CFP: Passwords 2016

====================================================================
Call for Papers
The 11th International Conference on Passwords
PASSWORDS 2016

5-7 December 2016
Ruhr-University Bochum, Germany

https://passwords2016.rub.de/
https://passwordscon.org/
====================================================================

The Passwords conference was launched in 2010 as a response to
the lack of robustness and usability of current personal
authentication practices and solutions. Annual participation has
doubled over the past three years. Since 2014, the conference
accepts peer-reviewed papers.

* IMPORTANT DATES *

Research papers and short papers:
– Title and abstract submission: 2016-07-04 (23:59 UTC-11)
– Paper submission: 2016-07-11 (23:59 UTC-11)
– Notification of acceptance: 2016-09-05
– Camera-ready from authors: 2016-09-19

Hacker Talks:
– Talk proposal submission: 2016-09-15 (23:59 UTC-11)
– Notification of acceptance: 2016-09-30

* CONFERENCE AIM *

More than half a billion user passwords have been compromised
over the last five years, including breaches at internet
companies such as Target, Adobe, Heartland, Forbes, LinkedIn,
Yahoo, and LivingSocial. Yet passwords, PIN codes, and similar
remain the most prevalent method of personal
authentication. Clearly, we have a systemic problem.

This conference gathers researchers, password crackers, and
enthusiastic experts from around the globe, aiming to better
understand the challenges surrounding the methods personal
authentication and passwords, and how to adequately solve these
problems. The Passwords conference series seek to provide a
friendly environment for participants with plenty opportunity to
communicate with the speakers before, during, and after their
presentations.

* SCOPE *

We seek original contributions that present attacks, analyses,
designs, applications, protocols, systems, practical experiences,
and theory. Submitted papers may include, but are not limited to,
the following topics, all related to passwords and
authentication:

– Technical challenges and issues:
– Cryptanalytic attacks
– Formal attack models
– Cryptographic protocols
– Dictionary attacks
– Digital forensics
– Online attacks/Rate-limiting
– Side-channel attacks
– Administrative challenges:
– Account lifecycle management
– User identification
– Password resets
– Cross-domain and multi-enterprise system access
– Hardware token administration
– Password “replacements”:
– 2FA and multifactor authentication
– Risk-based authentication
– Password managers
– Costs and economy
– Biometrics
– Continous authentication
– FIDO – U2F
– Deployed systems:
– Best practice reports
– Incident reports/Lessons learned
– Human factors:
– Usability
– Design & UX
– Social Engineering
– Memorability
– Accessibility
– Pattern predictability
– Gestures and graphical patterns
– Psychology
– Statistics (languages, age, demographics…)
– Ethics

* INSTRUCTIONS FOR AUTHORS *

Papers must be submitted as PDF using the Springer LNCS format
for Latex. Abstract and title must be submitted one week ahead of
the paper deadline.

We seek submissions for review in the following three categories:

– Research Papers
– Short Papers
– “Hacker Talks” (talks without academic papers attached)

RESEARCH PAPERS should describe novel, previously unpublished
technical contributions within the scope of the call. The papers
will be subjected to double-blind peer review by the program
committee. Paper length is limited to 16 pages (LNCS format)
excluding references and well-marked appendices. The paper
submitted for review must be anonymous, hence author names,
affiliations, acknowledgements, or obvious references must be
temporarily edited out for the review process. The program
committee may reject non-anonymized papers without reading
them. The submitted paper (in PDF format) must follow the
template described by Springer at
http://www.springer.de/comp/lncs/authors.html.

SHORT PAPERS will also be subject to peer review, where the
emphasis will be put on work in progress, hacker achievements,
industrial experiences, and incidents explained, aiming at
novelty and promising directions. Short paper submissions should
not be more than 6 pages in standard LNCS format in total. A
short paper must be labeled by the subtitle “Short
Paper”. Accepted short paper submissions may be included in the
conference proceedings. Short papers do not need to be
anonymous. The program committee may accept full research papers
as short papers.

HACKER TALKS are presentations without an academic paper
attached. They will typically explain new methods, techniques,
tools, systems, or services within the Passwords scope. Proposals
for Hacker Talks can be submitted by anybody (“hackers”,
academics, students, enthusiasts, etc.) in any format, but
typically will include a brief (2-3 paragraphs) description of
the talk’s content and the person presenting. They will be
evaluated by a separate subcommittee led by Per Thorsheim,
according to different criteria than those used for the refereed
papers.

At least one of the authors of each accepted paper must register
and present the paper at the workshop. Papers without a full
registration will be withdrawn from the proceedings and from the
workshop programme.

Papers that pass the peer review process and that are presented
at the workshop will be included in the event proceedings,
published by Springer in the Lecture Notes in Computer
Science (LNCS) series.

Papers must be unpublished and not being considered elsewhere for
publication. Plagiarism and self-plagiarism will be treated as a
serious offense.  Program committee members may submit papers but
program chairs may not.  The time frame for each presentation
will be either 30 or 45 minutes, including Q&A. Publication will
be by streaming, video and web.

* ORGANIZERS *

– General chair: Per Thorsheim, God Praksis AS (N)
– Program co-chair and host: Markus Dürmuth, Ruhr-University Bochum (DE)
– Program co-chair: Frank Stajano, University of Cambridge (UK)

* PROGRAM COMMITTEE *

– Adam Aviv, United States Naval Academy (USA)
– Lujo Bauer, Carnegie Mellon University (USA)
– Jeremiah Blocki, Microsoft Research/Purdue University (USA)
– Joseph Bonneau, Stanford University (USA)
– Heather Crawford, Florida Institute of Technology (USA)
– Bruno Crispo, KU Leuven (B) and University of Trento (IT)
– Serge Egelman, ICSI and University of California at Berkeley (USA)
– David Freeman, LinkedIn (USA)
– Simson Garfinkel, NIST (USA)
– Tor Helleseth, University of Bergen (N)
– Cormac Herley, Microsoft Research (USA)
– Graeme Jenkinson, University of Cambridge (UK)
– Mike Just, Heriot-Watt University (UK)
– Stefan Lucks, Bauhaus-University Weimar (D)
– Paul van Oorschot, Carleton University (CA)
– Angela Sasse, University College London (UK)
– Elizabeth Stobert, ETH Zurich (CH)

* STEERING COMMITTEE *

– Per Thorsheim, God Praksis AS (N)
– Stig F. Mjolsnes, Norwegian University of Science and Technology (N)
– Frank Stajano, University of Cambridge (UK)

More and updated information can be found at the conference website
https://passwords2016.rub.de/

Inaugural Cybercrime Conference

The Cambridge Cloud Cybercrime Centre is organising an inaugural one day conference on cybercrime on Thursday, 14th July 2016.

In future years we intend to focus on research that has been carried out using datasets provided by the Cybercrime Centre, but for this first year we have a stellar group of invited speakers who are at the forefront of their fields:

  • Adam Bossler, Associate Professor, Department of Criminal Justice and Criminology, Georgia Southern University, USA
  • Alice Hutchings, Post-doc Criminologist, Computer Laboratory, University of Cambridge, UK
  • David S. Wall, Professor of Criminology, University of Leeds, UK
  • Maciej Korczynski Post-Doctoral Researcher, Delft University of Technology, The Netherlands
  • Michael Levi, Professor of Criminology, Cardiff University, UK
  • Mike Hulett, Head of Operations, National Cyber Crime Unit, National Crime Agency, UK
  • Nicolas Christin, Assistant Research Professor of Electrical and Computer Engineering, Carnegie Mellon University, USA
  • Richard Clayton, Director, Cambridge Cloud Cybercrime Centre, University of Cambridge, UK
  • Ross Anderson, Professor of Security Engineering, Computer Laboratory, University of Cambridge, UK
  • Tyler Moore, Tandy Assistant Professor of Cyber Security & Information Assurance, University of Tulsa, USA

They will present various aspects of cybercrime from the point of view of criminology, security economics, cybersecurity governance and policing.

This one day event, to be held in the Faculty of Law, University of Cambridge will follow immediately after (and will be in the same venue as) the “Ninth International Conference on Evidence Based Policing” organised by the Institute of Criminology which runs on the 12th and 13th July 2016.

For more details see here.

Cambridge and Brexit

If the UK leaves the European Union, it will cost Cambridge University about £100m, or about 10% of our turnover.

I present the details in an article today in the Cambridge News.

I reckon we will lose at least £60m of the £69m we get in European grants, at least £20m of our £237m fee income (most of which is from foreign students), at least £10m from Cambridge Assessment and Cambridge University Press, and £5m each from industry and charities. Although I’m an elected member of Council (the governing body) and the committee that sets the budget, all this comes from our published accounts.

And my estimates are conservative; the outcome could easily be worse, especially if foreign students desert us, or just can’t get visas after a popular vote against immigration.

Now everyone on Britain pays on average £4 a year to the EU and gets £2 back. The net contribution of £2 amounts to £12.5m for a town the size of Cambridge. The University alone is getting more than four times that back directly, and yet more indirectly. And the same goes for many other university towns too; even Newcastle gets more than would be raised by everyone in the city paying £2 a year.

But this is not just about money; it’s about who we are, and also about what other people perceive us to be. If Britain votes to leave Europe following a xenophobic campaign against immigrants, people overseas may conclude that Britain is to longer a cool place to study, or to start a research lab. Even some of the people already here will leave. We will do the best we can to keep the flame alight, but it will be very much harder for Cambridge to remain a world-leading university.

See also the Cambridge News editorial, and my piece yesterday on Brexit and tech.

The tech industry and Brexit

The debate on whether Britain should leave the EU has largely ignored a factor of huge importance to the tech industry – network effects.

So I’ve written an article on what Brexit means for the tech industry from the viewpoint of information economics.

Network effects mean that the value of a transaction often depends on how many other people make similar transactions. They make our industry prone to monopolies. They ensure that the UK, with 1% of world population and 3% of GDP, has little influence on tech markets, which are mostly global. But the EU has real clout; Silicon Valley sees it as the world privacy regulator, as Washington doesn’t care and no-one else is big enough to matter. And most of the other regulations that IT people find annoying, from IP laws to export controls, are also embedded in international treaties. We can’t just tear up the annoying “red tape”, as the Brexit crowd suggest.

Brexit would not only diminish our influence on the laws that affect tech – many of which reflect negative network effects. It would make startups more expensive, so UK firms would have a harder time exploiting the positive network effects that are often the key to success. And it would damage the successful tech clusters we do have in Cambridge and in London.

Tech clusters need a number of things to thrive; and it’s not just technical network effects that matter, but labour-market network effects too. And there’s quite a lot of research on that. As good engineers can earn good money and live wherever we want, we congregate in places that are good places to live. They are always open and liberal places, where it’s fine to be from an ethnic minority, or an immigrant, or gay. What would the world’s best and brightest engineers think about moving to Britain if we vote for xenophobia on Thursday?

The article is in Computer Weekly, and there’s also a pdf here.

Adblocking and Counter-Blocking: A Slice of the Arms Race

Screen Shot 2016-04-26 at 14.48.54
If you use an adblocker, you are probably familiar with messages of the kind shown above, asking you to either disable your adblocker, or to consider supporting the host website via a donation or subscription. This is the battle du jour in the ongoing adblocking arms race — and it’s one we explore in our new report Adblocking and Counter-Blocking: A Slice of the Arms Race.

The reasons for the rising popularity of adblockers include improved browsing experience, better privacy, and protection against malvertising. As a result, online advertising revenue is gravely threatened by adblockers, prompting publishers to actively detect adblock users, and subsequently block them or otherwise coerce the user to disable the adblocker — practices we refer to as anti-adblocking. While there has been a degree of sound and fury on the topic, until now we haven’t been able to understand the scale, mechanism and dynamics of anti-adblocking. This is the gap we have started to address, together with researchers from the University of Cambridge, Stony Brook University, University College London, University of California Berkeley, Queen Mary University of London and International Computer Science Institute (Berkeley). We address some of these questions by leveraging a novel approach for identifying third-party services shared across multiple websites to present a first characterization of anti-adblocking across the Alexa Top-5K websites.

We find that at least 6.7% of Alexa Top-5K websites employ anti-adblocking, with the practices finding adoption across a diverse mix of publishers; particularly publishers of “General News”, “Blogs/Wiki”, and “Entertainment” categories. It turns out that these websites owe their anti-adblocking capabilities to 14 unique scripts pulled from 12 unique domains. Unsurprisingly, the most popular domains are those that have skin in the game — Google, Taboola, Outbrain, Ensighten and Pagefair — the latter being a company that specialises in anti-adblocking services. Then there are in-house anti-adblocking solutions that are distributed by a domain to client websites belonging to the same organisation: TripAdvisor distributes an anti-adblocking script to its eight websites with different country code top-level domains, while adult websites (all hosted by MindGeek) turn to DoublePimp. Finally, we visited a sample website for each anti-adblocking script via AdBlock Plus, Ghostery and Privacy Badger, and discovered that half of the 12 anti-adblocking suppliers are counter-blocked by at least one adblocker — suggesting that the arms race has already entered the next level.

It is hard to say how many levels deeper the adblocking arms race might go. While anti-adblocking may provide temporary relief to publishers, it is essentially band-aid solution to mask a deeper issue — the disequilibrium between ads (and, particularly, their behavioural tracking back-end) and information. Any long term solution must address the reasons that brought users to adblockers in the first place. In the meantime, as the arms race continues to escalate, we hope that studies such as ours will bring transparency to this opaque subject, and inform policy that moves us out of the current deadlock.

 

“Ad-Blocking and Counter Blocking: A Slice of the Arms Races” by Rishab Nithyanand, Sheharbano Khattak, Mobin Javed, Narseo Vallina-Rodriguez, Marjan Falahrastegar, Julia E. Powles, Emiliano De Cristofaro, Hamed Haddadi, and Steven J. Murdoch. arXiv:1605.05077v1 [cs.CR], May 2016.

This post also appears on the UCL Information Security group blog, Bentham’s Gaze.

GCHQ helps banks dump fraud losses on customers

We recently reported that the Commissioner of the Met, Sir Bernard Hogan-Howe, said that banks should not refund fraud victims as this would just make people careless with their passwords and antivirus. The banks’ desire to blame fraud victims if they can, to avoid refunding them, is rational enough, but for a police chief to support them was disgraceful. Thirty years ago, a chief constable might have said that rape victims had themselves to blame for wearing nice clothes; if he were to say that nowadays, he’d be sacked. Hogan-Howe’s view of bank fraud is just as uninformed, and just as offensive to victims.

Our spooky friends at Cheltenham have joined the party. The Register reports a story in the Financial Times (behind a paywall) which says GCHQ believes that “companies must do more to try and encourage their customers to improve their cyber security standards. Customers using outdated software – sometimes riddled with vulnerabilities that hackers can exploit – are a weak link in the UK’s cyber defences.” There is no mention of the banks’ own outdated technology, or of GCHQ’s role in keeping consumer software vulnerable.

The elegant scribblers at the Financial Times are under the impression that “At present, banks routinely cover the cost of fraud, regardless of blame.” So they clearly are not regular readers of Light Blue Touchpaper.

The spooks are slightly more cautious; according to the FT, GCHQ “has told the private sector it will not take responsibility for regulatory failings”. I’m sure the banks will heave a big sigh of relief that their cosy relationship with the police, the ombudsman and the FCA will not be disturbed.

We will have to change our security-economics teaching material so we don’t just talk about the case where “Alice guards a system and Bob pays the costs of failure”, but also this new case where “Alice guards a system, and bribes the government to compel Bob to pay the costs of failure.” Now we know how Hogan-Howe is paid off; the banks pay for his Dedicated Card and Payment Crime Unit. But how are they paying off GCHQ, and what else are they getting as part of the deal?

Exploring the provision of online booter services

A manuscript authored by myself and Richard Clayton has recently been published as an advance access paper in the criminology journal Deviant Behavior.

This research uses criminological theories to study those who operate ‘booter services’: websites that illegally offer denial of service attacks for a fee. We interviewed those operating the sites, and found that booter services provide ‘easy money’ for the young males that run them. The operators claim they provide legitimate services for network testing, despite acknowledging that their services are used to attack other targets. Booter services are advertised through the online communities where the skills are learned and definitions favorable toward offending are shared. Some financial services proactively frustrate the provision of booter services, by closing the accounts used for receiving payments.

For those accessing the paper from universities, you may find the paper here. The ‘accepted manuscript’, which is the final version of the paper before it has been typeset, can be accessed here.

A dubious cyber security conference

I’ve written before about dubious “academic” journals… and today I’m going to discuss a dubious “academic” conference (which is associated with some dubious journals, but it’s the conference that’s my focus today).

Fordham University has been running the “International Conference on Cyber Security” since 2009 and ICCS 2016 (labelled “Sixth” because they skipped 2011 and 2014) will take place in New York in July. This conference has an extremely reputable program committee and is run by Fordham and the Federal Bureau of Investigation (I expect you’ve heard of them … they investigate cybercrime in the USA…).

There’s also another “International Conference on Cyber Security (ICCS 2016)” running this year as well … it will take place in Zurich in July and is run by WASET (the World Academy of Science, Engineering and Technology). The program committee for this one is somewhat less prestigious (I sorry to say that I have not heard of any of them … and to my mind the most reputable looking person is “Wei Yan of Trend Micro” … except he’s currently on his fourth job since he left Trend Micro in 2010, so that makes me wonder how many of the people on the list know that they’re mentioned ?

There’s other reasons for feeling this conference might be a little dubious, not least that this is apparently the “Eighteenth ICCS”. That might lead you to believe that there have been seventeen previous ICCS events … but I did a lot of searches and failed to find any of them !

My searches did turn up the “2nd International Conference on Cyber Security (ICCS) 2016” which will take place at the Rajasthan Technical University, India — this one looks pretty respectable, with PC members from India and the USA.

So if you fancy going to Cyber Security Conference in 2016 then you are spoilt for choice, but I would not myself recommend travelling to Zurich. A key reason is that you may find that the Dorint Airport-Hotel, where ICCS 2016 is to be held may turn out to be a little crowded… the same hotel is hosting no fewer than 160 other International conferences at exactly the same time: click here for the full list!

Alternatively, if you can’t make it this year, put a note in your diary. The “31st International Conference on Cyber Security (ICCS 2029)” is planned to take place in Zurich on July 21–22 2029… Wei Jan is on the PC for that one too … and the submission deadline is as soon as March 31, 2029, so best to get a move on with finishing that paper!

As a final note, invited papers from ICCS 2016 (the Zurich version) are to be published in a special issue of “Advances in Cyber Security”. Now you might cynically think that this was an open access journal from WASEC, but no they have no journal with that title (and in fact neither does anyone else)… but what do you know, “Advances in Cyber Security” is a fine looking book published in December 2012 by none other than Fordham University Press. Small world, isn’t it!

And the winners are…

inter-ace-logo4

The Inter-ACE Cyberchallenge on Saturday was fantastic. The event saw nearly twice as many competitors as attended the C2C competition in Boston recently, engaged in solving the most artful challenges. It was great to see so many students interested in cyber security making the effort to travel from the four corners of the UK, a few from as far away as Belfast!

IMG_5373The competition was played out on a “Risk-style” world map, and competing teams had to fight each other for control of several countries, each protected by a fiendish puzzle. A number of universities had also submitted guest challenges, and it was great that so many teams got involved in this creative process too. To give one example; The Cambridge team had designed a challenge based around a historically accurate enigma machine, with this challenge protecting the country of Panama. Competitors had to brute-force the settings of the enigma machine to decode a secret message. Other challenges were based around the core CTF subject areas of web application security, binary reverse engineering and exploitation, forensics, and crypto. Some novice teams may have struggled to compete, but they would have learned a lot, and hopefully developed an appetite for more competition. There were also plenty of teams present with advanced tool sets and a solid plan, with these preparations clearly paying off in the final scores.

IMG_5426

Between the 10 teams, their coaches, the organisers and the reporters, the lab was bustling with excitement and that intense feeling of hackers “in the zone” for the whole afternoon.

IMG_5406

I have nothing but praise for our partners Facebook, who worked hard on setting the challenges and making the CTF game run smoothly, as well as feeding the participants with pizza and endowing the prizes with hacking books and goodie bags.

IMG_5298

The biggest thanks go to the ACE-CSRs who enthusiastically supported this initiative despite the short notice. 40 students came to Cambridge to compete in the live event in teams of 4, and another 40+ competed remotely in the individuals.

 

In retrospect we should have organised a “best T-shirt” competition. I especially liked Facebook t-shirts “Fix more, whine less” and “s/sleep/hack/g” but the one I would have voted overall winner (despite not technically being a T-shirt) was Southampton’s Shakespearian boolean logic.

IMG_5310

It is with a mixture of pride and embarrassment that I announce the winners, as Cambridge won the gold in both the team and individual events.

IMG_5686

Team event:

  • 1st place (Gold): University of Cambridge
    Stella Lau, Will Shackleton, Cheng Sun, Gábor Szarka
  • 2nd place (Silver): Imperial College London
    Matthieu Buffet, Jiarou Fan, Luke Granger-Brown, Antoine Vianey-Liaud
  • 3rd place (Bronze): University of Southampton
    Murray Colpman, Kier Davis, Yordan Ganchev, Mohit Gupta

 

Individual event:

  • 1st place (Gold): Dimitrije Erdeljan, University of Cambridge
  • 2nd place (Silver): Emma Espinosa, University of Oxford
  • 3rd place (Bronze): David Young, University of Southampton

IMG_5346

I shall ignore allegations of having rigged the game except to say that yes, we did train our students rather extensively in preparation for the previously-mentioned Cambridge 2 Cambridge event with MIT. All of our winners are Cambridge undergraduates in computer science who had done well in the qualifiers for C2C. Two of them had actually been to Boston, where Gábor had been on the winning team overall and earned one gold and two silver medals, while Will (also former UK Cyber Security Challenge winner) had earned one gold, one silver and two bronze medals. Well deserved thanks also to my modest but irreplaceable collaborator Graham Rymer who designed and delivered an effective and up-to-date ethical hacking course to our volunteers. The Cambridge success in this weekend’s competition gives promising insights into the effectiveness of this training which we are gearing up to offering to all our undergraduates and potentially to other interested audiences in the future.

IMG_5359

We are once again grateful to everyone who took part. We are also grateful to the Cabinet Office, to EPSRC and to GCHQ for support that will allow us to keep the event running and we hereby invite all the ACEs to sharpen their hacking tools for next year and come back to attempt to reconquer the trophy from us.