Category: Cybersecurity

Applications for enrolling in M.Sc. studies with cybersecurity specialisation: deadline 15. April

Helmut Neukirchen, 10. April 2024

Currently, we are running some advertisements on social media and on Icelandic news web pages in order to raise awareness of our two M.Sc. study programmes that offer a specialisation in cybersecurity: the M.Sc. in Computer Science/Tölvunarfræði and the M.Sc. in Software Engineering/Hugbúnaðarverkfræði.

The application deadline for the M.Sc. programmes is 15. April. If you missed that deadline: you can still apply for a related B.Sc. programme until 5. June and, if you have the right qualifications (i.e. a B.Sc. degree in Computer Science or Software Engineering), switch from there to the M.Sc. programme.

US Government's Cyber Safety Review Board publishes devastating report on Microsoft's Cloud security

Helmut Neukirchen, 4. April 2024

When the University of Iceland switched in 2018 to the Microsoft cloud for email and other services, I warned about this, and I was also concerned about the Icelandic government's cybersecurity.

At that time, our university administration argued to me that Microsoft could protect our cybersecurity better than we could on our own. However, threat actors managed in May and June 2023 to access Microsoft Exchange Online mailboxes: while they mainly attacked US and UK government email accounts (and others too, but who exactly has not been disclosed), the same could in theory have applied to our emails at the University of Iceland (access to a mailbox enables requesting and intercepting password-reset emails in order to gain access to any other non-Microsoft service that offers email-based password reset) and of course to the Icelandic government, which also relies on Microsoft's cloud-based services.

While at that time my concerns were mainly framed by what whistleblower Edward Snowden taught us, i.e. that we get eavesdropped on by our friends, six years later the landscape has added more awareness of Russian aggression and of Chinese and North Korean threat actors, including the possibility of cutting the Internet sea cables that connect Iceland to cloud services, which are all located outside of Iceland. (E.g. according to a traceroute, the Microsoft cloud servers that the University of Iceland uses are located in the UK, meaning that if a state actor cuts the sea cables connecting Iceland, probably the whole IT of the University of Iceland is cut off because all user authentication runs via Microsoft in the UK.)

Now, the Cyber Safety Review Board of the US Department of Homeland Security has published a devastating report on Microsoft's cloud security. As US Government publications are in the public domain, I provide below some extensive direct quotes (highlighting added by me) from that report:

Throughout this review, the Board identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management.

To drive the rapid cultural change that is needed within Microsoft, the Board believes that Microsoft’s customers would benefit from its CEO and Board of Directors directly focusing on the company’s security culture and developing and sharing publicly a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products.

Microsoft leadership should consider directing internal Microsoft teams to deprioritize feature developments across the company’s cloud infrastructure and product suite until substantial security improvements have been made in order to preclude competition for resources.

The Board finds that this intrusion was preventable and should never have occurred. The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul.

The Board reaches this conclusion based on:
1. the cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed;
2. Microsoft’s failure to detect the compromise of its cryptographic crown jewels on its own, relying instead on a customer to reach out to identify anomalies the customer had observed;
3. the Board’s assessment of security practices at other cloud service providers, which maintained security controls that Microsoft did not;
4. Microsoft’s failure to detect a compromise of an employee's laptop from a recently acquired company prior to allowing it to connect to Microsoft’s corporate network in 2021;
5. Microsoft’s decision not to correct, in a timely manner, its inaccurate public statements about this incident, including a corporate statement that Microsoft believed it had determined the likely root cause of the intrusion when in fact, it still has not; even though Microsoft acknowledged to the Board in November 2023 that its September 6, 2023 blog post about the root cause was inaccurate, it did not update that post until March 12, 2024, as the Board was concluding its review and only after the Board’s repeated questioning about Microsoft’s plans to issue a correction;
6. the Board's observation of a separate incident, disclosed by Microsoft in January 2024, the investigation of which was not in the purview of the Board’s review, which revealed a compromise that allowed a different nation-state actor to access highly-sensitive Microsoft corporate email accounts, source code repositories, and internal systems; and
7. how Microsoft’s ubiquitous and critical products, which underpin essential services that support national security, the foundations of our economy, and public health and safety, require the company to demonstrate the highest standards of security, accountability, and transparency.

Note that this report refers to the 2023 incident; only bullet point 6 above refers to the most recent incident from 2024, in which Microsoft had to admit that other threat actors have had access to its systems and that Microsoft has been unable to prevent further access to its systems by these actors. Or, in the words of Adam Meyers, a senior vice president at the cybersecurity firm CrowdStrike:

the hackers are deep inside Microsoft, and Microsoft hasn't been able to get them out in two months

We may get a further report from the Cyber Safety Review Board on this new incident.

This new incident means that these actors have had access to the source code of all Microsoft products, allowing them to identify zero-day vulnerabilities, i.e. vulnerabilities that are not yet known to Microsoft, which attackers can exploit at any time and for which Microsoft will not have a fix available in time.

Note that Microsoft owns GitHub, where the vast majority of the open-source software that drives today's Internet and computer systems is hosted; this makes software supply chain attacks by these actors more likely, as it gives them the means to compromise software supply chains via GitHub itself.

Compare Microsoft's attitude of covering up its security mistakes with Google, which created a documentary on its security incidents (HACKING GOOGLE) and rather used them as an opportunity for advertisement. (Talking about advertisement: it is a completely new experience to watch that documentary on YouTube: no ads; well, the whole documentary is the ad.)

Official Eyvör NCC-IS kickoff

Helmut Neukirchen, 4. April 2024

While Eyvör, the National Cybersecurity Coordination Centre of Iceland (NCC-IS), in fact started earlier, today we had the official public kick-off meeting. An excerpt of the agenda is below:

There, we presented the cybersecurity research and education that is done jointly at the University of Iceland and Reykjavik University. I gave the presentation on our cybersecurity M.Sc. programmes.

ICANN and the Internet -- lunch event with ICANN representatives hosted by the Computer Science department of the University of Iceland.

Helmut Neukirchen, 13. March 2024

ICANN approached the Computer Science department at the University of Iceland to facilitate a meeting with students.

Among other things, ICANN coordinates the global allocation of IP addresses and takes care that we have top-level domains (TLDs) in the Internet such as .is: while this is on the one hand very technical (e.g. DNSSEC, the Domain Name System Security Extensions), it can at the same time be a political challenge (e.g. after the 2022 Russian invasion of Ukraine, the Ukrainian government asked ICANN to sanction Russia by revoking the .ru TLD).

Join us for an engaging lunch event on Wednesday, the 13th of March, from 12:30 PM to 3:00 PM, where we will combine the pleasure of delicious pizza with the opportunity to learn from enlightening presentations by representatives from ICANN.

Date: Wednesday, 13th March 2024

Time: 12:30-15:00

Location: Fenjamýri, Gróska (Room "Fenjamýri" is on the first floor of Gróska, more or less where you would end up if you drilled down two floors from the Computer Science department).

ICANN, the pivotal organization responsible for ensuring a stable and secure internet infrastructure, will be shedding light on their critical work. This presentation will not only cover the foundational aspects of how ICANN operates but also delve into the pressing policy questions currently shaping the future of internet architecture.

Agenda:
Introduction to ICANN (Chris Mondini - Vice President, Stakeholder Engagement, Europe and Managing Director for Europe)

An Overview of Current Geopolitical Challenges (Nora Mari, Government and International Governmental Organisations (IGO) Engagement Manager)

Brief Introduction to DNSSEC (Gabriella Schittek, Stakeholder Engagement Director, Nordic & Central Europe)

This is a unique chance to gain insights into the behind-the-scenes efforts that make our daily internet use possible and to understand the policy challenges that could impact the internet's framework.

Join us for an afternoon of learning, networking, and, of course, pizza. See you there!

If you are a student at the University of Iceland, we kindly request that you register for the event via https://ugla.hi.is/vidburdir/SkodaVidburd.php?sid=1448&vidburdur_id=9192, as seating is limited and for pizza-estimation purposes.

This event is in the context of Eyvör - the Cybersecurity National Coordination Centre Iceland (NCC-IS).

Computer Science department at UT messan 2024 IT fair

Helmut Neukirchen, 13. March 2024

The Computer Science department was heavily present at UT messan 2024, the biggest IT fair in Iceland. We had booths showcasing computer games written by our students, research on using big touch screens, and cybersecurity demos. We also moderated a session, and our rector gave a talk on research that heavily involved our AI activities. Watch out for photos.

Cybersecurity specialisation now available in our Software Engineering Master's programme / Kjörsvið Netöryggi í mastersnám í hugbúnaðarverkfræði

Helmut Neukirchen, 1. March 2024

Starting from autumn 2024, we are offering the Cybersecurity specialisation also in our Software Engineering Master's programme (so far, it was only available in Computer Science).

For details, see the course catalogue entry for the Software Engineering Master's programme / mastersnám í hugbúnaðarverkfræði (note that the set of mandatory courses is not 100% correct and still subject to change). For applying, have a look at the Icelandic web page mastersnám í hugbúnaðarverkfræði (netöryggi) or the English web page Software Engineering MSc programme (Cybersecurity). Application deadline is 15. April for students from Iceland.

If you would rather do the Cybersecurity specialisation in our Computer Science MSc programme (which has less focus on Software Engineering and more on Computer Networks):

For details, see the course catalogue entry for the Computer Science Master's programme / mastersnám í tölvunarfræði. For applying, have a look at the Icelandic web page mastersnám í tölvunarfræði (netöryggi) or the English web page Computer Science MSc programme (Cybersecurity). Application deadline is 15. April for students from Iceland.

I also have a web page on the collaboration for the joint cybersecurity M.Sc. programme of Reykjavik University (RU) and the University of Iceland (UoI).

Cybersecurity tabletop exercise Arctic Cranes

Helmut Neukirchen, 22. February 2024

On 29.11.2023, we had a cybersecurity tabletop exercise entitled Arctic Cranes that was arranged by Fulbright visiting scholar Larry Leibrock, with an introduction by Sigurður Emil Pálsson from the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). In this exercise, the response to a cyber-attack on harbour infrastructure, in particular the cranes used to load and unload vessels, was trained. In the worst case, this would mean that Iceland would run out of food or medicines (a limited supply might be provided via air freight, though, at least as long as there is no cyber-attack on air traffic at the same time).
In addition to the above parties who facilitated this event, it took place in the context of Eyvör/NCC-IS, the National Cybersecurity Coordination Centre of Iceland (co-funded by the European Union), and the joint cybersecurity Master's programme funded by the Ministry of Higher Education, Science and Innovation.

Eyvör NCC-IS and ICEDEF cybersecurity talks join the Icelandic HPC Community Workshop

Helmut Neukirchen, 13. December 2023

The cybersecurity projects Eyvör NCC-IS and ICEDEF partnered with the Icelandic HPC Community Workshop event series.

At the 13th Icelandic HPC Community Workshop we have a couple of cybersecurity talks:

  • Geir Olav Dyrkolbotn (NTNU): Strengthening the Defence of Norway through knowledge
  • Skeggi Thormar (Upwind): eBPF and Cyber Security
  • Tom Welsh (University of Iceland): Adaptive Inspection of Industry 4.0 Supply Chains for Fraud Detection

December 13, 2023 5:00 PM, Gróska, Bjargargötu 1, 102 Reykjavik – Entrance A, 1st Floor, Room Fenjamýri

See the agenda for more details.

Postdoctoral Researcher in Secure Software Engineering and Vulnerability Reporting Programmes (2 years initially) at University of Iceland

Helmut Neukirchen, 2. December 2023

Update: The position is not vacant anymore.

Field of Work:

The department of Computer Science in the School of Engineering and Natural Sciences at the University of Iceland seeks applicants for a post-doctoral researcher in the area of Secure Software Engineering and Vulnerability Reporting Programmes to work as part of the Digital Europe Programme project Defend Iceland ICEDEF.

The position is initially funded for 2 years with possibility of extension.

The ICEDEF project involves the creation of a national vulnerability reporting web portal and associated services for paying bounties to ethical hackers who discover vulnerabilities. Once vulnerabilities are reported, there are challenges in effectively integrating the fixes into the software development life cycle (and verifying their effectiveness). Technical challenges include poor observability of the software supply chain and an inability to affect it due to change, intellectual property, proprietary development pipelines, third-party libraries and infrastructure, etc. Social challenges are related to the impact of identified vulnerabilities on business continuity and to clearly translating the results and impact to industry partners and stakeholders.

The responsibilities of the role are envisioned to include:

Developing and implementing a research project in vulnerability reporting programs.
Education of secure development practices and software vulnerabilities to stakeholders.
Assisting in the organisation of security events such as hackathons and workshops.
Contributing to the maintenance of cybersecurity research infrastructure.
Supervising research assistants.

Qualification requirements:

PhD in Computer Science, Software Engineering or related to Cybersecurity more broadly.
Proficiency in English.
Strong communication skills and the ability to work both individually and in groups.

Beneficial:

A strong publication history in high-quality software engineering and/or security journals and conferences (e.g. IEEE and ACM).
Experience in developing, delivering, and innovating in cybersecurity and software engineering education.
Experience in server administration including virtualisation and cloud tools.

Application:

Interested parties should, in the first instance, send a CV and covering letter explaining their motivation for applying and their research interests in software engineering and/or cybersecurity via e-mail to Dr. Tom Welsh (tomwelsh@hi.is) and Dr. Helmut Neukirchen (helmut@hi.is).

For an informal discussion regarding research topics, responsibilities, or Iceland in general prior to this please feel free to contact Tom or Helmut as above.

Work Environment:

The University of Iceland is a flourishing community of knowledge in the heart of Reykjavik. A modern, diversified, and rapidly developing state university, it offers opportunities for study and research in over 400 programmes spanning most fields of science and scholarship.
https://english.hi.is/

The University of Iceland's School of Engineering and Natural Sciences employs about 390 people in teaching and research. The School offers an exciting working environment where about a quarter of all employees and graduate students are international. The School has about 2000 students, with about 800 students in the Faculty of Industrial Engineering, Mechanical Engineering and Computer Science.
https://english.hi.is/school_of_engineering_and_natural_sciences

The Department of Computer Science is located in the University Science Park's new "House of Ideas" together with a vibrant community of startup and tech companies of all sizes.

Iceland participates in many cooperative European programmes, such as Horizon Europe and the Digital Europe Programme. The country consistently ranks at or close to the top of the Human Development Index, Global Gender Gap Index, LGBT Equality Index and Global Peace Index. For more information on living and working in Reykjavik, see https://www.reykjaviksciencecity.is/ and https://english.hi.is/international_staff_services

Digital Europe-funded cybersecurity projects Eyvör NCC-IS and ICEDEF started

Helmut Neukirchen, 1. December 2023

While we had the Icelandic National Coordination Centre (NCC-IS) for Cybersecurity established already in 2022, it has now become even stronger by benefiting since October 2023 from two years of co-funding via the Digital Europe Programme. We even gave it an Icelandic name: Eyvör – National Cybersecurity Coordination Centre of Iceland. Eyvör NCC-IS will raise awareness of and foster education in cybersecurity in Iceland.

For more info, see also my research page on Eyvör NCC-IS.

Another project started in November 2023 with three years of co-funding via the Digital Europe Programme: ICEDEF – Defend Iceland. The ICEDEF project involves the creation of a national vulnerability reporting web portal and associated services for paying bounties to ethical hackers who discover vulnerabilities. (Our research shows that vulnerability reporting needs to be improved in Iceland.) The Icelandic Defend Iceland web page gives an idea of how that could look (do not get confused by the fact that some screenshots on that web page still use the old working title Hack Iceland).

Once vulnerabilities are reported, there are challenges in effectively integrating the fixes into the software development life cycle (and verifying their effectiveness); the University of Iceland will take care of this and educate stakeholders about secure development practices and software vulnerabilities, e.g. via security events such as hackathons and workshops.

For more info, see also my research page on ICEDEF.

Vacancy: we are hiring a postdoc for ICEDEF; please contact me or our new cybersecurity professor Tom Welsh.