Every year the UK Cyber Security community get together at Royal Holloway for a day of talks just before Christmas; all funded by Hewlett-Packard. And today is no exception. Indeed this is the 23rd such event. The main purpose of the event is for everyone to meet and discuss issues, opportunities and share experiences of the proceeding year. Most of the participants are the thought leaders from the UK Cyber Security industry, as well as a few academic hangers-on like myself.
A regular part of the proceedings is a pen-and-paper cryptographic challenge set for the audience by someone in HP Labs. This is called the Zaba Memorial Challenge, in honour of Stefek Zaba an ex-HP Lab'y who used to set the challenge in the past. Stefek is a much missed member of our community in the UK; and the regular challenge allows us to remember him in a small way.
The talks were given by John Madelin (Area VP for EMEA at Verizon), James Lynne (Director of Technology Strategy at Sophos and David McGrew (Fellow at Cisco). Most of the talks are more focused on business issues rather than technology and scientific issues. Most of the interest I find in the day is this exposure to other views.
John, who talked about the "Business of Security", had some interesting anecdotes about how the younger generation are adopting different, new technologies, compared to our generation. For example, email is often not used at all by people under the age of 20. This is the third talk I have attended at which this quite startling observation (for me) has been made. This has widespread impact on the increasing use of "Bring-Your-Own" device to work; which is only going to accelerate as the generations change. An interesting graph was the growth in cloud based service takeup in the
BRICs countries compared to the tradional high tech economies. John
discussed the security priorities of companies in North America; a
regular survey showed that Cloud Security was the top concern,
displacing Intrusion Detection from the previous years top spot. Indeed
IDS had dropped off the top ten list; which was dominated by concerns
about mobile phones (security and malware), tablet security and so on. Another interesting point made was the difference in technology adoption by the BRICs countries, i.e. Brazil, Russia, India and China. This is because such countries do not have such a sunk investment in legacy systems, and so they can adopt new technology quicker. He discussed how companies spend money protecting against non-existant threats; but which they feel more comfortable on spending money on. They then miss out on protecting against the real threats which provide the greatest risks.
James, talked about "Hacking cyber crime and deja vu" a really cool talk describing a number of attacks which are out there in the wild. A nice histogram (albeit a 3D one) presented the growth in unique pieces of malicious code found per year. Most of this code is distributed by SQL injection into web pages; which is surprising as this weakness has been known about for many many years. A nice description was given of a malware "service" based in the cloud which monitors users computers; and when the malware is detected it phones back to base to enable a new version of the malware to be distribtued. This is an example of the increase in the sophistication of the software used in malware. Annother example was some extortion/ransom based malware which encrypts your files and then asks for you to pay up to get access to the password; and, as an added bonus, if the victum does not pay up the criminal places increminating files on the victims computer and then informs the police of their existance. The talk went on to discuss various other criminal activities which were very close to the old Digicrime joke website; but were scarily real. Most of the rest of the talk discussed an investigation into a specific cyber criminal and how various security weaknesses in photo uploading sites, social media sites etc were used to track them down.
David, who gave a talk at the workshop organized by Kenny Paterson and myself earlier in the year, gave a talk today on "The Vernam cipher is better than Quantum Key Distribution". David's background is in Physcis, but he made a switch to Info Sec and has concentrated on communications security since, and so he was particularly well suited to discuss QKD technology in the real world. David's basic thesis was that there is too much hyperbole about this; with quotes like "QKD will make the internet unhackable", and that is is "absolutely unbreakable", statements which the Info Sec community knows to be false. He presented a set of ten goals that might want from a system to enable secure communication; he then showed that QKD provided very weak (or no) coverage of all bar one of these goals. In fact the only thing for which QKD did well was that it minimized computational assumptions; but even then this is not true since most QKD systems work in a hybrid manner. David compared QKD to building a type out of concrete, it resists punctures but does little else very well. He ended by discussing what would happen if Quantum Computers became a reality; here his thesis was that one could switch to "postquantum" schemes such as those based on lattices. In particular as long as one-way functions still exist we can use digital signatures. In such a situation he claimed that there was still no business reason to adopt QKD.