In a series of papers, we studied the security of Siemens PLC systems. We first showed that it is possible to fakely and stealthily download any control program into Siemens PLCs, bypassing cryptographic protections (with a variant of HMAC-SHA256 under a supposedly secret key). We could even download a fake executable unrelated to the downloaded source program, thus disabling the ability of the PLC engineers to identify the fake program even if they suspect the PLC behaviour. Following Siemens recommendations to protect against these attacks by using passwords, we studied the passwords schemes and found various vulnerabilities in some versions of the PLCs. A major protection step made by Siemens was to use TLS instead of the Siemens home-grown cryptographic protection. This change seems a good practice in general, but have several weaknesses. One is the long upgrade cycle of firmware in PLCs once a vulnerability is found, which makes any standard (complex) IT software installed on the PLC a security threat. Moreover, we show that the TLS protection allows attacker to perform new strong attacks which were not possible in the home-grown cryptographic version. Last but not least, in a recent openPLC product Siemens use Intel processors that run the (encrypted) PLC firmware and Windows OS on different cores of the same processor, under an hypervisor. Unfortunately, nothing prohibits an attacker to run his own fake version of the PLC firmware. We conclude that the whole security ecosystem and security assumptions of PLCs should be revisited - the currently existing protection schemes do not address the real threats on PLCs. In another work we proposed a framework for a cryptographic protection of PLC communications.

https://cl-cam-ac-uk.zoom.us/j/95369109192?pwd=T0xLb1BkS2ZKdGJUYWd4VEtNOXl4UT09

We are seeing the increasing trend of mobile app evidence in reported cases in the US and globally. Our prior study on the global app markets showed that real-world mobile apps have exceeded 8 million, and many apps have been frequently updated. Commercial mobile device forensic toolkits, such as Cellebrite UEFD, can help physically acquire, search, and recover evidence and reporting. However, most crime labs suffer significantly large backlogs due to an overly-long investigation process (often takes one or two days of an investigator’s efforts per device. Average of 40-80 apps on a device). The Lack of expert knowledge on many of these apps has led to the inability to identify and discover evidence, sometimes misunderstanding the evidence, which resulted in error-prone investigations, subsequently contributing to large backlogs in crime labs. Most existing tools demand the investigators to have the expertise and related experience to utilize them, and the investigative results often heavily depend on the experience and knowledge level of the investigator. With the support of NIST, CSAFE, and many crime labs, we have developed EviHunter, a set of toolkits to simplify and automate the mobile device investigation process with better guarantees in terms of completeness and accuracy. EviHunter leverages taint analysis to retrieve the information flow within an app from source APIs to sink APIs to deliver detailed, accurate, and timely findings of digital evidence stored in the local file system or from a third-party cloud server (e.g., Google/Amazon/Microsoft). Our dynamic EviHunter modified the Android OS and forced the system always enter an interpreter mode where we have inserted taint propagation code inside to follow the data flow in an app. We have cross-validated the analysis result from static and dynamic EviHunter, and are building the integrated results into the Android app forensic artifacts database. With it, practitioners can hopefully reduce the investigation of one device to 20 minutes of work with repeatable and verifiable guarantees. At the end of the talk, we will discuss several future directions this line of research can lead to. We also briefly discuss other interesting forensic, security, and privacy research issues and efforts.

https://us02web.zoom.us/j/87089391869?pwd=NFVLWEY1YUZWRXZ6eUpHU1ZFKzBCZz09

RECORDING: Please note, this event will be recorded and will be available after the event for an indeterminate period under a CC BY -NC-ND license. Audience members should bear this in mind before joining the webinar or asking questions.

The Dark Web has always been a domain of interest for cybersecurity researchers looking to gain insight into emerging cybercriminal activities such as the sharing of illegal content, scams, malware, etc. As studies on the Dark Web commonly require textual analysis of the domain, language models specific to the Dark Web may provide valuable insights to researchers. In this talk, we begin with a brief introduction to the Dark Web, followed by analysis of the Dark Web text using NLP techniques to uncover some characteristics of how language might be used in the Dark Web. We then introduce DarkBERT, a language model pretrained on Dark Web data, and illustrate the benefits that a Dark Web domain specific model like DarkBERT can offer in various use cases.

https://cl-cam-ac-uk.zoom.us/j/97899232400?pwd=UnBScWlzSTRWOHZ6VC8yRGhLZ1ozZz09

Meeting ID: 978 9923 2400
Passcode: 968971

RECORDING : Please note, this event will be recorded and will be available after the event for an indeterminate period under a CC BY -NC-ND license. Audience members should bear this in mind before joining the webinar or asking questions.

The talk presents challenges facing the study of machine unlearning. The need for machine unlearning, i.e., obtaining a model one would get without training on a subset of data, arises from privacy legislation and as a potential solution to data poisoning. The first part of the talk discusses approximate unlearning and the metrics one might want to study. We highlight methods for two desirable (though often disparate) notions of approximate unlearning. The second part departs from this line of work by asking if we can verify unlearning. Here we show how an entity can claim plausible deniability, and conclude that at the level of model weights, being unlearnt is not always a well-defined property.

https://us02web.zoom.us/j/86904015028?pwd=cmkwUVRkU25JdGlXS1VFVEI3cm1Mdz09
Meeting ID: 869 0401 5028
Passcode: 416566

RECORDING : Please note, this event will be recorded and will be available after the event for an indeterminate period under a CC BY -NC-ND license. Audience members should bear this in mind before joining the webinar or asking questions.

The Nym mixnet is a next-generation continuous time mixnet based on the Loopix design that aims to defeat global passive adversaries capable of observing all network traffic while at the same time maintaining high performance and availability. We will present the system as a whole, including its blockchain-based directory authority and token-based incentive scheme, as well as differences from the original Loopix design that came about during the course of implementation. We will also present for the first time an unpublished head-on comparison in both a closed world and open world setting to Tor.

https://cl-cam-ac-uk.zoom.us/j/92080380023?pwd=YnA0SThaVXVhWG51OVRJMUdFMjhndz09

RECORDING : Please note, this event will be recorded and will be available after the event for an indeterminate period under a CC BY -NC-ND license. Audience members should bear this in mind before joining the webinar or asking questions.

_INCELs_(involuntary celibates) are predominantly males with a grievance that women refuse to have sexual relationships with them because of their perceived genetic inferiority. _INCELs_ are radicalised online and have been spreading misogynistic, hateful, and violent messages across various technology platforms. A growing number of _INCELs_ have taken their extremism offline by carrying out mass killings. This presentation demonstrates the dangers posed by _INCELs_. Discussion will also center on methods to detect those who pose the greatest threat to society and to prevent further violence.

https://cl-cam-ac-uk.zoom.us/j/91917840425?pwd=czlyNEVBTGUzdGkva0FVRVBjMGcwZz09

RECORDING : Please note, this event will be recorded and will be available after the event for an indeterminate period under a CC BY -NC-ND license. Audience members should bear this in mind before joining the webinar or asking questions.

We conducted field experiments before and after the invasion of Ukraine to test the effectiveness of sanctions designed to exclude specified Russian government officials from the international financial system. Researchers impersonated sanctioned individuals and made email solicitations to intermediary firms to establish shell companies and set up corporate bank accounts. Results of responses to the sanctioned names are compared to equivalent solicitations from non-sanctioned individuals in an innocuous placebo condition. If sanctions are effective, private-sector intermediaries should be much less willing to do business with the sanctioned names, relative to the low-risk placebo names, and should also conduct stricter due diligence. The first round of the experiment was implemented before the Russian invasion of Ukraine. The second round was in May of 2022, a few months after the invasion. The pre-invasion approaches from sanctioned names could get access to the financial system almost as easily as the low-risk unsanctioned individuals, suggesting sanctions were ineffective. In contrast, in the post-invasion round, solicitations from sanctioned names were far less likely to receive a response than those from low-risk unsanctioned individuals, suggesting that the sanctions had become much more effective, even though the relevant sanctions law had not changed.

https://cl-cam-ac-uk.zoom.us/j/98480499865?pwd=VldzSU0wWGpYOEhvcWtIMC9GMW42QT09

RECORDING : Please note, this event will be recorded and will be available after the event for an indeterminate period under a CC BY -NC-ND license. Audience members should bear this in mind before joining the webinar or asking questions.

The criminal justice (CJ) system has embraced the use of algorithmic tools. They are employed as decision aids, from policing to parole decisions. This may bring benefits such as improved efficiency and consistency, but also raises many concerns. We will discuss the gap between the promised benefits and what is happening in practice, highlighting challenges around data, ethics, and regulations.

On the data front, a key limitation of current ML for CJ research is overfocus on only a few datasets like COMPAS. Moreover, domain context is rarely taken into account even for these datasets. We will discuss our work on enabling researchers to 1) better utilise existing CJ datasets, and 2) create new datasets using human-machine cooperation. The latter relates to our effort to increase transparency in the UK court system by making trial transcripts amenable to quantitative research.

The cybercrime industry is characterised by work specialisation to the point that it has become a volume industry with various “as-a-service” offerings. One well-established “as-a-service” business model is blackmarket pay-per-install (PPI) services, which outsource the spread of malicious programmes to affiliates. Such a business model represents the archetype of specialisation in the cybercrime industry: a mass of individuals, known as affiliates, specialise in spreading malware on behalf of a service. Extant literature has focused on understanding the scope of such a service and its functioning. However, despite the large number and aggregate effect of affiliates on cybercrime, little research has been done on understanding why and how affiliates participate in such models. This talk summarizes a study that depicts the motivations and challenges of affiliates spreading Android banking Trojan applications through a blackmarket PPI service. In short, we conducted a thematic analysis of over 6,000 of their private chat messages. The findings highlight affiliates’ labour-intensive work and precarious working conditions along with their limited income, especially compared to their expectations. Affiliates’ participation in cybercrime was found to be entangled between legal and blackmarket programmes, as affiliates did not care about programmes’ legal status as long as they yielded money. This study contributes to the literature by providing additional evidence on the downsides of work specialisation emerging from the cybercrime industry.

When staff at a critical national infrastructure organisation were recently polled to associate a word with infosec, they chose “fear”. This is a talk about fear and failures - unavoidable and avoidable - their systemic and institutional causes, and how to overcome them. Using case studies from large organisations such as the civil service, aviation, CNI, and media, I will discuss the role of security engineering, purple team operations, threat and compliance. Drawing from experiences as a head of information security/chief information security officer, I attribute poor organisational security to failures in correctly interplaying people, processes, and technology. I will discuss issues such as why user access is breached despite multi-factor authentication and dedicated identity and access teams; why legacy technology remains misunderstood, and friction in patch management; how to know you’ve hired the right (or wrong) expertise, and why we still get hacked despite all the right intentions, if not the right incentives. I will explore third-parties and supply chains, deploying security tools, disjointed processes undermining secure behaviours, the perils of confusing regulation as a threat model for security, incident management and reactive security, as well as why boards struggle to care about information security, and how to make them.

Crime creates demand for insurance but supplying insurance can inadvertently promote crime. How do insurers reduce uncertainty, pay-outs, and their exposure to extreme and correlated losses from crime? And how do criminals respond to insurers’ attempts to “manage” crime? In this paper we conceptualize insurance and certain types of crime as binary stars, co-evolving as each side innovates and responds to the other side’s innovations. We examine this in five case studies: auto theft, art theft, kidnap and hijack for ransom, ransomware, and payment card fraud. We find that insurers counter criminal innovations that challenge profits by engaging with insureds and third parties: to reduce criminal opportunities, limit damage, salvage stolen property and cap criminal profits. They also increase the risk of detection, capture, and conviction of criminals that defy the (implicit) rules of the game. Across the case studies, “insurance as crime governance” follows a market logic: it erects barriers to opportunistic crime and engages in strategic interaction with sophisticated and organized crime. Insurance tolerates crime if prevention is costlier than covering losses and avoids covering non-profit-motivated crimes.

In this talk, I set out an emerging phenomenon in UK law enforcement - the use of digital ‘nudge’ communications campaigns to achieve strategic policing and security goals. Over the last year, we have studied the use of these campaigns by a single force - Police Scotland - in depth, drawing on empirical research conducted with their dedicated strategic communications team. These campaigns, which involve extremely targeted digital communications designed to directly ‘nudge’ behaviour and shape the culture of particular groups, began in counter-radicalisation as part of the UK’s Prevent programme, but have since moved into a range of other policing areas, from hate crime and domestic violence to knife crime and cybercrime. I set out the historical context of these campaigns in the UK, from their roots in social marketing, through the various iterations of the Prevent strategy, the rise of algorithmic digital marketing infrastructures and surveillance capitalist platforms, and their subsequent transfer from counter-terror policing to a range of other areas. Our study explores the developing institutional and professional arrangements around these campaigns in Police Scotland and the wider UK through interviews and document-based research, drawing on case studies of campaigns across a range of areas. Taking these together, we theorise the rise of influence policing as an embryonic but rapidly emerging domain of police practice, and discuss the ethical, institutional, and democratic implications for the future of law enforcement in the UK.

Ben Collier is Lecturer in Digital Methods at the Institute of Science, Technology, and Innovation Studies at the University of Edinburgh. His research focuses on digital infrastructure as a site of power and resistance, including mixed-methods studies of cybercrime communities, law enforcement engagements with Internet infrastructure, and an upcoming book with MIT Press which maps a cultural history of the Tor anonymity network.