Jason Nurse comments on Fortnite’s security flaws

Dr Jason Nurse from the School of Computing Cyber Security Research Group commented in an article in Wired on security issues with Fortnite.

A security flaw spotted in Fortnite could have allowed attackers to compromise gamers' accounts. But developer Epic Games didn't even respond to the researchers who uncovered the vulnerability, which affected the game's 125 million players.
Security researchers at Check Point Software have revealed they uncovered a vulnerability in the massively popular game's login system, which could have let attackers take over an account by tricking players into clicking a link offering V-Bucks, Fortnite's in-game currency. With account access, hackers could buy more V-Bucks and spend them in-game, passing the loot on to other players, as well as view user data including contacts and listen in on conversations held while playing.

The attack makes use of a set of vulnerabilities in Fortnite's login process but doesn't steal players' passwords. Instead, it nabs the single sign-on (SSO) token used for authentication, such as when you log in via a Facebook or Google account to play the game. Check Point found a flaw in the Epic Games login page that allowed it to redirect players to another Epic sub-domain. That sub-domain had a cross-site scripting flaw, so an attacker could load a script there that made a second login request and collected the token when it was sent back.

“The problem is implementation,” says Oded Vanunu, head of products vulnerability research for Check Point. “I’m changing the [player] to my server, then I’m getting the tokens, and then I’m sending you back to Epic — this implementation should not be happening.”

For the attack to work, hackers would need to create a phishing link, perhaps promising free V-Bucks, and send it to players either via social media or in the game. If players click on the link, the attackers could nab their authentication token, gaining access to their account. Such a simple attack could be effective, says Vanunu, as V-Bucks are expensive and all but necessary for full enjoyment of the game, but also because plenty of players are children.
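The implementation point Vanunu makes is worth seeing in code. The example below is added here and is not Epic's code; the domain, hostnames and paths are hypothetical. It contrasts a redirect validator that trusts any sub-domain of the game company (so a single cross-site scripting bug on any of those hosts can receive the SSO token) with one that only completes the login against an exact allow-list of pre-registered redirect URIs.

```python
from urllib.parse import urlsplit, urlencode

# Hypothetical names for illustration only: this is not Epic's domain or code.
COMPANY_DOMAIN = "game.example"
REGISTERED_REDIRECTS = {
    "https://www.game.example/login/callback",
    "https://store.game.example/login/callback",
}
ERROR_LOCATION = "https://www.game.example/login/error"


def wildcard_allows(redirect_url: str) -> bool:
    """Weak check: trust any host under the company's domain.

    Every sub-domain inherits the login flow's trust, so a script injected
    into any one of them (via XSS) can read the token the login page returns.
    """
    host = (urlsplit(redirect_url).hostname or "").lower()
    return host == COMPANY_DOMAIN or host.endswith("." + COMPANY_DOMAIN)


def allowlist_allows(redirect_url: str) -> bool:
    """Strict check: exact match of scheme, host and path against registered URIs.

    Query string and fragment are ignored for the comparison, so they cannot
    smuggle in another target; an unregistered sub-domain is simply refused.
    """
    parts = urlsplit(redirect_url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    normalized = f"{parts.scheme}://{parts.hostname.lower()}{parts.path or '/'}"
    return normalized in REGISTERED_REDIRECTS


def complete_login(redirect_url: str, token: str, allows) -> str:
    """Where the login page sends the player after authenticating.

    With an accepted redirect the SSO token is appended to it; otherwise the
    player lands on a fixed error page and no token leaves the login service.
    """
    if not allows(redirect_url):
        return ERROR_LOCATION
    sep = "&" if urlsplit(redirect_url).query else "?"
    return redirect_url + sep + urlencode({"token": token})


# Constructed inputs: a phishing link pointing at a (hypothetical) sub-domain
# page that reflects its query parameter, and a legitimately registered callback.
PHISHED = "https://legacy.game.example/search?q=%3Cscript%3E"
LEGIT = "https://www.game.example/login/callback?state=abc"

if __name__ == "__main__":
    for url in (PHISHED, LEGIT):
        print(url)
        print("  wildcard :", complete_login(url, "tok", wildcard_allows))
        print("  allowlist:", complete_login(url, "tok", allowlist_allows))
```

The wildcard validator sends the token along to the phished sub-domain; the allow-list validator refuses it and only ever releases the token to the callbacks the company registered in advance.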

While advanced Fortnite accounts can be worth hundreds of pounds, this attack doesn’t leak players’ passwords and Epic requires the existing credential to change a password, so it should be harder to wholly steal and sell accounts this way. That said, hackers could run up bills on credit cards saved to the account and snoop on private data and chats. There is no evidence that the hack was used by criminals.
“We were made aware of the vulnerabilities and they were soon addressed,” an Epic spokesperson said. “We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.”

It’s true that the flaw is now fixed, but Epic Games didn’t react as expected, says Vanunu. Check Point approached Epic with the flaw at the beginning of November, he said, and the developer acknowledged the message was received two days later. Another couple of days passed, and Vanunu sent a follow-up asking for a status update on when the flaw would be patched and confirmation that it was being addressed. “Then, they disconnected and stopped communicating with us,” he says. “We tried to do follow-up and follow-up and follow-up, and they didn’t comment.”

Check Point then started to watch the flaw, to see if and when it was fixed. At the end of December, it was. “We saw that this thing was terminated, and that Fortnite are not communicating with us anymore,” Vanunu says. “So we can go with this and show it to the public. Then we started to share it with the media before publication.”

“Two days ago, magic happened and we got an email from Epic,” Vanunu said, describing Epic as claiming the email fell between the cracks. Asked about this version of events, a spokesperson for Epic Games said the company didn’t have any additional comment.
Vanunu said he expected better from the company, with similar reports to companies like Facebook earning a response within hours. “I was disappointed by the communication with Fortnite,” he says. “It’s a shared responsibility, we are not looking for bounties… we want to make this better and secure.”

With 125m users, security is serious, making Fortnite’s attitude “unfortunate”, says Jason Nurse, assistant professor in cybersecurity at the University of Kent. “Security researchers serve a key function in today’s environment as they help to find and resolve security flaws, bugs and unforeseen issues,” he says.

And Fortnite’s popularity will continue to attract hackers, Nurse says, pointing to a rise in attacks such as imposter apps that spread malware and stolen accounts being sold online. “The reality is that cyber criminals are attracted to areas, products and services where there is money to be made and where there are masses of individuals, especially vulnerable ones — including children [and] the elderly,” Nurse says. “Fortnite provides a perfect mix of these factors.”

Epic’s apparent attitude to Check Point’s assistance may seem surprising, but there’s potentially some leftover tension after Google and Epic had a public spat in 2018. In August, Epic Games released an installer for the game bypassing Google’s official Play store for Android, requiring players to sideload the app and raising concerns from security experts.

Google’s own researchers swiftly spotted a flaw in the installer that could allow hackers to install dodgy software alongside the game. Google published the details sooner than Epic would have liked, though only after the developer had been notified and a patch was available, sparking a row between the companies.

“While it’s impossible to know what’s really going on, there might well be some left over ‘tension’ here between Fortnite and security researchers,” Nurse says. “It was not too long ago that Fortnite criticised Google’s security researchers for disclosing a security flaw in Fortnite too soon, according to Epic Games.”

There are other ways Fortnite players can avoid flaws such as the one spotted by Check Point being used against them or their children.

As ever, never click any link from an unknown origin, and teach any children in your life to do the same – especially if an offer sounds too good to be true. Also, sign up for two-factor authentication, which is offered by Epic Games but isn’t turned on by default, though Epic is actively encouraging Fortnite players to enable 2FA by offering free prizes including the “Boogiedown Emote”, 50 Armory Slots, 10 Backpack Slots, and one “legendary troll stash llama”. Security boost and a stash llama – what more could any Fortnite player want?


Why Amazon, Facebook and Google don’t need to spy on your conversations to know what you’re talking about.

Dr Jason Nurse from the School of Computing Cyber Security Research Group has written an article for The Conversation on why Amazon, Facebook and Google don’t need to spy on your conversations to know what you’re talking about.

If you’ve ever wondered if your phone is spying on you, you’re not alone. One of the most hotly debated topics in technology today is the amount of data that firms surreptitiously gather about us online. You may well have shared the increasingly common experience of feeling creeped out by ads for something you recently discussed in a real life conversation or an online interaction.

This kind of experience has led to suggestions that tech firms are secretly recording our private conversations via smartphones or other internet-connected devices such as smart TVs, Amazon Echo or Google Home. Or that they are reading our private messages even when they are supposedly encrypted, as with Facebook’s WhatsApp. If this were proven to be true, it would reveal a huge conspiracy that could do untold damage to the tech industry – which makes it seem somewhat far-fetched. But recent revelations about the degree to which Facebook users’ data has been shared certainly won’t help to convince people that the big firms aren’t spying on them.

Yet, there is another, more compelling reason for the incredibly relevant ads you see. Simply put, tech firms routinely gather so much data about you in other ways, they already have an excellent idea what your interests, desires and habits might be. With this information they can build a detailed profile of you and use algorithms based on behavioural science and trends found elsewhere in their data, to predict what ads might be relevant to you. In this way they can show you products or services that you’ve been thinking about recently, even if you’ve never directly searched for or otherwise indicated online that you’d be interested in them.

Firms invest heavily in gathering user data and do so in a number of clever ways. Social networks and other apps offer to store and share our uploaded data for “free” while using it, and the content we access and “like”, to learn about our interests, desires and relationships. And, of course, there is our search history, which can reveal so much about our current circumstances that Google data has even been used to spot the start of flu epidemics.

But it gets far creepier. Your personal email inbox is also fair game for tech firms. In 2017, Google said it would no longer analyse email content for the purposes of advertising, but recent reports suggest that other large firms still do this. New tech also provides another data source, be it wearables, smart TVs, other in-home smart devices or the smartphone apps that we have come to love. These can gather data on how you use your smart devices, who you contact, what you watch and for how long, other devices on your home network, or where you go.

It’s not just individual sites or devices that monitor your online behaviour. A massive ecosystem of advertisers and supporting companies is dedicated to tracking your activity across the internet. Sites commonly record what pages you look at by saving a small file called a “cookie” to your browser. And your activity across different sites can be matched by looking at your browser’s “fingerprint”, a profile made up of details such as your screen size, the version of the browser you’re using and what plug-in tools you have downloaded to use with it. Then, when you visit another website, an ad firm that has built a profile of you based on your cookies and browser fingerprint can load a “third-party script” to display ads relevant to your profile.
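The cookie-plus-fingerprint linkage described above, as an added example that is not part of the original article. A toy "ad network" receives page views from several first-party sites through its third-party script. It links each view to a profile by its own cookie when it has one and falls back to a hash of the browser details the script can read (screen size, browser version, plug-ins) when it does not, which is how a browser that has cleared its cookies is re-attached to its old profile. The browser attributes and site names are constructed.

```python
import hashlib
from typing import Dict, List, Optional


def fingerprint(attributes: Dict[str, str]) -> str:
    """Hash the browser details a script can read into one stable identifier.

    These inputs stand in for the ones the article lists (screen size, browser
    version, plug-ins); they change far less often than cookies, so the hash
    survives a cookie clear.
    """
    canonical = "\n".join(f"{k}={attributes[k]}" for k in sorted(attributes))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


class AdNetwork:
    """A third-party script's server, seeing visits from many first-party sites."""

    def __init__(self) -> None:
        self.profiles: Dict[str, List[str]] = {}   # profile id -> sites seen
        self.by_cookie: Dict[str, str] = {}        # tracker cookie -> profile id
        self.by_fingerprint: Dict[str, str] = {}   # fingerprint -> profile id

    def observe(self, site: str, cookie: Optional[str], attributes: Dict[str, str]) -> str:
        """Attach one page view to a profile and return the cookie to set.

        The cookie is tried first (exact and cheap); the fingerprint is used
        when the cookie is missing, re-linking a cleared browser to its profile.
        """
        fp = fingerprint(attributes)
        profile = self.by_cookie.get(cookie) if cookie is not None else None
        if profile is None:
            profile = self.by_fingerprint.get(fp)
        if profile is None:
            profile = f"profile-{len(self.profiles) + 1}"
            self.profiles[profile] = []
        self.profiles[profile].append(site)
        self.by_fingerprint[fp] = profile
        new_cookie = f"trk-{profile}"
        self.by_cookie[new_cookie] = profile
        return new_cookie


# Constructed sample data: two browsers, the first clears its cookies once.
BROWSER_A = {"screen": "1920x1080", "ua": "Browser/72.0", "plugins": "pdf,flash"}
BROWSER_B = {"screen": "1366x768", "ua": "Browser/72.0", "plugins": "pdf"}


def demo() -> Dict[str, List[str]]:
    """Four page views across three sites; returns the profiles the network built."""
    net = AdNetwork()
    c1 = net.observe("news.example", None, BROWSER_A)    # first visit: new profile, cookie set
    net.observe("travel.example", c1, BROWSER_A)         # cookie present: linked directly
    net.observe("shop.example", None, BROWSER_A)         # cookies cleared: re-linked by fingerprint
    net.observe("news.example", None, BROWSER_B)         # different device: separate profile
    return net.profiles


if __name__ == "__main__":
    for profile, sites in demo().items():
        print(profile, "->", sites)
```

The first browser ends up with a single profile spanning all three sites even though it cleared its cookies between the second and third visit; the second browser, with a different screen size and plug-in set, is kept apart. Changing any one attribute changes the fingerprint, which is why fingerprinting is only a fallback to the cookie and why the two are combined.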

Perhaps even more alarmingly, this tracking does not stop at online data. Tech firms are known to purchase data from financial organisations about user purchases in the real world to supplement their ad offerings. According to some reports, this includes information on income, types of places and restaurants frequented and even how many credit cards are present in their wallets. Opting out of this tracking and onward data sharing is incredibly difficult.

Even where you ask to opt out of this data gathering, your request might not be respected. An example is the uproar caused when it was discovered that Google tracks the location of Android users even when the location setting is turned off. Location data is one of the most useful for advertising and many firms, including Apple, Google and Facebook, track the location of individuals to use as input into their bespoke algorithms.

Putting the data together
To sum up with a simple example, imagine you have just started to think about where to go for your next holiday. You spend the morning visiting travel agents to discuss the latest deals and then visit your favourite restaurant, a popular Caribbean food chain, in the city. Excited about your potential trip, later that night you watch mostly TV shows on the tropics. The next day, your social media feed contains flight, hotel and tour ads with deals to Barbados.

This is a very real illustration of how data on your location, financial purchases, interests, and TV viewing history can be correlated and used to create personalised ads. While some might welcome holiday deals, it becomes much more worrying when we consider data gathering or ads targeting sensitive health issues, financial difficulties, or vulnerable people such as children.

The future of digital advertising is set to be as scary as it is intriguing. Even with new laws that try to protect people’s information, tech firms are constantly looking to push the boundaries of data gathering and algorithm design in ways that can feel invasive. It may yet be proven that some firms aren’t being honest with us about all the data they collect, but the stuff we know about is more than enough to build an alarmingly accurate picture of us.


Year In Computing Kickstart Lunch

Many students are keen to learn the tech skills that will make them stand out to a graduate employer, or simply want to learn more about computing for their own interests. The Year in Computing gives Kent students from any subject area* the opportunity to add a Year in Computing to their degree to help improve their skills and employability. This extra year can be taken after stage 2 or any subsequent year of your degree (including your final year).

Students interested in finding out more about the Year in Computing are invited to a kickstart lunch with FREE Pizza on Tuesday 22 January from 12.30 – 14.00 in Cornwallis South West, room 101. Please book a place at the kickstart lunch.

The ‘Year in Computing’ will be an addition to your current degree and it should be possible to extend your student finances for an extra year. You will not only learn coding and web skills, but also how to analyse data and how to make computer systems that people will find it easy to engage with.

The Year in Computing will be of particular interest to students if:

  • they are interested in studying computing AND their current degree,
  • they would like to get prepared for a career in tech,
  • they are interested in exploring the frontiers of their subject and computing,
  • they want to learn how to be creative with computing.

Kent graduate Allana Bailey, BA Economics and Politics with a Year in Computing, 2018, said ‘I never expected to be going into computing but I did the Year in Computing and enjoyed pretty much everything, and that is how I found my new career.’ Find out more in the video below.

More details are available at: www.cs.kent.ac.uk/ug/year-in-computing.html


*with the exception of students from the School of Computing and School of Psychology


Virtual queuing system aims to reduce impact of Operation Brock after Brexit

Developed by the University’s School of Computing and Kent Business School (KBS), this dynamic digital solution would manage cross-Channel traffic in ways similar to air traffic control at airports.

For example, during Operation Brock drivers would join the ‘queue’ as soon as they are ready to travel from anywhere in the country. When there are delays at the ports or Channel Tunnel they would then be advised to delay their journeys or take a break as soon as the delay is reported, often before they get to Kent. In effect the virtual queue can ‘hold’ hundreds of trucks at different locations across the country rather than physically in Kent.
The held trucks can then be ‘released’ in a managed way via an app or text message. The system could also enable penalties to be imposed upon those drivers who ignore the virtual queue.

The advantages of this system would be:
* Vehicles could be held across a number of locations
* Drivers in multiple locations can be told when to start travelling again
* All involved can be updated on the queue status
* Seamless queuing would enable better forecasting
* Ultimately the system could link to inland customs clearance.

The research is led by Professor Said Salhi and Dr Jesse O’Hanley from KBS, and Dr Dominique Chu from Computing. To ensure the long-term viability of the project, the team is seeking collaborative partners such as operators from the Kent Resilience Forum (whose members include Highways England, Eurotunnel, Port of Dover, Kent Police and Border Force), software providers and sector groups such as the automotive industry. The project came about following the Keep Kent Moving Forum at the University’s Canterbury campus during the summer of 2018.

As part of the Forum delegates were required to come up with digital innovations that would address the issues caused by Operation Brock. These include the expected delays and disruption that in the past have led to gridlock across Kent and the formation of Operation Stack to park lorries in Kent.

The researchers are now seeking data sets to start to establish and test the ideas, aiming for a trial and phased introduction during 2019.

The Dover sea crossing and the Channel Tunnel at Cheriton provide the highest-capacity route for freight to and from European countries. Up to 5,500 trucks per day cross from the UK to France.

Transport infrastructure is one of the key themes of the Kent Business Summit 2019 hosted by Kent Business School on the 11th January.


Bronze Award for School of Computing blog

The International Impact Award scheme has awarded The School of Computing a Bronze award for creating an internationally-focused blog.

The scheme, set up in 2016, seeks to recognise, promote and reward internationalisation-related activity and achievements within schools and departments at Kent.

This year’s scheme focused on school and departmental blogs and how their internationalisation ventures, achievements and strategic activities are categorised and presented through online relevant news stories.

Dr Anthony Manning, Dean for Internationalisation, said “This year, the standard was high and 14 schools entered from across the University. The great news is that this venture has now created a series of opportunities for updating the University’s range of audiences with Kent’s internationally-focussed news and it is great that the Computing blog is now an important part of that”.

Thanks to this achievement, the School was eligible for a £150 development award to contribute to the cost of enhancing the existing International Impact blog category, and will be presented with a commemorative certificate to display our success in January 2019.



Jason Nurse features in article in the Kentish Gazette on cybercrime

Dr Jason Nurse, from the School of Computing, featured in an article in the Kentish Gazette on Thursday 13 December on safeguarding yourself against the rise in online crime.

The article looks at some of the elaborate scams fraudsters use to trick unsuspecting victims out of millions of pounds in Kent each year, including a recent ‘sextortion’ scam in which the message quotes the recipient’s real password and claims to have taken over their webcam and accessed their social media accounts.

Jason commented ‘The cyber criminals of today use incredibly sophisticated methods. They run it like a proper business and the amounts of money they stand to make are incredible’.

The article also looks at how to avoid cybercrime and offers advice from Get Safe Online, a public/private sector organisation supported by the government and leading organisations in banking, retail, internet security and other sectors, and raises concerns around oversharing on social media.

The full article is available in the Kentish Gazette published on Thursday 13 December and online at www.kentonline.co.uk/kent/news/sextortion-scam-warning-195357/


Athena SWAN award presented to School

The School of Computing has been presented with a bronze Athena SWAN award for gender equality work at a ceremony at the University of Southampton. The award formally recognises the School’s commitment to advancing gender equality: representation, progression and success for all, students and staff, in academic and professional roles.

Head of School Professor Richard Jones, and School Administration Manager Amanda Ollier received the award at a ceremony on Monday 10 December. The award was presented by Professor Helen Beebee, Samuel Hall Professor of Philosophy at the University of Manchester and an Athena SWAN Patron. Congratulations also go to Mark Batty and his team who put a lot of effort into the School’s submission.

Richard said: “As computer scientists, we recognise the unequal representation of women at all levels, in both our industry and academia. Here at Kent, we are determined to change this. For example, our innovative Year in Computing is encouraging more women into our discipline – 56% of the students in 2017/18. I am delighted that some of the steps we are taking have been recognised with this award.”

There were also awards for the University of Kent’s School of Psychology, School of Engineering and Digital Arts and School of Social Policy, Sociology and Social Research as well as other universities and departments from across the UK.


School of Computing postgraduate students raise a glass to celebrate their graduation

The sun was shining and the town was buzzing with anticipation on Friday 23 November as hundreds of Kent University students made their way to Canterbury Cathedral to receive their diplomas.

Following the ceremony, over 100 people including academics, students and their families gathered at Café Rouge for the School of Computing graduation party.

Professor Richard Jones, Head of School, welcomed everyone and was delighted to award the School of Computing Prize for best overall performance. The prize was given to three exceptional postgraduate students: Maxime Agor, MSc Networks and Security, who achieved 81%; Dorota Oleszczuk, MSc Computer Science, who achieved 84.1%; and Ali Hariri, MSc Advanced Computer Science, who achieved 85%.

Maxime said “I chose to do a masters at Kent both because of the high quality teaching and the intercultural aspect. I was both surprised and delighted to receive this prize, after what happened to be the most exciting year of my life”.

Ali Hariri commented “I would have never achieved what I achieved without the support and guidance of the staff of the school of computing. They are very knowledgeable and I will forever be grateful to them. My advice to the upcoming students: with enough time and effort, one can achieve anything, so just believe in yourselves and work hard!”

Congratulations to all the students.


Privacy and the AI-enabled smartphone spy

Professor Ian McLoughlin from the School of Computing Data Science Research Group has written an article for The Conversation on what AI-enabled smartphones can learn from the sound of your speech.

The vast majority of people in developed countries now carry a smartphone everywhere. And while many of us are already well aware of privacy issues associated with smartphones, like their ability to track our movements or even take surreptitious photos, an increasing number of people are starting to worry that their smartphone is actually listening to everything they say.

There might not be much evidence for this but, it turns out, it isn’t far from the truth. Researchers worldwide have begun developing many types of powerful audio analysis AI algorithms that can extract a lot of information about us from sound alone. While this technology is only just beginning to emerge in the real world, these growing capabilities – coupled with its 24/7 presence – could have serious implications for our personal privacy.
Instead of analysing every word people say, much of the listening AI that has been developed can actually learn a staggering amount of personal information just from the sound of our speech alone. It can determine everything from who you are and where you come from, your current location, your gender and age and what language you’re speaking – all just from the way your voice sounds when you speak.

If that isn’t creepy enough, other audio AI systems can detect if you’re lying, analyse your health and fitness level, your current emotional state, and whether or not you’re intoxicated. There are even systems capable of detecting what you’re eating when you speak with your mouth full, plus a slew of research looking into diagnosing medical conditions from sound.

AI systems can also accurately interpret events from sound by listening to details like car crashes or gunshots, or environments from their background noise. Other systems can identify a speaker’s attitude in a conversation, pick up unspoken messages or detect conflicts between speakers. Another AI system developed last year can predict, just by listening to the tone a couple used when speaking to each other, whether or not they will stay together. These are all examples of current AI technology developed in research labs worldwide.

All of these technologies – no matter what they’re trying to learn about you – use machine learning. This involves training an algorithm with large amounts of data that has been labelled to indicate what information the data contains. By processing thousands or millions of recordings, the algorithm gradually begins to infer which characteristics of the data – often just tiny fluctuations in the sound – are associated with which labels.

For example, a system used to detect your gender would record speech from your smartphone, and process it to extract “features” – a small set of distinct values that compactly represent a bigger speech recording. Typically, features represent amplitude and frequency information in each successive 20 millisecond period of speech. The way that these fluctuate over time will be slightly different for male or female speech.

Machine learning systems will not only look at those features, but also how much, how often, and in which way the features change over time. While the recording happens in the smartphone itself, clips are sent to internet servers which will extract features, compute their statistics, and handle the machine learning part.
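The feature pipeline described in the last two paragraphs, as an added example that is not from the original article. It frames a signal into the 20 millisecond windows mentioned above, extracts an amplitude feature (RMS energy) and a cheap frequency feature (zero-crossing rate) per frame, and then computes the statistics a learning system would actually consume: how much, how often and how the features change over time. The "speech" is a constructed stand-in, a tone whose loudness swells and fades, and the 8 kHz sample rate is an assumption; no classifier is trained here, only the features it would see.

```python
import math
from typing import Dict, List

SAMPLE_RATE = 8000                              # assumed telephone-quality sampling rate
FRAME_MS = 20                                   # the article's 20 millisecond analysis window
FRAME_LEN = SAMPLE_RATE * FRAME_MS // 1000      # 160 samples per frame


def frame_features(frame: List[float]) -> Dict[str, float]:
    """Two simple features for one frame.

    rms: the frame's amplitude (how loud it is).
    zcr: zero-crossing count, a cheap proxy for the dominant frequency;
         a tone at f Hz crosses zero about 2*f times per second.
    """
    rms = math.sqrt(sum(x * x for x in frame) / len(frame))
    zcr = sum(1 for a, b in zip(frame, frame[1:]) if (a < 0) != (b < 0))
    return {"rms": rms, "zcr": float(zcr)}


def extract(signal: List[float]) -> List[Dict[str, float]]:
    """Cut the signal into consecutive 20 ms frames (a partial tail is dropped) and featurize each."""
    n_frames = len(signal) // FRAME_LEN
    return [frame_features(signal[i * FRAME_LEN:(i + 1) * FRAME_LEN]) for i in range(n_frames)]


def summarize(frames: List[Dict[str, float]], name: str) -> Dict[str, float]:
    """Statistics over time for one feature: level, spread and frame-to-frame movement.

    This is the 'how much, how often and in which way the features change'
    that a learner is trained on, compressed from hundreds of frames to a few numbers.
    """
    values = [f[name] for f in frames]
    mean = sum(values) / len(values)
    var = sum((v - mean) ** 2 for v in values) / len(values)
    deltas = [abs(b - a) for a, b in zip(values, values[1:])]
    return {
        "mean": mean,
        "std": math.sqrt(var),
        "mean_delta": sum(deltas) / max(len(deltas), 1),
    }


def synth_voice_like(freq_hz: float, seconds: float = 1.0, rate: int = SAMPLE_RATE) -> List[float]:
    """Constructed stand-in for speech: a tone whose loudness swells and fades 4 times a second."""
    n = int(seconds * rate)
    return [
        (0.6 + 0.4 * math.sin(2 * math.pi * 4 * t / rate)) * math.sin(2 * math.pi * freq_hz * t / rate)
        for t in range(n)
    ]


if __name__ == "__main__":
    for label, f0 in (("lower voice", 120.0), ("higher voice", 220.0)):
        frames = extract(synth_voice_like(f0))
        print(label, "frames:", len(frames))
        for name in ("rms", "zcr"):
            print("  ", name, {k: round(v, 3) for k, v in summarize(frames, name).items()})
```

One second of audio becomes 50 frames, and each frame becomes two numbers; the summary then reduces those to a handful of statistics per feature. The higher-pitched signal shows a clearly higher mean zero-crossing rate, while the swelling loudness shows up as a non-zero spread and frame-to-frame change in RMS. Real systems use richer spectral features than these two, but the shape of the pipeline, frame, featurize, summarize over time, is the same.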

AI was first created to perform conceptual tasks normally requiring human intelligence. At the moment, most AI systems perform analysis and understanding tasks, which means they provide information for humans to act on, rather than acting automatically.
For example, audio AI systems for road monitoring can alert traffic controllers to the sound of a vehicle crash, and audio-based medical diagnosis AI would alert a doctor about findings of concern. But a human would still have to make a decision based on the information provided to them by the AI.

But new AI technologies are changing. Many AI systems are starting to exceed human capabilities, with some devices even able to act without human intervention. Amazon Echo and Google Home are both examples of AI that has thinking abilities. This kind of AI can respond to commands directly and can also act on these commands, like when we ask Alexa to turn on the lights or draw our smart curtains.

While most AI systems today are designed to assist people, in the wrong hands, these technologies could look more like the Thought Police from George Orwell’s 1984. Audio (and video) surveillance can already detect our actions, but the AI systems we have mentioned are starting to detect what is behind those actions – what we’re thinking, even if we never speak it aloud.

Most tech firms say their devices don’t record us unless we command them to, but there have been examples of Alexa making recordings by mistake. And researchers have shown that it doesn’t take much to turn your phone into a permanent microphone. It may only be a matter of time before advertisers and scammers start to use this technology to understand exactly how we think, and target our private weaknesses.

Organisations like the World Privacy Forum, Fight for the Future and the Electronic Frontier Foundation are working to ensure people have the right to privacy from digital sensing systems, or have the right to opt out from commercial surveillance. In the meantime, when you next install an app or a game on your smartphone and it asks to access all sensors on your device, just remember what you are potentially signing up to.

These data collectors could learn to understand you as well as your closest friend and probably better, because your phone travels everywhere with you, potentially listening to every sound you make. But while we can trust a true friend with our life, can we say the same for those who are collecting our data today?

Ian McLoughlin, Professor of Computing, Head of School (Medway), University of Kent

This article was originally published on The Conversation. Read the original article.


PhD students to attend Google summit in Munich

Three PhD students from the School of Computing have been accepted to attend Google’s 6th Compiler and Programming Language Summit. Hrutvik Kanabar, Joanna Sharrad and Nicolas Dilley will attend the summit in Munich, Germany from 3-5 December 2018.

At the summit, Google engineers will share highlights of Google’s latest research in the area of programming language implementation and how this research is applied to compilers and language tooling at Google. The event will be a unique opportunity to explore cutting-edge compiler and programming language technology in depth and to network with engineers working on these topics in industry. The summit is designed to create a close, collaborative environment and facilitate a dialogue between students and Google engineers.

Nicolas Dilley said ‘I am very glad to attend this event because I will meet other PhD students from all over the world that are currently working on projects very similar to mine. I will also attend many tech talks given by Google’s researchers about their current research and developments. In addition, I always wanted to visit Germany!’
