NCSRA Symposium | 2 November 2015 Cybersecurity & Privacy research, education & innovation

NCSRA Symposium 2015

#NCSRA15 Wifi code: nbmc2015

ELLY VAN DEN HEUVEL INTRODUCTION

CHRIS KRUEGEL Securing the Future

Securing the Future

Exploring Challenges and Opportunities for Research in Computer Security

Christopher Kruegel UC Santa Barbara and Lastline, Inc.

The Future

Disclaimer: My bias is that I am a systems security researcher.

Innovation and new technology

Advances in offensive technology

Hype Cycle: Emerging Technologies

Source: Gartner, August 2015

#1: INTERNET OF THINGS

• Embedded software is everywhere
  – captured through many buzzwords
    • pervasive, ubiquitous computing
    • Internet of Things (IoT)
  – sensors and actuators

Blend between real and virtual worlds

Massive Growth

Security Challenges

• Quantity has a quality all its own
• Vulnerability analysis
  – binary blobs (binary only, no OS or library abstractions)
  – software deeply connected with hardware
• Patch management
  – devices must be cheap
  – vendors might be long gone

Security Challenges

• Remote accessibility
  – device authentication
  – access control (pacemaker during emergency)
  – stepping stone into inside of perimeter
• Additional vulnerability surface
  – attacks launched from physical world
  – supply chain attacks

#2: INFORMATION MANIPULATION

Information Manipulation

• Control what a user can see on the Internet to influence the user’s mind and actions
  – Manipulate content and in turn, target the human mind, instead of machines or code
  – Affect the users’ decision-making processes
    • economic gain (buying)
    • influence (voting)
    • credibility (social world)

We “See” Only Some Information

Information Flow

Publishers, Internet Intermediaries, Users

Event, Web sites/portals, ISPs/CDNs

• Production: Fake reviews, Sock puppets, Astroturf, Misleading Wikipedia entries
• Dissemination: Search-related attacks and misuses, Performance degradation
• Consumption: Pollution of browsing history, Tracking of user activities

Taxonomy of Manipulation (columns: Production, Dissemination, Discovery)

Changing the choice set
• Production: News agencies may choose not to report a story
• Dissemination: Social network may remove (or add) content (e.g., Weibo censorship)
• Discovery: Search engine may change the set of results for different users (“filter bubbles”)

Changing the presentation layout (ordering, etc.)
• Production: Sites may move content to top/bottom of a page.
• Dissemination: News outlets can use social networks to “broadcast” certain stories (e.g., NYTimes Twitter feed)
• Discovery: User profile pollution and poisoning can change the ranking of results

Changing the content
• Production: Bogus reviews, “astroturfing”, false Wikipedia entries
• Dissemination: “Sock puppets” can create/amplify false content

#3: HUMAN DATA

Human Data

• From personal data to data about a person

Quantifiable Self

• Initially, mostly fitness-related metrics
  – steps, sleep, heart rate, …
• Newer wearable sensors go further
  – blood pressure, sweat, glucose levels, …
• Non-wearable biosensors
  – typically take a drop of blood and run 100s of tests

One step further …

• DNA analysis services

Security Challenges

• Risks are underrated
  – attackers not yet targeting human data
    • everyone understands that a stolen credit card is bad
    • not clear why anyone would want your health data or DNA
  – everyone happy to upload and share their human data
  – impossible to change
    • changing your credit card number is trivial
    • what if attackers find a reason to access the information
• How can one provide services without revealing data?

#4: ADVANCED MALWARE

Isn’t malware solved already?

[Figure: Malware Publications. Fraction of malware-related publications in Top-4 security conferences (NDSS, Oakland, Usenix Sec., CCS) over last 10 years. Horizontal axis: 2004 to 2015; vertical axis: 0% to 16%; series: Malware (incl. Android).]

But the world has missed it …

[Figure: Interest in Advanced Malware Protection. Source: Google News Trends]

Lots of interesting things to do

• Mobile malware – difference to traditional malware implies opportunities and challenges
  – apps are much easier to analyze statically
    • use of Dalvik bytecode instead of x86
  – centralized control
    • vet applications before they enter store
    • can remotely remove installed applications
    • carriers might have more complete picture of users and traffic
  – interesting GUI issues

Summary

• Rapid technical progress and new attacks make increased (research) efforts necessary to protect critical systems and data
• Four challenges/opportunities for future research
  1) Secure the Internet of Things
  2) Defend against Information Manipulation
  3) Protect Human Data
  4) Detect Advanced Malware

Thank You!

MARTIN BORRETT Security - What matters?

RENÉ PENNING DE VRIES Chairman ICT in Topsectors

ICT KIA and Commit2Data: Open for Business!

02/11/2015 René Penning de Vries, Figurehead ICT Team

Top Sectors and ICT: ICT Innovation Contract signed

The ICT Team aims to enhance ICT based innovation. The ICT Team creates usage inspired public-private R&D partnerships. The ICT Team works across Top Sectors. The ICT team develops a Human Capital agenda and develops a Branding approach.

• ICT One can Rely on
• ICT Systems for Monitoring and Control
• ICT for a connected World
• Data, Data, Data: Big Data

• Energy Transition
• Life Science and Health
• Smart Industry
• Cyber Security

1. We have two new instruments to close the gap between R&D and application

2. Alignment with NCSRA on program and HCA are logical next steps

ICT KIA and Commit2Data: Open for Business!

JAN PIET BARTHEL Program Manager Cybersecurity Research NWO

THIS CAP FITS ALL OF US

535 REGISTRATIONS SUBDIVISION

National & International Upcoming HIGHLIGHTS, EVENTS and CALLS for proposals

• CHIST-ERA call: deadline January 13, 2016 (EU 7 FP instrument)
• National Cybersecurity Best Research Paper Award contest: March 22, 2016
• NWO-NSF call (US-NL) privacy research (MoU we are about to sign): deadlines Q1, Q2 2016
• Scientist on the Job instrument (NWO-TNO): Q1 2016
• Joint STW-NWO Physical Sciences call on Smart Industry (including cybersecurity): Q2 2016
• Cybersecurity Matchmaking Event: Q3 2016
• National call on cybersecurity research with MaGW/SIA: Q4 2016, synchronized with SBIR tender: Q4 2016
• Joint call with DHS: Q1 2017 (Doug Maughan will explain)
• (Third) NCSRA-Symposium: Q2 2017
• Two AiO - Multidisciplinary research call, Computer Sciences (EW) together with Social Sciences (MaGW): 2017-2018
• SIA Taskforce for Applied Research will fund two HBO-lector positions, one at NSCR (cybersecurity) and one at CWI-Amsterdam (big data and cybersecurity)

DOUGLAS MAUGHAN Division Director at DHS (US)

DHS 2016 Events and Activities

• DETER – Research Testbed
  – See http://cybersecurityexperimentation.org for more information
• PREDICT – Data Repository
  – Available to Dutch researchers through NCSC
  – Incorporation of additional data
  – Advances in ICTR Ethics
• Joint research call with Netherlands: Q1 2017
• Opening of DHS Silicon Valley Office
  – Possible opportunities for young companies (age 6-24 months) to provide technologies for DHS operational applications
• Annual Principal Investigator Showcase and Technical Workshop: Feb 17-19, 2016 in WDC

Joint Research Call Process

Notice of Intent Matchmaking Portal

Solicitation Published Proposals Submitted Proposals Reviewed

Notice of Award Procurement Actions DHS – US Performers NWO – NL Performers

Unofficially Today July 1, 2016 60 Days to Sept. 1 Sept 1, 2016 Nov 1, 2016 Completed Jan 1, 2017 Feb 1, 2017 Completed May 1, 2017

Joint Research Call Process - 2

US Participants
• Academic
• Industry
• Labs (e.g. DOE)

NL Participants
• Academic (main applicant)
• Industry (co-applicant)

Possible Teams
• US Academic – NL Academic (with US and/or NL Industry)
• US Industry – NL Academic
• US Labs – NL Academic (with US and/or NL Industry)

Joint Research Call Process - 3

Topics under consideration

• Identity Management
• Data Analytics
• Mobile Security
• Cyber Physical Systems Security / IOT
• Cybersecurity and the human factor

For more information, visit http://www.dhs.gov/cyber-research

Douglas Maughan, Ph.D.
Division Director
Cyber Security Division
Homeland Security Advanced Research Projects Agency (HSARPA)
[email protected]
202-254-6145 / 202-360-3170

HANS DE VRIES Head of NCSC

ELLY VAN DEN HEUVEL CONCLUSIONS

IIP-VV Board

Dick Brandt, Eelco Stofbergen, Erik Poll, Herbert Bos, Jan Piet Barthel, Michel van Eeten, Paul de Jager, Pieter Hartel, Sandro Etalle, Wim Hafkamp

Project Team

Henk de Poot, Jeroen van den Ham, Joep van Wijk, Juul Brouwers, Karin van Es, Kas Clark, Mariska Warnars, Marit van Galen, Naomi Messing, Tobias Paulissen