In today’s increasingly interconnected and digitized world, the logistics industry plays a critical role in global trade, enabling the seamless movement of goods across essential supply chains (Reinsel et al., 2020). The rapid evolution of digital technologies has led to an unprecedented proliferation of data generated from various aspects of logistics operations. However, despite the potential of this data to drive efficiency, cost reduction, and supply chain optimization, the logistics industry has been slow to embrace large-scale data sharing practices, resulting in a fragmented data ecosystem (PwC, 2019). Large-scale data sharing in the context of the logistics industry refers to the efficient exchange of information across various stakeholders, including shippers, carriers, freight forwarders, and other logistics service providers. By enabling access to a vast pool of data, logistics service providers can gain a more comprehensive understanding of the overall supply chain, leading to numerous benefits for the industry. Multi-sided data marketplaces (MSDM) are a promising concept that can play an important role in addressing this lack of data sharing on a large scale among businesses for any domain (Koutroumpis et al. (2020b)). They take the role of the neutral middleman by providing a platform to facilitate the data transactions, the ability to search for data sets and provide complementary services. Despite their perceived benefits, however, many initiatives remain in early stages (Spiekermann, 2019) and little research is published that demonstrates the usability of the concept for the logistics industry. As no open data sharing platform currently exists for the logistics industry (Bastiaansen et al., 2020), conceptualizing a multi-sided data marketplace architecture which meets the domain-specific multi-stakeholder context may contribute with novel insights...

The rapid growth of internet-connected devices has led to a significant increase in the number of cyber attacks, resulting in security challenges related to IoT. Researchers have discovered a new attack technique that can be used for launching large DDoS attacks, which involves TCP reflective amplification by abusing middleboxes and IoT devices. In order to assist Internet Service Providers (ISP's) in mitigating this vulnerability present at their customers, a deeper understanding of this novel attack technique is needed.
The thesis primarily focuses on exploring vulnerable devices and their end-users within the consumer network of a Dutch ISP, KPN. The ultimate goal is to gather more information on the types of vulnerable devices and actors involved to eventually assist an ISP in making informed decisions to remediate the vulnerability in their network.
The study found that the problem can be described in two different issues: vulnerable middleboxes and vulnerable consumer IoT devices with broken TCP protocols. The problem of vulnerable middleboxes has been solved in the network of the Dutch ISP as manufacturers have released updates remediating the vulnerability. This is not the case for vulnerable consumer IoT, as updating consumer IoT devices does not necessarily address the vulnerability present in the devices that have been identified. However, vulnerability notifications can potentially be useful for end-users to encourage them to update their vulnerable devices.
The study highlights the presence of vulnerable devices in the ISP network that cannot be remediated by updating the device due to the unavailability of a fix. This calls for the exploration of alternative notification methods like walled garden notifications for ISP's to address the issue as mail notifications seem not feasible at the moment of writing. While updating devices is a suggested solution, it may not be feasible for end-users with vulnerable consumer IoT devices, making it crucial for manufacturers to ensure their products have secure TCP protocols. While end-users are motivated and capable to keep their vulnerable devices up to date, whether or not they receive a vulnerability notification from their ISP, this action alone will not fully address the vulnerability as long as manufacturers remain unaware of the issue or fail to provide updates to remedy it.

Mobile phones are playing an increasingly significant role. The surge of services and tasks performed on mobile phones is accompanied by an ever-increasing amount of personal data about the owner. This has made mobile phones ideal targets for cyber criminals and it has translated into an increase in malware targeting mobile phones. Social engineering threat actors have very effectively adopted SMS texts, as these are universally trusted by phone users, for Flubot, a new and very dangerous malware. The malware spreads through SMS texts and secretly harvests personal and financial information. Because of the novelty of the malware and its tactics, academic and industrial knowledge is very scarce on how to remediate such infections and how to best involve victims.
This research is focused on a better understanding of how the remediation has influenced the impact Flubot has had on victims and smartphone users in general. A quantitative research approach, based on a survey of victims within a large Dutch telecom provider’s client database, is used to gain this understanding. This is aided by desk research, an interview with an active case of Flubot and expert input (employed by telecom providers and governmental bodies). The results from these research methods are put into context by making use of the Fogg Behavior Model, to better understand what might trigger certain target groups to or not to remediate the infection. The larger environment Flubot functioned in, is analysed too, as it was developed over time and by June of 2022 it had been taken down.
This research has found that the detection methods used against Flubot, before it was taken down, were ineffective in detecting and stopping the spread of the malware. This is a result of a misunderstanding of the more recent workings of Flubot and a larger incorrect presumption that there was no urgency to do much about the malware. Furthermore, in the remediation process some important issues are unclear or unaddressed for victims, leading to a situation where it is often not clear what might have caused the infection or what can be done to prevent a future infection. It is important to prevent further infections, as similar malware does exist, functioning on similar principles, and there is a chance that Flubot might reappear.
The research is based on victims and there was no target group reached that had not been victimised. This makes for a possibly skewed understanding of the situation which should be researched. The data has been gathered through one of the largest telecom providers of the Netherlands, which is not necessarily representative for the whole Dutch industry. Researching other telecom providers in and outside the Netherlands could provide a more comprehensive understanding. The research has led recommending an adaptive notification systems and improvements to the notifications currently used.

Email communication is a crucial part of the daily processes of enterprises. Organizations can opt for traditional infrastructure on-premise or use cloud-based email services provided by (foreign) cloud service providers. In Europe in particular, organizations from crucial sectors have been adopting cloudbasedemail services. The level of cloud adoption can vary strongly within these sectors. Nevertheless, this trend towards the use of cloud-based email services brings societal implications for the sovereignty of European data. Email services hosted with foreign cloud service providers can be susceptible to surveillance by foreign governments and intelligence agencies, which violates privacy of European individuals. The attack space further includes invasion with political and monetary incentives that may also impact security, as data is hosted with cloud service providers who might have weak security protocols. We measured the level of cloud adoption for seven crucial sectors in Europe: executive governments, healthcare, SME’s, higher educational institutes, NGO’s and financial services. We have conducted a DNS analysis on MX records from a Farsight (SIE) dataset to measure the prevalence of cloud service providers. The results revealed the prevalence of extremely dominant cloud service providers, Microsoft and Google in Europe. The dominant position obtained by these providers means that two aspects in governance of this socio-technical system in Europe must be attended to if Europe wants to regain control over their data and infrastructures: (1) European regulation focus needs to shift and (2) awareness must be raised at managerial level in enterprises.

Nowadays does the internet presence of companies increase, and with it, their attack surface and the probability of breaches: every information system in the company's network may be an entry point for an outsider. Therefore, companies need to secure their information systems. However, current risk assessment frameworks fail to connect the security measures with the impact of future breaches, making it difficult for a company to prioritize their security investments: what security indicators should they look at to limit the impact of future intrusions? In this report, we study how to collect external security indicators from a company's network, and how to process this information to build an intrusion prediction model. First, we build a scanning tool to retrieve relevant security indicators from the company's network (such as services misconfigurations or vulnerabilities) and public datasets. Then, we associate the collected indicators with incidents data from a Managed Security Service Provider in order to model using a Random Forest algorithm the probability of intrusions. Finally, we analyze the most significant indicators according to the model in an effort to find which indicators are the most relevant to evaluate the company's security posture. When we assess our model on real company's data, it achieves 92% accuracy on intrusions prediction.

IoT devices keep entering our homes with the promise of delivering more services and enhancing user experience; however, these new devices also carry along an alarming number of vulnerabilities and security issues. In most cases, the users of these devices are completely unaware of the security risks that connecting these devices entail. Current tools do not provide users with essential security information such as whether a device is infected with malware. Traditional techniques to detect malware infections were not meant to be used by the end-user and current malware removal tools and security software cannot handle the heterogeneity of IoT devices. In this report, we design, develop and evaluate a tool, called NURSE, to fill this information gap, i.e., enabling end-users to detect IoT-malware infections in their home networks. NURSE follows a modular approach to analyze IoT traffic as captured by means of an ARP spoofing technique which does not require any network modification or specific hardware. Thus, NURSE provides zero-configuration IoT traffic analysis within everybody's reach. After testing NURSE in 83 different IoT network scenarios with a wide variety of IoT device types, results show that NURSE identifies malware-infected IoT devices with high-accuracy (86.7%) using device network behaviour and contacted destinations.

As the IoT is widely deployed in people’s homes, adversaries are busy exploiting the vulnerabilities of these devices. One kind of such device is the NAS device made by the company QNAP. Unfortunately, these devices are prone to the QSnatch malware. Unlike previous malware such as Mirai has this nasty habit, it settles deeper into the machine. In this way, the malware gains reboot persistence. Therefore, we consider the malware as persistent IoT malware compared to the non-persistent IoT malware. This affects the clean-up of the virus, as changing the passwords and rebooting the device is not enough to remove the virus. As a result, other steps are needed to get rid of the virus. If we take a look at the NAS device market, we see that the manufacturers of these devices have little incentive to invest a lot in the security of the devices. It is then challenging for the customer to estimate which devices are secure and are mainly tempted by discounts and devices that can be configured quickly. Then, the ISP is the link in the process that, with the help of the non-profit organisation Shadow Server, can determine which of its customers may be infected with certain malware. Shadow Server uses servers to receive the malicious traffic and forwards the corresponding IP addresses to the ISP. The ISP then knows which customer is dealing with possible infection and can inform them. This also happens for the QSnatch malware. The ISP sends the infected customer a notification informing them about the infection and providing steps to clean their device. These steps are a simplified and Dutch-translated version of the steps provided by QNAP. From that moment on, it is up to the infected customer to take action. Previous research has made a tremendous effort in understanding the efforts of infected customers in remediating the issue and showed that various resources could be used by the ISP to improve the results of this process.

Malware presents a growing problem in a world that is increasingly connected to, and reliant on, the internet. The growing, devastating potential of cyber attacks such as DDoS attacks on society and economy is largely the result of a new class of devices, the Internet of Things (IoT), whose characteristic vulnerabilities make them easy targets to be compromised and controlled by malicious actors. This study employs a mixed-method research design to examine end-users' perceptions of the security of internet connected devices, their motivations for (non-)adoption of centralized DNS-based malware mitigation measures, and the efficacy of such services in mitigating malicious activity in a real-life environment. The results indicate that centralized DNS-based malware mitigation have significant potential in reducing end-user vulnerability to malware threats, but their adoption is hindered by lacking ability to assess threats and the value and efficacy of security measures.

Ultra-Wideband (UWB) technology became unregulated within the EU in 2007. Most recently, it was integrated into mobile phones in 2019, notably Apply and Samsung adding it to all their newer models. While UWB is characterised as a radio technology with any signal above 500 MHz, it operates within the 6-9 GHz
range in mobile phones. This allows for fast data rate, low power secure
communication, multipath facilities and accurate localization. While the integration of UWB is mostly advantageous to users and innovators, its ability of accurate localisation may lead to severe privacy concerns

The aim of the thesis is to understand the privacy concerns of UWB’s integration into mobile phones by answering the main research question: how do experts and users perceive privacy concerns of UWB usage in mobile phones; and how can they be mitigated? It was subsequently broken down into three sub-research
questions: 1. What are the possible applications of UWB in mobile phones? Phones have other incumbent radio technology embedded such as Bluetooth (BLE) and Wi-Fi, however it seems like UWB is being integrated to serve additional purposes. The answer to this question seeks to understand from gray and research literature how UWB can be used in mobile phones and what advantage it gives over incumbent technology. Research shows UWB gives phones the ability for indoor navigation, gesture-based control, foot traffic analysis for smart retail, teleconference systems, proximity-based localization, key-less entry among others.

This leads to research question 2. What are the potential privacy concerns associated with UWB? The incorporation of new technology capable of accurate localization leads to privacy concerns. All privacy issues were categorised on the basis of three paradigms: social, surveillance and institutional mentioned in Gurses and Diaz, 2013. This was initially done by interviewing experts from the three groups of privacy experts, policy regulators and technology experts. Analysis of their answers showed that UWB privacy concerns seem relatively similar to BLE and Wi-Fi localization, albeit with higher granularity. UWB allows mobile phones companies, third parties and governments track people accurately indoors, push advertisements depending on location, obtain relative relationships between people based on distance leaving people with no place to hide. Subsequently, user interviews were carried out to see if they could identify the same concerns of UWB. Results showed that that from the data of users interviewed, all of them believed that accurate data
localization of people is crossing a line that users cannot push back on. A majority of them saw most of the same privacy issues as the experts showing that, as people get more adept with technology they understand
how it can affect their privacy. A common question that was asked across all the interviews was how can we protect our privacy in the face of such penetrating innovation as time lapses.

Which is the final sub-research question: 3. What are technical and societal approaches to address privacy concerns? Experts provided solutions that were more industry oriented which included decoupling UWBfrom other location-based services, provision of opt-out settings on a more prominent basis, reworking license agreements, industry wide discussion and self-regulation in terms of privacy. However, users gave answers that were more user-centric and gave more control to the common public. This included users neggotiating their own privacy agreements, compensation models for loss of privacy, a more holistic regulation process and finally, trying to break the control of big tech companies. This shows that users and experts have very similar understanding of privacy issues but very different views on how privacy should be protected. Perhaps, it may be time for regulators to pay heed to user suggestions. These suggestions were then compared with privacy mitigation strategies mentioned in literature. Notably, the most overarching concept that needs to be incorporated is the concept of Privacy-by-design which can then be broken down into technical and societal strategies. Technical approaches included concepts such as obfuscation, k-anonymiser, differential privacy, dummy localization and access control mechanisms. All the technical strategies seemingly had the same issue of requiring third-party applications to function. Sophisticated security measures and privacy statements would then be needed to ensure these companies do not choose monetary gain over user privacy. Societal approaches included concepts of data-for-all, technical regulatory bodies and finally, breaking up of big tech companies. As time passes and innovations become more pervasive, it may be too late to incorporate privacy protection actively. The time to protect privacy is now.

In the past decade, the world has experienced numerous severe and impactful data breaches, without indications of this development slowing down. Even worse, research has shown data breaches are still waiting to happen. The occurrence of a data breach has consequences for several involved parties and for society in general. It is therefore only natural that there exists a pursuit to prevent data breaches from happening. Research claims that data breaches happen because of simple and preventable errors made by human, also known as security misconfigurations. This study aims to investigate whether the root causes of severe data breaches are frequently related to security misconfigurations, which would make most data breaches preventable. No such structured research had been done before. We conducted a multiple case study, wherein a number of data breaches was analysed based on publicly available case literature. Assessing the data breaches with the help of our developed framework was part of that analysis, resulting in a systematic characterization of each data breach. The results indicate that in breaches the data are mostly subject to unauthorized access by outsiders, which frequently is made possible by poor security. The organizations directly responsible for that data are large organizations which get breached especially in their storage facilities. Next to the organization which got breached, these sizeable data breaches always affect individuals since at least part of the compromised data is about them or linkable to them. Usually this is not even discovered by the breached organization itself and sometimes only after a long period of time. Ultimately, it can be concluded that data are frequently caused by security misconfigurations and therefore are mostly preventable. On this basis, it is recommended that organizations responsible for sensitive data should be more incentivized to thoroughly combat security misconfigurations, instead of treating IT security as only a technical endeavor.

To detect malicious activities in a network, intrusion detection systems are used. Even though these solutions are widely deployed for this purpose they have one serious shortcoming which is the huge amount of false alarms that they are generating. Different measures are taken to tackle this problem such as manually changing the settings of the intrusion detection systems. However, this is an infeasible approach for organisations since a network is changing regularly and specialists that have good knowledge of both the environment and the solution are required. The existing unsupervised approaches cannot be implemented as fully automated solutions because of the need to tune hyper-parameters. Additionally,the implementation of the existing solutions is complicated since often multiple models and the constant updating thereof is required which is a computationally intensive process considering the selected algorithms. In this work, the possibilities to reduce the false alarms in an automated manner are investigated. This is done by applying unsupervised anomaly detection techniques on the resulting alert data to distinguish regular alarms from high priority ones. Real alert data is collected from a network of a large organisation and an additional synthetically generated data set is used to evaluate the proposed approach. Four unsupervised anomaly detection algorithms are chosen to model the regular alerts. These are Local Outlier Factor (LOF), Isolation Forest (IF), Histogram-based Outlier Score(HBOS) and Cluster-based Local Outlier Factor (CBLOF). We show that this approach can greatly reduce the false alarms in real environments. By adding noise to the data we evaluate the performance of the models and propose a method that can be used to determine when the model needs to be retrained. This is done by deriving a metric that is used to trigger the system to automatically retrain on the most recent historic data. This is necessary in order to make the system automated and adaptable to changes in the network.

A portion of the digital fraud occurring on the dark web comprises the illegal exchange of vouchers, coupons, and stolen accounts, defined in this research as service fraud. Despite its existence, this type of fraud had not been previously explored. This thesis employs a quantitative approach to examine which company characteristics influence the target selection process, and the financial impact of service fraud, conducted on eight prominent underground markets, from 2011 to 2017. Initial understanding of the matter is provided by mapping out the digital fraud landscape; exploring and classifying into four categories the different types of service fraud. The direct costs of such fraud for the analyzed companies are quantified, showing that the sustained losses are relatively low compared to the figures reported in various resources. Regression analysis is used to model which characteristics make companies more attractive to cyber criminals, and how they influence losses suffered by businesses. Reputation and domain popularity are able to explain to an extent the frequency of being targeted. Furthermore, companies operating locally, as well as smaller businesses seem to experience higher financial losses. The implications of the results for businesses and society are discussed. Expanding the current model with other factors or additional data, such as employed security controls and strategies, as well as using different research methods could enhance this topic and provide more insights.

As software security expert Bruce Schneier argues, the pervasive vulnerability of embedded systems today is structurally similar to the security crisis of PCs in the mid-1990s—only much worse. Embedded devices are ideal malware targets for several reasons. Firstly, Internet-connected devices are inherently more exposed to remote exploitation. Furthermore, embedded systems are notoriously difficult to update, regularly leading to unpatched vulnerabilities. Last but not least, many such devices operate in a mostly unattended fashion, which means that the timely discovery of compromise is unlikely. Hardening is the process of securing a system by reducing its surface of vulnerability. Hardening of the already deployed embedded devices that are connected to the internet is examined in this research. A method capable of automatically generating and enforcing security configuration based on the embedded system’s set of functions has been designed and implemented. The proposed system is dynamic, automatic, and seamless. Hardening level of such devices is measured through recognized security benchmarks. The objective is to harden the product as much as possible while maintaining its full functionality. This study concerns embedded systems using custom Linux-distribution software. The thesis was conducted in cooperation with Atos. OpenScape Business series X (OSBiz X) was used as a case study. OSBiz X is an embedded system used as a telephony center, with more than 150.000 systems already deployed worldwide. Implementing the system described above on OSBiz X significantly increased the hardening-level of the product while its functionality remained intact. Due to the case study’s scenario results, Atos plans to integrate the proposed system into the next version of OSBiz X’s official release. Finally, ongoing research about other internal organization’s products that could greatly benefit from this approach is being conducted.

The European financial sector is a frequent victim of banking malware leading to massive losses. It appears that not all customers’ banks are equally attractive targets among cybercriminals who deploy banking malware. This research established a comprehensive regression model explaining why certain banks are more attractive to cybercriminals. The model proves that large banks, banks that are part of a banking group, banks with a high brand value, and banks which websites have a high domain-popularity, bear a higher probability to be (more frequently) targeted. Two-factor authentication doesn’t seem as effective as might expected. The use of this security measure does not decrease the chance for a bank to be targeted. However, the presence of this measure has an influence on a lower target frequency. Furthermore, it is shown that banks offering a largely spoken language on their website do not ease the banking malware attacks. Further research is needed to enhance and improve the model. The independence in the model can be reduced and more bank characteristics could be added, especially factors related to the ease to launder money.

Developing malware variants is extremely cheap for attackers because of the availability of various obfuscation tools. These variants can be grouped in malware families, based on information retrieved from their static and dynamic analysis. Dynamic, network-level analysis of malware shows its core behavior since it captures the interaction with its developer. On the other hand, increasingly more emphasis is given to using Deep Packet Inspection (DPI) in order to cluster malware’s network behavior. However, DPI has severe privacy implications, as it involves inspecting payloads of the network traffic.

This thesis presents an exploratory study, the aim of which is to characterize and cluster malware behavior using high-level, non-privacy-invasive, sequential features extracted from its network activity. The key intuition behind the proposed solution is that if the underlying infrastructure of distinct malware samples is similar, the order in which they perform certain actions should also be similar. The results of this research show that sequence clustering allows flexible and robust clusters, as opposed to using non-sequential features. The clusters themselves reveal interesting attacking capabilities, such as port scans, and the same Command and Control server responding to different malware families. Lastly, a comparison with clusters obtained from static analysis reveals that network-based clustering is far more qualified to determine the many behaviors exhibited by a single malware family, as well as behaviors common across multiple malware families.

The frequency of online banking fraud incidents has increased over the last years. A method used by different cybercriminals is the injection of malicious code into the targeted web pages. For example, attackers might inject an additional piece code into the webpage of a targeted bank asking users to enter extra personal information (e.g., the PIN of the card). By comparing attack instances of web injected code attacks from different malware families an answer will given on how cyber criminals evolve the code of financial malware that is been used in injected code attacks against financial institutions. The contribution of this thesis is to verify the current literature of the existence of code re-use among different code instances using different code similarity tools and to explore how and why the code is evolved.

Many Internet of Things (IoT) devices that are currently on the market lack security and therefore many of them got infected with malware to launch powerful distributed denial of service (DDoS) attacks. Notifications from Internet Service Providers (ISPs) to their customers play a crucial role in the fight to clean up the malware infected IoT devices. It is, however, difficult for the employees of abuse departments to explain how to cleanup an IoT malware infection to a non-technical customer and provide usable action steps to clean up the infection. In particular, because there is no “one size fits all” cleanup solution, due to the heterogeneous nature of the IoT devices. The abuse department of the Dutch ISP KPN would like to know how to notify customers with IoT malware infections and how to explain the cleanup of infected IoT devices to the customers. Therefore, the objective of this research is to make a recommendation to KPN on what notification mechanism to adopt by providing insight into: (1) how to increase the effectiveness of IoT malware notifications from an ISP to its customers in terms of IoT malware cleanup; and (2) how users perceive an IoT malware notification from their ISP. To this end, an experiment has been conducted with 190 retail customers with infected IoT devices to measure the difference in cleanup among IoT malware notifications sent via different channels and with different messages. To explore the reactions of the customers to the different notification mechanisms, telephone interviews have been conducted and the communication logs between KPN and the customers in the experiment have been analysed. We have compared the influence of the notification channel on cleanup and the reactions of customers by comparing customers that received: (1) email notifications; and (2) a combination of walled garden and email notifications. The different notification messages that have been compared in this study include: (1) the walled garden notification content that KPN’s abuse department uses to notify its customers with an IoT malware infection; and (2) a newly composed more actionable walled garden notification message which clearly defines the steps that need to be taken while avoiding technical terms. It is found that a combination of a walled garden and email notification with an actionable content is the most effective in terms of IoT malware cleanup. Furthermore, the walled garden notification is most effective in getting customers to read and react to the IoT malware notification, yet it sometimes results in customers having a low satisfaction with the service they receive. The more actionable notification content results in better understanding and trust from the customer compared to a less actionable content of the notification. However, customers’ understanding of the notification content and the satisfaction with the quarantine event remain a challenge.