Category: Cybersecurity

Afternoon on Internet Security

Helmut Neukirchen, 24. January 2025

ICANN is organising a series of presentations on Internet Security that is hosted at ISCNIC on Thursday, 6th of February 2025, 13:00-16:30:
Details and registration.

Thomas Welsh from the Computer Science department of University of Iceland will be giving a talk there on Threat analysis in cyber-physical systems via topology modelling.

Note: Registration is closed because the maximum number of attendees has been reached. Also note that because of the red weather alert, this event starts 1 hour later, i.e. at 14:00.


This talk is in the context of our cybersecurity activities and the ECCC/EU co-funded projects ICEDEF – Defend Iceland and Eyvör – the National Cybersecurity Coordination Centre of Iceland (NCC-IS).


Suggestion to the Icelandic state to use open-source software in order to save money

Helmut Neukirchen, 23. January 2025

The Icelandic government was asking for suggestions on how to save money. Together with some colleagues, I submitted a proposal to use open-source software instead of Microsoft services (submission number 3797 at Samráðsgátt).

The text, submitted in Icelandic, is as follows:

We welcome the initiative to ask the public for suggestions on savings in government operations. In this letter we point out the cost that comes with using Microsoft services instead of cheaper alternatives.

Since 2018, the Icelandic state has exclusively used Microsoft services (email, Teams, etc.), which has two drawbacks:

1. This service is expensive, and by locking itself into Microsoft services the Icelandic state becomes ever more dependent on Microsoft services, which over time has squeezed out other software vendors (increased homogeneity) and given Microsoft a kind of technical stranglehold: Microsoft can control the price that has to be paid for these services, and the Icelandic National Audit Office (Ríkisendurskoðun) has already pointed out, in the context of the Microsoft adoption, that "expectations of direct financial benefit were not met".
[ https://www.rikisend.is/reskjol/files/Skyrslur/2023-samningur-rikisins-vid-microsoft.pdf ]

In this context it may also be mentioned that Microsoft has already introduced price increases in Oceania and parts of Asia (Singapore, Malaysia, Taiwan and Thailand).
[ https://ia.acs.org.au/article/2025/aussies-push-back-against-microsoft-365-price-hikes.html (in English) ]

2. The digital sovereignty of the Icelandic state is threatened. The services that Microsoft offers are hosted outside Iceland and are therefore connected via submarine cables. Submarine cables can be severed (either accidentally or deliberately as part of hybrid warfare), and in that case the government and all public institutions that use Microsoft services would be unable to communicate by email or by other means that run through Microsoft services (e.g. video calls and chat threads on Teams) and would lose access to documents stored in the Microsoft cloud. Another point that is important to keep in mind regarding Iceland's digital sovereignty is that Microsoft is a US company, and it cannot be ruled out that US authorities compel Microsoft to give them access to sensitive communications and files of the Icelandic state. It is known that foreign intelligence services such as the US National Security Agency (NSA) and the British Government Communications Headquarters (GCHQ) scan international email communications. To ensure national security, the infrastructure - knowledge, technical skills and equipment - needs to be in place in this country so that digital services such as communication systems can be operated. The more that is outsourced, as is the case with the service agreement with Microsoft, the less knowledge and skill is built up domestically.

We therefore propose that the Icelandic state rather use open alternatives, in line with the policy on the use of open-source software.
[ https://www.forsaetisraduneyti.is/media/verkefnisstjorn-radstefna-rafraen-framtid/Frjals_og_opinn_hugbunadur_-_Stefna_stjornvalda.pdf ]
[ https://www.stjornarradid.is/media/innanrikisraduneyti-media/media/Skyrslur/adgerdaaaetlun_fyrir_innleidingu_frjals_og_opins_hugbunadar_lokaskil.pdf ]

An example of such an approach is the German government's initiative on digital sovereignty: ZenDis (Zentrum Digitale Souveränität):
[ https://interoperable-europe.ec.europa.eu/collection/open-source-observatory-osor/news/centre-digital-sovereignty (in English) ]
[ https://zendis.de/ (in German) ]

Zendis has developed OpenDesk, which is open-source software intended for governments and institutions that replaces the Microsoft services now used by the government.
[ https://opendesk.eu/en/ (in English) ]

Even though concerns may arise that such a self-hosted service is not as secure as the service offered by Microsoft, it must be pointed out that the US Cyber Safety Review Board has published a report on Microsoft's cloud security, which found that a group linked to the government of the People's Republic of China broke into the Microsoft cloud system and gained access to government email, so using Microsoft services could be even less secure than a service hosted in Iceland.
[ https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review_of_the_Summer_2023_MEO_Intrusion_Final_508c.pdf (in English) ]

Although open-source software can be used free of charge, the Icelandic state would certainly have to pay computer scientists and other IT-related staff for the administration and operation of the software. This leads to costs, but they can be expected to be lower* than what Microsoft charges (because Microsoft is a profit-oriented company). In addition, the cost would be in the form of salaries paid to people in Iceland, i.e. the money, including taxes, stays in Iceland. Another advantage is that knowledge and skills are built up to operate and develop complex computer systems in Iceland.

*This can be seen, for example, from the experience of running the University of Iceland Computing Services (Reiknistofnun Háskóla Íslands) at the time. Costs increased when Microsoft services were adopted.

Anna Helga Jónsdóttir, Professor of Statistics, University of Iceland
Ásta Guðrún Helgadóttir, Researcher in Cybersecurity, University of Iceland
Benjamin Hennig, Professor of Geography, University of Iceland
Bjarnheiður Kristinsdóttir, Assistant Professor of Mathematics and Mathematics Education, University of Iceland
Esa Hyytiä, Professor of Computer Science, University of Iceland
Freyja Hreinsdóttir, Professor of Mathematics and Mathematics Education, University of Iceland
Helmut Neukirchen, Professor of Computer Science and Software Engineering, University of Iceland
Kristján Jónasson, Professor of Mathematics, University of Iceland
Matthias Book, Professor of Computer Science and Software Engineering, University of Iceland
Orri Vésteinsson, Professor of Archaeology, University of Iceland
Sigrún Helga Lund, Professor of Statistics, University of Iceland
Sigurður Örn Stefánsson, Professor of Mathematics, University of Iceland
Thomas Welsh, Assistant Professor of Computer Science and Software Engineering, University of Iceland
Valentina Giangreco M Puletti, Professor of Mathematics, University of Iceland
Viðar Guðmundsson, Professor of Physics, University of Iceland

P.S.: After submitting this text I became aware that the city of Munich, Germany, even offers an Open Source Sabbatical: Professionally qualified programmers can participate in open source projects for a limited time and improve them.

ICANN DNSSEC training event at University of Iceland

Helmut Neukirchen, 23. January 2025

 

ICANN (the organisation that, e.g., decided that there is an .is top-level domain) will offer a technical training on DNSSEC that is hosted by the Computer Science department of University of Iceland.

DNSSEC uses cryptography to guarantee that not just anyone can fake an answer to a request to resolve a name, e.g. island.is, to an IP address: only the authoritative owner of that domain is able to do that.

This training is for everyone who is, now or in the future, in charge of a domain and wants to use DNSSEC to secure the address resolution of that domain -- or for those who just want to learn how the Domain Name System (DNS) works.

To quote one of our MSc students in Cybersecurity who participated at such a training event last year:
“It was really interesting to see everything that goes into securing the DNS. Really good training with talented experts! Highly recommend going!”

Topics

Introduction / DNS Recap

  • Zone Files, Resource Records and roles
  • Reverse DNS 
  • DNS Resolution Process and debugging
  • TSIG and ACL

DNSSEC

  • Signing
  • Validation
  • Non-existence
  • Key management
  • Chain of Trust
  • Policy Considerations
  • Setting up validation in a Recursive Server
  • Signing Zones (Authoritative Servers)
  • DNSSEC operations and maintenance
  • Tools: Troubleshooting and Monitoring
  • Overview of DANE, TLS and DNSSEC

Labs

  • DNS/DNSSEC debugging 
  • Zone creation and configuration: primary and secondaries
  • Zone signing: manual and automatic signing
  • Establish and confirm chain of trust
  • DNSSEC validation (recursive resolver)

Trainer: Ulrich Wisser, ICANN Technical Engagement Manager, Europe

For the labs, you need to bring your own laptop. ICANN will provide you with virtual machines.

Dates and Location

Tuesday and Wednesday, 4th and 5th of February 2025, 9:00-17:00, Askja building, University of Iceland

Registration

Limited space available for students (as it is also open for industry people): first-come-first-served.

https://www.icann.org/en/engagement-calendar/details/dnssec-training-at-iceland-university-2025-02-04


This event is in the context of our cybersecurity activities and the ECCC/EU co-funded projects ICEDEF – Defend Iceland and Eyvör – the National Cybersecurity Coordination Centre of Iceland (NCC-IS).


2nd funding round of Cybersecurity grants for Icelandic SME companies

Helmut Neukirchen, 20. January 2025

After a successful first round of Cybersecurity grants for Icelandic SME companies, Rannís
Icelandic Small and Medium-sized Enterprises (SMEs) can now apply for a second time for cybersecurity-related funding. The call topics are the same as last time:

  • strengthening cybersecurity culture and awareness,
  • efficient education, research and development,
  • secure digital services and innovation,
  • stronger law enforcement, defense and national security,
  • effective response to incidents, and
  • strong infrastructure, technology and legal framework.

This funding is in the context of the ECCC/EU co-funded project Eyvör – the National Cybersecurity Coordination Centre of Iceland (NCC-IS). See also the official web page of Eyvör NCC-IS.


Information meeting on the courses of the joint cybersecurity master's programme.

Helmut Neukirchen, 13. January 2025

On Monday, 13.1.2025, 16:00, room M105 at Reykjavik University there will be an information meeting on the joint cybersecurity master's programme and cysec courses being offered at University of Iceland and Reykjavik University.

You can find more info here: https://uni.hi.is/helmut/cybersecurity/ -- the presented slides will also be made available there.


This joint cybersecurity master's programme would not be possible without funding from the University Collaboration Fund of the Ministry of Higher Education, Science and Innovation and co-funding from the ECCC/EU for the projects ICEDEF – Defend Iceland and Eyvör – the National Cybersecurity Coordination Centre of Iceland (NCC-IS).


Cybersecurity research centre (rannsóknarsetrur í netöryggisfræðum) will get funded with 67.3 m.kr. by the Ministry of Higher Education, Science and Innovation

Helmut Neukirchen, 18. December 2024

Reykjavik University, University of Iceland, and University of Akureyri applied together for funding in order to establish a joint Cybersecurity research centre. The Minister of Higher Education, Science and Innovation announced that the three universities will together get 67.3 million ISK in funding over 2 years from the university collaboration fund (Samstarf háskóla) for the project Rannsóknarsetur um netöryggisfræði. This is a continuation of an established collaboration that created the M.Sc. cybersecurity specialisations/emphasis, which previously received 2 years of funding.

However, we envisaged a significantly higher grant and with that, the idea was to use the grant to introduce a new Ph.D. program, co-funding two Ph.D. student positions, to hold community engagement activities, to organise a "Defend the Flag" contest, and to create undergraduate and M.Sc. research opportunities. Now, with the lower funding, we need to adjust our vision for the Cybersecurity research centre.

The grant will also be used as co-funding for cybersecurity Digital Europe Programme projects that are funded by the EU, however only at a 50% funding rate, so that the ministry funding is needed to provide part of the co-funding.

As we will soon have a new government in Iceland, we can expect that the ministries will get re-organised and we have to see what this means for this funding.

Two cybersecurity papers at the 11th IEEE International Conference on Social Networks Analysis, Management and Security (SNAMS-2024)

Helmut Neukirchen, 7. December 2024

We have two research papers accepted at the 11th IEEE International Conference on Social Networks Analysis, Management and Security (SNAMS-2024).

  • Brynjólfur Stefánsson, Ásta Guðrún Helgadóttir, Martin Nizon-Deladoeuille, Helmut Neukirchen, Thomas Welsh: Understanding Trust in Authentication Methods for Icelandic Digital Public Services. IEEE SNAMS 2024: The 11th IEEE International Conference on Social Networks Analysis, Management and Security, IEEE, to appear 2024 or 2025. Preprint DOI: 10.48550/arXiv.2501.17548
  • Martin Nizon-Deladoeuille, Brynjólfur Stefánsson, Helmut Neukirchen, Thomas Welsh.
    Towards Supporting Penetration Testing Education with Large Language Models: an Evaluation and Comparison. IEEE SNAMS 2024: The 11th IEEE International Conference on Social Networks Analysis, Management and Security, IEEE, to appear 2024 or 2025. Preprint DOI: 10.48550/arXiv.2501.17539

The program lists only paper titles -- not authors nor presenters. Our student Brynjólfur Stefánsson presented both papers at the conference.


This research is in the context of our cybersecurity activities and the ECCC/EU co-funded projects ICEDEF – Defend Iceland and Eyvör – the National Cybersecurity Coordination Centre of Iceland (NCC-IS).


Cybersecurity at Þjóðarspegillinn 2024 social science conference

Helmut Neukirchen, 12. November 2024

On Friday, 1 November 2024, we had a presentation (in Icelandic) on Cybersecurity at Þjóðarspegillinn 2024, the University of Iceland social science conference. This is to raise cybersecurity awareness, see also the NCC-IS and ICEDEF projects.


This talk is in the context of our cybersecurity activities and the ECCC/EU co-funded projects ICEDEF – Defend Iceland and Eyvör – the National Cybersecurity Coordination Centre of Iceland (NCC-IS).


Sociotechnical Resilience and Cybersecurity Workshop

Helmut Neukirchen, 29. September 2024

We are holding a Sociotechnical Resilience and Cybersecurity Workshop 1.-2. October 2024 in Gróska, room Fenjamýri.

Contact the organiser Thomas Welsh for registration.


This event is in the context of our cybersecurity activities and the ECCC/EU co-funded projects ICEDEF – Defend Iceland and Eyvör – the National Cybersecurity Coordination Centre of Iceland (NCC-IS).


European Researchers' Night 2024 / Vísindavaka 2024

Helmut Neukirchen, 27. September 2024

On Saturday, 28. September 2024, 13:00-18:00, there is Vísindavaka 2024, the Icelandic family-friendly-during-daytime edition of European Researchers' Night 2024 at Laugardalshöll.

The Computer Science department of University of Iceland has a booth there, showcasing some of their research:

  • Cybersecurity: Eyvör NCC-IS, the National Coordination Centre Iceland for Cybersecurity and Defend Iceland. The Computer Science department of University of Iceland is part of Eyvör NCC-IS and we will show three pieces to raise awareness:
    • Has my user info (in the worst case: my password) been leaked? Look up who else owns your login data: https://haveibeenpwned.com
      Note: if your data shows up there as having been leaked, then this is not your fault, but the fault of the website that was storing your data in an insecure manner, and you should change your password at that website (also check whether the password has been leaked or only, e.g., your email address). However, it is your fault if you use the same password for multiple websites: should your password leak from one website, criminals will try that password on other websites and will have success if you use the same password there. Use different passwords for different services. Even better: use multifactor authentication, i.e. not just a password (that can be easily leaked), but in addition something that can be less easily stolen, such as your phone: an authenticator app running on it, an SMS sent to your phone number, or the Icelandic digital ID on your SIM card.
    • An online quiz on how good you are at identifying phishing emails, i.e. emails trying to trick you into providing information, e.g. passwords: https://cybersecuritymonth.eu/quiz (Note: solutions not provided online -- you need to visit us to get hints where you were wrong and where you were right!)
    • A LEGO model of Iceland representing critical infrastructure that is subject to attacks. Each time a service on our Internet-connected computer is attacked via the Internet from anywhere in the world, a light goes off. So when all of Iceland turns dark in our LEGO model, you know that all of our services are currently being attacked at the same time. We use just a dummy sample server, but in fact, it could be your computer or a power plant that is attacked. True Blinkenlights - next time, we should do it using the lights in the glass front of Harpa concert hall.


  • A 3D scanner that scans the shape of your ear: used in CoE RAISE in order to find out with AI how the shape of your ear influences how you hear from different directions.
  • Quantum computing: a new piece to show, therefore no photos yet -- you really need to come and see!

See you at Laugardalshöll!