OCTOBER 2017, NO 12

Cryptacus Newsletter

Welcome to the October edition of the monthly newsletter, offering a glimpse into recent developments in the cryptanalysis of IoT & related areas. Send more of your contributions, comments & feedback at

News from the Chair

by Gildas Avoine

Dear Cryptacus Members,

The program of our Cryptacus' workshop in Nijmegen (Nov. 16th-18th, 2017) is currently under preparation. You still have time to submit a short abstract to give a presentation, until October 15th, 2017.

If you are interested in giving a talk, please submit a short abstract, according to the instructions provided on the web page submission.shtml

Speakers will be reimbursed even if they are not MC Members. Note also that a demo session about hardware and software tools will be organized. If you are interested in presenting such a tool, please contact Lejla Batina.

Another important point I would like to speak about in this newsletter is a specific budget to allow members of Inclusiveness Target Countries (ITC) to attend conferences if they give a talk or present a poster. This is a new tool provided by COST, and a significant budget for it has been allocated by the COST Office.

The requirements to get the grant are: (i) the application must be submitted at least 45 days before the conference start date, (ii) the applicant must be engaged in an official research programme as a PhD Student or postdoctoral fellow, (iii) the applicant must give a talk or present a poster during the conference.

As for STSMs, the application procedure is lightweight and processed through the e-cost online application. Do not hesitate to apply!

The guide for applicants is available at conferencegrants_userguide.

Best regards,
Gildas Avoine

Opportunities

ENISA Call for IoT Experts

The European Union Agency for Network and Information Security (ENISA) has launched a Call for Participation to invite experts in security of Internet of Things into its expert

The creation of the ENISA IoT SECurity (IoTSEC) Experts Group aims at gathering experts in the domains of the entire spectrum of Internet of Things to exchange viewpoints and ideas on cyber security threats, challenges and solutions.

I highly recommend you to read more about the IoTSEC group at and/or join it by filling the form at https://

It will be great to have a more significant presence of Cryptacus members in a group that will likely influence European Security policies regarding IoT for years to come.

The first meeting is taking place
in the Europol Headquarters in the Hague later this month.

Recommended reading

This month we will cover a great paper titled 'aIR-Jumper: Covert Air-Gap Exfiltration/Infiltration via Security Cameras & Infrared (IR)' that you can find at abs/1709.05742.

Its authors are Mordechai Guri, Dima Bykhovsky, Yuval Elovici, from the Ben-Gurion University of the Negev and the Shamoon College of Engineering in Israel.

It deals with two of my favourite topics: data exfiltration and IoT security. In this case, they propose to bypass air gapped systems by infecting infrared cameras and prove it is possible to both send and receive information to/from them without any human noticing because, of course, infrared light is invisible to humans.

They added a couple of videos showing their ideas and associated tools. This one nPP1pq is particularly impressive, with a car in a car park far away from the targeted building, and in the upper limit of the infected camera vision, transmitting data (commands) in an operation which not even security personnel surrounding the building would be able to notice.

There is a second video, in which an otherwise unremarkable camera is leaking a password and an access pin that could be aimed at facilitating anybody to break and enter the building without triggering any alarms. You can find it here https://

The researchers in addition discuss interesting technical details, such as the maximum distance at which reliable communication is possible and the maximum bit rate.

Of course, this depends on the particular camera used, but rates of around 15bits/s for exfiltrating data and 120bits/s for infiltrating seem achievable, together with effective distances that, in the case of direct line of sight between the devices, can be from ten to hundreds of meters for exfiltration to up to kilometers for infiltration.

The method can also work when no direct line of sight exists, and the signals are reflected, which makes the attack even more threatening.

Finally, the authors propose a series of countermeasures, which are not popular nowadays, not trivial to implement nor cheap, so probably this threat will be with us for some time.

All in all, an awesome and very informative piece of work.

Funding News

The European Commission has pre-published the draft 2018-2020 work programme part for the Marie Sklodowska-Curie Actions (MSCA). It contains many changes, mostly improvements in my opinion, over the past rules for Marie Curie Actions.

The European Commission has pre-published the draft 2018-2020 work programme part for Societal Challenge 6 - "Europe in a changing world - Inclusive, innovative and reflective societies". You can access it at

The European Commission recently published its tenth progress report 'Towards an effective and genuine Security Union', which discusses progress over the last years and planned actions to improve security, including systematic checks and a revamping of the EU entry/exit system, the establishment of an 'European Travel Information and Authorisation System (ETIAS)', reinforce Europol, approving a new directive on combating terrorism and firearms trafficking, as well as explosives-precursors to combat home-made explosives, etc. It's a good read, that you can access at

The European Commission, and in particular the DG for Research & Innovation has launched a prize on online security as part of H2020 Industrial Leadership pillar. This Horizon prize aims to significantly improve citizen's overall experience
on online authentication, looking for a solution enabling citizens to seamlessly authenticate across a wide range of applications and devices. The ultimate objective is to foster the widespread adoption of services and products provided within the Digital Single Market of the European Union. The call is a single stage and has an estimated budget of 4 Million EUR. The deadline for the submission of proposals is 27 September 2018. You can get more info at

Open Positions

Please send us any employment opportunity you want to publicize in the newsletter.

• Hamilton Professorships in Computer Science at Maynooth University. The areas of interest cover, among others, Cybersecurity and Privacy. Plenty of time to decide whether to apply, with a deadline on Friday 20th of October. Salary could be €110,060 to €139,501 p.a. for Professor A and €80,650 to €106,655 p.a. for the Professor B range. More info at

• Lecturer and Senior Lecturer in Cyber Security at Lancaster University, Department of Computing and Communications. These are two full time and permanent positions at one of the few prestigious GCHQ accredited Centers of Excellence in Cybersecurity Research. The people at Lancaster are building one of the largest and most visible cybersecurity groups in the UK and this investment is starting to bear fruit. The common deadline for these positions is the 3rd of November. The Lecturer position https:// has a salary range of £34,520 to £47,722 and the Senior Lecturer position goes from £50,618 to £56,950.

• Lecturer or Senior Lecturer at the University of Cambridge - Department of Computer Science and Technology. This is a full time and permanent position located at Aston. The deadline is the 10th January 2018. The Lecturer position has a salary range of £53,691 to £56,950. Interviews will be held on 19-20th March 2018.

For other interesting positions all across Europe, please check the recently revamped "Researchers in Motion" portal https://euraxess.

Proposals for STSMs

By now, you should be already familiar with what Short Term Scientific Missions (or STSMs, for short) are, but we have a healthy budget for them within the Cryptacus project and not enough demand.

Please send your willingness to receive STSMs proposal to me for publishing here. Until I do not have any more, I'll just publish mine.

• I will be very happy to receive anyone interested in investigating randomness generation and testing, particularly on IoT devices.

Blogs, posts and other good reads

NSA botched attempt at standardisation in the news

It is not frequent that cryptography gets in the news. This piece by news agency Reuters https:// was later reproduced in many other media, much to the chagrin of the NSA team that is attempting to make Simon and Speck into ISO standards. Our own Orr Dunkelman had a memorable contribution to the piece, and was quoted saying "I don't trust the designers. There are quite a lot of people in NSA who think their job is to subvert standards. My job is to secure standards." This is not a won battle yet, and if you want to know how you can contribute to stop this from happening, please contact your country representatives on the ISO Committee and let them know.

Pray for every minute this is just a comic situation and not a reality, for it will be.

Or, as a more rational alternative to prayer, which by the way doesn't work as Sir Francis Galton showed 145 years ago in his 'Statistical Inquiries into the Efficacy of Prayer', focus on this threat and work to fight against it, right now.

The creepiest webcam: Hola

Not a great deal of technical novelty, but loads of nightmarish possibilities in this piece of news: A lady in the Netherlands bought a camera to check on her dog while away, and after two months it started to behave strangely (the camera).

At the beginning it followed her movements across the apartment (the camera, this is normal for a dog) which should have been more than enough to throw it (the camera, not the dog) over the window, but it was not until it (the camera) started producing strange noises that she worried.

Things went even worse when it (the camera) started speaking to her in a variety of languages (but mostly French) and asked her to engage in sexual activities of the type described in Chapter IX of the Kama Sutra. Probably has happened hundreds of times, but this time she captured the whole scene on video

It is curious how she shouts at the hacker multiple times to 'Get the f*** out' as if that were a technique with any possibility of working. I hope she has taken more drastic measures against it (the camera) by

Event calendar

Eurocrypt 2018 will take place in Tel Aviv, Israel, from April 29 to May 3. The notification on the 15 January. Orr Dunkelman is the General Chair.

The 2018 edition of the new kid on the block, a.k.a. Real World Crypto will take place in Zurich, Switzerland, from January 10-12, 2018. The submission deadline was 5 October, with a quick notification on December the 4th.

The 10th International Conference on Cryptology, AFRICACRYPT 2018 will take place in Marrakesh, Morocco from the 7-9 May. The submission deadline is on January 7 and the notification on February 20th.

The 23rd Australasian Conference on Information Security and Privacy (ACISP 2018) will be held in Wollongong, Australia on July 11-13, 2018. It will be organized by the University of Wollongong. The submission deadline is the 25 February 2018 at 11:59pm AEST and the notification will be on the 8th April.

Financial Cryptography and Data Security 2018 (FC18) is taking place, as usual, in an exotic location. This time in Nieuwpoort in Curacao, from February 26 to March 2. The notification will arrive on the 17 November.

The 3rd International Workshop on Boolean Functions and their Applications (BFA) is organized by the Selmer Center of the University of Bergen. It will take place at the Alexandra Hotel, Loen, in Norway during June 17-22, 2018. The deadline for submission is April 1st, 2018 (no kidding) and the notification will be one week later, on April 7th.

See you all back in November!

Best,
Julio Hernandez-Castro

