CS4FN Advent 2023 – Day 19: jingle bells or warning bells? Avoiding computer scams

It’s Day 19 of the CS4FN Christmas Computing Advent Calendar. Every day throughout Advent we’ll be doing our best to publish a computing-themed post that relates to the picture on the advent calendar’s door. If you’d like to judge how well we’ve done please scroll to the end of this post where we have a full list of our attempts on Days 1 to 18 in the panel with the Christmas tree.

Jingle bells, warning you of festive scams. Image drawn and digitised by Jo Brodie.

Gone Phishing

Sending fake emails or text messages that ask for bank details, including passwords, is known in the trade as ‘phishing’ – it’s an example of social engineering, in which someone tries to manipulate someone else into giving away information. Like fishing, the criminals scatter lots of bait and once in a while someone bites on the hook and replies. Criminals have even created fake Internet banking sites, direct copies of the real sites, in an attempt to steal customers’ details. This type of crime would never have been possible before computers. Few criminals would have the ability or funds to build a fake copy of your bank in the high street, but they can write programs to simulate them online.

1. A gift for scammers

Scammers love Christmas. It’s the perfect time of year to try and extract money or information (or both) from frazzled, busy and distracted Christmas shoppers.

“We’re sorry we missed you”

This popular phishing scam will come via text, saying that there’s a problem with delivering your item and you need to pay some small amount of money to rearrange delivery.

In the run-up to Christmas so many people are expecting deliveries that this scam is successful: even if only a small percentage of people fall for it, that’s still a lot of people. The text message will contain a link that looks like it’s for the genuine web address of a delivery company where you might already have an account. But… the link’s taken you to the scammer’s replica website in the hope that you hand over your login information and possibly your bank card details to pay. The scam is quite subtle as once you fill in your details and press send you are then redirected to the genuine company’s website, so it’s easy to miss what’s happened at first.

How to stay safe: were you expecting this text message? If not, be alert. Look at the link carefully – does it seem correct? If it seems fake you can forward the message from any mobile phone to 7226 (which spells SPAM on your keypad). Learn about scams (See further reading) and tell people about them so they know what to watch out for.
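Looking at the link carefully can be done by a program too. The added example below (not part of the original post) pulls out the hostname a browser would really connect to and compares it with a list of domains you trust; the name parcelco.example and every sample link are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the delivery company you really use (constructed name).
TRUSTED = ("parcelco.example",)

def real_host(url):
    """Hostname the browser would actually contact, lower-cased."""
    parts = urlsplit(url.strip())
    return (parts.hostname or "").rstrip(".")

def check_link(url, trusted=TRUSTED):
    """Return 'trusted', or the reason the link should not be trusted."""
    parts = urlsplit(url.strip())
    host = real_host(url)
    if parts.scheme != "https":
        return "not https"
    if not host:
        return "no hostname"
    if "@" in parts.netloc:
        # Everything before '@' is a user name, not the site being visited.
        return "userinfo trick"
    if host.startswith("xn--") or ".xn--" in host:
        # Encoded non-English letters can imitate ordinary ones.
        return "encoded name, check by hand"
    for domain in trusted:
        # Exact match, or a subdomain: the dot matters, so that
        # 'notparcelco.example' does not count as 'parcelco.example'.
        if host == domain or host.endswith("." + domain):
            return "trusted"
    brands = [domain.split(".")[0] for domain in trusted]
    if any(brand in host for brand in brands):
        # The trusted name appears, but not where it counts (the end).
        return "lookalike"
    return "unknown"

# Constructed sample links, as they might appear in a text message.
SAMPLES = [
    "https://track.parcelco.example/parcel/123",
    "https://parcelco.example.redelivery-fee.example/pay",
    "https://parcelco.example@redelivery-fee.example/pay",
    "https://notparcelco.example/pay",
    "http://parcelco.example/track",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{check_link(link):16} {real_host(link):42} {link}")
```

The part of the address that decides where you end up is the end of the hostname, so a trusted name at the start of a link proves nothing.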

See how well you do on Google’s Phishing Quiz (you can make up a fake email address to use) – some are genuine, some are trying to steal information. Can you spot which is which?

Screenshot from Google’s Phishing Quiz (c) Google.

Further reading

Phishing: Spot and report scam emails, texts, websites and calls, from the National Cyber Security Centre

2. Logging on, to your computer

Some phishing attempts are a bit more involved. You might get a phone call from someone claiming that ‘bad people’ have ‘got into your internet’ and you need to take immediate action to prevent being cut off. Sometimes the scammers pretend to be from a well-known computer company (such as Microsoft) or from the company that provides you with your broadband internet.

Fraud image by mohamed Hassan from Pixabay

Sometimes they’ll try and engage you in conversation – this is ‘social engineering’. It is an attempt to gain your trust while keeping you anxious that something has gone wrong, which they are going to help you with. They may even use some tricks to convince you they’re legitimate. If you use a Windows computer they might ask you to open up the Event Viewer and count the errors, suggesting that there’s a problem (in reality it’s all pretty normal and harmless).

The next thing they might want you to do is to download some ‘desktop sharing’ software onto your computer. The software is real enough (and can be used genuinely to help people) but in this case they want to be able to access your computer and cause havoc. What they probably want to do is see if you have online banking (so they can steal your money) or they might delete some important files and say they’ll give them back only if you pay them. Don’t let them in!

How to stay safe: you can just hang up! Definitely don’t download any software, don’t visit any links they suggest you go to and don’t give them any information.

Further reading

Remote access scams: the call that could wipe out your life savings (Nov 2020) Which?
Who scams the scammers? Meet the scambaiters (October 2021) The Observer

3. And you are…?

This ‘friend in need’ scam will likely come via WhatsApp. Someone pretending to be a family member or friend gets in touch claiming they’re contacting you from a new phone after their old one was lost or stolen. They then claim they need money for some urgent reason and ask you to send them some via online banking.

This scam relies on people’s kindness and goodwill, and not wanting to be seen to be stingy or unhelpful, but sadly it causes thousands of pounds to be stolen and it’s often very difficult to recover that money.

How to stay safe: be suspicious. Try and contact your friend / family member in another way to check it’s really them. Or do a bit of social engineering yourself – make up something and ask them about it. Rather than admit they don’t know about it they’ll probably answer ‘yes’ and give themselves away!

Further reading

We lost festive savings in family WhatsApp scam (11 November 2021) BBC News
‘Friend in need’ message scam costs victims almost £50,000 in three months (24 November 2021) Action Fraud


Advert for our Advent calendar
Click the tree to visit our CS4FN Christmas Computing Advent Calendar

EPSRC supports this blog through research grant EP/W033615/1.

CS4FN Advent 2023 – Day 18: cracker or hacker? Cyber security

It’s Day 18 of the CS4FN Christmas Computing Advent Calendar. We’ve been posting a computing-themed article linked to the picture on the ‘front’ of the advent calendar for the last 17 days and today is no exception. The picture is of a Christmas cracker so today’s theme is going to be computer hacking and cracking – all about Cyber Security.

If you’ve missed any of our previous posts, please scroll to the end of this one and click on the Christmas tree for the full list.

A cracker, ready to pop. Image drawn and digitised by Jo Brodie.

The terms ‘cracker’ and ‘hacker’ are often used interchangeably to refer to people who break into computers, though generally the word hacker also has a friendlier meaning – someone who uses their skills to find a workaround or a solution (e.g. ‘a clever hack’) – whereas a cracker is probably someone who shouldn’t be in your system and is up to no good. Both people can use very similar skills though – one is using them to benefit others, the other to benefit themselves.

We have an entire issue of the CS4FN magazine all about Cyber Security – it’s issue 24 and is called ‘Keep Out’ but we’ll let you in to read it. All you have to do is click on this very secret link, then click on the magazine’s front cover to download the PDF. But don’t tell anyone else…

Both the articles below were originally published in the magazine as well as on the CS4FN website.

Piracy on the open Wi-fi

by Jane Waite, Queen Mary University of London.

You arrive in your holiday hotel and ask about Wi-Fi. Time to finish off your online game, connect with friends, listen to music, kick back and do whatever is your online thing. Excellent! The hotel Wi-Fi is free and better still you don’t even need one of those huge long codes to access it. Great news, or is it?

Pirate flag and wifi picture adapted from an image by OpenClipart-Vectors from Pixabay

You always have to be very cautious around public Wi-Fi whether in hotels or cafes. One common attack is for the bad guys to set up a fake Wi-Fi with a name very similar to the real one. If you connect to it without realising, then everything you do online passes through their computer, including all those user IDs and passwords you send out to services you connect to. Even if the passwords they see are encrypted, they can crack them offline at their leisure.

Things just got more serious. A group has created a way to take over hotel Wi-Fi. In July 2017, the FireEye security team found a nasty bit of code, malware, linked to an email received by a series of hotels. The malware was called GAMEFISH. But this was no game and it certainly had a bad, in fact dangerous, smell! It was a ‘spear phishing’ attack on the hotel’s employees. This is an attack where fake emails try to get you to go to a malware site (phishing), but where the emails appear to be from someone you know and trust.

Once in the hotel network, so inside the security perimeter, the code searched for the machines running the hotel’s Wi-Fi and took them over. Once there they sat and watched, sniffing out passwords from the Wi-Fi traffic: what’s called a man-in-the-middle attack.

The report linked the malware to a very serious team of Russian hackers, called FancyBear (or APT28), who have been associated with high profile attacks on governments across the world. GAMEFISH used a software tool (an ‘exploit’) called EternalBlue, along with some code that compiled their Python scripts locally, to spread the attack. Would you believe, EternalBlue is thought to have been created by the US Government’s National Security Agency (NSA), but leaked by a hacker group! EternalBlue was used in the WannaCry ransomware too. This may all start to sound rather like a far-fetched thriller but it is not. This is real! So think before you click to join an unsecured public Wi-Fi.

Just between the two of us: mentalism and covert channels

by Peter W McOwan, Queen Mary University of London.

Secret information should stay secret. Beware ‘covert channels’ though. They are a form of attack where an illegitimate way of transferring information is set up. Stopping information leaking is a bit like stopping water leaking – even the smallest hole can be exploited. Magicians have been using covert channels for centuries, doing mentalism acts that wow audiences with their ‘telepathic’ powers.

The secret codes of Mentalism

In the 1950s Australian couple Sydney and Lesley Piddington took the entertainment world by storm. They had the nation perplexed, puzzled and entertained. They were seemingly able to communicate telepathically over great distances. It all started in World War 2 when Sydney was a prisoner of war. To keep up morale, he devised a mentalism act where he ‘read the minds’ of other soldiers. When he later married Lesley they perfected the act and became an overnight sensation, attracting BBC radio audiences of 20 million. They communicated random words and objects selected by the audience, even when Lesley was in a circling aeroplane or Sydney was in a diving bell in a swimming pool. To this day their secret remains unknown, though many have tried to work it out. Perhaps they used a hidden transmitter. After all, that was fairly new technology then. Or perhaps they were using their own version of an old mentalism trick: a code to transmit information hidden in plain sight.

Sounds mysterious

Sydney had a severe stutter, and some suggested it was the pauses he made in words rather than the words themselves that conveyed the information. Using timing and silence to code information seems rather odd, but it can be used to great effect.

In the phone trick ‘Call the wizard’, for example, a member of the audience chooses any card from a pack. You then phone your accomplice. When they answer you say “I have a call for the wizard”. Your friend names the card suits: “Clubs … spades … diamonds … hearts”. When they reach the suit of the chosen card you say: “Thanks”.

Your phone friend now knows the suit and starts counting out the values, Ace to King. When they reach the chosen card value you say: “Let me pass you over”. Your accomplice now knows both suit and value so dramatically reveals the card to the person you pass the phone to.

This trick requires a shared understanding of the code words and the silence between them. When combined with the background count, information is passed. The silence is the code.

Timing can similarly be used by a program to communicate covertly out of a secure network. Information might be communicated by the time a message is sent rather than its contents, for example.

Codes on the table

Covert channels can be hidden in the existence and placement of things too. Here’s another trick.

The receiving performer leaves the room. A card is chosen from a pack by a volunteer. When the receiver arrives back they are instantly able to tell the audience the name of the card. The secret is in the table. Once the card has been selected, pack and box are replaced on the table. The agreed code might be:

If the box is face up and its flap is closed: Clubs.
If the box is face up and its flap is open: Spades.
If the box is face down and its flap is closed: Diamonds.
If the box is face down and its flap is open: Hearts.

That’s the suits taken care of. Now for the value. The performers agree in advance how to mentally chop up the card table into zones: top, middle and bottom of the table, and far right, right, left and far left. That’s 3 x 4 unique locations. 12 places for 12 values. The pack of cards is placed in the correct pre-agreed position, box face up or not, flap open or closed as needed. What about the 13th possibility? Have the audience member hold their hand out flat and leave the cards on it for them to ‘concentrate’ on.

Again a similar idea can be used as a covert channel to subvert a security system: information might be passed based on whether a particular file exists or not, say.

Making it up as you go along

These are just a couple of examples of the clever ideas mentalists have used to amaze and entertain audiences with feats of seemingly superhuman powers. Our cs4fn mentalism portal has more. Some claim they have the powers for real, but with two dedicated performers and a lot of cunning memory work, it’s often hard to decipher performers’ methods. Covert channels can be similarly hard to spot.

Perhaps the Piddingtons’ secret was actually a whole range of different methods. Just before she died Lesley Piddington is said to have told her son, “Even if I wanted to tell you how it was done, I don’t think I would be able”. However it was done, they were using some form of covert channel to cement their place in magic history. As Sydney said at the end of each show “You be the judge”.


Advert for our Advent calendar
Click the tree to visit our CS4FN Christmas Computing Advent Calendar


Cryptography: You are what you know

A path through the forest at dawn in the fog
Image from PIXABAY

“Carter headed into the trees, his hat pulled low. Up ahead was a dark figure, standing in the shadow of a tree. As he drew close, Carter gave the agreed code phrase confirming he was the new agent: “Could I borrow a match?” The dark figure stepped away from the tree, but rather than completing the exchange as Carter expected, he pulled a silenced gun. Before Carter could react, he heard the quiet spit of the gun and felt an excruciating pain in his chest. A moment later he was dead. Felix put the gun away, and quickly dragged the body into the bushes out of sight. He then went back to waiting. Soon another figure approached, but from the other direction. This time it was Felix who gave the pass phrase, which he now knew. “Could I borrow a match?” The new figure confidently responded, “Doesn’t everyone use a lighter these days?” Felix hadn’t known what he would say, but was happy to assume this was Carter’s real contact. He was in. “Hello. I’m Carter.” …

The trouble with using spy novel style passphrases to prove who you are is you still have to trust the other person. If they might have nefarious intentions, you want to prove who you are without giving anything else away. You certainly don’t want them to be able to take the information you give and use it to pretend to be you. Unfortunately, the above story is pretty much how passwords work, and why attacks like phishing, where someone sends emails pretending to be from your bank, are such a problem.

This is why phishing works

The story outlines the essential problem faced by all authentication systems trying to prove who someone is or that they possess some secret information. You give up the secret in the process to anyone there to hear. Security protocols somehow need ways one agent can prove to another who they are in a way that no one can masquerade as them in future. Creating a secure authentication system is harder than you might think! To do it well takes serious skill. What you don’t do is just send a password!

A simple solution for some situations is sometimes used by banks. Rather than ask you for a whole account number, they ask you for a random set of its digits: perhaps, the third, fifth and eighth digit one time, but completely different ones the next. Though they have learnt some of the secret, anyone listening in can’t masquerade as you as they will be asked for different digits when they do. Take this idea to an extreme and you get the “Zero Knowledge Proof“, where none of the secret is given up: possibly one of the cleverest ideas of computer science.

– Paul Curzon, Queen Mary University of London
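The random-digits idea above can be tried out in a few lines. This is an added example, not code from CS4FN or any bank: the 8-digit secret is constructed, and `impostor_success` is a hypothetical helper that works out how often someone who has overheard some of the digits (and guesses the rest) would get through.

```python
import secrets
from math import comb

def make_challenge(n_digits, k, rng=secrets.SystemRandom()):
    """Bank side: ask for k different positions (1-based), chosen at random."""
    return sorted(rng.sample(range(1, n_digits + 1), k))

def respond(secret, challenge):
    """Customer side: give only the digits that were asked for."""
    return [secret[pos - 1] for pos in challenge]

def verify(secret, challenge, response):
    """Bank side: compare the answer with the stored secret."""
    return response == respond(secret, challenge)

def observe(notes, challenge, response):
    """Eavesdropper: write down which digit sits at which position."""
    notes.update(zip(challenge, response))
    return notes

def answer_from_notes(notes, challenge):
    """Eavesdropper can answer only if every position asked for was overheard."""
    if all(pos in notes for pos in challenge):
        return [notes[pos] for pos in challenge]
    return None

def impostor_success(n_digits, k, seen, alphabet=10):
    """Chance of passing one login when `seen` positions are known and the
    impostor guesses each unknown digit (1 in `alphabet` chance per digit)."""
    total = 0.0
    for j in range(k + 1):                      # j = asked positions already known
        ways = comb(seen, j) * comb(n_digits - seen, k - j)
        total += ways * (1 / alphabet) ** (k - j)
    return total / comb(n_digits, k)

if __name__ == "__main__":
    secret = "40719358"                         # constructed example secret
    notes = {}
    observe(notes, [3, 5, 8], respond(secret, [3, 5, 8]))
    print("overheard:", notes)
    print("can answer [1, 2, 5]?", answer_from_notes(notes, [1, 2, 5]))
    for seen in (0, 3, 5, 8):
        print(seen, "digits known ->", round(impostor_success(8, 3, seen), 4))
```

Each overheard login gives away a little more, so the chance of an impostor getting in creeps up until the whole secret is known: the scheme slows the leak rather than stopping it.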


This article was first published on CS4FN and a copy can also be found on page 5 in ‘Keep Out’ – Issue 24 of CS4FN magazine, on Cyber Security and Privacy (you can download the full magazine free as a PDF here).

All of our material is free to download from: https://cs4fndownloads.wordpress.com



Cryptography: Shafi Goldwasser and the Zero Knowledge Proof

Shafi Goldwasser is one of the greatest living computer scientists, having won the Turing Award in 2012 (equivalent to a Nobel Prize). Her work helped turn cryptography from a dark art into a science. If you’ve ever used a credit card through a web browser, for example, her work was helping you stay secure. Her greatest achievement, with Silvio Micali and Charles Rackoff, is the “Zero knowledge proof”.

Zero knowledge proofs deal with the problem that, to be really secure, security protocols often need to prove that some statement is true without giving anything else away (see “You are what you know“). A specific case is where an agent (software or human) wants to prove they know some secret, without actually giving the secret up.

Satisfy me this

There are three properties a zero knowledge proof must satisfy. Suppose Peggy is trying to convince Victor that some statement about a secret is true. Firstly, if Peggy’s statement is true then Victor must be convinced of this at the end. Secondly, if it is not actually true, there must only be a tiny chance that Peggy can convince Victor that it is true. Finally, Victor must not be able to cheat in any way that means he learns more about the secret beyond the truth of the statement. Shafi and colleagues not only came up with the idea, but showed that such proofs, unlikely as they seem, were possible.

Biosecurity break-in

Imagine the following situation (based on a scenario by Jean-Jacques Quisquater). A top secret biosecurity laboratory is protected so only authorised people can get in and out. The lab is at the end of a corridor that splits. Each branch goes to a door at the opposite end of the lab. These two doors are the only ways in or out. The rest of the room is totally sealed (see diagram).

Now, Peggy claims she knows how to get in, and has told Victor she can steal a sample of the secret biotoxin held there if he pays her a million dollars. Victor wants to be sure she can get in, before paying. She wants to prove her claim is true, but without giving anything more away, and certainly not by showing him how she does it, or giving him the toxin. She doesn’t even want him to have any hard evidence he could use to convince others that she can get in, as then he could use it against her. How does she do it?

“I can get in”

Plan of top secret lab
Image by Paul Curzon.

She needs a Zero knowledge proof of her claim “I can get in”! Here is one way. Victor waits in the foyer, unable to see the corridor. Peggy goes to the fork, and chooses a branch to go down then waits at the door. Victor then goes to the fork, unable to see where she is but able to see both exit routes. He then chooses an exit corridor at random and tells Peggy to appear there. Peggy does, passing through the lab if need be.

If they do this enough times, with Victor choosing at random which side she should appear, then he can be strongly certain that she really does know how to get in. After all, that is the only way to appear at the other side. More to the point, he still cannot get in himself and even if he records everything he sees, he would have no way to convince anyone else that Peggy can get in. Even if he videoed everything he saw, that would not be convincing proof. A video showing Peggy appearing from the correct corridor would be easy to fake. Peggy has shown she can get into the room, but without giving up the secret of how, or giving Victor a way to prove she can do it to anyone else.

So, strange as it seems, it is possible to prove you know a secret without giving anything more away about the secret. Thanks to Shafi and her co-researchers the idea is now a core part of computer security.

– Paul Curzon, Queen Mary University of London
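The lab story can be turned into arithmetic. The added example below (not part of the original article) goes beyond the story by using a discrete-logarithm identification protocol with one-bit challenges, where a secret number x stands in for knowing the way through the lab. It assumes a toy group (P = 23, Q = 11, G = 2) far too small for real use, and all function names are made up for this illustration.

```python
import secrets

# Toy group (assumption for illustration): G has prime order Q modulo P.
# Real systems use numbers hundreds of digits long.
P, Q, G = 23, 11, 2

def keygen():
    """Peggy's secret x (the way through the lab) and her public value y."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def commit():
    """Peggy picks a branch: a random r, showing Victor only t = G^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)

def respond(x, r, c):
    """Peggy appears at the exit Victor named (challenge bit c)."""
    return (r + c * x) % Q

def check(y, t, c, s):
    """Victor's test: G^s must equal t * y^c (mod P)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def honest_run(x, y, rounds):
    """Property 1: if Peggy really knows x, every round passes."""
    for _ in range(rounds):
        r, t = commit()
        c = secrets.randbelow(2)
        if not check(y, t, c, respond(x, r, c)):
            return False
    return True

def forge_round(y, c):
    """Without x, build (t, s) that passes only for a challenge c fixed in advance."""
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, Q - c, P)) % P   # y^(Q-c) equals y^(-c)
    return t, s

def cheating_run(y, rounds):
    """Property 2: an impostor must guess every challenge, so the chance
    of surviving all rounds halves with each round."""
    for _ in range(rounds):
        t, s = forge_round(y, secrets.randbelow(2))   # commit to a guess
        c = secrets.randbelow(2)                      # Victor's real choice
        if not check(y, t, c, s):
            return False
    return True

def fake_video(y, rounds):
    """Property 3: Victor alone can stage a perfect-looking record by
    choosing c first, so his recording proves nothing to anyone else."""
    challenges = [secrets.randbelow(2) for _ in range(rounds)]
    return [(c, *forge_round(y, c)) for c in challenges]

if __name__ == "__main__":
    x, y = keygen()
    print("honest Peggy, 20 rounds:", honest_run(x, y, 20))
    print("impostor, 20 rounds:    ", cheating_run(y, 20))
    print("staged record checks out:",
          all(check(y, t, c, s) for c, t, s in fake_video(y, 20)))
```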


This article was first published on CS4FN and a copy can also be found on pages 4-5 in ‘Keep Out’ – Issue 24 of CS4FN magazine, on Cyber Security and Privacy (you can download the full magazine free as a PDF here).
