ACISP 2017

22nd Australasian Conference on Information Security and Privacy
Auckland, New Zealand, 3-5 July 2017

Held in conjunction with ATIS 2017 on 6-7 July, 2017

Keynote Speakers

Peter Pilley



Managing Director,
Department of Internal Affairs, NZ.

“I was sure that was my password... and other just so law enforcement stories”

Abstract

With communications devices and software now being encrypted by design, a number of new risks are presenting themselves, some predicted and some only becoming apparent now.

Who owns the data that is encrypted? What right of access does a family have to the encrypted data of a sibling, son or daughter at the time of their death? How can law enforcement be seen to be able to successfully investigate a suspect if they have taken steps to encrypt their communications platform or device?

These are not new fears or technologies but they do raise some interesting questions and scenarios.

Encrypted networks such as TOR and platforms such as WhatsApp are potentially removing the traditional investigation methods from the investigator. Agencies are turning to, and in some instances failing in the use of, more advanced interception techniques.

How do we as law enforcement manage this, and more importantly, how as a community do we need to see it managed?

Short Bio

Peter is the manager of the CenSPEC team within the Digital Child Exploitation Team (DCET) of the Department of Internal Affairs, where he is responsible for forensic analysis, training, operational technology, and research and development.

DCET is a world-leading team dedicated to the investigation of users trading child abuse material online. The systems produced within CenSPEC are world leading and are used by agencies worldwide to prosecute users trading child abuse material online.

CenSPEC is the technical lead of the Interpol Technical Working Group, a subgroup within the Interpol Crimes against Children group, and the co-founder (with the RCMP) of the law enforcement development community ForceForge.

Peter has an MSc in Forensic Computing and Cybercrime Investigation.

L. Jean Camp



Professor of Security Informatics,
School of Informatics & Computing, Indiana University, USA.

“Security as Risk Communication”


Abstract

In usable security design, opaque designs enable the user to take an action seamlessly rather than requiring some understanding of the underlying system design. However, security choices inherently require some information, or else the default option is to prevent all risky behaviours without interaction. In fact, blocking a desired action without communication is one reason that individuals may abandon security technologies even when the risks these technologies mitigate are known. Incentives cannot work unless two conditions hold. First, the incentives must be visible. Second, there must be a clear action to take in response to the incentives. Both of these outcomes are the goal of translucent design. A truly transparent design can overwhelm and under-inform the user with information about configuration, the nature of the security technology, and the elements of a risk that are mitigated. Risk communication allows individuals to easily see the consequences of their action. The ideal design, making the chain of user action, system and consequence visible, may be overwhelming or context-dependent. Risk communication is neither transparent nor opaque; rather, it consists of security technologies that are easy to use, communicate risk choices only to the degree necessary to avoid inadvertent fatal choices, and can be overridden in a straightforward manner if the individual chooses to take a risk or if the system is in error.

Short Bio

L. Jean Camp is a professor at the Indiana University School of Informatics and Computing. She was previously an associate professor at the Kennedy School, before which she was at Sandia National Laboratories. She is best known for her work combining computer security and the social sciences. In particular, her work on the economics of security dates from 2001.

Her research on open code, internet governance, and internet diffusion in developing countries primarily dates from her time at the Kennedy School. More recent work on Internet Governance addresses the full allocation of the v4 space.

Currently she has three major projects. The first is risk communication using mental models in order to inform security; the second is measuring and communicating risk using a formal mission framework; and the third is the security of SDN. Her recently completed projects address macroeconomic indicators of e-crime, and privacy perception, considering both true and perceived risks. Camp is a lead researcher in the ETHOS project (Ethical Technology in the Homes Of Seniors), which focuses on designing security- and privacy-aware technologies for elders.

She served as the Legislative Assistant for military, telecommunications, and intellectual property matters in North Carolina's 2nd congressional district. Camp is a Senior Member of the IEEE, serves on the USACM Council, is a long-standing member of IEEE-USA, and was one of the Internet engineers who were early objectors to SOPA.

Invited Speakers

Dr. Ryan Ko

Associate Professor – Head of Cyber Security Researchers of Waikato,
University of Waikato, New Zealand.


“Returning data control to users via data provenance and privacy-preserving computations”

Abstract
Despite increased risk awareness, most computer users are 'sitting ducks' in cyber attacks. This is exacerbated by an unsustainable global situation: unique malware created every half a second, the inability to effectively attribute attack source(s), and the inability to maintain data privacy effectively in third-party environments.

The crux of this unsustainable situation stems from the lack of capabilities to control our own data, both within our machines and across third-party environments in the entire network. For example, when we use Google services, we need to trust that Google employees will not access our data unethically, since there is no way for us to know 'what has happened to our data' behind the scenes.

Data provenance, the derivation history of data, promises to allow us to trace and understand data changes. Provenance empowers user data control. However, current systems are vendor-centric, and are not designed with provenance-oriented capabilities such as data provenance logging in mind.

Besides knowing what has happened, it also makes sense to heighten user data control by developing capabilities that enhance privacy preservation for not just data-at-rest but also data-in-transit. Recent research on homomorphic encryption and related privacy-preserving computation techniques aims to allow data to remain encrypted or private while it is being processed, obviating the need to decrypt the data before it is processed, as is the case with several database implementations today.

This seminar will introduce the NZ$12.2 million MBIE-funded STRATUS (https://stratus.org.nz) project, along with research reflections and breakthroughs in data provenance and privacy-preserving computations. He will also demonstrate recent breakthroughs in data tracking and malware detection, with the goal of inspiring collaborators to join in the journey towards returning control of data to users.

Bio

Associate Professor Ryan Ko is the Head of the Cyber Security Researchers of Waikato (CROW) at the University of Waikato, New Zealand. With CROW, he established NZ's first cyber security lab and cyber security graduate research programme in 2012 and 2013 respectively. He is the principal investigator of the NZ government MBIE-funded (NZ$12.23 million; 2014-2020) STRATUS project. Ko also co-established the NZ Cyber Security Challenge in 2014. His research focuses on returning data control to users, and investigates challenges in cloud computing security and privacy, data provenance, and homomorphic encryption. He is also interested in attribution and vulnerability detection, focusing on ransomware propagation.

With more than 50 publications, including 3 international patents, he serves on 6 international journal editorial boards and as series editor for Elsevier's security books. He also serves as the editor developing ISO/IEC 21878 (Security guidelines in design and implementation of virtualized servers), and is a member of the Singapore, Australia and NZ standards bodies.

A Fellow of the Cloud Security Alliance (CSA), he is a co-creator of the (ISC)2 CCSP certification, the gold-standard international cloud security professional certification. Prior to academia, he was an HP Labs lead computer scientist leading data provenance innovations in HP global security products (e.g. ArcSight). He is technical and research adviser for the NZ Ministry of Justice's Harmful Digital Communications Act, the NZ Cyber Skills Task Force reporting to the NZ Minister of Communications, the NZX-listed LIC, the CSA and INTERPOL.

Dr. Henry B. Wolfe

Associate Professor – Computer Security & Forensics
Information Science Department, Otago School of Business.


“Mobile Phone and General ICT Security Issues”

Abstract
We take for granted every day that we are safe from any given risk because we are protected by various standards, statutes, and laws. The mobile phone has become ubiquitous, and there are currently more than 8 billion connections and almost 5 billion mobile phones in use around the world. It is really nothing more than a small computer with a radio transmitter and receiver and other communications devices (Wi-Fi, Bluetooth, etc.) integrated into it. Smart phones may also have the ability to record photos, videos and sound. Most have a built-in Global Positioning Satellite System capability.

Some phones may also have Near Field Communications (NFC). Each of these capabilities may result in various risks. Every generation of mobile phone has expanded its capabilities and we are now able to communicate with the Internet in addition to normal telephone activity.

Along with these capabilities come a number of risks. Some of these are normally associated with using the Internet, so mobile users are exposed to malware of various kinds from that source. However, there are other, more insidious risks that are less well known. The purpose of this presentation is to discuss the current risks associated with mobile phone use, including malware; loss, theft and seizure; communications interception and loss of privacy; location logging and tracking; and bugging. Most people are not aware of these threats. They assume that their service provider has put in place measures to eliminate any risks as well as protect their privacy (by the use of cryptography). 100% safe mobile phone use will likely never be possible. This presentation will cover mitigating alternatives that can be put in place to reduce the identified mobile phone risks. These will be graphically portrayed and clearly described and defined in terms and language that non-technical people will understand.

Bio

Dr. Wolfe has been an active ICT professional for more than 58 years. He has earned a number of university ICT degrees, culminating in a Doctor of Philosophy from the University of Otago (Virus Defenses in the MS/DOS Environment). The first ten years of his career were spent programming and designing systems in the manufacturing environment; the most notable was one of the first fully automated accounting systems in the U.S. The next ten years, of ever-increasing responsibility, were devoted to serving in the U.S. Federal Government, rising to the position of Director of Management Information Systems for the Overseas Private Investment Corporation.

In 1979 Dr. Wolfe took up an academic post at the University of Otago and for the past thirty-five or so years has specialised in computer security. During that period he has earned an international reputation in the fields of electronic forensics, encryption, surveillance, privacy and computer virus defenses.

Dr. Wolfe writes about a wide range of security and privacy issues for Computers & Security, Digital Investigation (where he is also an Editorial Board Member), Network Security, the Cato Institute, Cryptologia, and the Telecommunications Reports. He is a Fellow of the Institute of IT Professionals New Zealand. He was on the Board of Directors of the International Association of Cryptologic Research finishing up in January 2003.

Over the years he has provided advice on security matters to major government bodies within New Zealand as well as government organisations in Australia, Panama, Singapore and the U.S., and additionally to New Zealand businesses and the major New Zealand Internet Service Providers. He has advised the New Zealand Law Commission in preparation for their publication of the Computer Misuse Report (Report No. 54), Electronic Commerce Part Two (Report No. 58), and Electronic Commerce Part Three (Report No. 68). He has been commissioned to provide training in electronic forensics for law enforcement organisations (New Zealand, Australia, Singapore, etc.). Since 1988 he has supervised and conducted more than one hundred and seventy-five (175) computer security audits of New Zealand businesses and government bodies in and around Dunedin. His opinions are regularly sought by the various media organisations (newspaper, radio and television).

Dr. Wolfe is a regular invited and keynote speaker at international conferences, having spoken at over 60 conferences in more than 20 countries during the past 30 years. He addresses security and privacy issues, both technical and policy. He recently addressed all of New Zealand's High, Appeal and Supreme Court Justices and also separately addressed 80 Justices from the Australian Federal and Supreme Courts. During this time Dr. Wolfe has also spoken nearly 60 times at non-conference venues, the most recent being the University of the Third Age, for a third time, and previously, for example, at the US Military Academy at West Point, amongst many others.

His primary research interest is centred on the disciplines of mobile phone security, electronic forensics, surveillance, and private communications techniques. These all involve the implementation of various cryptographic algorithms and other techniques that are currently available, and the associated hardware and software necessary to implement such systems. He has a long history and association with both the cryptographic and the technical surveillance counter-measures communities.

Prof. Paul S. Pang

Professor – High Tech Transdisciplinary Research Network and Department of Computer Science,
Unitec Institute of Technology, New Zealand.


“UniteCloud: A Resilient Private Cloud Platform for Education and Research Service”

Abstract
UniteCloud is a cloud-computing platform developed at Unitec Institute of Technology to provide a solution for resilient infrastructure and data services. UniteCloud has been constructed using OpenStack, with a peak computational capability of up to 500 virtual machines and a maximum storage allocation of 64 terabytes per virtual machine. The resiliency of UniteCloud is achieved by three novel components. CloudViz-3D is a top-level interactive cloud monitoring system that monitors the running status of the cloud and notifies users before any disaster occurs. rRVM is a low-latency, high-consistency high-availability system that provides real-time backup and disaster recovery. CRaaSH is an offline disaster recovery system that provides decentralised service checkpoint/restart over commodity networks. In addition, the platform supports group collaborative working, editing, big data processing and machine learning algorithmic experiments with its open source deployment of Gitlab, ShareLatex, HadoopDataCenter and TensorFlow. With all its resilient service features, UniteCloud specialises in supplying eLearning and eResearch services for New Zealand tertiary students and staff.

Bio

Dr Paul Pang is a Professor of Data Analytics at Unitec Institute of Technology, the Deputy Director of the High Tech Transdisciplinary Research Network and the Director of the Center for Computational Intelligence for Cybersecurity. Professor Pang is the Science Leader of the Unitec team for the ongoing Ministry of Business, Innovation and Employment (MBIE) funded Security Technologies Returning Accountability, Trust and User-Centric Services in the Cloud (STRATUS) project. He is also the Event Editor of the Elsevier journal Neural Networks and a Senior Member of the IEEE. He has served as Chair, Co-chair and Committee Member/Track Chair of numerous international conferences, including recently as a program committee member of the 2017 Thirty-First AAAI Conference on Artificial Intelligence (AAAI2017).

Dr. Ian Welch

Associate Professor – Network Engineering, School of Engineering and Computer Science,
Victoria University of Wellington, New Zealand


“Software defined networking as a security enabler for enterprises”

Abstract
Industry commentators have raised concerns about software-defined networking (SDN) as looking "like a nice squishy target to spies and crooks" and a "nightmare" from a risk assessment point of view. Security concerns include worries that it will be impossible to secure the perimeter because the network architecture is no longer fixed; that the controller managing the control plane is centralised and a single point of failure; and that the software-centric approach is highly vulnerable to exploitation compared with current hardware-based approaches.

We argue that some of these concerns are not new and that software-defined networking provides an approach to implementing secure enterprise networks that can lead to better enforcement and greater assurance. This talk will address these concerns and explain how we are working with other academics and commercial partners on the development of a software-defined security platform that leverages these advantages over traditional approaches.

Bio

Associate Professor Ian Welch leads the security group at Victoria University of Wellington, New Zealand. The security group at Victoria was established in 2006 and has focused on the delivery of malware via the web. More recently the focus has been on software-defined networking and security.

Since 2015, he and Dr Bryan Ng have led a Google-supported software-defined network research centre at Victoria University. Members work on software-defined networking security, performance measurement and inter-domain routing, and are contributors to the Faucet open source software-defined controller.

Previously he was leader of the New Zealand honeynet project chapter, co-investigator on an Australian government ARC-funded grant ($AU 186,000), principal investigator on a NZ government DIA-funded grant ($156,000) working with the Porirua Pacific Islands Forum, and a lead researcher on a work package of a three-year multi-institutional EU-funded grant investigating intrusion-tolerant middleware.

Dr. Dongxi Liu

Senior Research Scientist,
Data61 CSIRO, Australia.


“Compact-LWE for Lightweight Public Key Encryption and Leveled IoT Authentication”

Abstract
Leveled authentication allows resource-constrained IoT devices to be authenticated at different strength levels according to the particular type of communication. To achieve efficient leveled authentication, a lightweight public key encryption scheme is introduced in this talk, which can produce very short ciphertexts without sacrificing security.

The semantic security of this scheme is based on the Learning With Secretly Scaled Errors in Dense Lattice (referred to as Compact-LWE) problem designed at CSIRO. This problem is a variant of the Learning With Errors (LWE) problem, but with two improvements (i.e., secretly scaled errors, which can be very big, and a dense lattice, which has a small fundamental parallelepiped) that make Compact-LWE resistant against the well-known lattice-based attacks on LWE. In addition to the security proof, we verify with a public attack tool that the lattice-based attacks which succeed on LWE cannot succeed on Compact-LWE, even for a small dimension parameter (e.g., a lattice of dimension 13).

The evaluation of our scheme and a leveled Needham-Schroeder-Lowe public key authentication protocol on the Contiki operating system and Sky motes will also be introduced.

Bio

Dongxi Liu has been a Senior Research Scientist at CSIRO since 2008. Before joining CSIRO, he was a researcher at the University of Tokyo. His research interests include lightweight encryption, IoT device authentication, encrypted data processing, and system security. He received his PhD in computer engineering from Shanghai Jiao Tong University in 2003, and his Master's and Bachelor's degrees from Taiyuan University of Technology in 1999 and 1996, respectively.

Prof. Clark Thomborson

Professor – Computer Science Department,
University of Auckland.


“Contextual Privacy”

Abstract
Could you design a computer system which respects all forms of privacy that are relevant to its users? What forms of privacy are important to you personally, and in what contexts are they important? How can a user obtain a "private place" in a computerised system? Is it feasible and economic for a system to afford a particular form of privacy to its users? Is it socially appropriate, or legal, for a system to grant a privacy request? Which privacy requests should be denied? Can you identify all of the "assets at risk" in a privacy-protective system? I won't attempt to answer any of these questions fully! However I will get you started on finding your own answers, for the next system you design, for the next privacy analysis you perform, and for the next system you use. My explanations are grounded in Lawrence Lessig's taxonomy of control and liberty, in Alan Westin's taxonomy of private states, in Helen Nissenbaum's legal theory of contextual integrity, and in the Jericho Forum's Identity Commandments. I'll draw examples from commonly-encountered systems such as Facebook.

Bio

Clark has been a professor in the computer science department of the University of Auckland since 1996. He received the PhD degree in computer science in 1980 from Carnegie Mellon University under his birth name, Clark Thompson. He has held academic positions at the University of Minnesota-Duluth, UC Berkeley and MIT. He has several years of commercial experience as a software/hardware systems integrator. For the first two decades of his research career he focused on performance issues; then he shifted to the design and analysis of secure and private systems. He was active in the internal discussions of The Jericho Forum during the development of some of its whitepapers, including its Identity Commandments.

Dr. Dong Seong (Dan) Kim

Senior Lecturer – Computer Science and Software Engineering,
University of Canterbury, New Zealand.


“Graphical Security Models”

Abstract
Graphical security models can be used to assess network security. Purely graph-based security models (e.g., Attack Graphs) have a state-space explosion problem. Tree-based models (e.g., Attack Trees) cannot capture attack path information explicitly. In this talk, we briefly introduce a scalable security model named Hierarchical Attack Representation Models (HARM) to deal with the above-mentioned issues. First, I present how the HARM can be used with other methods to evaluate the effectiveness of Moving Target Defenses. Second, I present how the HARM can be used to evaluate the security of the Internet of Things. Finally, research avenues in graphical security modeling and assessment will be discussed in brief.

Bio

Dong Seong is a Senior Lecturer at the University of Canterbury with a strong focus on research areas such as Cyber Security, Wireless Ad hoc and Sensor Networks, Cloud Computing, Analytic Modeling and Simulation, Internet of Things, Smart Grid and Green Computing, Availability, Dependability and Reliability, Resilience, Cyber Crime, Software Defined Networking, Security Risk Assessment, and Blockchain. He leads the Dependability and Security (DS) Research Group and the Simulation Research Group (SRG), and is a member of the Network Research Group (NRG). He received his PhD from Korea Aerospace University.

Dr. Surya Nepal

Principal Research Scientist,
Data61 CSIRO, Australia.


“Orchestration and Automation of Cybersecurity: Issues and Challenges”

Abstract
Almost all present cybersecurity expenditure and activity (85%) focuses on designing solutions to prevent known cybersecurity threats. No matter how much effort is put into preparation and prevention, these solutions are not working, and cyberattacks and data breaches are inevitable. Current compromise-to-discovery time can be 30 to 60 days. On the one hand, the number of cyberattack and data breach incidents is increasing every year, and the increase in the time required to detect cyberattacks and data breaches is causing higher reputational, operational and economic loss due to the impact on business continuity. On the other hand, we have a limited pool of security experts who can focus on human-intensive tasks such as analysing programs/protocols, designing patches, understanding a compromise, and responding to and recovering from a compromise. Current approaches are mostly manual, signature-based, reactive, and neither robust nor resilient. Furthermore, the increasing complexity of cyberspace and its dynamic nature make it impossible for humans to effectively secure and protect cyber systems. This space requires a paradigm shift towards more orchestrated and automated cybersecurity solutions, so that security experts can be utilised more efficiently and small-to-medium businesses can have access to more advanced cybersecurity capabilities through software-as-a-service.

A number of organisations have already started taking action to automate and orchestrate incident response processes, while researchers have started to explore the coordinated response of the human body's immune system as a model for building autonomic, resilient cyber systems. This talk explores the potential opportunities and issues in automating and orchestrating cybersecurity solutions.

Bio

Surya Nepal has been a principal research scientist at Data61 CSIRO Australia since 2003. He is currently leading the Distributed Systems Security Team. His research areas include Data Encryption, Computer System Security, Software Engineering, Database Management, and Distributed and Grid Systems. He received his PhD from RMIT University, Australia in 2000.

Sponsors