My FOSAD experience and Ph.D. security courses

December 8, 2021December 6, 2021 / bugejajoseph / Leave a comment

Going back to the summer of 2016, I had the opportunity to attend a summer school on information security. It was the International School on Foundations of Security Analysis and Design (FOSAD) held in the University Residential Center of Bertinoro, Italy. FOSAD is one of the best Ph.D. summer schools I have ever attended.

There were various outstanding and demanding presentations on a wide range of topics, including mathematical models, analysis tools, and Internet security, as well as formal verification of security protocol implementations, practical system security, and others. We also covered information security from a practical perspective as well.

Aside from education, we also enjoyed the Italian countryside, breathtaking views, exquisite food, and some local wine. I had the opportunity to meet and mingle with exceptional students from all around the world, as well as professors from renowned universities. This also helped me in the expansion of my academic network.

If you are a Ph.D. student or simply you want to delve deeper into the intricate world of information security, I recommend attending FOSAD, preferably in person. It is a challenging summer school, but it is one of the best schools I have ever attended.

Here is a group photo from that event.

FOSAD 2016 group photo (adapted from http://www.sti.uniurb.it)

More details about FOSAD can be found on their website: https://sites.google.com/uniurb.it/fosad

Finally, if you want to learn more about security-related Ph.D. courses organized in Sweden, I highly recommend that you visit the website: https://swits.hotell.kau.se/Courses/SWITS-PhD-courses-in-IT-security.htm

Also, please feel free to drop me an email or a tweet in case you want to know more about Ph.D. courses in general.

Security Engineering and Machine Learning

June 25, 2021 / bugejajoseph / Leave a comment

This week I attended the 36th IFIP TC-11 International Information Security and Privacy Conference. The conference was organized by the Department of Informatics at the University of Oslo. During the first day of the conference, there was a keynote on Security Engineering by the celebrated security expert Prof. Dr. Ross Anderson.

He discussed the topic involving the interaction between security engineering and machine learning. He warned us about the things that can go wrong with machine learning systems, including some new attacks and defenses, such as the Taboo Trap, data ordering attacks, sponge attacks, and more.

Outline of Ross Anderson’s keynote (IFIP TC-11).

I especially enjoyed the part of his talk where he mentions the human to machine learning interaction. Coincidentally, this is a topic that I am researching. He discusses cases when robots incorporating machine learning components start mixing with humans, and then some tension and conflict, e.g., robots trying to deceive and bully humans, arises. This is a scenario that we should expect to see more in the future.

I highly recommend you to consider purchasing his brilliant book titled: “Security Engineering: A Guide to Building Dependable Distributed Systems”. This book is filled with actionable advice and latest research on how to design, implement, and test systems to withstand attacks. Certainly, this book has an extremely broad coverage of security in general and absolutely worth the purchase!

Keeping Your Smart Home Secure

May 7, 2021May 7, 2021 / bugejajoseph / Leave a comment

Smart homes are increasingly being subjected to attacks. The motives for this range from pranking users, causing chaos, cyberstalking, and more nefarious purposes. In spite of that, there are various strategies that residents can use to keep their home secure from intruders. In my latest article, I identify and discuss five of these strategies.

Check out the full article (in Swedish) by clicking here.

A full transcript in English is available to any interested reader.

Some initiatives to help secure smart home devices

February 28, 2021 / bugejajoseph / Leave a comment

Smart home devices make people’s lives more efficient. However, implementing cyber security of smart home devices is just as important as the physical security of our homes. Below are three popular initiatives by governments to help secure consumer IoT, particularly smart home devices.

The Department for Digital, Culture, Media, and Sport (DCMS) published a Code of Practice titled “Code of Practice for Consumer IoT Security” to support all parties involved in the development, manufacturing, and retail of consumer IoT. Essentially DCMS guidelines are proposed to ensure that IoT products are secure-by-design and to make it easier for people to stay secure in a digital world.

The Federal Trade Commission (FTC) proposed in a detailed report on the IoT concrete steps that businesses can take to enhance and protect consumers’ privacy and security. Additionally, it introduced further guidance for companies to implement “reasonable security” in order to actively enhance and protect consumers’ IoT privacy and security.

The European Union Agency for Cybersecurity (ENISA) in their publication titled “Security and Resilience of Smart Home Environments” present examples of actions for users to perform in order to: choose a smart home device securely, operate a smart home device securely, and use online services for smart home securely. ENISA later introduced good practices guidelines for securing IoT products and services throughout their lifetime.

There are a number of measures and practices identified by the three bodies above that apply to different IoT stakeholders. The stakeholders can range from device manufacturers to service providers to mobile application developers, and more. One core recommendation that applies, especially to the device manufacturers, is that of having no default passwords. The recommendation of changing the device’s password, and potentially have a unique password for every device, is something that I emphasize.

In case you want to know more about how to secure your smart home or are simply curious about IoT security and privacy, you are welcome to get in touch.

Lecturing about security and blockchain in a Masters course

November 25, 2020November 25, 2020 / bugejajoseph / Leave a comment

On 24 November, I was invited to deliver a guest lecture to Masters students in Computer Science at Malmö University. The lecture’s main topic was IoT security and the application of blockchain as a security-enhancing technology. It was fun doing this 2-hour lecture over Zoom, and especially I was pleased to see some former students attending my lecture.

When introducing blockchain, I focused on a use-case where this technology is used for securing drone communication. In particular, I referenced the paper titled “Towards data assurance and resilience in IoT using blockchain” which uses some of the properties of blockchain for providing instant and permanent data integrity, trusted accountability, and a resilient backend for drones. Blockchain has several uses including also in smart homes (e.g., as discussed in the paper titled “Blockchain for IoT Security and Privacy: The Case Study of a Smart Home”) and in many other domains.

Recently, I also co-authored a paper with some of my colleagues where we explored the use of blockchain for countering adversarial attacks in incremental learning.

Online Lecture about IoT Security

October 4, 2020October 4, 2020 / bugejajoseph / Leave a comment

On 01 October, I was invited to deliver an online lecture about the topic of securing the Internet of Things (IoT) to Lund University Bachelors students. I have been researching security and privacy on a full-time time basis for the past five years and working on information security for well over a decade.

My lecture consisted of a two-hour presentation, where I focused on some key attacks targeting consumer and industrial IoT applications. Denial-of-service attacks, routing attacks, and service attacks of which we have been talking about for many years have become even more serious. For instance, think about Mirai, the botnet which broke out in 2016, and other malware targeting unsecured IoT devices such as webcams. This is partly happening due to the interconnectedness of the devices, but especially due to a lack of inbuilt security measures. In this regard, Vint Cerf, one of the computer scientists hailed as a founding father of the Internet, said in an ACM panel in 2017:

“The biggest worry I have is that people building [IoT] devices will grab a piece of open source software or operating system and just jam it into the device and send it out into the wild without giving adequate thought and effort to securing the system and providing convenient user access to those devices.”

Although plugging any device to the Internet is becoming the trend especially with the rise of the IoT, I believe that companies should put in more effort into securing their devices prior to releasing them to the consumer market. Unfortunately, it is still common to run simple attacks, such as SQL injections, on IoT devices, and finding them vulnerable to that.

That is a Wrap On Computing 2020

July 18, 2020 / bugejajoseph / Leave a comment

As a follow-up to my previous blog post, I can say that it was an honor to participate yesterday and on Thursday at the Computing Conference 2020. It was very well organized, professionally executed, and fun!

There was a wide range of presenters coming from different research areas covering computing, AI, security, IoT, and much more. It was also cool to have a Mindfulness and Yoga general session at the conference. This was something unique!

Here, is a screenshot of my presentation with feedback received. Also, I got private messages for collaboration work and I truly appreciate those!

My presentation with feedback received.

Once again thanks for the thumbs up and already looking forward to next year’s edition!

Talking about DoS Attacks at the Computing Conference

July 6, 2020 / bugejajoseph / Leave a comment

On Friday, 17 July 2020, I will be talking at the Computing Conference 2020. This conference going was going to be held in London but due to the COVID-19 pandemic, it is now going to be held fully online. I am especially excited to listen to the keynote of Vinton G. Cerf. He is widely known as a “father of the Internet”. Cerf is also the vice president and Chief Internet Evangelist for Google. During the conference, I will be talking about Denial of Service (DoS) attacks and how commercial devices are prone to severe forms of this attack.

DoS is a widely used attack vector by various malicious threat agents from hackers to nation-states. Its consequences range from a nuisance to loss of revenues to even loss of life. Think about for instance the effects of disabling medical devices such as pacemakers, drones and weapon systems, connected alarm systems, and so on. In the case of smart homes, DoS may be the first attack to remove a component from a network to exploit a vulnerability. In our study, we found devices manufactured by established commercial players prone especially to HTTP GET DoS attacks. This can result in the complete shutdown of the device, possibly remotely, by using a simple exploit with code available over the Internet.

DoS attacks targeting the smart connected home.

Take a look at the conference agenda and have a read of my conference paper. I will be uploading my presentation slides after the conference is held under my Presentations tab.

Feel free to drop me a message or get in touch if you want to know more about this topic or in case you are interested in information security.

Joseph Bugeja

Security, Privacy, and Trust

security