School of Computer Science

CybSec Seminar Series

 We have been pleased to host talks from a variety of invited speakers, as listed below.

3 December 2021

Covert Channels within and between FPGAs
Dr Kasper Rasmussen, University of Oxford, UK

In complex Field Programmable Gate Array (FPGA) designs, it is quite common that black-box implementations of different sub-systems and proprietary algorithms from different vendors are present in the same chip. The nature of FPGAs means that all sub-systems share the common on-chip infrastructure, including routing resources. We have shown that the so-called "long wires" that make up the communication backbone within an FPGA can leak information to nearby wires. The effect is measurable for both static and dynamic signals, and can be detected using very simple circuits with a small footprint. This creates an attack vector for one sub-system to listen to, or communicate with, another sub-system, even if they are not directly connected. In this talk we highlight the problem with a number of examples. We demonstrate the channel, characterize it in detail, and show that it is measurable even when multiple competing circuits, including multiple long-wire transmitters, are present. We will further discuss how off-chip data exfiltration can happen in order to forward extracted secrets to the wider world.

 

11 February 2022

The Economics of Cybersecurity
Prof. Tyler Moore, University of Tulsa, USA


We often think of cybersecurity as a purely technical problem. However, cybersecurity failures are often better explained by economics rather than technology alone. This talk describes how misaligned incentives and market failures can expose organizations to attacks despite spending record amounts on countermeasures. It explores how firms typically manage their cybersecurity investment and shares thoughts on how they can strengthen their security in today’s threat environment.

 

25 February 2022

Challenges of User-centric Privacy Enhancing Technologies
Prof. Simone Fischer-Hübner, Karlstad University, Sweden

The GDPR promotes the principle of Privacy by Design and Default, acknowledging that the individual’s privacy is best protected if privacy law is complemented by privacy enhancing technologies (PETs). While technically advanced PETs have been researched and developed in the last four decades, challenges remain for making PETs and their configurations usable.  In particular, PETs are often based on “crypto-magic” operations that are counterintuitive and for which no real-world analogies can be easily found.

This presentation presents human-computer interaction challenges, end user perceptions and requirements for the design and configurations of PETs in compliance with the GDPR that we explored in recent European research projects. The presentation discusses cultural privacy aspects impacting the users’ preferences and trust in PETs, and it shows that users with technical knowledge may especially encounter challenges in understanding and trusting the protection claims of PETs. It concludes that for this reason, PET user interfaces should not only build on real-world analogies but also need to cater for digital world analogies that may impact the users’ understanding of PETs.

 

16 March 2022

A Framework for Effective Corporate Communication after Cybersecurity Incidents
Dr Jason R.C. Nurse, University of Kent, UK

A cybersecurity incident can cripple an organization, particularly because of the related risk of significant reputational damage. As the likelihood of falling victim to a cyberattack has increased, so too has the importance of understanding what effective corporate communications and public relations look like after an attack. Key questions that need immediate answers include: What messages should be communicated to customers? How should correspondence be released? Who should speak to the media and public? In this talk, Jason presents recent research into a playbook to support companies in deciding how to answer these questions and more. This work is grounded in real-world case studies and academic insights and has been validated and refined through interviews with senior security and crisis response industry professionals. The published article can be found here.

 

1 April 2022

Cyber Lessons, Learned and Unlearned
Prof. Eugene H. Spafford, Purdue University, USA

We hear stories weekly about new cyber attacks and vulnerabilities. How new are they, really? In this talk I’ll discuss some of the factors that have led to development of a weak cybersecurity ecosystem, and the pressures that keep us from doing better. I’ll also discuss some areas of looming threat in the years to come.

Slides available here

 

31 October 2022

Solving the weak link in the security chain by changing the machines
Dr Joakim Kävrestad, University of Skövde, Sweden

We often describe the user as the weak link of cybersecurity and propose that users should be trained to behave better. Better meaning being more compliant with the implicit and explicit expectations that are put on them by cybersecurity policies, rules, guidelines, etc. But is that really a reasonable ask? This talk describes research into cybersecurity training for end-users and describes a viable method for such training. The talk further questions the notion of training as the silver bullet. In essence, the question is whether we should continue to assume that users can be trained to be compliant or if we could change the rules the users should be compliant with. The conclusion is a call for research into how the workings of computers and the expectations set out in policy documents should be adapted to the cognitive abilities of humans.

 

University of Nottingham
Jubilee Campus
Wollaton Road
Nottingham, NG8 1BB

For all enquiries please visit:
www.nottingham.ac.uk/enquire