Abstract

The Internet of Things (IoT) paradigm refers to the network of physical objects or "things" embedded with electronics, software, sensors, and connectivity to enable objects to exchange data with servers, centralized systems, and/or other connected devices based on a variety of communication infrastructures. IoT makes it possible to sense and control objects creating opportunities for more direct integration between the physical world and computer-based systems. IoT will usher automation in a large number of application domains, ranging from manufacturing and energy management (e.g. SmartGrid), to healthcare management and urban life (e.g. SmartCity). However, because of its fine-grained, continuous and pervasive data acquisition and control capabilities, IoT raises concerns about the security and privacy of data. Deploying existing data security solutions to IoT is not straightforward because of device heterogeneity, highly dynamic and possibly unprotected environments, and large scale. In this talk, after outlining key challenges in data security and privacy, we present initial approaches to securing IoT data, including efficient and scalable encryption protocols, software protection techniques for small devices, and fine-grained data packet loss analysis for sensor networks.

Short Bio: Elisa Bertino is professor of computer science at Purdue University, and serves as Director of Purdue Cyber Center and Research Director of the Center for Information and Research in Information Assurance and Security (CERIAS). She is also an adjunct professor of Computer Science & Info Tech at RMIT. Prior to joining Purdue in 2004, she was a professor and department head at the Department of Computer Science and Communication of the University of Milan. She has been a visiting researcher at the IBM Research Laboratory (now Almaden) in San Jose, at the Microelectronics and Computer Technology Corporation, at Rutgers University, at Telcordia Technologies. Her recent research focuses on data security and privacy, digital identity management, policy systems, and security for drones and embedded systems. She is a Fellow of ACM and of IEEE. She received the IEEE Computer Society 2002 Technical Achievement Award, the IEEE Computer Society 2005 Kanai Award and the 2014 ACM SIGSAC outstanding contributions award. She is currently serving as EiC of IEEE Transactions on Dependable and Secure Computing.

Abstract

This talk focuses on the level of security offered by 2-key triple DES, an encryption technique that remains very widely used despite recently being de-standardised by NIST. Existing attacks, including the 1990 van Oorschot-Wiener attack, will be introduced; a recent generalisation and enhancement of this attack, which constitute the first advance in cryptanalysis of 2-key triple DES since 1990, will then be described; together these results imply that the widely used estimate that 2-key triple DES provides 80 bits of security can no longer be regarded as conservative; the widely stated assertion that the scheme is secure as long as the key is changed regularly is also challenged. The main conclusion is that, whilst not completely broken, the margin of safety for 2-key triple DES is slim, and efforts to replace it, at least with its 3-key variant, should be pursued with some urgency.

Short Bio: Prof Chris Mitchell BSc PhD (London) CITP CMath FBCS FIMA received his BSc (1975) and PhD (1979) degrees in Mathematics from Westfield College, University of London. Prior to his appointment in 1990 as Professor of Computer Science at Royal Holloway, he was a Project Manager in the Networks and Communications Laboratory of Hewlett-Packard Laboratories in Bristol, which he joined in 1985. Between 1979 and 1985 he was at Racal-Comsec Ltd (Salisbury, UK), latterly as Chief Mathematician. In 1990, soon after joining Royal Holloway, he co-founded the Information Security Group, and also played a leading role in launching the MSc in Information Security in 1992. His research interests mainly relate to information security and applications of cryptography. He has played an active role in a number of major international collaborative projects, covering a range of security topics including trusted computing, mobile security and security hardware. For around 25 years he has been convenor of Technical Panel 2 of BSI IST/33, dealing with security mechanisms and providing input to ISO/IEC JTC1/SC27, on which he has served as a UK Expert since 1992. He has edited over twenty international security standards and, in recognition of his contributions to international standards, in 2011 he received the prestigious IEC 1906 award. He has published around 250 research papers. He is co-editor-in-chief of Designs, Codes and Cryptography and editor of Section D (Security in Computer Systems and Networks) of The Computer Journal. He served as a member of Microsoft's Trustworthy Computing Academic Advisory Board throughout its existence (2003-2014), and he was a member of the DoCoMo Euro-Labs Advisory Board between 2005 and 2009. He continues to act as a consultant on a variety of topics in information security.

Abstract

RFID technologies have been widely used worldwide. However, the wide applications of RFID technologies also introduce serious security and privacy risks as the information stored in RFID tags can easily be retrieved by any malicious party with a compatible reader. In this talk we will introduce some security and privicy challenges in passive RFID technologies, and based on our research, we will outline a number of schemes for authentication, ownership transfer, secure search and grouping proof in passive mobile RFID systems. The talk will be based on our following recently published papers:

1. Saravanan Sundaresan, Robin Doss, Selwyn Piramuthu, and Wanlei Zhou, "Secure Tag Search in RFID Systems Using Mobile Readers", IEEE Transactions on Dependable and Secure Computing, Vol. 12, No. 2, pp. 230-242, March/April 2015.
2. Saravanan Sundaresan, Robin Doss, and Wanlei Zhou, "Zero Knowledge Grouping Proof Protocol for RFID EPC C1G2 Tags", IEEE Transactions on Computers, Volume:64, Issue: 10, pp. 2994-3008, October 2015.
3. Saravanan Sundaresan, Robin Doss, Selwyn Piramuthu, and Wanlei Zhou, "A Robust Grouping Proof Protocol for RFID EPC C1G2 Tags", IEEE Transactions on Information Forensics and Security, VOL. 9, NO. 6, pp 961-975, 2014.
4. R. Doss, S. Sundaresan and W. Zhou, "A Practical Quadratic Residues Based Scheme for Authentication and Privacy in Mobile RFID Systems", Ad Hoc Networks (Elsevier), Volume 11, Issue 1, January 2013, Pages 383-396.
5. R. Doss, W. Zhou, and S. Yu, "Secure RFID Tag Ownership Transfer based on Quadratic Residues", IEEE Transactions on Information Forensics and Security, VOL. 8, NO. 2, FEBRUARY 2013, pp. 390-401.

Short Bio: Professor Wanlei Zhou received the B.Eng and M.Eng degrees from Harbin Institute of Technology, Harbin, China in 1982 and 1984, respectively, and the PhD degree from The Australian National University, Canberra, Australia, in 1991, all in Computer Science and Engineering. He also received a DSc degree (a higher Doctorate degree) from Deakin University in 2002. He is currently the Alfred Deakin Professor (the highest honour the University can bestow on a member of academic staff), Chair of Information Technology, and Associate Dean (International Research Engagement) of Faculty of Science, Engineering and Built Environment, Deakin University. Professor Zhou has been the Head of School of Information Technology twice (Jan 2002-Apr 2006 and Jan 2009-Jan 2015) and Associate Dean of Faculty of Science and Technology in Deakin University (May 2006-Dec 2008). Before joining Deakin University, Professor Zhou served as a lecturer in University of Electronic Science and Technology of China, a system programmer in HP at Massachusetts, USA; a lecturer in Monash University, Melbourne, Australia; and a lecturer in National University of Singapore, Singapore. His research interests include distributed systems, network security, bioinformatics, and e-learning. Professor Zhou has published more than 300 papers in refereed international journals and refereed international conferences proceedings. He has also chaired many international conferences. Prof Zhou is a Senior Member of the IEEE.

Abstract

Charging threats are often ignored by the literature. In this talk, I introduce a new type of charging attack (called juice filming attack) based on a standard USB connector and HDMI, which can steal users' secrets through automatically video-capturing their inputs (e.g., unlock patterns, PIN code). The attack efficiency relies on the observations that users are not aware of any risk when charging their phones in public places and that most users would interact with their phone during the charging. Different from other malware and attacks, our designed juice filming attacks possess six major features: 1) be simple but quite efficient; 2) user unawareness; 3) does not need to install any apps on phone's side; 4) does not need to ask for any permissions; 5) cannot be detected by any current anti-malware software; 6) can be scalable and effective in both Android OS and iOS. To implement this attack, my work employs a VGA/RGB frame grabber and further conducts several user studies to explore the feasibility and effectiveness of such attack. Based on the understanding, additional mechanisms should be deployed to protect our mobile devices. I later introduce one potential solution: TMGuard, a touch movement security mechanism to enhance the security of Android unlock patterns, through combining it with behavioral biometrics.

Short Bio: Weizhi Meng received his B.Eng. degree in Computer Science from the Nanjing University of Posts and Telecommunications and obtained his Ph.D. degree in Computer Science from the City University of Hong Kong. He is currently a Research Scientist in Infocomm Security (ICS) Department, Institute for Infocomm Research, Singapore. His primary research interests are cyber security and intelligent technology in security including intrusion detection, mobile security and authentication, HCI security, trust computation, malware and vulnerability analysis. He also shows a strong interest in applied cryptography. He won the Outstanding Academic Performance Award during his doctoral study, and was a recipient of The HKIE Outstanding Paper Award for Young Engineers/Researchers in 2014.

Abstract

The emergence of Internet of Things (IoT) will see a large number of lightweight devices (referred to as things) connected over the Internet. Gartner estimated that 20.8 billion things will be connected by 2020. The things are usually deployed to monitor a physical environment and transmit the collected data to a backend server to store and analyse. A large number of applications are emerging in this area ranging from smart health, smart cities to smart grids. When things communicate with servers, it is critical to guarantee the authenticity of things and servers as their communication is over the open Internet.

The conventional way of authenticating Internet devices uses public-key encryption schemes, such as RSA (Rivest-Shamir- Adleman) and ECC (Elliptic curve cryptography). However, these schemes are too costly for lightweight IoT devices because they consume too much computation and memory resources. In this talk, we present a survey of the state-of- the art lightweight authentication protocols and a new lightweight public-key encryption we have developed. Based on this scheme, a corresponding mutual authentication protocol between two IoT devices, called CSIRO Light Weight Authentication Protocol (CLAP), is developed. This talk briefly discusses the CLAP and its features.

Short Bio: Dr Surya Nepal is a Principal Research Scientist at CSIRO Data61. He currently leads a distributed systems security team. His main research interest is in the development and implementation of technologies in the area of distributed systems and social networks, with a specific focus on security, privacy and trust. He obtained his BE from National Institute of Technology (NIT) Surat, India; ME from Asian Institute of Technology (AIT), Thailand; and PhD from RMIT University, Australia. He has more than 150 peer-reviewed publications to his credit; his papers are published in international journals such as IEEE Trans. Parallel and Distributed Systems, IEEE Trans. on Service Computing, ACM Trans. on Internet Technologies, and IEEE Trans. on Computers. He has co-edited three books including security, privacy and trust in cloud systems by Springer.

Abstract

Ransomware is a relatively new business model being used by cybercriminals and it is still evolving. It changes the way that cybercriminals do their business; in particular on how they execute their Ransomware outbreaks. There has been an ongoing series of Ransomware outbreaks In Australia since mid 2014; these campaigns are specifically tailored for Australian victims. We do an in depth case study of these outbreaks, and ee look at how the changes in the business model affect the execution. In particular, these changes to the business model allow these campaigns to use many evasion techniques to avoid detection by security researchers, including:

• anticrawling techniques to stop sandboxes and web reputation systems,
• techniques to avoid identification by spam filters,
• the use of many compromised webservers (sometimes hundreds each day) that redirects web traffic to the malicious sites, and
• antimalware techniques to ensure that at the start of each outbreak the malware is not detected.

Overall, the effect of these evasion techniques makes these attacks very effective since it makes research on these cyber threats difficult. This session will discuss the implications of these changes.

Short Bio: Jonathan Oliver works at Trend Micro most recently focusing on data analytics methods for identifying Ransomware outbreaks such as TorrentLocker and CryptoWall. Previous work has included machine learning and big data for the identification of BlackHole Exploit kit spam runs, and creating the antispam pattern. Prior to joining Trend Micro, Dr Oliver served as Chief Spam Fighter and Director of Research at Mailfrontier; and as a data mining consultant in the Silicon Valley for organisations such as NASA and the FAA. Jonathan Oliver holds a doctorate in information theoretic approaches to machine learning from Monash University, Melbourne. He holds more than 50 patents for technological designs.