Alejandro Guerra Manzanares awarded at the Estonian Research Council student thesis competition
Alejandro Guerra Manzanares awarded at the Estonian Research Council student thesis competition in the category of science and engineering.
Our centre's PhD Student & Early Stage Researcher Alejandro Guerra Manzanares was awarded with third prize for his master thesis: “Application of full machine learning workflow for malware detection in Android on the basis of system calls and permissions" (supervised by dr Hayretdin Bahsi and dr Sven Nõmm)
Congratulations to Alejandro and to both of his supervisors!
Student Brief 2019
We’re offering a unique opportunity to meet the team of TalTech Centre for Digital Forensics and Cyber Security, learn more about the research interests of our academic staff, discuss internship options and introduce potential thesis supervisors and topics, as well as get detailed insight into the new Cyber Security Research Excellence Course.
Cyber Security MSc students are invited to join Cyber Security Student Briefing on 5th of November 2018 at 15:00 – 17:00. The briefing will take place in auditorium U01-202 in TalTech main building, Ehitajate tee 5 (located near the assembly hall).
- 14:45 Gathering
- 15:00 Welcome and introduction of the Centre by Prof. Rain Ottis
- Opening words for the Cyber Security Research Excellence Course by Prof. Olaf Maennel and Prof. Matthew Sorell
- 15:15 Introduction of members of the Centre. Presenting research interests of supervisors and thesis topics. Q&A.
- 16:30 Official launch and detailed insight into Cyber Security Research Excellence Course. Introduction of the objective, topics, and timeline. Q&A. Prof. Olaf Maennel and Prof. Matthew Sorell
People who might be interested in applying for the Cyber Security MSc program in the future are also welcome to join.
If you have any questions regarding the event, please contact kristi dot ainen at taltech dot ee.
Join us on the 5-year anniversary of ICR! Since 2015, the Tallinn University of Technology Centre for Digital Forensics and Cyber Security has been co-hosting the annual Interdisciplinary Cyber Research (ICR) workshop taking place at the Tallinn University of Technology.
The event brings together hundreds of participants from various academic backgrounds to share their research related to information and communication technologies. The ICR format is particularly appealing since the workshop promotes interdisciplinarity and therefore strives for the synergy between technical and other (such as law, political sciences, psychology, etc) research domains. Presentations for the event are carefully chosen via double-blind peer review process and the extended abstracts are published in ICR proceedings.
You can participate as a speaker (submitting an abstract+delivering a presentation) or simply join our wonderful audience. Speakers are requested to submit a 1000-word abstract. Abstracts should explain the relevance of the research, outline principle research questions, and expected or achieved results together with your research methods. In addition to young researchers and scholars, we welcome student submissions based on Master or PhD thesis research (and bachelor level students are very welcome to join in as audience). All authors will get feedback from our distinguished peer reviewers and selected authors are invited to present their ideas at the workshop. All selected abstracts will be published as workshop proceedings by Tallinn University of Technology (with an ISBN number). Selected authors are also invited to submit their research as an academic article for established academic journals, subject to additional review process.
- ICR2019 on the 29 June 2019
- Call for abstracts deadline: 15 April 2019
- Notification of authors: 6 May 2018
- Registration open until: 25 June 2019
From Battlewatch to civvy street: keeping your people safe from attack
There’s no such thing as cyber security, just security – and it’s everybody’s problem, says Kieren Niĉolas Lovell, keynote speaker at the Jisc Security Conference. After a career spent battling pirates of the watery kind, he sets out what university IT teams can learn from the navy’s approach to security.
What do extinguishing a fire on a naval warship and tackling a security breach at a university have in common? Quite a lot, actually, according to Kieren Niĉolas Lovell. He should know. While Lovell is currently incident management specialist at Tallinn Technical University in Estonia and spent three years as head of computer emergency response (CERT) at the University of Cambridge, in a previous life he was a Nato Battlewatch captain, charged with leading five warships against the pirate threat in Somalian waters.
“If we were ever practising a fire aboard a ship, if somebody were to turn up with a fire extinguisher within two minutes of that fire starting, the fire was dead. Ship saved, no harm done. If they take more than two minutes then that small fire becomes a complete inferno. Time is of the essence. Dealing with a fire quickly and firmly is how you get it under control,” says Lovell. In contrast, universities tend to take the opposite approach to cyber attacks, with security teams practising scenarios in which a small incident happens and slowly gets bigger for three or four hours, when there is a big crescendo and the exercise stops.
“That sounds logical unless you’ve ever done an incident,” says Lovell. “It’s actually the other way round. It starts off as a little incident but quickly gets massively huge and chaotic before becoming smaller and more manageable as you deal with it. If you practise it the first way, with the gradual incline, you don’t manage the chaos – you’re slowly getting yourselves organised just as the incident is ramping up rather than quickly taking control and reducing it.”
At Cambridge, Lovell introduced the idea that – contrary to the university norm that experts are called in one by one as needed – the military approach is taken and everybody is called in at once and then sent away again if not needed. It reduces process and bureaucracy and ensures that the emergency team are all in place at the most critical time.
The progress of incidents is not the only similarity between the military and academia. Both sectors are drowning in too much information and that, says Lovell, means that crucial command, control and communication – those fundamental leadership and communication skills – are getting worse.
“Every university, every college, every department, every research group, all the staff, researchers and students are generating so much information – on Facebook, on Twitter, on every other network – all day every day and the divide between personal and work life is non-existent,” argues Lovell. “It provides an excellent baseline for launching personally targeted attacks, for emotional attacks.”
He gives the example of the “sexploitation emails” many universities have experienced. The emails, sent to staff and students, were along the lines of “you were on YouPorn last night at 9pm, I hacked into your webcam and I recorded it. If you don’t pay me one bitcoin I will publish the photos online”. The emails were completely fake and they didn’t have much of an impact. But then the attackers changed one thing. Using databases that had been leaked online in various breaches, such as LinkedIn and MySpace, they sent the same emails but included the user’s leaked usernames and password in each case. The attackers’ revenues went through the roof, according to the evidence of the Bitcoin stack.
“We’re seeing more and more of these social engineering attacks, which do not require any actual hacking because it’s now a lot harder to do a technical attack,” says Lovell. “Organisations have detection systems and firewalls. But when it comes to the individual we really don’t help them at all. We may have firewalls on our university network but 90% of people are using laptops, tablets, phones – they are not always at the office. People are always working from home, airports, everywhere and none of these tools really help unless you’re helping to protect the individual. That’s what we need to change our mindset to – help the individual to protect their own data so that, collectively, our organisation is better protected.”
End-user education is, of course, the first line of defence – if it is done in the right way. Lovell suggests emphasising that it is a human problem, not a technical problem, and encouraging users to understand and research what information they have put online and is still out there – all those abandoned accounts, from MySpace to Friends Reunited, that may well contain embarrassing conversations and photos. At Tallin, Lovell also shows teams of researchers how easy it is to use the same intelligence gathering techniques against naval warships. While the actual cyber security on a ship is quite high, the exercise shows how you can get full compromise on an entire warship and track ship movements just by using Twitter, Facebook and Snapchat.
“When I went on a nine-month deployment in the navy it was much easier because you didn’t have so much connection on a phone – I had a phone to make phone calls, that was it really. But now your entire life is on there and you communicate entirely through Facebook, and Whatsapp. It’s against policy but it happens – you can’t expect sailors not to have that connection any more. But in doing that, because they are not entirely sure how this data can be used against them or against an armed force, they don’t know that they are sometimes unwittingly putting themselves and their fellow sailors at risk. It’s exactly the same issue we have in universities and organisations and blue chip companies,” warns Lovell.
His second solution to the human problem draws, again, on his naval experience: to get universities to share when things go wrong and not to be embarrassed by it.
“There’s a sentence within the IT security industry that is stolen from the military: the ‘need to know principle’. Unfortunately, that’s not the military principle at all – it’s half the sentence. The full military one is ‘need to know, responsibility to share’. That completely changes the whole dynamic. Yes, people should know and secure data and look after it but if anything goes wrong you have a responsibility to share with your industry partners, your friends, your colleagues, even your competitors, that this is going on,” says Lovell, offering a good example of what happens when such information is not shared.
“Around three years ago at the University of Cambridge we had a payday fraud. About six or seven months later I was at a conference in London and I was talking about this fraud. I could see faces dropping as other universities said, ‘we’ve had that’. Analysing the data it was as clear as day that it was the exact same people and the exact same approach but because we hadn’t told anybody about it, and they hadn’t told us, the attackers were just burning through from one university to the next and the next, stealing thousands of pounds.”
Lovell commends the work that Jisc has been doing with the community in this area and believes that, as a fear of loss of reputation is a key factor in the secrecy, “the only way I see us fixing it is having a safe space established within the Jisc community – and even within the international community as well in the university sector – to share information to better protect and better share from our collective experiences. It could be as simple as a Jisc web page where you report an incident that’s ongoing but you don’t actually say who you are. To be honest, I don’t really care who you are, I care who the attacker is and how they are doing it. That might be a way of getting over the political barrier and that mindset of ‘we can’t tell everybody that we’ve made a mistake’.”
This same fear of discovery is also frequently the attacker’s friend in social engineering scams such as the sexploitation emails or dating fraud. Even when victims do get up the courage to inform authorities what has been happening, the crime is often not taken seriously because it is ‘cyber’ crime, which Lovell finds aggravating. For him, there is no such thing as cyber security, only security.
“We like to add the word ‘cyber’ to everything and it’s annoying – it’s just stupidity. For example, if you were mugged while walking on a London street and somebody steals £100 out of your wallet at knifepoint you would go to the police station, report the crime and it would be treated seriously. If I steal £1000 out of your bank account you’ll report it to Action Fraud and you’ll get an email in two days’ time. The effect is just the same, you still go through the same emotional issues, the breach of trust, the loss of money but we’ve added the word ‘cyber’ to it and taken it less seriously. But it’s not cyber money, it’s money. It’s not cyber crime, it’s crime.
“We try to hide behind it being an IT problem, but it’s everybody’s problem.”