Jason Nurse contributes to an article on the Symantec blog

Dr Jason Nurse has contributed to an article on the Symantec blog advising CISOs to think beyond pure tech when looking for more resources to improve security.

The article entitled ‘Advice for CISOs: Want More Resources? Think Beyond Pure Tech’ is written by journalist John Borland and offers a range of proposals that may help CISOs argue successfully for new resources, while also demonstrating that existing resources are being used effectively.

In the article Jason Nurse advises CISOs to think broadly, assessing the range of potential harms across areas such as corporate reputation, societal impacts, psychological influences, physical harms, as well as financial impacts.

Jason said ‘A lot of attention is placed on the financial impact, but realistically there are other types of impact that result from a cyber attack. Identifying these could help convince a board that security is important even beyond the financial perspective.’

The article concludes that simple scare tactics are unlikely to work, and even research as it stands currently does not provide unambiguous answers regarding exactly what does. However, training, continuous feedback, and sensitivity to employees’ different cultural contexts and responses all appear to be important factors.

Read the full article at: www.symantec.com/blogs/feature-stories/advice-cisos-want-more-resources-think-beyond-pure-tech

Posted in News, security

Carlos Perez-Delgado on IBM launch of commercial quantum computing

Carlos Perez-Delgado has written an article for The Conversation entitled ‘IBM launches commercial quantum computing – we’re not ready for what comes next.’

IBM recently unveiled what it claimed was the world’s first commercial quantum computer. While the announcement of the Q System One wasn’t scientifically groundbreaking, the fact that IBM sees this as a commercial product that organisations (if not individuals) will want to use is an important breakthrough.

IBM has taken a prototype technology that has existed in the lab for over 20 years and launched it in the real world. In doing so, it marks an important step towards the next generation of computing technology becoming ubiquitous, something the world isn’t yet ready for. In fact, quantum may well prove to be the most disruptive technology of the information age.

Quantum computers work by exploiting the weird phenomena described by quantum physics, like the ability of an object to be, in a very real sense, in more than one place at the same time. Doing so enables them to solve problems in seconds that would take the age of the universe to solve on even the most powerful of today’s supercomputers.

Too expensive?
The one criticism typically laid against quantum technologies is that they are “too expensive”, and will continue to be so even as they become more readily available. This is certainly the case today. IBM isn’t making its quantum computer available to buy but rather to access over the internet. But this shows the technology is on its way to becoming affordable in the near future.

Quantum computers are very easily disrupted by changes in the environment and take a long time to reset. So IBM has developed a protective system to keep the Q System One stable enough to perform tasks for commercial customers, which are likely to include large companies, universities and research organisations that want to run complex simulations. As a result, IBM believes it has a commercially viable product, and is putting its money where its mouth is.

History shows us that technologies can experience rapid growth in use and capability once they become viable commercial products. After conventional digital computers became commercially viable, they experienced an exponential explosion referred to commonly as Moore’s Law. Roughly every two years, computers have doubled in power while their size and costs have fallen by half. This “law” is really just a trend that has been made possible, in part, by market forces.

The IBM announcement does not guarantee that quantum computers will now experience Moore’s Law-style exponential growth of their own. It does, however, make that explosion likelier and sooner.


Skills crisis
Quantum technologies are disruptive, and more so in cybersecurity than any other field. Once large-scale quantum computers become available (which at the current rate could take another ten to 15 years), they could be used to access pretty much every secret on the internet. Online banking, private emails, passwords and secure chats would all be opened up. You would be able to impersonate any person or web page online.

This is because the information locks we use to secure privacy and authentication online are like butter to a quantum computer’s hot knife. Quantum technology is disruptive in many other areas as well. If your business decides not to “go quantum” and your competitor or adversary does, you may well be at a strong disadvantage.
As the technology landscape realigns itself, it is quite likely that many tech professionals will see their skills turn obsolete very quickly. Simultaneously, companies may find themselves frantic to hire expertise that does not readily exist.

When geopolitical and market forces realign, it’s common for people in business to say everyone now has to learn a new language. For example, as China has grown in power and influence, it is not uncommon in business communities to hear the phrase “we’ll all have to learn Mandarin now”. Perhaps it’s time for all of us to start learning to speak quantum.

Posted in News

Refinitiv CIO John Finch visits the School of Computing

Presentation by John Finch


Tuesday 19 February

2-3pm, Marlowe LT1

John Finch is the Chief Information Officer for Refinitiv – formerly the Financial & Risk business of Thomson Reuters – and is responsible for all engineering, technical, security and logistical operations to develop enterprise business systems.

John has been twice recognised as one of the 20 “most influential people in UK technology” and speaks widely on talent development in technology and digital, cloud and AI strategy.

John says “We are living through an age of exponential growth in technology capacity and capability, powered by big data, cloud and artificial intelligence – how can businesses accelerate beyond the speed of this change together with their customers?
With computing power able to reach quadrillions of instructions per second, it’s unsurprising that businesses are turning to infrastructure as a service and cloud as they seek to reduce costs and reinvest into innovation. Understanding how to harness the disruption – by leveraging it to process big data or calculate machine learning algorithms – will be key for companies looking to survive and thrive. All of this augmented intelligence will lead us to smarter humans, with smarter machines.”

In this talk, John will share his perspective on disruptions, some bold predictions of the future of technology and how data and an open platform are key to connecting the financial community.

Posted in event, News, security

Jason Nurse comments on Fortnite’s security flaws

Dr Jason Nurse from the School of Computing Cyber Security Research Group commented in an article in Wired on security issues with Fortnite.

A security flaw spotted in Fortnite could have allowed hackers to compromise gamers’ login details. But developer Epic Games didn’t even respond to the researchers who uncovered the vulnerability, which affects the game’s 125 million players.

Security researchers at Check Point Software have revealed they uncovered a vulnerability in the massively popular game’s login system, which could have let attackers take over an account by tricking players into clicking a link offering V-Bucks, Fortnite’s in-game currency. With account access, hackers could buy more V-Bucks and spend them in-game, passing the loot on to other players, as well as view user data including contacts, and listen in on conversations held while playing.

The attack makes use of a set of vulnerabilities in Fortnite’s login process but doesn’t steal players’ passwords. Instead, it nabs the single sign-on (SSO) token used for authentication, such as when you log in via Facebook or Google accounts to play the game. Check Point found a flaw in the Epic Games login page that allowed for redirections to another Epic sub-domain, which could be hacked using a cross-site scripting flaw, giving attackers the ability to load a script to make a second request to resend the token, at which point it would be collected.

“The problem is implementation,” says Oded Vanunu, head of products vulnerability research for Check Point. “I’m changing the [player] to my server, then I’m getting the tokens, and then I’m sending you back to Epic — this implementation should not be happening.”

For the attack to work, hackers would need to create a phishing link, perhaps promising free V-Bucks, and send it to players either via social media or in the game. If players click on the link, the attackers could nab their authentication token, gaining access to their account. Such a simple attack could be effective, says Vanunu, as V-Bucks are expensive and all-but-necessary for full enjoyment of the game, but also because plenty of players are children.

While advanced Fortnite accounts can be worth hundreds of pounds, because this attack doesn’t leak players’ passwords and Epic requires entering the existing credential to change a password, it should make it harder to wholly steal and sell accounts with this process. That said, hackers could run up bills on credit cards saved to the account and snoop on private data and chats. There is no evidence that the hack was used by criminals.

“We were made aware of the vulnerabilities and they were soon addressed,” an Epic spokesperson said. “We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.”

It’s true that the flaw is now fixed, but Epic Games didn’t react as expected, says Vanunu. Check Point approached Epic with the flaw at the beginning of November, he said, and the developer acknowledged the message was received two days later. Another couple of days passed, and Vanunu sent a follow-up asking for a status update on when the flaw would be patched and confirmation it was being addressed. “Then, they disconnected and stopped communicating with us,” he says. “We tried to do follow-up and follow-up and follow-up, and they didn’t comment.”

Check Point then started to watch the flaw, to see if and when it was fixed. At the end of December, it was. “We saw that this thing was terminated, and that Fortnite are not communicating with us anymore,” Vanunu says. “So we can go with this and show it to the public. Then we started to share it with the media before publication.”

“Two days ago, magic happened and we got an email from Epic,” Vanunu said, describing Epic as claiming the email fell between the cracks. Asked about this version of events, a spokesperson for Epic Games said the company didn’t have any additional comment.
Vanunu said he expected better from the company, with similar reports to companies like Facebook earning a response within hours. “I was disappointed by the communication with Fortnite,” he says. “It’s a shared responsibility, we are not looking for bounties… we want to make this better and secure.”

With 125m users, security is serious, making Fortnite’s attitude “unfortunate”, says Jason Nurse, assistant professor in cybersecurity at the University of Kent. “Security researchers serve a key function in today’s environment as they help to find and resolve security flaws, bugs and unforeseen issues,” he says.

And Fortnite’s popularity will continue to attract hackers, Nurse says, pointing to a rise in attacks such as imposter apps that spread malware and stolen accounts being sold online. “The reality is that cyber criminals are attracted to areas, products and services where there is money to be made and where there are masses of individuals, especially vulnerable ones — including children [and] the elderly,” Nurse says. “Fortnite provides a perfect mix of these factors.”

Epic’s apparent attitude to Check Point’s assistance may seem surprising, but there’s potentially some leftover tension after Google and Epic had a public spat in 2018. In August, Epic Games released an installer for the game bypassing Google’s official Play store for Android, requiring players to sideload the app and raising concerns from security experts.

Google’s own researchers swiftly spotted a flaw in the installer that could allow hackers to install dodgy software alongside the game, sparking a row between the companies by publishing the details sooner than Epic would have liked, but after the developer was notified and a patch was available.

“While it’s impossible to know what’s really going on, there might well be some left over ‘tension’ here between Fortnite and security researchers,” Nurse says. “It was not too long ago that Fortnite criticised Google’s security researchers for disclosing a security flaw in Fortnite too soon, according to Epic Games.”

There are other ways Fortnite players can avoid flaws such as the one spotted by Check Point being used against them or their children.

As ever, never click any link from an unknown origin, and teach any children in your life to do the same – especially if an offer sounds too good to be true. Also, sign up for two-factor authentication, which is offered by Epic Games but isn’t turned on by default, though Epic is actively encouraging Fortnite players to enable 2FA by offering free prizes including the “Boogiedown Emote”, 50 Armory Slots, 10 Backpack Slots, and one “legendary troll stash llama”. Security boost and a stash llama – what more could any Fortnite player want?

Posted in News

Why Amazon, Facebook and Google don’t need to spy on your conversations to know what you’re talking about.

Dr Jason Nurse from the School of Computing Cyber Security Research Group has written an article for The Conversation on why Amazon, Facebook and Google don’t need to spy on your conversations to know what you’re talking about.

If you’ve ever wondered if your phone is spying on you, you’re not alone. One of the most hotly debated topics in technology today is the amount of data that firms surreptitiously gather about us online. You may well have shared the increasingly common experience of feeling creeped out by ads for something you recently discussed in a real life conversation or an online interaction.

This kind of experience has led to suggestions that tech firms are secretly recording our private conversations via smartphones or other internet-connected devices such as smart TVs, Amazon Echo or Google Home. Or that they are reading our private messages even when they are supposedly encrypted, as with Facebook’s WhatsApp. If this were proven to be true, it would reveal a huge conspiracy that could do untold damage to the tech industry – which makes it seem somewhat far-fetched. But recent revelations about the degree to which Facebook users’ data has been shared certainly won’t help to convince people that the big firms aren’t spying on them.

Yet, there is another, more compelling reason for the incredibly relevant ads you see. Simply put, tech firms routinely gather so much data about you in other ways, they already have an excellent idea what your interests, desires and habits might be. With this information they can build a detailed profile of you and use algorithms based on behavioural science and trends found elsewhere in their data, to predict what ads might be relevant to you. In this way they can show you products or services that you’ve been thinking about recently, even if you’ve never directly searched for or otherwise indicated online that you’d be interested in them.

Firms invest heavily in gathering user data and do so in a number of clever ways. Social networks and other apps offer to store and share our uploaded data for “free” while using it, and the content we access and “like”, to learn about our interests, desires and relationships. And, of course, there is our search history, which can reveal so much about our current circumstances that Google data has even been used to spot the start of flu epidemics.

But it gets far creepier. Your personal email inbox is also fair game for tech firms. In 2017, Google said it would no longer analyse email content for the purposes of advertising, but recent reports suggest that other large firms still do this. New tech also provides another data source, be it wearables, smart TVs, other in-home smart devices or the smartphone apps that we have come to love. These can gather data on how you use your smart devices, who you contact, what you watch and for how long, other devices on your home network, or where you go.

It’s not just individual sites or devices that monitor your online behaviour. A massive ecosystem of advertisers and supporting companies is dedicated to tracking your activity across the internet. Sites commonly record what pages you look at by saving a small file called a “cookie” to your browser. And your activity across different sites can be matched by looking at your browser’s “fingerprint”, a profile made up of details such as your screen size, the version of the browser you’re using and what plug-in tools you have downloaded to use with it. Then, when you visit another website, an ad firm that has built a profile of you based on your cookies and browser fingerprint can load a “third-party script” to display ads relevant to your profile.

Perhaps even more alarmingly, this tracking does not stop at online data. Tech firms are known to purchase data from financial organisations about user purchases in the real world to supplement their ad offerings. According to some reports, this includes information on income, types of places and restaurants frequented and even how many credit cards are present in their wallets. Opting out of this tracking and onward data sharing is incredibly difficult.

Even where you ask to opt out of this data gathering, your request might not be respected. An example is the uproar caused when it was discovered that Google tracks the location of Android users even when the location setting is turned off. Location data is one of the most useful for advertising and many firms, including Apple, Google and Facebook, track the location of individuals to use as input into their bespoke algorithms.

Putting the data together
To sum up with a simple example, imagine you have just started to think about where to go for your next holiday. You spend the morning visiting travel agents to discuss the latest deals and then visit your favourite restaurant, a popular Caribbean food chain, in the city. Excited about your potential trip, later that night you watch mostly TV shows on the tropics. The next day, your social media feed contains flight, hotel and tour ads with deals to Barbados.

This is a very real illustration of how data on your location, financial purchases, interests, and TV viewing history can be correlated and used to create personalised ads. While some might welcome holiday deals, it becomes much more worrying when we consider data gathering or ads targeting sensitive health issues, financial difficulties, or vulnerable people such as children.

The future of digital advertising is set to be as scary as it is intriguing. Even with new laws that try to protect people’s information, tech firms are constantly looking to push the boundaries of data gathering and algorithm design in ways that can feel invasive. It may yet be proven that some firms aren’t being honest with us about all the data they collect, but the stuff we know about is more than enough to build an alarmingly accurate picture of us.

Posted in News, security

Year In Computing Kickstart Lunch

Many students are keen to learn the tech skills that will make them stand out to a graduate employer, or simply want to learn more about computing for their own interests. The Year in Computing gives Kent students from any subject area* the opportunity to add a Year in Computing to their degree to help improve their skills and employability. This extra year can be taken after stage 2 or any subsequent year of your degree (including your final year).

Students interested in finding out more about the Year in Computing are invited to a kickstart lunch with FREE Pizza on Tuesday 22 January from 12.30 – 14.00 in Cornwallis South West, room 101. Please book a place at the kickstart lunch.

The ‘Year in Computing’ will be an addition to your current degree and it should be possible to extend your student finances for an extra year. You will not only learn coding and web skills, but also how to analyse data and how to make computer systems that people will find easy to engage with.

The Year in Computing will especially be of interest to students if:

  • they are interested in studying computing AND their current degree,
  • they would like to get prepared for a career in tech,
  • they are interested in exploring the frontiers of their subject and computing,
  • they want to learn how to be creative with computing.

Kent graduate, Allana Bailey, BA Economics and Politics with a Year in Computing, 2018, said ‘I never expected to be going into computing but I did the Year in Computing and enjoyed pretty much everything, and that is how I found my new career.’

More details are available at: www.cs.kent.ac.uk/ug/year-in-computing.html


*with the exception of students from the School of Computing and School of Psychology

Posted in News

Virtual queuing system aims to reduce impact of Operation Brock after Brexit

Developed by the University’s School of Computing and Kent Business School (KBS), this dynamic digital solution would manage cross-channel traffic in ways similar to air traffic control at airports.

For example, during Operation Brock drivers would join the ‘queue’ as soon as they are ready to travel from anywhere in the country. When there are delays at the ports or Channel Tunnel they would then be advised to delay their journeys or take a break as soon as the delay is reported, often before they get to Kent. In effect the virtual queue can ‘hold’ hundreds of trucks at different locations across the country rather than physically in Kent.

The held trucks can then be ‘released’ in a managed way via an app or text message. The system could also enable penalties to be imposed upon those drivers who ignore the virtual queue.

The advantages of this system would be:
* Vehicles could be held across a number of locations
* Drivers in multiple locations can be told when to start travelling again
* All involved can be updated on the queue status
* Seamless queuing would enable better forecasting
* Ultimately the system could link to inland customs clearance.

The research is led by Professor Said Salhi and Dr Jesse O’Hanley from KBS, and Dr Dominique Chu from Computing. Collaborative partners, such as operators from Kent Resilience Forum (whose members include Highways England, Eurotunnel, Port of Dover, Kent Police and Border Force), software providers and sector groups such as the automotive industry, are being sought to ensure the long-term viability of the project, which came about following the Keep Kent Moving Forum at the University’s Canterbury campus during the summer of 2018.

As part of the Forum, delegates were required to come up with digital innovations that would address the issues caused by Operation Brock. These include the expected delays and disruption that in the past have led to gridlock across Kent and the formation of Operation Stack to park lorries in Kent.

The researchers are now seeking data sets to start to establish and test the ideas, aiming for a trial and phased introduction during 2019.

The Dover sea crossing and Channel Tunnel at Cheriton provide the highest capacity for access to and from European countries for freight. Up to 5,500 trucks per day cross from the UK to France.

Transport infrastructure is one of the key themes of the Kent Business Summit 2019 hosted by Kent Business School on the 11th January.

Posted in event, News, research

Bronze Award for School of Computing blog

The International Impact Award scheme has awarded The School of Computing a Bronze award for creating an internationally-focused blog.

The scheme, set up in 2016, seeks to recognise, promote and reward internationalisation-related activity and achievements within schools and departments at Kent.

This year’s scheme focused on school and departmental blogs and how their internationalisation ventures, achievements and strategic activities are categorised and presented through online relevant news stories.

Dr Anthony Manning, Dean for Internationalisation said “This year, the standard was high and 14 schools entered from across the University. The great news is that this venture has now created a series of opportunities for updating the University’s range of audiences with Kent’s internationally-focussed news and it is great that the Computing blog is now an important part of that”.

Thanks to this achievement, the School was eligible for a £150 development award to contribute to the cost of enhancing the existing International Impact blog category and will be presented with a commemorative certificate to display our success in January 2019.


Posted in awards, international, News

Jason Nurse features in article in the Kentish Gazette on cybercrime

Dr Jason Nurse, from the School of Computing, featured in an article in the Kentish Gazette on Thursday 13 December on safeguarding yourself against the rise in online crime.

The article looks at some of the elaborate scams fraudsters use to trick unsuspecting victims out of millions of pounds in Kent each year, including a recent ‘sextortion’ scam which includes users’ real password and claims to have taken over their webcams and accessed their social media accounts.

Jason commented ‘The cyber criminals of today use incredibly sophisticated methods. They run it like a proper business and the amounts of money they stand to make are incredible.’

The article also looks at how to avoid cybercrime and offers advice from the Get Safe Online organisation, a public/private sector organisation supported by the government and leading organisations in banking, retail, internet security and other sectors, and raises concerns around oversharing on social media.

The full article is available in the Kentish Gazette published on Thursday 13 December and online at www.kentonline.co.uk/kent/news/sextortion-scam-warning-195357/

Posted in News

Athena SWAN award presented to School

The School of Computing has been presented with a bronze Athena SWAN award for gender equality work at a ceremony at the University of Southampton. The award formally recognises the School’s commitment to advancing gender equality: representation, progression and success for all, students and staff, in academic and professional roles.

Head of School Professor Richard Jones, and School Administration Manager Amanda Ollier received the award at a ceremony on Monday 10 December. The award was presented by Professor Helen Beebee, Samuel Hall Professor of Philosophy at the University of Manchester and an Athena SWAN Patron. Congratulations also go to Mark Batty and his team who put a lot of effort into the School’s submission.

Richard said: “As computer scientists, we recognise the unequal representation of women at all levels, in both our industry and academia. Here at Kent, we are determined to change this. For example, our innovative Year in Computing is encouraging more women into our discipline – 56% of the students in 2017/18. I am delighted that some of the steps we are taking have been recognised with this award.”

There were also awards for the University of Kent’s School of Psychology, School of Engineering and Digital Arts and School of Social Policy, Sociology and Social Research as well as other universities and departments from across the UK.

Posted in News