dcypher.nl


dcypher unites researchers, teachers, producers, users and policymakers in the Netherlands to improve knowledge and expertise in cybersecurity

Impression of the dcypher Symposium 2017

Latest

In the last 20 years, the Dutch information security community grew from a handful of brilliant mathematicians to a large community of cybersecurity researchers with representatives from many of the technical and the social sciences. The Netherlands Organisation for Scientific Research (NWO) and the European Commission have provided over a hundred million Euros of funding in long term Dutch Cyber Security Research. This has led to dozens of new businesses, hundreds of highly skilled employees in all major corporations, government departments and universities, and thousands of scientific publications and patents.

Dutch Cyber Security best Research Paper (DCSRP) Award

Announcing the winner of the Dutch Cybersecurity best Research Paper award at ICT.OPEN is becoming a tradition. This contest will be organized for the fourth time! ICT security research groups at Dutch universities and knowledge centres are invited to nominate their best recent (2017/2018 accepted) research papers, with a maximum of two papers per group. Again a jury of international scientists in the fields of cybersecurity will be formed and asked to judge submitted papers. Dutch ICT cybersecurity research group leaders are asked to send in a maximum of two papers per research group before January 19th, 2018 to dcypher.

Out of all nominated papers the jury selects both the top three as well as the winning paper. In the first week of March dcypher will inform all three selected nominees. They are expected to present their paper March 20th at ICT.OPEN in the Cybersecurity Track. All presenters receive a signed certificate. The winner receives the Dutch Cyber Security best Research Paper Award.

More information about the DCSRP Award contest in previous ICT.OPEN editions

ICT.OPEN is the principal ICT research conference in the Netherlands. It features two distinguished plenary key notes and invited speakers, as well as many oral and poster presentations. The state of art in ICT research is presented and discussed here. More information: www.ictopen.nl

Study by SDSC’s CAIDA group finds millions of network addresses subjected to denial-of-service attacks over two-year period.

For the first time, researchers have carried out a large-scale analysis of victims of internet denial-of-service (DoS) attacks worldwide. And what they found is, in a phrase from their study, “an eye-opening statistic”.

Spanning two years, from March 2015 to February 2017, the researchers found that about one-third of the IPv4 address space was subject to some kind of DoS attacks, where a perpetrator maliciously disrupts services of a host connected to the internet. IPv4 is the fourth version of an Internet Protocol (IP) address, a numerical label assigned to each device participating in a computer network.

“We’re talking about millions of attacks,” said Alberto Dainotti, a research scientist at CAIDA (Center for Applied Internet Data Analysis), based at the San Diego Supercomputer Center (SDSC) at the University of California San Diego and the report’s principal investigator. “The results of this study are gigantic compared to what the big companies have been reporting to the public.”

Added the study’s first author, Mattijs Jonker, a researcher with the University of Twente in The Netherlands and former CAIDA intern: “These results caught us by surprise in the sense that it wasn’t something we expected to find. This is something we just didn’t see coming.”

The study – presented November 1, 2017 at the Internet Measurement Conference in London and published in the Proceedings of the Association for Computing Machinery (IMC ’17) – sheds light on most of the DoS attacks on the internet, its victims, and even the adoption of commercial services to combat these attacks.

Two predominant types of DoS attacks, intended to overwhelm a service by a sheer mass of requests, are highlighted:

“Direct” attacks, which involve traffic sent directly to the target from some infrastructure controlled by the attackers (e.g. their own machines, a set of servers, or even a botnet under their command.) These attacks often involve “random spoofing”, characterized by faking the source IP address in the attack traffic.

“Reflection” attacks, during which third-party servers are involuntarily used to reflect attack traffic toward its victim. Many protocols that allow for reflection also add amplification, causing the amount of reflected traffic sent toward the victim to be many times greater than that sent toward the reflector initially.

To detect attacks, the researchers – a collaborative effort from UC San Diego, University of Twente, and Saarland University in Germany – employed two raw data sources that complement each other: the UCSD Network Telescope, which captures evidence of DoS attacks that involve randomly and uniformly spoofed addresses; and the AmpPot DDoS (distributed denial-of-service) honeypots, which witness reflection and amplification of DoS attacks.

Their data revealed more than 20 million DoS attacks that targeted about 2.2 million “slash 24 or /24” internet addresses (part of a routing number that denotes bit-length of the prefix), which is about one-third of the 6.5 million /24 blocks estimated to be alive on the internet. A /24 is a block of 256 IP addresses, usually assigned to a single organization. If a single IP address in a /24 block is targeted by a sheer mass of requests or volumetric attack, it’s likely that the network infrastructure of the entire /24 block is affected.

“Put another way, during this recent two-year period under study, the internet was targeted by nearly 30,000 attacks per day,” said Dainotti. “These absolute numbers are staggering, a thousand times bigger than other reports have shown.”

That said, one of the researchers added she’s worried these statistics are likely “an under-estimation of reality.”

“Although our study employs state-of-the-art monitoring techniques, we already know we do not see some types of DoS attacks,” said Anna Sperotto, an assistant professor in the Design and Analysis of Communication Systems (DACS) department at the University of Twente. “In the future, we will need an even more thorough characterization of the DoS ecosystem to address this point.”

As might be expected, more than a quarter of the targeted addresses in the study came in the United States, the nation with the most internet addresses in the world. Japan, with the third most internet addresses, ranks anywhere from 14th to 25th for the number of DoS attacks, indicating a relatively safe nation for DoS attacks, while Russia is a prime example of a country that ranks higher than estimates for internet space usage, suggesting a relatively dangerous country for these attacks.

Several third-party organizations that offer website hosting were also identified as major targets; the three most frequently attacked “larger parties” over the two-year period were: GoDaddy, Google Cloud, and Wix. Others included Squarespace, Gandi, and OVH.

“Most of the times, it’s the customer who is being attacked,” explained Dainotti. “So if you have a larger number of customers, you’re likely to have more attacks. If you’re hosting millions of websites, of course, you’re going to see more attacks.”

Aside from quantifying the number of DoS attacks on the internet, the researchers also wanted to see if the attacks spurred website owners to purchase DoS protection services. Their study noted that people were more inclined to outsource protection to third parties following a strong attack. Depending on the intensity of the attack, the migration to a third-party service might take place even within 24 hours of an attack.

“One of the things we show is if a website is attacked, this creates an urgency for people to start outsourcing to protection services,” said Jonker.

Although the study does not address the causes for the well-recognized rise in DoS attacks in recent years, in an interview the researchers noted several strong possibilities including: cyber-extortion, cyber-crime, cyber-warfare, political protest aimed at governments, censorship from authoritative regimes, attacks relating to on-line gaming (e.g. to gain a competitive advantage), school kids who may attack to avoid taking an exam, and disgruntled former employees.

“Even non-technical people can launch significant attacks through DDoS-as-a-Service providers (i.e. Booters),” said Jonker. “People can pay others with a subscription in exchange for just a few dollars.”

As for future studies, the researchers said they wanted to assess the impact of the attacks, to see if they managed to take down the targeted network; they’re also studying political attacks similar to those witnessed in Egypt and Libya that were subject to a 2012 study led by CAIDA researchers.

Under a grant for the U.S. Department of Homeland Security (DHS), the CAIDA team also plans to continuously monitor the DoS ecosystem to provide data for analysis to agencies and other researchers in a timely fashion.

Also participating in the study were: Alistair King, a CAIDA researcher; and Johannes Krupp and Christian Rossow, both from CISPA, Saarland University.

Support for the study came from the DHS; the Air Force Research Directory; the Netherlands Organization for Scientific Research; and OpenINTEL, a joint project of the University of Twente, SURFnet, and SIDN.

http://ucsdnews.ucsd.edu/pressrelease/a_third_of_the_internet_is_under_attack

Whereas neighbouring countries such as Germany invest many tens of millions annually in cybersecurity research, the Netherlands does virtually nothing. Meanwhile, foreign research centres are pulling hard at the most talented researchers in the Netherlands. Something must be done to prevent a brain drain to the surrounding countries. There is a coalition agreement with all kinds of ambitions in the area of security, and in particular in the field of cybersecurity. Bottom line: our digital security must be increased! The opposite, however, threatens to happen. On behalf of the cybersecurity research community in the Netherlands, Herbert Bos, Michel van Eeten and Bart Jacobs are sending a clear signal. They wrote an emergency plan for rescuing cybersecurity research and innovation in the Netherlands.

Unfortunately, the coalition agreement is specific about cyber capacity building at, in particular, the police, defence and the national cyber security centre, but it is silent about the much-needed capacity increase at Dutch knowledge institutions! Our universities are the suppliers of the experts that the police, defence and industry are crying out for. The knowledge generated by the research (into privacy protection, cyber weapons, post-quantum cryptography, and advanced cyber attacks) is of strategic importance to the Netherlands, now and in the future. It is dangerous to have no expertise of our own in these areas and to be at the mercy of what other countries are willing to share with us. An example. The system developed by an American university to hack computers automatically, winner of the DARPA Grand Challenge, was immediately bought up by the Pentagon and will certainly not be shared with the Netherlands. Without cybersecurity expertise of our own we become ever more vulnerable.

Three instruments are proposed that together require a public and partly private investment of 10 million Euro per year, and that must ensure that the Netherlands has and keeps a position of its own at the highest level of knowledge as well:

1. A competition for PhD tracks and postdocs for the benefit of researchers in temporary employment;
2. Targeted support for permanent staff, including assistant professors, to build strong research groups;
3. The formation of a ‘pool’ of cybersecurity experts, to let academic and operational knowledge circulate between knowledge institutions, government and industry.

Download:
Document: Behoud en Versterking Nederlandse Cybersecurity Capaciteit (Preservation and Strengthening of Dutch Cybersecurity Capacity) (v1.5 pdf)
Appendix: Overview of university groups in cybersecurity (v21112017 pdf)

The need for Dutch self-reliance, based on the national need for high-quality expertise of our own, through knowledge development and circulation.

Herbert Bos VU, Michel van Eeten TUD, Bart Jacobs RU

News

Following the advisory report WTI-Diplomatie, council member Martin Schuurmans and council staff members Hamilcar Knops and Ruud Verschuur have written an article for the Clingendael Spectator.

Talent, knowledge and innovation are becoming ever more important for the competitive position of the Netherlands. To seize our opportunities internationally and to put the Netherlands on the map as a ‘knowledge country’, strong support from diplomacy is needed. While competing countries such as Germany, the United Kingdom or Switzerland invest heavily in their diplomacy for science, technology and innovation, the Netherlands lags behind. That must change. In the article the AWTI authors show how the Netherlands can link knowledge, innovation and trade effectively in the diplomacy of the future. In that way the Netherlands can remain competitive in the long term as well.

https://www.awti.nl/actueel/nieuws/2017/11/20/artikel-nieuwe-diplomatie-voor-wetenschap-technologie-en-innovatie

CFP: Fourth International Workshop on Privacy Engineering (IWPE'18) - co-located with the 3rd IEEE European Symposium on Security and Privacy - 27 April 2018 - LONDON!!!

IMPORTANT DATES
Deadline of abstract submission:   12 January, 2018
Deadline of paper submission:      19 January, 2018
Notification of acceptance:        5 February, 2018
Accepted Paper camera ready:       23 February, 2018

We are pleased to invite you to participate in the premier annual event of the International Workshop on Privacy Engineering (IWPE'18).

http://iwpe.info/
https://www.ieee-security.org/TC/EuroSP2018/

This year’s program seeks to highlight challenges to privacy posed by widespread adoption of machine learning and artificial intelligence technologies. One motivation for this focus stems from goals and provisions of the European General Data Protection Regulation (GDPR), including requirements for privacy and data protection by design, providing notices and information about the logic of automated decision-making, and emphasis on privacy management and accountability structures in organizations that process personal data. Interpreting and operationalizing these requirements for systems that employ machine learning and artificial intelligence technologies is a daunting task.

As engineering is asked to play a larger role in privacy governance, software developers need tools for understanding, systematizing, and embedding privacy into systems and workflows. This work also requires greater engagement with design, legal, and public policy departments.

Methods and tools for bridging privacy work across these communities are essential to success. Furthermore, research that focuses on techniques and tools that can aid the translation of legal and normative concepts into systems requirements is of great value.

Organizations also need tools for systematically evaluating whether systems fulfill users’ privacy needs and requirements and for providing necessary technical assurances. Methods that can support organizations and engineers in developing (socio-)technical systems that address these requirements are of increasing value to respond to the existing societal challenges associated with privacy.

In this context, privacy engineering research is emerging as an important topic. Engineers are increasingly expected to build and maintain privacy-preserving and data-protection compliant systems in different ICT domains such as health, energy, transportation, social computing, law enforcement, public services; based on different infrastructures such as cloud, grid, or mobile computing. While there is a consensus on the benefits of an engineering approach to privacy, concrete proposals for models, methods, techniques and tools that support engineers and organizations in this endeavor are few and in need of immediate attention. Also of great relevance are the development and evaluation of approaches that go beyond the one size fits all mantra, and that attend to the ever evolving practice of software engineering in agile service environments across different domains.

To cover this gap, the topics of the International Workshop on Privacy Engineering (IWPE'18) focus on all the aspects surrounding privacy engineering, ranging from its theoretical foundations, engineering approaches, and support infrastructures, to its practical application in projects of different scale across the software ecosystem.

Specifically, we are seeking the following kinds of papers: (1) technical papers that illustrate the engineering or application of a novel formalism, method or other research finding (e.g., engineering a privacy enhancing protocol) with preliminary evaluation; (2) experience and practice papers that describe a case study, challenge or lessons learned in a specific domain; (3) early evaluations of tools and other infrastructure that support engineering tasks in privacy requirements, design, implementation, testing, etc.; (4) interdisciplinary studies or critical reviews of existing privacy engineering concepts, methods, tools and frameworks; or (5) vision papers that take a clear position informed by evidence based on a thorough literature review.

IWPE’18 welcomes papers that focus on novel solutions on the recent developments in the general area of privacy engineering. Topics of interests include, but are not limited to:

-Integrating law and policy compliance into the development process
-Privacy or data protection impact assessments in the engineering context
-Privacy engineering and data driven software development
-Privacy engineering and machine learning
-Privacy engineering and artificial intelligence
-Privacy engineering and data subject access rights
-Privacy risk management models
-Privacy breach recovery methods
-Privacy engineering and data portability
-Technical standards, heuristics and best practices for privacy engineering
-Privacy engineering in technical standards
-Privacy requirements elicitation and analysis methods
-User privacy and data protection requirements
-Management of privacy requirements with other system requirements
-Privacy requirements elicitation and analysis techniques
-Privacy design patterns
-Privacy-preserving architectures
-Privacy engineering and databases, services, and the cloud
-Privacy engineering in networks
-Engineering techniques for fairness, transparency, and privacy in databases
-Privacy engineering in the context of interaction design and usability
-Privacy testing and evaluation methods
-Validation and verification of privacy requirements
-Privacy Engineering and design
-Engineering Privacy Enhancing Technologies (PETs)
-Integration of PETs into systems or the development ecosystem
-Models and approaches for the verification of privacy properties
-Tools and formal languages supporting privacy engineering
-Usable privacy for developers
-Teaching and training privacy engineering
-Adaptations of privacy engineering into specific software development processes
-Pilots and real-world applications
-Evaluation of privacy engineering methods, technologies and tools
-Privacy engineering and accountability
-Privacy engineering and business processes
-Privacy engineering and manageability of data in (large) enterprises
-Organizational, legal, political and economic aspects of privacy engineering

This topic list is not meant to be exhaustive, since IWPE'18 is interested in all aspects of privacy engineering. However, to screen out off-topic papers early in the review process, we request authors to submit an abstract prior to their paper submission. Abstracts of papers without a clear application to privacy engineering will be considered outside the scope of this workshop and may be rejected.

PAPER FORMAT & SUBMISSION

We solicit unpublished short position papers (up to 4 pages) and long papers reporting technical, research or industry experience (up to 8 pages) on all dimensions of the privacy engineering domain. Each paper, written in English, must follow IEEE Proceedings format.

Authors must submit an extended abstract prior to the paper submission. This abstract is aimed at 1) helping organizers understand whether the paper is on-topic early in the review process; and, 2) allowing reviewers to choose their preferred manuscripts in advance of the paper submission.

Submission of a paper should be regarded as an undertaking that, should the paper be accepted, at least one of the authors will attend the workshop to present the paper. All papers must be submitted via EasyChair at https://www.easychair.org/conferences/?conf=iwpe18

If you have any questions regarding IWPE'18, please contact iwpe18@easychair.org

IWPE’18 Organizing Committee
Jose M. del Alamo
Anupam Datta
Aleksandra Korolova
Deirdre K. Mulligan
Seda Gürses
Jose M. Such
Arunesh Sinha

The Vereniging van Universiteiten, Vereniging Hogescholen and SURF have presented an Acceleration Agenda for educational innovation 2017. In it they name concrete priorities for goals such as improving the connection to the labour market, making education more flexible, and learning smarter and better with technology.

News item VSNU

Higher education must seriously consider the way we educate people, from young to old, and how we train teachers in the skills and knowledge we need for the fourth industrial revolution. Think of robotics, virtual reality, cloud technology, big data and so on. Higher education currently does not prepare students and workers sufficiently for this, according to an article by University World News.

Article University World News

The World Economic Forum (WEF) has compiled a collection of 20 stories. They are about creative ways in which cities around the world use big data to improve services, quality of life, the economy, governance, infrastructure and the environment. An article by Futurism warns: the massive use of big data can come at the expense of citizens' privacy. Two articles by GovTech set out how city governments can tackle this problem, for example with good regulation of data protection. A third article by GovTech warns: exploiting big data should not be a goal in itself, but a means to achieve a goal.

News item The Next Silicon Valley
Report WEF (pdf)
Article Futurism
Article GovTech – 1
Article GovTech – 2
Article GovTech – 3