Tuesday, 16 September 2014

The 11th International Conference on Computing and Information Technology (IC2IT2015)

The 11th International Conference on Computing and Information Technology (IC2IT2015) is organised by the Faculty of Information Technology, King Mongkut's University of Technology North Bangkok and its partners, including:
  1. Fern University in Hagen, Germany
  2. Chemnitz University, Germany
  3. Oklahoma State University, USA
  4. Edith Cowan University, Australia.
This year's event, the IC2IT2014, was successfully held in Phuket. There were around one hundred submissions from all over the world, and thirty were accepted for oral presentation.

Next year, the IC2IT2015 will be held at King Mongkut's University of Technology North Bangkok with the emphasis on two fields:
  1. Data Mining and Machine Learning and
  2. Data Network and Communication
Again, the IC2IT2015 conference proceedings will be published by Springer. This will be the third time that the proceedings are published by such an accredited publisher as Springer. Moreover, the proceedings will be indexed by Scopus.

This is what the IC2IT2014 proceedings look like. ^_^

Papers can be submitted here. We accept papers until the 21st December 2014. 

Call for papers can be seen here.

Thursday, 11 September 2014

Apple Pay ... Is it secure?

On the 9th September 2014, Apple finally announced two new iPhone models: iPhone 6 and iPhone 6 Plus. I won't go into any detail of the features they offer, because it looks like a lot of people have already talked about them.

However, there is one feature that I am particularly interested in. The Apple Pay. From what I have seen of it, it looks very convenient.

For now, let's look briefly at how it works. (Thanks TechCrunch for the video.)


Wow! Quick and convenient! What more can you ask for?

One question instantly came to mind when looking at a demo of this sort: is Apple Pay secure?

In order to answer this question, let us think about the technology involved in this. The first thing that makes this work is the NFC technology. Secondly, the credit card detail is required to be stored on the phone. Thirdly, the fingerprint of the user.

Let's analyse. Well, I will just do whatever I can here. haha!

First of all, the NFC technology is an integral part of this Apple Pay. Without it, no communication between the phone and the point-of-sale is possible. What information is to be transferred between them? Of course, the user's credential information. You should be asking questions right about now. ...

Apple said nothing at the event about how the communication takes place, and more importantly, how the communication is to be made secure. Why not? I don't really know.

NFC's range is said to be no further than 20 cm, which may be enough to prevent any information interception (during the payment by a person in line next to the payer). However, remember that 20 cm is just an estimate. Therefore, it is still possible that the information can travel a little further than expected. If this happens then we may be in trouble.

NFC's standard is the ISO14443, which does not appear to have a part on security! It is, therefore, up to Apple to answer how they have made the communication between the phone and the point-of-sale secure.

The next thing is that after using the Apple Pay to pay for anything, does the NFC get automatically turned off? If not, it means that a communication channel is left open to anyone to try to get into the phone (although getting within the communication range is not that easy, it is still not impossible).

So ... the first component of Apple Pay, the NFC, still leaves a question.

The second aspect of Apple Pay is the storing of credit card information. Yes, it is necessary to do so, otherwise this would not work. Anyway, it was good to hear Apple say that the information is to be encrypted by Apple's "secure element" (no real algorithm has been mentioned). Another thing that was pleasing to hear is that no information will be sent to the Apple server. Good good. Personally, I do trust that Apple can do a good job in securing the information on the iPhone for us, provided that we do not lose the phone! haha!

Still, how the credit card information is securely sent to the point-of-sale for verification remains to be answered. This is actually back to the NFC question.

The third component to be discussed is the fingerprint. Apple has taken advantage of having the fingerprint scanner on the iPhone here. Clever. I quite like the idea of using biometrics as a factor of authentication. At least, it is better than using a PIN code, which can easily be stolen.

Speaking of stealing, I think one of the reasons Apple decided to use fingerprint as a factor of authentication is to at least make it more difficult to use the Apple Pay when a phone is lost or stolen. But ... let's not forget that fingerprint can also be faked! This is how. (A few years ago, I had students in my information security class research on this exact topic, too. Interesting it was.)

One final point ... Apple Pay uses credit card information and the user's fingerprint for verification and authentication purposes. Is this a two-factor authentication? Not sure, but it looks like a single-factor authentication to me (credit card information not being a factor since another person can easily transfer the information using the same phone), at a glance here. Hmmm ... one-factor authentication. I'm sure I have heard that there are problems with this. hehe! At least another factor should really be used, I think.

Why don't they use their Apple Watch as a second factor of authentication? Just a funny idea ... haha!

On the whole, the idea of Apple Pay is to provide convenience to users. Some security questions remain to be explained, especially the security of data transfer via NFC. The final question is "would people use it because it is convenient despite some security doubts?".

Monday, 1 September 2014

Has Apple's iCloud really been hacked?

"Celebrities' private photos have been hacked and shared on the Internet" is really today's big news. How did it happen? Did they all happen to lose their phones at the same time? Did all the phones happen to fall into the same person's hands at once? I don't think that's what has happened anyway.

Many have suggested that the photos had been shot and automatically saved on Apple's iCloud. Somehow this person was able to access it and took those photos. The question is "has the iCloud been hacked?"

A lot of articles have agreed on the theory. But ... hacking the iCloud directly could not have been easy. Personally, I question whether the following had been done prior to getting into iCloud.

  • Is it possible that the hacker had got the usernames and passwords from somewhere else and used them on the iCloud?

Why is it that I seem to think that the above scenario could have been very possible? I even think that it might even have been easier to do the above than going directly to iCloud.

If this is actually what had happened, another security awareness point must be raised. That is, people should know that password reuse is really not acceptable. Maybe the TOTP or Time-Based One-Time Password is an option. ^_^

I am not praising Apple by any means. I am not even using any of their products at the moment. But I have seen and read every page of their security document, and I think they have done their job in trying to protect the privacy of the users.

Just wanting to provide another perspective to this current and trendy news. ^_^