ACISP 2017

22nd Australasian Conference on Information Security and Privacy
Auckland, New Zealand, 3-5 July 2017

Held in conjunction with ATIS 2017 on 6-7 July, 2017

Keynote Speakers

Peter Pilley

Peter Pilley

Managing Director,
Department of Internal Affairs, NZ.


“I was sure that was my password... and other just so law enforcement stories”

Abstract

With the advent of communications devices and software being encrypted by design there is now a number of new risks presenting themselves some predicted and some only becoming apparent now.

Who owns the data that is encrypted? What right or access does a family have to the encrypted data of a sibling or Son / Daughter at the time of their death? How can law enforcement be seen to be able to successfully investigate a suspect if they have taken steps to encrypt their communications platform or device?

These are not new fears or technologies but they do raise some interesting questions and scenarios.

Encrypted networks such as TOR and platforms such as WhatsApp are potentially removing the traditional investigation methods from the investigator Agencies are turning to, and in some instances failing in the use of., more advanced interception techniques.

How do we as Law Enforcement manage this, and more importantly how as a community do we need to see it managed?

Short Bio

Peter is the manager of the CenSPEC team within the Digital Child Exploitation Team (DCET) of the Department of Internal Affairs where he is responsible for forensic analysis, training, operational tech and research and development.

DCET is a world leading team dedicated to the investigation of users trading child abuse material online. The systems that are produced within CenSPEC are world leading and are used by agencies worldwide to prosecute users trading Child Abuse Material online.

CenSPEC are the technical lead with the Interpol Technical Working Group a Subgroup within the Interpol Crimes against Children group and the Co-Founder of the Law Enforcement development community ForceForge (with RCMP).

Peter has a MSc in Forensic Computing and Cybercrime Investigation.

L. Jean Camp

L. Jean Camp

Professor of Security Informatics, School of Informatics & Computing, Indiana University, USA.

“Security as Risk Communication”


Abstract

In usable security design, opaque designs enable the user take an action seamlessly rather than requiring some understanding of the underlying system design. However, security choices inherently require some information, or the default option is to prevent all risky behaviors without interaction. In fact, blocking desired action without communication is one reason that individuals may abandon security technologies even when the risks these technologies mitigate are known. Incentives cannot work unless there are two conditions. First, the incentives must be visible. Second, there must be a clear action to take in response to the incentives. Both of these outcomes are the goal of translucent design. A truly transparent design can overwhelm and under-inform the user with information about configuration, the nature of the security technology, and the elements of a risk that are mitigated. Risk communication allows individuals to easily see the consequences of their action. The ideal design, of making visible user-action-system-consequence, may be overwhelming or context-dependent. Risk communication is neither transparent nor opaque; but rather consists of security technologies that are easy to use, communicate risk choices only to the degree necessary to avoid inadvertent fatal choices, can be overcome in a straight-forward manner if the individual chooses to take a risk, or if the system is in error.

Short Bio

Jean Camp is a Professor at the School of Informatics and Computing at Indiana University. She joined Indiana after eight years at Harvard’s Kennedy School where her courses were also listed in Harvard Law, Harvard Business, and the Engineering Systems Division of MIT. She spent the year after earning her doctorate from Carnegie Mellon as a Senior Member of the Technical Staff at Sandia National Laboratories. She began her career as an engineer at Catawba Nuclear Station and with a MSEE at University of North Carolina at Charlotte. Her research focuses on the intersection of human and technical trust, levering economic models and human-centered design to create safe, secure systems. She is the author of two monographs. In addition, she has authored more than one hundred fifty shorter publications.

Jennifer Seberry Lecture

Prof. Clark Thomborson

Clark Thomborson

Professor,
University of Auckland.


“Contextual Privacy”



Abstract

Could you design a computer system which respects all forms of privacy that are relevant to its users? What forms of privacy are important to you personally, and in what contexts are they important? How can a user obtain a "private place" in a computerised system? Is it feasible and economic for a system to afford a particular form of privacy to its users? Is it socially appropriate, or legal, for a system to grant a privacy request? Which privacy requests should be denied? Can you identify all of the "assets at risk" in a privacy-protective system? I won't attempt to answer any of these questions fully! However I will get you started on finding your own answers, for the next system you design, for the next privacy analysis you perform, and for the next system you use. My explanations are grounded in Lawrence Lessig's taxonomy of control and liberty, in Alan Westin's taxonomy of private states, in Helen Nissenbaum's legal theory of contextual integrity, and in the Jericho Forum's Identity Commandments. I'll draw examples from commonly-encountered systems such as Facebook.

Short Bio

Clark has been a professor in the computer science department of the University of Auckland since 1996. He received the PhD degree in computer science in 1980 from Carnegie Mellon University under his birth name Clark Thompson. He has held academic positions at the U of Minnesota-Duluth, UC Berkeley and MIT. He has several years of commercial experience as a software/hardware systems integrator. For the first two decades of his research career, he focussed on performance issues; then he shifted to the design and analysis of secure and private systems. He was active in the internal discussions of The Jericho Forum during the development of some of its whitepapers, including its Identity Commandments.

Invited Speakers

Dr. Henry B. Wolfe

Associate Professor – Computer Security & Forensics
Information Science Department, Otago School of Business.

Dr. Henry B. Wolfe

“Mobile Phone and General ICT Security Issues”

Abstract
We take for granted every day that we are safe from any given risk because we are protected by various standards, statutes, and laws. The mobile phone has become ubiquitous and there are currently more than 8 billion connections and almost 5 billion mobile phones in use around the world. It is really nothing more than a small computer with a radio transmitter and receiver and other communications devices (Wi/Fi, Bluetooth, etc) integrated into it. Smart phones may also have the ability to record photos, videos and sound. Most have a built in Global Positioning Satellite System capability.

Some phones may also have Near Field Communications (NFC). Each of these capabilities may result in various risks. Every generation of mobile phone has expanded its capabilities and we are now able to communicate with the Internet in addition to normal telephone activity.

A long with these capabilities come a number of risks. Some of these are normally associated with using the Internet, so mobile users are exposed to malware of various kinds from that source. However, there are other more insidious risks that are less known. The purpose of this presentation is to discuss the current risks associated with mobile phone use including malware; loss, theft, seizure; communications interception, loss of privacy; location logging and tracking; and bugging. Most people are not aware of these threats. They assume that their service provider has put in place measures to eliminate any risks as well as protect their privacy (by the use of cryptography). 100% safe mobile phone use will unlikely ever be possible. This presentation will cover mitigating alternatives that can be put in place to reduce the identified mobile phone risks. These will be graphically portrayed and clearly described and defined in terms and language that non-technical people will understand.

Bio

Dr. Wolfe has been an active ICT professional for more than 58 years. He has earned a number of university ICT degrees culminating with a Doctor of Philosophy from the University of Otago (Virus Defenses in the MS/DOS Environment). The first ten years of his career were spent programming and designing systems in the manufacturing environment; the most notable was one of the first fully automated accounting systems in the U.S. The next ten years of ever increasing responsibility was devoted to serving in the U.S. Federal Government rising to the position of Director of Management Information Systems for the Overseas Private Investment Corporation.

In 1979 Dr. Wolfe took up an academic post at the University of Otago and for the past thirty-five or so years has specialized in computer security. During that period he has earned an international reputation in the field of electronic forensics, encryption, surveillance, privacy and computer virus defenses.

Dr. Wolfe writes about a wide range of security and privacy issues for Computers & Security, Digital Investigation (where he is also an Editorial Board Member), Network Security, the Cato Institute, Cryptologia, and the Telecommunications Reports. He is a Fellow of the Institute of IT Professionals New Zealand. He was on the Board of Directors of the International Association of Cryptologic Research finishing up in January 2003.

Over the years he has provided advice on security matters to major government bodies within New Zealand as well as government organizations in Australia, Panama, Singapore and the U.S.; and additionally to New Zealand businesses and the major New Zealand Internet Service Providers. He has advised the New Zealand Law Commission in preparation for their publication of the Computer Misuse Report – Report No. 54, Electronic Commerce Part Two – Report No. 58, and Electronic Commerce Part Three – Report No. 68. He has been commissioned to provide training in electronic forensics for law enforcement organizations (New Zealand, Australia, Singapore, etc.). Since 1988 he has supervised and conducted more than one hundred and seventy-five (175) computer security audits of New Zealand businesses and government bodies in and around Dunedin. His opinions are regularly sought by the various media organizations (newspaper, radio and television).

Dr. Wolfe is a regular invited and keynote speaker at international conferences having spoken at over 60 conferences, in more than 20 countries, during the past 30 years. He addresses security and privacy issues – both technical and policy. He recently addressed all of New Zealand’s High, Appeal and Supreme Courts Justices and also separately addressed 80 Justices from the Australian Federal and Supreme Courts. During this time Dr. Wolfe has also spoken nearly 60 times at non-conference venues. The most recent being the University of the Third Age, for a third time, and previously, for example, at the US Military Academy at West Point amongst many others.

His primary research interest is centered around the discipline of mobile phone security, electronic forensics, surveillance, and private communications techniques. These all involve the implementation of various cryptographic algorithms and other techniques that are currently available, and the associated hardware and software necessary to implement such systems. He has a long history and association with both the cryptographic and the technical surveillance counter-measures communities.

Prof. Paul S. Pang

Professor – High Tech Transdisciplinary Research Network and Department of Computer Science,
Unitec Institute of Technology, New Zealand.

Prof. Paul S. Pang

“UniteCloud: A Resilient Private Cloud Platform for Education and Research Service”

Abstract
UniteCloud is a cloud-computing platform developed in Unitec Institute of Technology to provide a solution to resilient infrastructure and data services. UniteCloud has been constructed using OpenStack with its peak computational capability up to 500 virtual machines and maximum storage allocation 64 giga-bytes per virtual machine. The resiliency of UniteCloud is achieved by three novel components. CloudViz-3D is a top-level interactive cloud monitoring system that monitors the running status of cloud and notifies users before any disaster occurs. rRVM is a low latency and high consistency high availability system that generates real time backup and disaster recovery. CRaaSH is an offline disaster recovery system that provides decentralized service checkpoint/restart over commodity networks. In addition, the platform supports group collaborative working, editing, big data processing and machine learning algorithmic experiments with its open source implementation of Gitlab, ShareLatex, HadoopDataCenter and TensorFlow. With all its resilient service features, UniteCloud is specializing in supplying eLearning and eResearch services for New Zealand tertiary students and staffs.

Bio

Dr Paul Pang is a Professor of Data Analytics with Unitec Institute of Technology, the Deputy Director of High Tech Transdisciplinary Research Network and the Director of Center for Computational Intelligence for Cybersecurity. Professor Pang is the Science Leader of the Unitec team for an ongoing Ministry of Business, Innovation and Employment (MBIE) funded Security Technologies Returning Accountability, Trust and User-Centric Services in the Cloud (STRATUS) project. Also, He is the Event Editor of Neural Networks journal Elsevier, Senior Member of IEEE. He has served Chair, Co-chair and Committee Member/Track Chair of numerous international conferences, including recently as a program member of the 2017 Thirty-First AAAI Conference on Artificial Intelligence (AAAI2017).

Dr. Ian Welch

Associate Professor – Network Engineering, School of Engineering and Computer Science,
Victoria University of Wellington, New Zealand

Associate Professor Ian Welch

“Software defined networking as a security enabler for enterprises”

Abstract
Industry commentators have raised concerns about software-defined networking (SDN) as looking "like a nice squishy target to spies and crooks" and a "nightmare" from a risk assessment point-of-view. Security concerns include worries that it will be impossible to secure the perimeter because the network architecture is no longer fixed, the controller managing the control plane is centralised, and a single point of failure and the software-centric approach is highly vulnerable to exploitation as opposed to current hardware-based approaches.

We argue that some of these concerns are not new and software defined network provides an approach to implementing secure enterprise networks that can lead to better enforcement and greater assurance. This talk will address concerns and explain how we are working with other academics and commercial partners on the development of a software defined security platform that leverages these advantages over traditional approaches.

Bio

Associate Professor Ian Welch leads the security group at Victoria University of Wellington, New Zealand. The security group at Victoria has been established since 2006 and has focused on the delivery of malware via the web. More recently the focus has been on software defined networking and security.

Since 2015, he and Dr Bryan Ng have led a Google-supported software defined network research centre at Victoria University. Members work on software defined networking security, performance measurement, inter domain routing and are contributors the the Faucet open source software defined controller.

Previously he was leader of the New Zealand honeynet project chapter, co-investigator on an Australian govt ARC-funded grant ($AU 186,000), was principal investigator on a NZ govt DIA-funded grant ($156,000) working with the Porirua Pacific Islands Forum and a lead researcher on workpackage of a three year multi-institutional EU-funded grant investigating intrusion-tolerant middleware.

Dr. Dongxi Liu

Senior Research Scientist,
Data61 CSIRO, Australia.

Dongxi Liu

“Compact-LWE for Lightweight Public Key Encryption and Leveled IoT Authentication”

Abstract
Leveled authentication allows resource-constrained IoT devices to be authenticated at different strength levels according to the particular types of communication. To achieve efficient leveled authentication, a lightweight public key encryption scheme is introduced in this talk, which can produce very short ciphertexts without sacrificing its security.

The semantic security of this scheme is based on the Learning With Secretly Scaled Errors in Dense Lattice (referred to as Compact-LWE) problem designed in CSIRO. This problem is a variant of the Learning With Errors (LWE) problem, but with two improvements (i.e., secretly scaled errors, which can be very big, and dense lattice, which has small fundamental parallelepiped) that make Compact-LWE resistant against well-known lattice-based attacks to LWE. In addition to the security proof, we verify, with a public attack tool, that the lattice-based attacks, which are successful on LWE, cannot succeed on Compact-LWE even for a small dimension parameter (e.g., a lattice of dimension 13).

The evaluation of our scheme and a leveled Needham-Schroeder-Lowe public key authentication protocol on the Contiki operating system and Sky motes will also be introduced.

Bio

Dongxi Liu is a Senior Research Scientist in CSIRO since 2008. Before joining CSIRO, he was a researcher in University of Tokyo. His research interests include light weight encryption, IoT device authentication, encrypted data processing, and system security. He got his PhD in computer engineering from Shanghai Jiao Tong University in 2003, and his Master and Bachelor degrees from Taiyuan University of Technology in 1999 and 1996, respectively.

Dr. Dong Seong (Dan) Kim

Senior Lecturer – Computer Science and Software Engineering,
University of Canterbury, New Zealand.

Dr. Dong Seong (Dan) Kim

“Graphical Security Models”

Abstract
Graphical security models can be used to assess the network security. Purely graph based (e.g., Attack Graphs) security models have a state-space explosion problem. Tree-based models (e.g., Attack Trees) cannot capture the attack paths information explicitly. In this talk, we briefly introduce a scalable security model named hierarchical attack representation models (HARM) to deal with the above mentioned issues. First, I present how the HARM with other methods to evaluate the effectiveness of Moving Target Defenses. Second, I present how the HARM can be used to evaluate the security of Internet of Things. Finally, research revenues in the graphical security modeling and assessment will be discussed in brief.

Bio

Dr. Dong-Seong "Dan" Kim is the Director of Cyber Security Lab at the University of Canterbury (UC), Christchurch, New Zealand. He is a Senior Lecturer in Cyber Security in the Department of Computer Science and Software Engineering at UC. He was a visiting scholar at the University of Maryland, College Park, Maryland in the US in 2007. From June 2008 to July 2011, he was a postdoc at Duke University, Durham, North Carolina in the US.

His research interests are in cyber security and dependability for various systems and networks; in particular, Intrusion Detection using Machine/Deep Learning Techniques, Security and Survivability for Wireless Ad Hoc and Sensor Networks and Internet of Things, Security and Performability modeling and analysis of Cloud computing, and Reliability and Resilience modeling and analysis of Smart (Power) Grid, and Blockchain technologies.

Dr. Surya Nepal

Principal Research Scientist,
Data61 CSIRO, Australia.

Surya Nepal

“Orchestration and Automation of Cybersecurity: Issues and Challenges”

Abstract
Almost all present cybersecurity expenditure and activities (85%) focuses on designing solutions to prevent known cybersecurity threats. No matter how much efforts are put in preparation and prevention, these solutions are not working and cyberattacks and data breaches are inevitable. Current compromise-to-discovery time can be 30 to 60 days. One the one hand, the number of incidents of cyberattacks and data breaches are increasing every year; the increase in time required to detect cyberattacks and data breaches is causing higher reputational, operational and economic loss due to the impact on the continuity of the business. On the other hand, we have a limited pool of security experts who can focus on human-intensive tasks such as analysing programs/protocols, designing patches, understanding a compromise and responding/recovering from a compromise. Current approaches are mostly manual, signature base, reactive and not robust and resilient. Furthermore, the increasing complexity of the cyberspace and its dynamic nature makes it impossible for humans to effectively secure and protect the cyber system. These space requires a paradigm shift towards more orchestrated and automated cybersecurity solutions so security experts could be more efficiently utilised and small-to-medium businesses can have access to more advanced cybersecurity capabilities through software-as-a-service.

A number of organisations have already started taking some actions to automate and orchestrate incident response processes, while researchers have started to explore the coordinated response of the human bodys immune system towards building autonomic, resilient cyber systems. This talk explores the potential opportunities and issues to automate and orchestrate cybersecurity solutions.

Bio

Dr Surya Nepal is a Principal Research Scientist at CSIRO Data61 and leads a distributed systems security research group with 10 staff and over 30 PhD students. His main research interest is in the development and implementation of technologies in the area of distributed systems and social networks, with a specific focus on security, privacy and trust. He obtained his BE from National Institute of Technology (NIT) Surat, India; ME from Asian Institute of Technology (AIT), Thailand; and PhD from RMIT University, Australia. He has more than 170 peer-reviewed publications to his credit; his papers are published in international journals such as IEEE Trans. Parallel and Distributed Systems, IEEE Trans. on Service Computing, ACM Trans. on Internet Technologies, and IEEE Trans. on Computers. He has co-edited three books including security, privacy and trust in cloud systems by Springer. He currently serves as an associate editor in an editorial board of IEEE Transactions on Service Computing.

Sponsors