2024-10-11

Water distress

 

Image generated by ChatGPT

Apeldoorn (the Netherlands), Friday 4 October 2024, 18:22 – 70 thousand households receive an emergency alert: the tap water is contaminated with the E. coli bacterium (lovingly referred to in the newspaper as the 'poo bacteria'). We need to boil the water for three minutes before drinking it. We should also use boiled water for brushing our teeth and washing vegetables. [For some context to strangers: tap water is delicious in this country.]

People are rushing to the supermarket en masse to stock up on bottled water. The need is great – in one supermarket people are even fighting over the last few bottles. We see images that we know from faraway countries, with people pushing shopping carts that are filled to the brim. By the end of the evening there are no more bottles for sale anywhere. The next step would be looting. A shopkeeper tells the newspaper how quickly the water was sold out, and that he has ordered not the usual thousand litres (264 US gal), but ten times as much for the next day. The local press photographer captures a car with a boot completely filled with water bottles. I counted them: there are around 140 litres (37 gal) of water in that car.

And us? We stayed home quietly. Because on the one hand we trust the water company when they say that boiling for a few minutes is sufficient, and on the other hand we have had an emergency supply of drinking water for years, precisely for these kinds of occasions. And we pay attention to the expiration date, so that the water is swapped in time (nevertheless it tastes a bit stale). And there are more things that you had better have in the house in case something strange happens. A supply of food is of course obvious; remember that you may not have gas or electricity to prepare it and that you must be able to eat it cold. Rechargeable lamps are only of service as long as there is power - lamps that (also) work on batteries are better, provided you have enough fully charged batteries in the house. A battery-powered radio is handy to stay informed about the progress of the misery.

In IT, this is the field of Business Continuity Management. BCM professionals ensure, among other things, that if something goes terribly wrong, if our IT is hit by a disaster, the impact is limited and we return to normal as quickly as possible. They do this by ensuring that teams responsible for keeping IT services up and running are optimally prepared for eventualities. Plans are ready and these plans are tested. And for major, far-reaching events, they train the crisis management team, so that these people also know what to do if things go completely off track.

As the example of the water distress in Apeldoorn and the surrounding villages indicates, it is also useful to do something about BCM at home (although I would perhaps rather call it HCM: Home Continuity Management). Above I already gave an idea of a shopping list; on the government website denkvooruit.nl you can find even more information. There you can read, for example, that it is also useful to have some cash at home. Because in the event of a massive power failure or network failure, you will no longer be able to shop cashless, and the ATM will also show its sorry screen. Then you are happy if you have emergency cash at home and can still go shopping. [For you strangers: the Netherlands is rapidly transforming into a cashless society, where paying with your phone or debit card is common and where people often don’t have any cash on them.]

But don't start hoarding right away, okay? Here in our city, the mayor had to intervene to call on the population not to grab what you can grab and to take each other into account – let others have some water too, he begged. I had to think back to that video from the covid period, in which a forklift driver, roaring with laughter, drove through an immense warehouse that was filled to the brim with toilet paper. That was the product that we then feared to run out of. The run on water in Apeldoorn is even more remarkable because it is a local problem. Incidentally, many people have already driven to surrounding cities to get water.

Meanwhile, boiling tap water is a great alternative. Admittedly, it is a bit tricky. I am so used to tapping my tea water from the boiling water tap that this morning I looked right past the filled thermos and filled my mug under the tap and only when the tea was ready did I realize that I was wrong. For brushing our teeth, we have a bottle of water in the bathroom, simply because it is more convenient. Boiled water has to cool down before you can use it for such applications.

In the meantime, the water company is busy inspecting four water reservoirs, each containing three million litres of water (792,516 gal). They have to be emptied for this, but it has to be done one by one because otherwise our taps would run dry. That’s why it’s taking so long – at least until the 14th, we have to be suspicious of our tap water. Today (Friday) we’ll get another update. Hopefully with good news. And I’m also curious about the cause. In the meantime, I just wiped my daily apple with a paper towel instead of washing it with water. Oh well, those minor inconveniences.

 

And in the big bad world…

 

2024-10-04

The Sandman

 

Image from Pixabay

In some countries in the world, criminal organizations kidnap poor devils and force them to send out scams seventeen hours a day, said Nathaniel Gleicher, global head of counter-fraud at Meta, this week at the annual ONE Conference in The Hague.

Meta, the parent company of Facebook, Instagram and WhatsApp, among others, is not exactly the darling of privacy-minded citizens. But what Gleicher had to say at this conference matters. Because let the above sink in for a moment: people are being held against their will to bombard you, with bags under their red-rimmed eyes, with deceptive messages. In my world, scam refers to deception via false messages. For example, that text message about a troubled delivery, a WhatsApp message that starts with "Hi dad, I have a new phone number" or an email in which "the bank" announces a security check for which they need your cooperation. In short, pretty much everything that can be classified as phishing.

The reprehensible activities of cybercriminals are a problem for Gleicher, because they abuse his platforms. And apart from the moral obligation to do something about it, Meta also has a clear business interest here: if users are confronted with fraud on Instagram over and over again, they will eventually stay away, or at the very least they will become so suspicious that they will no longer click on anything, not even on bona fide contributions. And that means lost revenue.

Meta divides fraud and scams into three types of problems: actors, behavior, and content. Actors include everything that has to do with false identity: you think a message is from a friend or a celebrity, but in fact there is a criminal behind it. Behavior includes everything a criminal does: deception, spam, even playing on your (romantic) feelings. The content type of problem encompasses celebrity bait, financial deals and charity, to name a few.

Gleicher wants to combat this vigorously, but his billions of normal, well-intentioned users should not suffer too much from it, because that would be bad for business. And so he focuses on the malicious ones. An important part of that is taking down fake accounts as quickly as possible. To do that, they look at the behavior of an account. For example, if a biography states that you live in the Netherlands, but all activity comes from a country far away, that is a red flag. And they use artificial intelligence to detect whether someone is misusing photos of celebrities. Think of a photo of Elon Musk with a golden tip to purchase bitcoins 'via this link'.
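The "biography says the Netherlands, activity comes from far away" red flag is a simple behavioural heuristic. The script below is an added example, not Meta's code or data model: it assumes that a geolocation layer annotates each request with an origin country, and it uses a constructed declared-country table and a constructed activity log. It deliberately skips accounts with too little history, because one holiday login is not evidence and flagging too eagerly would hit exactly the well-intentioned majority the text says should not suffer.

```python
from collections import Counter

# Constructed sample data (an assumption for this example): the country each
# account declares in its biography.
DECLARED_COUNTRY = {"alice": "NL", "bob": "NL", "mallory": "NL"}

# Constructed activity log: (account, country the request originated from).
ACTIVITY = [
    ("alice", "NL"), ("alice", "NL"), ("alice", "DE"),   # one trip abroad
    ("alice", "NL"), ("alice", "NL"), ("alice", "NL"),
    ("bob", "NL"), ("bob", "BE"),                        # too little history to judge
    ("mallory", "BR"), ("mallory", "BR"), ("mallory", "BR"), ("mallory", "BR"),
    ("mallory", "BR"), ("mallory", "BR"), ("mallory", "BR"), ("mallory", "NL"),
]


def activity_by_account(events):
    """Count request origins per account."""
    counters = {}
    for account, country in events:
        counters.setdefault(account, Counter())[country] += 1
    return counters


def mismatch_ratio(declared, origins):
    """Fraction of activity that did NOT come from the declared country."""
    total = sum(origins.values())
    return 0.0 if total == 0 else 1.0 - origins[declared] / total


def flag_accounts(declared_map, events, threshold=0.8, min_events=5):
    """Return accounts whose activity overwhelmingly contradicts their biography.

    Accounts with fewer than min_events are skipped on purpose: a single login
    from abroad is not evidence, and flagging too early punishes honest users.
    """
    flagged = {}
    per_account = activity_by_account(events)
    for account, declared in declared_map.items():
        origins = per_account.get(account, Counter())
        if sum(origins.values()) < min_events:
            continue
        ratio = mismatch_ratio(declared, origins)
        if ratio >= threshold:
            flagged[account] = {
                "mismatch_ratio": ratio,
                "dominant_origin": origins.most_common(1)[0][0],
            }
    return flagged


if __name__ == "__main__":
    for account, info in flag_accounts(DECLARED_COUNTRY, ACTIVITY).items():
        print(f"{account}: {info['mismatch_ratio']:.0%} of activity from {info['dominant_origin']}")
```

In the constructed data only "mallory" is flagged; "alice" has one login from Germany among six and stays well under the threshold, and "bob" has too little history to judge. The threshold and minimum event count are the knobs that trade false positives against missed fake accounts.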

Criminals use mechanisms that are intended for honest people. Did you forget your password? Then click on a link and you can set a new password via the email sent to you. But if a criminal has hacked your email, he can do so on your behalf (it is therefore important to realize that your email is by far your most important account). Meta is trying to put a stop to this with innovative developments. For example, they are currently piloting a new method for account recovery: you have to supply a new selfie, which they compare to photos in your profile. The idea behind this is that criminals cannot simply get a fresh selfie of you.

Scams run across multiple layers, such as social media and banks. This makes it difficult for one party alone to recognize scams. At the ONE Conference, Gleicher announced the FIRE program (Fraud Intelligence Reciprocal Exchange), in which British and Australian banks provide information to Meta. In an earlier phase of the program, this had already led to the removal of some 20,000 fake accounts.

The British talk about throwing a spanner in the works, the Americans throw a wrench, but the Dutch throw sand. Hence the title of this blogpost: Meta throws as much sand as possible in the works of internet criminals. You could say that Gleicher is the sandman of social media.

 

And in the big bad world…

 

2024-09-27

Intruders

 

Image from Pixabay

In 2007, a Dutch engineer walked into the Iranian nuclear complex of Natanz and installed a water pump there. This Erik van Sabben had a second client: the Dutch intelligence service AIVD. And that is how it happened that the centrifuges, which are needed to enrich uranium, went haywire because of the infamous Stuxnet virus. This is of course the ultra-short version of the story. The long, exciting story is in the book There's a War Going On But No One Can See It by investigative journalist Huib Modderkolk.

Earlier this week, a Dutch engineer walked into the Dutch nuclear complex of Almelo. Not to install anything, and not with a secret agenda. No, because that was me, together with about thirty colleagues, and we came for a tour and a presentation on a holistic view of security.

So I walked from the parking lot and came across a fence that was several meters high. There was a pedestrian gate in it, with an intercom. People were just walking from the other side, so I thought, I'll ask them. Because I was curious how they would react. It turns out that the gate wasn't locked at all. I was welcomed with a wide arm gesture and I was kindly shown where I had to report.

Is it really that easy to get in there? Well, fortunately it is not. You get a pass and with that you can go through a gate. After that, as a visitor, you can actually only go one way: to the reception building. And from there you are constantly accompanied.

October is traditionally security month. Many organizations – including ours – pay extra attention to security. One of the topics that we are putting in the spotlight this time is physical security. As an employee, you play a somewhat uncomfortable role in this. We want you to be a little less friendly. Intruders often enter because a friendly employee holds the door open for them. Most of the time, this doesn’t work at the entrances of our buildings, because you have to go through a swing gate. But think for a moment about those internal doors, which you have to open with a badge. Those secured doors are there for a reason: only authorized personnel should enter. Of course, you can hold the door open for someone you know belongs there, but for strangers, a friendly “Would you mind using your own badge?” is appropriate. And if you see someone walking around without a badge, you could just as kindly ask whether they have lost their pass, and if necessary, accompany them to the reception. I know this is difficult and that is why I am glad that this situation usually doesn’t arise. Usually, indeed. Maybe that is an extra reason to say something anyway if you see this.

Let's go back to the visit. The security manager first talked about the physical threats that a uranium enrichment plant has to deal with. You can easily figure out where those threats come from: criminals, terrorists and activists. The security measures are not that difficult either: fences, security guards, alarm systems. Then he went on to digital threats, in which the same actors play a role. And that's where the holistic ('all-encompassing') nature of their approach comes into play: the measures against cyber threats are of the same kind as those against physical threats. You have to look at it as a whole, because an attacker will not make a distinction between them either. He might try to disable the alarm systems via a virus or a hack, after which he gains physical access to the complex. And maybe he is not after uranium at all, but after data. In most organizations, crooks and spies will try to get the coveted data via the Internet, but in facilities like these, the really important data is air-gapped: there is literally air between the computers in question and the outside world, in other words: they are only attached to a strictly closed network. So you really need to get inside physically to reach it.

During that tour I came face to face with exactly the kind of installation that Stuxnet was all about: the centrifuges that enrich uranium in order to turn it into fuel for nuclear power plants. With Modderkolk's book in mind, this was quite a special moment. It really takes something to break those things. The oldest installation in Almelo has been running non-stop for forty years, without any maintenance. You can't find that in ICT.

Thanks to Urenco for the hospitality and to the Security Academy for the organization.

 

And in the big bad world…

 

2024-09-20

Fighting a losing battle

Image from Pixabay

My search yielded 359 documents. Admittedly, a few of them were about research into and lamentations about the phenomenon sought. But that still leaves about 350 documents in which colleagues had written it down without batting an eyelid: Welcome01.

In the past, if you had forgotten your password after the holidays, you had to call the helpdesk. You would often get Welcome01 as a new password. I went to talk to them and explained that that wasn't such a good idea. After all, everyone got the same password. The thought behind it was probably: this is easy for the user and after logging in for the first time, they have to set a new password anyway. But hey, if I have bad intentions and know in advance what someone else's new password will be, I can use that. The helpdesk came to its senses and switched to generated - and therefore unpredictable - passwords. This service was automated away years ago and that put an end to Welcome01.

But not really, judging by the results of my search. Incidentally, I knew in advance what I would find, because it remains a losing battle. We are an organization where applications and infrastructure are built. Of course, those things have to be tested. That’s often an automated process or at least a team effort. For testing, you need valid credentials. And precisely because testing is not a solitary activity, all team members who are involved must have the passwords of the test accounts. I get that. Two other things I do not understand: the password that is chosen, and the fact that I can find out about it.

Let's start with the first one: come on people, Welcome01! Can't you think of anything better? Yeah okay, it has a capital letter and no less than two numbers. Phew. The big weakness is of course the predictability of the password. There is a snicker when this password is mentioned, because we all know that it is used in so many places. Effectively it means that I know your password. And many others with me. You know that this is not what we want.

My second sneer is for the fact that I got hundreds of hits on my query. I don't have any special magic that gives me access to all information. That means that all those internal pages, where teams explain how and with what you can test all sorts of things, are not protected. And that anyone can access them. You're putting your house key under the flower pot, dear colleague.

Oh, they're just test accounts, you sigh. We would never do that in production! So why do it in test? It's a small effort to (a) have a decent password generated and (b) properly protect that password. It all comes down to attitude and behavior. Just as I'm convinced that secure behavior in your private environment radiates to work, I'm also convinced that your behavior in one environment influences your behavior in another; laxity on the left side easily leads to an "I'll just do it the same way on the right side" attitude when something needs to be fixed quickly. And when the problem is solved, everyone forgets that something still needed to be fixed.
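The two remedies in the paragraph above, generating a decent password and not leaving it lying around in plain sight, are easy to turn into working code. The script below is an added example, not the author's or the organization's tooling: it generates test-account passwords from a cryptographically secure random source, rejects the predictable "stem plus a couple of digits" family that Welcome01 belongs to, and audits a constructed wiki page the way the author's search did. The denylist of stems and the sample page are assumptions made for the example.

```python
import re
import secrets
import string

# Constructed denylist of predictable "starter" stems (an assumption for this
# example; a real list would be much longer, e.g. drawn from breach corpora).
PREDICTABLE_STEMS = {"welcome", "password", "changeme", "test", "admin", "qwerty"}

# A stem, optional separators, and up to four digits (Welcome01, test1234,
# welcome-2024!). This is exactly the shape that everybody can guess.
_STEM_RE = re.compile(r"^([a-z]+)[\W_]*(\d{0,4})[\W_]*$")

# Lines like "password: Welcome01" or "pwd = test1234" in a document.
_CRED_RE = re.compile(r"(?i)\b(?:password|pwd|pass)\s*[:=]\s*(\S+)")

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def is_predictable(password: str) -> bool:
    """True if the password is a well-known stem with at most a short digit suffix."""
    m = _STEM_RE.match(password.lower())
    return bool(m) and m.group(1) in PREDICTABLE_STEMS


def generate_password(length: int = 20) -> str:
    """Draw a password from a CSPRNG, requiring mixed case and a digit."""
    if length < 12:
        raise ValueError("length must be at least 12")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and not is_predictable(candidate)):
            return candidate


def audit_document(text: str):
    """Return (line number, password) for every predictable credential in a document."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _CRED_RE.finditer(line):
            if is_predictable(m.group(1)):
                hits.append((lineno, m.group(1)))
    return hits


# Constructed sample wiki page (not a real document).
SAMPLE_WIKI = """\
Test account for the API gateway
user: svc-test-gw
password: Welcome01
Staging database
pwd = test1234
Hardened example
password: 9xQ!vLp2#Rt7wB4m
"""

if __name__ == "__main__":
    print("replacement:", generate_password())
    for lineno, pw in audit_document(SAMPLE_WIKI):
        print(f"line {lineno}: predictable password {pw!r}")
```

The audit only catches the predictable family; the strong password on the last line passes, which is the point: it is the combination of a guessable value and an unprotected page that hands out the house key. Where that password lives (a secret store with access control rather than a wiki page) is the other half of the remedy and is not something a script can fix.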

In the past, it may not have been that bad. Back then, there was a strict separation between development and operations. With the advent of devops, that boundary has blurred: in many teams, all employees perform all activities – so both development and operations. And so they have to be able to access everything, right across the whole DTAP chain: the separate environments for development, testing, acceptance and production. But if you can access everything, then you can copy behavior from the 'less exciting' environments to the environment where it does matter. That makes us vulnerable.

The myth says that production data is only in the production environment. Yes, in the past we used test files that consisted of purely fictitious data. After a functional adjustment, the test data was adjusted or expanded. Nowadays, this is considered too laborious. And so (anonymized) production data is used. But it’s still production data. Combine that with the other myth that all employees are super reliable, and there’s your recipe for disaster. We like to look the other way when it comes to insider threat, but statistically speaking, every organization is entitled to a certain percentage of black sheep. Don't make it too easy for them. Let's agree that all those simple passwords will be replaced by something decent and that next week, I will no longer be able to access all those pages with passwords that I have open now.

 

And in the big bad world…

 

2024-09-13

Witches and dark patterns

 

Image from Pixabay

She’s called Magica De Spell, Miss Tick, or Gundel Gaukeley, only to mention a few international names of this Disney character, and she lives on Mount Vesuvius. She is the sworn enemy of Scrooge McDuck, because she wants to steal his Number One Dime to melt it in the lava of her volcano into an amulet that should give her unprecedented powers.

The name of this cartoon character comes to mind when I hear the term dark patterns. Not only because of the similarity in color, but also because they have a similar goal: secretly taking something from you for their benefit.

You encounter dark patterns every day when you go online and get one of those annoying cookie notifications. You have probably noticed that the button to agree to everything is often very prominent, while the option to deviate from it is really hard to find. Or you have to click very often because the option 'none' is missing. A dark pattern misguides the user in a certain direction and has you click on the most favorable option for that site, or entices you to make a purchase, or makes you provide more data than you should want. There are many forms of dark patterns. I will go through a few with you, and you will recognize them all. Incidentally, different sources use different names.

- Confirmshaming is a nice contraction of confirmation and shaming: when asked whether you want to order that delicious fresh food, the option 'no' is accompanied by an addition such as: "I'll have a microwave meal tonight".

- Another great term is privacy zuckering, which of course includes a reference to Mark Zuckerberg's Facebook. This is about sharing more personal information with your network than you would actually like.

- Maybe you wanted to download some software that you found on the internet. You clicked on that big green download button and got something completely different than what you wanted. You looked again and discovered that for the software you actually wanted, you should have clicked on a less obvious button. That's called disguised ads.

- “Book now! Only 3 rooms left!” If you’ve ever booked a holiday, you’ll probably be familiar with this one. It’s called fake scarcity. By pretending that the offer is about to expire, they want to entice you to make a quick decision.

- Sometimes you wonder if reviews are real. Reviews from fellow customers can help you make your choice, but if the provider himself is behind those cheering texts, then it is fake social proof.

- I ran into hard to cancel when a lottery offered a guaranteed “prize” in the first month if you would subscribe. I don’t like to leave free money behind, but I had planned to cancel after the first month from the start. Unlike getting in, getting out could not be done online; I had to call them, and after a long wait I got someone on the line who reacted rather grumpily to my cancellation.

- Another well-known form of dark patterns is called nagging. For example, you will repeatedly receive offers in an app to switch to the paid version, or to enable a certain function. Sometimes the rejection option takes the form of “maybe later”, which is like a promise on your part. The idea behind nagging is – as in real life – that you agree to something in order to get rid of it.

- Oh yes, preselection: the option "I would like to receive your newsletter" is already conveniently checked. Often there is more behind it - such as wanting to give you the feeling that other people also choose a certain option.

All this brings us to the question: is all this allowed? Well, that depends. Sometimes it is just smart marketing, as in the example of confirmshaming. The story is different if deception is evident, like with false reviews. The European Data Protection Board has published a report on this subject. Of course, the GDPR is discussed in it, because transparency is an important concept there, while the term dark patterns already indicates that transparency is hard to find. The GDPR also applies the principle of fairness: your data is processed in your interest and that is done in line with what you could reasonably expect. Privacy by default is also an important principle; all options that could infringe on your privacy must be turned off by default. The newsletter is an example where they didn’t comply with this rule, just like those pages where you can set cookie preferences and where everything is turned on.

Some things are allowed, even if they are not so nice or even unethical. Maybe you did not know that this phenomenon is called dark patterns and what world lies behind it. Now that you know, you might deal with it differently in the future. I myself like to get back at someone who wants to deceive me, by doing the opposite of what they want. Magica De Spell will not get my Number One Dime!

 

And in the big bad world…

 

2024-09-06

The hotel is not on fire

 

Image from Pixabay

BEEP – BEEP – BEEP. Capital letters can hardly convey the loudness of the alarm that went off as we sat eating breakfast in a hotel in Paris, our last stop on the way home. Capital letters are also too small to convey my surprise at what happened next.

That was, at first, nothing at all. People calmly continued nibbling on their croissants or sipping their coffee. I watched that for about three seconds, fascinated. Yes, I know that resignation in the office when the evacuation alarm goes off, but in a hotel I would have expected a bit more panic, or at least shocked looks; we all know the stories of burned-down hotels and their victims.

I urged my company to leave the hotel. Then, I first had to stop two family members from neatly clearing the table. Apparently, there is no button that switches from 'normal' to 'emergency' and ensures that your routine can be broken. But anyway, we could easily reach the exit of the breakfast room, simply because almost no one else wanted to do the same. While the noise of the alarm alone was enough reason to want to get out of there.

Now comes the part that I write with some shame. The way out led past the reception. From a distance the receptionist made it clear with broad arm gestures that we did not have to evacuate and that we could just continue with our breakfast. My shame lies in the fact that I turned around like a meek sheep, instead of asking how the receptionist was so sure that nothing was wrong. Of course it is possible that she knew what had triggered the alarm and that there was no reason to evacuate. The possible horror scenario was very different: there is a false alarm every now and then, so this time it will probably be nothing either. Just carry on.

That’s what they call cry wolf. If you keep shouting: "Watch out, a wolf!", while there's no such animal to be seen anywhere, then at some point people stop looking up. And if the fire alarm goes off several times a week for no apparent reason, then at some point the staff assumes that this time too, nothing is wrong. That can have fatal consequences. The funny thing is that everyone understands that - and does nothing about it.

Why did I go along with that? That is actually food for a psychologist and it is undoubtedly described extensively in hefty books, but if I may play the amateur psychologist for a moment: it must have something to do with power relations. That receptionist is a kind of an authority – she’s the face of the hotel, the one who tells you which room to sleep in and what time the breakfast room opens. And she stands behind a counter; that creates distance and underlines her authority. If someone like that says it's okay, then it is. But because of the possible horror scenario, I wish I had approached her and asked more questions.

That's how it works with computers, too. Warning messages are hardly read anyway - we know exactly where to find the click-away button. While there may well be a message among them that is more than worth reading, for example because it can make the difference between an organization that is paralyzed by ransomware and an organization that continues to work smoothly because you did take that message seriously.

Love must come from both sides here, too. If you are bombarded with all kinds of notifications, some of which are abracadabra to you, then I cannot expect you to respond appropriately in all cases. I often find less is more to be a hackneyed expression, but we might go a bit easy on those notifications, in order to give the really important ones the attention they deserve. And then I can expect you to take the time to read them and try to understand what you need to do.

Back to that hotel. At the office I know exactly where the emergency exits are and I have actually used them before, but at this unknown location it did not occur to me to look for one. No, we headed for the main entrance of the hotel. But the normal route is not always the best route. It can even be a route into danger instead of away from it. I hereby promise myself to be alert to that next time. Are you in?

 

And in the big bad world…

2024-08-30

Like a thief in the night

 

Image from Unsplash

The road was winding, hilly and above all pitch dark. I had lit all the front lights: low beam, high beam and wide beam. She appeared out of nowhere. A darkly dressed woman who walked in the middle of the other half of the road, her gaze directed downwards.

We were more or less used to foxes crossing the road in the Provence at night, but this was something else. You are scared stiff. As your hand reflexively goes to the horn, all sorts of things go through your mind: what is that crazy person doing there, what a relief that she was on the other side of the road, and that one question that would haunt me for days: how would this have ended if she had been on my side of the road?

There wasn't much time to think. Because a car was approaching from the other side. The driver had to be warned! There are two ways to do that: honk, and signal with your lights. I did both, and an old annoyance about operating the high beams came to the fore again: the lever has no clear click between signaling and locking the high beams. Which means that when you want to signal, you often lock the high beams instead. And that's how the message gets lost - alarming flashing becomes irritating blinding. Other cars do it better: there you pull the lever towards you to signal and push it away from you to lock the high beams. Incidentally, the other driver had understood that something was wrong, because they slowed down.

Unexpected things that require due haste will always happen. Sometimes you’ll trust your reflexes (braking for a child crossing the road), other times you’ll make a note that you have to look at it sometime (a rattle in the car). The desired reaction time depends on two aspects. One is the time factor: how much time do you have to avert the disaster, or to repair damage that has already occurred? The other is the impact factor: how quickly do you have to react to minimize the undesirable consequences of an event?

In the past few days the Netherlands has seen an event in the 'urgent' category: a malfunction in the Defence network NAFIN, which not only affected Defence itself, but also the rest of the country. Eindhoven Airport (also a military airbase) came to a complete standstill, the communication networks of the emergency services failed, municipalities could not issue driving licences and citizens could not log in to government services because the authentication service, DigiD, was not available. In short: the impact (even socially) was great and a quick recovery was very much desired. Of course we all want to know what caused this malfunction. The Minister of Defence reported on this: "The cause of the problem was in the access to the so-called Netherlands Armed Forces Integrated Network (NAFIN). Due to an error in the software code, a problem arose in the time synchronization on the network. As a result, it was not possible to connect to this network. There is currently no indication that the malfunction was caused by a malicious party."

The latter was said quite quickly, so quickly that I initially wondered whether it was not more of an incantation than reality. But now there is a plausible story: components of the network that wanted to connect to each other were denied access because their clocks were not running in sync; that is how I interpret the ministerial explanation. Compare it to a link that you get when you click on "I forgot my password" somewhere. Those links often have a limited validity period. If a clock is not set correctly somewhere, those links won’t work, no matter how quickly you get to it.
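The password-reset link in the comparison above can be run through end to end. The script below is an added example, not anything from the Ministry's statement or from a real reset service: it issues an HMAC-signed token with an issue time and a 15-minute expiry, then verifies that same token against verifier clocks that are in sync, slightly drifted, half an hour slow and half an hour fast. The signing key, the 60-second skew tolerance and the timestamps are constructed assumptions. It shows what the text describes: a perfectly valid link is refused as soon as the two clocks disagree by more than the tolerance, no matter how fast you click.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Assumption: in a real deployment the key comes from a secret store; this
# literal is a constructed placeholder for the example.
SIGNING_KEY = b"constructed-demo-key-not-for-real-use"

TTL_SECONDS = 900        # reset links stay valid for 15 minutes
MAX_SKEW_SECONDS = 60    # tolerate a minute of clock drift, no more


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_token(user_id: str, issued_at: int) -> str:
    """Build an HMAC-signed reset token carrying issue and expiry timestamps."""
    claims = {"sub": user_id, "iat": issued_at, "exp": issued_at + TTL_SECONDS}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    signature = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(signature)


def verify_token(token: str, now: int):
    """Return (True, user_id) or (False, reason); `now` is the verifier's clock."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        signature = base64.urlsafe_b64decode(sig_b64)
        claims = json.loads(payload)
    except (ValueError, binascii.Error):
        return (False, "malformed token")
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return (False, "bad signature")
    if claims["iat"] > now + MAX_SKEW_SECONDS:
        # The issuer's clock is ahead of ours by more than we tolerate.
        return (False, "issued in the future: clocks out of sync")
    if now > claims["exp"] + MAX_SKEW_SECONDS:
        # Either the link really expired, or our clock is ahead of the issuer's.
        return (False, "expired")
    return (True, claims["sub"])


def run_scenarios(t0: int = 1_700_000_000) -> dict:
    """Verify one token against verifier clocks that are in and out of sync."""
    token = issue_token("alice", t0)
    _, sig_b64 = token.split(".", 1)
    # Same signature glued onto a different subject: must fail the HMAC check.
    forged_payload = json.dumps(
        {"sub": "mallory", "iat": t0, "exp": t0 + TTL_SECONDS}, separators=(",", ":")
    ).encode()
    forged = _b64(forged_payload) + "." + sig_b64
    return {
        "in_sync":         verify_token(token, t0 + 30),
        "small_drift":     verify_token(token, t0 - 45),
        "verifier_behind": verify_token(token, t0 - 1800),   # verifier 30 min slow
        "verifier_ahead":  verify_token(token, t0 + 1800),   # verifier 30 min fast
        "truly_expired":   verify_token(token, t0 + TTL_SECONDS + 120),
        "tampered":        verify_token(forged, t0),
        "garbage":         verify_token("not-a-token", t0),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:16} -> {result}")
```

Note that a verifier running slow and a verifier running fast fail in different ways: a slow clock sees a link "from the future", a fast clock sees one that has already expired. Widening the skew tolerance would paper over both, but every second of tolerance is also a second longer that a stolen link stays usable, which is why keeping the clocks in sync is the real fix.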

The Minister of Justice and Security joined the discussion with a striking statement: “Get used to it”, was his much-quoted opinion. This ministry also includes the NCTV (National Coordinator for Terrorism and Security) and the NCSC (National Cyber Security Centre), so it is not just anyone who said this. Should we be concerned about this statement? Some think so, because it would mean that people at the highest levels do not see the seriousness of the situation. I myself think: hey, we have been used to it for a long time already, because things often go wrong and then they are simply fixed. However: most incidents do not have such a big impact. I can think of a few scenarios in our own organisation, for example, which would give us a bit more than the usual headache and could have a significant social impact. We would rather not get used to that.

The NAFIN malfunction had actually already been resolved, but this morning (Friday) it turned out that the airport police is still experiencing problems. If you are going to fly in the coming days, don't forget your passport. Because issuing an emergency passport is not an option for the time being.

 

And in the big bad world…
