Making the Gromit Unleashed trail a virtual reality for hospitalised children

This summer Wallace & Gromit’s Grand Appeal partnered with engineering researchers to bring virtual reality into Bristol Children’s Hospital, helping patients unable to leave the hospital experience the award-winning sculpture trail.

A young patient tries the VR experience at Bristol Children’s Hospital

Hundreds of thousands of people from across the UK and overseas took part in Gromit Unleashed 2, the third arts trail from Bristol Children’s Hospital charity The Grand Appeal. There were 67 giant sculptures of Academy Award®-winning Aardman characters, Wallace, Gromit and Feathers McGraw – all designed and decorated by local and high-profile artists and brands, including Pixar Animation Studios and DreamWorks.

The ‘Gromit Unleashed 2 VR Experience’ was developed by Bristol Interaction Group, a research group in Engineering, and Large Visible Machine, an independent mobile platforms game studio.

PhD student Gareth Barnaby, who led the VR project, said: “It’s been a great experience to combine our technical expertise with the tireless enthusiasm of the people at The Grand Appeal to create a fun project to be deployed in the real world and brighten people’s days in hospital.

“As a PhD student, it can be hard to see where academia and the real world intersect. This project has shown the difference our work can make and the huge benefits technology can bring. Thanks to everyone at the University who has put in their time to make this project happen, and a huge thank you to The Grand Appeal for the hugely impactful work they do, and for the opportunity to be a part of it.”

Children with complex needs or those undergoing intense treatments, such as bone marrow transplants, are unable to leave hospital, so the University donated over 200 sets of Google Cardboard, plus two Google Pixel phones for patients without access to a smartphone. Using the headsets, patients are transported through virtual reality to the streets of Bristol, where 360 camera technology lets them see the sculptures up close and personal in a live setting.

Nicola Masters, Director of The Grand Appeal said: “Bristol Children’s Hospital and the 100,000 patients it cares for each year sit at the heart of absolutely everything we do. Virtual Reality is a powerful tool, and what better way to harness this than to bring the trail to the bedsides of young patients who are too poorly to leave their bed or their ward. Taking part in such an immersive and interactive experience is having a brilliant impact not only on the child’s wellbeing, but also on their rehabilitation and recovery in hospitals.”

Email phishing… and why you’re easier to hook than you think

User receiving a phishing bank email

Phishing is coming to an inbox near you… And the attacks are getting more sophisticated by the day. Rob Larson from the University of Bristol’s Cyber Security group talks to us about the latest developments and how you can protect yourself online.

Last year, 76% of organisations experienced phishing attacks, with nearly half noticing an increase from the previous year*. According to the FBI, American businesses lost $12.5 billion through corporate email attacks. Closer to home, the NHS ransomware attack of 2017 affected dozens of authorities; staff resorted to using pen and paper, and operations were cancelled, with potentially life-threatening results.

Not only are these attacks on the rise, but scammers are turning to ever-more sophisticated methods, exploiting moments in our everyday lives when we’re at our busiest and most vulnerable.

Rob Larson from the Cyber Security group

This is an area which interests Rob Larson, whose PhD focuses on online social engineering attacks. He questions the long-standing idea that individuals are the weakest link in the security chain, instead seeing them as an asset and the first line of defence. He believes that a strong organisational defence is multi-layered, with systems fortified through technology and staff trained to understand the psychology of phishing attacks.

Rob explains the prevalence of phishing attacks: “When it comes to defences, organisations have traditionally put up a perimeter, to keep the bad guys out, and locked down the systems inside it, in case they get in. So it’s often easier to just target the users of the systems, sitting behind the defences.”

We asked Rob about the wide-ranging aspects of phishing – and for some advice on what to look out for online.

Rob’s background…

“I’ve always had an interest in the psychology of social engineering, such as phishing scams, and why something so simple remains so effective.

“As a computer scientist, I wanted to understand how they’re performed, why they’re successful and what defences are available. I really wanted to bring our understanding of social engineering up-to-date and address this belief that the people who fall victim are at fault.”

On the evolving face of phishing…

“Phishing can be a very low-cost, low-overhead attack as opposed to using exploitative code to break through a hole in the system, or other costly techniques. Traditionally it was deployed willy-nilly with hundreds to thousands of emails being sent, as spam. Now, we’re seeing not only an increase in the number of attacks, but also an increase in their sophistication. Instead of casting a wide net with a mass generic email, they’re targeting a small number of people with content which is more relevant to the recipient.

“Take a university, for example, the email might talk about systems such as ‘Blackboard’ which students within the university actually use. It might reference specific personal details to seem more legitimate, such as their student ID number or course name. Links in the email might then take users through to a website which is tailored to look like the university’s web portal login, asking the target to input their username and password.

Email phishers can use personal information and a sense of urgency to trick users

“It’s common to see emails putting pressure on the target to elicit an emotional response. Fear of loss is a common one, like replicating a university email and warning the student that they’ll be withdrawn from their course if they don’t respond quickly. If the student clicks on the link they’re redirected to a fake university system and once they’ve logged in the system steals their credentials. The email will thank them for confirming attendance so they’ve no reason to suspect anything.

“These emails have a greater degree of sophistication and subtlety… They’re similar to earlier, more generic phishing scams, but are well-targeted and done in a way that users are less likely to report them, or even notice they’ve fallen victim to anything.”

On spear-phishing…

“Part of my research is trying to understand the spectrum of spear phishing and how sophisticated the attacks get. Spear phishing is a bit of a different animal to the more generic, widely distributed spam-like email; it might be a bit more specific, mentioning you by name. It could come from a contact which looks familiar or appropriate, such as a friend or a colleague, or may include some personal information. It’s quite common to see scammers deploying persuasive techniques in these emails, that leverage authority. For example, they might impersonate your boss and importantly, it might be requesting urgent action.

“Scammers often want a quick reaction – they want you to just respond on auto-pilot. You’re taking a heuristic route and going off your gut, rather than taking time to think it through. It’s something we do naturally, that we need to do to work effectively, and they take advantage of that.”

On ‘crime as a service’…

“Spear phishing used to be so labour-intensive. It was the preserve of people who had the time, money or interest; state actors; organised criminals after big money; or cyber criminals with a persistent interest in a target.

“But now you can buy this kind of service on the Dark Web, for as little as $25. Criminals can go there and say: ‘I want to impersonate a bank, I would like that bank’s website and login page cloned.’ They can pick up a similar domain and a security certificate. It’s gotten to the point that for very little cost, they can even hire a call centre, and direct users there to steal information by a different route, or add a degree of authenticity.

“It’s a perfect storm. Stolen personal information can be bought and sold online. You can buy tools and services to generate websites, and software packages to generate phishing emails that already include these psychological ploys within the templates.”

On whaling (or ‘CEO phishing’)…

“Whaling, or Business Enterprise Compromise is also increasing dramatically. Think of whaling as ‘phishing’ for a really big fish. For example, criminals target someone in finance and the CEO of the company. They might compromise a device on the company’s network, and send an email appearing to come from the CEO instructing someone in finance to make a money transfer.

“In the past five years, according to the FBI, this kind of fraud has cost US business $12.5 billion. That’s not a small figure by any kind of reckoning. If we’re talking about subtlety or lightness of touch, whaling is right at the top end of the spear-phishing spectrum. The focus is on one person and it will be very targeted and very specific.”

On social-media phishing…

Facebook users who ‘check in’ may be a target for hackers

“Another good example of phishing is on Facebook. Someone might visit a club, and check in on Facebook – the scammers message them that they’ve been tagged in a photo at that particular club on that particular night. They click on it because it’s somewhere they actually were, maybe they’re worried that it’s a terrible photo that they don’t remember. If the hackers manage to compromise the target’s social media account they can then use that to launch targeted attacks on their contacts.

“Recruiter scams are also common. Because many legitimate companies recruit primarily through LinkedIn, it’s definitely a good place to be if you’re job hunting. People put loads of information on there about their university and educational history, crucially, the kind of job roles they’ve held in the past and are currently looking for. A prevalent attack comes from fake recruiters or head-hunters. With all the information people are sharing about themselves it’s very easy for a scammer to tailor a convincing job offer email.

“It’s easy to say be careful about what you share online, but it’s always a toss-up between the benefit you’re getting from using an online service and the risk.”

On what to look out for in phishing emails…

“Despite this greater sophistication in scams, a lot of the advice given about spotting phishing still stands up. So watch out for any of the following when you receive an email:

  1. It’s generic or impersonal: they don’t greet you by name or mention your account number, instead using an ambiguous greeting such as “Dear user, student, or customer”.
  2. The message looks odd: spelling or grammar errors are common in less sophisticated attacks. Company branding or logos may be incorrect or appear poorly formatted.
  3. The email address of the sender looks wrong: for example, a message might claim to come from ‘billing@yourbank.com’ but the email shows as ‘billing@y0urb4nk.com’. However, it is possible to impersonate or ‘spoof’ addresses, so you shouldn’t rely on this alone.
  4. It’s asking for sensitive or personal information: such as your password, PIN etc.
  5. It’s trying to rush you with an urgent deadline to respond.
  6. It has a suspicious link or attachment: similarly to email addresses, links that do not match the web address of the company or service the email claims to represent.
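
Added example, not part of the interview: a small Python checker that applies signs 1, 3, 4, 5 and 6 from the list above to a raw message (sign 2, spelling and branding, is left to the reader's eye). The sample message, the link host, the keyword lists and the function names are constructed for illustration, and `trusted` is assumed to be the domain of the organisation the message claims to come from.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, not a real message; yourbank.com / y0urb4nk.com are the
# page's own illustrative addresses, the link host is made up.
SAMPLE = """\
From: YourBank Billing <billing@y0urb4nk.com>
Subject: Urgent: confirm your account within 24 hours
Content-Type: text/html

<p>Dear customer,</p>
<p>Your account will be suspended unless you confirm your password today.</p>
<p><a href="http://yourbank.com.account-check.example/login">https://www.yourbank.com/login</a></p>
"""

LEET = str.maketrans("01345", "oieas")  # common digit-for-letter swaps
GENERIC = re.compile(r"\bdear\s+(user|student|customer)\b", re.I)
URGENT = re.compile(r"\b(urgent|immediately|suspended|withdrawn|within \d+ hours?)\b", re.I)
SENSITIVE = re.compile(r"\b(password|pin|security code)\b", re.I)
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def belongs_to(host, trusted):
    """True if host is the trusted domain or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)


def phishing_flags(raw, trusted):
    """Return the warning signs found in a raw RFC 5322 message.

    `trusted` is the domain of the organisation the message claims to be from.
    """
    msg = message_from_string(raw)
    body = msg.get_payload()
    flags = []
    if GENERIC.search(body):                                   # sign 1
        flags.append("generic_greeting")
    # Sign 3. A matching From address proves nothing (it can be spoofed),
    # so this check only ever adds suspicion, never removes it.
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not belongs_to(sender, trusted):
        lookalike = sender.translate(LEET) == trusted
        flags.append("lookalike_sender" if lookalike else "unexpected_sender")
    if SENSITIVE.search(body):                                 # sign 4
        flags.append("asks_for_secret")
    if URGENT.search(msg.get("Subject", "") + " " + body):     # sign 5
        flags.append("urgency")
    for href, text in LINK.findall(body):                      # sign 6
        target = urlparse(href).hostname
        if not belongs_to(target, trusted) and "link_off_domain" not in flags:
            flags.append("link_off_domain")
        shown = urlparse(text.strip()).hostname  # None unless the text is a URL
        if shown and shown != target and "link_text_mismatch" not in flags:
            flags.append("link_text_mismatch")
    return flags


if __name__ == "__main__":
    print(phishing_flags(SAMPLE, "yourbank.com"))
```

The link check compares whole hostnames, which is why a host that merely begins with `yourbank.com` is still treated as off-domain.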

On protecting yourself online…

“As I’ve mentioned, a common goal of these scams is to steal your username and password. Don’t forget to use different passwords for different services and use strong passwords too. It doesn’t have to be the letters, numbers and special characters thing that a lot of sites promote – you could use pass-phrases like six random words, tied together with hyphens. But make sure the words aren’t related to you and are as random as possible. Personally, my preference is to use a Password Manager which generates strong passwords and stores them securely. I’d also recommend services with two-factor authentication, that’s when you log in and have a second code sent to you. So, even if your username and password is stolen they still need another piece of information.

Two-factor authentication
Google’s two-factor authentication helps to secure your login

“There’s been a lot of advice about phishing and social engineering detection. Some of it is really questionable. For example, ‘don’t click on things’ – that’s like saying you should never leave your house if you don’t want to get mugged!

“My advice is to treat any approach like somebody coming to your door to sell you something. If you don’t have the time to check their credentials, don’t play into their time frame. If you’ve got 50 emails and one pings a red flag to you, put it into a folder, crawl through the other emails, and come back to this one when you’ve got time to look at it properly. Don’t reply to it, don’t click on the link, don’t open the attachment. If the email claims to come from an external organisation, such as your bank or University, call the bank directly via information on their official website rather than links or numbers in the message. If it’s from a friend or someone internal to your organisation, drop them a quick call to check.

“At the end of the day, it’s important for individuals and organisations to understand that even with extensive training and a detailed understanding of these scams people still fall for them, because they leverage vulnerabilities present in all of us and happen whilst we’re distracted by other things.”

On collective responsibility…

“People will still make mistakes, such as choosing weak passwords, so organisations need to support them with technology and policy where possible, such as taking measures to prevent weak passwords being used or limiting the speed at which attackers can try to guess a password. An awful lot of the systems and countermeasures out there still fail to support the user adequately, meaning these relatively simple attacks remain a big problem.

“So for my PhD, I wanted to find out what’s really going on. I wanted to give something back to help people devise better training, build better defences and create software to lessen the burden on users and to ultimately make people’s jobs easier in the fight against cybercrime.”

More information

CPNI: Don’t take the bait – https://www.cpni.gov.uk/dont-take-bait

NCSC: Defending your organisation – https://www.ncsc.gov.uk/phishing

NCSC: Password guidance – https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach

The University of Bristol’s Cyber Security Group is part of the Academic Centre of Excellence in Cyber Security Research (ACE-CSR) at Bristol. The group’s research focuses on three over-arching but interlinked strands: security of cyber-physical infrastructures, software security and human behaviours.

* https://www.wombatsecurity.com/news/76-organizations-report-being-victims-phishing-attacks

Nine ways our engineers are building a greener world

It’s Green Britain Week this week. While debate rages between environmental campaigners and those wandering the corridors of power, engineers are ever pragmatic and practical. Our researchers are working on a range of technological advances that will reduce the carbon in our atmosphere.

Here are nine of our projects:

  1. Wind power: Harnessing wind power will be a key component of a greener energy mix. In partnership with Offshore Renewable Energy, the Wind Blade Research Hub is pushing the boundaries of current technology to produce a 13MW turbine. They are working on blades that will be 100m long, requiring new designs, materials and manufacturing processes. The world-leading expertise of the Bristol Composites Institute (ACCIS) is crucial in delivering this and other sustainable structures.
  2. Offshore wind and tidal lagoons: In another initiative to tap into the UK’s potential for offshore wind and tidal energy, a proposed tidal lagoon in Swansea Bay could provide electricity for more than 155,000 homes. It will take a solution that is affordable and scaleable to turn this idea into a reality. Researchers from Bristol and Plymouth Universities are part of a project to design and develop a prototype.
  3. Solar Cells: Solar energy is getting ever-more affordable. A £2 million grant from the EPSRC has funded work to develop new low-cost photo-voltaic materials. Researchers from the Bristol Electrochemistry Group’s PV Team are looking to replace elements such as gallium, indium, cadmium and tellurium which are rare, expensive to extract and toxic.
  4. Electric Vehicles: The move away from petrol/diesel and towards low carbon hybrid/fully electric vehicles depends on the availability of compact, highly efficient engines. The Electrical Energy Management Group are innovating and testing solutions. Their industrial collaboration on high performance electro-mechanical drives is important for the traction, steering and road handling of the cars of the future.
  5. Energy Storage: If the sun is shining and the wind is blowing, how can we store all that free energy? This question is being addressed by researchers from the Universities of Bristol and Surrey as part of self-funded company Superdielectrics Ltd. They have discovered new hydrophilic materials, like those used in contact lenses, that could rival the storage capacity of traditional batteries and charge much faster. Rolls-Royce recently signed a collaboration agreement with Superdielectrics, highlighting the keenness of industry to find new solutions.
  6. Microgrids: Ditching fossil fuels and halting deforestation can’t happen unless there’s a sustainable energy alternative. It’s estimated that 1.2bn people across the world don’t have access to electricity. By working with NGOs, local authorities and residents in rural areas, researchers from the Electrical Energy Management Group are designing a micro-grid system, intended for remote communities. It could generate enough power for 250 homes, using wind, solar and micro-hydro energy. A scaleable modular design means extra units can be added as and when.
  7. Water management: Climate change is having an impact on our water cycle with flood patterns already changing. The way we manage water resources will be increasingly key to mitigate natural disasters and provide clean drinking water to a growing population. The Water and Environmental Engineering group brings together engineers and scientists, taking a multi-disciplinary approach to the complex issues raised through modelling, measuring and prediction.
  8. Nuclear: Although controversial, nuclear energy will be part of the low carbon energy picture for the foreseeable future. The South West Nuclear Hub brings together academics from numerous disciplines. Their research ensures that nuclear systems are safe, reliable and efficient. Also focusing on safety, the department of Civil Engineering has been exploring the seismic integrity of nuclear reactors using the University’s impressive earthquake shaking table. The Plex project was one of the most complex shaking table experiments ever attempted anywhere in the world.
  9. Efficient Aircraft: Aviation is a major contributor to global CO2 emissions, burning more fossil fuels per passenger than any other form of transport. The Advanced Simulation and Modelling of Virtual Systems (ASiMoV) partnership aims to produce a jet engine simulation so accurate that designs can be signed off by the civil aviation authorities pre-production. It is hoped that by modelling the physical effects of thermo-mechanics, electromagnetics and computational fluid dynamics, more cost-effective and energy-efficient engines will get off the ground.