Publications by Dr Budi Arief

Ransomware remains one of the most prevalent cyberthreats to individuals and businesses alike. Psychological techniques are often employed by attackers when infecting victims' devices with ransomware, in an attempt to increase the likelihood of the victims paying the ransom demand. At the same time, cybersecurity researchers are continually putting in effort to find new ways to prevent ransomware infections and victimisation from happening. Since employees and contractors are often considered to be the most frequent and well-known attack vectors, it makes sense to focus on them. Identifying factors to predict the most vulnerable population to cyberattacks can be useful in preventing or mitigating the impact of ransomware attacks. Additionally, understanding victims' psychological traits can help us devise better solutions to recover from the attack more effectively, while at the same time, encouraging victims not to pay the ransom demand to cybercriminals. In this paper, we investigated the relationship between personality types and ransomware victimisation, in order to understand whether people with certain personality types would be more prone to becoming a ransomware victim or not. We also studied the behavioural and psychological effects of becoming a ransomware victim, in an attempt to see whether such an experience can be used to reinforce positive cybersecurity behaviours in the future. We carried out a survey involving 880 participants, recruited through the Prolific online survey platform. First, these participants were asked to answer a set of standard questions to determine their personality type, using the Big-Five personality trait indicators. They were then asked to answer several follow-up questions regarding victimisation, as well as their feelings and views post-victimisation. We found that 9.55% (n=84) of the participants had been a victim of ransomware. Out of these, 2.38% (n=2) were found to have paid the ransom. We found no compelling evidence to suggest that personality traits would influence ransomware victimisation. In other words, there are no discernible differences regarding potential ransomware victimisation based on people's personality types alone. Therefore, we should not blame victims for falling prey – in particular, we should not apportion the blame to their personality type. These findings can be used to improve positive cybersecurity behaviours, for example, by encouraging victims to invest more in cybersecurity products and tools. Additionally, our results showed that the aftermath of a ransomware attack could be quite devastating and hard to deal with for many victims. Finally, our research shows that properly dealing with ransomware is a complex socio-technical challenge that requires both technical and psychological support.

National Computer Security Incident Response Teams (CSIRTs) have been established worldwide to coordinate responses to computer security incidents at the national level. While it is known that national CSIRTs routinely use different types of tools and data from various sources in their cyber incident investigations, limited studies are available about how national CSIRTs evaluate and choose which tools and data to use for incident response. Such an evaluation is important to ensure that these tools and data are of good quality and, consequently, help to increase the effectiveness of the incident response process and the quality of incident response investigations. Seven online focus group discussions with 20 participants (all staff members) from 15 national CSIRTs across Africa, Asia Pacific, Europe, and North and South America were carried out to address this gap. Results from the focus groups led to four significant findings: (1) there is a confirmed need for a systematic evaluation of tools and data used in national CSIRTs, (2) there is a lack of a generally accepted standard procedure for evaluating tools and data in national CSIRTs, (3) there is a general agreement among all focus group participants regarding the challenges that impinge a systematic evaluation of tools and data by national CSIRTs, and (4) we identified a list of candidate criteria that can help inform the design of a standard procedure for evaluating tools and data by national CSIRTs. Based on our findings, we call on the cyber security community and national CSIRTs to develop standard procedures and criteria for evaluating tools and data that CSIRTs, in general, can use.

The aim of this study is to obtain operational insights of real-world practices across national CSIRTs, concerning cyber incident reporting channels, ticketing tools, incident classification schemes, and ways to identify appropriate responses. An online survey involving 19 staff members of 17 national CSIRTs was conducted, leading to four major findings. First, multiple reporting channels are provided by national CSIRTs for prompt incident reporting. Second, free and open-source ticketing tools are popular among national CSIRTs for tracking reported incidents. Third, different incident classification schemes are used across national CSIRTs, indicating a lack of standardised approaches that can have important implications (for example, difficulties in cross-CSIRT information sharing). Fourth, for classifying incidents and identifying appropriate responses, manual approaches are used more than automated ones. We conclude that more cross-CSIRT efforts are needed to define a more standardised cyber incident classification scheme, and to develop more automated tools to support national CSIRTs' operations.

Computer Security Incident Response Teams (CSIRTs) have been established at national and organisational levels to coordinate responses to computer security incidents. It is known that many CSIRTs, including national CSIRTs, routinely use public data, open-source intelligence (OSINT) and free tools in their work. However, the current literature lacks research on how such data and tools are used and perceived by the staff of national CSIRTs in their operational practices. To fill such a research gap, an online survey and twelve follow-up semi-structured interviews with staff of thirteen national CSIRTs from Asia, Europe, the Caribbean and North America were carried out. The aim was to gain detailed insights into how such data and tools are used and perceived by staff in national CSIRTs. The study was conducted in two stages: first with MyCERT (Malaysia's national CSIRT) to get some initial results, and then with twelve other national CSIRTs to enlarge the results from the first stage. Thirteen participants from MyCERT completed the survey and seven of them took part in a semi-structured interview; twelve participants from eleven other national CSIRTs took the survey and five participants from five national CSIRTs took an interview. Results from the survey and the interviews led to three main findings. First, the active use of public data, OSINT and free tools by national CSIRT staff was confirmed, e.g., all 25 participants had used public data for incident investigation. Second, all except two (i.e., 23 out of 25, 92%) participants perceived public data, OSINT and free tools to be useful in their operational practices. Third, there is a number of operational challenges regarding the use of public data, OSINT and free tools. In particular, there is a lack of standard and systematic approaches on how such data and tools are used across different national CSIRTs. There is also a lack of standard and systematic processes for validating such dataand tools. These findings call for further research and development of guidelines to help CSIRTs to use such data and tools more effectively and more efficiently.

Ransomware is a type of malware that locks out its victim's access to their device or data – typically by encrypting files – and demands payment in exchange of restoring access. To fight the increasing threat posed by ransomware, security researchers and practitioners have developed decryption tools. These tools aim to help victims in recovering their data, generally by decrypting the compromised files without paying the ransom. Unfortunately, there has been minimal research on the effectiveness of decryption and recovery tools. There is a scant understanding regarding the extent to which these tools can actually recover compromised data. The research presented in this work aims to cover this gap by providing an empirical study on these tools' effectiveness – in terms of decrypting and restoring compromised data. For doing so, we tested a total of 78 tools created by 11 security companies against 61 ransomware samples. That allows us to present an in-depth critical discussion of the real effectiveness of the recovery tools studied. We found that nearly half of the tools fail to recover compromised data satisfactorily. We conclude that there is still a lot of work to be done before these tools can make a real positive impact on ransomware victims. We finish our work by offering some additional insights and recommendations that could help in improving the effectiveness of ransomware decryption tools.

Ransomware is a type of malicious software that locks out its victim from accessing functionality or data on their device, typically by encrypting files. To regain access, victims would typically need to make a ransom payment. Victims get notified that their device has been infected through a ransom note (splash screen) displayed on their device. Ransomware splash screens can be presented in many ways; the most common ones are via a text file or a graphical user interface (GUI). Splash screens may also include additional features, such as a countdown timer, as part of the ransomware operator's ploy to encourage their victims to pay. The main aim of this study was to gain valuable insights into how ransomware splash screens might affect victims' responses. Moreover, the study also investigated whether exposure to different splash screens would encourage participants to adopt good security behaviours. A controlled experiment was conducted by randomly assigning 538 participants into one of the three ransomware infection scenarios based on the splash screen type (Text-based, GUI or GUI + Timer). After watching a demonstration of a ransomware scenario, each participant was asked to complete a survey regarding their post-infection behaviour and their cybersecurity habits. The study concluded that ransomware's user interface elements do not have a notable effect on how victims would react, in terms of their willingness to pay or their reporting rates. Additionally findings included that, even though 60% of the participants would like to report a ransomware incident, they were not sure how to do this. This illustrates the lack of public awareness about cybercrime reporting. Lack of trust was the main reason why participants did not want to click on links offering cybersecurity advice after the exposure. This shows that more effective methods for encouraging cybersecurity behaviour are still needed.

As Internet use increases, there is a growing risk of online harms, including cyber stalking and cyber harassment. However, there has been limited research investigating the impact of such online harms upon adults' well-being. This paper engages in a systematic literature review concerning the mental health impact of online stalking and harassment for adult victims to further understand their experiences and the effects these have on their lives. Our research utilised the PRISMA technique to review papers published in eight online databases. A total of 1,204 articles were extracted, and ultimately 43 articles analysed. Forty-two of the reviewed articles reported that victims of cyber stalking and/or harassment experienced a multitude of harmful and detrimental consequences for their mental health including depression, anxiety, suicidal ideation and panic attacks. Victims recounted the lack of support they received from the criminal justice system, and their subsequent distrust of technology post abuse. Only one study found no relationship between cyber abuse victimisation and the well-being dimensions they examined. Our research highlights the need to devise practical solutions to tackle and minimise this victimisation. Furthermore, it underlines the necessity for adult education concerning safer technology use, as well as for researchers to be transparent regarding the platforms that victims have been abused on so we can better infer where and how exactly individuals need support to interact safely online.

Ransomware incidents have increased dramatically in the past few years. The number of ransomware variants is also increasing, which means signature and heuristic-based detection techniques are becoming harder to achieve, due to the ever changing pattern of ransomware attack vectors. Therefore, in order to combat ransomware, we need a better understanding on how ransomware is being deployed, its characteristics, as well as how potential victims may react to ransomware incidents. This paper aims to address this challenge by carrying out an investigation on 18 families of ransomware, leading to a model for categorising ransomware behavioural characteristics, which can then be used to improve detection and handling of ransomware incidents. The categorisation was done in respect to the stages of ransomware deployment methods with a predictive model we developed called Randep. The stages are fingerprint, propagate, communicate, map, encrypt, lock, delete and threaten. Analysing the samples gathered for the predictive model provided an insight into the stages and timeline of ransomware execution. Furthermore, we carried out a study on how potential victims (individuals, as well as IT support staff at universities and SMEs) detect that ransomware was being deployed on their machine, what steps they took to investigate the incident, and how they responded to the attack. Both quantitative and qualitative data were collected through questionnaires and in-depth interviews. The results shed an interesting light into the most common attack methods, the most targeted operating systems and the infection symptoms, as well as recommended defence mechanisms. This information can be used in the future to create behavioural patterns for improved ransomware detection and response.

This article provides an extensive study of the current practice of online payment using credit and debit cards, and the intrinsic security challenges caused by the differences in how payment sites operate. We investigated the Alexa top-400 online merchants' payment sites, and realised that the current landscape facilitates a distributed guessing attack. This attack subverts the payment functionality from its intended purpose of validating card details, into helping the attackers to generate all security data fields required to make online transactions. We will show that this attack would not be practical if all payment sites performed the same security checks. As part of our responsible disclosure measure, we notified a selection of payment sites about our findings, and we report on their responses. We will discuss potential solutions to the problem and the practical difficulty to implement these, given the varying technical and business concerns of the involved parties.

The insider threat problem is a significant and ever present issue faced by any organisation. While security mechanisms can be put in place to reduce the chances of external agents gaining access to a system, either to steal assets or alter records, the issue is more complex in tackling insider threat. If an employee already has legitimate access rights to a system, it is much more difficult to prevent them from carrying out inappropriate acts, as it is hard to determine whether the acts are part of their official work or indeed malicious. We present in this paper the concept of "Ben-ware": a beneficial software system that uses low-level data collection from employees' computers, along with Artifi- cial Intelligence, to identify anomalous behaviour of an employee. By comparing each employee's activities against their own 'normal' profile, as well as against the organisational's norm, we can detect those that are significantly divergent, which might indicate malicious activities. Dealing with false positives is one of the main challenges here. Anomalous behaviour could indicate malicious activities (such as an employee trying to steal confidential information), but they could also be be- nign (for example, an employee is carrying out a workaround or taking a shortcut to complete their job). Therefore it is important to minimise the risk of false positives, and we do this by combining techniques from human factors, artificial intelligence, and risk analysis in our approach. Developed as a distributed system, Ben-ware has a three-tier architecture composed of (i) probes for data col- lection, (ii) intermediate nodes for data routing, and (iii) high level nodes for data analysis. The distributed nature of Ben-ware allows for near-real-time analysis of employees without the need for dedicated hardware or a significant impact on the existing infrastructure. This will enable Ben-ware to be deployed in situations where there are restrictions due to legacy and low-power resources, or in cases where the network connection may be intermittent or has a low bandwidth. We demonstrate the appropriateness of Ben-ware, both in its ability to detect potentially malicious acts and its low- impact on the resources of the organisation, through a proof-of-concept system and a scenario based on synthetically generated user data.

A comprehensive model and taxonomy of cybercrime, including all of its stakeholders, would contribute to better cybersecurity. Part 1 of this two-part series, which appeared in the January/February 2015 issue of IEEE Security & Privacy, explored cyberattackers and their motives in detail. Part 2 focuses on the other key stakeholders: defenders and victims of cybercrime.

Although cybercrime is rampant, there is no authoritative definition of the term and all that it implies. A comprehensive model and taxonomy of cybercrime, including all of its stakeholders, would contribute to better cybersecurity. Part one of this two-part series explores attackers and their motives in detail.

Many software development methodologies are called "open source". However, simply stating that a project is open source doesn't precisely describe the approach used to support the project. A multidisciplinary viewpoint can help determine those characteristics that are common to open source projects and those that vary among projects. These characteristics form the basis for a taxonomy of open source projects that's useful for analyzing and setting up projects. They also provide a starting point for understanding what "open source" means.

Computer security has traditionally been assessed from a technical point of view. Another way to assess it is by investigating the role played by legitimate users of systems in impairing the level of protection. In order to address this issue, we wish to adopt a multidisciplinary standpoint and investigate some of the human aspects involved in computer security. From research in psychology, it is known that people make biased decisions. They sometimes overlook rules in order to gain maximum benefits for the cost of a given action. This situation leads to insidious security lapses whereby the level of protection is traded-off against usability. In this paper, we highlight the cognitive processes underlying such security impairments. At the end of the paper, we propose a short usability-centred set of recommendations.

Building a software service requires careful analysis of the requirements given by the customer for the system. It is often difficult to understand the system requirements correctly, due to the fact that they are usually described in plain language. This difficulty could be overcome if a sufficiently precise description of system services to be provided can be produced that is easy to follow by both customers and designers. Given such a specification of a service that on the surface permits several ways of implementing it, the design team should be able to select with reasonable confidence, the most appropriate set of design options, before commencing the building of the service. Naturally, this requires the development of modelling and analysis techniques that enable the evaluation of various design options for a given service. As a first step towards achieving these goals, the paper briefly reviews current approaches to specifying system architectures and explores the suitability of the Unified Modelling Language (UML) as a specification tool.

This paper presents a security analysis of the manual override feature of the Noke smart lock. The Noke allows its user to operate, monitor and even share his smart lock with others through a smartphone. To counter the risk of being unable to open the lock when the smartphone is unavailable, it provides an override mechanism. Noke implements this override feature using a quick-click scheme, whereby its user can choose a sequence of eight to sixteen short and long shackle presses (similar to a Morse code). To explore the security implications of this feature, we conducted a study collecting human-generated quick-click codes from 100 participants, and analysed and modelled the resulting dataset. Our analysis shows that the override mechanism, at least in its current implementation, presents a significant opportunity for successful guessing attacks. We demonstrate this by building a mechanical brute force tool that on average can test one quick-click code in under three seconds. We conclude that this speed, together with the low entropy of human-generated passcodes, makes this manual override feature one of the most significant weaknesses of the system and constitutes a promising attack vector. We responsibly disclosed our findings to the Noke manufacturer. We also provide a list of potential countermeasures that can help to address this risk. We believe that alternative authentication methods such as quick-click codes will become increasingly popular in ever-expanding Internet of Things devices, so the weaknesses and the countermeasures discussed in this paper are timely and relevant, as they can also apply to other devices and security systems that rely on unconventional user-generated authentication codes.

The Internet of Things (IoT) has introduced a myriad of ways in which devices can interact with each other. The IoT concept provides opportunities for novel and useful applications but at the same time, concerns have been raised over potential security issues caused by buggy IoT software. It is therefore imperative to detect and fix these bugs in order to minimise the risk of IoT devices becoming the target or source of attacks. In this paper, we focus our investigation on the underlying IoT operating system (OS), which is critical for the overall security of IoT devices. We picked Contiki as our case study since it is a very popular IoT OS and we have access to part of the development team, allowing us to discuss potential vulnerabilities with them so that fixes can be implemented quickly. Using static program analysis tools and techniques, we are able to scan the source code of the Contiki OS systematically in order to identify, analyse and patch vulnerabilities. Our main contribution is a holistic and systematic analysis of Contiki, starting with an exploration of its metrics, fundamental architecture, and finally some of its vulnerabilities. Our analysis produced relevant data on the number of unsafe functions in use, as well as the bug density; both of which provide an indication of the overall security of the inspected system. Our effort led to the finding of two major issues, described in two Common Vulnerabilities and Exposures (CVE) reports.

In this paper, we present the concept of "Ben-ware" as a beneficial software system capable of identifying anomalous human behaviour within a 'closed' organisation's IT infrastructure. We note that this behaviour may be malicious (for example, an employee is seeking to act against the best interest of the organisation by stealing confidential information) or benign (for example, an employee is applying some workaround to complete their job). To help distinguish between users who are intentionally malicious and those who are benign, we use human behaviour modelling along with Artificial Intelligence. Ben-ware has been developed as a distributed system comprising of probes for data collection, intermediate nodes for data routing and higher nodes for data analysis. This allows for real-time analysis with low impact on the overall infrastructure, which may contain legacy and low-power resources. We present an analysis of the appropriateness of the Ben-ware system for deployment within a large closed organisation, comprising of both new and legacy hardware, to protect its essential information. This analysis is performed in terms of the memory footprint, disk footprint and processing requirements of the different parts of the system.

Privacy is a concept with real life ties and implications. Privacy infringement has the potential to lead to serious consequences for the stakeholders involved, hence researchers and organisations have developed various privacy enhancing techniques and tools. However, there is no solution that fits all, and there are instances where privacy solutions could be misused, for example to hide nefarious activities. Therefore, it is important to provide suitable measures and to make necessary design tradeoffs in order to avoid such misuse. This short paper aims to make a case for the need of careful consideration when designing a privacy solution, such that the design effectively addresses the user requirements while at the same time minimises the risk of inadvertently assisting potential offenders. In other words, this paper strives to promote "sensible privacy" design, which deals with the complex challenges in balancing privacy, usability and accountability. We illustrate this idea through a case study involving the design of privacy solutions for domestic violence survivors. This is the main contribution of the paper. The case study presents specific user requirements and operating conditions, which coupled with the attacker model, provide a complex yet interesting scenario to explore. One example of our solutions is described in detail to demonstrate the feasibility of our approach.

As future intelligent infrastructure will bring together and connect individuals, vehicles and infrastructure through wireless communications, it is critical that robust communication technologies are developed. Mobile wireless sensor networks are self-organising mobile networks where nodes exchange data without the need for an underlying infrastructure. In the road transport domain, schemes which are fully infrastructure-less and those which use a combination of fixed (infrastructure) devices and mobile devices fitted to vehicles and other moving objects are of significant interest to the ITS community as they have the potential to deliver a 'connected environment' where individuals, vehicles and infrastructure can co-exist and cooperate, thus delivering more knowledge about the transport environment, the state of the network and who indeed is travelling or wishes to travel. This may offer benefits in terms of real-time management, optimisation of transportation systems, intelligent design and the use of such systems for innovative road charging and possibly carbon trading schemes as well as through the CVHS (Cooperative Vehicle and Highway Systems) for safety and control applications. As the wireless sensor networks technology is still relatively new and very little is known about its real application in the transport domain. Our involvement in the transport-related projects provides us with an opportunity to carry out research and development of wireless sensor network applications in transport systems. This chapter outlines our experience in the ASTRA (ASTRA, 2005), TRACKSS (TRACKSS, 2007) and EMMA (EMMA, 2007) projects and provides an illustration of the important role that the wireless sensor technology can play in future ITS. This chapter also presents encouraging results obtained from the experiments in investigating the feasibility of utilising wireless sensor networks in vehicle and vehicle to infrastructure communication in real ITS applications.

Social media and online communication encourage social interaction but do little to strengthen community relations between people who live in the same area. The aim of this work is to develop a set of requirements, in this initial case from a group of older adults, for an online system aimed at increasing local face-to-face communication and enhancing community interaction. Eleven older adults took part in two discussion groups to develop this list of requirements. The results of these discussions are presented and come under six broad categories, these being: Security/Information, Social, Physical, Interface, Crime and Management. We also suggest additional requirements we think would benefit the system and future directions.

Vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I as well as I2V)applications are developing very fast. They rely on telecommunication and localizationtechnologies to detect, identify and geo-localize the sources of information (such as vehicles,roadside objects, or pedestrians). This paper presents an original approach on how twodifferent technologies (a near infrared identification sensor and a Zigbee smartdust sensor)can work together in order to create an improved system. After an introduction of these twosensors, two concrete applications will be presented: a road sign detection application and acooperative traffic light application. These applications show how the coupling of the twosensors enables robust detection and how they complement each other to add dynamicinformation to road-side objects.

Developing fault tolerant ambient systems requires many challenging factors to be considered due to the nature of such systems, which tend to contain a lot of mobile elements that change their behaviour depending on the surrounding environment, as well as the possibility of their disconnection and re-connection. It is therefore necessary to construct the critical parts of fault tolerant ambient systems in a rigorous manner. This can be achieved by deploying formal approach at the design stage, coupled with sound framework and support at the implementation stage. In this paper, we briefly describe a middleware that we developed to provide system structuring through the concepts of roles, agents, locations and scopes, making it easier for the developers to achieve fault tolerance. We then outline our experience in developing an ambient lecture system using the combination of formal approach and our middleware.

The paper introduces the CAMA (Context-Aware Mobile Agents) framework intended for developing large-scale mobile applications using the agent paradigm. CAMA provides a powerful set of abstractions, a supporting middleware and an adaptation layer allowing developers to address the main characteristics of the mobile applications: openness, asynchronous and anonymous communication, fault tolerance, and device mobility. It ensures recursive system structuring using location, scope, agent, and role abstractions. CAMA supports system fault tolerance through exception handling and structured agent coordination within nested scopes. The applicability of the framework is demonstrated using an ambient lecture scenario - the first part of an ongoing work on a series of ambient campus applications. This scenario is developed starting from a thorough definition of the traceable requirements including the fault tolerance requirements. This is followed by the design phase at which the CAMA abstractions are applied. At the implementation phase, the CAMA middleware services are used through a provided API. This work is part of the FP6 IST RODIN project on Rigorous Open Development Environment for Complex Systems.

Computer security is an important issue in determining the dependability of computer systems. It becomes even more crucial when we talk about computer-based systems (CBS), where we take into consideration the roles played by the human actors (or human components) involved in the system. In this chapter, we begin to explore the security of complex CBS (sometimes called socio-technical systems). We do this by putting forward a common structuring abstraction for technical systems (that of component-based systems), then extending this abstraction to computer-based systems, in order to take into account the socio-technical structure of the system. Section 2 introduces some basic notions of computer security largely developed within the technical domain, and in Section 2.2 we look at a well known model of how these systems are protected (the Swiss Cheese model [9]). In Section 3 we consider more closely the component-based architecture, and consider how well this architectural model copes with introducing people as components. The security implications of this architectural model are presented in Section 3.3, together with a new diagrammatic representation of the model, and an attempt to adapt Reason's Swiss Cheese model to socio-technical systems. A short discussion of socio-technical security policies is presented in Section 4, and we conclude in Section 5.

The new synergetic approach to sensing data for automative applications are presented. Software development to build networks of non-homogeneous technologies are discussed. Approach dealing with parts of the engine, detectors within the car and the car itself in connection to the outside world are also presented.

Software architectures have been playing a central role in software engineering research for some years now. They are considered of pivotal importance in the success of complex software systems development. However, with the emergence of Open Source Software (OSS) development, a new opportunity for studying architectural issues arises. In this paper, we introduce accepted notions of software architectures (Section 2), discuss some of the known issues in OSS (Section 3), resulting in a set of aspects we consider to be relevant for future research (Section 4).

The original EMV protocol was designed to operate in a situation where the card holder removes their card from their wallet and insert the card into a Point of Sale (POS) terminal. The protocol operates predominantly in plaintext which was not a problem because the attackers needed to tamper with the POS to gain access to the information on the card. The introduction of contactless EMV cards exposes the mainly plaintext EMV protocol to a wireless interface. This allows attackers to use an off-the-shelf NFC reader to access the card without the cardholders knowledge and potentially whilst the card is still in their wallet. Research has demonstrated that contactless EMV cards are vulnerable to various attacks carried out using off-the- shelf equipment which is both cheap and easy to obtain. The proposed solution addresses these issues by having the card request that any NFC reader, attempting to initiate communication, must authenticate itself as a genuine bank issued POS. The POS does this using a Bank issued private key to sign a nonce provided by the card.

Contactless / Near Field Communication (NFC) card payments are being introduced around the world, allowing customers to use a card to pay for small purchases by simply placing the card onto the Point of Sale terminal. Although the terminal needs to be able to verify a PIN, it is not clear if such PIN verification features should be available on the NFC card itself. We show that contactless Visa payment cards have (largely redundant) functionality, Verify PIN, which makes them vulnerable to new forms of wireless attack. Based on careful examination of the Europay, MasterCard and Visa (EMV) protocol and experiments with the Visa fast Dynamic Data Authentication transaction protocol, we provide a set of building blocks for possible attacks. These building blocks are data skimming, Verify PIN and transaction relay, which we implement and experiment with. Based on these building blocks, we propose a number of realistic attacks, including a denial-of-service attack and a newly developed realistic PIN guessing attack. The conclusion of our work is that implementing Verify PIN functionality on NFC cards has no demonstrated benefits and opens up new avenues of attack.

For most of us advances in digital technology have made our lives easier, by providing access to information and services whenever and wherever we want. In a perfect world this should be true for Survivors of domestic violence, with technology providing access to domestic violence support services at a time and place that is convenient to the Survivor, thereby arousing less suspicion from their partner. Unfortunately the technologies Survivors are using to access help and support (i.e. mobile phones and Internet browsers) are recording a trail of "electronic footprints" which can be followed; consequently Survivors are being prevented from accessing the services that have been provided to help them. Related research shows that intimate partner cyber stalking represents a genuine threat to Survivors, with a proven link between the stalking behaviour and the controlling / abusive behaviours common to cases of domestic violence. The aim of this research was to improve the ability of Survivors to access domestic violence support services. This has been divided into two objectives, the first objective is to make the services more accessible (easier to find and more targeted in the information they provide), the second objective was to give Survivors the tools they require to erase their electronic footprints so that they can access support services safely (and thereby be more willing to use the services provided). To achieve these objectives the project looked at existing support services, carried out a survey of Survivors to find out what they needed from the services, identified the issues with existing Internet and mobile phone technologies and proposes new and innovative solutions to help Survivors access the services they need. In this document we present a case study based on our work with the Angelou Centre, this case study serves as the core of our research, in which we outline the technology issues facing survivors and present number of technology solutions that can be used to address these issues. The technology requirement of each survivor and each organisation providing domestic violence services is unique, so the proposed solutions presented in this document are intended to be used individually or in combination as is most appropriate for the survivor and / or organisation providing the service.

The prevalence of location-informing devices such as smart phones brings a lot of benefits, such as the ability to find the right services nearby. Nonetheless, there are also concerns that such devices might infringe our privacy and breach security. This paper discusses both viewpoints by outlining how location information might be obtained, what the location information can be used for, as well as the issues and problems that might be faced when location information becomes available too readily or in too much detail. We illustrate these with a case study using an iPhone application that we developed, which allows users to track the last known location of their "contacts" (such as friends or family), and to specify the granularity level of the information they are willing to share with each of their contacts in return.

Computer security has traditionally been assessed from a technical point of view. In this paper, we wish to adopt a cognitive standpoint and investigate some of the cognitive processes involved in computer security. One angle which is not considered very often is the active role played by legal users of systems in impairing the level of protection. In this paper, we thus attempt to highlight the cognitive processes underlying security impairments by legal users. This approach relies on the concept of trade-off. At the end of the paper, we propose a short usability-centered set of recommendations.

Computer systems and internet are becoming pervasive in our everyday life. Being online brings the consequence that such systems are prone to malicious attack. This vulnerability, along with our reliance on these systems, implies that it is important for us to do our best in securing them to ensure their proper functioning. In this paper, we are trying to tackle the security issues from both technical and human perspectives. From this dual standpoint, we hope to obtain a better understanding on how computer attacks are performed, including how to gain illicit access, the types of attacks, as well as the potential damage that they can cause. We also uncover sociological and psychological traits of the attackers, including their community, taxonomy, motives and work ethics. This survey paper will not provide a concrete solution on how to secure computer systems, but it highlights the socio-technical approach that we must take in order to obtain that goal.

This report presents the findings of this investigation by reporting on the main activities that have been undertaken and presenting our informed final recommendation on a follow-on project activity. It is structured in the following way. Section 2 explains the obstacles encountered while trying to understand the term "open source", contacts pursued and projects observed with respect to open source. Section 3 presents insights into the sociology of open source software development, whereas section 4 describes observations drawn and main issues identified for open source software development and dependable systems engineering. Finally, section 5 explains our recommendation together with the reasons behind our decision. Further insights on the activities described in this report, as well as various papers that have been written in relation to this activity can be found in the appendices A - E.

As the name implies, the dark web market - also commonly known as the anonymous market - has put measures for protecting the privacy of its users as a key priority. With the rapid growth of the dark web market, competition between markets has become more intense. With this, malicious attacks between competitors - for instance, aimed at reducing the availability of competitors' services - have also become more common. These attacks not only affect the services' availability and accessibility, but they may also cause some personal and private information being leaked. As such, it is understandable that dark web markets may implement security mechanisms to protect themselves and their users. Although the literature has analysed and described dark web markets from multiple perspectives, there is still a gap in understanding the security mechanisms implemented by different dark web markets. Furthermore, data collection - which is often considered a common challenge in this research area - may be hindered by these security mechanisms. Therefore, the study presented in this paper aims to investigate the security mechanisms of various dark web markets systematically, in order to shed a better light on their operation. To achieve this aim, we performed data collection and experiments in twelve existing dark web markets, using them as information sources. Although data collection practices slightly vary for each market, the data was collected over a span of four months between May and August 2023. We found there are two main groups of security mechanisms used in dark web markets: web security and account security. Web security contains accessibility, waiting queue, anti-phishing, CAPTCHAs, secret phrase, warrant canary, bug bounty, rate limiting and a toolset. Account security contains username requirement, password & PIN requirement, mnemonic, multi-factor authentication (MFA) and account kill-switch. In conclusion, different types of security mechanisms used by the market may reflect the operator's business philosophy, which in turn may affect the way the market operates. The results of this study can help the academic and security research communities to understand the operation and evolution of the dark web markets better, which in turn can be used to combat crimes facilitated by these markets more effectively. Additionally, findings from this study may provide clues on how to improve the efficiency of data collection in this environment.

Ransomware attacks and the use of the dark web forums are two serious contemporary cyber-problems. These two areas have been investigated separately in the past, but there is currently a gap in our understanding with regard to the interactions between them – i.e., dark web forums that can potentially lead to ransomware activities. The rise of Ransomware-as-a-Service (RaaS) exacerbates these problems even further. The aim of this paper is therefore to investigate the social and technological discourse within the dark web forums that may foster or initiate some of the users' pathway towards ransomware-related criminal activities. To this aim, we carried out data collection (crawling) of pertinent posts from the "Dread" dark web forum, based on sixteen keywords commonly associated with ransomware. Our data collection and manual screening processes resulted in the identification of 1,279 posts related to ransomware, with the posting dates between 25 March 2018 and 30 September 2022. Our dataset confirms that ransomware-related posts exist on the Dread dark web forum. We found that these posts can generally be grouped into eight categories: Hacker, Potential Hacker, RaaS Provider, Education, Information, News, Debate and Other. Furthermore, the contents of these posts shed some light on the social and technological incentives that may encourage some actors to get involved in ransomware crimes. In conclusion, such posts pose a threat to cyber security, because they might provide a pathway for wannabe ransomware operators to get in on the act. The findings from our research can serve as a starting point for devising practical countermeasures, for instance by considering how such posts should be handled in the future, or how some follow-up intervention actions can be prepared in anticipation of certain actors getting involved in ransomware as a result of reading posts in such forums.

The work presented in this paper investigates the crime of ransomware from the perspective of neutralisation theory. In particular, this research-in-progress paper aims to explore the feasibility of using neutralisation theory to better understand one of the key stakeholders in ransomware operations: the offenders. Individuals (including offenders) may employ techniques of neutralisation in order to justify their rule-breaking acts, and to diminish both the perceived consequences of their acts and the feeling of guilt. The focus of this work is on highly organised ransomware groups that not only conduct cyber attacks but also operate Ransomware-as-a-Service (RaaS) businesses. Secondary data was used in this research, including media interviews with alleged ransomware offenders. Data analysis is currently ongoing, but preliminary results show that ransomware offenders mainly use six neutralisation techniques to minimise the perceived impact and/or guilty feeling of their actions. These six neutralisation techniques are (1) denial of victim, (2) denial of injury, (3) claim of benefits, (4) claim of entitlement, (5) defence of necessity, and (6) claim of relative acceptability. The findings from this work can shed some light on the ransomware offending pathways, which in turn can be utilised to devise more effective countermeasures for combatting ransomware crime.

Child sexual exploitation and abuse (CSEA) and the associated distribution of child sexual abuse material (CSAM) are serious offences online and offline. They are exacerbated by the increased popularity of dark web markets, in which vendors and buyers can exchange CSAM while hiding their identities. The aim of this paper is to improve our understanding of the CSEA landscape in dark web markets. We reviewed and collated four groups of keywords (a total of 198) for the detection/discovery of potential CSAM on the dark web market. This allowed us to conduct a systematic data collection (i.e., scraping) on dark web markets containing CSAM to create a new text-based dataset and perform further analysis. We found that CSAM is more public in the Chinese market, but not in the mainstream English market. To illustrate this point, we detected 724 CSAM items in the two Chinese dark web markets studied, but none in the eight English markets. While the prices of these CSAM remain low, we found that there were 3,449 sales over the 44-week observation period, implying that CSAM has been commercialised to some extent. We also noticed that mainstream cloud-based data storage services were used for the distribution and sharing of CSAM. We hope that the findings presented in this paper can help relevant stakeholders to understand the CSAM landscape in the dark web market better, which in turn may be used to devise more effective countermeasures to combat CSEA and CSAM.

The prevalence and significance of web services in our daily lives make it imperative to ensure that they are – as much as possible – free from vulnerabilities. However, developing a complex piece of software free from any security vulnerabilities is hard, if not impossible. One way to progress towards achieving this holy grail is by using static code analysis tools to root out any common or known vulnerabilities that may accidentally be introduced during the development process. Static code analysis tools have significantly contributed to addressing the problem above, but are imperfect. It is conceivable that static code analysis can be improved by using AI-powered tools, which have recently increased in popularity. However, there is still very little work in analysing both types of tools' effectiveness, and this is a research gap that our paper aims to fill. We carried out a study involving 11 static code analysers, and one AI-powered chatbot named ChatGPT, to assess their effectiveness in detecting 92 vulnerabilities representing the top 10 known vulnerability categories in web applications, as classified by OWASP. We particularly focused on PHP vulnerabilities since it is one of the most widely used languages in web applications. However, it has few security mechanisms to help its software developers. We found that the success rate of ChatGPT in terms of finding security vulnerabilities in PHP is around 62-68%. At the same time, the best traditional static code analyser tested has a success rate of 32%. Even combining several traditional static code analysers (with the best features on certain aspects of detection) would only achieve a rate of 53%, which is still significantly lower than ChatGPT's success rate. Nonetheless, ChatGPT has a very high false positive rate of 91%. In comparison, the worst false positive rate of any traditional static code analyser is 82%. These findings highlight the promising potential of ChatGPT for improving the static code analysis process but reveal certain caveats (especially regarding accuracy) in its current state. Our findings suggest that one interesting possibility to explore in future works would be to pick the best of both worlds by combining traditional static code analysers with ChatGPT to find security vulnerabilities more effectively.

As the economic hubs of (potentially) illegal transactions, dark web markets are fraught with uncertainty, including their ending. The ending of a dark web market can bring disruption to the stakeholders involved, especially vendors and buyers. Most importantly, there is a growing concern that such an ending can cause financial repercussions or even fraud victimisation. At the moment, there is scant published work about how, why or when dark web markets would end. We aim to fill this gap to help the academic and security research communities to reflect on what would typically happen to dark web markets in their final days. We used crawling and data scraping techniques to gather relevant weekly data from six dark web markets over a span of several months, right up to their closure. We then analysed the data to find common characteristics and predictive features leading to the closure of these markets. We found three main reasons for the ending of dark web markets: (i) exit scam, (ii) voluntary closure, or (iii) taken down by Law Enforcement Agencies (LEAs). We also gained further insights by analysing our data more closely. For instance, markets are most likely to be closed down when they are most visible, when they are under attack or when they are growing rapidly to their peak. In particular, more mature markets (i.e. markets that have been in operation for a long period of time) are more likely to disappear when their economic patterns start to change (for example, there might be a rapid growth or a sudden – or even gradual, but noticeable – economic decline). When a market was closed down, vendors and buyers would typically move on quickly to other alternative markets – which might grow rapidly as a result – and in turn, those alternative markets' risk of being closed down would become higher. Whether a market is still accepting new vendors (or not) appears to be a valuable indicator for predicting the market's next move. These insights can be useful in anticipating potential market closure, so that sufficient warning can be provided to avoid people being victimised.

Computer Security Incident Response Teams (CSIRTs) have been established at national and organisational levels to respond to and mitigate cyber incidents. National CSIRTs play a critical role in defending a nation's infrastructure from cyber attacks. However, the research literature lacks studies that can provide first-hand insights on current operational practices in national CSIRTs and challenges faced by staff at national CSIRTs. This paper provides personal observations and opinions from two members of staff at MyCERT (Malaysia's national CSIRT), regarding important areas of national CSIRTs' operational practices including cross-CSIRT collaboration, the lack of systematic use of data and tools, and the lack of evaluation of data and tools used. We hope this paper can help stimulate more research and work to address some of the gaps we identified.

Honeypots are cybersecurity mechanisms that are set up as decoys in networks to lure and monitor attackers trying to compromise vulnerable systems. Two commonly used honeypot designs are high-interaction and low-interaction honeypots, which differ in the amount of interplay that the attackers are allowed to do. So far, the effectiveness of high-interaction and low-interaction honeypots has been understudied, making it difficult for security teams to choose between different honeypot technologies. The aim of this paper is to compare the effectiveness of high-interaction and low-interaction honeypots through real-world data. We deployed multiple Elasticsearch honeypot implementations to collect data: a closed-source high-interaction honeypot developed by the authors, and three types of open-source low-interaction honeypots (namely Elastichoney, Delilah and Elasticpot). The collected data came from 48 instances of high-interaction honeypots and 111 instances of low-interaction honeypots, over a period of 14 days. We found that low-interaction honeypots captured only a fraction of the attacks that high-interaction honeypots can catch. On the other hand, low-interaction honeypots are simpler, more efficient to run due to their low usage of resources, and easier to deploy. In our dataset, high-interaction honeypots captured 76.12% of the total attack packets and attracted 70.61% of the unique attacker IPs. In comparison, low-interaction honeypots performed a lot worse in collecting attack data; they only managed to capture 23.88% of the total attack packets and attracted 29.39% of the unique attacker IPs. In this paper, we present an experiment that evaluated and compared the effectiveness of high-interaction and low-interaction honeypots in terms of the amount and the type of information collected from attacks targeting them. It follows from our findings that it would be wiser to either concentrate solely on using high-interaction honeypots, or to increase the effectiveness of low-interaction ones by automatically changing each static value during deployment and/or by increasing the mimicking capabilities of low-interaction honeypots.

Ransomware (malware that threatens to lock or publish victims' assets unless a ransom is paid) has become a serious security threat, targeting individual users, companies and even governments, causing significant damage, disruption and cost. Instances of ransomware have also been observed stealing private data and blackmailing their victims. Worryingly, the prevalence of Internet of Things (IoT) devices and the massive amount of personal data that they collect have opened up another avenue of attack. The main aim of this paper is to determine whether privacy invasion based ransomware would be a viable vector for attackers to use on IoT devices. The secondary aim is to identify countermeasures that can be implemented to prevent such attacks from being used. To accomplish these aims, we examined how private data accessible via IoT devices could be obtained, processed and managed by a ransomware attacker. We identified a number of data sources on IoT devices that can be used to access private data, such as audio and video feeds. We then investigated methods to interpret such data in order to blackmail the device's owner. We then produced proof of concept malware for multiple IoT devices, including an external "collator" that manages the valuable data collected, demonstrating that an attack could be performed at scale. This research shows that attackers can use the functionality of an infected device to invade the privacy of the device's owner, as part of a ransomware attack. We have demonstrated that, given suitable infrastructure, attackers would be able to ransom users for values higher than the cost of the compromised device, as well as heavily damage the trust in the device itself, which would cause further negative impact on the device manufacturer. Finally, we highlight the need for proactive measures to deter this style of attack by applying the suggested countermeasures.

The Internet of Things (IoT) is a rapidly growing collection of "smart" devices capable of communicating over the Internet. Being connected to the Internet brings new features and convenience, but it also poses new security threats, such as IoT malware. IoT malware has shown similar growth, making IoT devices highly vulnerable to remote compromise. However, most IoT malware variants do not exhibit the ability to gain persistence, as they typically lose control over the compromised device when the device is restarted. This paper investigates how persistence for various IoT devices can be implemented by attackers, such that they retain control even after the device has been rebooted. Having persistence would make it harder to remove IoT malware. We investigated methods that could be used by an attacker to gain persistence on a variety of IoT devices, and compiled the requirements and potential issues faced by these methods, in order to understand how best to combat this future threat. We successfully used these methods to gain persistence on four vulnerable IoT devices with differing designs, features and architectures. We also identified ways to counter them. This work highlights the enormous risk that persistence poses to potentially billions of IoT devices, and we hope our results and study will encourage manufacturers and developers to consider implementing our proposed countermeasures or create new techniques to combat this nascent threat.

The popularity of online shopping and cryptocurrency has contributed to drive the economy of darknet markets in recent years. These are often perceived to be conducive to (or may even facilitate) cybercrime related activities. It is, therefore, worthwhile to have a deeper understanding of how various darknet markets operate, so that researchers and law enforcement agencies can test and deploy appropriate countermeasures to fight against online crime. Currently, there is a knowledge gap regarding the similarities and differences among darknet markets in different languages. This study aims to compare between darknet markets operating in English and Chinese. Data from three English and two Chinese darknet markets was collected. The gathered data is described, compared, and analysed in six main aspects: operation model and structures, product categories, market policies, payment methods, security mechanisms, and vendors' characteristics. Our datasets were collected during a seven-week period between 17 July and 30 August 2021, and they contain data from 384 vendors in the English darknet markets and 4,429 in the Chinese ones. The Chinese darknet markets generally seem to have more liberal policies than their English counterparts, as demonstrated by the variety and types of goods and services offered, many of which would have been banned in the English speaking ones. All darknet markets suffer from reputation issues. Cross-market actors are active, but they represent only a small proportion of the vendors observed in our study. In summary, our findings reveal key characteristics of darknet markets in two widely used languages. This information can provide useful insights for security researchers and law enforcement agencies in combating cybercrime.

The frequent use of basic statistical techniques to detect ransomware is a popular and intuitive strategy; statistical tests can be used to identify randomness, which in turn can indicate the presence of encryption and, by extension, a ransomware attack. However, common file formats such as images and compressed data can look random from the perspective of some of these tests. In this work, we investigate the current frequent use of statistical tests in the context of ransomware detection, primarily focusing on false positive rates. The main aim of our work is to show that the current over-dependence on simple statistical tests within anti-ransomware tools can cause serious issues with the reliability and consistency of ransomware detection in the form of frequent false classifications. We determined thresholds for five key statistics frequently used in detecting randomness, namely Shannon entropy, chi-square, arithmetic mean, Monte Carlo estimation for Pi and serial correlation coefficient. We obtained a large data set of 84,327 files comprising of images, compressed data and encrypted data. We then tested these thresholds (taken from a variety of previous publications in the literature where possible) against our dataset, showing that the rate of false positives is far beyond what could be considered acceptable. False positive rates were often above 50% and even above 90% on several occasions. False negative rates were also generally between 5% and 20%, numbers which are also far too high. As a direct result of these experiments, we determine that relying on these simple statistical approaches is not good enough to detect ransomware attacks consistently. We instead recommend the exploration of higher-order statistics such as skewness and kurtosis for future ransomware detection techniques.

The popularity of the Internet of Things (IoT) devices makes it increasingly important to be able to fingerprint them, for example in order to detect if there are misbehaving or even malicious IoT devices in one's network. However, there are many challenges faced in the task of fingerprinting IoT devices, mainly due to the huge variety of the devices involved. At the same time, the task can potentially be improved by applying machine learning techniques for better accuracy and efficiency. The aim of this paper is to provide a systematic categorisation of machine learning augmented techniques that can be used for fingerprinting IoT devices. This can serve as a baseline for comparing various IoT fingerprinting mechanisms, so that network administrators can choose one or more mechanisms that are appropriate for monitoring and maintaining their network. We carried out an extensive literature review of existing papers on fingerprinting IoT devices – paying close attention to those with machine learning features. This is followed by an extraction of important and comparable features among the mechanisms outlined in those papers. As a result, we came up with a key set of terminologies that are relevant both in the fingerprinting context and in the IoT domain. This enabled us to construct a framework called IDWork, which can be used for categorising existing IoT fingerprinting mechanisms in a way that will facilitate a coherent and fair comparison of these mechanisms. We found that the majority of the IoT fingerprinting mechanisms take a passive approach – mainly through network sniffing – instead of being intrusive and interactive with the device of interest. Additionally, a significant number of the surveyed mechanisms employ both static and dynamic approaches, in order to benefit from complementary features that can be more robust against certain attacks such as spoofing and replay attacks.

Efforts have been made to improve the security of the Internet of Things (IoT) devices, but there remain some vulnerabilities and misimplementations. This paper describes a new threat to home security devices in which an attacker can disable all functionality of a device, but to the device's owner, everything still appears to be operational. We targeted home security devices because their security is critical as people may rely on them to protect their homes. In particular, we exploited a feature called "heartbeat", which is exchanged between the devices and the cloud in order to check that the devices are still connected. Even though network traffic was encrypted, we successfully identified the heartbeats due to their fixed size and periodic nature. Thereafter, we established a man-in-the-middle attack between the device and the cloud and selectively forwarded heartbeats while filtering out other traffic. As a result, the device appears to be still connected (because the heartbeat traffic is being allowed through), while in reality the device's functionality is disabled (because non-heartbeat traffic is being filtered out). We applied this exploit on a set of six devices, and five were found to be vulnerable. Consequently, an intruder can use this exploit to disable a home security device and break into a house without the awareness of the owner. We carried out a responsible disclosure exercise with the manufacturers of the affected devices, but the response has been limited. This shows that IoT security is still not taken completely seriously and many threats are still undiscovered. Finally, we provide some recommendations on how to detect and prevent the threats posed by insecure IoT devices, which ironically include IoT home security kits.

Ransomware is a form of malware designed to prevent access to data by either locking out the victims from their system or encrypting some or all of their files until a ransom has been paid to the attacker. Victims would know that they had been hit by ransomware because a ransom demand (splash screen) would be displayed on their compromised device. This study aims to identify key user interface features of ransomware splash screens and see how these features affect victims' likelihood to pay, and how this information may be used to create more effective countermeasures to mitigate the threat of ransomware. We devised an experiment that contained three broad types of splash screens (Text, Time-Sensitive Counter, and Other). A total of nine splash screens were shown to each participant, from which data on the participants' eye behaviour were collected. After each splash screen, participants were also asked a set of questions that would help describe their experience and be cross-referenced with the eye tracking data to aid analysis. Our experiment collected quantitative eye tracker data and qualitative data regarding willingness to pay from 25 participants. Several key components of the splash screens such as the text, logo, images, and technical information were analysed. Comments from the participants on whether they would pay the ransom or not, and the reasons behind their decision were also recorded. We found that there is no clear indication that one type of splash screen would have a higher chance of success with regard to ransom payment. Our study revealed that there are some characteristics in splash screens that would strongly discourage some victims from paying. Further investigation will be carried out in this direction, in order to design and develop more effective countermeasures to ransomware.

Ransomware is a type of malware which restricts access to a victim's computing resources and demands a ransom in order to restore access. This is a continually growing and costly threat across the globe, therefore efforts have been made both in academia and industry to develop techniques that can help to detect and recover from ransomware attacks. This paper aims to provide an overview of the current landscape of Windows-based anti-ransomware tools and techniques, using a clear, simple and consistent terminology in terms of Data Sources, Processing and Actions. We extensively analysed relevant literature so that, to the best of our knowledge, we had at the time covered all approaches taken to detect and recover from ransomware attacks. We grouped these techniques according to their main features as a way to understand the landscape. We then selected 15 existing anti-ransomware tools both to examine how they fit into this landscape and to compare them by aggregating their accuracy and overhead – two of the most important selection criteria of these tools – as reported by the tools' respective authors. We were able to determine popular solutions and unexplored gaps that could lead to promising areas of anti-ransomware development. From there, we propose two novel detection techniques, namely serial byte correlation and edit distance. This paper serves as a much needed roadmap of knowledge and ideas to systematise the current landscape of anti-ransomware tools.

Smart locks are a recent development in the Internet of Things that aim to modernise traditional keybased padlock systems. They allow users to operate the lock with their smartphone instead of carrying around a physical key. Typically, smart locks have a cloud system for sharing access with other people, which makes them ideal for schemes such as communal lockers or bike sharing. One of the smart locks available on the market is that produced by Master Lock. They are an established brand, and unlike many of the single product companies that have provided insecure offerings, Master Lock have so far shown that their locks are reasonably secure and resistant to known attacks such as shimming, fuzzing, and replay attacks. This paper provides a security analysis of the Master Lock Bluetooth padlock. More importantly, it reveals that there were several security vulnerabilities, including a serious one in the Application Programming Interface used by Master Lock to provide a crucial feature for managing access. We carried out a responsible disclosure exercise to Master Lock, but communication proved to be quite a challenge. In the end we managed to establish contact, and as a result the most serious vulnerabilities have now been patched. This indicates that responsible disclosure is a valuable exercise, but we still need better report-and-response mechanisms.

Cyberspace is a very real man-made environment. Like any physical realm, while it offers potential for progress and benefits, it also offers opportunities for misconduct, and cyber criminals and cyber terrorists are continually searching out weaknesses in the defences that have been erected against them. There is one weakness that is pervasive across society: our individual lack of awareness, and of how to protect ourselves and our organisations against cyber attack. This paper reports on an EU funded project called SUCCEED (Shaping University Curricula to Critical Infrastructure Employer Needs) which seeks to reduce that vulnerability through education; specifically, we want to advise Higher Education Institutions of measures by which curricula can be augmented to ensure that all graduates have an appropriate level of cyber savvy. The paper's structure reflects the project's straightforward approach: first we identified what is needed in terms of knowledge and understanding of how to be protected in cyberspace; second we examined current provision (primarily to identify gaps, but also to refer to best-practice); third we will outline recommendations based on our findings from the first and second phases; and fourth we will have these recommendations validated by relevant stakeholders (including representatives from industry, government organisations and academia) in order to distil our conclusions, which will be disseminated and exploited further as final contributions of the project. This paper presents current progress of the SUCCEED project, in particular the results and findings obtained from the first two phases of the project. This is a relatively modest project, and will not claim to provide a definitive solution. However, we believe it can provide an important first step towards an enrichment of curricula that will better prepare graduates to cope with the dangers and risks from terrorists and cyber criminals in the digital future they will all participate in. Only thus can they SUCCEED in cyberspace, by staying safe and secure in the digital realm – through education.

In this paper we present an attack, which allows fraudulent transactions to be collected from EMV contactless credit and debit cards without the knowledge of the cardholder. The attack exploits a previously unreported vulnerability in EMV protocol, which allows EMV contactless cards to approve unlimited value transactions without the cardholder's PIN when the transaction is carried out in a foreign currency. For example, we have found that Visa credit cards will approve foreign currency transactions for any amount up to €999,999.99 without the cardholder's PIN, this side-steps the £20 contactless transaction limit in the UK. This paper outlines our analysis methodology that identified the flaw in the EMV protocol, and presents a scenario in which fraudulent transaction details are transmitted over the Internet to a "rogue merchant" who then uses the transaction data to take money from the victim's account. In reality, the criminals would choose a value between €100 and €200, which is low enough to be within the victim's balance and not to raise suspicion, but high enough to make each attack worthwhile. The attack is novel in that it could be operated on a large scale with multiple attackers collecting fraudulent transactions for a central rogue merchant which can be located anywhere in the world where EMV payments are accepted.

With the rapid growth and spread of Internet-based social support systems, the impact that these systems can make to society – be it good or bad – has become more significant and can make a real difference to people's lives. As such, various aspects of these systems need to be carefully investigated and analysed, including their security/privacy issues. In this paper, we present our work in designing and implementing various technological features that can be used to assist domestic violence survivors in obtaining help without leaving traces which might lead to further violence from their abuser. This case study serves as the core of our paper, in which we outline our approach, various de- sign considerations – including difficulties in keeping browsing history private, our currently implemented solutions (single use URL, targeted history sanitita- tion agent, and secret graphical gateway), as well as novel ideas for future work (including location-based service advertising and deployment in the wild).

Contactless card payments are being introduced around the world al- lowing customers to use a card to pay for small purchases by simply placing the card onto the Point of Sale terminal. Contactless transactions do not require veri- fication of the cardholder's PIN. However our research has found the redundant verify PIN functionality is present on the most commonly issued contactless credit and debit cards currently in circulation in the UK. This paper presents a plausible attack scenario which exploits contactless verify PIN to give unlimited attempts to guess the cardholder's PIN without their knowledge. It also gives experimental data to demonstrate the practical viability of the attack as well as references to support our argument that contactless verify PIN is redundant functionality which compromises the security of payment cards and the cardholder.

In this paper we discuss the current state of our work regarding the development and planned in-situ testing of a computer-based system to enhance community relations through the Neighbourhood Watch scheme. The system is intended for use in a community to help the residents interact with each other more easily and to encourage the reporting of suspicious behaviour or crime. We discuss some details of the system and how we plan to test it in the field using an iterative process. We also discuss the possible implications of the work for the future.

There are various technologies that can be used to improve road safety, but they tend to be self-contained and do not interact much with other technologies. This might provide sufficient service as such, but we believe better systems can be developed if we allow these technologies to collaborate and share information with each other. This paper outlines the work we have carried out within the EU-funded TRACKSS project in order to allow two sensing technologies (near-infrared camera and smart dust) to work together, especially in developing more robust V2V and I2V safety applications.

The last few years have seen the emergence of many new technologies that can potentially have major impacts on Intelligent Transportation Systems (ITS). One of these technologies is a micro-electromechanical device called smartdust. A smartdust device (or a mote) is typically composed of a processing unit, some memory, and a radio chip, which allows it to communicate wirelessly with other motes within range. These motes can also be augmented with additional sensors – such as those for detecting light, temperature and acceleration – hence enhancing their features and making their application areas virtually limitless. As the smartdust concept is still relatively new, and very little is known about its application in transport domain, conducting research in this area may prove to be very valuable. It is generally perceived that smartdust will become the low-cost, ubiquitous sensor of the future, especially once its size shrinks dramatically to merit its name. Our involvement in several transport-related EU and UK funded projects (ASTRA, 2005; ASK-IT, 2007; EMMA, 2007; Foot-LITE, 2007; MESSAGE, 2007; TRACKSS, 2007) provides us with an opportunity to carry out experiments and to develop demonstrations of smartdust applications in transport systems. We also have a chance to investigate how smartdust can be used in collaboration with other (more traditional) transport sensors for developing better Co-operative Transport Systems (CTS). This paper outlines our experience in these projects and provides an illustration on the important role that the smartdust technology can play in future ITS. We also present encouraging results obtained from our experiments in investigating the feasibility of utilising smartdust in real ITS applications.

In this paper, we discuss a new method for developing fault-tolerant ambient applications. It supports stepwise rigorous development producing a well structured design and resulting in disciplined integration of error recovery measures into the resulting implementation.

Building open distributed systems is an even more challenging task than building distributed systems, as their components are loosely synchronised, can move, become disconnected, and their behaviour may depend on the changing context. The approach we are putting forward relies on using a combination of formal methods applied for rigorous development of the critical parts of the system and a set of design abstractions proposed specifically for the open context-aware applications and supported by a special middleware. Our middleware provides system structuring through the concepts of roles, agents, locations and scopes, making it easier for application developers to achieve fault tolerance. We demonstrate our approach using a case study, in which we show the whole process of developing an ambient campus application - an example of open distributed systems - including its formal specification, refinement, and implementation.

The paper introduces the Cama (Context-Aware Mobile Agents) framework intended for developing large-scale mobile applications using the agent paradigm. Cama provides a powerful set of abstractions, a supporting middleware and an adaptation layer allowing developers to address the main characteristics of the mobile applications: openness, asynchronous and anonymous communication, fault tolerance, device mobility. It ensures recursive system structuring using location, scope, agent and role abstractions. Cama supports system fault tolerance through exception handling and structured agent coordination. The applicability of the framework is demonstrated using an ambient lecture scenario - the first part of an ongoing work on a series of ambient campus applications.

The term "open source" is widely applied to describe some software development methodologies. This paper does not provide a judgment on the open source approach, but exposes the fact that simply stating that a project is open source does not provide a precise description of the approach used to support the project. By taking a multi- disciplinary point of view, we propose a collection of characteristics that are common, as well as some that vary among open source projects. The set of open source characteristics we found can be used as a tick-list both for analysing and for setting up open source projects. Our tick-list also provides a starting point for understanding the many meanings of the term open source.

For sometime now, Unified Modelling Language (UML) has been accepted as a standard for designing new systems. Its array of notations helps system designers to capture their ideas in a way that is expressive yet easy to understand. One thing that UML lacks though, is a means for predicting the system's performance directly from its design. Performance prediction is a desirable feature that enables us to evaluate whether a particular design is worth implementing or not. This prediction can frequently be obtained by constructing a simulation program that mimics the characteristics of the new system. The information gathered from running the simulation will then allow us to estimate the performance. In this paper, we present a simulation framework that can be used to generate simulation programs straight from UML notations. We also present a tool has been built to demonstrate the feasibility of using this framework to perform such a transformation automatically.

The cost of building a new system is usually quite high and without a proper design, a mismatch might occur between the proposed system and the actual system delivered. One aspect that is important to be investigated prior to the system implementation is its performance. A simulation program could be built to obtain the performance characteristics of the new system, but constructing such a program is not a trivial task. Therefore, it is useful to have a tool that can generate a simulation program automatically from a design notation. We have developed a generic syntax based on the UML design notation which is transformable into a simulation program. A tool that performs the transformation automatically has also been built, and in this paper, we present our experience in designing a new telecommunication system-using our syntax and tool.

Nowadays, an object-oriented approach is commonly used for building computer systems. The benefits of the object-oriented method, such as scalability, stability and reusability, make this method suitable for building complex systems, including those in the distributed system area. A distributed system application usually needs to satisfy quite stringent requirements such as reliability, availability, security, etc. and the cost of building such an application will be quite high. It is therefore desirable to be able to predict the performance of the proposed system before the construction begins. In order to do this, it is important to evaluate the requirements of the new system and translate them into a specification (design). The design process helps the system developers to understand the requirements better as well as to avoid misconceptions about the system. From the specification, a simulation program can be built to mimic the execution of the proposed system. The simulation run provides some data about the states of the system and from these data, the performance of the system can be predicted and analysed. UML (Unified Modeling Language) is one example of the object-oriented design methods that has been widely used for specifying system requirements. There are also some object-oriented simulation languages/packages available, for example, SIMULA or C++SIM package, but it is often difficult to transform the system' s requirements into a simulation program without sound knowledge of some simulation techniques. On top of that, a new simulation program needs to be built each time for different systems, which can be quite tedious. The currently available UML tools do not provide a feature to generate simulation programs automatically from UML specifications. In this paper, we describe a tool for constructing simulation programs in a generic way, based on a simple specification (preferably in a UML notation) by identifying the simulation components and their structure.

We describe a tool which transform UML specifications (in a textual form) into C++ code which can be used by C++SIM - a discrete-event process-based simulation facility. A tool written in the Perl scripting language is used to perform the automatic transformation from specification into C++SIM code. As an example we show how the tool is used to generate simulations of a non-trivial fault tolerant distributed computing system. The system was specified in about 180 lines of UML like notation and automatically generated a simulation program of about 1100 lines of C++.