Informal Security Meetings

We aim to bring together local security specialists and people who are interested in computer and network security. One major objective is to initiate work, in particular collaborative security research in the school, rather than presenting results.

Our meetings feature informal discussions of research papers, emerging problems, interesting current issues in security, whereas formal presentations are coordinated with and channelled to SRGs, ASLs and school colloquia.

Each meeting is about one hour, and two main formats are used:

  1. A two-session meeting. The first session accommodates a single presentation of 20-25 minutes or two 10-minute presentations, plus an opportunity for questions and answers. Work in progress, half-baked ideas and PhD proposals can all be a good short presentation. The second session is dedicated to reports of any interesting recent developments and discussions of interesting current problems.
  2. Reading group exercise: a participant presents one new paper of common interest -- the presented research need not be your own! S/he also responds to audience scrutiny, and coordinates discussion on the presented topic.

The scheduling of the meetings is currently handled by Jeff Yan, who initiated this effort. Please email a title and a short abstract at least two days in advance. Jeff also manages cs-security, a local emailing list for discussing all security-related issues.

At the moment there are no meetings scheduled.

Past Security Meetings

February 29, 2008 14:00, CLT922
Usability of CAPTCHAs
Ahmad El Ahmad
CAPTCHA is now almost a standard security technology, and has found widespread application in commercial websites. Usability and robustness are two fundamental issues with CAPTCHA, and they often interconnect with each other. This paper discusses issues that should be considered and addressed in the design of secure and usable CAPTCHAs. Some of these issues are intuitive, but some others have subtle implications for robustness (or security). A simple but novel framework for examining CAPTCHA usability is also proposed.
February 22, 2008 16:00, CLT922
The Hadrian Project
Brian Randell
Brian will lead a brainstorming meeting on "the Hadrian project".
February 15, 2008 14:00, CLT922
Breaking visual CAPTCHAs -- Episode 3
Jeff Yan
This talk presents an attack on a high-profile scheme. The attack is simple, but effective. (Joint work with Ahmad Salah El Ahmad)
February 1, 2008 14:00, CLT922
Overview of DSTL topics
Tom McCutcheon (DSTL)
Tom McCutcheon, DSTL and Visiting Prof, has kindly agreed to give a brief, informal overview of DSTL topics of interest to kick off a discussion of common areas of interest etc.
January 25, 2008 14:00, CLT922
Trust Economics project
Aad van Moorsel
Trust Economics is about utilising probabilistic/stochastic modelling approaches to determine the value or risk associated with enterprise security policies, and is a joint project with HP, Merrill Lynch, Bath and UCL. I'll explain a bit about the feasibility study we concluded in November, and about the upcoming follow-up project.
January 18, 2008 14:00, CLT922
Recent progress in e-voting
Peter Ryan
I will give an informal briefing on the Electoral Assistance Commission roundtable meeting I attended last month. I will also talk about some of the ideas that Roberto and I developed during his visit, in particular combining Randell/Ryan with Farnel. Time permitting, I could also outline some ideas developed with Fiachra on auditing electronic counts of scanned paper ballots.
November 30, 2007 14:00, CLT922
Improving Farnel and Threeballot Voting Schemes
Roberto Samarone
Farnel is a voting scheme introduced in 2001. This scheme is not voter-verifiable and has several drawbacks. Recently Araujo et al. introduced a variant of Farnel that is voter-verifiable. The proposal, however, employs a ballot form that can be faked. In this talk I will first introduce Farnel and its variant. Then, I will present a new ballot design for the Farnel variant based on the Pret-a-Voter ballot. After that, I will show that the new ballot can be adapted to accomplish another variant of Farnel and also a variant of the Threeballot voting system.
November 15, 2007 14:00, CLT922
Not all about security -- CMU and CCS'07 trip report
Jeff Yan
I recently visited a bunch of labs at CMU and went to CCS'07 to present my graphical password paper (joint work with my student Paul Dunphy). On this trip, I came across some interesting people, visions, projects, papers, etc. I will give a trip report to share some of this interesting stuff.
October 26, 2007 14:00, CLT922
Challenges in modelling secure voting systems
Peter Ryan
There is a tendency amongst theorists to think that you start with a security policy/requirement, develop a model and derive threats. Practitioners will tell you that security policies are driven by the (perceived) threats. In reality, there is a fascinating interplay between requirements, models and threats, and we witness this especially clearly when designing high assurance voting schemes.

In this talk I will illustrate these points with respect to the co-evolution of designs, requirements and threat models of voting systems, in particular Pret a Voter and Three Ballot.
October 24, 2007 14:00, CLT701
Evaluation of Web Application Security
Owen Wright
Owen Wright, a security consultant from Deloitte, will give an overview of web application security evaluation ('ethical hacking') at Deloitte. This will cover some of the typical threats faced by websites, common vulnerabilities they find when testing web applications, and a brief look at some current trends in web application security.
October 19, 2007 14:00, CLT1005
Information hiding -- Steganography
Goutam Sanyal
Dr Goutam Sanyal from National Institute of Technology Durgapur, India will talk about "Information hiding: Steganography" this Friday. The outline of his talk is as follows:
- Introduction of Steganography
- Examples of Techniques
- Image based Steganography
- Application in Speech Processing
- Our Proposed Methodology
- Case Study
October 12, 2007 13:00, CLT701
User-Centered Security: Stepping Up to the Grand Challenge
Mary Ellen Zurko
User-centered security has been identified as one of the four grand challenges in information security and assurance. In other words, the best minds in security think making it usable is both difficult and important. User-centered security is on the brink of becoming an established subdomain of both security and HCI research, and an influence on the product development lifecycle for any end user facing application, from email to Web 2.0 mashups. As practitioners and researchers in security and HCI, we still face major issues when applying even the most foundational tools used in either of these fields across both of them.
I will discuss the systemic roadblocks to effective user-centered security that I see as most important. They fall into three categories: social, technical, and pragmatic. The social challenges are the most difficult to address, because there is no obvious constituency that will address them. The other two categories, technical and pragmatic challenges, are naturally attacked by researchers and developers, although they were previously overlooked because they crossed expertise boundaries. While security and usability have historically often been at odds, both rely on the reality of deployment to prove the utility and validity of their work. There is a lot of interesting and important work for teams innovative enough to not just cross those boundaries but actually synthesize security and HCI. I'll also touch on the techniques and principles that I believe are producing (more) effective usable security today.
Mary Ellen Zurko leads security architecture and strategy for Lotus Workplace, Portal, and Collaboration Software at IBM. She defined the field of User-Centered Security in 1996. She is on the steering committee for New Security Paradigms Workshop and the International World Wide Web Conference series. She has worked in security since 1986, at The Open Group Research Institute and Digital Equipment Corporation, as well as IBM. She is a contributor to the O'Reilly book "Security and Usability: Designing Secure Systems that People Can Use." Her vita is at http://mysite.verizon.net/resqwf60/id1.html.
September 10, 2007 15:00, CLT701
Usable access control in grid computing
Sacha Brostoff, Bristol University
The full title of this talk is
"R-What?" Development of a Role-Based Access Control (RBAC) Policy-Writing Tool for e-Scientists
Abstract:
A lightweight role-based access control policy authoring tool was developed for e-Scientists, a community where access policies have to be implemented for an increasingly heterogeneous group of local and remote users. Two conceptual problems were identified: (1) lack of understanding of what the policy components are (i.e. how authorization policies are structured), and (2) lack of understanding of the underlying policy paradigm (i.e. what should go into the policy, and what should be left out). Conceptual design (CD) techniques were used to revise the user interface (UI) labels so that e-Scientists and developers were better able to describe access policy components from labels, and match labels with components (t=6.28, df=7, p< .001 two tailed). CD, instructional text, bubble help, UI behaviour and alert boxes were used to shape users' models of the policy paradigm. The final prototype improved users' efficiency and effectiveness by: more than doubling the speed with which expert users could write authorization policies; and facilitating users without specialist security knowledge to largely overcome the policy paradigm and components problems in a user-trial without reading documentation.
Bio:
Sacha is currently developing an online resource at the University of Bristol to help people learn Multilevel Modelling, a branch of statistics frequently used in analysing large social science datasets. Previously he worked in usability and e-Science, helping to organise a workshop about it at the National e-Science Centre. He was an RA on the MyTea project (using metaphors for assisting elicitation and design for bio-informatics software), and contributed some usability work to the PERMIS authorisation policy editor, which he will be speaking about here at CS.NCL. Sacha's other work in usability and security includes a PhD at UCL's Human Centred Systems Group, looking at British Telecom's problems with its employees' computer passwords (supervised by Prof. M. Angela Sasse). He has also published an experimental study on the Passfaces authentication mechanism.
August 10, 2007 15:00, CLT902
Evoting conference trip report
Peter Ryan
Peter has recently attended a few evoting workshops. He will give us the highlights of interesting recent developments in evoting research.
August 3, 2007 15:00, CLT922
SOUPS trip report
Paul Dunphy
SOUPS is the leading conference in usable security and privacy. This year we have had two short papers accepted (full program see http://cups.cs.cmu.edu/soups/2007/). Last week, Paul did two poster presentations at the conference and had a nice week at CMU. This Friday, he will share with us his SOUPS trip report. It will be a good opportunity to hear what's going on in usable security research, and, if you don't know much about this field, what it is really about.
July 27, 2007 15:00, CLT922
Identity Management in Public Services
Mike Martin
The public sector, and the caring and developmental services in particular, present some of the most challenging issues of identity management. Not only are there concerns of confidentiality and trust, but the requirements for multi-agency working and for information sharing have also been at the centre of many government reforms and systems procurements.

The Social and Business Informatics Group is and has been very active in this area, undertaking consultancy and action research projects for central Government as well as local and regional agencies. In this seminar I will present a range of material developed through this work so that we can explore the relationships between the practice of care and development in the real world, the engineering of information and communications systems, and the computer science/theory that sometimes informs these processes.
July 20, 2007 15:00, CLT922
Ensuring Consent in Privacy and Identity Management Infrastructure
Robert Stroud
TBA.
July 13, 2007 15:00, CLT1005
Pret a Voter with paper audit trail
Peter Ryan
Voter-verifiable schemes like Pret a Voter allow voters to confirm that their vote is accurately counted whilst maintaining ballot secrecy. Whilst the scheme is highly trustworthy, due to a high degree of transparency and auditability, the assurance arguments are subtle and involve some understanding of the role of cryptography. As a result, there remain challenges regarding public understanding and trust. It is essential that a voting system be not only trustworthy but also widely trusted.

In this talk I propose a simple mechanism to generate a conventional paper audit trail that can be invoked should the outcome of the cryptographic count be called into question. It is hoped that having such a familiar mechanism as a safety net will encourage public confidence. On the other hand, care has to be taken that such a mechanism does not undermine the carefully crafted integrity and privacy assurances of the original scheme.
July 6, 2007 15:00, CLT922
Conference report (DSN and 10.4)
Robert Stroud
Robert will tell us about interesting papers/things he saw at DSN and 10.4 last week.
June 14, 2007 11:00, CLT701
A demonstration of Prêt à Voter
David Lundin
David Lundin from Surrey University will be visiting Thursday the 14th June to present the implementation of Pret a Voter and run a mock election using it.
May 25, 2007 15:00, CLT922
Merging Pret a Voter and PunchScan
Peter Ryan
I will outline some ideas due to Jeroen van der Graaf on using some ideas from Chaum's new PunchScan scheme to perform the anonymising tabulation for Pret a Voter. This uses crypto commitments in place of the anonymising mixes currently used. Arguably this makes the process simpler and opens up the possibility of unconditional privacy (at the cost of losing unconditional integrity).
May 18, 2007 15:00, CLT922
Dilemmas of Privacy and Surveillance
Cliff Jones
Cliff will lead an informal discussion on the recent RAE report "Dilemmas of Privacy and Surveillance". For those who might not know, "RAE" means the Royal Academy of Engineering.
May 11, 2007 15:00, CLT922
Report on the Parliament hearing of NHS Electronic Patient Records
Brian Randell
Brian has kindly agreed to give a report on yesterday's meeting in the UK Parliament, at which he testified, of the Health select committee on Electronic Patient Records.
May 4, 2007 15:00, CLT922
The Electronic Patient Record and its Use
Brian Randell
The title is in fact that of the Parliamentary Select Committee on Health's current inquiry into a central aspect of the NHS's National Programme for Information Technology (NPfIT). Some weeks ago I provided written evidence to the Committee, based on the work I've done compiling a public "dossier of concerns" about this project (http://nhs-it.info) on behalf of the "Gang of 23" (a group of computer science professors who have been campaigning to persuade the Government to commission a detailed technical review of NPfIT). I have now been invited to testify to the Select Committee on May 10; this talk is an opportunity to practice my testimony!
April 30, 2007 15:00, CLT701
KOA: An Experimental Platform for Trustworthy Computer-based Voting
Joseph Kiniry
In 2003 the Dutch government contracted a consulting firm to create a computer-based voting system called "KOA" ("Kiezen op Afstand," or "remote voting") to experiment with remote (telephone and internet-based) voting for Dutch expatriates. This talk will first discuss the origins, evolution, and eventual (partial, broken, incomplete) GPL-licensed release of KOA. We'll then turn our attention to my research group's "KOA revival" and our upcoming KOA re-release. In particular, I will focus on our use of applied formal methods for the development of a trustworthy voting architecture for research experimentation in computer-based voting.

Joseph Kiniry is a Lecturer in Computer Science at UCD Dublin, having previously worked extensively in industry and academic research. He holds degrees from Caltech (Ph.D. Computer Science 2002, MS Computer Science 1998), the University of Massachusetts Amherst (MS Computer Science 1995) and Florida State University (B.S. Computer Science 1992 and B.S. Pure Mathematics 1992). Joe held a postdoc position at the Radboud University Nijmegen from 2002 to 2004. At UCD Joe's research team focuses on software engineering with applied formal methods. Joe is a major participant in several national and international research grants including the EU FP6 FET "Global Computing II" project MOBIUS and Lero: The Irish Software Engineering Research Centre. Joe has co-founded a number of technology companies and has been a very active participant in the Free/Libre/Open Source Software movement since the late 1980s. In 1994-1995 he was Senior Research Engineer at the Open Software Foundation Research Institute. Over the past fifteen years he has performed high-level consulting in several domains including applied formal methods, rigorous software engineering, software and system security, and electronic and Internet voting.
April 27, 2007 15:00, CLT922
Secure computer systems for the NHS in London
John Simmons, BT
The NHS National Programme to bring modern computer systems into the NHS is based on these systems being hosted in a secure and highly available way. It also implements high levels of user access security to this sensitive personal information. BT is providing an array of computer systems to the NHS in London and John Simmons, Solution Architect with BT and specifically their GP Systems Engineer on the project, will talk about the technologies and measures that have been used to ensure these systems are hosted and accessed in a secure way.
March 16, 2007 15:00, CLT922
Report from the 5th Janet/CERT Security Conference
Mike Ellison
The 5th JANET-CERT Security Conference took place on 20th February in London. It was organised by UKERNA and the UK FE/HE community, providing a chance for security contacts from HE/FE to meet and discuss common threats etc. as well as a chance to find out about potential future threats. For details of the programme and the presentations see http://www.ukerna.ac.uk/services/events/calendar/2007/5thJANET_CERT/programme.html. One of the most memorable of the presentations was "Security of Ubiquitous Computing" (see http://www.ukerna.ac.uk/services/events/calendar/2007/5thJANET_CERT/Adam%20Laurie.pdf), which covered ATM security, hotel TV security and flaws in the RFID system.
March 9, 2007 15:00, CLT922
A Case Study in Systematic Analysis: The Randell-Ryan Voting system
Thomas Tjostheim
There has recently been keen interest in the threat analysis of voting systems. While it is important to verify the system itself, it has been found that certain vulnerabilities only become apparent during protocol execution. We briefly discuss our model for systematic analysis and the "Scratch Card" voting system, which is a version of Prêt à Voter that aims to promote voter understandability. We then demonstrate use of the model with a comprehensive threat analysis of one of the more robust versions of the "Scratch Card" voting system.
March 2, 2007 15:00, CLT922
Usable security
Robert Stroud
Robert will lead a discussion on usable security.
February 23, 2007 15:00, CLT922
Online banking security: WIP report and discussion session
Thomas Tjostheim
We present an outline for a possible paper and invite feedback.
February 16, 2007 15:00, CLT922
Zero knowledge proof protocol for Paillier Decryption
Peter Ryan
Often it is necessary to prove that a claimed decryption of a given ciphertext is correct. For deterministic algorithms this is quite trivial: the verifier simply applies the public key and checks that this agrees with the ciphertext. For randomising encryption algorithms, for example ElGamal and Paillier, this will not work: there are typically more potential ciphertexts for a given plaintext than particles in the universe! If the prover knows the randomisation then of course a possibility is to simply reveal this. Often, however, this is not appropriate as the randomisation needs to be kept secret. In some situations, the prover does not even know the randomisation.

This is where Zero Knowledge (ZK) protocols come in. ZK protocols are known for proving the correctness of ElGamal and Paillier ciphertexts where the prover knows the randomisation but does not want to reveal it. A protocol is also known, a variant of the Chaum-Pedersen protocol for proving plaintext equivalence, to prove correctness of decryption of an ElGamal ciphertext where the prover doesn't know the randomisation. Curiously, no protocol appears to be known to prove a decryption of a Paillier ciphertext where the prover is ignorant of the randomisation. Given that this is likely to be the context in voting applications this is surprising.

In this talk I will describe the notion of a ZK protocol, give some examples and describe a protocol that appears to fill this gap. I'm still trying to fill in some of the proofs, so this is very much work in progress.
February 9, 2007 15:00, CLT922
Attacks on computer networks and common defense techniques
Maciej Machulak
A brief introduction into some typical/interesting attacks on/through firewall systems and common defense techniques. Both "older" and newer attacks will be covered (as ALL are still used).
February 2, 2007 15:00, CLT922
Graphical Passwords: literature review, work in progress & etc
Paul Dunphy
A short talk on the more interesting parts of my literature review so far in Graphical Passwords/Usable Security. Papers covered may be of interest, also suggestions for future reading would be gratefully received. In addition, a briefing of our ongoing usable security study on ATM and PIN.
January 26, 2007 14:00, CLT922
Breaking visual CAPTCHAs -- Episode 2
Jeff Yan
In this talk, I will show how we have broken the second visual CAPTCHA. Our algorithm as implemented in an early prototype could achieve a success rate of almost 100%. It also boosted our success rate on the first CAPTCHA to close to 100%.

This is joint work with Ahmad Salah El Ahmad.
January 19, 2007 14:00, CLT922
Discussions: banking security, meeting admin., etc.
Jeff/Thomas
January 12, 2007 14:00, CLT922
A Model for Systematic Analysis of Voting Systems
Thomas Tjostheim
There has recently been keen interest in the threat analysis of voting systems. While it is important to verify the system itself, it has been found that certain vulnerabilities only become apparent during protocol execution. Threat analysis has so far been of three main forms: systems-based, protocol-level and taxonomy check-lists. We discuss these approaches before presenting a model for analysis of voting systems that essentially combines the first two methods, while avoiding the repetition that can occur with the latter. The model is described in detail, and demonstrated with an example from a case study of the ThreeBallots voting system.
December 8, 2006 14:00, CLT922
Online banking security: updates
Jeff Yan
I will update recent progress in online banking security.
December 1, 2006 14:00, CLT922
Phishing Defence
Jeff Yan
I will outline a phishing defence method based on the notion of two-way authentication and the notion of visual matching, and discuss potential research issues. MSc students who are looking for project ideas might find this relevant.
November 17, 2006 14:00, CLT922
A Study of Shoulder Surfing on Passwords
Paul Dunphy
TBA.
November 10, 2006 14:00, CLT922
Verified Encrypted Paper Audit Trails
Peter Ryan
TBA.
November 3, 2006 14:00, CLT922
Distributed Systems Research in Online Gaming at Newcastle
Graham Morgan
A number of topics covering scalability, dynamic content evolution, performance and other (distributed systems type) research challenges to do with online gaming will be discussed.
October 27, 2006 14:00,
Breaking visual CAPTCHAs -- Episode 1
Jeff Yan
On the Internet, nobody knows you're a dog. But in some circumstances, it is useful to verify that the party sitting on the other end of the Internet is indeed a human.

Designed to automatically tell computers and humans apart, CAPTCHA is actually one kind of automated Turing test. It is now almost a standard security technique for addressing the threat of undesirable or malicious bot programs on the Internet.

In this talk, I will show how we have broken one visual CAPTCHA system. Our algorithm as implemented in an early prototype could achieve a success rate of 87%. Since lots of apparent improvements can be implemented into our attacks, it's very likely we could eventually boost the success rate to close to 100%, rendering this captcha useless.
October 20, 2006 14:00, CLT922
Security developments and a real life hack analysis
Mike Ellison
Mike Ellison is IT Security Coordinator in ISS (Information Systems and Services), Newcastle University. His talk will cover the recent IDC security briefing in London (a report is available via http://www.ncl.ac.uk/iss/security/mins/IDC-Sep2106.htm) and also show what was found on a computer system discovered recently to have been compromised by off-campus hackers.
October 13, 2006 14:00, CLT922
The ThreeBallot Voting System
Peter Ryan
Peter will talk about Rivest's new evoting scheme: http://theory.csail.mit.edu/~rivest/Rivest-TheThreeBallotVotingSystem.pdf

Time permitting, maybe we can also discuss the Voting competition: http://www.vocomp.org/
October 6, 2006 14:00, CLT922
ESORICS and RAID trip report
Igor Mozolevsky
Igor Mozolevsky will give a trip report on ESORICS (a major security conference) and RAID (a leading symposium on intrusion detection). Peter will probably also have some comments on ESORICS.
September 27, 2006 14:00, CLT922
Guess my vote: a study of opacity and information flow in voting systems
Thea Peacock
This will be an informal talk about the work I've done towards my thesis. Questions and discussion very welcome in preparation for my viva! Details at http://www.cs.ncl.ac.uk/research/events/srg/abstract.php?id=170
September 1, 2006 14:00, CLT922
How to get more out of the security meetings?
Everybody
We have had this regular security meeting for about half a year. It is a good time -- just before the beginning of a new semester -- to review what we have done right, and what we could do better. So no talk is scheduled for today. Instead, we are going to have a discussion session. All opinions and wisdom are welcome. People who cannot turn up today, please send your suggestions to either Jeff or the list -- thanks!

If time allows, Robert will go through some of the issues he has raised in his response to the RIPA consultation, which he briefed last week.
August 25, 2006 14:30, CLT922
Consultation on RIPA Part III decryption powers
Robert Stroud
Part III of the Regulation of Investigatory Powers Act (RIPA) gives law enforcement agencies the power to make suspects produce readable copies of encrypted material or else face imprisonment. A code of conduct for exercising these powers has been drawn up by the Home Office, and comments are invited from the public. I attended a public consultation meeting in London, and will report back on the issues raised and my own concerns about the code of conduct.
August 25, 2006 14:00, CLT922
Online banking security: a brainstorming session
Thomas Tjostheim
Thomas and Jeff have recently had some discussions about pushing forward our project on online banking security. Today, he would like to brief some new thoughts, present a todo list, and lead a brainstorming session to finalise the list.
August 18, 2006 14:00, CLT922
Identifying the Source of Messages in Computer Networks
Marios S. Andreou
I will give a brief background on IP traceback and its shortcomings and then talk about extending traceback to "level 2" networks (of the OSI reference model) such as switched ethernet, and the difficulties that this poses.
August 11, 2006 14:00, CLT922
Further progress in spam detection
Jeff Yan
I will talk about some progress in our ongoing work on collaborative spam detection.

I suppose we will have some time available for other things this Friday, so everybody is welcome to bring interesting issues for discussion. For example, I am interested in raising the visibility of web presence of our security effort at NCL.
August 4, 2006 14:00, CLT922
Keystroke Dynamics
Roy Maxion
Roy will talk about keystroke dynamics, which is how to distinguish among users on the basis of their typing styles.
July 28, 2006 14:00, CLT922
A research proposal on spam detection: feasibility discussions
Jeff Yan
I would like to discuss with colleagues the feasibility of developing our current work on spam detection and Bloom filters into a proper research proposal. First I will summarize our results and progress so far, then brief some initial thoughts on possible future research, including systems issues (design and evaluation), theory (mainly things like hashing optimisation, data structure design) and simulation study. Afterwards, a brain-storming session is expected. All people who are interested in contributing to this project are invited.
July 21, 2006 14:00, CLT922
Copyright, Fair Use, Digital Rights Management, and the Law
Robert Stroud
In this talk, I will give an overview of the tensions between copyright, fair use, and digital rights management, and discuss the current law and its impact on security and cryptography related research. In particular, I will look at the US court cases that arose as a result of the open source community developing a DVD player for Linux, and review the legal arguments concerning the nature of cryptographic software as "free speech" and whether it can be published.
July 14, 2006 14:00, CLT922
Keeping Bots out of MMORPGs
Jeff Yan
MMORPG bots are programs that can play the game on behalf of human players. The use of bots in MMORPGs is increasingly problematic. A cheater can run these bots in MMORPG games, collecting virtual items without real play and then selling them, for example on eBay, for real money -- thus achieving an unfair financial gain. Botting also undermines the delicate balance of the game world, a critical factor affecting the success of such games. In this talk, I introduce how these bots are created and how they work, and discuss what kind of research issues are interesting to address.
July 7, 2006 13:00, CLT922
Trip Report
Robert Stroud
Robert will give an informal trip report about the various security related topics that were discussed at DSN and 10.4.
June 23, 2006 14:00, CLT922
PGD -- Pretty Good Democracy
Peter Ryan
Peter will introduce new tricks that might help resolve some issues in Pret a Voter.
June 16, 2006 14:00, CLT922
Remote Electronic Voting Using Verifiable Chain Encryption
Thomas Tjostheim
In this talk, we describe a new remote electronic voting scheme. A probabilistic multiple-key encryption function based on an extension of ElGamal constitutes the cryptographic basis for the scheme. Ballot encryption, mixing and tallying are carried out through the construction of verifiable chain encryptions. Verifiability is based on the use of publicly available bulletin boards and scrutinizers representing the different candidates (parties). The proposed scheme is receipt free and applicable for large scale elections.

Keywords: electronic voting, receipt freeness, mix networks, coercion.
June 9, 2006 14:00, CLT922
Enhancing Non-Bayesian Spam Detection with Bloom Filters
Jeff Yan
I will talk about our recent work on non-Bayesian spam detection. Our work has focused on the so-called collaborative spam detection, and in my talk, I will show how the Bloom filter, a simple but powerful data structure, together with its variants, can significantly improve some pioneering collaborative spam detection systems. Some simulation results of these data structures will also be presented.
June 2, 2006 14:00, CLT922
Security in Norwegian Online Banks
Thomas Tjostheim
Internet banking is increasingly popular both in Norway and elsewhere. Banks have actively encouraged this cost-saving trend by persuading customers to sign up. Customers, attracted by online banking’s convenience, seem largely unconcerned about identity theft and phishing email scams. In fact, most customers seem to believe that Internet banking is quite safe simply because their banks told them so. In reality, this sense of security might be false. We studied customer authentication methods in several Norwegian Internet banks from 2003 through 2004. Our investigation shows that authentication was often weak, offering simple—but powerful—attack possibilities. (Fortunately, none of the attacks were actually carried out.) Here, we discuss the authentication methods and the attacks they made possible. Our scenarios are based solely on publicly available Internet information. Upon concluding our study, we presented our findings to the Norwegian government agency overseeing the national banking industry. We also engaged in a sustained effort to directly inform the banks most vulnerable to attacks. Our main reason for making this account public is to contribute to the development of more secure Internet banking systems.
May 26, 2006 14:00, CLT922
Dimensions of dynamic coalitions
Jeremy Bryans
Developments in network technology are enabling organisations to form temporary alliances to achieve specific goals. Such alliances are often referred to as "dynamic coalitions", emphasising the fluid character of their memberships. Dynamic coalitions vary widely in architecture, scale and complexity, ranging from ad hoc groupings of organisations created in order to perform a very brief transaction to long-running collaborations between allies. In many cases, there is significant sharing of information between the participants. The term "dynamic coalitions" is often used without definition, giving rise to potential confusion and unfulfilled expectations. This talk presents an approach to mapping out a "space" of dynamic coalitions, using a systematic approach supported by a formal (mathematically-based) modelling language. We show how "dimensions" of dynamic coalitions may be identified and explored, with an emphasis on the flow of information through coalitions.
May 19, 2006 14:00, CLT922
Pret a Voter with visual crypto
Peter Ryan
An informal walk-through (and critique) of the previously distributed Pret a Voter with visual crypto paper.
May 12, 2006 14:00, CLT922
Parameterised Role-based Access Control in Virtual Organisations
Xiaofeng Gong
Managing access control in a Virtual Organisation is always a more difficult problem than managing access control in a conventional centralized system. This talk presents an approach to access control for a virtual organisation. Specifically, we present how parameterised roles can support the execution context in a VO and how parameterised role-based access control can be adapted to VO requirements in order that the required flexibility of VOs can be achieved in practice.
May 5, 2006 14:00, CLT922
Security is still a dirty word
Mike Ellison
The ISS Security Team tend to be the ones that get the blame for not allowing people to use programs like Skype and are thought of as the harbingers of doom, as we only make contact with you when things have either gone wrong or show signs of going wrong. The first part of the talk will cover the growth of attacks in recent years against systems on campus - not only as part of a global attack but also in some cases targeted attacks against systems on campus. The second part covers some of the daily monitoring and reporting we do, looking for the proverbial needle (compromised system) in the haystack of attacks.

Mike is IT Security Coordinator at ISS, University of Newcastle Upon Tyne.
April 28, 2006 14:00, CLT922
On evaluating authentication mechanisms
Jeff Yan
I will introduce a framework for evaluating various authentication mechanisms, discuss its relevance to the problem which we are currently working on, and outline a work plan which we might want to pursue.
April 21, 2006 14:00, CLT9.22
PassMark: a two-factor two-way authentication mechanism
Jake Wu
Currently the common security threats posed to online banking involve phishing, spoofing, spyware, key-logging, etc., and they raise the concern that password-based authentication alone is not enough. This talk introduces PassMark, a comprehensive two-factor mutual authentication mechanism that has been developed to combat these security threats for online banking and e-commerce. Starting with a Bank of America SiteKey scenario, I will briefly introduce in this talk what PassMark is, what problems PassMark is supposed to solve and how PassMark works.
April 7, 2006 14:00, CLT 9.22
Formal Analysis of Access Control Policies
Jeremy Bryans
We present a formal approach to describing and analysing access control policies. This approach allows us to evaluate access requests against policies, compare versions of policies with each other and check policies for internal consistency. Access control policies are described using VDM, a state-based formal modelling language. Policy descriptions are concise and may be easily manipulated. The structure of the VDM description is derived from the OASIS standard access control policy language XACML. It is therefore straightforward to translate between XACML policies and their formal equivalents.

Probably about 45 minutes + a Q&A session.
March 24, 2006 14:00, CLT 9.22
Active cookies, browser authentication and phishing defense
Robert Stroud
Robert will lead discussions on a new strong client authentication on the Web: active cookies and their application in phishing defense.
March 17, 2006 14:00, CLT9.22
SSL, Phishing and Man in the Middle
Robert Stroud
Robert will lead our reading group exercise on "SSL/TLS Session-Aware User Authentication — Or How to Effectively Thwart the Man-in-the-Middle". You're strongly encouraged to read the paper before coming to this meeting. He will also give an overview of SSL and discuss why it is not fool-proof.
March 10, 2006 14:00, CLT9.22
Personal experience of online-banking authentications
Robert Stroud
Robert will talk about different forms of authorisation required by the various on-line bank accounts that he has experienced. It's interesting that they're all different, with varying strengths and weaknesses.
February 24, 2006 16:10, CLT922
Phishing
Zisis Pitsiavas
February 24, 2006 15:30, CLT922
Automated Turing test and bots prevention
Jeff Yan