CS4FN Advent – Day 18: cracker or hacker? Cyber security

It’s Day 18 of the CS4FN Christmas Computing Advent Calendar and also the last day for 2nd class Christmas post to reach people in the UK, but you’ve got until Tuesday the 21st for first class post.

We’ve been posting a computing-themed article linked to the picture on the ‘front’ of the advent calendar for the last 17 days and today is no exception. The picture is of a Christmas cracker so today’s theme is going to be computer hacking and cracking – all about Cyber Security.

If you’ve missed any of our previous posts, please scroll to the end of this one where we have a full list.

A cracker, ready to pop

 

The terms ‘cracker’ and ‘hacker’ are often used interchangeably to refer to people who break into computers though generally the word hacker also has a friendlier meaning – someone who uses their skills to find a workaround or a solution (e.g. ‘a clever hack’) whereas a cracker is probably someone who shouldn’t be in your system and is up to no good. Both people can use very similar skills though – one is using them to benefit others, the other to benefit themselves.

We have an entire issue of the CS4FN magazine all about Cyber Security – it’s issue 24 and is called ‘Keep Out’ but we’ll let you in to read it. All you have to do is click on this very secret link, then click on the magazine’s front cover to download the PDF. But don’t tell anyone else…

Both the articles below were originally published in the magazine as well as on the CS4FN website.

 

Piracy on the open Wi-fi

by Jane Waite, Queen Mary University of London. This article was originally published on the CS4FN website.

You arrive in your holiday hotel and ask about Wi-Fi. Time to finish off your online game, connect with friends, listen to music, kick back and do whatever is your online thing. Excellent! The hotel Wi-Fi is free and better still you don’t even need one of those huge long codes to access it. Great news, or is it?

Pirate flag and wifi picture adapted from an image by OpenClipart-Vectors from Pixabay

You always have to be very cautious around public Wi-Fi whether in hotels or cafes. One common attack is for the bad guys to set up a fake Wi-Fi with a name very similar to the real one. If you connect to it without realising, then everything you do online passes through their computer, including all those user IDs and passwords you send out to services you connect to. Even if the passwords they see are encrypted, they can crack them offline at their leisure.

Things just got more serious. A group has created a way to take over hotel Wi-Fi. In July 2017, the FireEye security team found a nasty bit of code, malware, linked to an email received by a series of hotels. The malware was called GAMEFISH. But this was no game and it certainly had a bad, in fact dangerous, smell! It was a ‘spear phishing’ attack on the hotel’s employees. This is an attack where fake emails try to get you to go to a malware site (phishing), but where the emails appear to be from someone you know and trust.

Once in the hotel network, so inside the security perimeter, the code searched for the machines running the hotel’s Wi-Fi and took them over. Once there they sat and watched, sniffing out passwords from the Wi-Fi traffic: what’s called a man-in-the-middle attack.

The report linked the malware to a very serious team of Russian hackers, called FancyBear (or APT28), who have been associated with high profile attacks on governments across the world. GAMEFISH used a software tool (an ‘exploit’) called EternalBlue, along with some code that compiled their Python scripts locally, to spread the attack. Would you believe, EternalBlue is thought to have been created by the US Government’s National Security Agency (NSA), but leaked by a hacker group! EternalBlue was used in the WannaCry ransomware too. This may all start to sound rather like a farfetched thriller but it is not. This is real! So think before you click to join an unsecured public Wi-Fi.

 

 

Just between the two of us: mentalism and covert channels

by Peter W McOwan, Queen Mary University of London. This article was originally published on the CS4FN website.

Secret information should stay secret. Beware ‘covert channels’ though. They are a form of attack where an illegitimate way of transferring information is set up. Stopping information leaking is a bit like stopping water leaking – even the smallest hole can be exploited. Magicians have been using covert channels for centuries, doing mentalism acts that wow audiences with their ‘telepathic’ powers.

Illusionist image by Andrei Cássia from Pixabay

The secret codes of Mentalism

In the 1950s Australian couple Sydney and Lesley Piddington took the entertainment world by storm. They had the nation perplexed, puzzled and entertained. They were seemingly able to communicate telepathically over great distances. It all started in World War 2 when Sydney was a prisoner of war. To keep up morale, he devised a mentalism act where he ‘read the minds’ of other soldiers. When he later married Lesley they perfected the act and became an overnight sensation, attracting BBC radio audiences of 20 million. They communicated random words and objects selected by the audience, even when Lesley was in a circling aeroplane or Sydney was in a diving bell in a swimming pool. To this day their secret remains unknown, though many have tried to work it out. Perhaps they used a hidden transmitter. After all that was fairly new technology then. Or perhaps they were using their own version of an old mentalism trick: a code to transmit information hidden in plain sight.

Sounds mysterious

Sydney had a severe stutter, and some suggested it was the pauses he made in words rather than the words themselves that conveyed the information. Using timing and silence to code information seems rather odd, but it can be used to great effect.

In the phone trick ‘Call the wizard’, for example, a member of the audience chooses any card from a pack. You then phone your accomplice. When they answer you say “I have a call for the wizard”. Your friend names the card suits: “Clubs … spades … diamonds … hearts”. When they reach the suit of the chosen card you say: “Thanks”.

Your phone friend now knows the suit and starts counting out the values, Ace to King. When they reach the chosen card value you say: “Let me pass you over”. Your accomplice now knows both suit and value so dramatically reveals the card to the person you pass the phone to.

This trick requires a shared understanding of the code words and the silence between them. When combined with the background count, information is passed. The silence is the code.

Timing can similarly be used by a program to communicate covertly out of a secure network. Information might be communicated by the time a message is sent rather than its contents, for example.
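To see why timing channels are hard to catch, here is the ‘Call the wizard’ trick written out as a short program. It is an added example, not part of the original article; the one-word-per-second pace and the function names are assumptions made for the illustration.

```python
# Added illustration of the 'Call the wizard' trick as a timing channel.
# The pace and all function names are assumptions, not from the article.

SUITS = ["Clubs", "Spades", "Diamonds", "Hearts"]   # order recited in the trick
VALUES = ["Ace", "2", "3", "4", "5", "6", "7", "8", "9", "10",
          "Jack", "Queen", "King"]                   # counted Ace to King

PACE = 1.0  # seconds between the accomplice's words (constructed value)


def caller_side(suit, value):
    """Return what the caller says as (time_in_seconds, phrase) pairs.

    The phrases are identical for every card. Only the moments at which
    the second and third phrases are spoken depend on the secret card.
    """
    t_thanks = (SUITS.index(suit) + 1) * PACE
    t_pass = t_thanks + (VALUES.index(value) + 1) * PACE
    return [(0.0, "I have a call for the wizard"),
            (t_thanks, "Thanks"),
            (t_pass, "Let me pass you over")]


def accomplice_side(utterances):
    """Recover the card from WHEN the caller spoke, ignoring the words."""
    times = [t for t, _ in utterances]
    suits_recited = round((times[1] - times[0]) / PACE)
    values_recited = round((times[2] - times[1]) / PACE)
    return SUITS[suits_recited - 1], VALUES[values_recited - 1]


def words_only(utterances):
    """What a listener who checks the words but not the clock would see."""
    return tuple(phrase for _, phrase in utterances)


def demo():
    """Run the trick for all 52 cards.

    Returns (number of distinct word-only transcripts, all cards decoded?).
    """
    cards = [(s, v) for s in SUITS for v in VALUES]
    transcripts = {words_only(caller_side(s, v)) for s, v in cards}
    decoded = [accomplice_side(caller_side(s, v)) for s, v in cards]
    return len(transcripts), decoded == cards


if __name__ == "__main__":
    print(demo())
```

All 52 cards produce exactly the same spoken words from the caller, so anyone checking only what is said learns nothing, while the accomplice recovers every card from the timing alone.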

Codes on the table

Covert channels can be hidden in the existence and placement of things too. Here’s another trick.

The receiving performer leaves the room. A card is chosen from a pack by a volunteer. When the receiver arrives back they are instantly able to tell the audience the name of the card. The secret is in the table. Once the card has been selected, pack and box are replaced on the table. The agreed code might be:

If the box is face up and its flap is closed: Clubs.
If the box is face up and its flap is open: Spades.
If the box is face down and its flap is closed: Diamonds.
If the box is face down and its flap is open: Hearts.

That’s the suits taken care of. Now for the value. The performers agree in advance how to mentally chop up the card table into zones: top, middle and bottom of the table, and far right, right, left and far left. That’s 3 x 4 unique locations. 12 places for 12 values. The pack of cards is placed in the correct pre-agreed position, box face up or not, flap open or closed as needed. What about the 13th possibility? Have the audience member hold their hand out flat and leave the cards on it for them to ‘concentrate’ on.

Again a similar idea can be used as a covert channel to subvert a security system: information might be passed based on whether a particular file exists or not, say.
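The table code above can be written as a small encoder and decoder, which also lets us measure how much information the channel carries. This is an added example, not part of the original article; the article does not say which value goes in which zone, so the row-by-row order and the choice of King for the ‘hand’ case are assumptions.

```python
# Added illustration of the card-box table code as a storage covert channel.
# Zone order and the King-on-the-hand choice are assumptions.
import math

# (box_face_up, flap_open) -> suit, exactly as listed in the article.
SUIT_CODE = {
    (True, False): "Clubs",
    (True, True): "Spades",
    (False, False): "Diamonds",
    (False, True): "Hearts",
}
VALUES = ["Ace", "2", "3", "4", "5", "6", "7", "8", "9", "10",
          "Jack", "Queen", "King"]

ROWS = ["top", "middle", "bottom"]
COLS = ["far left", "left", "right", "far right"]
# 3 x 4 = 12 table zones, plus the volunteer's hand as the 13th place.
PLACES = [(row, col) for row in ROWS for col in COLS] + ["hand"]


def encode(suit, value):
    """Sender: turn a card into a scene (face_up, flap_open, place)."""
    face_up, flap_open = next(k for k, s in SUIT_CODE.items() if s == suit)
    return (face_up, flap_open, PLACES[VALUES.index(value)])


def decode(scene):
    """Receiver: read the card back from what is lying on the table."""
    face_up, flap_open, place = scene
    return SUIT_CODE[(face_up, flap_open)], VALUES[PLACES.index(place)]


def all_cards_distinct():
    """Check every card gets its own scene and decodes back to itself."""
    cards = [(s, v) for s in SUIT_CODE.values() for v in VALUES]
    scenes = [encode(s, v) for s, v in cards]
    return len(set(scenes)) == 52 and [decode(sc) for sc in scenes] == cards


def capacity_bits():
    """Bits carried by one glance at the table: log2 of the scene count."""
    return math.log2(len(SUIT_CODE) * len(PLACES))


if __name__ == "__main__":
    print(encode("Hearts", "King"))      # box face down, flap open, on the hand
    print(all_cards_distinct(), round(capacity_bits(), 2))
```

The box alone carries two yes/no facts (face up or not, flap open or not), which is two bits, the same amount as two files that either exist or do not.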

Making it up as you go along

These are just a couple of examples of the clever ideas mentalists have used to amaze and entertain audiences with feats of seemingly superhuman powers. Our cs4fn mentalism portal has more. Some claim they have the powers for real, but with two dedicated performers and a lot of cunning memory work, it’s often hard to decipher performers’ methods. Covert channels can be similarly hard to spot.

Perhaps the Piddingtons’ secret was actually a whole range of different methods. Just before she died Lesley Piddington is said to have told her son, “Even if I wanted to tell you how it was done, I don’t think I would be able”. However it was done, they were using some form of covert channel to cement their place in magic history. As Sydney said at the end of each show “You be the judge”.

 

Answers to yesterday’s bumper puzzle compendium

CS4FN Christmas Computing Advent Calendar – Answers

 

Previous Advent Calendar posts

CS4FN Advent – Day 1 – Woolly jumpers, knitting and coding (1 December 2021)

 

CS4FN Advent – Day 2 – Pairs: mittens, gloves, pair programming, magic tricks (2 December 2021)

 

CS4FN Advent – Day 3 – woolly hat: warming versus cooling (3 December 2021)

 

CS4FN Advent – Day 4 – Ice skate: detecting neutrinos at the South Pole, figure-skating motion capture, Frozen and a puzzle (4 December 2021)

 

CS4FN Advent – Day 5 – snowman: analog hydraulic computers (aka water computers), digital compression, and a puzzle (5 December 2021)

 

CS4FN Advent – Day 6 – patterned bauble: tracing patterns in computing – printed circuit boards, spotting links and a puzzle for tourists (6 December 2021)

 

CS4FN Advent – Day 7 – Computing for the birds: dawn chorus, birds as data carriers and a Google April Fool (plus a puzzle!) (7 December 2021)

 

CS4FN Advent – Day 8: gifts, and wrapping – Tim Berners-Lee, black boxes and another computing puzzle (8 December 2021)

 

CS4FN Advent – Day 9: gingerbread man – computing and ‘food’ (cookies, spam!), and a puzzle (9 December 2021)

 

CS4FN Advent – Day 10: Holly, Ivy and Alexa – chatbots and the useful skill of file management. Plus win at noughts and crosses – (10 December 2021)

 

CS4FN Advent – Day 11: the proof of the pudding… mathematical proof (11 December 2021)

 

CS4FN Advent – Day 12: Computer Memory – Molecules and Memristors – (12 December 2021)

 

CS4FN Advent – Day 13: snowflakes – six-sided symmetry, hexahexaflexagons and finite state machines in computing (13 December 2021)

 

CS4FN Advent – Day 14 – Why is your internet so slow + a festive kriss-kross puzzle (14 December 2021)

 

CS4FN Advent – Day 15 – a candle: optical fibre, optical illusions (15 December 2021)

 

CS4FN Advent – Day 16: candy cane or walking aid: designing for everyone, human computer interaction (16 December 2021)

 

CS4FN Advent – Day 17: reindeer and pocket switching (17 December 2021)

 

 

CS4FN Advent – Day 18: cracker or hacker? Cyber security (18 December 2021) – this post

 

 

 

Machines Inventing Musical Instruments

by Paul Curzon, Queen Mary University of London

based on a 2016 talk by Rebecca Fiebrink

Gesturing hands copyright www.istock.com 1876387

Machine Learning is the technology driving driverless cars, recognising faces in your photo collection and more, but how could it help machines invent new instruments? Rebecca Fiebrink of Goldsmiths, University of London is finding out.

Rebecca is helping composers and instrument builders to design new musical instruments and giving them new ways to perform. Her work has also shown that machine learning provides an alternative to programming as a way to quickly turn design ideas into prototypes that can be tested.

Suppose you want to create a new drum machine-based musical instrument that is controlled by the wave of a hand: perhaps a fist means one beat, whereas waggling your fingers brings in a different beat. To program a prototype of your idea, you would need to write code that could recognize all the different hand gestures, perhaps based on a video feed. You would then have some kind of decision code that chose the appropriate beat. The second part is not too hard, perhaps, but writing code to recognize specific gestures in video is a lot harder, needing sophisticated programming skills. Rebecca wants even young children to be able to do it!

How can machine learning help? Rebecca has developed a machine learning program with a difference. It takes sensor input – sound, video, in fact just about any kind of sensor you can imagine. It then watches, listens…senses what is happening and learns to associate what it senses with different actions it should take. With the drum machine example, you would first select one of the kinds of beats. You then make the gesture that should trigger it: a fist perhaps. You do that a few times so it can learn what a fist looks like. It learns that the patterns it is sensing are to be linked with the beat you selected. Then you select the next beat and show it the next gesture – waggling your fingers – until it has seen enough examples. You keep doing this with each different gesture you want to control the instrument. In just a few minutes you have a working machine to try. It is learning by example how the instrument you are wanting works. You can try it, and then adjust it by showing it new examples if it doesn’t quite do what you want.


Rebecca realised that this approach of learning by example gives a really powerful new way to support creativity: to help designers design. In the traditional ways machine learning is used, you start with lots of examples of the things that you want it to recognize – lots of pictures of cats and dogs, perhaps. You know the difference, so label all these training pictures as cats or dogs, so it knows which to form the two patterns from. Your aim is for the machine to learn the difference between cat and dog patterns so it can decide for itself when it sees new pictures.

When designing something like a new musical instrument though, you don’t actually know exactly what you want at the start. You have a general idea but will work out the specifics as you go. You tinker with the design, trying new things and keeping the ideas that work, gradually refining your thoughts about what you want as you refine the design of the instrument. The machine learning program can even help by making mistakes – it might not have learnt exactly what you were thinking but as a result makes some really exciting sound you never thought of. You can then explore that new idea.

One of Rebecca’s motivations in wanting to design new instruments is to create accessible instruments that people with a wide range of illness and disability can play. The idea is to adapt the instrument to the kinds of movement the person can actually do. The result is a tailored instrument perfect for each person. An advantage of this approach is you can turn a whole room, say, into an instrument so that every movement does something: an instrument that it’s impossible not to play. It is a play space to explore.

Playing an instrument suddenly really is just playing.

Cyber Security at the Movies: Guardians of the Galaxy (Fail Secure security)

by Paul Curzon, Queen Mary University of London

[Spoiler Alert]

Guardians of the Galaxy  Poster

If you are so power hungry you can’t stand the idea of any opposition; if you want to make a grab for total power, so decide to crush everyone in your way, then you might want to think about the security of your power supply first. Luckily, all would-be dictators who crush everyone who gets in their way as they march towards total domination of the galaxy, tend to be very naive about cyber-security.

Take Ronan the Accuser in the original Guardians of the Galaxy film. He’s a villain with a religious streak, whose belief that strength is virtue and weakness is sin leads to his totally corrupted morality. To cut to the guts of the story he manages to get the “Infinity Stone” that gives unimaginable power to its owner. With it he can destroy anyone who gets in his way so sets out to do so.

Luckily for the Galaxy, good-guy Peter Quill, or Star-Lord as he wants to be known, and his fellow Guardians have a plan. More to the point they have Gamora. She is an assassin originally sent to kill Quill, but who changes sides early on. She is an insider who knows how Ronan’s security system works, and it has a flaw: its big, heavy security doors into his control room.


Security Lesson 1. It should still be secure even when the other side knows everything about how it works. If your security relies on no one knowing, it’s almost certainly bad security!


Once inside his ship, to get to Ronan the Guardians will need to get through those big heavy security doors. Now once upon a time big, heavy doors were locked and barred with big, heavy bolts. Even in Roman times you needed a battering ram to get into a besieged city if they had shut the doors before you got there. Nowadays, however big and heavy the door, you may just need some cyber skills to get in if the person designing it didn’t think it through.

Electromagnetic locks are used all over the place and they give some big advantages, such as the fact that they mean you can program who is and isn’t allowed entry. Want to keep someone out – you can just cancel their keycard in the system. They are held locked by electromagnets: magnets that are switched on and off using an electric current. That means computers can control them. As the designer of an electromagnetic lock you have a choice, though. You can make them either “fail safe” or “fail secure”. With a fail safe lock, when the power goes, the doors automatically unlock. With fail secure, instead they lock. It’s just a matter of whether the magnet is holding the door open or closed. Which you choose when designing the lock depends on your priorities.

Fail safe is a good idea, for example, if you want people to be able to escape in an emergency. If a fire cuts the electricity you want everyone to still be able to get out, not be locked in with no chance of escape. Fail secure on the other hand is good if you don’t want thieves to be able to get in just by cutting the power. The magnets hold the bolts open, so when the power goes, they spring shut.


Security Lesson 2. If you want the important things to stay secure, you need a fail secure system.


This is Ronan’s problem. Gamora knows that if you cut the power supply then the doors preventing attackers getting to him just open! He needed a fail secure door, but instead had a fail safe one installed. On such small things are galaxies won and lost! All Gamora has to do is cut the power and they can get to him. This of course leads to the next flaw in his security system. It wouldn’t have mattered if the power supply was on the secure side of that door, but it wasn’t. Ronan locks himself in and Gamora can cut the power from the outside … Dhurr!

There is one last thing that could have saved Ronan. It needed an uninterruptible power supply.


Security Lesson 3. If your system is reliant on the power supply, whether a door, your data, your control system or your life-support system, then it should keep going even if the power is switched off.


After all, what if the spaceship’s cleaners (you never see them but they must be there somewhere!) unplug the door lock by mistake just because they need somewhere to plug in the hoover?

The solution is simple: use an “uninterruptible power supply”. They are just very fast electricity storage systems that immediately and automatically take over if the main power cuts out. The biggest on Earth keeps the power going for a whole city in Alaska (you do not want to lose the power running your heating mid-winter if you live in Alaska!). Had Ronan’s doors had a similar system, the doors wouldn’t have just opened as the power would not have been cut off.

It’s always the small details that matter in cyber security (and in successfully destroying your enemies and so ruling the universe). As with all computational thinking, you have to think about everything in advance. If you don’t look after your power supply, then you may well lose all your power over the galaxy too (and your life)!

