COM7098 Research Methods and Study Skills

News Watch: Article Summaries and Reflections

11 articles · Oldest to newest · Real events, real reactions

Introduction

Over the course of the COM7098 Research Methods and Study Skills module, we were asked to engage with a range of academic and professional literature as a core element of developing research skills. This involved reading and reflecting on articles, both suggested by our lecturer and others found independently. The following entries present those summaries and reflections. Each entry reflects my thinking at the time of writing.

1. Conflicts Among the Pillars of Information Assurance

Wilson, K.S. (2013). Conflicts Among the Pillars of Information Assurance. IT Professional, 15(4), pp. 44–49. doi: 10.1109/MITP.2012.24.

The purpose of this article is to draw attention to the challenges involved in mitigating risks across the five pillars of Information Assurance (IA), and specifically how those pillars come into conflict with one another.

The key question the author addresses is how the five pillars interact, and how efforts to strengthen one can result in conflicts or weaknesses in another. This is explored by analysing combinations of two pillars at a time, though the article only covers four of the ten possible pairings.

The most important content in the article is the set of explanations and examples showing how each pillar can interfere with another:

  • Availability vs. Confidentiality – Data backups improve availability, but increase the number of data copies, creating more opportunities for theft or unauthorised access.
  • Confidentiality vs. Integrity – Both rely on access control, but confidentiality protects the reading of data while integrity protects its modification.
  • Availability vs. Integrity – Backups that restore corrupted data can damage integrity; false alarms in integrity checks can block access, harming availability.
  • Availability vs. Authentication – Authentication delays (such as waiting for ATM confirmation) can interrupt availability and slow down service.

The author concludes that the five pillars of IA are not independent but interdependent, and that strengthening one can often weaken another if not designed thoughtfully. Key concepts include the Five Pillars of IA (Availability, Integrity, Authentication, Confidentiality, Non-repudiation) and orthogonality – the idea that the pillars are not direct opposites but distinct dimensions that can still interfere with one another.

If this reasoning is taken seriously, security professionals would design systems that explicitly account for trade-offs between the pillars, resulting in more resilient outcomes where inter-pillar conflicts are identified and addressed early. If it is ignored, security professionals risk strengthening one pillar while inadvertently weakening others – leading to failures such as data breaches caused by unsecured backups, or service disruption caused by excessive authentication requirements.

The main perspective in this article is that information assurance should be treated as an engineering problem, not merely a matter of policy.

2. The Information Assurance Practices of Cloud Computing Vendors

Chakraborty, R., Ramireddy, S., Raghu, T.S. and Rao, H.R. (2010). The Information Assurance Practices of Cloud Computing Vendors. IT Professional, 12(4), pp. 29–37. doi: 10.1109/MITP.2010.44.

The main purpose of this article is to analyse and compare how different cloud computing vendors implement IA, particularly across the areas of security, privacy, and business integrity. It explores whether and how these differ based on the provider's service model (IaaS, PaaS, or SaaS), reputation (measured by web traffic), and company size.

The key question addressed is how different vendors prioritise and approach IA. Survey data from 25 vendors is used to compare their handling of encryption, compliance, access control, and business continuity.

The main findings are: PaaS vendors show lower emphasis on privacy than IaaS or SaaS providers; larger firms place greater emphasis on business integrity and uptime guarantees; company size affects security emphasis, but reputation (traffic) does not strongly influence IA practices; and privacy and business integrity are treated as baseline requirements across all vendors.

The article concludes that IA practices vary primarily based on company size and service type, not reputation. While security practices differ significantly between larger and smaller vendors, privacy and business integrity are maintained consistently across all.

Key concepts include: Information Assurance – ensuring confidentiality, integrity, and availability of data; the three cloud service models and their distinct assurance challenges; and the three IA dimensions of security, privacy, and business integrity. Core assumptions are that IA practices are measurable through public data, that web traffic is a reasonable proxy for reputation, and that different service models naturally face different assurance challenges. The article maintains an empirical and neutral tone throughout.

3. Inside the AI Arms Race: How Cybercriminals Exploit Trusted Tools and Malicious GPTs

A very interesting and informative article. I did not even mind that it was 32 pages long – which would usually send a shiver down my spine – because I find this topic quite compelling. It provides good introductory context for readers who may not have deep familiarity with all the technical terminology, before moving into more nuanced examples.

"Their design – which prioritizes adaptability and response generation based on learned patterns rather than a true understanding of intent or context – makes them inherently vulnerable to manipulation." (p. 5)

This is an interesting claim. One could argue that all reasoning, human or artificial, is based on learned patterns to some degree. What we refer to as "true understanding" of intent or context is itself shaped by prior experience and can shift over time. Perhaps the vulnerability lies not in pattern-based learning per se, but in learning that is insufficient to meet the level of contextual judgement required.

I attempted the described exploit on ChatGPT. Since the article does not reproduce the full phishing scenario, I had to reconstruct it from the description. ChatGPT responded in character as a villager but declined to produce the HTML and Python code requested, instead generating a phishing awareness email and providing helpful information about the threat. I was using the free version; the article tested version 4, and I used a newer release, so the improvement may be partly accounted for by version differences.

The same outcome occurred with Gemini. The article used version 2.0 Flash; I used 2.5 Pro with a similar scenario. The newer version directly refused to create the "DarkGemini" persona, though I acknowledge my recreation of the original scenario may not have been precise enough to replicate the conditions exactly.

What I found interesting is that the tasks given to standard LLMs in the article were more complex than those given to the malicious models. Tools such as ChatGPT were asked to generate both an HTML template and Python code for a phishing email – which was eventually achieved. FraudGPT and similar tools, by contrast, were only prompted for simple email text. This suggests that malicious GPTs may not yet be as technically capable when handling complex, multi-step tasks. That said, this distinction is unlikely to remain static.

Finding and understanding exploits in LLMs feels important not only for security reasons, but for understanding where the limits of these models currently lie – and for thinking about how we might one day defeat them if they inevitably take over the human race.

4. TREND REPORT: Sabotage Trends in the United Kingdom – March 2025

Sounds pretty rough.

5. QR Codes and Hacker Manipulation: A Literature Review Scenario

The following three entries were written as part of a formative lit review scenario exploring QR codes and the potential for malicious manipulation. Three sources were reviewed as part of this exercise.

5a. Steganography – A Data Hiding Technique

Kumar, A. and Pooja, K. (2010). Steganography – A data hiding technique. International Journal of Computer Applications, 9(7), pp. 19–23.

"Steganography is the art of hiding information and an effort to conceal the existence of the embedded information."

A key limitation of cryptography is that it does not attempt to hide the existence of the information it is protecting – only to render it unreadable. Steganography takes a different approach, concealing the very existence of the message. Using both methods together provides stronger protection: encrypting a message before hiding it makes it harder both to detect and to interpret if discovered.

Steganography has a range of practical applications: sharing information without risk of interception, secure data storage, embedding digital watermarks, securing e-commerce transactions, and enabling confidential communications.

Steganalysis is the counterpart process of detecting embedded information. It relies heavily on statistical analysis to identify anomalies such as unusual file sizes or altered data patterns. Detection approaches include pattern recognition, visual inspection, and specialised software tools such as Encase, ILook Investigator, and MD5 hashing utilities.

Digital watermarking involves embedding identifying information into digital media such that it persists even if the media is copied. It can be used to protect ownership and verify authenticity. Watermarks may be visible (logos or text clearly embedded) or invisible (hidden data extractable only via software).

Overall, a well-written and informative article. Information is presented clearly and at a good level of detail.

5b. An Introduction to QR Code Technology

Tiwari, S. (2016). An Introduction to QR Code Technology. International Conference on Information Technology (ICIT), pp. 39–44. IEEE.

This article provides an overview of how QR codes work, covering their structure, data encoding and decoding processes, and the range of QR code types. It explains the rationale behind their development and highlights key features such as high data capacity, fast scanning, and built-in error correction. It also discusses different formats, including Micro QR, Logo QR, and encrypted QR codes, and covers a broad range of applications in marketing, education, product tracking, and secure information transfer.

This article serves well as a background or foundational source on QR codes. It clearly explains how QR codes are structured, how data is stored within them, and the differences between available types.

5c. Cryptography and Steganography: New Approach

Al-Shaaby, A. and AlKharobi, T. (2017). Cryptography and Steganography: New Approach. Transactions on Networks and Communications, 5(6), pp. 25–38. doi: 10.14738/tnc.56.3914.

This article discusses how combining cryptography and steganography can enhance the security of digital communications. The two methods are first distinguished, and the argument is made that each has weaknesses when used in isolation. After reviewing existing combined approaches, the article proposes a new method in which a secret message is first encrypted using AES with a SHA-2 hashed key, then hidden within an image or other media using modified least significant bit (LSB) steganography. The results indicate that this combined approach improves security, robustness, and resistance to detection compared to standard sequential LSB methods.

The paper is not directly concerned with QR codes or malicious manipulation. However, its discussion of how encrypted or hidden data can be embedded within digital media is relevant to understanding how attackers might conceal malicious payloads within QR codes.
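The statistical steganalysis summarised in 5a, applied to the sequential LSB embedding that 5c uses as its baseline, as an added example (not code from the cited papers or from this journal): a pairs-of-values chi-square test, which checks whether the counts of each value pair (2k, 2k+1) have been evened out by LSB replacement. The cover samples are constructed with deliberately skewed pair counts, seeded random bits stand in for AES ciphertext, and all function names are assumptions.

```python
import math
import random
from collections import Counter

MIN_PAIR_TOTAL = 5  # chi-square is unreliable for sparsely populated pairs


def pair_chi_square(pixels):
    """Pearson chi-square of 'each pair (2k, 2k+1) is split 50/50'."""
    hist = Counter(pixels)
    stat, df = 0.0, 0
    for even in range(0, 256, 2):
        n0, n1 = hist[even], hist[even + 1]
        if n0 + n1 < MIN_PAIR_TOTAL:
            continue
        stat += (n0 - n1) ** 2 / (n0 + n1)
        df += 1
    return stat, df


def p_equalised(pixels):
    """Upper-tail p-value (Wilson-Hilferty approximation of chi-square)."""
    stat, df = pair_chi_square(pixels)
    if df == 0:
        raise ValueError("not enough samples to test")
    spread = 2 / (9 * df)
    z = ((stat / df) ** (1 / 3) - (1 - spread)) / math.sqrt(spread)
    return 0.5 * math.erfc(z / math.sqrt(2))


def flags_lsb_replacement(pixels, alpha=1e-4):
    """True when the pair counts are too even to rule out LSB replacement."""
    return p_equalised(pixels) > alpha


def constructed_cover(seed=1):
    """Constructed 8-bit samples: even values are 3x as common as odd."""
    px = [v for v in range(64, 192) for _ in range(30 if v % 2 == 0 else 10)]
    random.Random(seed).shuffle(px)
    return px


def constructed_stego(cover, n_bits, seed=2):
    """Overwrite the first n_bits LSBs with random bits (ciphertext stand-in)."""
    rng = random.Random(seed)
    out = list(cover)
    for i in range(n_bits):
        out[i] = (out[i] & ~1) | rng.getrandbits(1)
    return out


if __name__ == "__main__":
    cover = constructed_cover()
    half = len(cover) // 2
    stego = constructed_stego(cover, half)
    for name, window in [("cover", cover), ("stego[:half]", stego[:half]),
                         ("stego[half:]", stego[half:])]:
        stat, df = pair_chi_square(window)
        print(f"{name:13s} chi2={stat:7.1f} df={df} "
              f"flagged={flags_lsb_replacement(window)}")
```

The test is run over windows because sequential embedding only evens out the part of the file it has reached; the untouched remainder keeps the cover's skew and can mask the signal in a whole-file histogram.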

6. Tank Interview: A Hacking Kingpin Reveals All to the BBC

BBC News. (n.d.). Tank interview: A hacking kingpin reveals all to the BBC. BBC News.

This entry was written as a research methods exercise: analysing what methods the author employed, what alternatives might have been appropriate, and what challenges or limitations were present.

The author employed primarily qualitative methods: reading police reports, news articles, and media coverage involving "the Tank"; analysing discourse on social media; reaching out to victims to hear their accounts; and conducting a first-hand interview with the subject himself. Securing both the subject's perspective and the accounts of his victims is a key strength, as it allows both sides of the story to be presented.

An additional method that could have been employed is reaching out to known associates of the Tank, to obtain further corroborating or contrasting accounts.

The researcher faced several notable challenges: he was not permitted to take recording equipment into the prison cell and had to take notes instead; the Russian government declined to comment; and arranging the interview itself was presumably no straightforward task.

In terms of potential flaws, conflicting or false accounts present an inherent challenge in journalism of this kind. The most effective mitigation is to present both sides, which the author does – setting the Tank's own account alongside those of his victims. This does not eliminate the risk of bias entirely, but it improves the overall balance and credibility of the reporting.

7. An Interdisciplinary View of Social Engineering: A Call to Action for Research

Washo, A.H. (2021). An interdisciplinary view of social engineering: A call to action for research. Computers in Human Behavior Reports, 4, p. 100126.

This article provides a strong literature review of social engineering and its role in data breach cyber attacks, examined from IT, psychological, and business perspectives.

"Cyber attacks, in general, have been increasing at an alarming rate with one occurring about every 39 seconds (Hackers attack, 2017)."

From an IT perspective, the article discusses how MFA and network safeguards are important but insufficient on their own. Social engineering bypasses technical controls by exploiting the human element – user behaviour, legacy systems, or a combination of both.

The psychological dimension is particularly well covered. Principles including authority, reciprocity, scarcity, fear, conformity, and trust play a major role in successful attacks. The article reviews studies showing how personality traits, emotions, and cognitive biases shape an individual's vulnerability to manipulation. Understanding these factors is essential for designing effective awareness programmes and interventions.

The ethical dimension of social engineering research is also addressed. Because the field inherently involves deception, ethical frameworks – virtue ethics, utilitarianism, and deontology – are used to consider whether susceptibility testing or simulated attacks are morally acceptable.

Overall, the article makes a compelling case for more interdisciplinary research to better understand the complex, intersecting factors that enable social engineering attacks to succeed.

8. Anthropic Boss Rejects Pentagon Demand to Drop AI Safeguards

BBC News. (2025). Anthropic boss rejects Pentagon demand to drop AI safeguards. BBC News.

The article covers a public standoff between Anthropic and the Pentagon over AI safety restrictions. Anthropic refused to loosen safeguards it considers essential for ethical and constitutional reasons, while the Pentagon pressed for broader access, threatening serious diplomatic and business consequences if an agreement could not be reached.

9. Did AI Play a Role in Ocado's 1,000 Job Cuts?

BBC News. (2025). Did AI play a role in Ocado's 1,000 job cuts? BBC News.

Ocado announced plans to cut 1,000 jobs – approximately 5% of its workforce – with the move expected to generate savings of around £150 million. This immediately raised questions about whether artificial intelligence was directly responsible. Chief executive Tim Steiner stated that the company had completed a major phase of investment in robotics and automation, prompting speculation that AI had reduced the need for human staff. Ocado has long been a pioneer of warehouse automation; however, analysts suggest the redundancies are not solely attributable to AI replacing workers.

Structural factors appear equally significant: growing competition as rival retailers adopt similar technologies more quickly and cheaply, pressure on retail margins, the impact of the cost-of-living crisis on consumer spending, and the need to streamline operations to remain competitive. The company has not confirmed that AI directly replaced roles in this round of cuts, framing the decision instead as part of broader cost-saving and restructuring efforts.

A natural research extension from this article would be an investigation into the wider impact of automation and AI on employment across sectors.

10. TfL Hack in 2024 Affected Around 10 Million People, BBC Can Reveal

Tidy, J. (2025). TfL hack in 2024 affected around 10 million people, BBC can reveal. BBC News.

Around 10 million people had their personal data stolen in a 2024 cyber attack on Transport for London (TfL), making it one of the largest hacks in UK history. The attack was carried out by the Scattered Spider hacking group, who obtained a database containing names, email addresses, phone numbers, and home addresses. TfL had initially stated that only "some" customers were affected, before confirming that millions had been impacted – with over 7 million people contacted by email about the breach.

The hack also disrupted TfL's online services and is estimated to have caused around £39 million in damages, though transport operations were reported not to have been directly affected. The Information Commissioner's Office concluded that no regulatory action against TfL was necessary.

11. International Cyber Attack Disrupts Swathe of Universities and Schools

BBC News. (2025). International cyber attack disrupts swathe of universities and schools. BBC News.
IBTimes UK. (2025). Canvas Hacked By ShinyHunters: Are Your Private Messages Now Exposed In The Dark Web? IBTimes UK.

A major international cyber attack disrupted Canvas, a widely used e-learning platform, affecting universities and schools across several countries. Canvas is used for coursework, assignments, and communication between students and staff. I first heard about it through my sister, who studies at the University of Hertfordshire and was directly affected, experiencing outages and service interruptions as a result.

Students were unable to access course materials, submit assignments, or complete online learning activities. Teachers and administrators also lost the ability to communicate with students or manage coursework during the outage.

The hacking group ShinyHunters claimed responsibility. Around 9,000 institutions worldwide were affected, and a number of universities were forced to cancel final examinations. The group claimed to have obtained data including names, email addresses, student ID numbers, and user messages, and threatened to leak the information.