
Showing posts from 2022

Black Hat Europe 2022 Report: Benjamin Bencina

Below we hear from first-year CDT students Benjamin Bencina and Shubham Pawar, who attended Black Hat, which was held in London in early December.

At the beginning of December, Shubham Pawar and I had the pleasure of attending Black Hat Europe, the European (including the UK) rendition of the internationally recognised cyber security event Black Hat. The event was hosted in London this year, and I’ve been following the research presented at Black Hat for a few years now, so there was no excuse not to attend. Luckily, our advisor Martin helped us get free student passes, since we were not there to present our own work, but mainly to indulge our curiosities. The briefings were scheduled over two days, each day beginning with a keynote and ending with a locknote, where various Black Hat veterans and cyber security practitioners tried to capture and discuss the current state of cyber security, and pave the way forward. While we were mostly interested in the briefings themselves, it was sti

Norway Trip: Erin Hales

At the end of October, I went to Bergen for a week-long research visit to Simula UiB. I was visiting two collaborators to work on a research project which came out of discussions at the Edinburgh summer school that I organised together with Joe and Rachel this summer. It was great to visit Norway again, after being in Trondheim earlier this year for Eurocrypt. This time, however, it was much colder, and quite a bit darker too! It's great to be able to travel again and visit other researchers, especially those at a similar stage of research to me. Having collaborators and friends around the world is like a bigger version of the cohorts we have in the CDT. We discussed our research ideas, and broke several of them. It's much easier to argue about how the secret keys are distributed when you're in the same room with a whiteboard in it, as well as plentiful cups of tea! As well as getting lots of work done, I was able to participate in the Norge Kryptoseminar, or the Norwegian

Friendships – the hidden key to doing a PhD: Laura Shipp

Nearly two weeks ago, I handed in my PhD after five years within the CDT. The experience has been so varied both in activities and the things that life has thrown at me since I began. Overall, it has been a good experience with some difficult points, but I feel so relieved and proud to have got here. The day before I handed in I had to work on writing my acknowledgements. In my head, this signified that the journey was coming to an end and allowed me to reflect along the whole process. Writing those acknowledgements made me realise how much I have needed my friendships in order to get to the finish line. It made it clear how much I have relied on this form of support along this journey and how thankful I was for this. PhDs can often be passion projects. Many people pour their time, effort, frustrations, tears, and a lot else into their thesis. This was very much the case for me and at times, I felt like the thesis could swallow me whole. At other points it was frustrating or draining.

Reflections on our first year in the CDT: Students from the 2021 Cohort

Students from our 2021 cohort recently enjoyed their viva session in which they had the opportunity to present their summer project and officially mark the end of the taught component of their course and embark on the research phase. This viva session is always a highlight for us and this year was no exception. The variety of talks was inspiring and there were some superb presentations, with speakers delivering their talks in a calm, measured style! Below, we hear from some of the 2021 cohort who have written a short article about their first year experience and the move to the research phase of their PhD:

Cherry Jackson

Introduction

Having now completed the first year of a PhD through Royal Holloway's CDT, it is hard to fathom how most PhD students just simply throw themselves into the choppy waters of academia. The first year provided a flotation device. Without the opportunity to dip a toe into the programme, gather my bearings and try out different routes, I suspect I would

At the beginning of our time in the CDT: 2022 Cohort

As a cohort of 13 students, the first few weeks of entering the CDT have been hectic but immensely fascinating. We all came into the CDT for different but related reasons. Evidently, we all have a strong interest in cybersecurity, but the focus of that interest really varies. Some of us have an interest in the social and political elements of cybersecurity, whereas others thrive on theoretical and applied cryptographic questions, malware analysis, and systems design. While in a standard 3-year PhD our interests may intersect and overlap in passing, the structure of the CDT allows for us to directly confront and take on each other’s strengths, thus changing the way that we will likely see our own research methods and interests in the future. For example, social scientists in the cohort get to benefit from the complex knowledge bases of the more technically minded researchers, and the more technically minded researchers get to explore the expanded toolkit of methods and research framewo

WOOT & IEEE S&P: Jordy Gennissen

A while back, I had the pleasure of joining IEEE Security & Privacy (S&P / Oakland) and the Workshop On Offensive Technologies (WOOT) on behalf of Royal Holloway. In part, this was to present my latest research project at WOOT: an online puzzle game where solutions off-load exploit writers and aid vulnerability severity analysis. In S&P, Royal Holloway presented multiple more projects. Guido from the S3Lab presented his work on the formal analysis of web payment APIs. Through their analysis, they found two vulnerabilities that could be leveraged by online vendors to overcharge the customer, e.g. by forcing to pay the required amount with multiple payment methods. The vulnerabilities have been acknowledged and patched, making the world a safer place. We also had a great (online) presentation from Lenka on security properties of Telegram. They studied the non-conventional symmetric cryptography used in Telegram under normal usage, exploited the flaws, and both propose a fix

My CDT Journey: James Patrick-Evans

Prior to joining the CDT, I was finishing my Masters in Electronic Engineering and working at an industry placement one day per week. The short time I had working in industry was great fun. I’d met lots of interesting people and found a great team of exceptional colleagues to co-develop my skills with. My decision to apply and join the CDT programme was based on the amazing opportunities it provided. A funded venture, to pursue my own research ideas and collaborate with a cohort of world-class researchers with similar interests was too big of an opportunity to miss. Whilst my industry work was interesting and deepened my skillset, it was mainly applied work. I re-used components developed by other people and glued them together to create new applications. It was fast-paced and exciting, but never completely novel. I had a passion to give back to the open-source community and create something original for myself. The CDT structure allowed me to spend the first year exploring many av

A summer with Stephanie Itimi

Third year CDT student Stephanie Itimi has had a busy start to the summer, promoting Seidea (a career development platform she formed aimed at helping black and ethnic minorities build a career in cyber security), speaking at conferences and visiting Senegal! Catch up with her great interview with peepsec and read her stories in the links below.

PeepSec Conference https://peepsec.com/peepsec2022/stephanie-itimi/

Cybersecurity is a growing concern in today’s digital world. I was invited to speak at CybSafe's June PeepSec conference, which addressed the human side of cybersecurity. I spoke about how we can diversify our cyber security efforts and create more opportunities for people who want them. Increased investment in training programs helps bridge gaps that can arise when it comes to hiring employees or developing new strategies. If you don't have enough talent, how effective are our cybersecurity policies, not only at the micro level, but also at the macro level? The UK is faci

Cyber Conflicts - Real and Virtual: By Nicola Bates, Sofia Liemann Escobar, Neil Ashdown & James Barr

> … Loading, 30 seconds until player two enters the game I appear to be in some sort of train carriage. I look down. My shoes have morphed into some rather fetching cowboy boots, my hands are clad in leather gauntlet-style gloves. > … 15 seconds until player two enters the game Furiously I attempt to discern how to move, hesitantly waddling forward, wary of my unfamiliar surroundings. > … 5 seconds until player two enters the game I turn to face the door of the carriage. > … Start game The door violently swings open and I am met with a veritable blizzard. The scene clears. I am under a moonlit sky. I am on a moving train. Up ahead there is movement. This must be my opponent – the much-vaunted player two. I look down to my hand. I am holding a pistol, a shiny silver pistol. I lift my hand and take aim, expecting a flurry of fire to down my adversary. But my shiny silver sidearm does not flurry. Instead, what can only be described as a slow moving, fluorescent blue orb emerge

Avoiding the shock of the new – a historical perspective on state cyber operations. Neil Ashdown

When was the first cyberattack? Your answer to that question might depend on how you define the term ‘cyberattack’. It also might depend on how far you think the public record is complete in this area. It was this knotty tangle of conceptual disputes, secrets, and mysteries that participants sought to address at a recent workshop organised by the University of Warwick: ‘Cyberattacks and covert strategies in perspective: the long history of the future’. The workshop brought together academics from intelligence studies and history, cybersecurity and cyber conflict studies, and security studies more broadly. Among other themes, the panels at the event examined the early roots of state cyber operations, focusing primarily on the US and the UK. As the workshop organisers noted, it is important that academics looking at cyber operations not succumb to the ‘shock of the new’. The means of a state cyber espionage operation may be new, but espionage, deception, and subversion are all very old.

Return from Real World Crypto Conference: Tabitha Ogilvie

This April, many CDT cryptographers headed to Amsterdam to attend the Real World Crypto conference. For many, this was our first ever conference, and for almost all of us, the first conference since before the pandemic. RWC itself had already been rescheduled from January of this year due to a surge in cases in the Netherlands. RWC is intended as a conference for both academic researchers and industry professionals, with delegates from many organisations who design and implement cryptography in the wild. The program is designed to have talks with high real world impact - this year, the theme for the invited talks was Cryptography in the Ads Ecosystem, where representatives from Meta and Google Chrome spoke about their understanding and solutions to reconciling users’ privacy and effective advertising using cryptographic primitives. It was really great to finally be able to attend a conference in person after so long! Although the pandemic has led to many conferences being held onl

Turbulent times ahead? The Cyber dimensions of Colombia’s upcoming elections: Sofia Liemann Escobar

It is no surprise that in 2022 fears around cyber incidents potentially impacting elections run high. Since the 2016 interference reports against the US presidential election, concerns over cyber threats to the electoral system have been on the rise around the world. And Colombia is no different. With the legislative elections having passed in March, and the first round of the presidential elections due in May, Colombians have been seeing a stream of warnings from media outlets of possible cyber incidents. In February, during a speech given at a Plenary Session of the European Parliament, Colombian President Iván Duque discussed the need for Colombia to “be able to protect its democracy against external influence or interference, [and] of those who intend to manipulate algorithms or those who intend to generate hatred and division” [1]. By early March the National Registrar, Alexander Vega, revealed that the National Civil Registry website had seen 400,000 cyber-attack attempts

Presenting and researching during covid: Robert Choudhury

During the lockdown I was researching the implementation of sandboxes with mobile operating systems on the internet. After producing a program to survey these platforms and setting up a reporting server I was able to ascertain that sensor implementations were vulnerable to trivial attacks because of the lack of dynamic values witnessed during the survey. I furthered this work by looking into how researchers would run malware samples on local physical devices which would report the results and then be reset ready for the next execution. This setup has the benefit of including all the sensors of a mobile device and real-world readings.

I decided to imitate such a setup at home using a physical device attached via USB to a reporting server to see if I could exploit the real-world readings to tell me something about the nature of the app analysis. From this I created an app that contained a reverse Turing test to act as a trigger for malware only when a device is performing a recognised

PhD Research and Write-Up During COVID-19: Georgia Crossland

In this short piece I will discuss my PhD journey during COVID-19, highlighting some of the issues I faced, how I overcame these and providing recommendations to help others in the same position. Of course, first and foremost, the COVID-19 crisis is a global health crisis, and people have been put in much worse situations than their PhD research being delayed. I was fortunate that the EPSRC granted me an extension for my research, a great benefit that was not extended to many other PhD students from different disciplines. However, social distancing has been essential to minimise the spread of COVID and for many researchers this represented, and still does, a change in fieldwork methods, write-up strategy, as well as changing the way we interact with our cohort and supervisors.

1) Field Work

When we went into the first lockdown in March 2020, I had just found an organisation (a global law firm) willing to let me conduct my research with their employees. The plan was to spend a few day