Cybersecurity: how safe are we online?

02 September 2012
Presented by Chris Smith, Dave Ansell.

How is data sent safely online, and how can we keep prying eyes away? This week we investigate the basis of cybersecurity, ask if chip and pin is safe and talk to a team of hackers who attempt to penetrate websites legitimately. We also reveal the dangers of wifi as we find out what your mobile phone is revealing about you. Plus the genetic basis of movement, a new form of flexible battery and, in our Question of the Week, how one telephone line can have multiple uses!

In this episode

01:47 - Securing the Internet - Data Protection and Encryption

Our lives are increasingly moving online, which means that more and more of our personal and financial information is being stored in cyberspace. But just how secure is our data? Ross...

Securing the Internet - Data Protection and Encryption
with Prof. Ross Anderson, Computing Security Group, University of Cambridge

Chris -   According to the Office for National Statistics, in the UK, over 75% of households now have internet access and increasingly, our lives are shifting online.  The financial sector say that over 20 million people bank online in the UK and a number of government services, including parts of the tax system are now paperless and operate exclusively over the web.  Also in the pipeline are systems for accessing medical records for anywhere in the country, and the benefits system is due to be put onto the internet too.  Now this means that sensitive personal data has to be transmitted over the web.  So, how can it actually be kept safe?  Well, someone who's a pioneer in this field is Ross Anderson.  He's from the computing security group at the University of Cambridge.  Ross, the idea of data protection and encryption, that isn't actually new though, is it?

A computerRoss -   Well, not at all.  Data protection goes back to the 1960s and encryption goes back many, many centuries.  People have been enciphering their messages using all sorts of techniques for a long, long time.  But there has been a big change recently.  In the old days, 50 years ago or 100 years ago, the limiting factor in your ability to encrypt data or information security was the ability of the people at the end points to perform computations to substitute letters for numbers, shuffle letters around, and so on, and so forth.  This meant that it was difficult to make systems that were complex enough to resist mathematical analysis.  But over the past 20 years or so, now that we've all got PCs and mobile phones that can run software, that problem has gone away, and instead, the problem now is how secure at all the end points.

Chris -   You say it's gone away, is that because the computer basically doesn't have an attention span like a person.  It can just relentlessly plough on trying one thing after another, after another until it gets the code broken.

Ross -   No.  What's happened with the advance of the technology is that this has favoured the code makers over the code breakers because if you increase the length of key just a little bit, you can increase the difficulty of breaking decipher an awful lot.  And over the past 20 years, we've had the development of a number of encryption algorithms that are now really pretty good.  They're no longer the weak point in the chain.

Chris -   Could you just explain, when you say an encryption algorithm, what exactly does that mean?  What are people doing to data so that someone can't just come along and work out what is says?

Ross -   Well, I'm not going to into describing the internals of modern encryption algorithms because it's hard enough doing mathematics at a blackboard, let alone over the air.  But roughly speaking, what happens in modern encryption algorithms such as AES is  you've got a series of rounds where transpositions and substitutions follow one after another together with mixing of key material.  And this means that unless you know or can guess the key, it's in practice not possible to recover plaintext from ciphertext.

Chris -   So you have a key.  That's when you're on your router at home and you see PSK (Pre-shared Key), that's some combination of letters and numbers, or symbols.  And that's mixed-in in some way with the data, so that the data is changed using information in that key so that unless you know what that key is, you can't reverse the process.

Ross -   That's more or less right, but that isn't the interesting or relevant thing nowadays.  That's essentially a solved problem.  A much bigger problem is the fact that about 6% of PCs in Britain have malware in them.  So even if you think you share a key with your bank, that's not actually so.  6% or so, may actually be sharing that with some bad guys in Russia.

Chris -   In other words, when I log on to my bank account and I'm generating some kind of random series of, usually numbers with one of those little handheld devices, the bank knows what that number is, I know what that number is, so the data should be secure, but I am without realising it, also giving that number via software on my computer to somebody else so they can eavesdrop on the conversation I am having with the bank.

Ross -   That's fundamentally the problem.  If your computer is infected with malware or if the bank's computer is infected with malware, then the bad guys may be able to intercept the order that you give to pay 20 pounds to Sainsbury's and instead turn it into an order to pay 20,000 pounds to Mafia Real Estate Incorporated in Bermuda.  And as bank payments become ever faster and ever more voluminous, the risk and the exposure from all this goes relentlessly up.

Chris -   Why can't clever people like you spot when that kind of interception has occurred?  Because the whole point about Schrödinger's cat and sort of quantum things was that a photon knows if it's been observed during its course from one place to another.  Can we not do the sort of equivalent on the internet if a piece of data is probed or examined by someone other than the person it's intended for, you can tell?

Ross -   Well, the promise that was initially held out by quantum cryptography, 20, 25 years ago hasn't in fact come to pass for various technical reasons.  But in any case, it wouldn't be a viable technology for large scale use.  The problem is that the majority of banks have decided that rather than giving special software or special devices to their customers, they're going to use the commodity products, the web browser that came with your PC when you bought it.  And this means that the bad guys in Russia or Brazil, or Nigeria, or wherever just have to write an attack once and it can then run everywhere.

Chris -   So you can have this absolutely fantastic encryption and decryption system, but it's only as good as the thing that keeps the key safe.  And if that's leaky because you have dodgy software on your computer, you may as well have a much weaker system because it's effectively not watertight.

Ross -   Exactly.  So the mathematics of cryptography are no longer the weak point and where you have to start looking is in the game theory and the incentives that face the various banks, the incentives that face the malware writers.  Now, it's not particularly more difficult to write a virus for say, Mac OS or Linux than it is for PCs, but because there are so many more PCs, there are many more people writing malware for Windows operating systems.  And so, you're much more likely to be the victim of an attack involving malware if you're using a PC with Windows.  Now this isn't cryptography, this is game theory which is another kind of mathematics altogether.

Chris -   A tweet has just come in @nakedscientists.  Shib says, "What is the difference between malware and a computer virus?"  Are they effectively one and the same thing?  There isn't really a distinction, is there?

Ross -   Well viruses are a kind of malware.  So, for the current purposes, there isn't really a distinction.

Chris -   Effectively, what's the source of these things?  Do we not just tackle the root cause or origin of this malware?  Do we not just say, "Okay, we know this stuff exists. We'll just write better software that finds it and stops it installing itself on your computer?"

Ross -   The best thing to do would be for the world's police forces to put serious effort into catching the people who write malware and putting them in jail.  There are one or two police units, particularly the FBI, who put some effort into this, but I'm afraid that many police forces just consider it to be in the 'too hard' category.  After all, if these guys are in somewhere like St. Petersburg, you're talking mutual legal assistance, you're talking extradition, you're talking hundreds of thousands of pounds per case.

Chris -   Of course there you're talking about hiring them and turn them into employees because they might be quite useful against other countries.

Ross -   There is a problem, in that many governments find that they've got a conflicted mission.  On the one hand, if the government puts its priority to policing, it would try and drain the swamp.  It would clean up the botnet, stop people writing malware, and so on, and so forth.  But on the other hand, the people on the offensive side of things, GCHQ, the MOD and so on, rather like the idea that there's a big swamp out there because it means that they can hide their nefarious activities in it.  And so, you end up with a tension between policing missions and intelligence missions, between offensive and defensive missions.  And unfortunately, the offensive often wins out because GCHQ has got the ear of the prime minister, much more than the commissioner of the Met has.

Chris -   And the taxpayer, and bank customers are picking up the bill effectively. Thanks Ross.

10:36 - Securing the Internet - Chip and PIN

Credit and debit cards now almost universally use chip and PIN technology, to enable consumers to make secure purchases. But how does it work and exactly how secure is it?

Securing the Internet - Chip and PIN
with Steven Murdoch, Computer Security Group, Cambridge University

Dave -   In recent years, credit and debit card issuers have replaced signature strips with computer chips and we now type in a pin when we want to buy something.  It's said to be more secure, but how does this technology actually work and does it too have an Achilles heel?  Steven Murdoch is from the computer security group of Cambridge University and he investigates the safety of banking systems.  Now Chip and PIN is something I use every day.  I don't really think about it.  How does it actually work, Steven?

Chip and PIN credit cardSteven -   So, your credit or debit cards has got a computer chip in it and this is essentially a small computer.  It's not very far away in terms of computation power from the PCs that were on people's desks in the 1980s and it's got some special software loaded onto it.  And more importantly, it's got some cryptographic keys loaded onto it by the bank which issued you the card.  And these keys are used to allow the card to prove that it's present at a particular point in time and allow it to calculate a digital signature over that transaction, and then the bank which issued you the card can verify the digital signature.

Dave -   So, that's essentially when you put your pin number into the machine and the shop tells it that you want to pay 20 pounds, all that kind of gets mixed up together and sent back to the bank?

Steven -   So, with Chip and PIN, the PIN aspect of it and digital signature aspect of it are almost completely separate.  And in fact, that's the root of some of the security vulnerabilities.  So in addition to all the digital signatures and keys, it's also got a copy of your PIN and when you type in your PIN, that gets sent to the card.  The card compares it and then if it's happy it says yes and if it's unhappy, it says no.  And hopefully, it also tells the bank whether the PIN was correct or not, but that's actually one of the mistakes that was made in Chip and PIN.

Dave -   So how can you attack this if you're a nefarious person?

Steven -   Well, one way that we discovered back in 2010 that this could be attacked is because - well as I was saying, the digital signature is not mixed up with the PIN.  So, what you can do is put a little bit of electronics between the card and the terminal, and then when the PIN is sent to the card, this bit of electronics intercepts it and then just sends the answer 'yes' back to the terminal.  And the terminal will be happy.  The card never received a PIN, but it turns out the cards are happy not seeing a PIN at all because at least it didn't fail, it just never saw something, and the banks, when they get that message back from the card, see a message from the card, a legitimate card, digitally signed that says that everything is fine, but in fact, the PIN that was typed in was wrong.

Dave -   So, as long as you can kind of hide the electronics from the person in the shop, you could essentially use a stolen credit card without anyone knowing.

Steven -   Yes, so when we initially mentioned this to the banks, we told them before we disclosed publicly to allow them to fix it.  They didn't, but we at least we gave them a chance.  They said that this will be infeasible to do and in fact, one of my colleagues, Omar Choudary, built some electronics that could be put up the sleeve and he was able to use that without being noticed, and it turns out that they caught some criminals, who were doing an even more sophisticated variant of this attack.  They embedded the evil computer into a stolen card so the card looked perfectly legitimate, it just had one good chip and one evil chip.

Chris -   When you're doing this work Steven, do you have a sort of Chip and PIN machine in your office and you're continuously running up a huge credit card bill, in order to test these things out?  Do people give you their gadgets to try?  Is that how it works?

Steven -   So, one thing we did do, is we bought a lot of Chip and PIN terminals off eBay.  When a shop goes bankrupt or they upgrade they sell their old ones. The other thing that we did was when we go to the local café in the university and then run through a 5 pounds minimum transaction and experiment that way.

Dave -   So, are they very suspicious of you at the local?

Steven -   I think they recognise us and they're not too worried when we plug evil electronics into their terminal because they get paid and in the end we do all our experiments on our own cards.

Dave -   Fair enough.  So, is this possible to solve, this problem?  I guess it just involves some way of checking, of combining the two together.

Steven -   Yes, it is possible to solve.  We mentioned some ways that the banks could do this in our academic paper and this is essentially doing more robust checks at the bank.  It turns out that this was more difficult to do because there's lots of bugs in the system and sometimes the banks were seeing transactions that were supposedly suspicious.  It looked like this attack was happening, but actually, it was just a bug at some point in the system, the data got corrupted.  And the banks have a big challenge here because they've got so many transactions.  Only a tiny, tiny proportion of them is going to be fraudulent.  So if they start rejecting transactions because they think they're suspicious, they'll mainly be rejecting legitimate transactions, not fraudulent ones.

Chris -   Have you any idea, Steven, of the scale of abuse of the system then?  Do you know whether people are implementing the strategy that you proved could work and if they are, how much money this is costing us?

Steven -   It's very hard to tell because there aren't good statistics that are collected on this.  We're pretty confident that the banks weren't looking for this attack before we told them about this attack and that means that there's no way of knowing what was going on before that stage.  We now know that some criminals are doing that because they got caught in France and there's a trial going on at the moment.  But in general, when fraud happens, if it's not one of the standard techniques that the banks know about, the customer loses the money and the banks don't keep totals of how much customers lose, only how much that they lose and shops lose.

Chris -   And conveniently, they've said that it's so secure that if someone has a transaction, they must have shared the PIN with someone.  So it's no longer the bank's responsibility,  it's your problem.  So they've kind of conveniently passed the buck onto the customer too, haven't they?

Steven -   Yes, this is one of the very unfair things that's happened with Chip and PIN.  Now, the responsibility from fraud has been put on the customers, even when it's a flaw in the bank computer systems.

Chris -   Steven, thank you very much.

Will quantum security change online security?

Ross - Quantum computing appears to be somewhat stalled. It showed great promise back in the 1990s where there was a prospect of algorithms that wouldn't allow people to factor large numbers quickly and the Los Alamos report, which looked at the state of the art in prospects said 10 years ago, that within a decade, that is by now, we should have proper working quantum computers that we could use to explore architecture. But we're still stuck at the stage of messing around with machines with a maximum of 7 cubits. And now, scientists are beginning to wonder why it is that quantum computing doesn't work as it promised and this, with luck, may lead to breakthroughs in physics, but I don't see it as changing the world of cryptography any time soon.

Dave - So, by 7 cubits, you mean that they can factor a number up to that 128?

Ross - Well in fact, the largest number they've been able to factor so far is 15.

Dave - Probably not that useful.

Ross - So, there's something missing there and what's missing is a source of interesting research in its own right.

What is the future of passwords?

Steven - I think it would be great if there was some replacement for passwords because they have so many problems, but so far, all of the solutions that have come out have been problematic in some way or another because you really need to have something that is linked to that person because they want to be able to use the same security credentials regardless of where they're going. So probably, the best way of trying to manage passwords nowadays is to use different passwords for every website and then have some software maybe running on your phone, maybe running on your PC that tries to manage all of those and stop you having to remember them all.

19:23 - Flexible batteries

Cable-like batteries which can be tied into a knot have been developed in Korea...

Flexible batteries

One of the big reasons that mobile phones and other personal gadgetry are still simple cuboids, and not more interesting shapes, is that they need a lot of energy storage, and batteries are simple cuboids.

Yo Han Kwon and colleagues working for LG Chem in South Korea are working on something a bit moreSome wire flexible - Lithium ion batteries, like those in your phone or laptop, which look like a piece of cable.

Chemically the battery is conventional, but rather than using flat metal plates for the anode and cathode, the cathode is arranged around the outside and the anode is a hollow copper spiral coated with Niobium and Tin which runs down the middle.

The hollow spiral increases the surface area, which increases the capacity of the anode. It also makes the battery easy to fill with electrolyte, by injecting it down the middle, and makes it much more flexible.

The battery will still work when bent or even tied in a knot, and has powered LED displays and an mp3 player. They are still working on increasing the capacity which is about 100mAh per meter, but this technology could mean that you could use your headphone cable as a topup battery for your phone, make a flexible bracelet or belt which powers your devices, or even weave a battery into an item of clothing.

21:44 - Resistance is fertile: soil bacteria to blame

Soil-dwelling bacteria are the source of the antibiotic resistance genes that are making many infections hard to treat, researchers have shown this week...

Resistance is fertile: soil bacteria to blame

Soil-dwelling bacteria are the source of the antibiotic resistance genes that are making many infections hard to treat, researchers have shown E. coli bacteriathis week.

Writing in Science, Washington University St Louis scientist Kevin Forsberg and his colleagues collected soil samples from a range of environments including farmland, towns, cities and forests across the US.

The soils, together with their resident microbial populations, were added to culture medium in the presence of hefty doses of the common classes of antibiotics used clinically.

The idea was to select out from these non-pathogenic soil microbes any that were already naturally resistant to the drug compounds. DNA was then extracted from these bugs and transferred to a fully antibiotic sensitive laboratory E. coli strain which was also then cultured in the presence of antibiotics.

Under these conditions, any bugs that grew must have acquired a piece of DNA containing resistance genes from the drug-resistant soil-dwellers.

The researchers then sequenced the DNA from the surviving bugs and compared it with similar sequences obtained previously from drug-resistant clinical isolates obtained from patients.

At least seven resistance genes mapped by the team, including the neighbouring DNA sequences that control the genes themselves, were "a perfect match" between the two, meaning that they were, without doubt, from the same source.

In other words, the resistance cropping up clinically must have its origin in environmental organisms. This lays to rest previous claims that the antibiotic resistance seen in human pathogens overwhelmingly represents new mutations picked up by bugs.

Instead, human pathogens are picking up their resistance traits by borrowing genetic material from non-pathogenic soil organisms.

"This is probably something we should worry about," says Forsberg. Because antimicrobial use in agriculture accounts, weight for weight, for the vast bulk of antibiotic consumption worldwide and represents a direct route for drug agents straight into the environment where resistant bugs can be enriched.

The process may also not be a one-way street: resistance and virulence factors arising in human pathogens, the team point out in their paper, might then also be shuttled back into soil microbial communities leading to the emergence of new humans threats amongst previously innocuous environmental organisms.

"It's the stuff nightmares, not dreams, are made of," says Forsberg, sombrely.

25:08 - Tracking Movements with Mobiles

Smartphone usage has grown in recent years, as has the amount of information we keep on them. A new system has been developed that can secretly track smartphones and even find out where...

Tracking Movements with Mobiles
with Daniel Cuthbert and Glenn Wilkinson, SensePost

Chris -   This week the 44 Con information security conference will be taking place in London; top international experts will be getting together to discuss the latest developments in information security. Among the presentations will be one from Sensepost, a UK and South African-based company who have developed a system to track and profile peoples' movements using information given away in public by their mobile phones. Meera Senthilingam visited one of London's busiest railway stations where she met Glen Wilkinson and Daniel Cuthbert to see the system in action...

Daniel -   Smartphone usage in the UK has grown at such an alarming rate and we looked at Ofcom and in 2009, only 1.2 million smartphones were purchased.  Now if we fast-forward to August 2012, 2/5 of UK adults now have a smartphone and 40% of those actually use it as their sole, primary internet device.  If you look at traditional methods of connecting it is either 3G or Wi-Fi, and so, what we've done with this bit of research is to look at vulnerabilities in the Wi-Fi protocol and to see how we could use that gather as much information as we can do about the person they're tracking, their usage habits et cetera.

Meera -   We're located in Liverpool Street Station in the City of London at the moment, which sees 148 million people passing through here every year.  Just around us now, there are thousands of people readily armed with their smartphones.  How much can you know about all of these people walking around here, just busily emailing or potentially updating their Facebook?

Daniel -   So, one of the flaws that was found back in 2004 was that a mobile device will probe for the last X number of connected access points.  To put that in basic terms, when you go to your home and you connect to "home net" and you save that as a connection, that's stored in the device.  A lot of people move around with their phone, right?  So if you can imagine, you're probably connected to, let's say conservatively, 8 access points.  Every time you leave the house, your phone is going, where's this?  Where's that?  So what Glenn and I have done is build up a framework where we can now figure out where these people are, where they travel to, where they've been, and in places like Liverpool Street, where it's got a high concentration of people, you can gather a lot of information in a short period of time.

Meera -   Glenn, you've actually ldeveloped the technology that helps find out all of this information through people's phones.  I mean, what are the main things you're able to do?

Glenn -   The project has two main components and I built software for two main areas.  The one is tracking people and the other is profiling people.  And as Daniel mentioned, your mobile phone or your laptop or any wireless devices, is constantly sending out these, what we call "probe requests", looking for networks that they were previously connected to, and in that message, it discloses a unique serial number for that device.  It's called the MAC address.  If someone walks past now with their Wi-Fi on and they send out a bunch of probe requests, I can see their MAC address, I can record it on some listing software I have and then if they walk past me later today, I would see that same unique serial number, same unique MAC address.  What that means is that at any given location and point in time, I know if there is someone around me and later in time, at some other point in space and time, I can see them again.  That's perhaps nothing new, but what I built that is new is a distributed framework for this.  So, what we can do is then drop what we call "drones" all over a certain location.

Meera -   These are essentially devices that - this one here you've got is just a Nokia smartphone.

Glenn -   So essentially, it's any device that can run Linux, has a wireless card, and has drivers that support the kind of things that we're doing.  So in my hands here, I've got a Nokia N900 with some special software and some special drivers, a small access point called an alpha which is battery powered and solar powered.  We can also plug devices into a wall socket and they will all collect this data, and upload it to a central server and process it.

Meera -   So essentially, you're gathering information about thousands of smartphones in many different locations say, around London and just getting a good profile or tracking the movements of the people of London.

Glenn -   Yes, exactly and where that becomes interesting is on the larger scale.  So if you were to drop one of these devices in every underground station for a day say, you will then notice, okay, at 8:04 am, this Apple product walked past us.  40 minutes later, it popped up at Oxford station, and an hour later, it popped up outside Oxford Circus Station.

Meera -   So, you're really seeing somebody's daily movements?

Glenn -   And that becomes quite interesting on the large scale when you have tens of thousands of people, and you can see the daily movement patterns between various locations.

Meera -   Well, so this is very much, I guess, tracking movement, but you also mentioned profiling.  So, having seen that there are these phones around, are you able to tap into them and actually get information off them?

Glenn -   If we walk around some location with a device that has Wi-Fi and GPS capabilities, each time we notice a wireless network, we can note its GPS coordinates and put that in a big database for later.  We have these say, 50 drones deployed in the field.  They're all watching for these various people and all that data gets uploaded as one central webserver.  On that central server, we can start looking, okay, here's an Apple device.  It's looking for these 5 networks.  Let's see if we can map those two locations.  So, BT home hub something, something - that maps to 6 Main Street London.  So very quickly, I can work out, "Hey, that person who just walk pass me, they live at this address, they work at this address. We then interface that into Google APIs, get their street address, and a street-view photograph of their house.

Meera -   Well, you've actually got something setup here and you've already mapped a range of phones that are nearby.  One of which, you've even located down to a house in Yorkshire!

Glenn -   Yeah, somebody walk past about 5 minutes ago and yeah, it maps to a location in Yorkshire.  There's their street address,  I won't say it on air.

Meera -   And a picture of their house.

Glenn -   Yup, yup.

Meera -   And what about the actual information on their phone?  So, I mean, they're using it to write emails, possibly do their banking.  Can you actually tap into and get information there?

Glenn -   Because your phone is constantly sending out these probe requests, what my drone can also do is it can pretend to be those networks.  And then your iPhone or your Blackberry, your laptop, whatever will connect to this device and receive its internet via this device.  Everyone's network traffic will go through this one spot and I can monitor everyone's communications on this one spot.

Meera -   Now moving back to you Daniel then.  So, you've got these various ways of tracking people, profiling people, but is this the kind of thing that we should be worried about at the moment?  So, are there hackers potentially going out at these times, to try and find out information about people?

Daniel -   I wouldn't say no.  I think it's an exciting area for the scammers and the criminals to try and look at exploiting.  We keep everything in our devices these days - your banking, your passwords, your social media stuff, your email accounts.  So getting hold of these devices, there's such a wealth of information and I think as we evolve and use these devices, people are going to look at ways of exploiting it.

Meera -   To summarise really, what's the main things people need to remember at the moment?  I'm thinking, I just need to turn my Wi-Fi off when I'm not using it.

Daniel -   I think we need to try to start treating smartphones as we would do at our laptops.  We generally put everything onto the smartphone, we trust it a lot, but we also lose a lot of them.  Smartphones, by nature are very chatty.  There are people out there that try and abuse this.  Be a bit more careful.

32:46 - Urban Heat Islands - Planet Earth Online

The urban heat island effect sees artificial surfaces in built up areas acting as storage heaters - making cities warmer than the surrounding rural landscape. A new project to create the...

Urban Heat Islands - Planet Earth Online
with Dr Catherine Muller, Urban Climate Laboratory, Birmingham University

Chris - If summer ever arrives in Britain, the nation will need to switch from worrying about potential floods to the effects of excess heat.

Cities and towns experience elevated temperatures compared to rural areas because artificial surfaces, such as roads and buildings, absorb solar radiation during the day, store this heat up and then slowly release it during the evening.  It results in some parts of the city - so-called urban heat islands - getting warmer than others.

Catherine Muller, from Birmingham University's Urban Climate Laboratory, is studying the problems of urban heat in a project called 'Hi Temp'.

Selfridge store, Birmingham Bull RingPlanet Earth podcast presenter Sue Nelson went to meet Catherine in a fenced off piece of grass in the City, containing various pieces of equipment, and asked her how urban temperatures can compare to surrounding areas...

Catherine - During heat wave events you can get them up to five, six, seven degrees warmer, for a city like London you could be looking at, maybe, 10 degrees warmer.   One of our partners is the Birmingham City Council and they are particularly interested in where the high risk areas are within Birmingham.  For example, if you cast your mind back to the 2003 heat wave, which does seem a long time ago today, we had in the UK alone about 2,000 excess deaths. Most of those were occurring within the city centre and that was always attributed to the increase in temperatures.  So you are seeing a big impact on human health in these regions.

Sue -   So you've got to measure temperatures certainly for a start, so I'm assuming then that some of these bits of equipment, quite a few of which I've not actually seen before, and couldn't quite tell what it is although I'm suspecting that the spinning cups on some of them are measuring wind speed...

Catherine -   That is correct.  We've got rain gauges which are monitoring rainfall...

Sue -   And next to it is that a...it looks like a long temperature-

Catherine -   These are surface temperature probes. We have a few on the grass which is measuring grass temperature and we've got a few on the concrete which is just giving us the artificial surface temperatures.

Sue -   Now, this is just one weather station in one part of Birmingham.  We're talking about Britain's second largest city here, how are you measuring across the city itself in terms of so that you understand the differences in temperature and other effects that cross the city?

Catherine -   This site here is essentially measuring urban background conditions, it's not completely in the city centre it's just slightly out in leafy Edgbaston, so we call this an urban background site.  At Paradise Circus within the city centre the Met Office have just opened up a truly urban weather station site.  That's bang in the middle of town, so that will give us some urban readings but that has just opened up in the last 12 months or so.  What has traditionally happened in terms of getting an idea of these urban heat islands is we've actually used the data from this site here and we've compared it to the Met Office's rural station site which is just outside of the Birmingham conurbation.  So what we've done is actually just taken those pairs of data sets and actually looked at how they differ to get an indication of how temperatures vary.  Obviously that's not good enough to be able to assess how weather and air temperatures vary across a region as big as Birmingham. We've got so many different land uses in the area; we need to get a better indication of how they actually do vary.

Sue -   And how have you done that?

Catherine -   This is where Hi Temp comes in. We're setting up the Birmingham Urban Climate Laboratory which will be a very dense network of weather equipment across Birmingham.  In fact we think it should be the world's densest urban network once it's actually completed.  So it's a big thing for the UK, let alone Birmingham.  What we will do is we will have 25 automatic weather stations very similar to some of the equipment you can see here.  They will be located in primary electricity substations.  The reason we've gone for electricity sub stations is that one of our partner is Eon, specifically Western Power, a part of Eon.  They are actually interested in how urban heat and excess temperatures can actually have an impact on energy supplies.  In the future with changing climate obviously temperatures will increase and this could have an impact on energy supplies.  We've got 130 or so going out into schools across the region.  These are Wi-Fi battery powered so all the data gets sent across the school Wi-Fi.  We are putting them into school sites so that they are secure, we can use their Wi-Fi to transmit the data and also to get the school kids involved because it's really nice to get kids at school actually involved in some real science.

Sue -   This is quite an exciting stage you're at now, it's getting it underway.

Catherine -   It's just taking off at the moment.  We're starting to install the equipment.  That's a big job in itself.  Once we've got that set up though it shouldn't take too much to actually look after them because all the data is coming in automatically to us every hour, all we need to do is process the data, quality check it and then we can upload it onto a website that anyone can actually access if they want to have a look at what the temperatures and the weather is actually doing across the region.

Sue -   And as you've already highlighted this will give you an insight into a whole range of procedures, be it energy usage, temperature, buildings...

Catherine -   Well we've mentioned about the health and the energy impacts of urban heat.  Obviously that has an impact on the transport infrastructure so we get rails that can buckle under excess heat, even tarmac can be melted on the roads.  So we obviously need to know what areas of the city have a higher risk of these things occurring and then we can actually think about ways to mitigate and adapt to any kind of changes that are going to occur with climate change.

38:37 - An Ethical form of Hacking

Is it possible to be ethical yet hack into a company's website and online data? Apparently it can be, when the company asks you to, as Stuart Coulson explains...

An Ethical form of Hacking
with Stuart Coulson, Secarma

Chris -  Most people want to keep hackers out.  So the idea of paying them to attack your computer system sounds utterly mad.  But this is a growing industry and it's now worth 200 million pounds annually in the UK.  The idea is to use these legitimate attacks to try to find and plug security breaches in systems.  It goes by the name 'ethical hacking' although not everyone likes to call it that, including Stuart Coulson who is from
Secarma, a company that specialises in doing just this...

A computerStuart -   I personally don't call it 'ethical hacking', I would call it 'ethical security testing.'  I think that's actually a more accurate title for it.  The H word means many things to many different people.  The general media would try and put the word 'hacker' as being some mastermind criminal who's out to get your credit card details and deface your website.  Ethical security testing is a much more easy thing to actually digest.  We are invited in by organisations to come and test their systems, their infrastructure, their websites potentially, just to see if they have holes, vulnerabilities that someone can easily exploit, someone who can easily use the tool off the internet, they've download it and walk through a website and potentially pull out credit card details, user names, passwords, or anything which is sensitive off that website.

Chris -   So if I give you the URL of our website, nakedscientists.com, you could run a scan to see if you can penetrate that or look for loopholes, areas where we might be vulnerable for example.

Stuart -   Not a problem at all.  It would be quite a simple thing for us to do.  We've got the tools which are on the machines in front of us here.  We use several tools, so we'll set several off at the same time.  If you want, we'll set one off now for you if that's okay?

Chris -   Thank you, got a free security check into the bargain.  Where do you get people from who can do this though?  Because as a friend of mine once said, the only thing you can do with someone who writes computer viruses is to hire them and turn them into writers of anti-virus software.  Is it the same for doing what you do?  You have to get people who are very good at breaking into the systems and hire them because they all know how to stop people getting in.

Stuart -   There's a very big debate at the moment, which has been circulating around is to "hire the hacker".  There are quite a few people who say no, a lot of people say yes.  I've got a guru here with amazing skillset.  Is it well worth using them?  Absolutely.  However, you always have to think about that, the 'ethical' word.  The chaps that we use within Secarma have gone away and done a training course from a company called EC Council and they hold the CH certificates, "Certificate of Ethical Hacking".  So, they've actually gone and turned themselves from what I would say were "tinkerers".  The chaps that we've sent off on the course are "tinkerers".  One of them, who I've been working with closely at the moment, he's our hard drive recovery specialist.  So he's well used to being around this environment and obviously he's just turned his skillset into a new skillset of looking after and exploiting websites.

Chris -   If I were actually to engage you professionally, how would you approach that?  How do you effectively come and size up an operation, and work out where the vulnerabilities are?

Stuart -   The first thing we have to do is work out what is it you're actually trying to achieve.  For example, something like nakedscientists.com, you've got a very simple website.  There's a lot of material on there and also users can be, within that, on your forums for example, so you may say, "Okay, we want to make sure that our forums specifically are safe."  The rest of the website, "Okay, don't touch it."  So we'll actually scope out the engagements.  We'll actually have a written scope from yourself just to say, "Touch these areas, don't touch those areas."  And that's where we start from the specifics of it.  We'll also then talk to you about what attack methods do you want us to use.  Do you want us to overload the database and potentially get it to fall over, or do you want us just to do almost like a light touch on it.  From that, we then go into a recognisance phase and this is where we're now in control.  We'll do two things. We do a passive and we can do an active. 

The passive is where we basically don't touch your website at all, so we go to the public domain, have a look at email accounts, what domain names link into this, whether there's nakedscientists.com, is there something out there which links into the thenakedscientists.com which is part of your address domain.  These are all very simple, Google searches almost of your site.  We'll also do an active scan as well, which is relatively start touching the business.  So we're actually - the phrase that our chaps use is 'rattling the doorknobs'.  So we are knocking on the doors virtually of your environment.  So we will actually be testing various things on the network.  Once we finish that phase, we've worked out what doors are loose, if you like. 

We'll then go into a scanning phase where we're actually looking at what you've actually got as an infrastructure, what is the operating system, so your listeners will be aware of things like Windows and Linux.  There are other operating systems out there and we'll be testing at the moment to see if we can actually work out whether you've got specific flavour of an operating system.  It may have some vulnerability because using an older version for example, that obviously will then give us the next step, which is gaining access.  This is us getting through the vulnerabilities and actually doing something with your servers, trying to actually get access.  Very, very simple tools, a lot of this is free software as well and published by what we call the 'Black Hat' hackers.  So these are cyber criminals of the world.  We use a lot of their tools because we're simulating what those guys are actually doing.

Chris -   But doesn't that require you to sort of step across to the dark side?  Don't you actually have to engage with the bad guys and effectively know them, in order to know what they're doing, so that you can then defend the good guys?

Stuart -   We monitor, if you like the bad guys, we monitor them on a permanent basis.  We have to know what they're doing.  We have to be one step ahead of the game.  That's the hardest part of our industry is to know where they're going to go to next.  So when you have something as large as "Anonymous", the hacktivist group, there's a couple of million people out to watch.  There's no point in us going in with nice clean squeaky tools trying to test maybe test the Naked Scientists website when they're going to go in dirty and rough, and use it any way which about loose to actually get into your servers.

Chris -   Have you come across any scary situations where you've gone in and actually said, "We're going to have to stop this right now because we have found you are so vulnerable.  You're leakier from the Titanic"?

Stuart -   We did a research paper recently.  We were using Google searches and a year ago, we found millions of credit card details, full credit card details on the internet, as clear as you could see them.  So we decided we'd run it again a year later just to see the state of the market and we were looking for personal details this time, how many organisations were leaking personal details of potential clients, and we have found some absolutely horrendous stuff there.  One of the companies, we actually phoned them up and so, we've been doing this scan off the internet and it's just a simple Google search, and we're literally looking at a copy of someone's passport and his bank statement from 2011 and it was on a webserver, fully available, off the internet.

Chris -   Now, what have you found in your quick scrutiny of our server?  Are we leakier than the Titanic?

Stuart -   Well, you'll be glad to know, you're not bad at all actually.  One that you have got is something called SNMP.  What SNMP basically is, it's an announcement of who you are on the internet.  So, what this is actually telling me at the moment, so I can tell you the version of your operating system, I can say what your network card is, I can even tell you the maker of your computers or servers that this is sat on.  I can tell you every process that's currently running off your server. 

What else have I got in here... one of the web pages you've got on there has actually got an email address which I can also use as a contact by potentially phoning you up and say, "Hi, my name is..." and I can get back into your business from there.  The trick is, how you now use it because obviously, I know a lot of information about Naked Scientists servers and its infrastructure.  The trick is, what you now do with that information.  That's where it stumps your - what I would say, the 90%, the people out there who are just playing with being a hacker.  The more serious guys will know what to do with this information, that's where we would - if we're taking this scan onwards, we would then use that as a potential target for someone to gain access.

Do hackers leave a trail?

Steven - It's very hard not to leave a trail with your breaking into a computer system. Some hackers will try to cover up what there is, but there'll generally be something left over.

Ross - Well, even although there's a trail, the problem is doing anything about it and the root problem in the UK is that back in 2005, the home office agreed that frauds should in future be reported not to the police, but to the banks. This had the effect of reducing the fraud figures to near zero. It also had the effects of removing the police incentives to look into the problem.

Chris - Indeed. Oh, dear! That's an important aspect in terms of who actually claims the credit for discovering this.

How safe are landlines?

Steven - They're moderately safe in that they're not really connected to the internet, but increasingly, landlines are moving over to Voice Over IP (VOIP) systems and then they are essentially internet computers, and they have all the same vulnerabilities that internet computers have.

Are mac's infected in the same way as PC's?

Ross - At the technical level, all operating systems are roughly as vulnerable as each other, but here, the economics come into play and that if you're a bad guy, you'd far rather write your malware for Windows because there's more than 10 times as many Windows machines as Mac's. So as a result, most of the malware out there is for Windows and Windows users are more vulnerable in practice. Chris - Although that trend is changing as more people do use more Macs for example.

Ross - Well, as people move from laptops to smartphones, we're seeing a rapid uptake in the amount of malware for android for example and we expect this to continue.

Why do US banks not use chip and pin?

Steven - So, US banks currently don't use chip cards, but they are increasingly doing so. The main reason they are not or up until recently is not a technical reason, but economic. The US banks make more money when a customer signs for transaction, rather than enters in a PIN and it got so ridiculous that a US bank, which was also had UK branches was saying to their UK customers, use the PIN its safer and telling their US customers pen not PIN, signature is safer.

How can we get around key tracking?

Steven - It really depends on the model of the keyboard. Bluetooth keyboards and mice are reasonably secure, not perfect. Other ones often aren't, but you can still pick up some information, and in fact, research has shown that even though if you can just see the timing of when someone places in a key, you can work out what they're pressing because it takes longer to move from one side of the keyboard to the next, than just moving from one finger to the next.

Chris - Because Ross, one of the things I noticed when logging in to a bank I bank with today is that people are not asking me to type physical keys on the keyboard anymore but showing me graphics on screen and asking me to click the number 1 or 2, or 3 on the computer screen because presumably, software can understand numbers and the codes for keys, but it doesn't understand a picture.

Ross - Well, this is something that was tried out by Brazilian banks and the hackers couldn't find a way around it because if you put malware in your PC, then when this was tried in Brazil, what it will simply do is capture a little image around where you clicked and that gave them enough money to reconstitute the password. So nice try, but it's been tried before and it will predictably fail.

Is it possible to look at all emails going in and out of a country?

Ross - Well, yes. There's a communications data bill currently before parliament which would give the home secretary the power to order all communication service providers, so not just firms like BT and Talk Talk, but people like Google and Facebook as well, to install surveillance equipment that would harvest data of interest to the government. And the equipment, once it's in, could be used to harvest, for example, all emails coming into or out of the UK or going from one place in the UK to another.

Chris - Would that be the entire email and all the data connected there too, or would it just be the footprint, I sent you a message at whatever time or whatever day.

Ross - The communications data bill gives the secretary of state the power to install surveillance equipment to get the footprint, as you call it the traffic data, who sent data to whom and when. However, once the equipment is installed and other parts such as the Intersection of Communications Acts and the Regulation Investigatory Powers Act, would enable GCHQ to use this for surveillance for content. So what we're talking about is spending perhaps a couple of billion pounds and putting in enough black boxes into the country's communication service providers, that the police and intelligence agencies could record everything. And this would be a huge change because at present, there's only the capability to wiretap about 100,000 internet connections at any one time. And if you increase that to 20 million internet connections, then we go from a country where the government can watch anybody into a country where the government can watch everybody.

Chris - All the time. Ross - And what's more, to record it and what they want to do is to keep the data for at least 6 months. Perhaps, some have said for 5 years, so that if you ever do a bad thing, they can go back and see all the people that you were talking to last year.

Chris - Does this worry you, Steven?

Steven - Yes, I think it's quite concerning and particularly because the computer systems that are being used from answering are no more secure than other computer systems, and it could be that criminals will break into these and monitor people even without permission of the police. And this happened in Greece. Some criminals - we don't know who they were - broke into the Greece telephone exchange and were wiretapping the Prime Minister, and was doing so for a year before they discovered that the interception equipment have been tampered with.

55:05 - How can I use one telephone line for multiple uses?

Using one telephone wire, we can have a conversation with a distant relative, download emails, stream live TV and, of course, catch up with the latest Naked Scientists Podcasts - all at the...

How can I use one telephone line for multiple uses?

Hannah - When you talk into a phone the vibrations in the air that make up the sound are converted into vibrations in the electrical current carried by the copper wire of the telephone line. In the same way that your voice is made up of different pitches, this electrical vibration can be a wide-range of different frequencies. But according to Mark Smith, Network Engineer and Telecommunications Consultant, a telephone call uses a narrow range of frequencies. Mark - Basically, there's a pair of wires from the local exchange, all the way to your phone, but the telephone conversations are actually quite a low-frequency signal, they only go up to 4 kilohertz. Hannah - This leaves a lot of other frequencies that can transfer data above the range of human hearing. Using an electronic filter, you can transfer data at frequencies above the range that you can hear. A modem or "modulator-demodulator" converts digital data into these vibrations. As this is done at vibrations of at least 25,000 hertz, you can send voice and internet data along the same wire at the same time, without interfering with your telephone conversation. Mark - The modem uses all the frequencies up to about 10 megahertz and it divides the frequency into bands, a bit like the spectrum of rainbow and based on how good your line is, it allocates different frequencies to different parts of a band. The things like YouTube and just file transfer and you're watching your television, they're all data that needs to go as noughts and ones over the line. All that data's split into packets of data and it's sent over a line using a very special modem that decides the maximum amount of data it can get over that and works at how to do that. With things like video for example, if the line is good enough, you'll always get that, but if the line isn't good enough, then it will start to break up. If you're transferring things like files, if the line is really good, it would be really quick, and if the line is not good, it will be very slow. Hannah - On the forum, Evan A-U adds that these packets of data each have an address on the front and a return address like letters in the postal service. The network equipment uses this address to send each packet to the right destination. This means that even though the packets are sent mixed up and out of sequence, the data doesn't get scrambled. We next move on to reflect on a question just in.

Add a comment