That is a Wrap On Computing 2020

As a follow-up to my previous blog post, I can say that it was an honor to participate yesterday and on Thursday at the Computing Conference 2020.  It was very well organized, professionally executed, and fun!

There was a wide range of presenters coming from different research areas covering computing, AI, security, IoT, and much more. It was also cool to have a Mindfulness and Yoga general session at the conference. This was something unique!

Here is a screenshot of my presentation with feedback received. Also, I got private messages for collaboration work and I truly appreciate those!

My presentation with feedback received.

Once again thanks for the thumbs up and already looking forward to next year’s edition!

Talking about DoS Attacks at the Computing Conference

On Friday, 17 July 2020, I will be talking at the Computing Conference 2020. This conference was going to be held in London, but due to the COVID-19 pandemic it is now going to be held fully online. I am especially excited to listen to the keynote of Vinton G. Cerf. He is widely known as a “father of the Internet”. Cerf is also the vice president and Chief Internet Evangelist for Google. During the conference, I will be talking about Denial of Service (DoS) attacks and how commercial devices are prone to severe forms of this attack.

DoS is a widely used attack vector by various malicious threat agents, from hackers to nation-states. Its consequences range from a nuisance to loss of revenues to even loss of life. Think, for instance, about the effects of disabling medical devices such as pacemakers, drones and weapon systems, connected alarm systems, and so on. In the case of smart homes, DoS may be the first attack to remove a component from a network to exploit a vulnerability. In our study, we found devices manufactured by established commercial players especially prone to HTTP GET DoS attacks. This can result in the complete shutdown of the device, possibly remotely, by using a simple exploit with code available over the Internet.

DoS attacks targeting the smart connected home.

Take a look at the conference agenda and have a read of my conference paper. I will be uploading my presentation slides after the conference is held under my Presentations tab.

Feel free to drop me a message or get in touch if you want to know more about this topic or in case you are interested in information security.

Using Mindmaps to Organize My Writing

Mind maps are a great visual tool, especially when working with a long manuscript, but also when you want to organize concepts and brainstorm ideas.

You can draw mind maps by hand, but personally, I prefer to use software tools for this. A tool that I find particularly effective is XMind. I have used the free version of this software to lay out the structure of my thesis. Once you know the shortcut keys, you can lay out a structure in minutes and then refine it accordingly.

Take a look at the main structure of my licentiate hereunder and an expansion of it in the second diagram.

Mind map showing the main structure of my licentiate thesis.

Expanding the nodes of the mind map to show some of the concepts I have used for Part 1 and Part 2 of my thesis.

At the moment, I am also working on an idea for my journal article, and have already created a structure for that as a mind map. After I get the structure ready and approved by my coauthors, I can start working on the actual text. I would already know how the pieces would connect together in a cohesive structure and flow well if I follow the mind map in my writing.

Certainly, if you need help on how to create mind maps for your manuscript, course, talk, or for whatever reason you may have, feel free to get in touch.

Interesting Book Showed Up In My Mailbox

Today, I am happy to have received a hardcopy of the book – Privacy and Identity Management. Data for Better Living: AI and Privacy. There is a chapter in this book, which I have authored together with my academic advisor titled: “On the Design of a Privacy-Centered Data Lifecycle for Smart Living Spaces.” In that article, I have identified how the software development process can be enhanced to manage privacy threats, amongst other things.

Hardcopy of the book “Privacy and Identity Management. Data for Better Living: AI and Privacy”

All the articles included in the book are certainly worth a read, covering various aspects of privacy from technical, compliance, and legal perspectives.

The Current State of IoT Security and a Glimpse Into The Future

On Tuesday 10th March, I was invited to give a guest lecture about IoT security at Blekinge Tekniska Högskola (BTH) in Karlskrona, Sweden. Karlskrona is approximately 3 hours away from Malmö.

During my lecture, I gave realistic examples of attacks that targeted IoT systems. For instance, attacks targeting consumer drones, electric cars, and IP cameras. I also discussed the technical, procedural, and human challenges involved in securing IoT and some safeguards.

Blekinge Tekniska Högskola.

In the future, I will work to automate IoT security.  Similar to smart devices acting autonomously to perceive and act on their environment, IoT security should evolve towards greater autonomy in detecting threats and reacting to attacks. This evolution relates to the autoimmunity of smart devices allowing for the prevention and containment of attacks in hostile environments.

You can access a condensed version of my lecture here.

 

Lecturing about IoT Security at Lund University

On Thursday, 03 October 2019, I was cordially invited as an external guest lecturer to deliver a 2-hour lecture to undergraduate students at Lund University. Lund University is a prestigious university in Sweden and one of northern Europe’s oldest universities.

In my presentation, I covered some of the notable IoT security threats, attacks, and countermeasures. I emphasized the difficulties of implementing traditional security measures and strategies, such as standard asymmetric encryption algorithms, end-to-end security, and scheduled patching. This is especially due to the heterogeneous nature of devices, various resource and energy constraints, and the dynamic nature of the environment. The characteristics of an IoT environment further bring in a different set of security threats, including those that can cause permanent physical damage to a system. In the second and final part of my lecture, I talked about the persons behind the attacks, their skills, their motives, and how challenging it is to defend against certain classes of malicious threat agents.

Entrance to the Informatics department at Lund University.

You can download my presentation from the adjacent link: IoT Security at Lund University.

Presenting at the Science Day in Angelholm

This Wednesday, 25 September 2019, I was invited to deliver a lecture at the science day (Vetenskapsdagen) in the Gymnasieskolan in Ängelholm. Ängelholm is a tranquil locality in Skåne, in the south of Sweden, about an hour away by train from Malmö.

I have to say that it was a very rewarding experience for me. It was so nice to see young students, aged between 16 and 18 years old, getting interested in the topic of information security and my journey into that. This reminded me so much of myself at that time and how curious about science and experimentation I was.

Entrance to the Gymnasieskolan in Ängelholm

Back then, when I was the age of these students, I was inspired by the famous Kevin Mitnick, a hacker (probably the most famous one in the 90s) now turned computer security consultant, and intrigued by The Mentor’s “The Hacker Manifesto”. I still remember getting hold of articles on computer security through a dial-up modem working at a peak rate of 56 kbit/s.

Download my presentation: InfoSec: Agents, Attacks, and Tools.

My Presentation at FHNW

This week, between August 19-23 2019, I was in Switzerland attending the International Federation for Information Processing (IFIP) Summer School at the University of Applied Sciences Northwestern Switzerland (FHNW) in Brugg/Windisch. Attending this school is of great benefit for strengthening your network of professional and academic contacts, especially for those working on Information Privacy. Topics covered in the jam-packed schedule included: the ethics of Artificial Intelligence, sensors and biometrics, privacy by design (PbD), identity management, users and usability, and more.

On Tuesday 20, I presented my paper there, titled “On the Design of a Privacy-Preserving Data Lifecycle for Smart Living Spaces”, in the “Privacy by Design” track. I had a 30-minute presentation slot, followed by a 10-minute critical review from two pre-assigned paper discussants, including questions from the attendees. I have to say that I have received very positive and constructive feedback. Hereunder is a photo of myself presenting some of the related work in PbD, threat analysis, and threat modeling.

Explaining the related research work before positioning my contribution.

Overall, I can say that there were some fantastic keynotes and excellent presentations from diverse PhD students. Especially, I liked the keynote “Privacy as Innovation opportunity” by Marc van Lieshout from Radboud University. In particular, I enjoyed his mentioning of Alan Westin’s privacy dimensions: reserve, intimacy, anonymity, and solitude; and how these are to different extents being hampered by privacy-evasive technologies, affecting the physical, individual, collective, and virtual dimensions of human beings. At the same time, I like his take on the increasing market of privacy, in particular with privacy service features such as activity monitoring, assessment manager, data mapping, etc.

My advice: if you are a doctoral student or interested in learning information privacy from a computer science or informatics standpoint, I highly recommend that you attend the IFIP school at some point. Typically, there are ECTS credits for this course (possibly 1.5 HP – 3 HP) if you attend and/or present your paper. In the meantime, check out my presentation (redacted version). The full version will be uploaded after the paper gets published.

Common Attacks in the IoT

In general, an IoT architecture is composed of three layers: physical layer, network layer, and services layer. The physical layer (also called perception layer) consists of hardware, namely, sensors, actuators, RFID, etc., that collect data from individuals and their environment. The network layer (also called transport layer) facilitates the interchange and processing of data between the physical and services layers. Examples of technologies used here are: 4G/5G, Wi-Fi, Bluetooth, etc. The services layer (also called application layer) is responsible for processing the received information from the network layer and issuing instructions to be implemented by the equipment in the physical layer. Hereunder, I identify some of the common attacks occurring at the different IoT architecture layers:

Attacks at the Physical Layer

  • Denial-of-service: Packets are sent along the routing path to the base station causing network disruption and battery exhaustion of the node.
  • False node: Addition of a node to the network which sends malicious data, thereby affecting the availability of a system.
  • Integrity: Injection of false sensor measurements and control inputs causing system disruption.
  • Node capture: Information leakage caused by taking control over a node that could contain sensitive data such as encryption keys.
  • Node outage: Node services are stopped, making it rather difficult to extract information from them.

Attacks at the Network Layer

  • Jamming: The wireless channel between the sensor nodes and the remote base station becomes obstructed through a signal with the same frequency.
  • Selective Forwarding: A compromised node is introduced to drop and discard packets and forward selected packets.
  • Sinkhole: The attacking node offers the best routing path for the devices in the network, resulting in congestion (amongst other issues) in the IoT environment.
  • Sybil: An attacker can manipulate false identities or misuse pseudo identities to compromise the efficiency of the IoT and even spread spam.
  • Wormhole: Creation of information holes in the network by the announcement of false paths through which all the packets are routed.

Attacks at the Services Layer

  • Buffer Overflow: Vulnerable features in the software lead to buffer overflow vulnerabilities (where a program, while writing data to a buffer, overwrites adjacent memory locations), which attackers exploit to launch attacks.
  • Malicious Code: Services are attacked via malware, worms, viruses, adware, and spyware. These can degrade performance or collapse client devices.
  • Phishing: This attack aims to capture an individual’s personal information, where an attacker appears as a legitimate user in the network and gains knowledge of sensitive information regarding an individual.

In this article, I listed some of the more common security attacks affecting IoT-based systems. The reality is that there can be more attacks (e.g., man-in-the-middle attacks), and the architecture can be further decomposed into additional layers (e.g., physical layer, data link layer, network layer, transport layer, and application layer).

Given that there is no dictionary, glossary, or list of some kind that acts as a reference identifying the different IoT security and privacy attacks, I will be working to put one together myself. I believe that this will be somewhat useful for both researchers and industry, e.g., as a way to measure the strength of their product or as a tool to assess risks in an IoT-based system.

Stay tuned, as I will soon have such a list available under the “Projects” section. In the meantime, as always, if you want to learn more about IoT attacks, cybersecurity threats, risks, etc., get in touch, and I would be willing to help.

Smart home datasets and a realtime Internet-connected home

When designing an algorithm, or as a means to justify an approach you have pursued in your research, you need empirical data at some point. In the case of the IoT, more specifically when it comes to smart homes, there is a lack of open-source datasets available for public access, and unfortunately some of them disappear (from the Internet) after being active for a couple of months. My preferred collection of smart home datasets is developed and curated by Washington State University. In particular, I am referring to the Centre for Advanced Studies in Adaptive Systems (CASAS) smart home project.
 
CASAS is a multi-disciplinary research project focused on creating an intelligent home environment by using IoT technologies such as sensors and actuators. In its recent research, this same team has developed the “smart home in a box”, which is a lightweight smart home design that has been installed in 32 homes to capture the participants’ interactions.
 
The link to access CASAS datasets is: http://casas.wsu.edu/datasets/. Datasets included consist mainly of ADL activity data of single/two/multi-resident apartments. Some of the datasets are fully annotated with some of them going back to 2007 (and still running) and spanning different countries from Europe to Asia.
 
Some other useful datasets, highly cited in scholarly publications, that are also featured on CASAS’ website are:
 
In case you are not satisfied with the datasets identified here, you can also consider two generic sites, working similarly to a search engine, but for datasets. I am referring specifically to: DataHub and Google datasets.
 

An Internet-connected home in the Netherlands.

Now, if you want to take a peek at a cool smart home setup in the Netherlands displaying its captured and processed data in realtime on the Internet, take a look at https://www.bwired.nl/index.asp
 
If you need any information about smart homes or related just get in touch 🙂