BSc in Computer Science (Information Security)

The Information Security Group has recently established a new undergraduate degree with the Computer Science Department. This programme, entitled Computer Science (Information Security), puts a new and highly relevant twist on a traditional Computer Science degree.

Why do we need this new programme?

Enormous volumes of information are now routinely stored on computers and transmitted world-wide over the Internet. Most aspects of our daily lives would come to a halt if that information infrastructure failed. With the benefits also come very serious threats - from fraud, from deliberate damage via hacking, viruses and worms, and from blackmailers threatening damage.

Some years ago, computer hackers were mainly in it for fun - hacking poorly configured servers and badly written server software was seen as a way of demonstrating their ability, and also poking fun at the ineptitude of the leading providers. Nevertheless, some of these attacks still resulted in serious losses for the victims. Today we are faced with a much more serious challenge. Organised crime has woken up to the possibilities of attacking corporate and end user systems, and a huge variety of malicious software and attack techniques are now available. Indeed, it could be said that the systems many of us rely on in our daily lives are under constant attack by malicious criminal gangs.

The paramount importance of restoring trust and security to today's computing environments has been recognised by the industry. For example, in 2003, Microsoft formed the Trustworthy Computing Academic Advisory Board, to advise Microsoft on security, privacy and reliability issues. Royal Holloway is unique amongst UK universities in being represented on this board. Back in 2004, Microsoft Research offered $1 million for the development of academic curricula focusing on Microsoft's Trustworthy Computing security initiatives. As part of these initiatives, Microsoft supported the development of a course on secure software currently being delivered as part of the Royal Holloway masters degree in Information Security. Much of this material is now being offered to undergraduates as part of the new Computer Science (Information Security) programme.

The huge risks to personal data have been recognised by the UK government. An August 2007 House of Lords Science and Technology Committee Report on Personal Internet Security points out many of the most serious and growing risks to our data. As this report says, 'the Internet is now increasingly the playground of criminals. Where a decade ago the public perception of the e-criminal was of a lonely hacker searching for attention, today's "bad guys" belong to organised crime groups, are highly skilful, specialised, and focused on profit. They want to stay invisible, and so far they have largely succeeded.'

Moreover, as acknowledged in the foreword to the 2008 White Paper on Secure Software Development, 'it is evident that many of the [IT security] problems [that] we [have] encountered would have been mitigated and sometimes removed completely if the software on ICT systems had been developed with fewer software flaws and better security design. This is a neglected area in the UK in that there are some very good examples of best practice but these are few and desperately need to be shared so all can benefit'. This White Paper was developed as part of the UK CyberSecurity KTN's Special Interest Group looking at this topic.

Across the industry, organisations are being forced to take this threat seriously. Software vendors have been forced to 'up their game', and web companies have been obliged to try to minimise the risks to their users and to their own corporate data. These efforts have been hampered by serious shortages of suitable staff - at Royal Holloway, we have sought to help address this through our internationally renowned masters degree in Information Security, probably the first in the world when it was launched in 1992. The new Computer Science (Information Security) degree programme is designed to help address the urgent need for software and computing specialists who are security aware. There are certainly huge opportunities for security aware software developers, system administrators, and IT managers.

What does the programme cover?

This programme covers the best ways of protecting businesses, governments and individuals from these threats to their information. Students will study cryptography, security of software, and architectures for trusted computer systems under the supervision of a leading researcher in information security, alongside the fundamentals of computer science including Java programming, databases and networks.

Case studies

To illustrate the importance of this new programme, we briefly present a few recent security case studies. Across the industry it is imperative that developers learn how to write software free from the vulnerabilities that make attacks possible (such as the DNS flaw described below). Similarly, new ways are needed to protect users against phishing attacks, which exploit their limited understanding of complex user interfaces. These issues are addressed in greater detail in the Computer Science (Information Security) programme.

Parcelforce data privacy breach

A BBC investigation revealed in June 2009 that when some Parcelforce customers entered their parcel tracking numbers online, they were able to gain access to other customers' delivery details: the site treated knowledge of a tracking number as sufficient proof of entitlement to the record it identified. As reported in Computer Weekly, this data breach arose from inadequate vulnerability testing of the site. As the article goes on to say, a common problem is that, while in-house developers are well acquainted with the requirements of the company, they may lack the facility for looking at the scripting code from an audit perspective.
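The flaw described above is a missing authorisation check: the lookup is keyed on an identifier the customer supplies, and nothing ties that identifier to the account asking for it. The following is an added example, not Parcelforce's code, showing that pattern beside a hardened lookup. The records, account names and the `owner_id` field are constructed for the example.

```python
"""Added example, not Parcelforce's code: a parcel-tracking lookup that hands
back any record whose tracking number is supplied, beside one that also checks
the record belongs to the logged-in account. Records and names are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Parcel:
    tracking_number: str
    owner_id: str          # account that booked the parcel (assumed field)
    recipient: str
    address: str


# Constructed sample data standing in for the site's database.
PARCELS = {
    "PF0001": Parcel("PF0001", "alice", "A. Customer", "1 High Street, Egham"),
    "PF0002": Parcel("PF0002", "bob", "B. Customer", "2 Station Road, Staines"),
}


def lookup_insecure(tracking_number: str) -> Optional[Parcel]:
    """The flawed pattern: possession of a tracking number is treated as proof
    of entitlement, so anyone who guesses or increments a number sees the record."""
    return PARCELS.get(tracking_number)


def enumerate_insecure(prefix: str = "PF", start: int = 1, stop: int = 10) -> List[str]:
    """What an attacker does against the insecure lookup: walk the number
    space and collect every record that comes back."""
    hits = []
    for n in range(start, stop):
        parcel = lookup_insecure(f"{prefix}{n:04d}")
        if parcel is not None:
            hits.append(parcel.tracking_number)
    return hits


class AuthorizationError(Exception):
    pass


def lookup_secure(tracking_number: str, session_user: str) -> Parcel:
    """Hardened lookup: the record must exist AND belong to the authenticated
    user. Both failures raise the same error so the endpoint cannot be used to
    tell valid tracking numbers from invalid ones."""
    parcel = PARCELS.get(tracking_number)
    if parcel is None or parcel.owner_id != session_user:
        raise AuthorizationError("no such parcel for this account")
    return parcel


def can_view(tracking_number: str, session_user: str) -> bool:
    """True if the hardened lookup would show this record to this user."""
    try:
        lookup_secure(tracking_number, session_user)
        return True
    except AuthorizationError:
        return False


if __name__ == "__main__":
    print("attacker enumerates:", enumerate_insecure())
    print("alice sees PF0001:", can_view("PF0001", "alice"))
    print("alice sees PF0002:", can_view("PF0002", "alice"))
```

The audit question to ask of every such endpoint is the one `lookup_secure` answers: apart from the identifier in the request, what proves the caller is allowed to see this record? Returning the same error for "does not exist" and "not yours" also removes the enumeration oracle that `enumerate_insecure` relies on.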

Crackdown on botnet operator

The BBC reported in November 2007 that police in New Zealand had questioned a teenager believed to be the ringleader of an international cyber-crime group. The group is alleged to have infiltrated more than one million computers and stolen millions of dollars from bank accounts. He was detained as part of an FBI crackdown on hi-tech criminals who run botnets - networks of hijacked PCs. The FBI estimated that 1.3 million computers were under the control of this teenager, and that they were used to steal millions of dollars.

Attack on Monster

As reported in August 2007 by the BBC and Guardian Unlimited, the leading jobs website Monster was the victim of a very serious attack. Both the website itself and many of its users were attacked, resulting in the compromise of large quantities of user data held by Monster and in the loss of data by many Monster users.

Hackers first accessed the employers' section of the website using stolen log-in credentials. User names, e-mail addresses, home addresses and phone numbers, were then stolen. In a second stage of the attack, this stolen information (very damaging in itself, for all sorts of reasons) was used as the basis of a series of very convincing phishing emails sent to Monster users. As a result, many users were fooled into running malicious software on their PCs, which encrypted their data and demanded ransom payments for it to be decrypted.

Money stolen from bank accounts

In an attack on the Dutch bank ABN Amro, reported in April 2007 in The Register, a two-factor authentication system was defeated and money stolen from the online accounts of customers who fell for a phishing scam. Two-factor authentication, in which a user is authenticated in two independent ways (e.g. using a password and a physical token), has been promoted as a means of protecting users of remote corporate or banking systems from credential theft. However, such schemes are still vulnerable to phishing attacks, where fraudulent emails lure recipients to bogus websites set up to gather security details: the bogus site collects the one-time code along with the password and uses both against the real site before the code expires or is consumed.
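The weakness is that a one-time code proves only that the person typing it holds the token right now; it says nothing about which transaction they intended. The following added example, not ABN Amro's system, plays out the relay described above against a toy bank, first with a plain one-time code and then with a code bound to the payee and amount. The HMAC-based code construction, account names, secrets and balances are assumptions for the example.

```python
"""Added example, not ABN Amro's system: a toy bank, a customer's code
generator, and a phishing site that relays what the customer types. Secrets,
names and the code construction are assumptions for the example."""
import hashlib
import hmac


def otp(secret: bytes, counter: int) -> str:
    """Event-based one-time login code (HOTP-style, truncated to 6 digits)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def transaction_code(secret: bytes, dest: str, amount: int) -> str:
    """Code bound to the payee and amount the customer sees on the token."""
    mac = hmac.new(secret, f"{dest}|{amount}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 100_000_000:08d}"


class Bank:
    def __init__(self, bind_transactions: bool):
        self.bind = bind_transactions
        self.accounts = {"alice": dict(password="hunter2", secret=b"alice-token-seed",
                                       counter=0, balance=1000)}
        self.sessions = {}

    def login(self, user, password, code):
        acct = self.accounts.get(user)
        if acct is None or password != acct["password"]:
            return None
        if code != otp(acct["secret"], acct["counter"]):
            return None
        acct["counter"] += 1                      # each login code is single-use
        token = f"sess-{user}-{acct['counter']}"
        self.sessions[token] = user
        return token

    def transfer(self, session, dest, amount, code=None):
        user = self.sessions.get(session)
        if user is None:
            return False
        acct = self.accounts[user]
        if self.bind and code != transaction_code(acct["secret"], dest, amount):
            return False                          # code was issued for other details
        if amount > acct["balance"]:
            return False
        acct["balance"] -= amount
        return True


class UserToken:
    """Stands in for the customer's hardware token or card reader."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def next_otp(self) -> str:
        code = otp(self.secret, self.counter)
        self.counter += 1
        return code

    def sign(self, dest: str, amount: int) -> str:
        return transaction_code(self.secret, dest, amount)


def relay_attack(bank: Bank, token: UserToken) -> bool:
    """The customer is lured to a bogus site and types password + one-time
    code. The phisher forwards both to the real bank at once, before the
    customer's own login consumes the code, then submits its own transfer.
    Returns True if the attacker got the money."""
    password, code = "hunter2", token.next_otp()  # what the victim typed
    session = bank.login("alice", password, code)  # phisher replays them
    if session is None:
        return False
    # The victim believed they were paying a bill; the phisher swaps the payee.
    intended_dest, intended_amount = "GAS-BOARD", 50
    victim_code = token.sign(intended_dest, intended_amount) if bank.bind else None
    return bank.transfer(session, "MULE-ACCOUNT", 900, victim_code)


if __name__ == "__main__":
    print("plain OTP, relayed:", relay_attack(Bank(False), UserToken(b"alice-token-seed")))
    print("transaction-bound:", relay_attack(Bank(True), UserToken(b"alice-token-seed")))
```

With `bind_transactions=False` the relay succeeds: the bank sees a correct password and a correct, unused code, and cannot tell the phisher's session from the customer's. With binding on, the code the customer generated commits to `GAS-BOARD|50`, so the phisher's transfer to `MULE-ACCOUNT` is rejected even though the login itself was relayed. The defence only works if the token shows the customer the payee and amount it is signing, which is why the user-interface point raised earlier matters as much as the cryptography.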

Attacks exploit Windows DNS server flaw

An April 2007 report in The Register describes attacks exploiting a flaw in the Domain Name System (DNS) server implementation in Microsoft Windows. Attackers targeted a flaw in the DNS Server service on Windows server operating systems that enabled them to hijack the servers. The attack triggers a stack-based buffer overrun in the service's remote procedure call (RPC) interface: a specially crafted RPC packet is sent to the targeted machine, and a successful exploit allows the attacker to run code in the security context of the DNS Server service, which by default runs with full (Local System) privileges.
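The root cause of a flaw of this kind is a copy into a fixed-size buffer whose length is taken from the attacker's packet. The following added example, not Microsoft's code, models a length-prefixed RPC-style request and shows the unchecked copy beside the two checks a safe parser performs: the declared length against the buffer, and the declared length against the bytes actually received. The frame layout and buffer size are assumptions; in C the unchecked copy overwrites the stack, whereas the fixed Python buffer raises an exception, which stands in for the corruption.

```python
"""Added example, not Microsoft's code: a toy RPC-style request with a
length-prefixed name field, copied into a fixed 32-byte buffer. The frame
layout and buffer size are assumptions for the example."""
import struct

NAME_BUF_SIZE = 32          # fixed-size stack buffer in the server (assumption)


def build_request(opnum: int, name: bytes) -> bytes:
    """Constructed frame: uint16 opnum, uint16 name length, name bytes."""
    return struct.pack("!HH", opnum, len(name)) + name


def parse_unchecked(pkt: bytes) -> bytes:
    """The flawed pattern: the length field from the packet is trusted and
    drives the copy into a fixed buffer. A memoryview over the buffer cannot
    grow, so an oversized copy raises here instead of smashing the stack."""
    _opnum, n = struct.unpack_from("!HH", pkt, 0)
    buf = bytearray(NAME_BUF_SIZE)
    view = memoryview(buf)
    view[0:n] = pkt[4:4 + n]            # n > 32: in C this overwrites the stack
    return bytes(buf[:n])


class MalformedRequest(Exception):
    pass


def parse_checked(pkt: bytes) -> bytes:
    """Hardened parser: validate every length the peer supplied before copying."""
    if len(pkt) < 4:
        raise MalformedRequest("truncated header")
    _opnum, n = struct.unpack_from("!HH", pkt, 0)
    if n > NAME_BUF_SIZE:
        raise MalformedRequest("name longer than buffer")     # overflow
    if 4 + n > len(pkt):
        raise MalformedRequest("length exceeds packet")        # over-read
    buf = bytearray(NAME_BUF_SIZE)
    view = memoryview(buf)
    view[0:n] = pkt[4:4 + n]
    return bytes(buf[:n])


def rejects(parser, pkt: bytes) -> bool:
    """True if the parser refuses (or, for the unchecked one, blows up on) pkt."""
    try:
        parser(pkt)
        return False
    except (MalformedRequest, ValueError, struct.error):
        return True


if __name__ == "__main__":
    good = build_request(1, b"example.com")
    crafted = build_request(1, b"A" * 200)        # attacker-chosen length field
    print("checked accepts good:", not rejects(parse_checked, good))
    print("checked rejects crafted:", rejects(parse_checked, crafted))
    print("unchecked on crafted:", rejects(parse_unchecked, crafted))
```

Both parsers behave identically on well-formed input, which is why the flaw survives functional testing; only the oversized and truncated frames separate them. The second check matters as much as the first: a length larger than the remaining packet turns a copy into a read past the end of the received data, a disclosure bug even where the buffer itself is large enough.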