Won the UK Cyber Security Challenge

UK cyber

I participated in UK Cyber Security Challenge.

Our university team won the competition.

It was an interesting experience and through teamwork we solved all the challenging puzzles other universities had submitted.

Try to crack Christmas Cipher 2012 to practice for upcoming UK Cyber Security challenges.



Enigma Machine Spreadsheet

You can try encrypting your own messages using this spreadsheet

How AES encryption works –  a flash clip demonstrating Rijndael cipher in action

A Stick Figure Guide to the Advanced Encryption Standard

Public Key Cryptography: Diffie-Hellman Key Exchange

Cloud Computing Security – A brief overview of Threats, Vulnerabilities, and Countermeasures


In 2013 the Cloud Security Alliance released a report, which identifies and describes 9 significant threats to Cloud computing [3]. This report was conducted through a survey of experts and intends to help companies in their Risk assessment. The Cloud Security Alliance (CSA) is one of the first nonprofit organizations that have tried to set up standards for best practices for secure cloud computing. They further try to offer guidance and security education.

The identified threats are listed in accordance to their severity:

1. Data Breaches: Data breaches occur when sensitive information of a company falls into the hands of its competitors and cloud computing introduces new ways of attack [1,3].

2. Data Loss: Data Loss can happen in several ways and is a terrifying thought for businesses. Accidental deletions by the CSP or physical catastrophes are examples of possible ways of loosing data in the cloud. Another example is if the consumer encrypts the data before uploading it to the cloud but then looses the encryption key [1, 3].

3. Account or Service Traffic Hijacking: There are different ways an account can be hijacked such as social engineering. If an attacker is able to get access to an account he can access, for example, sensitive data, manipulate it, and also redirect transactions [3, 9].

4. Insecure APIs: Services provided by CSPs can be accessed through APIs and therefore the security of the cloud depends also highly on the security of these APIs.  Weak credentials, insufficient authorization checks and insufficient input-data validation are some problems that can arise with APIs [3, 9].

5. Denial of Service (DoS): Cloud System Resources are being overused by an attacker, which prevent users from being able to access their data or applications [1, 3].

6. Malicious insiders: This threat refers to the fraud, damage or theft of information and misuse of IT resources caused from inside the CSP [3, 9].

7. Abuse of Nefarious Use:  CSP are known to have weak registration processes and therefore can give easy access to attackers. Possible impacts include decoding and cracking of passwords and executing malicious commands [1, 3].

8. Insufficient due diligence: Some companies do not have the right resources and understanding of the cloud environment to correctly evaluate the risk associated with responsibilities. Some implications can be contractual issues and operational and architectural issues [3].

9. Shared Technology Vulnerabilities: This threat can occur in all service models and refers to the fact that a single vulnerability could compromise the entire provides cloud [3].

Vulnerabilities in the Cloud

Vulnerability is the second factor companies have to consider when assessing the risk of migrating data to the cloud. Even though many types of vulnerabilities exist, when identifying them it is important to make sure they are cloud specific.

What makes a Vulnerability cloud specific?

According to the research conducted in [5] there are several criteria, which can be met by a vulnerability to make it cloud specific.

  • Virtualization, service- oriented architecture and cryptography are examples of core technologies of cloud computing. A Vulnerability is cloud specific if it is frequent and fundamental to these core technologies.
  • Elasticity, resource pooling and pay-as-you go mode are example on the other hand of cloud characteristics [4]. A Vulnerability is cloud specific if its root cause is in one of those characteristics.
  • Another criteria that makes a vulnerability cloud specific is if it hard to implement existing security controls to cloud innovations.
  • The last criteria they mention is that it has to be frequent in established state-of-the-art cloud services

Knowing what makes a vulnerability cloud specific one can then identify vulnerabilities in the cloud. The paper [1] has identified in total 7 major vulnerabilities of cloud computing:

1 Session Riding and Hijacking: This vulnerability is related to web applications weaknesses. Session Hijacking is unauthorized access is gained through a valid session key [8]. Session riding on the other hand is when the attacker sends commands to a web application by tricking the user open an email or to visit a malicious website [1].

2. Reliability and Availability of Service: This vulnerability takes into consideration that cloud computing is not perfect. More and more service are built on top of cloud computing infrastructures. In case of a failure a large amount of Internet based services and applications may stop working. The paper [1] give the example of an event in 2008 when Amazon’s Web Service cloud storage infrastructure went down for several hours. This caused data loss and access issues.

3. Insecure Cryptography: One of the fundamental problems in cryptography is the random generation of numbers. If numbers used in cryptographic algorithm are not truly random flaws can be found easily. The Virtual machines used on the cloud do not have enough sources of entropy and are therefore susceptible to attacks [1].

4. Data Protection and Portability: This vulnerability addresses the questions of what happens with the sensitive data in case of contract termination or in case the CSP goes out of business [1].

5. Virtual Machine Escape: This vulnerability refers to the possibility of breaking out of a virtual machine and interacting with the host operating system. Given that many virtual machine can exist in the same location increases the attack surface for the attacker [1].

6 Vendor Lock-in: The vulnerability lies in companies being dependent on the CSP they have initially chosen. Inconsistencies between CSPs and lack of standards make it hard for companies to switch providers [1].

7. Internet Dependency: Cloud Computing is very much dependent on the Internet. Users usually access services through web browsers. Some critical operation such as Healthcare systems needs to be up and running 24 hours. The question arises in situations where the Internet is not reliable [1].


 Having identified the risks of cloud computing it is then possible to assess which data or applications should be migrated and how much security is needed. Further, it is possible to come up with countermeasures or safeguards to mitigate these risks. Countermeasures may come in various forms such as policies, procedures, software configurations, and hardware devices [4].

For the threats and vulnerabilities mentioned in this report there exist countermeasures that can help mitigate the risk. Papers such as [6], [3], and [9] give possible solutions to these risks. Some of them are for example Identity and access management guidance for the threat of account or service hijacking [6]. The CSA has issued a report to provide a list of best practices such as separation of duties and identity management [2]. For the threat of data leakage for example the main countermeasure is encryption [8, 6].

Even though there are many countermeasures that have been identified a good practice for companies is to have a good Service Level agreement (SLA) with the CSP. SLAs are the only legal agreement between client and service provider and should cover aspects such as security policies and their implantation and also should discuss legal issues in case of misuse of services [7]. The CSA further has come up with a framework that can assist in looking at the aspects of Governance, Risk and Compliance (GRC) in a company’s IT policy when adopting a new solution. Their framework assists in assessing Clouds provided by CSPs against established best practices and standards.

We have looked at Threats and Vulnerabilities and come to conclude that there are still several issues to cloud computing that need to be solved. Therefore, it is only understandable that companies still view cloud computing skeptical and do not adopt it as an option without consideration. Companies themselves should ensure through service level agreements that they get the security they need. Further we are able to see through organizations such as the Cloud Security Alliance that there are efforts in trying to create standards and help companies in choosing the right provider.


[1]       Bamiah, Mervat Adib, and Sarfraz Nawaz Brohi. “Seven Deadly Threats and Vulnerabilities in Cloud Computing.” International Journal of Advanced Engineering Sciences and Technologies (IJAEST) (2011).

[2]       Brunette, Glenn, and Rich Mogull. “Security guidance for critical areas of focus in cloud computing v2. 1.” Cloud Security Alliance (2009): 1-76.

[3]       Cloud Security Alliance, “The Notorious Nine Cloud Computing Top Threats in 2013”, Cloud Security Alliance, 2013, [Online]

[4]       Dahbur, Kamal, Bassil Mohammad, and Ahmad Bisher Tarakji. “A survey of risks, threats and vulnerabilities in cloud computing.” In Proceedings of the 2011 International Conference on Intelligent Semantic Web-Services and Applications, p. 12. ACM, 2011.

[5]       Grobauer, Bernd, Tobias Walloschek, and Elmar Stocker. “Understanding cloud computing vulnerabilities.” Security & Privacy, IEEE 9, no. 2 (2011): 50-57.

[6]       Hashizume, Keiko, David G. Rosado, Eduardo Fernández-Medina, and Eduardo B. Fernandez. “An analysis of security issues for cloud computing.” Journal of Internet Services and Applications 4, no. 1 (2013): 5.

[7]       Kandukuri, Balachandra Reddy, V. Ramakrishna Paturi, and Atanu Rakshit. “Cloud security issues.” In Services Computing, 2009. SCC’09. IEEE International Conference on, pp. 517-520. IEEE, 2009.

[8]       Munir, Kashif, and Sellapan Palaniappan. “Secure Cloud Architecture.” Advanced Computing: An International Journal (ACIJ), 4 (1), 9-22. (2013).

[9]       Yu, Ting-ting, and Ying-Guo Zhu. “Research on Cloud Computing and Security.” In Distributed Computing and Applications to Business, Engineering & Science (DCABES), 2012 11th International Symposium on, pp. 314-316. IEEE, 2012.


Defining privacy is a difficult task.

No definition of privacy is possible, because privacy issues are  fundamentally matters of values, interests, and power – Alan Westin as  reported in Gellman (1997, p.194)
Privacy, however, is a concept in disarray. Nobody can articulate what it  means – Daniel Solove (2009,p.1)
It is not possible to give a unique, unitary definition of privacy that covers  all the diverse privacy interests  – Judith W. DeCew (1997, p.61)
Privacy is a value so complex, so entangled in competing and  contradictory dimensions, so engorged with various and distinct meanings,  that I sometimes despair whether it can be usefully addressed at all  – Robert C. Post (2001, p.2087)

I want to share with you several videos on privacy.

  • Short documentary: Why Privacy Matters
  • A mock up of ordering pizza by phone to show how peoples behaviour can be tracked.
  • A training video produced by the UK Information Commisioner’s Office on Data Protection Act, – Lights are on

Finally, Javvad explores the difference between security and privacy:

Governance, Risk and Compliance in the Cloud research project



A major UK-based telecommunications company proposed to conduct a joint research  with MSc Information Security students at UCL.

The use of cloud computing as a way of providing and consuming on-demand, pay-as-you-consume ICT service has revolutionised the industry.  Services like Amazon EC2 have seen a huge increase in its revenue. However, currently it is the Small and Medium Enterprises (SMEs) that are leading the way in the use of these public Infrastructure as a Service (IaaS) offerings. 

The company envisages that as these services become more mature and secure, they will be adopted and used by more “traditional” enterprises like the finance, health and government sector.

Governance, Risk and Compliance (GRC) plays a very important role in the IT policies of these institutions and as such, for any solution to be adopted by them, these aspects of the IT policies will have to be considered.  Several initiatives have been started to address this issue. The Cloud Security Alliance’s  GRC Stack is one of the most mature and accepted initiative in this area. It consists of four main stacks – Cloud Controls Matrix, Consensus Assessments Initiative, Cloud Audit and Cloud Trust Protocol.

It was very interesting to participate in the series of workshops to investigate how  this framework would impact and be used by the company. This helped me to learn a lot about the telecoms industry and the way they are adopting cloud technologies in a secure way.

Risk management and compliance tools

Citicus MOCA – iPhone/iPad tool that enables you to complete a criticality assessment in minutes, anywhere, anytime, using a highly-respected technique that has been successfully applied to many thousands of assessments over the last decade.  In essence, this highlights the maximum credible loss to your organisation if the worst happens to an asset (e.g. theft, fire, flood, malfunction).

Control Systems Security Program (CSSP) – free tool that provides users with a systematic and repeatable approach for assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems.

If you struggle to comply with HIPAA, the NIST HIPAA Security Toolkit Application can help you better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess implementations in operational environment.