Each year, a number of students who submitted outstanding project dissertations are invited to write short white papers for the general IT public. These articles are those which best present research in an area of information security of interest to information security managers and professionals. These projects are re-written as short articles for a general audience and published online by Computer Weekly. The articles are listed below, and the full projects are published as technical reports.
- Driverless Vehicle Security for Military Applications, by Nicola Bates (supervised by Raja Naeem Akram).
In this article Nicola Bates discusses whether the civilian autonomous vehicle security frameworks are suitable for military logistics autonomous vehicles, and examines the threats considered from the point of view of an enemy so as to identify critical weaknesses and countermeasures. The Computer Weekly article can be found here.
- Lessons on Catastrophe: Differences and Similarities between Cyber and other forms of Risk, by Rob Champion (supervised by Carlos Cid).
Organisations may turn to cyber insurance to cover a portion of their enterprise risk. In this article Rob Champion summarises high level findings on a practical model that could be used in lieu of actuarial data. The Computer Weekly article can be found here.
- Secure Connected and Autonomous Vehicles: The Long Road Ahead, by Juliet Flavell (supervised by Paul Dorey).
The emergence of connected and autonomous vehicle is an exciting trend. In this article Juliet Flavell discusses some of the requirements, constraints and challenges, and areas of uncertainty in this technology. The Computer Weekly article can be found here.
- Rowhammer: From DRAM Faults to Escalating Privileges, by Jan Kalbantner (supervised by Konstantinos Markantonakis).
In this article Jan Kalbantner describes a widespread attack based on a hardware vulnerability, and discusses what paths future research might take to mitigate variants of this attack. The Computer Weekly article can be found here.
- Man Proposes, Fraud Disposes, by Tony Leary (supervised by Geraint Price).
In this article Tony Leary dissects the 2017 incident where the ‘WannaCry’ ransomware infected 32 National Health Service trusts in England and discusses the principal causes. The Computer Weekly article can be found here.
- A Novel Approach to Clustering Malware Behaviour to Improve Malware Detection, by Rebecca Merriman (supervised by Daniele Sgandurra).
Connected devices suffer from malware infection and one of the defences against this is the detection of malware using clustering algorithms. Rebecca Merriman studies the accuracy of such algorithms in this article and discusses factors that might affect the results. The Computer Weekly article can be found here.
- Purple Team Playbook: Threat Modeling for Security Testing, by Felisha Mouchous, (supervised by Daniele Sgandurra).
In this article Felisha Mouchous proposes a threat modelling and security testing framework to allow organisations to leverage existing data to identify gaps in defences and understand threat actor behaviour. The Computer Weekly article can be found here.
- An Enhanced Approach for USB Security Management, by Daniyal Naeem (supervised by Keith Mayes).
In this article Daniyal Naeem outlines a strategy to identify what security attributes a good USB security management system must have, and compares the new strategy with established methods. The Computer Weekly article can be found here.
20 years of Bleichenbacher’s attack, by Gage Boyle (supervised by Kenny Paterson).
In this article, Gage Boyle investigates how even the most reputable websites may be exposed to a 20-year-old attack if HTTPS is not properly implemented, and describes some recommendations of steps to prevent this.
The Computer Weekly publication can be found at: https://www.computerweekly.com/ehandbook/The-exploitation-of-flaws-in-the-HTTPS-protocol
Rethinking the cybersecurity of consumer Internet of Things (IoT) by Joo-Huat Ng (supervised by Robert Coles).Here, Joo-Huat Ng describes how innate psychological factors can influence the thinking process of consumers when assessing the cybersecurity risk of IoT, and how this perception eventually leads consumers and enterprises to make economic decisions that harm the security of the internet. The computer weekly publication can be found at
How long does it take to get owned? by David Wardle (supervised by Jorge Blasco Alis).
In this article, David Wardle uses fake "honey identities" and a monitoring infrastructure to study how quickly a stolen credential is used by an unauthorised person, and what activities this person might be interested in.
The Computer Weekly publication can be found at https://www.computerweekly.com/ehandbook/How-long-does-it-take-to-get-owned.
Can I trust my neighbours?: Proving ownership of IPv6 addresses by Colin Putman (supervised by Chris Mitchell)
In this article, Colin Putman describes one of the key weaknesses in the Neighbour Discovery Protocol of IPv6. This protocol is vulnerable to address-spoofing attacks within the same network, and Colin explains the deficiencies in the cryptographic methods which were introduced to prevent these attacks, and gives examples of how they can be improved, justifying the need for a new, unified improvement of the protocol.
The Computer Weekly publication can be found at https://www.computerweekly.com/ehandbook/Proving-ownership-of-IPv6-addresses
Digital Secure Remote Payment: How Apple Pay can change the future of remote payments, by Marcel Fehr (supervised by Konstantinos Markantonakis).
In this article, Marcel Fehr considers the role of Apple Pay's
digital secure remote payment in the future of digital payments that
bridges device boundary, supporting not only mobile in-app purchases
but also connected devices.
GDPR: Risk, opportunity and what it means for security professionals, by Neil Fraser (supervised by Geraint Price).
Here, Neil Fraser discusses why the EU General Data Protection Regulation (GDPR) is necessary, what it means for security professionals, and how it can be approached from a positive perspective.
Demystifying the myths of public cloud computing, by Christopher Hodson (supervised by Geraint Price).
In this article, Christopher Hodson looks into the constituent components of public cloud ecosystems and assesses the service models, deployment options, threats and good practice considerations.
The IoT BattLE, by Jennifer Janesko (supervised Jorge Blasco Alis).
Bluetooth Low Energy (BLE) is a wireless protocol designed to consume
very little power, and is increasingly implemented in more sensitive
devices. In this article, Jennifer Janesko provides a set of security
guidelines, tools and considerations for anyone within an organization
who is considering acquiring, implementing or using BLE-enabled devices.
A study on the security aspects and limitations of mobile payments using Host Card Emulation (HCE) with Near Field Communication (NFC), by Shana Micallef (supervised by Konstantinos Markantonakis).
As smartphones with NFC capabilities are gradually becoming one of the preferred methods over credit cards in contactless payments, Shana Micallef presents in this article a set of risks associated with using smartphones for contactless payment transactions.
The difficulties of defending against web tracking, by Darrell Newman (supervised by Geraint Price)
In this article, Darrell Newman introduces web tracking, provides an overview of how organisations track users, and discusses a few of the difficulties one may face when trying to defend against it.