one form or another; and most use Facebook or other social networks – The figures for computer misuse offences Whilst statistics are invariably open to a mine of information for the unscrupulous. (CMAs) within Greater London (known as interpretation, there is a yawning gap in our Unfortunately few actually understand how the Metropolitan Police Area) were 12,817 in knowledge of the true extent of cyber crime. the technology works and the dangers that lie the year ending November 2012. This, a slight Recent comments from the Foreign Secretary within it. This is a prime methodology of the rise from the preceding year, was proportionally on the threats of cyber crime to the U.K. cyber criminal, to attack the line of least represented in the other 42 Police areas National Critical Infrastructure and the resistance and target the most vulnerable. in England and Wales, the eight in Scotland substantial government monetary investment and the one in Northern Ireland. Within London, into combating it tell their own story. Perhaps we really are ‘In the Night Garden’. 997 people were charged and 342 cautioned The notion that cyber crime is a periphery with these offences. This was a drop in cases crime, demanding few investigative resources from 2010 and 2011. Perhaps even more (as indicated by the police figures) is a peculiar is the decline in the (police-recorded) flawed prognosis. Internet fraud and forgery offences from 2,519 to 2,240 and overall the non-CMA offences So why is there an acceleration in cyber crime? involving the Internet saw a decline from 3,096 Obvious reasons include the proliferation of to 2,686. So the question is: is Cyber Crime opportunity, targets, motivation, anonymity on the up or on the down? Let us look at some and the chances of success. In using an of the arguments and make sense of the analogy: car theft was hardly a burning issue police figures. in the 1950’s; fewer cars, fewer drivers and fewer trunk roads meant fewer car thieves. CMA offences fall into the categories of unau- As an equivalent, in 1981 the ARPANET thorised access (otherwise known as computer (forerunner to the Internet) expanded to a hacking), unauthorised impairment to the 213-node network with, naturally, no incidents operation of a computer (usually by some type to speak of. Today the Internet, expanding of malware) and the supply or obtaining of tools at breakneck speed, already connects more or articles in order to commit these offences. devices than there are people on Earth, Fraud and forgery relate directly to those cyber even though just 2.4 of the world’s 7 billion crimes that directly relate to financial gain. population are online. This vast communication system has provided a platform for a A closer look at the figures begs the question subdivision of cyber criminals, namely the as to whether or not this is a true reflection politically motivated hackers - otherwise

09 “ I like the density of her sketchnote work ARTISTS AND and her use of the cloud separator for DESIGNERS IN elements of information.” RESIDENCE My sketchnoting is now making a regular appearance at ISG events including our The end of the social research project weekly seminars and it complements a Visualisation and Other Methods of number of my other visualisation practices, Expression (VOME) marked the beginning including the use of rich pictures in of a new phase in the ISG’s social and organisational and community research. organizational research programme, building Lizzie’s a keen supporter and comments and extending the knowledge learned during VOME Lizzie Coles-Kemp has now started “ Sketchnotes make a great tool for two new funded projects: TREsPASS, an breaking down barriers between EU funded project on quantitative risk disciplines and communicating assessment, and CySeCa, an EPSRC/GCHQ security-related concepts between funded project on decision support for academic and non-academic control selection. communities.”

Both projects see Lizzie leading research (http://sketchnotearmy.com/blog/2013/ teams that use visual research methods 1/30/hewlett-packard-23rd-colloquium and develop innovative ways of exploring -on-information-security-sket.html ) and communicating the cyber landscape. Two new researchers have joined the ISG Examples of my sketchnotes can be staff in order to extend our expertise in this found at: http://www.flickr.com/photos/ area. Claude Heath is a visual art practitioner makaylalewis/sets/72157633090981769/ and researcher, and Makayla Lewis is a user experience researcher interested in accessibility design and creative research approaches. Here is how they describe themselves and their role in the ISG:

//////////////////////////////////////////////////////// Makayla Lewis:

I have a passion for inductive Human Computer Interaction research. I completed a PhD in Human-Computer Interaction (HCI) at City University London’s Centre for HCI Design in 2012, where I was funded by EPRSC to research online social network experiences and challenges, specifically change management, from a perspective of end users with motor impairments, especially cerebral palsy. Not only do I believe that the web should be accessible for all, it should also be secure for all. I was drawn to the CySeCa project because I’m not only passionate about user-centered research, but also about alternative ways to display this information using data- driven visualisations. I shall be using my user-centered design skills to draw out an understanding of how people influence the management of their data and how they use social networks to extend and maintain this influence. With this understanding we hope to map the organization in different ways and combine this view with a view of technical controls to better support the security management decision making in the cyber era.

I am a live “sketchnote” practitioner and have been producing and publishing sketchnotes about topics related to cyber security since I joined the ISG. My sketchnotes from the Hewlett Packard Colloquium were recently reviewed by Sketchnote Army who commented:

10 //////////////////////////////////////////////////////// nations into his office to dwell upon the Claude Heath: beautiful cobalt ground of Claude Heath’s ‘Ben Nevis on Blue’, all dots and doodles For me, the exciting prospect of joining the and just shy of figuration. Which was ISG at Royal Holloway is becoming part of extremely helpful during some particularly a large team working on a difficult subject, heated negotiations on Iran, where the that of security visualisation. The TREsPASS painting was used as a kind of soothing project, one arm of which is based at Royal time-out for eyes and mind. ‘Agreement,’ Holloway, aims to break new ground in the according to Sawers, ‘was reached an field of security visualisation and threat hour later.’ navigation. My background is in visual art practice, specialising in drawing, while my Works can be seen at: first degree was in philosophy at King’s www.claudeheath.com College, London.

We are hoping that we can find some small way to inject fresh questions into the arena. Working with the 17 EU-based partners of the TREsPASS project, and engaging wherever possible with ISG members who work on these questions, the hope is that we can develop visual research techniques to help us on our way.

I come to Royal Holloway from Queen Mary, University of London, where I was based in the Cognitive Science Group in the Department of Electronic Engineering and Computer Science (EECS). This group specialises in the study of human interaction, and I have been looking at how drawing has been used in the social sciences, both as a means of recording and of discovery.

When looking at ethnographic data, my aim was to test out drawing strategies that add something to our understandings of shared space in human interaction. This data contained complicated and layered spatial interactions between collaborating architects, where establishing agreed meaning is crucial to their job, and shared space is an important means of achieving this.

It has never been my goal as an artist, or researcher, to make merely aesthetically pleasing pictures, so it was a pleasant surprise to hear Lizzie say about her research group: “we don’t want to make pretty pictures.” Nevertheless, I have found that if a visual idea comes about with a mix of rigour and free experimentation, people will sometimes use aesthetic words in connection with it.

Experience has taught me that an art practice can lead in any direction, almost by definition I believe. Also, one can never be quite sure where pictures will end up, or the uses they will be put to once they leave the studio. For example, I can quote a review of my work by Laura Cumming in The Observer, (‘The Government Art Collection: At Work’, Whitechapel Art Gallery, London 2011, touring 2012):

Sir John Sawers, currently head of MI6, previously at the UN, used to invite hostile

11 Perhaps the same is true for people who do not HOW THE OTHER use security services and technologies; perhaps HALF LIVES: SECURITY some simply do not see themselves as security DESIGN INFORMED BY technology users? FAMILIES SEPARATED It was an extraordinary project to work on and BY PRISON I am extremely grateful to the Arts & Humanities By Lizzie Coles-Kemp Research Council for the funding. The story of families separated by prison is a powerful, > Dr Lizzie Coles-Kemp is a Senior moving and often humbling story. It’s a Lecturer in the ISG community of families that is often invisible to society. As researchers we felt that we were lifting off a curtain to reveal a diverse and In 2012 I was lucky enough to lead a team resilient community that often feels cut-off of artists who specialise in using participatory and isolated in its struggles. We used our skills engagement methods to unearth the collective to explore how it feels to be a family separated narratives of a community. As a group, we use by prison and, with two participant groups, these collective narratives to explore how these we created collage, film and puzzles to communities might be served or supported. better understand why aspects of support The aim of this Arts & Humanities Research feel inaccessible to some and to envision Council funded Connected Communities how this might be changed. We hope that scoping study was to work with the the creative outputs that this funding made community of families separated by prison possible will help families to feel that their using a participatory engagement process in voices are a little more audible. order to identify why some families do not en- gage with the support offered, and to envision All illustrations and collage design from how support might be re-designed to encour- this project are by Alice Angus, Proboscis. age wider engagement by more families. Further details on this project and links to the outputs can be found at: The hardships that these families experience http://proboscis.org.uk/tag/hidden-families/ are many and varied. As the quotes (below) illustrate, families in this community often have to manage both the practical and emotional aspects of a family member being imprisoned.

Quotes from Telling the Children by Action for Prisoners’ Families:

“I try to deal with things myself- I don’t like going in and burdening him. I tell him things when the time is right. I don’t talk about money. I do have problems with debt but I try to hide that – like last month my phone was cut off.” Prisoner’s partner

“She mustn’t think we don’t love her... if we don’t keep in touch she will think we don’t love her and she will harm herself again”

As a security specialist, I learned a number of important points about security design on this project. In particular I saw firsthand how choices about information disclosure and service engagement are dramatically constrained when people are placed under enormous emotional and financial pressure. I realized how many assumptions we make in our security designs about the stability of the environments in which services are used and the attitudes that service users have towards service providers. When service users are not in stable environments and have conflicted feelings about the service providers, security practices are not as we might expect. Above all I learned that how we as people see ourselves in relation to technology defines much of our technology practice. In the context of families separated by prison, many families do not engage with support services because they simply do not see themselves as support users.

12 ///////////////////////////////////////////////////////// dedicated hardware module, within the What are your research interests? mobile handset to implement security services under the assumption that the My main interest is the security of embedded rest of the platform insecure. In the devices. These tend to be categorised into future, this approach could potentially many different areas, such as Internet-of- extend to core security functions of the Things, smart tokens, mobile devices and platform as a whole. cyber-physical systems, but essentially these are the bits and pieces all around us ///////////////////////////////////////////////////////// with some computational capability. These You have been looking after some of the devices all play a prominent role in our ISG’s outreach activities - how important everyday lives but do not always enjoy the do you regard this type of activity? same security scrutiny as larger devices such as a PC or server. I look at system Outreach is our interface to the general security as a whole but have a particular public and it gives us an opportunity to interest in vulnerabilities and security make an impact on the wider society. At mechanisms at the hardware and the the moment we are primarily engaged in physical communication layer. That said activities like school talks and participating it is a perk of any academic position to go in Royal Holloway’s Science Festival, an STAFF PROFILE: off and take a chance on something new, open day where younger visitors can take GERHARD HANCKE so I am happy looking at topics outside my part in a collection of science activities. main interests, especially areas of security Through these activities we raise awareness > Dr Gerhard Hancke is a Teaching such as management and law that are about security and we also promote security Fellow in the ISG outside my current technical comfort zone. as a potential career path, along with STEM fields as a whole. We are looking ///////////////////////////////////////////////////////// ///////////////////////////////////////////////////////// at expanding our outreach activities to Tell us a bit about your background and How do these interests tie into research raise security awareness within a broader how you ended up joining the ISG. being conducted in the wider ISG? audience and this year we had our first public science lecture where Dr Lorenzo My early academic background is in In some cases being a bit of a generalist Cavallaro gave a great talk on malware Computer Engineering - I completed is useful and I feel that I can contribute and botnets. I hope this will become an both my BEng and MEng degrees at the in a number of areas. The boundaries annual event. University of Pretoria in South Africa. In between the technical and non-technical 2003, I was fortunate enough to be awarded areas of security in particular present some ///////////////////////////////////////////////////////// a Skye Foundation scholarship to study interesting opportunities. I am currently Tell us something about yourself that you towards a PhD abroad and I headed out to involved in the ISG project on Cyber Security think would surprise your closest colleagues! the UK to join the Computer Laboratory at Cartographies (CySeCa), where I am working the University of Cambridge. I arrived at on methods for integrating and visualising South Africa is not known for anything Royal Holloway in the latter stages of 2007 organisational and data network data in cold but I have become a great fan of ice when I was hired as a researcher at the ISG a way that can aid security managers in hockey. If you wander by my office you Smart Card Centre to work in the area of identifying security issues. This requires me will sometimes see me catching up on RFID and contactless tokens. In 2011, I was to do some system engineering and design, NHL games (only during lunch and coffee appointed as a Teaching Fellow with the some applying of my understanding of breaks!). I support the Edmonton Oilers, ISG and essentially swapped the laboratory technical network concepts, as well as some who were really good around the time I in Founders for an office in McCrea. understanding of the softer science involved was born and somewhat bad ever since, in organisational research, and some but they are my wife’s hometown team so ///////////////////////////////////////////////////////// aspects of security management. I’m not abandoning them yet. As an added What are the joys and challenges of benefit, games in Edmonton start around 2 teaching on the MSc Information Security ///////////////////////////////////////////////////////// am, which is great for working late and even programme? Do you think it will ever be possible to better now that I have a few-weeks-old son. have smart mobile phones that provide I enjoy teaching as every class is different a comfortable level of day-to-day security? and the students keep you on your toes. We have some really bright students who This is difficult to answer definitively – come from a variety of backgrounds – some have we truly reached a comfortable level students have been working in security- of security for devices that preceded mobile related fields for numerous years. This phones? I believe that mobile platform brings about some interesting discussions, developers have a greater appreciation of and it is often possible to learn something security needs than their PC counterparts new during a lecture or project meeting. at a corresponding stage in the device As a teaching fellow I have had the lifecycle. This is positive and although opportunity to be involved in a number of it can definitely not be said that a complete different modules. This is a good opportunity solution exists, there is already some basic and has challenged me to get involved in functionality in place which can be built areas of information security outside of my upon for the future. What I think will happen own core interests. Teaching itself is also first is that a comfortable level of security a challenge and delivering a good lecture might be realised for specific applications. takes some effort. Teaching is something For example, some mobile payment that I am relatively new to so I am continually applications already leverage a trusted working to improve. execution environment, the SIM or a

13 SMARTCARDS & RFID/NFC

DIGITAL CYBER FORENSICS SECURITY

SECURITY TESTING

SECURE CYBERCRIME DIGITAL BUSINESS

Royal Holloway now offers six different specialist tracks of the MSc in Information Security. This will enable students to receive the globally recognised MSc in Information Security, whilst also offering the option of having a specialist track title recorded on their MSc degree transcript. In effect this means that the ISG is now offering six different specialist MSc degrees within the overall area of Information Security, as well as the “standard” MSc in Information Security. Registering for a track will require students to complete a set menu of courses tailored to the track focus within the existing MSc programme, as well as a specialist project.

Full details of track requirements are available at http://www.rhul.ac.uk/isg/ informationforcurrentstudents/ mscsyllabus.aspx

CHOICE OF SEVEN MSC’S FOR THE PRICE OF ONE!

14 academic and underground research in the field, trying to answer the foremost question about malware and underground economy: FREE “Should we care?” Students will learn how MASSIVE OPEN COURSE! traditional and mobile malware works, how ONLINE COURSE it is analyzed and detected, peering through ON MALICIOUS the underground ecosystem that drives this SOFTWARE profitable, but illegal, business. By Lorenzo Cavallaro Understanding how malware operates > Dr Lorenzo Cavallaro is a is of paramount importance to inform Lecturer in the ISG. knowledgeable experts, teachers, researchers and practitioners how to fight back. Besides, it allows us to gather intimate knowledge of the systems and the threats, which is a necessary step in the successful devising of novel, effective and practical mitigation techniques. To this end, as a concrete ongoing research effort It all started with a big bang (for me). to fight malicious software, the ISG has On a very hot day in July 2012, Keith Martin been exploring several research directions rang me up and left me a voice message: focused on characterizing the behaviour “We got to talk.” Did I forget any malware of Android malware (http://copperdroid.isg. running in the lab? Was I late with rhul.ac.uk --- joint work with University a deadline? of Milan, Italy) and botnets (initial collaborative research effort with Fortunately, it was indeed a blast – TU Milan, Italy), for which I have recently and a positive one. It turned out that been awarded a three-year EPSRC the University of London International -funded grant. Programmes had been approached by Coursera, a social entrepreneurship Malicious Software and its Underground company that partners with top universities Economy: Two Sides to Every Story is going around the world to offer online courses to be a short six-week long introductory for anyone to take - for free. Through this, course on Coursera, and currently claims Coursera, in its own words “hopes to give more than 20,000 registered students. everyone access to the world-class Although statistics suggest that only 10% education that has so far been available of registered students will actually take only to a select few; to empower people the course, it’s undoubtedly the biggest with education that will improve their audience that anyone in the ISG has ever lives, the lives of their families, and the presented a course to! The mixed nature communities they live in.” As a result of of the audience (background, skills and this partnership, Royal Holloway has been expertise) will make pleasing everyone selected to deliver two courses in June 2013. quite challenging. Nonetheless, I have been Emmett Sullivan (History) will deliver designing the course to try to keep it as The Camera Never Lies and I have been interesting as possible for everyone... given the honour to present Malicious Software and its Underground Economy: So, if you are interested in malicious Two Sides to Every Story. software and want to know a bit more about this fascinating topic, please do sign up to Cybercrime has become both more Malicious Software and its Underground widespread and harder to battle. Economy: Two Sides to Every Story as soon Researchers and anecdotal experience as possible. I’m looking forward to seeing show that the cybercrime scene is becoming you guys on June 1, 2013 on Coursera. increasingly organized and consolidated, with strong links also to traditional http://www.coursera.org/about criminal networks. Modern attacks are http://www.coursera.org/course/malsoftware indeed stealthy and often profit-oriented. Malicious software (malware) is the traditional way in which cybercriminals infect user and enterprise hosts to gain access to their private, financial, and intellectual property data. Once stolen, such information can enable more sophisticated attacks, generate illegal revenue, and allow for cyber-espionage.

By mixing a practical, hands-on approach with the theory and techniques behind the scene, the course will discuss the current

15 One possible solution to this problem confidence needs be developed as speedily would be an auditable standard for cloud as possible. service providers which process PII. An auditor could verify whether a cloud provider The goal of the work described here is meets the requirements of the standard to create a system for cloud PII processor and, if satisfied, it could issue a compliance governance, and for demonstrating certificate. This certificate could then be conformance using certification. Moreover, used both as a marketing tool for the cloud this system should ideally integrate with provider and as a simple way for a client processes already used by today’s cloud to verify that a provider will meet their infrastructure, based on existing PII legal and regulatory obligations with processing obligations, to encourage respect to PII processing. Indeed, audited rapid and wide adoption. The system compliance to such a standard could be should be capable of being developed in written into the contract for cloud service future releases to move towards improved provision agreed between the cloud client cloud privacy as cloud infrastructure and and service provider. privacy requirements develop.

The main focus of this article is an ///////////////////////////////////////////////////////// emerging international standard, 03 Pll Processing In The Cloud ISO/IEC 270187, which is intended to become just such a standard. As such, If the PII controller uses a cloud service it is hoped that ISO/IEC 27018 will solve to process PII, then the PII controller retains a key problem for the cloud industry. its legal and regulatory obligations relating to the gathering and processing of PII. ///////////////////////////////////////////////////////// The precise nature of these obligations will, 02 Meeting A Business Need of course, depend on the jurisdiction within OUTSOURCING which the PII controller operates. The We next explore in a little more detail relationship of the PII processor to a public PERSONAL DATA the need for such a standard. We first cloud service provider acting as a PII PROCESSING TO introduce some terminology. PII can be processor is shown in Figure 2. THE CLOUD formally defined as any information that By Chris Mitchell (a) can be used to identify the PII principal The PII controller therefore needs to ensure to whom such information relates, or that the public cloud service provider will (b) is or might be directly or indirectly meet the PII controller’s obligations when > Prof. Chris Mitchell is a Professor linked to a PII principal. As implied above, processing PII. This can be achieved in of Computer Science in the ISG a PII principal (or data subject in some two main ways. jurisdictions) is simply the person to whom the PII relates. 1. The PII controller can ensure that ///////////////////////////////////////////////////////// the contract it establishes with the PII 01 Introduction We are concerned here with the needs processor enshrines all the principles of organisations acting as PII controllers. necessary to ensure that the PII Use of the cloud for a wide variety of data A PII controller (or data controller in some processor’s obligations are met. processing purposes is undoubtedly a major jurisdictions) is a person who, either alone 2. The PII controller can verify that the growth area, with many potential advantages or jointly or in common with other persons, PII processor behaves in appropriate for users in terms of reduced costs, and determines the purposes for which and the ways through compliance auditing. simple and quick access to processing manner in which any personal data are, resources. However, problems potentially or are to be, processed. We suppose that It is intended that ISO/IEC 27018 can arise when cloud services are used a PII controller wishes to use a public cloud assist with both of these steps. The PII to process personal data or, more precisely, service provider, acting as a PII processor, controller can cite ISO/IEC 27018 in its Personally Identifiable Information (PII). to process its PII (note that, in line with the contract, and can verify that the PII In particular, whilst the data processing scope of ISO/IEC 27018, we do not address processor has been audited against the is outsourced, the legal obligations with issues relating to private cloud services). principles specified in the standard, thereby respect to PII protection remain with the A PII processor is any entity that processes allowing the PII controller to select a client of the cloud service. That is, the user PII on behalf of and in accordance with the well-governed PII processor. of cloud services will have to ensure that the instructions of a PII controller. We refer cloud service respects the legal obligations also to a cloud PII processor, meaning ///////////////////////////////////////////////////////// associated with the storage, management a public cloud service provider acting 04 THE ISO/IEC 27018 APPROACH and processing of the PII which it submits as a PII processor. for processing. The cloud provider market already The relationships between the key roles understands, invests in, and extensively Since it is hard to imagine an organisation involved in PII management and use are implements, audited certification to that does not hold a certain amount of PII, shown in Figure 1. ISO/IEC 27001 (information security e.g. relating to its employees, this is likely management system requirements)2, using to be a potential obstacle to almost any As briefly discussed, developing the industry the information security controls catalogue organisation wishing to outsource its data opportunity provided by the cloud needs in ISO/IEC 27002 3. Moreover, the notion of processing to the cloud. To ensure that it both customer and regulatory authority ISO/IEC 27001 certification, with its origins is not in breach of its legal obligations, an confidence that PII will be processed in the in BSI 7799 parts 1 and 2, is now very well- organisation will need to determine which cloud in ways that do not breach laws or established internationally, and is therefore cloud service providers will process regulations applying to the PII controller. something that will be familiar to many PII appropriately. To maximise the market opportunities, such potential users of cloud services.

16 As a result, it has been decided to build on the existing ISO/IEC 27001 security Figure 1: PII – context of management management system. That is, cloud and use provider PII protection certification will be achieved using the existing Regulatory Pll ISO/IEC 27001 processes. ISO/IEC 27018 oversight Protection Authority will act as a supplement to ISO/IEC 27002, containing (a) additional cloud PII process- ing-specific implementation guidance for existing ISO/IEC 27002 controls, and (b) additional cloud PII processing-specific con- trols; using the ISO/IEC terminology, ISO/IEC Pll controller who 27018 will be structured as a sector-specific processes (and stores) Pll principal his own data standard to cover PII protection for a cloud PII processor. The additional controls in ISO/ IEC 27018 will be used in conjunction with Pll law & the ISO/IEC 27002 controls as the basis for regulation certification of a cloud PII processor.

This approach is designed to provide a Figure 2: Relationship of PII controller practical and pragmatic base to start the to cloud PII processor process of creating confidence that the cloud industry deals appropriately with the PII that it processes. At the same time, the public cloud industry will have clear guidance about what it needs to achieve Cloud service Regulatory Pll to meet the legal and regulatory concerns provider oversight Protection of its clients. (Pll processor) Authority

It is hoped that the ISO/IEC 27018 approach will be attractive to existing cloud providers and will scale well. It also seems reasonable to believe that it will provide an economically Contact Pll controller who viable means of developing an incremental processes (and stores) Pll principal accreditation and certification process, his data in the cloud which can be continuously improved once Pll law & it is in place. regulation

///////////////////////////////////////////////////////// 05 SCOPE OF ISO/IEC 27018

The scope of ISO/IEC 27018, as previously Figure 3: Scope of ISO/IEC 27018 explained, is a relatively narrow one. That is, it is restricted to those controls of relevance to a public cloud service provider acting as a PII processor. This scope is show diagrammatically as ‘Scope 1’ in Figure 3. In particular it excludes privacy concerns This is the scope of a which may arise if a cloud service provider separate standards activity also acts as a PII controller. In fact, ‘Scope 2’ shown in Figure 3 is a poten- SCOPE 2 tially considerably larger scope, which it is intended will be addressed by a different This is the scope of ISO/IEC 27018 standard that is currently at an earlier stage SCOPE 1 of development. Indeed, this latter standard Pll is currently being balloted as a possible new Regulatory Protection work item, and will only proceed if the ballot Cloud service oversight Authority result is positive. provider (Pll processor) ISO/IEC 27018 can be seen as implement- ing the privacy principles of ISO/IEC 29100 (the privacy framework)4 as applied to a PII Pll controller who processor (but not as applying only to a PII Contact processes (and stores) Pll principal controller). In the second Working Draft of his data in the cloud ISO/IEC 27018, all additional controls have been classified according to these privacy Pll law & Audited regulation principles. The scope of ISO/IEC 27018 is conformance summarised in Figure 3. Scope of ISO/IEC 27018 Within SC27/WG5 we believe that ISO/ IEC 27018 is a key element to start the cloud

17 industry moving down the path of privacy ///////////////////////////////////////////////////////// 3. ISO/IEC 27002, Information technology ― conformance. 08 Acknowledgements Security techniques ― Code of practice for information security controls, 2nd ///////////////////////////////////////////////////////// I would like to thank John Phillips for not edition (to be published). 06 ORIGINS OF ISO/IEC 27018 only providing all the figures in this article, 4. ISO/IEC 29100, Information technology PROTECTION CONTROLS but also helping greatly with the structure ― Security techniques ― Privacy and text. I am further indebted to Microsoft Framework, 2011. Prior to producing the first draft of for their generous support during the 5 ISO/IEC JTC1/SC27 N10550, Proposal ISO/IEC 27018, an extensive analysis was development of ISO/IEC 27018. Finally, for a new work item on Code of practice performed of existing law relevant to third I must thank all the experts in SC 27/WG 5, for data protection controls for public party processing of PII. The main result of whose valuable comments and suggestions cloud computing services, November 2011. this analysis was a set of 70 controls, which have helped shape the current draft of 6. ISO/IEC JTC1/SC27 N11253, 1st WD were documented in the original proposal ISO/IEC 27018. 27018, Information technology – Security for a new work item5. Only those not already techniques - Code of practice for data covered by the existing set of controls in ///////////////////////////////////////////////////////// protection controls for public cloud com- ISO/IEC 27002 were included in the first 09 Bibliography puting services, June 2012. Working Draft of ISO/IEC 270186. 7. ISO/IEC JTC1/SC27 N11742, 2nd WD 1. European Union, Article 29 Working Party, 27018, Information technology ― Security Subsequently, the European Union Opinion 05/2012 on Cloud Computing, techniques — Code of practice for data published an important review of cloud adopted July 2012. protection controls for public cloud com- computing privacy issues [1]. These 2. ISO/IEC 27001, Information technology puting services, December 2012. were carefully analysed, along with other ― Security techniques ― Information published opinions, and used to derive security management systems ― a number of additional controls which were Requirements, 2nd edition included in the current (second) Working (to be published). Draft of ISO/IEC 270187.

The origins of the controls in the current Working Draft of ISO/IEC 27018 Figure 4: Origin of ISO/IEC 27018 is summarised in Figure 4. controls and guidance Stage 3: ///////////////////////////////////////////////////////// Eliminate controls & guidance 07 The Development Of ISO/IEC 27018 already in ISO/IEC 27002. Draft Stage 1: ISO/IEC 27018 with the new Find EU laws applying to cloud controls & new guidance ISO/IEC 27018 is being developed Pll proccessors within SC 27 (Security techniques) Stage 2b (Rome): of Analyse published DPA ISO/IEC JTC1/SC 27, concerned with cloud opinions Information technology. Within SC 27, the development of the standard is being ISO/IEC 27018 performed within Working Group 5 (WG 5), concerned with Privacy and identity management. 27018: New controls Work officially started on ISO/IEC 27018 Spain and new guidance with the successful conclusion of a new work item ballot in February 2012. A preliminary Working Draft was circulated New controls 27018: New guidance for in March 2012, and this was discussed and guidance existing controls in 27002 at the Stockholm meeting of SC 27 in Germany May 2012. A first official Working Draft6 was circulated in June 2013, and discussed at the Rome meeting of SC 27 in October France New controls 2013. Following lively discussions in Rome, and guidance a second Working Draft7 was circulated UK in December 2012, which is due to be Stage 2a (Nairobi): discussed at the Sophia Antipolis meeting 27002: existing controls & Create 70 new controls guidance (the revised 27002) of SC 27 in April 2013. to cover EU Laws

To participate in the development of ISO/IEC 27018 please consider joining the work on SC 27/WG 5, via your national standards body. As the editor of ISO/IEC 27018 I am always happy to provide information and answer questions – contact me at: [email protected].

18 Another theme consists of an existing truth that only gets more and more relevant as time goes on. After a decade of attending industry- focused security events, I have lost count of the number of times that I have heard that there needs to be a greater understanding and symbiotic relationship between the core business function and the security function within an organisation. This is not something new but, taking into account the two previous findings, it is only going to get more imperative that we get to grips with this issue.

Another theme that has emerged is that efficiency will be the key to good cyber security. With an increased range of services CYBER SECURITY to protect, and an ever expanding range CLUB UPDATE of threat actors, we are likely to be asked By Geraint Price to provide more varied security services in a wider range of environments, without a suitably > Dr Geraint Price is a Lecturer in the ISG commensurate increase in the level of funding. And this was going to be the case even before the cascading effect of the economic downturn Over the past fifteen years, the ISG has run of the past few years. a number of industrial research “clubs” which bring together various interested parties from Finally, what has become all too apparent industry, government and academia to discuss is that the burden of responsibility needs to be central issues of relevance to the club theme. shared between the public and private sectors We have previously hosted clubs on elliptic when we come to look for solutions to the curve cryptography, quantum cryptography, problems faced. Ultimately, this highlights that PKIs, and identity management; we are the focus in the club has come full circle. currently looking at cyber security. In starting off with a wide range of speakers from government and industry, our initial goal This most recent club came about through was to ensure that we had sufficient breadth to discussion with one of the member set the scene for our discussions. However, we organisations who felt that, as the phrase now believe that this far-reaching shared view “cyber security” was a burgeoning theme of responsibility is itself integral to our findings. in the press, it would be good to discuss this further. The club itself started in September While the club meetings have been interesting 2011 and has held eleven meetings to date. and informative, there is also a desire to move the discussion beyond the confines of the club Each meeting involves an invited speaker itself. We have already presented a précis of coming to lead a discussion relevant to their some of our findings at the 2012 ISF Congress. particular area of expertise. As befits discussion Once we have concluded our discussions, we surrounding cyber security, we started with a intend to publish the findings in a white paper mix of speakers from government and industry. which we hope will help to inform some aspects This gave us a basis from which to target more of the contemporary debate about the nature specific topics, such as malware, the policy of cyber security. challenges and mobile security.

What have we learnt? While the discussion is ongoing, there are some consistent and inter- esting themes that have emerged from our deliberations.

Firstly, the pace of change in this arena is relentless, and it is only getting faster. As a result, our ability to respond and develop coherent strategies for mitigating the threats we face are being severely tested.

The second recurring theme is that we need to move away from a silo mentality. The very nature of “cyber” is that of an interconnected world. No one individual or organisation can provide the answer. Indeed, the highly interconnected nature of the services we produce and consume on the Internet means that action and reaction are becoming increasingly difficult to map out.

19 cryptography, based on the capabilities the network, and run out of sight, beyond and the limitations of computers. the horizon. Computation is therefore not Diffie and Hellman’s paper New directions fully and directly controlled by programs in cryptography is often mentioned as the any more, but it can only be steered inception point of the revolution that indirectly, through security protocols. produced the cryptographic tools of Network computation is not a pure artifact computer security. But as computers joined of programming, but it involves natural into networks, cyber security emerged as information processing, like life, or society. a new problem area, where the old solutions Although it still involves a lot of program- didn’t seem to apply. Resolving the problems ming and engineering, network computation of cyber security seems to require a as a natural process is thus not only paradigm shift, akin to the one brought forth a subject of engineering, which synthesizes in cryptography by Diffie and Hellman’s artifacts, but also a subject of science, NEW CYBER ‘New directions’. We are thus looking for which analyzes natural processes. Cyber SECURITY RESEARCH new directions in cyber security. Tables 1 security requires that we take the ‘science’ LAB AT THE ISG and 2 (Below) provide a crude overview of in ‘computer science’ seriously. By Dusko Pavlovic the paradig-matic shifts in computation and in security. ///////////////////////////////////////////////////////// 2.3 Cyber Security Solutions, and the Gap > Prof. Dusko Pavlovic is a Professor in ///////////////////////////////////////////////////////// Information Security with the ISG 2.2 Cyber Security Problems As a new problem area of great economic, political and technical interest, cyber Cyber space is the distance-free space security has attracted a lot of attention, ///////////////////////////////////////////////////////// of costless communication, where modern and focused efforts from government, from 1 What is ASECOLab? networking technologies assure that every security industry, and from academia. two nodes appear to each other as neigh- Extensive and focused legislative and policy ASECOLab is the Adaptive Security and bors. But since this ‘end-to-end’ network efforts have been undertaken in many Economics Laboratory at the Information service hides the communication routes, countries, attempting to tackle the problems Security Group of Royal Holloway, University a pair of nodes with whom I am communi- cutting across all areas of social life, from of London. It was started in September 2012, cating cannot be distinguished by their national security and governance, through with funding from the US and the UK positions in cyber space, like they are industry, economy, to culture and social Governments, including EPSRC and distinguished in the physical space. networking. The looming dangers of AFOSR, and with a gift from Intel Corp. And since I cannot tell these two nodes cyberwar and the intricacies of protecting At the moment, ASECOLab consists of 14 apart, the problem of authentication arises. the critical infrastructure from cyber aseconauts, including 5 PhD students, and In this way, cyber space challenges some attacks have been quickly recognized by 4 external members. It is located on the first of our basic communication assumptions. governments and their agencies. The grave level of McCrea Building, and on the web Similar authentication problems have, economic losses from the cyber attacks at asecolab.org. of course, already been treated in computer have been extensively analyzed, publicized, security. But cyber space also changes our and transformed into signicant business ///////////////////////////////////////////////////////// notion of computation. In a computer, opportunities for the security industry. 2 What do we do at ASECOLab? computation is the process of executing The complex and quickly evolving problems programs. In a networked computer, as of social networking in cyber space, such We try to solve some problems of security a gateway into cyber space, computation as cyber bullying and loss of privacy, have and economics in cyber space. Security ceases to be programmable in the old sense, attracted a lot of public attention and and economics are, of course, two sides as the processes invoke each other across interdisciplinary research. The gentle reader of the same coin: wealth comes with security, security with wealth. In the early Table 1: Paradigms of computation days of computing, the problems of security and economics were tackled separately; AGE ANCIENT TIMES MIDDLE AGES MODERN TIMES but it is becoming increasingly clear again that many security vulnerabilities cannot Platform computers operating system network be solved without an economic analysis, Applications Quicksort enterprise systems World Wide Web compilers botnets and that many economic problems require security solutions. Requirements correctness liveness trust temination safety privacy ///////////////////////////////////////////////////////// Tools programming specification scripting languages languages languages 2.1 Exploring New Directions

There are already many different Table 2: Paradigms of security approaches and directions in security. Why seek new ones? AGE MIDDLE AGES MODERN TIMES POSTMODERN

Security is one of the driving forces of Space computer center cyber space cyber-social- physical space history: both war and diplomacy are efforts towards attaining security goals. With the Assets computing information public & resources private resources advent of computers and their spreading through our work and life, computer security Requirements availability confidentiality trust authorization integrity privacy came into focus, as a new family of locks | tokens | engineering problems. A new family Tools cryptography mining & passwords protocols classification of security solutions emerged from modern

20 of the ISG’s newsletter has probably already rules, and sometimes prefer to win that way. ///////////////////////////////////////////////////////// encountered much more information about This type of adversarial situations brings 3 What else do we want to do at ASECOLab? all these problem areas than could fit into with it new challenges. As an illustration, this issue. Figure 1 illustrates the main cyber consider the toy model of a game of attack While the game of attack vectors illustrates security problem areas, ranging from cyber vectors, displayed in Figure 3. The first our overarching goal, to provide war, through cyber crime, to cyber bullying. picture illustrates the slogan that the mathematical tools for strategic reasoning Figure 2 illustrates the main types of defenders have to defend all attack vectors, in cyber security, it is just an example from cyber security solutions. The two distinct whereas the attackers only need to choose one of the projects. Like computations in families of approaches, at the two ends one. The remaining illustrations show how a network, the projects invoke each other, of the spectrum, tackle the cyber security System turns this strategic disadvantage pass tasks to each other, and depend on problems through: into an advantage by assigning increasingly each other’s results. There is not enough greater weights to the information about space here to try to introduce all of them, • Policy, i.e. the legislative and regulatory the opponent. The final graphic depicts the but the web site at asecolab.org provides an efforts of governments and industry strategic situation where the attackers have overview. Covering the important questions, consortia; and through to conceal all identity markers, whereas but not spreading the efforts too thinly, and the defenders only need to defend one mark- determining the right priorities – is a matter • Technology, i.e. by adapting and extending er. Our adaptive immune system is a realiza- of subtle balance. At the moment we have the existing cryptographic techniques for tion of this strategy. The illustrations thus enough funding for 3 years of research, cyber security applications. show how the strategy of a ‘fortress under and probably enough questions for 30. siege’ on the left evolves into the strategy of We’ll do our best. To connect and coordinate the two types a ‘macrophage devouring a bacterium’ on of solutions, the stakeholders from the right. The illustrations correspond Please don’t hesitate to contact us for more governments, industry and academia to the states arising in the mathematical information: [email protected] initiated broad collaborative networks, model of this game. For more details and casting aside many old boundaries. In cyber references, please visit asecolab.org. space, nobody can win without their friends, not the attackers, and not the defenders. The main challenges, however, remain on Figure 1:  Figure 3: the middle ground, between the technical Flavours of cyber security problems Game of attack vectors solutions and the policy solutions. The strategic gear box in the middle of Figure 2 is needed to synchronize the engine of cryptography with the wheels of policy. Although the interdisciplinary combinations of the methods from social and computa- tional sciences provide some solutions, it seems unlikely that a toolkit for man- agement of computational and economic resources will be obtained by mixing the existing toolkits. The genuinely new adversarial situations that arise in cyber space require genuinely new adaptive strategies, leading to security as equilibrium, through economics. This strategic middle ground, the gear box on Figure 2, is the area that we are studying in ASECOLab.

///////////////////////////////////////////////////////// 2.4 Adaptive strategies Figure 2:  In the 1950s, the new strategic challenges Flavours of cyber security solutions engendered by the Cold War grew to be more complex than anything that generals and diplomats had seen before. They asked mathematicians for help, and game theory was developed to facilitate strategic decisions in adversarial situations. The Cold War is now over, but game theory is still used to model the adversarial Policy situations in various sciences, and in daily trading on the markets. The problems of cyber security are also complex and Technology adversarial. Why is game theory not a standard tool of cyber security, like it is a standard tool of economics?

The reason (or at least one of the reasons) is, roughly speaking, that game theory Strategy assumes that the players follow the rules, whereas the cyber attackers often break the

21 as its Operations Director from 1998, My relationship with the ISG started in 1991 then in 2001 joined the Corporate ISS team when I was General Chair of the IACR’s where I specialised in the design of large Eurocrypt conference held in Brighton. scale business-to-business information I needed help with the operational aspects security architectures. of running the conference and Fred suggested some of his students might I left Entegrity in late 2001 and founded be able to help. I seem to recall a young Inforenz Limited, a U.K. company Keith Martin being one of them… specialising in information system and cryptographic forensics. We designed and ///////////////////////////////////////////////////////// implemented a range of specialist forensic Remind us now - exactly how many tools and software applications. I was IP-enabled devices did you say you had in a member of the Board responsible for your home? product development and also undertook I checked my router this morning and there detailed forensic casework for both criminal were 48 active leases – my latest favourite and civil matters. device is a Raspberry Pi – it’s running my home VoIP phone system, brilliant! Inforenz Limited was acquired by Detica Limited in July 2006 at which point I was ///////////////////////////////////////////////////////// appointed Head of Forensics at Detica. What do you hope to contribute to the ISG I remained in that role until December 2010 as a Visiting Professor? VISITING PROFESSOR: when I left to form a new company, Primary ANDY CLARK Key Associates Limited, a company that I hope that sharing my experience of provides a range of consulting services designing, implementing and forensically including digital forensic investigation of analysing secure systems over many years The ISG is delighted that Andy Clark’s information systems and analysis of the will help the ISG understand the commercial long association with the ISG was recently security of information systems designed structures and objectives that drive the formalised through the establishment to protect digital assets. ‘security industry’; one that has been of a Visiting Professorship. through a substantial level of change during ///////////////////////////////////////////////////////// the time in which I have been engaged within ///////////////////////////////////////////////////////// How did you first get into the area of it, and one that continues to change. Andy, you’ve had a diverse and interesting information security? career – can you provide an overview? ///////////////////////////////////////////////////////// Well, ironically, it was in my first real job If you had one piece of advice for aspiring My career in the information security out of school. Some ten years before joining cyber security professionals, what industry started in earnest in 1984 when Open Computer Security I was working for would it be? I joined Open Computer Security as a flight simulator manufacturer. Because of Research & Development Manager my natural interest in radio communications Try and think from a systems viewpoint – responsible for managing the development systems (I was an active radio amateur at it can be too easy to be submerged in of the company’s range of commercial the time) I managed to get assigned to the security technologies without considering encryption products aimed at the banking department responsible for the design of the bigger picture. I recall several projects and finance sector. I remained with the (simulated) navigation and communication where the proposed security solution was company during its acquisition by new systems. The first project I worked on was nothing more than window dressing to owners and renaming as Computer Concorde (still my favourite) but the second comply with an internal standard, missing Security Limited in 1985. In late 1990 was the Jaguar strike aircraft. As part of that the threats completely. Security needs I left to join Logica plc. project I had to understand the mechanisms to be “business driven” and thinking of the IFF (Identify Friend Foe) protocol. from a systems viewpoint is critical to I was both a Programme and Divisional It was my first introduction to cryptography understanding where best it should be Manager with Logica’s Secure Systems (Challenge/Response) and I was naturally applied and the benefits it should deliver. Division where my work was focused curious to find out why it was considered towards specification, design and ‘secure’. As part of my research I discovered ///////////////////////////////////////////////////////// management of the development of David Kahn’s book, The Codebreakers, As someone who has been an information systems with very stringent security which opened my eyes to a new and exciting security practitioner, whilst maintaining requirements developed for a specialist world, albeit one that I would not join as my close relationships with academia, how do government client base. profession for another decade. you see the relationship between academic research activities and information I left Logica in 1996 to found a consulting ///////////////////////////////////////////////////////// security practice? practice, Primary Key Limited, specialising Tell us about your association with the ISG. in the analysis of the security of I am really encouraged by how this has cryptographic systems. At the same time In the mid 1980’s the UK crypto changed over the years. When I attended I accepted a part-time position on the Board manufacturing community was pretty my first Eurocrypt in 1987 there was limited of Sapher Servers Limited where I joined small. Each company had access to understanding of the role of cryptology my good friend Vince Gallo (ex OCS and mathematicians and cryptologists, either outside government, academia and the Sapher’s founder) and was responsible as fulltime staff members or as external banking sector. Since then, organisations for technical and corporate development consultants. At OCS we retained the like IACR have provided, through workshops of a range of secure messaging products. services of Donald Davies with whom I and conferences, a showcase for the best consider myself privileged to have worked. academic research in the field, and that has Sapher Servers Limited was acquired in I think it was Donald that introduced me to been picked up by the information security 1998 by Entegrity Solutions Corp. I joined Fred (Piper) and I started then to understand industry and beyond. Institutions like RHUL the Board of the U.K. operating company the importance of the crypto group at RHUL. now have a much higher profile outside the

22 InfoSec community as being at the leading NEW MSC MODULE edge of security research and a source of innovation. ON SECURE BUSINESS ARCHITECTURES ///////////////////////////////////////////////////////// By Geraint Price What do you see as the biggest cyber security challenges facing society? > Dr Geraint Price is a Lecturer in the ISG

I am reminded of the rather pointed help desk acronym PICNIC – Problem In Chair This academic year has seen the addition Not In Computer; security usability remains of several new modules on the ISG’s MSc one of the most challenging areas for Information Security programme, one of which society. The vast majority of us have no is Secure Business Architectures. This is a new interest in interacting with any security core module for students following the pathway system, we just want it to work and do its through our MSc which is directed towards job. Our increasingly technology-led society students with more of a “business bent”. develops more and more sophisticated devices, some of which can be life- Why this new module? For some time I have enhancing or life-threatening, such as felt that organisational requirements were not intelligent vehicles and remotely accessible sufficiently represented when discussing the medical equipment and implants. The users security infrastructures and technologies which of such devices are probably the least are implemented in those organisations. While well-qualified to make any decisions about the core module Security Management cov- their security features and functions and we ers many aspects of the business-to-security should not consider them to be the problem relationship, I felt that the “why?” of the design if it fails. That means we need to consider choices made in relation to the technology was system failure as an integral part of our not sufficiently covered. This led me to propose security design and decide how best we can a new module to fill this void, which ran for the recover safely, without having to involve a first time this year. user; that is not going to be easy. The overall syllabus is broken down into three As an information forensics professional parts. The first part effectively sets the scene I think there is a big risk that system and outlines the tools through which we will designers will frequently continue to analyse the technological choices which the ignore the importance of designing and organisation is faced with. It covers GRC implementing proper audit facilities in a (Governance, Risk and Compliance), Risk system to establish what happened when Assessment (as its own component) and the things went wrong. Planning to understand Secure Development Lifecycle. These are then security failures in systems is critical to used as lenses through which we analyse some improving them over time. candidate infrastructures and technologies which many modern organisations implement. ///////////////////////////////////////////////////////// Those are: Identity Management, Cloud Com- What’s your prediction for the future of the puting, PCI-DSS, BYOD, Supply Chain Security, Internet and its security? and Big Data. To close, we had a guest lecture from one of our alumni, Holger Mack, which As Niels Bohr said “Prediction is very brought those themes together from the difficult, especially about the future” viewpoint of a practitioner in the field. and I feel less qualified than him to make accurate predictions. I think one thing is A number of topics were delivered by subject- clear: our (Western European) society is specific experts, including Paul Dorey (Visiting already almost completely dependent Professor, and former CISO) who commented: on IP-based communications systems. “This new module gives life to how security More than three quarters of the UK’s critical management processes and standards are national infrastructure (CNI) is controlled used in practice. I have been delighted to share by commercial companies whose primary real experiences with the students.” interest is their duty to their shareholders. We are going to need to recognise this MSc student Alan Watkins enjoyed the dependency and make sure that the CNI is experience: “Secure Business Architectures not just technically, but also commercially was an interesting and stimulating course. resilient. After covering the mechanics and the pro- cesses involved, week by week we went on to ///////////////////////////////////////////////////////// see how they have been applied in different in- You’re a technology fan, what future gadget dustries. We saw how it has shaped and refined would you love to see developed? the security of everyday systems, such as credit cards and mobile phones, and the challenges The babelfish. emerging technologies like BYOD and Cloud still have to address. We were encouraged to participate in lectures, with lively debates where students could draw upon their work experi- ence and how these things work in practice.”

23 ALUMNI REUNION CONFERENCE 2012 By Chez Ciechanowicz 2500 ALUMNI CAN’T BE WRONG! > Dr Chez Ciechanowicz is MSc Information Security Programme Director

The MSc in Information Security is now twenty years old, being one of the first such programmes worldwide. Our third Alumni Reunion Conference, held at Embarrassingly, however, we have never Royal Holloway from 25th – 27th June 2012, was established exactly how many students attended by well over one hundred of our alumni. have successfully graduated from the It was also the twentieth anniversary of the launch programme. Nor have we ever determined of the MSc in Information Security. Many of these precisely how many different countries alumni are now in very senior, in many cases top, they have come from. Is it 1500 graduates positions within the information security sphere. from over 50 countries? Is it maybe The format was similar to previous events in that, even 2000 graduates from 60 countries? with the exception of two keynote speakers, all the talks were given by alumni of the Royal Holloway We were thus very pleased to discover Information Security MSc programme. What was that when this surprisingly difficult particularly pleasing was to see two of the original information was finally computed, thanks alumni from the 92-93 cohort (in which there were in no small part to the efforts of Lynne only seven full-time students!) delivering two White, the latest tally is over 2500 alumni of the presentations. from more than 100 countries. This is a statistic which the whole of the Information The first of the keynotes, “The Future of Security Security Group is incredibly proud of and - responding to what is ahead”, was delivered by is a testament to the ongoing efforts to Dr Alistair MacWillson from Accenture Technology maintain this as the number one masters Consulting. Alistair frightened the life out of us with programme in its field. Adding to the list his predictions, but at the end of his session he of countries is getting harder, but 3000 redressed the balance by reassuring us that all alumni is firmly in our sights... of our jobs were safe for many (many) years to come! The second keynote was by our own Visiting Professor, Whit Diffie, who gave a fascinat- ing historical talk about the fundamental turning points in the development of cryptography.

As always the atmosphere was convivial, the quality of the talks was excellent, and a thoroughly enjoyable time was had by all, including some mutually beneficial recruitment sessions (or should I say “poaching sessions”?). Reactions from the attendees were very positive and more than one alumni commented that the event was easily as good, if not better than, equivalent commercial conferences, while attendance involved a minute fraction of the costs.

I would like to thank Kostas Markantonakis, Emma Mosley, Fred Piper and Geraint Price for their considerable help with organising and running the 2012 conference.

24 “When I received the book around the and Robert Matson, a space scientist who date of publication, it didn’t take me lives and works in California. long to read it. I already had a bit of knowl- edge about most of the unsolved ciphers The solutions to the Enigma puzzles will mentioned in the book but what intrigued remain secret for now, so that future me the most was the competition. The idea generations of puzzlers can also pit their was simple: break the ciphers, solve the wits against this challenge. However, here riddle and win an Enigma machine! At the are the first couple of puzzles from the time, I was a high-ranking player of the series, to whet the appetites of aspirant hit ARG Perplex City and so it was natu- code-breakers: ral for me to want to invest some amount of time on these six seemingly harmless Puzzle 1: ciphers. However, these ciphers were not WKHFLSKHUWHAWLQWKHQHAW harmless; they were skillfully crafted by a SXCCOHLVDPBVWHULRXVDQG team of experts from the ISG (Carlos Cid, ODUJHDQDJUDP(WKHSODLQW Jason Crampton, Laurence O’Toole and HAWPDBSURYHXVHIXOLQVRO Kenny Paterson). Their difficulty became YLQJVXEVHTXHQWSXCCOHV) more and more apparent the longer I spent on them.” Puzzle 2: ALAN TURING, ENIGMA, VISIONARY, “Six long years later and the trail has EXPOSES THEIR HARD ROTOR CODE, finally been slain through the use of FOR IT HALTS WAR. Q. CAN YOU CRACK lots of persistence and patience. I did THE ENIGMA CODE? not go it alone though, I was part of a Full details of all the puzzles can be found in team (consisting of me, David Dack, Richard’s book and at the Enigma puzzles A. YES, BUT IT’S GOING Mark Armitage, Robert Matson and website: enigma.isg.rhul.ac.uk TO TAKE SIX YEARS Robert Dickson... four people who I had never met!). We each decided to collaborate through the online It started back in 2006 when the ISG forum provided by the ISG.” was contacted by Richard Belfield with an intriguing project: to set a series of “Each of us worked through the first three puzzles to be interleaved with the chapters ciphers independently but joined forces of Richard’s book “Can You Crack the for the final three ciphers. Incredibly, every Enigma Code?” (Orion, ISBN-10:0752875264). member of the team has provided a vital An ISG team was formed, a series of six contribution at some point in the trail. puzzles of increasing difficulty were set, I myself exploited certain patterns in cipher a website and online discussion forum five that led me to its solution in the realms was built, and the book was published. of music. I was also credited as being the annoying guy that begged for clues from The original prize from the publisher Orion the code-setters (often receiving a po- was a Genuine WWII Enigma machine. lite ‘no’ in return) and as being the most Unfortunately nobody managed to crack persistent guy on board. I managed to keep the puzzles before Orion’s deadline expired, the team together and working on this even and the prize was withdrawn. Eventually, through times when we drifted apart.” the machine was sold off in order to market the latest instalment of some footballer’s “Although the prospect of winning an autobiography. Enigma machine was long gone, we were still happy to continue towards However, an international team of four a solution and, as a nice treat for solving determined code breakers, three from their puzzles, both the author and the England and one from the USA, never code-setters invited the team to dinner. gave up. Six years later, they have finally It was a great evening, and strong broken all six puzzles; an extraordinary feat evidence that hard work can induce of collective intellectual firepower, creative pleasure...” thought and dogged perseverance. “As closing words I can recommend Dan Fretwell, one of the successful this trail to anyone with a love of code-breaking team, takes up the story: challenges. For not wanting to spoil the solution I cannot mention exactly what “As a 17-year-old teenager I was interested these ciphers entailed, but I can mention in many things that were quite distant from the existence of a 63-letter anagram, the interests of a standard teenager. I loved many pangrams and a musical theme. puzzles, mathematics and cryptography Good luck...” (although I was only an amateur at breaking ciphers). I first learned about the book `Can Step forward and take a bow: Dan Fretwell, you crack the enigma code’ from the BBC a PhD student in Mathematics from puzzle magazine `Mind games’. In fact Sheffield, Mark Armitage, a semi-retired I won a competition in that magazine and organic chemist, David Dack, a retired my prize was a signed copy of the book.” research lab manager at Hewlett-Packard,

25 with the premier annual European security of cloud storage and data sharing. The SHORT NEWS conference ESORICS, deals with all aspects ISG, as a member of a consortium led of research into Public Key Infrastructures. by technology company Thinking Safe BITES Kenny’s talk, entitled ‘Key Reuse in Limited and including design company Wax Public Key Cryptography: Theory and RDC, has recently won funding from the Practice’ covered a range of issues in key Technology Strategy Board’s `Innovating in The ISG was delighted to host the 23rd management and cryptographic security the Cloud’ competition, for a project to make HP Colloquium on Information Security arising from the common practice of using information storage more secure for people on the 20th December. Attendees enjoyed public keys in multiple algorithms. In this using cloud computing. three excellent talks as well as great talk, Kenny reported on his recent research networking opportunities. John Madelin on the security of key reuse in EMV, the The Service Protection and Acceleration into (Verizon) spoke about ‘The Business global de facto standard for payment cards. the Cloud for Enterprise (SPACE) project of Security’, giving an overview of the has ambitious goals and seeks to design role of security within a large business Researchers from the ISG have been and develop a national infrastructure for environment. James Lyne (Sophos) provided selected by intelligence agency GCHQ enterprise data protection, which will enable a highly interactive and entertaining look and EPSRC to use their expertise to form the UK to establish a leading role in the at recent trends in contemporary cyber part of the UK’s first academic Research international cloud services industry. Co- crime. David McGrew (Cisco) presented Institute to investigate the “Science of ordinated by Allan Tomlinson, the ISG’s role a thoughtful critique of quantum key Cyber Security.” Royal Holloway was in this project is to provide a threat analysis distribution. We are, as always, very grateful selected along with three other universities, of the proposed scheme and subsequently to HP for sponsoring this extremely University College London, Imperial College develop protocols to allow secure data successful event. and Newcastle University following a tough sharing between users of the service. competitive process. The new institute The ISG hosted InTrust 2012, the 4th will bring together a diverse set of interdis- International Conference on Trusted ciplinary researchers to tackle cyber crime Systems, on 17th and 18th December 2012. and make the UK more resilient to cyber This was the fourth in a series of conferenc- attack. The collaborative team will focus es focusing on the theory, technology and on driving forward the basic understanding applications of trusted systems. Prof. Chris of how to assess the relative security RECENTLY Mitchell and Dr Allan Tomlinson from the ISG of an enterprise system – including its COMPLETED were co-chairs together with Dr Liqun Chen constituent technology, people and PHD THESES from Hewlett Packard. processes – and the effectiveness of different mitigation strategies. There will Dr Gerhard Hancke was invited to present be a particularly strong emphasis on the Qin Li on the topic of NFC security at the recent human behavioural aspects of security. Design and Analysis of Electronic Feedback European Electronic Crime Task Force Mechanisms (EECTF) plenary meeting, which focused on Dr Konstantinos Markantonakis was one the security of innovative payment systems. of the invited keynote speakers at the 8th Raja Akram This event was held at the headquarters edition of RFIDSec which took place in User Centric Security Model for of Poste Italiane on the 29th of November Nijmegen, The Netherlands, on July 1st – Tamper-Resistant Devices in Rome, and was attended by around 120 3rd 2012. RFIDSec is the earliest workshop participants representing 50 organizations devoted to security and privacy in Radio Muntaha Alawneh from 8 different countries. The EECTF is an Frequency Identification (RFID). Starting in Mitigating the Risk of Insider Threats When initiative founded in 2009 by Poste Italiane, 2005, RFIDSec is today the reference work- Sharing Credentials the Italian Postal and Communication Police shop in the RFID field with participants from and the United States Secret Service to all over the world. RFIDsec aims to bridge Julia Novak share information amongst a wide commu- the gap between cryptographic researchers Generalised Key Distributions Patterns nity of organisations that play a leading role and RFID developers through invited talks in countering cyber crime. and contributed presentations. Haitham Al-Sinani Managing Identity Management Systems Dr Carlos Cid was one of the invited The ISG attended the 2012 Information speakers at the ECRYPT II AES Day event, Security Forum (ISF) Congress held in Elizabeth Quaglia held on 18 October 2012, in Bruges, Belgium. Chicago in November (the last day coincid- Anonymity and time in public-key encryption The event, to commemorate the 10th ing with the re-election of President Obama). anniversary of the AES standard, was Visiting Prof. Whitfield Diffie gave an invited Penying Rochanakul organised by ECRYPT II - European Network keynote, outlining some of the important Protecting Digital Copyright with Fingerprinting of Excellence in Cryptology, and featured challenges from computer science that Codes and Separating Hash Families historical talks on the design and selec- system designers and builders have had to tion process, as well as more recent work overcome, and how these have translated on security and implementation. The list of into vulnerabilities in real world systems. speakers also included Miles Smid, David Dr Geraint Price gave a member presenta- Naccache and Joan Daemen (co-designer tion which outlined the early findings of the of the AES and of the recently selected ISG’s Cyber Security Club. SHA-3 hash function algorithm). SPACE PROJECT: Many organisations are Professor Kenny Paterson from the ISG moving their infrastructure to `The Cloud’. was one of the invited keynote speakers at This poses some interesting security, and the 9th edition of EuroPKI which took place legal, questions depending on the particular in Pisa, Italy on September 13th and 14th cloud configuration adopted. One area of 2012. The workshop, which is associated interest to researchers at the ISG is that

26 CONFERENCES HOSTED BY THE ISG

Prof. Chris Mitchell was General Chair of IFIP IDMAN 2013, the 3rd IFIP WG 11.6 Working Conference on Policies & Research in Identity Management, which was hosted by the Information Security Group on the 8th and 9th of April 2013 - see idman2013.com. IFIP IDMAN 2013 was the third in a series of conferences focusing on the theory, technology and applications of identity management. The two previous conferences (IFIP IDMAN 2007 and IFIP IDMAN 2010) were held in Rotterdam, The Netherlands and Oslo, Norway, respectively. IDMAN 2013 was co-located with a workshop organised by the EPSRC-funded Future of Identity Network of Excellence.

ESORICS (European Symposium on Research in Computer Security) is the premier European research conference in computer security. ESORICS started in 1990 and has been held in several European countries, attracting an international audience from both the academic and industrial communities. ESORICS 2013, the 18th symposium in the series, will be held in the UK at Royal Holloway, University of London. ESORICS has not been hosted in the United Kingdom since 1994, when it took place in Brighton, and has never been hosted by Royal Holloway. The conference will take place in early September. Prof. Jason Crampton is co-chair of the Programme Committee alongside Prof. Sushil Jajodia of George Mason University, one of the world’s most prolific and experienced researchers in computer security. Prof. Keith Mayes is chair of the Organizing Committee. Further details are available from the conference web site http://esorics2013.isg.rhul.ac.uk/ or contact [email protected]. The organisers would be very interested to hear from potential sponsors.

Dr Carlos Cid is joint Programme Chair and General Chair of Fast Software Encryption (FSE) 2014, to be held in Central London in March 2014. FSE is one of the International Association of Cryptologic Research flagship events, and over 150 participants are expected to meet to discuss the design and analysis of fast and secure primitives for symmetric cryptography. The ISG has a long history of expertise in this area, and Carlos and his research student Gordon Procter received the best paper award for their paper On Weak Keys and Forgery Attacks against Polynomial-based MAC Schemes at FSE 2013 in Singapore.

27 Facebook: http://www.facebook.com/ISGofficial

Twitter: http://twitter.com/isgnews

LinkedIn: http://www.linkedin.com/groups?gid=3859497

You Tube www.youtube.com/isgofficial

CONTACT INFORMATION:

For further information about the Information Security Group, please contact:

Information Security Group Royal Holloway, University of London Egham, Surrey, TW20 0EX United Kingdom

T: +44 (0)1784 443101 F: +44 (0)1784 430766 E: [email protected] W: www.isg.rhul.ac.uk/isg