The CNIL’s Privacy Research Day

June 29, 2022June 29, 2022 / bugejajoseph / Leave a comment

The first CNIL’s International Conference on Research in Privacy took place in Paris yesterday, June 28, and was broadcast online for free. In addition to providing a great opportunity to consider the influence of research on regulation and vice versa, this conference facilitated the building of bridges between regulators and researchers.

During the day, experts from different fields presented their work and discussed its impact on regulation and vice-versa. I attended it online — there were many interesting topics covered by the different panelists. The topics ranged from the economics of privacy, smartphones and apps, AI and explanation, and more. Surely, one of the panels that I liked was that on AI and explanation.

Machine learning algorithms are becoming more prevalent, so it is important to examine other factors in addition to optimal performance when evaluating them. Among these factors, privacy, ethics, and explainability should be given more attention. Many of the interesting pieces I see here are related to what I and my colleagues are working on right now and what I have planned for my upcoming projects.

You are welcome to contact me if you are curious about what I am working on and would want to collaborate.

Threat Modeling: Some of the Best Methods

June 3, 2022June 3, 2022 / bugejajoseph / Leave a comment

Threat modeling methods are a set of general principles and practices for identifying cyber threats to computer systems and software. These methods can be applied during the design phase of new systems or when assessing existing security controls against new threats. There are several threat modeling methodologies in use today, ranging from informal processes to formalized models that can be captured within software tools. A summary of some of the most popular threat modeling methods is provided below:

• Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of privilege (STRIDE)

• Process for Attack Simulation and Threat Analysis (PASTA)

• Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

• Trike

• Visual, Agile, and Simple Threat modeling (VAST)

• Common Vulnerability Scoring System (CVSS)

• Attack Trees

• Persona non grata (PnG)

• Security Cards

• Hybrid Threat Modelling Method (hTMM)

• Quantitative Threat Modelling Method (QTMM)

• Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, and Non-compliance (LINDDUN)

All of the above methods are designed to detect potential threats, except for CVSS. The number and types of threats will vary considerably between the different methods, as well as the quality and consistency of the methods. Which one is your favorite threat modeling method? Are you interested in using some of the methods above for your company or research project?

Panel Discussion on the topic of Designing IoT Systems

April 8, 2022 / bugejajoseph / Leave a comment

I was invited to participate in a panel discussion at Malmö University on Friday, April 8th. The topic of “Designing IoT Systems” was the one I was asked to speak about. There were representatives from Sony and Sigma Connectivity in the panel with me. Concerns about trustworthiness were a major topic of discussion during the session.

Safety, security, privacy, reliability, and resilience tend to be identified by several researchers as the main trustworthiness concerns in the IoT domain. These concerns are there to ensure that systems function as intended in a variety of situations.

According to several academics, the most challenging aspects of designing trustworthy IoT systems are achieving privacy and security. From applications to devices, each layer of the Internet of Things has its own set of security risks and potential attacks. From a research perspective, a hot topic is that of building energy-efficient security, along with scalable and dynamic security architectures. Preserving data privacy in the IoT, on the other hand, is also particularly challenging. Existing IoT privacy mechanisms are often built for single services, and not necessarily for interdependent, dynamic, and heterogeneous services. Building new privacy preservation techniques for interdependent services is a hot topic, as is federated learning when it comes to data privacy.

Panel discussion on the topic of “Designing IoT Systems”

Finally, there are a number of standards that pertain to trustworthiness. ISO/IEC 30147 “Integration of trustworthiness in IoT lifecycle processes” and ISO/IEC 30149 “IoT trustworthiness principles” are two ISO/IEC standards.

If you want to collaborate with me or learn more about a specific topic that is related to my research topics, please send me an email.

The Ultimate OSINT Collection

February 10, 2022 / bugejajoseph / Leave a comment

For threat agents, reconnaissance (scouting) and gathering intelligence are vital. The aim is to get as much information about a potential target, as possible. With that information, they can exploit any weaknesses in a system or an individual, which will allow them to gain access to a system. One type of data that is often overlooked by victims and hackers alike is publicly available data. The collecting and analysis of data acquired from open sources (overt and publicly available sources) is known as open-source intelligence (OSINT). Some examples of OSINT are social media, forums, news, blogs, public data and reports, and other publicly available materials.

Red or blue, OSINT could effectively assist threat agents and researchers alike in discovering dark places that they may be unaware of. It allows them to create attack scenarios for red teams or hypotheses for threat hunting. Most cybersecurity initiatives, in my opinion, should include OSINT; a service that is often overlooked. A fantastic one-stop shop for the best OSINT content is compiled by @hatless1der and is available at the website: https://start.me/p/DPYPMz/the-ultimate-osint-collection.

Investigative tools/resources collection from Hatless1der OSINT collection.

Please remember to get in touch if you want to learn more about cyber security research and OSINT.

Cyber Threat Maps

January 27, 2022 / bugejajoseph / Leave a comment

A cyber threat map, sometimes known as a cyber attack map, is a live map of current computer security attacks. These maps allow one to observe attacks as they pass through countries and continents. The majority of the cyber threat maps resemble video games, with colorful light beams indicating attacks from one region of the world to another.

Cyber threat maps can be highly useful in examining past attacks in terms of locations, volumes, and patterns. They can also help someone who is just starting out in their studies to acquire a sense of what is involved in the intricate world of cybersecurity. Last week, I had my introductory lecture on cyber security at Malmö University. I used cyber threat maps in my lecture to help raise awareness of how prevalent cyber security attacks are.

Here are three of my favorite cyber threat maps (listed in no particular order):

• Check Point ThreatCloud Live Cyber Threat Map

• FireEye Cyber Threat Map

• Kaspersky Cyberthreat Real-Time Map

If you want to learn more about the topic of attack detection and how cyber threat maps work, you are welcome to get in touch.

The Internet of Things and Security

January 2, 2022December 27, 2021 / bugejajoseph / Leave a comment

The Internet of Things (IoT) is changing the way we live. The IoT is the idea of having devices that are connected to each other and can be controlled via the Internet. Cameras, refrigerators, alarm systems, televisions, and other electronic gadgets are examples of such devices. The IoT has contributed to giving people an improved quality of life.

But how can we put our trust in all of these IoT devices? How can we be sure they will not turn against us? How will we know whether or not the device we are utilizing is safe? All of these questions are key to unlocking growth in the IoT.

IoT devices can be both, physical and virtual in nature. They can have a variety of different functions, from being a simple remote control to being a complex system that monitors the environment, collects data, and sends it back for analysis.

Many people do not realize that their smart home devices may contain security vulnerabilities that hackers could exploit. Hackers can enter a smart home or even switch off the power by exploiting weaknesses in IoT devices such as connected door locks and lighting systems. For instance, over the course of one week, a study by the UK-based consumer group Which? discovered 2,435 malicious attempts to enter into devices with weak default usernames and passwords in a fake “smart home.”

Cybersecurity is a critical responsibility for organizations of all sizes, but manufacturers, in particular, must do more to ensure that IoT devices are secure from hackers and do not endanger consumer lives. Recently, in the UK, the Product Security and Telecommunications Infrastructure (PSTI) Bill was introduced subjecting stricter cybersecurity rules for manufacturers, importers, and distributors of IoT technologies. This new legislation intends to better protect consumers’ IoT devices from hackers, as well as help the IoT market get the trust it needs to reach its full potential.

If you would like to learn about IoT security and how to safeguard your IoT devices, please get in touch.

Lecture about IoT Security

September 28, 2021 / bugejajoseph / Leave a comment

On Tuesday, September 28th, I delivered an online lecture to Bachelor’s students at Lund University in Sweden. In the lecture I covered the topic of IoT security, especially in relation to consumer IoT systems.

One of the slides that I discussed in my lecture is shown below. Mirai malware is seen as a watershed moment in the threat landscape, demonstrating that IoT botnets can be deployed in distributed denial-of-service (DDoS) attacks and do substantial damage.

The equipment that was used to deliver the online lecture (September 2021).

Recognizing the significance of addressing IoT security, especially as more and more things become connected to the Internet, European Commission President Ursula von der Leyen unveiled a Cyber Resilience Act on September 15, 2021. This Act lays out a common European approach to cyber security by establishing common cybersecurity standards for connected devices.

If you have any queries about information security or would like to collaborate with me, please contact me.

Security Engineering and Machine Learning

June 25, 2021 / bugejajoseph / Leave a comment

This week I attended the 36th IFIP TC-11 International Information Security and Privacy Conference. The conference was organized by the Department of Informatics at the University of Oslo. During the first day of the conference, there was a keynote on Security Engineering by the celebrated security expert Prof. Dr. Ross Anderson.

He discussed the topic involving the interaction between security engineering and machine learning. He warned us about the things that can go wrong with machine learning systems, including some new attacks and defenses, such as the Taboo Trap, data ordering attacks, sponge attacks, and more.

Outline of Ross Anderson’s keynote (IFIP TC-11).

I especially enjoyed the part of his talk where he mentions the human to machine learning interaction. Coincidentally, this is a topic that I am researching. He discusses cases when robots incorporating machine learning components start mixing with humans, and then some tension and conflict, e.g., robots trying to deceive and bully humans, arises. This is a scenario that we should expect to see more in the future.

I highly recommend you to consider purchasing his brilliant book titled: “Security Engineering: A Guide to Building Dependable Distributed Systems”. This book is filled with actionable advice and latest research on how to design, implement, and test systems to withstand attacks. Certainly, this book has an extremely broad coverage of security in general and absolutely worth the purchase!

Sweden’s cyber range and cyber security

June 2, 2021 / bugejajoseph / Leave a comment

On Wednesday, 2nd June, I attended an interesting online program about cybersecurity. This program was organized by the Research Institutes of Sweden (RISE). Its main theme was about the inauguration of RISE’s cyber range and cyber security in Sweden.

A cyber range is a virtual environment that companies can use typically for cyber warfare training. Sweden’s own cyber range was introduced as a multipurpose state-of-the-art cybersecurity research environment, test, and a demo arena. Using RISE’s cyber range it appears that real-world applications, for example, vehicles and automotive systems, could be tested, in a safe environment, against real-world attacks. This is done using a sandboxed virtualised network environment that is managed and operated by professionals.

In addition to cyber range, there were other topics presented from a variety of compelling speakers. Particularly, topics about the Swedish bug bounty, cyber security at the EU level, and cyber security investment opportunities. One delivery (in Swedish) that I think was riveting was an interview with an (unnamed) ethical hacker.

Carl Heath (RISE) interview an ethical hacker.

Cyber security is a topic that is becoming increasingly important, especially as more systems are getting interconnected. Unfortunately, there is a shortage of skilled and qualified individuals to fill the increasing demands for cyber security professionals.

From an academic perspective, we have been for years, and especially in recent years, developing and running courses about cybersecurity. However, this year, in Sweden, we are developing something that specifically is meant to help advance cyber security research and competence. More on that in a later post.

Keeping Your Smart Home Secure

May 7, 2021May 7, 2021 / bugejajoseph / Leave a comment

Smart homes are increasingly being subjected to attacks. The motives for this range from pranking users, causing chaos, cyberstalking, and more nefarious purposes. In spite of that, there are various strategies that residents can use to keep their home secure from intruders. In my latest article, I identify and discuss five of these strategies.

Check out the full article (in Swedish) by clicking here.

A full transcript in English is available to any interested reader.

Joseph Bugeja

Security, Privacy, and Trust

cybersecurity