<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:cc="http://cyber.law.harvard.edu/rss/creativeCommonsRssModule.html">
    <channel>
        <title><![CDATA[Cyber Security Southampton - Medium]]></title>
        <description><![CDATA[Cyber Security Southampton Blogs - Medium]]></description>
        <link>https://medium.com/cybersoton?source=rss----232f5e7deb47---4</link>
        <image>
            <url>https://cdn-images-1.medium.com/proxy/1*TGH72Nnw24QL3iV9IOm4VA.png</url>
            <title>Cyber Security Southampton - Medium</title>
            <link>https://medium.com/cybersoton?source=rss----232f5e7deb47---4</link>
        </image>
        <generator>Medium</generator>
        <lastBuildDate>Wed, 20 May 2026 13:30:26 GMT</lastBuildDate>
        <atom:link href="https://medium.com/feed/cybersoton" rel="self" type="application/rss+xml"/>
        <webMaster><![CDATA[yourfriends@medium.com]]></webMaster>
        <atom:link href="http://medium.superfeedr.com" rel="hub"/>
        <item>
            <title><![CDATA[Contributing to COVID-19 Research from Home: Putting your Raspberry Pi to Work.]]></title>
            <link>https://medium.com/cybersoton/contributing-to-covid-19-research-from-home-putting-your-raspberry-pi-to-work-a17d853453c4?source=rss----232f5e7deb47---4</link>
            <guid isPermaLink="false">https://medium.com/p/a17d853453c4</guid>
            <dc:creator><![CDATA[Robert Thorburn]]></dc:creator>
            <pubDate>Mon, 04 May 2020 12:02:54 GMT</pubDate>
            <atom:updated>2020-05-04T12:02:54.108Z</atom:updated>
            <content:encoded><![CDATA[<p>Low power Single Board Computers (SBCs) like the Raspberry Pi are not generally associated with real-world high-performance computing. Usually, the only link is educational use or pet projects, but one initiative aiming to change that is Rosetta@home. Like other similar projects, it allows private citizens to donate some part of their home PC’s processing power to international researchers. The home user simply installs an app, and the rest is managed automatically. One thing that sets the Rosetta project apart though is that through the correct software it allows for ARM-based SBCs to be used. Although such systems are low power, there are millions of them in circulation. Cumulatively then, they can have a significant impact.</p><p>If you have an ARM-based SBC capable of supporting a 64-bit OS, then the steps needed to get Rosetta up and running are pretty straightforward. They are presented below using a Raspberry Pi 4, with OS installation from scratch, though this may not be needed if you have a compatible OS already installed. If so, just skip down to the Software Installation section. A Raspberry Pi 3 or 4 will do the trick but for other SBCs you will need to check. If you are unsure of your OS’s suitability or that of your SBC, simply run the following command from the command line:</p><pre>lscpu</pre><p>You will be presented with a lengthy output, but we are only interested in the first two items. The first item is “Architecture” and must be “x86_64”. The second item is “CPU op-mode(s)” and should read “32-bit, 64-bit”. If it does not include “64-bit”, then your OS will not be suitable and must be overwritten for the needed software to work. 
If so, please make sure that you back up any important files before installing your new OS.</p><p><strong>The Operating System</strong></p><p>Technically any 64-bit OS should do the trick, but a lightweight or terminal only distribution will be preferred here since the SBC used will be dedicated to this single task. Our choice to meet these criteria is 64-bit Ubuntu server for Raspberry Pi. Please make sure to select the 64-bit OS for your Raspberry Pi model (3 or 4) from the download link here: <a href="https://ubuntu.com/download/raspberry-pi">https://ubuntu.com/download/raspberry-pi</a></p><p>Once you have downloaded the OS to a PC or laptop, you need to write it to a micro SD card for use in the Raspberry Pi. It is common practice for micro SD cards to be sold with a full-size SD card adapter allowing for it to be read by an SD card reader such as those found on many laptops. Alternatively, you can also use a USB card reader if your PC/Laptop does not support SD cards. Next, you need to use software to write the OS to the micro SD card. Our preferred solution is balenaEtcher, and you can download it here: <a href="https://www.balena.io/etcher/">https://www.balena.io/etcher/</a></p><p>Once installed, open up Etcher, insert the micro SD card into the card reader, and use Etcher’s simple interface to select first the Ubuntu OS you downloaded and secondly the micro SD card to write it to. Etcher will do the rest and notify you when the micro SD card is ready. Please make sure you have the micro SD card selected when writing the OS to it, since Etcher will overwrite whatever is in the target drive. With that done, we are ready to get the SBC running. 
If you need more help on the OS setup, especially if this is your first time doing it, please have a look at the Raspberry Pi guide located here: <a href="https://projects.raspberrypi.org/en/projects/raspberry-pi-setting-up">https://projects.raspberrypi.org/en/projects/raspberry-pi-setting-up</a></p><p>Remove the micro SD card from your computer and insert it into the card slot at the bottom of the Raspberry Pi or other SBC, connect an Ethernet cable and then power it on. At this point, you can plug a screen and keyboard into your SBC, or you can ssh into it. We will describe the ssh option below, but all other steps will be identical. Please note that if you are a novice user, the screen and keyboard option will be easier, and you can now skip to the setup section below.</p><p>To ssh into the SBC, you will need to connect it to your router via Ethernet, have ssh enabled on the SBC and know the login credentials. For Ubuntu server, ssh will be enabled by default, while the username and password will both be “ubuntu”. We will also need to know the IP address of the SBC to ssh into it. You can use any network scanner to find a new device and its IP address on your network. For this task, I usually use Netdiscover due to its lightweight nature. If needed, you can get Netdiscover via your package manager or else here: <a href="https://github.com/alexxy/netdiscover">https://github.com/alexxy/netdiscover</a></p><p>Once you have everything ready, go ahead and ssh into the SBC using your preferred tool. For this, I used PuTTY which you can download here: <a href="https://www.chiark.greenend.org.uk/~sgtatham/putty/">https://www.chiark.greenend.org.uk/~sgtatham/putty/</a></p><p><strong>Setup</strong></p><p>With your SBC booted up, you are either connected via ssh or have plugged in a screen and keyboard. You will be presented with a terminal window only (no graphical interface here) and asked for a username and then the password. 
Enter “ubuntu” for both (without the quotation marks, and assuming you are using Ubuntu server). You will now be logged in and the first order of business will be to change the system password. On Ubuntu server you will be prompted to do so as follows:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/660/1*QXE-YlBkTFz-FmyJXnrLlg.jpeg" /><figcaption>First login</figcaption></figure><p>The “(current) UNIX password” is “ubuntu” and the new password prompted for thereafter will be whatever you wish. Once this is done, you will need to ensure that your system is up to date. First run:</p><pre>sudo apt-get update</pre><p>Once this is done you need to run:</p><pre>sudo apt-get upgrade</pre><figure><img alt="" src="https://cdn-images-1.medium.com/max/821/1*1iUqbOOGSn_S4D9V1b7i9w.jpeg" /><figcaption>Update and upgrade</figcaption></figure><p>You will be prompted to install new packages and should select “Y” to proceed. Upgrading the system could take quite some time so while this is running, we need to create a Rosetta account. Head over to the Rosetta site at <a href="https://boinc.bakerlab.org/rosetta/">https://boinc.bakerlab.org/rosetta/</a> and click the “sign up” tab top right.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*DzZrjo5KdM-XWFMi2HWMtg.jpeg" /><figcaption>Sign up at top right</figcaption></figure><p>Follow the onscreen prompts to create your account. Once done look at the right top side of your account dashboard and under the “Community” heading locate the “member of team” section. Click the link to the right of it to join a team. This is not strictly necessary but since we are trying to show the utility of ARM-based SBCs, it would be good to join the “crunch-on-arm” team. 
Once done, your “Community” tab should look as follows:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*-2F-QcbVviPYE8HafNTuVQ.jpeg" /><figcaption>Crunch-on-arm</figcaption></figure><p><strong>Software Installation</strong></p><p>Once your account is set up and the OS upgraded, we can proceed. To install the needed software, we will use the following command and select “Y” at the install prompt:</p><pre>sudo apt-get install boinc-client boinctui</pre><figure><img alt="" src="https://cdn-images-1.medium.com/max/651/1*91Y39RCOE1_BftSS8CHWow.jpeg" /><figcaption>Install boinc</figcaption></figure><p>Once the installation is complete, we can launch the software using the following command:</p><pre>boinctui</pre><p>You will be presented with a configuration screen, simply hit enter to continue. One of the first things you will probably notice is the pretty awful interface. Hit F9 to enter the menu and from the “View” tab select “ASCII line draw” and hit “enter” as shown below:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*k4c3a8Lax2wB1x3HwYH4aw.jpeg" /><figcaption>Change the view</figcaption></figure><p>Now hit F9 again and from the “Projects” tab select “New Project” and then “Rosetta@home”. You will now be prompted to enter your email and password as you used to set up your account on the website.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*03m4illAUWbK8TdgN7syMA.jpeg" /><figcaption>Join Rosetta@home</figcaption></figure><p>That is all there is to it, from here you can just let it run and the software will take care of everything. To get a glimpse of what is going on though you can check the system display in the boinc software or else go to your profile on the Rosetta site and under “Computing and Credit” look for “Computers on This Account” and click the “view” link next to it. 
Please note that the display in the software shows running progress while the website is slower to update:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*ZlVpiFvI_GE5aLU24rZi-g.jpeg" /><figcaption>Let the results roll in!</figcaption></figure><p>As of the time of publication the crunch-on-arm team is in the top 1% of performers, showing how big a contribution a small computer can make!</p><hr><p><a href="https://medium.com/cybersoton/contributing-to-covid-19-research-from-home-putting-your-raspberry-pi-to-work-a17d853453c4">Contributing to COVID-19 Research from Home: Putting your Raspberry Pi to Work.</a> was originally published in <a href="https://medium.com/cybersoton">Cyber Security Southampton</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[SJTU-UoS joint course of Data Protection for Chief Data Officer was launched]]></title>
            <link>https://medium.com/cybersoton/sjtu-uos-joint-course-of-data-protection-for-chief-data-officer-was-launched-3b67902e88d?source=rss----232f5e7deb47---4</link>
            <guid isPermaLink="false">https://medium.com/p/3b67902e88d</guid>
            <category><![CDATA[shangai]]></category>
            <category><![CDATA[training]]></category>
            <category><![CDATA[gdpr]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <category><![CDATA[data-protection]]></category>
            <dc:creator><![CDATA[rs]]></dc:creator>
            <pubDate>Wed, 17 Jul 2019 13:57:14 GMT</pubDate>
            <atom:updated>2019-07-17T13:57:14.730Z</atom:updated>
            <content:encoded><![CDATA[<p>A few months ago, a team of professors and researchers from the cyber security group and law school of the University of Southampton (UoS) went to Shanghai Jiaotong University (SJTU) to give a one-week course. The course was organised by Shanghai Advanced Institute of Finance (SAIF), which is a world-class institution of research and advanced learning in finance and management established at SJTU in April 2009. The topic of the program, mooted and designed by organisers from both parties, was data protection with a focus on legal and cyber security perspectives for Chief Data Officers (CDOs).</p><p>On May 25, 2018, the EU’s <strong>General Data Protection Regulation</strong> (the GDPR), known as the most stringent data protection law in the history of the European Union, came into effect.</p><blockquote>Regardless of whether the data processing is carried out in the EU, the process may still be subject to the GDPR, which will inevitably require every company and individual dealing with the EU data to study the GDPR seriously.</blockquote><p>The global reach of companies’ business extends the jurisdiction of the GDPR worldwide. Meanwhile, “<em>Enterprise Data Governance</em>” was introduced as a new management concept, and this is why the CDO (Chief Data Officer) has entered the corporate executive team. The internal control mechanism of large enterprises is increasingly oriented towards a unified privacy protection strategy. For example, Apple and Facebook have begun a unified global implementation of the GDPR. <em>How to understand the essence of GDPR and put it into practice? How to think about data security from the information security perspective?</em></p><p>Against this backdrop, <strong>this course is aimed at CDOs and information security officers from both government and enterprise. 
</strong>The content progresses from introductory to advanced across six modules: “privacy and anonymity”, “cross-border data flow”, “network security”, “competition and finance”, “financial technology and blockchain”, and “data protection compliance”. Through the combination of theory and practice, this program intends to empower the senior management of the enterprise to master the principles of data protection and its supervision, thus promoting the development of the enterprise.</p><p><strong>UoS Instructors</strong></p><p><a href="https://www.southampton.ac.uk/law/about/staff/sophie_stalla.page"><em>Sophie Stalla-Bourdillon</em></a></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/554/1*HYceK1knnT0osTiAAzGnkQ.jpeg" /></figure><p><a href="https://www.southampton.ac.uk/law/about/staff/hschmidt.page"><em>Hedvig Schmidt</em></a></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/554/1*Mk4qcJdYA0eB-Z5I8--2FQ.jpeg" /></figure><p><a href="https://www.ecs.soton.ac.uk/people/vsassone"><em>Vladimiro Sassone</em></a></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/554/1*5O7tUocFYHST8aYaHSAJsg.jpeg" /></figure><p><a href="https://www.ecs.soton.ac.uk/people/am6n16"><em>Andrea Margheri</em></a></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/554/1*EiSEpf-l2MEvnSEJghMnQA.jpeg" /></figure><p><a href="https://www.southampton.ac.uk/law/postgraduate/research_students/hip1v12.page"><em>Henry Pearce</em></a></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/554/1*mgZC4ZAD6yzcyedi1jkD9g.jpeg" /></figure><p><a href="https://www.gre.ac.uk/people/rep/faculty-of-business/dr-mu-yang"><em>Mu Yang (University of Greenwich)</em></a></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/554/1*JNg4Ej7CNzLeFd3zk89K1g.jpeg" /></figure><p><em>Runshan Hu</em></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/554/1*bC1dpCsMtU7yXF87X9Jjjg.jpeg" /></figure><p><strong>SJTU Instructors</strong></p><p><a 
href="http://infosec.sjtu.edu.cn/en/DirectoryDetail.aspx?id=66"><em>Yue Wu</em></a></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/554/1*MIyqKXivbm_WoqEOiHBp4Q.jpeg" /></figure><p><a href="https://flia.org/team/duoqi-xu/"><em>Duoqi Xu</em></a></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/554/1*wslx57G0E5TWTwn9Ii1nqA.png" /></figure><p><a href="http://law.sjtu.edu.cn/TeacherDetail169.aspx"><em>Chenguo Zhang</em></a></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/554/1*onmGyNlPdk522HqZ5UQJkQ.jpeg" /></figure><p><em>Matias Aranguiz</em></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/554/1*pzvyyPHuIm1IMjSrwIAPcw.jpeg" /></figure><p><strong>The Classes</strong></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/594/1*pSDTlw8VJ8wC-VQsiOTXyA.jpeg" /></figure><p>The classes were a mix of computer science, law, and finance. People from various backgrounds sat together and discussed the future of data privacy, cyber security, FinTech and more. 
It is illuminating to see some cyber security principles evaluated differently depending on legal and financial values, and also to see similar problems described in disparate terms when approached from distinct perspectives.</p><p>For the first time ever, the partnership between UoS and SJTU spanned multiple departments including UoS’s law school and the cyber security group (ECS school) and SJTU’s school of finance and cybersecurity.</p><blockquote>We believe a multi-disciplinary approach via international lens is crucial to derive credible informed views, productive and fruitful collaborations.</blockquote><p>This is also consistent with the cyber security group’s focus on a multi-disciplinary approach to research at UoS.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/800/1*4UkNyd4P8CKhOJG2_4Kqkg.png" /></figure><p><strong>Night Views in Shanghai</strong></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*kQLI2Y8s7X22vxHXBGO_aA.jpeg" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*_MvDDbCRv4JOieiMZQNMfw.jpeg" /></figure><hr><p><a href="https://medium.com/cybersoton/sjtu-uos-joint-course-of-data-protection-for-chief-data-officer-was-launched-3b67902e88d">SJTU-UoS joint course of Data Protection for Chief Data Officer was launched</a> was originally published in <a href="https://medium.com/cybersoton">Cyber Security Southampton</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Attending BSides London.]]></title>
            <link>https://medium.com/cybersoton/attending-bsides-london-e36f8db77fa0?source=rss----232f5e7deb47---4</link>
            <guid isPermaLink="false">https://medium.com/p/e36f8db77fa0</guid>
            <category><![CDATA[london]]></category>
            <category><![CDATA[conference]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <dc:creator><![CDATA[Robert Thorburn]]></dc:creator>
            <pubDate>Fri, 14 Jun 2019 09:43:15 GMT</pubDate>
            <atom:updated>2019-06-14T09:43:15.605Z</atom:updated>
            <content:encoded><![CDATA[<p>Travelling to London is always a treat, but that is doubly the case if it’s for a security conference! Of course, Security BSides isn’t just any security conference.</p><p><em>Starting life as an alternate event to Black Hat Briefings in the US, BSides has grown to a global series of conferences and related events, numbering over 30 for 2019.</em></p><p>In large part this success can be attributed to BSides being community driven, free to attend and geared towards giving new speakers a platform.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/900/1*FPM4iD8nsquo4pcYpiJq1Q.png" /></figure><p>BSides London fit this bill perfectly, with one of its four tracks being totally given over to rookie speakers. The pre-conference workshops also followed this approach with two extended sessions aimed at those new to the field.</p><p>The main event kicked off with a heartfelt and largely informal welcome address, followed by two main talks covering cyber systems of the power grid and user profiling and tracking on smartphone apps. Following these two talks the rookie track and track three also opened up. The three main tracks all presented talks of 30 minutes to one hour, while talks on the rookie track were limited to 15 minutes. This short form worked particularly well and attending the rookie track was particularly enjoyable.</p><p>Although BSides London presented a great range of security talks and the requisite side events such as a CTF and lock picking, one of the most notable talks was a full hour on track one devoted to mental health and wellbeing. Olga Zilberberg, who specialises in Cognitive Behavioural Therapy and Neuro Linguistic Programming, led the session. 
Focussing on the symptoms and mechanics of stress, anxiety and depression, the inclusion of such a talk on the main stage exemplifies the different approach taken by BSides and is one of the many reasons that we will be back next year!</p><p>Videos from the event can be found <a href="https://www.youtube.com/channel/UCXXNOelGiY_N96a2nfhcaDA/playlists">here</a>.</p><hr><p><a href="https://medium.com/cybersoton/attending-bsides-london-e36f8db77fa0">Attending BSides London.</a> was originally published in <a href="https://medium.com/cybersoton">Cyber Security Southampton</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Attending PETRAS Living in the IoT]]></title>
            <link>https://medium.com/cybersoton/attending-petras-living-in-the-iot-8f6399265813?source=rss----232f5e7deb47---4</link>
            <guid isPermaLink="false">https://medium.com/p/8f6399265813</guid>
            <category><![CDATA[internet-of-things]]></category>
            <category><![CDATA[posters]]></category>
            <dc:creator><![CDATA[Robert Thorburn]]></dc:creator>
            <pubDate>Wed, 22 May 2019 11:52:08 GMT</pubDate>
            <atom:updated>2019-05-22T11:52:08.629Z</atom:updated>
            <content:encoded><![CDATA[<p>On the 1st and 2nd of May this year we attended <strong>PETRAS’s ‘Living in the IoT</strong>’ conference, hosted at the ever impressive Savoy Place in London.</p><blockquote>PETRAS is an IoT research hub jointly operated by 11 research universities, with funding provided by both the Engineering and Physical Sciences Research Council and private companies.</blockquote><p>This not only explains <strong>the breadth of academic interest and participation in the conference but also the presence of a large private sector contingent</strong>. The conference programme also reflected this, with the opening keynote presented by <em>Dr Kevin Jones, Head of Cyber Security Architecture, Innovation and Scouting at Airbus</em>. Predictably, this keynote set a very high bar for the conference, not only in terms of interesting content but also in engaging delivery.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/862/1*KQ6mWxqnrQG-CB_i_bVrjQ.jpeg" /></figure><p>Following the keynote, the conference split into three tracks with joint sessions reserved for further keynotes and main panels. This formula was followed over both days, with breaks for lunch, poster sessions and networking sessions. One notable deviation in this programme was the ministerial launch of the UK’s consultation on, and guidelines for, consumer IoT.</p><blockquote>Margot James, minister for Digital and Culture personally made the announcement and took questions afterwards. Key elements of which included the ongoing consultation process and also the Code of Practice for Consumer IoT Security.</blockquote><p>The code can be downloaded <a href="https://www.gov.uk/government/publications/code-of-practice-for-consumer-iot-security">here</a>. In brief though, <strong>the code introduces 13 guidelines of which the first three are prioritised</strong>. 
These are:</p><ul><li>No default passwords.</li><li>Implementation of a vulnerability disclosure policy.</li><li>Software updates.</li></ul><p>The papers and posters presented all fell into the general grouping of IoT security, privacy and ongoing development.</p><p>The Southampton Cybersecurity contingent also covered these topics with a paper and a poster presented. The paper presented a new approach to analysing cyber-physical threats for IoT using provenance modelling. The threat analysis case study focused on <a href="https://www.petrashub.org/portfolio-item/blockchain-empowered-infrastructure-for-iot-blockit/">BlockIT</a>, <em>a blend of IoT and Blockchain technologies which provides electricity trading in small communities</em>. Our results included new attack vectors not previously exploited.</p><p>The poster we presented focused on the need for an integrated approach to engineering privacy by design in IoT. <strong><em>By integrated in this context, we mean both industry best practice (a moving target) and regulatory compliance (a mostly fixed point)</em></strong>. Since work in both these fields tends to take a risk-based approach, we see ample common ground for the building of an integrated framework.</p><p>Notable in the discussions around the work we presented was not just the high level of synergy with the work of other presenters, but also the degree to which these academic presentations resonated with attendees from the private sector. Although the former can be expected from a highly focused conference, the latter is indicative of the IoT’s ever increasing economic prominence. 
As such, we can only assume that future conferences will garner even more attention from academia and the private sector alike.</p><hr><p><a href="https://medium.com/cybersoton/attending-petras-living-in-the-iot-8f6399265813">Attending PETRAS Living in the IoT</a> was originally published in <a href="https://medium.com/cybersoton">Cyber Security Southampton</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[UKEF Trade Finance Blockchain Project]]></title>
            <link>https://medium.com/cybersoton/ukef-trade-finance-blockchain-project-72ab306d14fa?source=rss----232f5e7deb47---4</link>
            <guid isPermaLink="false">https://medium.com/p/72ab306d14fa</guid>
            <category><![CDATA[corda]]></category>
            <category><![CDATA[blockchain]]></category>
            <category><![CDATA[trade-finance]]></category>
            <dc:creator><![CDATA[Andrea Margheri]]></dc:creator>
            <pubDate>Mon, 13 May 2019 09:07:30 GMT</pubDate>
            <atom:updated>2019-05-13T09:07:30.326Z</atom:updated>
            <content:encoded><![CDATA[<h3>About my recent blockchain Corda application of Trade Finance for UK Export Finance, part of the Department of International Trade.</h3><p><em>UKEF is investing in the digitalisation of Trade Finance processes, trying to automate procedures and minimise process latencies</em>. All this is required to strengthen the financial support to UK Exporters while controlling the actual financial risks.</p><blockquote>The need of establishing an <strong>interoperable, accountable layer for multi-stakeholder interaction paves the way for blockchain </strong>empowered Trade Finance.</blockquote><p>Together with the <a href="https://openinnovation.blog.gov.uk/"><strong>Open Innovation Team at the Cabinet Office</strong></a><strong> </strong>and the <a href="https://www.southampton.ac.uk/publicpolicy/index.page"><strong>Public Policy team at the University of Southampton</strong></a>, I have approached this UKEF challenge to design and prototype a blockchain solution for UK Trade Finance.</p><p><strong>The challenge</strong></p><p>UKEF aims at supporting the Department of International Trade in their innovation strategy by creating new digital solutions supporting UK Trade Finance.</p><p>The challenge is to create a decentralised solution that underpins the distributed process of Trade Finance by establishing a new, accountable and transparent medium of interaction through which exporters, banking players and UKEF can conduct their negotiations in a timely manner.</p><p>Given the sensitivity and the commercial nature of these processes, it is necessary to ensure a high level of trust and confidentiality throughout all the processes of the distributed actors.</p><p>Establishing an interoperable framework across trade finance stakeholders would allow UKEF to achieve a threefold objective:</p><ol><li><strong>Early access to current exporter trade finance application </strong>by providing direct support to exporters and streamlining negotiations with 
banks.</li><li><strong>Facilitating multi-actor processes </strong>by ensuring accountable and up-to-date data exchanges.</li><li><strong>Increasing knowledge on current UK export activities </strong>by creating new knowledge-bases for defining more effective trade support solutions and better risk assessment.</li></ol><p>While the last objective would require a long-term plan, <strong>we can start today to prototype a blockchain-based solution for trade finance.</strong></p><p><strong>The blockchain prototype</strong></p><p>The prototype system must offer storage and processing capability for carrying out the management of exporter trade applications (for simplicity’s sake, just Bond application) among: <em>Exporter, Bank </em>and <em>UKEF IT </em>systems.</p><p><strong>The blockchain platform acts as distributed, accountable application data storage and computational framework for the assessment of bond applications.</strong></p><p>For realising this prototype, I have used the <a href="https://www.corda.net/">R3 Corda framework</a> and integrated it with Spring web-apps for showcasing purposes.</p><p><em>Blockchain Technology. </em>In a nutshell, <em>blockchain is a decentralised computational infrastructure offering reliable storage and program execution</em> (aka <em>smart contract</em>). Among others, the key advantage of using blockchain is the <strong>lack of any centralised trusted-third-party </strong>that can singularly control the system. Interaction among multiple actors can then be carried out ensuring that no single actor is in control or misbehaving (e.g. tampering with managed information or neglecting the submission of an application).</p><p><em>The Prototype. </em>The Corda blockchain framework is a state-of-the-art solution for decentralised financial processes. <em>It relies on Java-based technology for offering transactional multi-actor distributed flows. 
Most of all, it provides on top of classical blockchain data storage (i) user authentication; (ii) pluggable consensus; (iii) smart contract based interactions; (iv) selective data visibility. </em>(Many more features are available, as well as the integration with relational databases and long-term transaction support.)</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*ZS7-oDPqHcN4qoEmdChUOQ.png" /><figcaption>Enabling distributed trade finance transactions with Corda</figcaption></figure><p>The prototype is then formed by four (logical) nodes, each of them running a Corda instance and authenticated via an X.509 standard certificate. The Notary logically represents a set of additional nodes that are part of the network and ensure replication and fault tolerance factors. <em>Notice that those nodes may be prevented from accessing any information of the bond application, even though they will store a copy of the corresponding transaction.</em> Thus, <strong>controls on flow execution and visibility assure both Exporters and Banks that data is only shared with authorised actors</strong><em>.</em></p><p>The flows implemented in the system to support exporter trade finance are:</p><ol><li><em>CreateBond: Creation of an Exporter Bond application — </em>this operation is issued by an Exporter user and is signed by both Bank and UKEF which enforces acceptability controls on bond values and impact.</li><li><em>BankAssess: Bank assessment of the Bond application — a </em>user part of the bank (to which Exporter submitted the application) can provide the needed financial data on the Exporter and report on the bank support to the bond.</li><li><em>UKEFAssess: UKEF guarantee on the Bond application — </em>a user part of UKEF can control the bank approved decision and report on the UKEF support to the bond.</li></ol><p>These flows, together with the needed contract state and transaction signing controls, have been implemented in Java. 
The code is available online and can be easily re-deployed following the available instructions.</p><p><a href="https://github.com/cybersoton/corda-trade-finance">cybersoton/corda-trade-finance</a></p><p><strong>Showcasing the prototype</strong></p><p>The prototype has been tailored to UKEF needs and a mock-up Spring web app has been developed to visualise the actual integration of the solution. Below is a screen recording of the web apps, one for each of the Exporter, Bank and UKEF nodes of the prototype.</p><iframe src="https://cdn.embedly.com/widgets/media.html?src=https%3A%2F%2Fwww.youtube.com%2Fembed%2FOz0xltPl9O4%3Fstart%3D5%26feature%3Doembed%26start%3D5&amp;url=http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DOz0xltPl9O4&amp;image=https%3A%2F%2Fi.ytimg.com%2Fvi%2FOz0xltPl9O4%2Fhqdefault.jpg&amp;key=a19fcc184b9711e1b4764040d3dc5c07&amp;type=text%2Fhtml&amp;schema=youtube" width="640" height="480" frameborder="0" scrolling="no"><a href="https://medium.com/media/e3cf5fcf2f0cc5093139ba41c0e15910/href">https://medium.com/media/e3cf5fcf2f0cc5093139ba41c0e15910/href</a></iframe><p>It appears that despite the intricacies of implementing and using blockchain technology, <strong>the Corda blockchain solution can be used like a classical web app based on REST APIs.</strong></p><p>Behind the scenes, the deployment of a distributed blockchain framework ensures that any B2B interoperability issues are overcome by design: <strong>all multi-actor interactions are programmed, controlled and enforced via smart contracts.</strong></p><p>To shed light on the stages needed to create, validate and store a flow (aka a transaction) in the system, watch the video below.</p><iframe 
src="https://cdn.embedly.com/widgets/media.html?src=https%3A%2F%2Fwww.youtube.com%2Fembed%2F4BFG5TtaUhU%3Fstart%3D5%26feature%3Doembed%26start%3D5&amp;url=http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D4BFG5TtaUhU&amp;image=https%3A%2F%2Fi.ytimg.com%2Fvi%2F4BFG5TtaUhU%2Fhqdefault.jpg&amp;key=a19fcc184b9711e1b4764040d3dc5c07&amp;type=text%2Fhtml&amp;schema=youtube" width="640" height="480" frameborder="0" scrolling="no"><a href="https://medium.com/media/3df5c91872ac0725412851e6d917f9f7/href">https://medium.com/media/3df5c91872ac0725412851e6d917f9f7/href</a></iframe><p>I presented the technical challenges and Corda prototype at the last DIT Innovation Conference on Blockchain. Here while introducing the fundamentals on blockchain.</p><p>The audience was significantly engaged in the discussion on the potential role of blockchain in Public Services. <em>Looking forward to seeing the development plan in UKEF and DIT for a possible adoption of blockchain!</em></p><hr><p><a href="https://medium.com/cybersoton/ukef-trade-finance-blockchain-project-72ab306d14fa">UKEF Trade Finance Blockchain Project</a> was originally published in <a href="https://medium.com/cybersoton">Cyber Security Southampton</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Higher Education Cyber Challenge]]></title>
            <link>https://medium.com/cybersoton/higher-eduction-cyber-challenge-5b10c1dda09?source=rss----232f5e7deb47---4</link>
            <guid isPermaLink="false">https://medium.com/p/5b10c1dda09</guid>
            <category><![CDATA[hecc]]></category>
            <category><![CDATA[hacking]]></category>
            <category><![CDATA[university-of-southampton]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <category><![CDATA[cyber-challenge]]></category>
            <dc:creator><![CDATA[Sarah Martin]]></dc:creator>
            <pubDate>Tue, 30 Apr 2019 10:56:54 GMT</pubDate>
            <atom:updated>2019-05-02T14:55:46.693Z</atom:updated>
            <content:encoded><![CDATA[<h3>Higher Education Cyber Challenge</h3><p>Back in March, over 100 students organised in 26 teams from the top cyber universities in the country descended on B16 on the Highfield Campus to take part in ‘HECC 2019’, the Higher Education Cyber Challenge.</p><p>The event was a resounding success with both participants and media. Here is a write-up by Charles Elder, Head of the University of Southampton’s media relations department.</p><p><strong><em>Southampton set to host one of the country’s largest inter-university cyber security challenges</em></strong></p><p><em>The University of Southampton is set to host one of the UK’s largest inter-university cyber security competitions exclusive to students.</em></p><p><em>Over 100 students will descend on Southampton’s Highfield Campus on Saturday, 9th March, to compete in the 2019 Higher Education Cyber Challenge.</em></p><p><em>During the intense one-day competition, the students from 14 ACE (Academic Centre of Excellence for Cyber Security Research) universities, including eight participants from Southampton, will face a range of challenges created by experts from a team of international experts, including industry sponsors as well as current Southampton PhD researchers, Josh Curry and Laurie Kirkcaldy, and graduate Jamie Scott.</em></p><p><em>Both Josh and Laurie themselves were part of the Southampton team to place second in last year’s Inter-ACE Challenge hosted by Cambridge University.</em></p><p><em>Inter-ACE was established to help resolve the vast and growing cyber security skills gap, with an estimated shortfall of 1.8M workers worldwide by 2022. 
The competition aimed to inspire young tech enthusiasts into the cyber security sector, while also honing the skills of those who already have a strong aptitude for ethical hacking and helping them meet like-minded individuals and potential employers.</em></p><p><em>“Southampton have really enjoyed attending the Inter-ACE cyber challenge over the last few years,” said Josh Curry. “With that competition not running in 2019, we wanted to continue the tradition of bringing together students in cyber security and so created HECC, the Higher Education Cyber Challenge. We hope that everyone enjoys the challenges we have put together, and are happy to once again provide an opportunity for students to meet and network with their peers from across the UK.”</em></p><p><em>This year’s competitors will face 50 challenges in total, involving everything from hacking websites to reverse engineering. Working in teams of three or four, the students will be looking to find ‘flags’, worth a varying amount of points, during each activity to determine the winners.</em></p><p><em>Professor Vladimiro Sassone, Director of Southampton’s Cyber Security Academy, said: “We’re very pleased to bring the Higher Education Cybersecurity Challenge to Southampton for the first time. The Challenge provides an excellent platform for students to perform as teams, under pressure, and is proving to be an important training ground as the future of the world’s cyber security capabilities rests on the shoulders of these students.”</em></p><p><em>Southampton is well-placed to host the HECC Challenge as the University plays a leading role in cyber security research and education through its Cyber Security Research Group where expertise and excellence in these fields are brought together.</em></p><p><em>The Group undertakes basic and applied cyber security research, providing core capabilities and leadership in support of the University’s broader security activities. 
The Group constitutes the core of the Academic Centre of Excellence for Cyber Security Research (recognised by National Cyber Security Centre and the Engineering and Physical Sciences Research Council) as well as the Cyber Security Academy, a partnership between University, Industry and Government, whose objectives span from research and consultancy to outreach, training and knowledge transfer.</em></p><p>It was an outstanding success with 1st, 2nd and 3rd prizes going to Cardiff, Cambridge and Imperial. There was even coverage on BBC South Today and BBC Radio Solent. It was great the University supported this event.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*K4MH5_aOdEmRtyEYP01VsQ.jpeg" /><figcaption>The ‘HECC’ team organisers</figcaption></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*wfhvaecVyIkKAugSBYTAhg.jpeg" /><figcaption>The day in full swing</figcaption></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*XZlI9fZDodrBaSGmF5nPgA.jpeg" /><figcaption>Live leaderboard information</figcaption></figure><hr><p><a href="https://medium.com/cybersoton/higher-eduction-cyber-challenge-5b10c1dda09">Higher Education Cyber Challenge</a> was originally published in <a href="https://medium.com/cybersoton">Cyber Security Southampton</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[IoT Research of the Cyber Security group]]></title>
            <link>https://medium.com/cybersoton/iot-research-of-cybersecurity-group-15101b9927ec?source=rss----232f5e7deb47---4</link>
            <guid isPermaLink="false">https://medium.com/p/15101b9927ec</guid>
            <category><![CDATA[internet-of-things]]></category>
            <category><![CDATA[risk-assessment]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <category><![CDATA[iot]]></category>
            <category><![CDATA[smart-energy]]></category>
            <dc:creator><![CDATA[Federico Lombardi]]></dc:creator>
            <pubDate>Wed, 10 Apr 2019 11:33:55 GMT</pubDate>
            <atom:updated>2019-04-10T11:34:30.136Z</atom:updated>
            <content:encoded><![CDATA[<p>Last Friday, 5th April, the <em>University of Southampton Research Week </em>finished with a poster event showcasing the research activities of different groups related to the Internet of Things.</p><blockquote>The cybersecurity group brought seven posters related to different projects, where researchers and PhD students showed some of the IoT activity of the group.</blockquote><p>Two posters were for the <strong>PETRAS BlockIT</strong> project: Dr. Nawfal Fadhel (Research Fellow) and Dr. Federico Lombardi (Lecturer) presented <em>ETSE, an architecture which integrates blockchain and smart meter devices to enable energy trading in a smart energy neighbourhood</em>. As a second poster on the BlockIT project, they presented a threat analysis based on semantic modelling for a paper that will be presented at the IET <em>Living in the Internet of Things Conference</em> next May.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*wtKm1C94oXtlrXZwYdf8iA.jpeg" /><figcaption>Posters of the cyber research group on IoT</figcaption></figure><p>The prototype of the BlockIT project has been developed and we are now simulating results with a smart meter data generator. 
Soon, we will integrate the prototype with real smart meter devices.</p><p><a href="https://github.com/cybersoton/blockchain-empowered-smart-energy">cybersoton/blockchain-empowered-smart-energy</a></p><blockquote>A new IoT testbed of the Cyber Security group is now ready to be used for other IoT activities and it will be beneficial for a real evaluation of security and vulnerabilities of IoT devices.</blockquote><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*Zt8LUSUfg4RZsj_WdiW58A.png" /><figcaption>Smart home devices from the IoT testbed of the cyber group used for simulating real-world attacks</figcaption></figure><p>Among others, Stefano De Angelis (PhD student) presented a risk assessment methodology for IoT-based systems through the OWASP database, while Ryan Gregory (cyber intern) showed a project to <em>create a realistic smart home dataset by injecting attacks against a network composed of IoT devices </em>and collecting metrics related to their traffic in response to the attacks.</p><p>Max Hayman (PhD student) presented his PhD work on <em>IoT vulnerabilities, with a case study on the Yale Smart Lock (YSL)</em>, showing how easy it can be to clone an NFC card to unlock the YSL due to a lack of encryption.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/989/0*qSG5fkvp0ND16lIp.jpg" /><figcaption>Yale Smart Lock tested by Max</figcaption></figure><p>Finally, Rob Thorburn (PhD student) presented a study on privacy of IoT devices. 
Specifically, he showed some common architectural patterns, assessing the traffic flow and the involved parties to check which kinds of data should (or should not) be sent as plaintext or ciphertext, also in order to be compliant with GDPR.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/756/0*gLOPOLGJZyg4hY3P" /><figcaption>Architectural Pattern Flow of some IoT devices involved in the study of Rob</figcaption></figure><blockquote>The Cybersecurity group of the University of Southampton is carrying out many other projects on IoT, such as firmware analysis, network fingerprinting, penetration testing, privacy and security of voice assistants and many others.</blockquote><p>The “smart” sector is growing and the cyber group is putting a great deal of effort into IoT research. Indeed, we are involved in the PETRAS Internet of Things Research Hub, a consortium of eleven leading UK universities which have been working together for three years to explore critical issues in privacy, ethics, trust, reliability, acceptability, and security of IoT. Currently, we have BlockIT as a main IoT project for PETRAS and our goal is to propose to PETRAS other innovative solutions that we are developing thanks to the work of our PhD students and researchers.</p><hr><p><a href="https://medium.com/cybersoton/iot-research-of-cybersecurity-group-15101b9927ec">IoT Research of the Cyber Security group</a> was originally published in <a href="https://medium.com/cybersoton">Cyber Security Southampton</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[“Hacking with Metasploit” Tutorial]]></title>
            <link>https://medium.com/cybersoton/hacking-with-metasploit-tutorial-7635b9d19e5?source=rss----232f5e7deb47---4</link>
            <guid isPermaLink="false">https://medium.com/p/7635b9d19e5</guid>
            <category><![CDATA[cybersecurity]]></category>
            <category><![CDATA[kali-linux]]></category>
            <category><![CDATA[metasploit]]></category>
            <category><![CDATA[hacking]]></category>
            <category><![CDATA[penetration-testing]]></category>
            <dc:creator><![CDATA[Federico Lombardi]]></dc:creator>
            <pubDate>Thu, 04 Apr 2019 17:49:54 GMT</pubDate>
            <atom:updated>2019-04-05T10:43:31.851Z</atom:updated>
            <content:encoded><![CDATA[<p>On 12th February 2019 I was invited to ITASEC, the annual <a href="https://www.itasec.it/">Conference of Cybersecurity held in Italy</a>. The event was held at the CNR of Pisa with an incredibly heterogeneous audience composed of a number of public administrations, researchers and industry from all over Europe.</p><p>The event lasted 4 days, with a preliminary session for tutorials. The session was based on different technical solutions for cybersecurity from both a defender and an attacker perspective.</p><p>I proposed a tutorial on penetration testing and ethical hacking with the <strong>Metasploit</strong> framework. I set up a simple virtual lab based on <strong>VirtualBox</strong> with a <strong>Kali Linux</strong> Virtual Machine (VM) acting as attacker, and a <strong>Metasploitable Linux</strong> VM, a <strong>Windows XP SP3</strong> and a <strong>Windows 10</strong> VM as victims to target. The picture below shows the environment.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/676/1*vsdS9H7T-5QKloplLRYH8w.png" /><figcaption>Virtual Lab set up for the “Hacking with Metasploit” tutorial</figcaption></figure><p>Then I started by describing the steps that an attacker needs to follow to perform an attack against a target machine, as follows:</p><ol><li><strong>Passive Reconnaissance</strong></li><li><strong>Active Reconnaissance</strong></li><li><strong>Gaining Access</strong></li><li><strong>Privilege Escalation and Password Cracking</strong></li><li><strong>Maintaining Access</strong></li><li><strong>Covering Traces</strong></li></ol><p>For each step I described and used some useful tools. The session was a mix of theoretical concepts and practical demos.</p><p>During the first step (<em>Passive Reconnaissance</em>) I showed tools for <em>Open Source Intelligence</em> (OSINT). 
The first tool was the <strong>Google Hacking Database</strong> <strong>(GHDB)</strong> <a href="https://www.exploit-db.com/google-hacking-database">https://www.exploit-db.com/google-hacking-database</a>. This tool is a collaborative database of <em>dorks</em>, i.e. a collection of advanced Google search queries for finding useful open information. In the picture below, there is an example of a dork created by Kevin Randall to find txt files with information related to logins and passwords.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*FRDMK9X4flS5H3P1fHC5dw.png" /></figure><p>Then I presented a more advanced tool for gathering information on the web, namely <strong>Discover</strong>. It is a script developed by Lee Baird to collect information about files, domains and IP addresses of a desired target. This tool can be combined with other tools like <strong>Shodan</strong> and <strong>TheHarvester</strong> to obtain a large amount of information and successfully perform the passive reconnaissance step.</p><p>In the second phase I introduced two tools for active reconnaissance, i.e. to perform port scanning and enumeration, namely <strong>Nmap </strong>and <strong>Zenmap</strong>. I showed a practical example of these tools to scan the network of the virtual lab and to find open ports and services on the three victim VMs. Then, I showed how to find vulnerabilities by using the CVE database and the collected information. In our lab, the first example shown is the <strong>MS08-067</strong> vulnerability of Windows XP (<a href="https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-067">https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-067</a>). This is a vulnerability of the <em>Microsoft Server Service</em> for remote sharing of files and printers.</p><p>To exploit such a vulnerability I moved to the next step of the attack, i.e. <em>Gaining Access</em>. 
Here, I introduced the <strong>Metasploit</strong> framework, one of the most common frameworks for penetration testing.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*yS4BO7OjT1H6cbwiTl51vw.png" /><figcaption>Reverse Shell explained</figcaption></figure><p>I described how to perform an attack with Metasploit against a vulnerable machine through a <strong>Reverse Shell</strong> and I introduced the Meterpreter payload. I showed a practical example where the Kali machine, through Metasploit, was able to exploit the vulnerability of the Windows XP machine to create a Meterpreter shell as a payload. Thus, we had an open admin shell and total control of the victim: we were able to access its file system, desktop, webcam, etc.</p><p>We repeated this attack against the Metasploitable Linux machine, by exploiting the <em>vsftpd_234</em> backdoor. Again, we had total control of the machine with admin privileges.</p><p>Then I showed that repeating the attack against the Windows 10 machine was challenging since there was no known vulnerability. Thus, I introduced <em>client-side attacks,</em> which exploit social engineering to trick a user into clicking on something malicious. Specifically, I showed how to create a backdoor with <strong>Veil-Evasion</strong> and hide it inside a pdf file by spoofing the pdf extension and a pdf icon.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*6ZqpLqQIBicil9cyCk0Ptw.png" /><figcaption>Resource Hacker tool used to spoof a pdf icon</figcaption></figure><p>We sent the fake pdf attachment to the victim with the Windows 10 machine and prepared Metasploit to listen for incoming connections on the port that we specified when we created the backdoor. 
Once the user opened the pdf, we had an open shell on the target Windows 10 machine from the Kali machine.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*pPAap2g9d7lR_RIFttFgEw.png" /><figcaption>Meterpreter session opened after the Windows 10 user opened the malicious pdf</figcaption></figure><p>However, unlike in the Windows XP and Metasploitable Linux examples, the shell we opened did not have admin privileges. So I showed another module of Metasploit to simulate a Windows update to the user.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1014/1*z8gtarXvG9wZPUweUDtdtw.png" /></figure><p>An expert user should notice this fake popup since the file to be executed does not carry any signature… but how many people look at this detail?</p><p>If the user does not pay attention to this and clicks <em>yes</em>, they give administrator privileges to the software that launched it. In our case this software is the Meterpreter shell, thus we can escalate the privilege of the Meterpreter shell to <em>admin </em>permanently.</p><p>We also introduced different approaches for <em>Privilege Escalation</em>, for example using a keylogger (Meterpreter Keyscan) to steal passwords, or using the Metasploit Hashdump to dump the password database.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1014/1*9LEPHoGS88jAheDmuWeJ1g.png" /><figcaption>Hashdump module to dump the password database of a Windows machine</figcaption></figure><p>The figure above shows how Hashdump can save the password database. The problem is that those are not the passwords, but the hashes of the passwords. We have to crack the hashes to recover the real passwords. 
For that purpose, I showed <strong>John The Ripper </strong>and a free online tool, i.e., <a href="http://crackstation.net">crackstation.net</a>.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*IOUAnb-yN8uvIDBaXpuZbQ.png" /><figcaption>CrackStation tool to crack the hash dumped with hashdump</figcaption></figure><p>In the last part of the tutorial, I first described how to maintain permanent access by placing a backdoor in the target machine. The figure below shows Meterpreter installing and executing the backdoor.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*muaRyVr-qe7qKRBrZBqIcg.png" /><figcaption>Metasploit installing a backdoor for permanent access</figcaption></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*RKgM0_U4HHO5Ab4ic7hIsg.png" /><figcaption>vbs script placed on the target</figcaption></figure><p>The backdoor is placed as a vbs script stored on the victim. This script launches an exe file.</p><p>Furthermore, it writes an autorun key in the Windows registry. 
In that way, every time the computer starts up, the backdoor is executed again and opens a new Meterpreter session on the attacker side.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*CTg96ewqaoK3SMoKf0K9mQ.png" /><figcaption>Registry key to run the backdoor at system boot</figcaption></figure><p>In the last section, we detailed some techniques an attacker can use to cover their traces, such as clearing logs, timestomping the accessed resources and using rootkits to avoid detection.</p><p>Finally, we had a 10-minute question and answer session in which we discussed some best practices that everybody must follow to minimise cyber risk.</p><blockquote>The goal of the tutorial was to give technical and non-technical users a practical overview of how simple it can be to be hacked if not well protected.</blockquote><p>The tutorial was highly voted on the Whova app by attendees and a few companies asked for collaborations in this direction. This topic is current and of interest to companies and public entities. I strongly believe that it is a good starting point to increase the awareness of users and employees, and I also believe that with practical examples of what can happen people can effectively learn.</p><hr><p><a href="https://medium.com/cybersoton/hacking-with-metasploit-tutorial-7635b9d19e5">“Hacking with Metasploit” Tutorial</a> was originally published in <a href="https://medium.com/cybersoton">Cyber Security Southampton</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[NATO Internship outcome: Security assessment of IoT-based applications for NATO Enterprise.]]></title>
            <link>https://medium.com/cybersoton/nato-internship-outcome-security-assessment-of-iot-based-applications-for-nato-enterprice-f75fe7f358f?source=rss----232f5e7deb47---4</link>
            <guid isPermaLink="false">https://medium.com/p/f75fe7f358f</guid>
            <category><![CDATA[security]]></category>
            <category><![CDATA[internships]]></category>
            <category><![CDATA[internet-of-things]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <category><![CDATA[nato]]></category>
            <dc:creator><![CDATA[Stefano De Angelis]]></dc:creator>
            <pubDate>Thu, 04 Apr 2019 17:49:37 GMT</pubDate>
            <atom:updated>2019-04-05T10:57:35.922Z</atom:updated>
            <content:encoded><![CDATA[<p>In my last <a href="https://medium.com/cybersoton/cybersoton-internship-at-the-nato-2685d4ecb813">blogpost</a> I introduced my internship experience at NATO Headquarters (HQ). Now I am back, and I am happy to share with you the outcomes of my six months abroad, my thoughts and results.</p><p>My internship experience at NATO has been incredibly positive. <strong>NATO, as a security organisation, was for me one of the perfect places to improve my knowledge in the field of security, from a more practical point of view.</strong> I worked for the <strong><em>NATO Office of Security (NOS)</em></strong>. The NOS division is responsible for security and administrative support of NATO. It is divided into three main branches: <em>(i) Protective Security Branch (PRB)</em>, <em>(ii) Security Intelligence Branch (SIB)</em> and <em>(iii) Policy Oversight Branch (POB)</em>.</p><p>The first two branches take care of <strong>physical security</strong>, <strong>safety</strong> and <strong>counterintelligence</strong> at NATO HQ and NATO civil and military bodies. On the other hand, the <em>POB</em> coordinates <strong>security inspections</strong> in NATO member nations, NATO civil and military bodies and other partners. The main purpose of such inspections is to certify that all those NATO-related organisations are properly protected.</p><p><em>POB</em> is in turn divided into two sub-branches, one dedicated to <strong><em>Security Policies</em></strong> and one specialised in <strong><em>Communication and Information Systems</em></strong>. The first branch develops and revises security policies, guidance and supporting documents for NATO enterprise. 
The second, CIS Security, takes care of the security accreditation of technologies employed in NATO bodies.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/341/1*k7rZlhUrlQ9QGcW9GRAIDw.png" /><figcaption>NATO Office of Security logo</figcaption></figure><p>The CIS Security branch works closely with the <strong><em>NATO Communication and Information Agency</em></strong>, which is the technology and cyber leader for NATO. CIS engineers evaluate and develop risk assessment and management methodologies for the cutting-edge technologies and projects proposed by the Agency.</p><p>On my arrival I was assigned to the CIS division. Because of my technical background and my expertise on security aspects of technologies, CIS asked me to investigate and evaluate the Internet of Things (IoT) technology for NATO purposes.</p><h4>A security methodology for IoT-based applications</h4><p>My first contribution at <em>CIS </em>was the security assessment of <strong><em>IoT-based applications</em></strong>, outlining the technology and its security risks. I defined a general model for the evaluation of IoT applications illustrating its components, the possible application fields and the security risks. For this purpose I defined a <em>multi-layer architecture </em>describing a general purpose use case.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/743/1*OX4sxUgPPZ2sTYI-mJ8m6g.png" /><figcaption>IoT architectural model</figcaption></figure><p>This architecture is characterised by three main layers: (i) <strong>Objects layer</strong>, (ii) <strong>Middleware layer</strong> and (iii) <strong>Visualisation layer</strong>. 
The first layer specifies all the connected physical <em>IoT devices</em>; the Middleware layer has a <em>Service Oriented Architecture</em> which offers <strong><em>connectivity</em></strong>, <strong><em>data storage</em></strong>, <strong><em>abstraction</em></strong> and <strong><em>computing features</em></strong> (supported by cloud and fog computing technologies). The third layer is characterised by user-friendly applications exploiting data provided by the middleware.</p><p>Based on this architecture I described the security issues and threats which affect such systems. Specifically, I highlighted the security <strong>vulnerabilities</strong> of IoT systems caused by the devices of the Objects layer, the technologies of the Middleware layer and the applications in the Visualisation layer. Vulnerabilities mainly affect data <strong>confidentiality</strong>, <strong>privacy</strong> and <strong>trust</strong> of IoT-based systems and are mainly related to:</p><ol><li><strong>Poor computational and storage power</strong> of devices;</li><li><strong>Physical vulnerability</strong> of devices;</li><li><strong>Weak communication protocols</strong> which prefer <em>performance</em> to <em>security</em>;</li><li><strong>Application vulnerabilities</strong> caused by cloud services employed for computation and storage capabilities;</li><li>Front-end application vulnerabilities.</li></ol><figure><img alt="" src="https://cdn-images-1.medium.com/max/522/1*rg-zI2wCceCwUYSam2R6mA.png" /><figcaption>An overview of security in IoT</figcaption></figure><p><strong>Due to the complexity of such systems, it is usually difficult to evaluate security and mitigate vulnerabilities.</strong> Even if these issues cannot be ignored, particularly in a military and political context like NATO, most of the time it is hard to determine which particular layer of the application architecture needs more attention and investment of resources than the others. 
For this reason I proposed a <strong><em>methodology</em></strong> to evaluate vulnerable IoT-based systems and mitigate the most dangerous vulnerabilities identified by a risks and benefits analysis.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*iE3JItLIq1e3IUPSQWpN_w.png" /><figcaption>IoT Attack surface areas classification</figcaption></figure><p>Referring to the <a href="https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project"><strong>OWASP IoT Project</strong></a>, I proposed an easy-to-follow schema to</p><ol><li><strong>classify the most common IoT </strong><a href="https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Attack_Surface_Areas"><strong>Attack Surface Areas</strong></a>;</li><li><strong>identify the most dangerous vulnerabilities</strong>;</li><li><strong>propose a security approach for the risk assessment and vulnerability mitigation</strong>.</li></ol><p>The table above illustrates a <em>classification</em> of the most common attack surface areas. I divided such attacks based on their <strong>impact</strong> (i.e. how dangerous the attack is once exploited) and <strong>exploitability</strong> (i.e. how easy the attack is to exploit). With a red line I then highlighted the most dangerous vulnerabilities that should always be mitigated.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/933/1*ERtvRGzmxg5-aCwQoJyNgw.png" /></figure><p>For the evaluation of risks and benefits of IoT vulnerabilities, I proposed a <em>three-phase methodology</em> according to the classification above. The methodology relies on the <strong>OWASP</strong> best practices for attack mitigation. It offers some basic rules to <strong>identify</strong>, <strong>evaluate</strong> and <strong>mitigate</strong> the most dangerous vulnerabilities of IoT systems.</p><p>In conclusion, I really enjoyed my stay at NATO. 
I worked on interesting topics with a friendly team of people always ready to help me. I learned how to approach a working environment such as that of a military organisation, and I experienced, from a practical point of view, security topics that are for me a matter of research.</p><p>The <em>NATO Internship Programme</em> is a <strong>great</strong> opportunity for students and young professionals to gain work experience in <strong>one of the most important and relevant organisations of the North Atlantic Alliance</strong>. Apart from the chance to be introduced to the world of European Institutions, interns will have the opportunity to meet a number of professionals inside the fascinating <em>NATO Headquarters (HQ)</em> in Brussels and participate in several working activities. <strong>The NATO Internship is the best solution for young workers to create a network of contacts and improve their CV with a highly recognized experience</strong>.</p><hr><p><a href="https://medium.com/cybersoton/nato-internship-outcome-security-assessment-of-iot-based-applications-for-nato-enterprice-f75fe7f358f">NATO Internship outcome: Security assessment of IoT-based applications for NATO Enterprise.</a> was originally published in <a href="https://medium.com/cybersoton">Cyber Security Southampton</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Launch of Partnership between SEROCU and The Cyber Security Academy]]></title>
            <link>https://medium.com/cybersoton/launch-of-partnership-between-seroco-and-the-cyber-security-academy-7c73d01706b6?source=rss----232f5e7deb47---4</link>
            <guid isPermaLink="false">https://medium.com/p/7c73d01706b6</guid>
            <category><![CDATA[cybersecurity]]></category>
            <dc:creator><![CDATA[Sarah Martin]]></dc:creator>
            <pubDate>Sat, 16 Mar 2019 13:17:49 GMT</pubDate>
            <atom:updated>2019-03-16T16:29:29.461Z</atom:updated>
            <content:encoded><![CDATA[<p>One sunny Thursday, over 200 delegates from Police forces across the country, NPCC, ROCUs, British Transport Police and The National Crime Agency descended on the AXIS conference centre on the Science Park to attend a ‘Cryptocurrency Masterclass’. I was thrilled to be part of the planning process for this launch of a new partnership between the Cyber Security Academy and SEROCU (South East Regional Crime Unit).</p><p>It was an honour and privilege to have Professor Mark Spearing, President and Vice-Chancellor here at the University of Southampton, opening the event. He spoke of the importance of industry and academia coming together to look at research and innovation and the importance of hosting events to make that possible. Next to take to the stage was DSI Jess Wadsworth, Head of SEROCU, who spoke of the importance of working with academia to focus on problems the police face in day-to-day criminal investigations. She went on to say how exciting it will be to work with us and strengthen our relationship even more.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*iHMjYalfcPtPW698BDOYuw.jpeg" /><figcaption>DCS Jess Wadsworth, Prof Mark Spearing and Sarah Martin</figcaption></figure><p>The theme for the day was cryptocurrency. The morning was spent looking at challenges the police face on a daily basis, with an increasing number of cyber-crime offences being related to cryptocurrencies, and the lengths criminals are going to in order to commit such crimes. Issues were raised which can be viewed from a technical aspect. I am pleased to say that our very own Dr Federico Lombardi, Lecturer in Cyber Security at the University of Southampton, gave a presentation on a Cyber Range for Blockchain Platforms, building on a Group Design Project (GDP) recently carried out by ECS students under his supervision. 
Judging by the discussions within the audience, it was a brilliant and very informative GDP.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*ui4pOeGMd9R3jSJRkrC8BA.jpeg" /><figcaption>Audience in full flow</figcaption></figure><p>After lunch, we heard presentations from officers who have been involved with some pretty meaty cryptocurrency investigations. I have to say I was astonished at the lengths these criminals go to and impressed with the work that goes on behind the scenes for the Police to bring these perpetrators to justice. They are steady, methodical and show commitment to the job; we are lucky to have these people protecting us.</p><p>At 16:15 I was able to breathe a sigh of relief as all had gone very well, and feedback had been very positive. Watch this space for more events in the future.</p><hr><p><a href="https://medium.com/cybersoton/launch-of-partnership-between-seroco-and-the-cyber-security-academy-7c73d01706b6">Launch of Partnership between SEROCU and The Cyber Security Academy</a> was originally published in <a href="https://medium.com/cybersoton">Cyber Security Southampton</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
    </channel>
</rss>