2025-12-19

Wrong turns and right moves

 

Image from Unsplash

They had been to the Christmas market in Germany. Just half a minute from their school, the bus turned right. We cycled behind it, eyebrows raised. Why was that huge coach driving into this narrow street in the dark, with cars parked on both sides of the bend?

It soon became clear that this was indeed not a good idea. The left side of the slowly moving bus grazed a parked car. The next car was even dragged along a bit. The bus driver seemed unaware, because he kept going, inch by inch. This had to stop. I worked my way over the sidewalk to the front of the bus, making sure I didn’t end up wedged between two parked cars. I gestured and shouted at the driver. Hesitantly, he rolled down his window. ‘You’ve hit two cars,’ I said. ‘I’m completely clear,’ he replied, surprised. ‘No, you’ve hit two cars!’ Meanwhile, voices from the back of the bus chimed in: ‘Driver, you’ve hit something!’ Eventually, the driver put on the handbrake and came to take a look.

He couldn’t deny it: there wasn’t a molecule of air between his bus and that second car. I told him we already thought it was odd that a bus drove into that street. You know what he said? ‘I checked Google Maps, it showed cars parked on only one side.’ As if those satellite images are live!

Meanwhile, my wife rang the bell at someone she knew nearby, and soon the owners of the damaged cars were tracked down. A very young couple came out to inspect the damage: both cars were theirs. At least the insurance claim could now be sorted. But another problem arose: the bus was seriously stuck. The only solution was to move some parked cars. The students, whose school trip ended two hundred meters before their destination, had already been sent home. Later we passed one of them, a giant teddy bear strapped to the back of his bike.

We all take a wrong turn sometimes. Where wood is chopped, chips fly: mistakes are human. What really matters is how you deal with them. Do you flat-out deny the error (‘I’m completely clear’), try to shift the blame, or take responsibility?

If a crew member on an aircraft carrier loses a tool, the consequences can be huge: it can get sucked into a jet engine, and those don’t take kindly to that. A lost screwdriver can cost lives. If someone misplaces something, they must report it immediately, and everything grinds to a halt. The missing item is searched for urgently. And most importantly: the person who caused the incident is praised for reporting it. Not punished! That’s how you encourage error reporting. Punishment would only drastically reduce the willingness to report mistakes.

We’re all on a kind of aircraft carrier. A single employee’s mistake can have disastrous consequences. Think of an admin making a configuration error, or an employee who clicks that phishing link after all. Because our carrier is so big, there are even more ‘opportunities’ to make mistakes. In risk analyses, we pay a lot of attention to these kinds of errors, which aren’t caused by a malicious actor but by a colleague acting in good faith. We call these mistakes ‘oopsies.’

Sometimes a technical glitch can lead to an awkward conversation. A report landed on my desk about an employee who tried to do something that set off alarm bells. I asked him to explain. He came up with a rather strange story, but I managed to get it confirmed. The error was known, and a fix was in the works. It just goes to show you should always be open to unlikely outcomes. So you don’t end up making a mistake yourself.

Made a mistake? Report it. So worse can be prevented and we can learn from it.

Happy holidays! The next Security (b)log will appear next year.

And in the big bad world…

 

2025-12-12

Urgency and priority

Image from Unsplash 

Many of my colleagues are named Erik, and one of them came to me with something he thought might make a good blog topic. People sometimes assume I can turn anything into a story. Occasionally such ideas remain untouched, but Erik’s remark kept nagging at me.

"If you suddenly feel urgency now, then you didn’t choose the right priority back then," said Erik. That’s a fairly universal statement, not one limited to information security or IT. It applies to your private life too, for example in the Christmas season: if you’re ordering a Christmas gift today and discover it won’t arrive in time, then perhaps you should have left the vacuuming for later last week. The dust would still be there a day later, but that order was time-critical. Of course, there can be complicating factors; maybe you didn’t have the money for a gift last week. Or an important guest was coming and a clean house was a must.

In the past, we security folks often lamented that security only came into view at the very end of a project – if anyone thought of it at all. For years we argued that security should be included from the start. If you want a catchy term: we call this shift left – moving attention to the front of the timeline. Long ago (in the late nineties) we had a great mechanism for this: the ‘aspect meeting’. When a new project started, the project manager had to gather representatives of various aspects and explain what the project was about. Participants could then provide feedback and, most importantly, ensure their aspect got proper attention. For example, by supplying policy documents and explaining how they should be applied in the project. This way, as an aspect representative, you could make sure your interests were considered. That meeting format was one of the best I’ve ever known.

Has much changed since then? Yes and no. There are now far more IT professionals who understand the importance of information security. A lot more. On the other hand, shift left still hasn’t happened everywhere. My colleagues in the Security by Design program are working hard to make it happen. They do this by teaching teams how to do it. Because here too, the old wisdom applies: it’s better to teach someone to fish than to give them a fish – at least if survival is the goal. Furthermore, procurement processes have taken a good turn. As I wrote a few weeks ago, we have a ready-made set of security requirements prepared and, just as importantly, the buyers are aware of the Security Functionals Directive.

It’s not just Erik – there are plenty of Edwins, too. Yesterday I spoke to one, and the conversation was quite interesting. This Edwin had requested an exemption from a certain rule. Because I didn’t understand something in the motivation, I called him. Besides explaining the situation, he shared his view on exemptions. In his opinion, they’re granted far too easily. Teams should make more effort to stay within the lines, Edwin thought. I wholeheartedly agree, and that’s why we always scrutinize deviations carefully. However, we also deal with a multitude of systems and platforms, from cutting-edge to legacy. And especially in that latter category, we sometimes hear: what you want simply isn’t possible for us.

Sometimes that’s too easy. What they really mean is: we assume it won’t work. But if you bring together people from different disciplines, something beautiful can happen. Like: "Oh, but if you can set it up that way for us, then we can do this and that on our side, and then it fits within policy!" We try to help people take that extra step. But feel free to beat us to it. For example, by not just assuming something can’t be done.

Back to Erik. He teaches us that good planning prevents later trouble. Because when something becomes urgent, you often depend on others, who may think: poor planning on your part does not constitute an emergency on ours. Or it simply doesn’t fit into their own workload to help you out immediately.

Avoid urgency, plan well. Order that gift now.

And in the big bad world…

 

2025-12-05

A Positive Sign

Photo by author

A long time ago, a quiet revolution unfolded on Dutch streets. Traffic signs disappeared – they weren’t stolen, but officially removed and replaced by others that had exactly the same effect.

The new Dutch Traffic Rules and Signs Regulation was introduced 35 years ago. The idea was to get rid of certain prohibition signs and replace them with mandatory ones. So, for example, the sign ‘no right turn’ vanished and was replaced by ‘mandatory straight ahead or left turn.’ The foundation for this was laid back in 1968 by the Vienna Convention on Road Signs, aiming for globally (roughly) the same traffic signs. You can guess why. Within Europe, uniformity is okay-ish, though I wonder if foreigners understand our sign for a narrowed or interrupted emergency lane, just to name one. While we, abroad, have no trouble understanding a simple ‘no right turn.’

Then I stumbled upon this sign in a foreign restaurant. On the trash bin, it says you must not flush paper towels down the toilet. I’ve said it before: don’t tell me what I can’t do – tell me what I should do. But there’s more: the placement of the text is odd. The sign is on the spot where you’re supposed to bring your trash. I’d expect it near the toilet bowl. Better yet, change the text to: “Throw your paper towels in here.”

Since we’re in the sanitary zone: in some places, you’re not even allowed to flush toilet paper. You’re expected to toss used paper into an often open bin, because otherwise the pipes might clog. Sometimes even I struggle with rules.

In my field, we could also be more consistent with positive messaging. So, rather “keep your password secret from everyone” than “don’t share your password.” Or: “If you want this done, then do it this way” instead of “you’re not allowed to do that.” The message isn’t just more positive – it immediately offers a solution. People appreciate that. I’ll pay extra attention to this in the coming weeks. And it’s not just my field: positive messaging helps achieve goals everywhere.

Sadly, you can’t apply this principle everywhere. You can’t just remove every ‘no parking’ sign and replace them with signs showing where you may park. And sometimes you find truly odd signs. Drive along the A73 highway near Swalmen (Netherlands), exit the tunnel, and there’s an emergency bay. There you’ll see a round white sign with a red border, a black P in the middle, and a diagonal red slash. The meaning is clear, but why on earth use a non-existent sign? Did the Dutch road authority have such bad experiences with the regular ‘no parking’ sign that they invented a fantasy version?

Communication isn’t easy. Let’s all stay sharp and improve unclear, question-raising messages. Information security is hard enough. (And yes, so is traffic.)

And in the big bad world…

 

2025-11-26

A tempting side hustle

Image from Unsplash

 

“Dear Patrick, I’d like to point out a super interesting high-tech opportunity to you!” Or: “We’re impressed by your profile. How open would you be to learning more?” Those were in my own language, but they also come in English: I’m working on an exciting opportunity for an Information Security Team Lead role. Would you be open to a quick chat this week to discuss further?

Headhunters work on behalf of companies to find candidates for hard-to-fill positions. If I ever wanted to work elsewhere, I wouldn’t even need to start looking; potential employers reach out to me regularly. This mostly happens via LinkedIn, because that’s where your professional profile is up for grabs.

It’s not just companies trying to connect with professionals. Criminal organizations also attempt to recruit new people. Not via LinkedIn, but through platforms like Telegram – a space where criminals feel right at home.

They don’t want you to come and work for them. In fact, they want you to stay exactly where you are. You only need to do one thing: give them access to your organization’s systems. They’ll handle the rest. Besides an attractive reward, you’ll probably get a few extra days off. Because their ultimate goal is to infect your organization with ransomware. Usually, everything grinds to a halt, and work can’t resume for weeks. Recently, Jaguar Land Rover’s global car production was down for three weeks. The financial damage is estimated in the hundreds of millions. Earlier this year, a German napkin manufacturer had to file for bankruptcy after two weeks of lost revenue.

Cybercriminals need initial access – a digital foot in the door. Phishing is a tried-and-true method, but now active recruitment is happening too. And it’s highly targeted. A certain ransomware gang is currently looking for employees in finance, insurance, and travel. Hospitality, the automotive industry, and oil companies are also on their radar. They’ll tell you not to worry about criminal prosecution because they take great care of their insiders; they promise to handle your login credentials discreetly. According to them, the worst that can happen is you’ll get fired. “Don’t listen to those clueless security people – they have no idea what they’re talking about!”

Handling your login credentials discreetly? Sounds nice, but that’s only half the story. You can’t exactly work anonymously – much of what you do is logged. Logs will show: user xyz performed this action on that date at that time. If there are serious indicators, there are extensive ways to hunt down the suspected culprit. And we’ll gladly use them.

It may look like easy money, but don’t be fooled. You won’t get away with “that wasn’t me” when your user ID is in the logs. That’s exactly why you should never share your password with anyone – not even a colleague. Because what if that colleague falls for a Telegram message and hands over your credentials? Such a reckless move could cost you not only your current job but your future career. Who wants to hire someone who got fired for that reason?
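To make the attribution point above concrete, here is an added example in Go. It is my code, not the blog’s and not the tooling of the author’s organization. It parses a few constructed audit-log lines, answers the question “which user ID performed this action”, and applies one common indicator that a password is being used by more than one person: the same account logging in from two different workstations within minutes of each other. The log format, the user IDs xyz and abc, the hosts, the actions and the thirty-minute window are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one audit-log record: who did what, from which workstation, and when.
type Event struct {
	When   time.Time
	User   string
	Host   string
	Action string
}

// SampleLog is constructed for this example; user IDs, hosts and actions are made up.
const SampleLog = `2025-11-24T08:02:11Z user=xyz host=ws-0142 action=login
2025-11-24T08:05:40Z user=xyz host=ws-0142 action=open ticket=4711
2025-11-24T08:07:03Z user=abc host=ws-0310 action=login
2025-11-24T08:09:55Z user=xyz host=ws-0881 action=login
2025-11-24T08:10:30Z user=xyz host=ws-0881 action=export file=customers.csv
2025-11-24T17:31:02Z user=abc host=ws-0310 action=logout`

// ParseLog turns "timestamp key=value ..." lines into events sorted by time. Lines that
// lack a timestamp, user or action are rejected rather than silently dropped: a log
// that cannot be read is itself a finding.
func ParseLog(text string) ([]Event, error) {
	var events []Event
	for n, line := range strings.Split(strings.TrimSpace(text), "\n") {
		fields := strings.Fields(line)
		if len(fields) < 2 {
			return nil, fmt.Errorf("line %d: too few fields", n+1)
		}
		when, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		ev := Event{When: when}
		for _, kv := range fields[1:] {
			k, v, ok := strings.Cut(kv, "=")
			if !ok {
				return nil, fmt.Errorf("line %d: field %q is not key=value", n+1, kv)
			}
			switch k {
			case "user":
				ev.User = v
			case "host":
				ev.Host = v
			case "action":
				ev.Action = v
			}
		}
		if ev.User == "" || ev.Action == "" {
			return nil, fmt.Errorf("line %d: missing user or action", n+1)
		}
		events = append(events, ev)
	}
	sort.SliceStable(events, func(i, j int) bool { return events[i].When.Before(events[j].When) })
	return events, nil
}

// WhoDid answers the attribution question from the post: which user IDs performed
// this action, in time order, each user listed once.
func WhoDid(events []Event, action string) []string {
	seen := map[string]bool{}
	var users []string
	for _, ev := range events {
		if ev.Action == action && !seen[ev.User] {
			seen[ev.User] = true
			users = append(users, ev.User)
		}
	}
	return users
}

// ConcurrentLogins flags an account that logs in from a second workstation within
// window of a login from a different one. That is an indicator, not proof, that a
// password has been shared; it is the kind of signal that starts a conversation.
func ConcurrentLogins(events []Event, window time.Duration) map[string][]string {
	lastLogin := map[string]Event{}
	flagged := map[string][]string{}
	for _, ev := range events {
		if ev.Action != "login" {
			continue
		}
		if prev, ok := lastLogin[ev.User]; ok && prev.Host != ev.Host && ev.When.Sub(prev.When) <= window {
			flagged[ev.User] = append(flagged[ev.User],
				fmt.Sprintf("%s then %s within %s", prev.Host, ev.Host, ev.When.Sub(prev.When)))
		}
		lastLogin[ev.User] = ev
	}
	return flagged
}

func main() {
	events, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Println("export performed by:", WhoDid(events, "export"))
	for user, hits := range ConcurrentLogins(events, 30*time.Minute) {
		fmt.Printf("%s: %v\n", user, hits)
	}
}
```

Run with go run: the export of customers.csv is attributed to xyz, and xyz is also flagged for logging in on ws-0881 less than eight minutes after logging in on ws-0142. Whether that is a shared password, a walk to another desk without logging out, or a remote session is exactly the question the manager gets asked; the log only provides the starting point.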

Better listen to the advice of one of those “clueless security people” and steer clear of such practices. If financial trouble tempts you, seek help instead.

Because of a few days off, this blog appears earlier than usual.

And in the big bad world…


…I unfortunately didn’t have time to fill this section this week.

 


2025-11-21

Micro-awareness

Image from Unsplash

What grabs your attention first? A newspaper article buried on page seven, or a similar message in a personal email that even addresses your specific situation? The question answers itself, doesn’t it?

As an information security officer, you have a tough message to convey. There are all sorts of rules designed to ensure the confidentiality, integrity and availability of the data entrusted to us. Maybe those terms alone make you break out in a cold sweat. Let alone having to implement measures to comply with those rules – say, in a project. And then those measures get in your way because you can’t do something the way you envisioned. Even if you understand why it’s necessary, it’s hardly pleasant. And it’s a page-seven story: you just hope your audience sees it.

A personal email, on the other hand, always gets through. I’m talking about the kind of email we send to a team manager, telling them that an employee did something against security policy. In other words: someone broke the rules and needs to be addressed. We do this via the manager because they know the employee. Ideally, they can judge the response better than anyone else – and whether our report might be a puzzle piece in a bigger picture, possibly pointing to subversion.

Employee reactions vary from genuinely shocked (‘Oh wow, that was dumb!’) to businesslike (‘Here’s what happened’) to – on rare occasions – defensive-aggressive (‘I’m allowed to do this!’). In most cases, the response closes the report. There’s a plausible explanation, and no further action is needed. Sometimes I ask a clarifying question; you don’t want someone to get away with smoke and mirrors.

This approach turns out to be highly effective for boosting security awareness. I call it micro-awareness: focused on one person or team, and one specific observed fact. It’s almost unheard of for someone who received such a message to pop up again later. That personal attention really works.

Micro-awareness also reinforces the idea that the warning you see when logging in isn’t just empty words. You know, the one saying access is for authorized personnel only and you may only do what you’re allowed to do. Monitoring is real. It’s automated, and only when something pops up that deserves closer attention does a human take a look. We’re an organization with big stakes, and those stakes need protection.

Unfortunately, we have to consider insider threat. I know, all colleagues are incredibly trustworthy; most of us couldn’t name a single one who isn’t. And yet, in a large organization, statistics guarantee a certain percentage of bad apples. Plus, circumstances can turn a model employee into a risk. I dealt with that earlier this year (things went missing), and I can tell you it’s unpleasant for everyone. I might be the first to link that incident to insider threat. Maybe it could have been avoided if the organization were more aware of this often-overlooked phenomenon (and that’s not a blame game; it’s something we need to work on).

If there’s micro-awareness, then logically there’s macro-awareness. Those are the page-seven stories. Not necessarily in the newspaper, but maybe on the intranet or in presentations. Not everyone reads them, not everyone attends. The ones who do are interested in what you have to say. But you’d love to reach the ones who don’t show up.

The Security (b)log is also a form of macro-awareness. Loyal readers know it usually starts with an everyday situation and then twists toward information security. Wrapping a serious message in an appealing package helps. And honestly, it’s a lot of fun to do.


And in the big bad world…

 


2025-11-14

Don't book here

Image from Pixabay

During the autumn break, we wanted to get away for a bit with the whole family. Being as critical as we are, we embarked on an extensive search for a suitable house in a nice location. Eventually, we found what we were looking for on a booking site. Since we had booked there before, we thought we were all set. Things turned out differently.


The day after booking, I received eight messages within an hour and a half from a company I had never heard of; let’s call it Don’tBookHere. The emails were about my booking, with subjects like ‘payment failed’, ‘request for payment of deposit’ and ‘activate your customer account’. And they also wanted a copy of my passport. Although these messages all came through the booking site’s messaging system, I was highly suspicious. As mentioned, we’re regular customers there and have never been contacted by a third party before. The payment was already settled, and the deposit is normally paid on-site. Moreover, the deposit was a whopping seven hundred euros – exorbitantly high. And there was more. The messages mentioned three different internet domains: dontbookhere.eu, dontbookhere.be, and dontbookhere.es (Europe, Belgium, and Spain). In addition to the name Don’tBookHere, the name Don’tInvestHere also appeared. My suspicion escalated further.

Of course, I called the booking site. Long story short: the messages were legitimate. The only incorrect part was the message saying I still had to pay the rental amount. But I was reassured: I didn’t need to worry about that and didn’t need to fear cancellation (which Don’tBookHere had threatened). They had contacted the local landlord – which turned out to be Don’tBookHere – and sorted it out.

Great, you might think, nothing to worry about. But I still had to do almost everything mentioned in those messages. So, I had to create a customer account with Don’tBookHere and check in each family member separately, including all passports. Naturally, I didn’t just send the passports; first, I blacked out various details, including the photos. Then I got feedback: we need the photo, otherwise you can’t receive the key. Since that sounded plausible, I sent them a new scan of my own passport with the photo visible. Incidentally, the man who handed me the key had a copy of my passport with the photo blacked out. And he enthusiastically asked if I was Patrick. It would have been very easy for a villain to snatch the key right in front of me.

As long as legitimate companies keep doing things that criminals also do, it remains difficult to make people aware of risks. You can’t simply say: if you see this or that, it’s always a scam. No, you have to allow for false positives: incorrect signals that something is wrong. So you have to explain: look, if you see something like this, it could be a scam, but it doesn’t have to be; ultimately, you have to decide whether you trust it or not. That sounds much less convincing and often causes uncertainty rather than truly helping.

We see the same with phishing. We say: watch out, if an email doesn’t have a personal greeting but starts with something like ‘Dear customer’ or ‘Hello!’ (or no greeting at all), then be careful. Because criminals sending phishing emails usually only have your email address and don’t know your name. But just now, I received a perfectly legitimate email in my private inbox that greeted me with ‘Dear customer.’ Are these companies just too lazy to use my name? Or does it involve high costs? I looked into it for you.

As for those costs: it depends. With a modern email system, the costs are negligible. However, if you have an old, proprietary system where personalization wasn’t built in, you need to modify the software, and that costs money. Furthermore, many companies don’t have correct data. If they send you an email with ‘Dear {customer name},’ or greet me as ‘Dear Mrs. Borsoi,’ that undermines customer trust. Cleaning up that data is laborious and therefore expensive. There are also companies that deliberately choose a generic greeting to reduce the impact if the email is intercepted (less data leakage). In that case, the generic greeting is actually a privacy measure.

And yes, there are also companies that simply can’t be bothered to greet you properly. My message to them: make an effort and help in the fight against phishing!


And in the big bad world…

 

2025-11-07

Digging holes

Image from Pixabay

"Trenchless technology," it said on the company van. That instantly had my full attention—if you advertise your business with something you don’t do, I immediately wonder: what else don’t they do? But more importantly: what do they actually do?

It was a van from VLTT, short for Van Leeuwen Trenchless Technology. A company founded in 1969 by two brothers. Their craft is drilling. They drill under roads, railways, waterways, and underground infrastructure to install pipes and conduits underground. And they do it without digging trenches. The street doesn’t need to be opened when VLTT lays a pipe.

If it were my company, I’d include something in the name about what I *do* do. Something like Van Leeuwen Drilling (VLD). Because, well, I also use a lot of trenchless technology. In fact, I hardly do anything else. Right now, I’m trenchlessly typing a blog, and when I looked at security incidents yesterday, I did dig through the available data—figuratively—but no actual digging was involved. Anyway, you get my point: tell me what you do, not what you don’t do. By the way, I think Elon Musk’s tunnel-digging company has a brilliant name: The Boring Company. Although I wonder if the employees enjoy telling people at parties that they work for a “boring” company.

In my field, we also use tunnels. These come into existence without digging, even without drilling. All you need is some math. Or more specifically: cryptography. Those tunnels are secure connections over a public network. That public network is often the internet. If you use it to connect to your company—like I’m doing now, working from home and connected to our data center via the internet—you don’t want your data traffic to be intercepted along the way. That’s what a VPN, a Virtual Private Network, is for: a cryptographic tunnel. It’s even a single-person tunnel; only you use that specific tunnel. Reminds me of that time we traveled through the U.S. in a camper. In Zion National Park, we had to go through a tunnel, but due to its round shape, the camper wouldn’t fit. Rangers stopped traffic on the other side and urged me to drive exactly along the center line. Only then would the camper fit through. But I digress.

Because only you use that tunnel, the confidentiality of the data traffic is ensured. But those tunnels can do more: during setup, it can be checked whether you’re even allowed to establish a tunnel to that destination, and whether the destination is actually legitimate. Both endpoints of the tunnel are authenticated: their identities are verified. Setting up the tunnel involves digital certificates; think of them as passports, issued by an authority that both sides trust. And you need a protocol, an agreement on the “language” you speak. Examples include TLS (the successor of SSL), IPsec and OpenVPN, which itself runs on top of TLS. One caveat: in many deployments only the server side proves its identity with a certificate, while the user is authenticated separately with a password and a second factor. A tunnel that demands a certificate from both sides (mutual TLS, or certificate-based IPsec) refuses an anonymous client before any data flows.
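As an added example of what “both endpoints are authenticated” means in practice (my code, not the blog’s and not the organization’s VPN), here is a Go program that acts as its own tiny passport office: it issues a root certificate, a server certificate and a client certificate, then sets up a TLS 1.3 tunnel over the loopback interface in which the client verifies the server’s certificate and name, and the server demands and verifies the client’s certificate. Run once more without the client certificate, the tunnel is refused. The names vpn.example.test, employee-4711 and root-ca.example.test and the in-memory CA are assumptions for the example; a real VPN uses an enterprise PKI, and the private keys live in a hardware token or the operating system’s key store rather than in a process.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

const serverName, clientName, caName = "vpn.example.test", "employee-4711", "root-ca.example.test" // hypothetical

var serial int64 // serial-number counter for our in-memory "passport office"

// newCert makes a key pair plus certificate for cn. With ca == nil the result is a
// self-signed root; otherwise ca signs it, the way a state issues a passport.
func newCert(cn string, eku x509.ExtKeyUsage, ca *tls.Certificate) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku},
	}
	if ca == nil { // a root signs itself and is allowed to sign others
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		ca = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Leaf, &key.PublicKey, ca.PrivateKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// Exchange sets up one tunnel between an in-process server and client and returns the server
// identity the client verified plus the server's reply; without a client certificate it errors.
func Exchange(withClientCert bool) (serverCN, reply string, err error) {
	var ca, srv, cli tls.Certificate
	if ca, err = newCert(caName, x509.ExtKeyUsageAny, nil); err != nil {
		return "", "", err
	}
	if srv, err = newCert(serverName, x509.ExtKeyUsageServerAuth, &ca); err != nil {
		return "", "", err
	}
	if cli, err = newCert(clientName, x509.ExtKeyUsageClientAuth, &ca); err != nil {
		return "", "", err
	}
	pool := x509.NewCertPool() // the trust anchor both sides share
	pool.AddCert(ca.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{srv}, ClientCAs: pool, MinVersion: tls.VersionTLS13,
		ClientAuth:   tls.RequireAndVerifyClientCert, // demand and check the client's passport
	})
	if err != nil {
		return "", "", err
	}
	defer ln.Close()
	go func() { // server side: one connection, then tell the client who it saw
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		tc := c.(*tls.Conn)
		line, err := bufio.NewReader(tc).ReadString('\n') // handshake runs here; no valid client cert, no tunnel
		if err != nil {
			return
		}
		peer := tc.ConnectionState().PeerCertificates[0].Subject.CommonName
		fmt.Fprintf(tc, "hello %s, you said %q\n", peer, strings.TrimSpace(line))
	}()
	cfg := &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS13}
	if withClientCert {
		cfg.Certificates = []tls.Certificate{cli}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg) // verifies the server's passport and name
	if err != nil {
		return "", "", err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	serverCN = conn.ConnectionState().PeerCertificates[0].Subject.CommonName
	fmt.Fprintln(conn, "ping")
	if reply, err = bufio.NewReader(conn).ReadString('\n'); err != nil {
		return "", "", err
	}
	return serverCN, strings.TrimSpace(reply), nil
}
```

Calling Exchange(true) returns the verified server name vpn.example.test and the reply hello employee-4711, you said "ping"; Exchange(false) returns an error. One detail worth knowing: in TLS 1.3 the client finishes its half of the handshake before the server has looked at the client certificate, so the refusal does not surface in tls.Dial but on the first read from the tunnel. Code that treats a successful Dial as proof of a working tunnel is therefore wrong.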

If you use digital certificates, you’re using so-called asymmetric cryptography: RSA, elliptic-curve signatures and Diffie-Hellman key exchange. This form of cryptography is especially threatened by the quantum computer. A sufficiently large one could run Shor’s algorithm and recover the private key from the public key, which breaks both the authentication and the key exchange of your VPN tunnel; the symmetric encryption of the traffic inside the tunnel is far less affected. And the threat isn’t only in the future: traffic recorded today can be decrypted once such a machine exists (“harvest now, decrypt later”). So the protocols must be made quantum-proof in time. That’s being worked on worldwide with great urgency: NIST published its first post-quantum standards in 2024, and TLS implementations are already rolling out a hybrid key exchange that combines a classical curve with ML-KEM. But organizations must take action themselves to inventory and migrate everything that depends on asymmetric cryptography. That takes a lot of time, probably more time than we have. So there’s urgency.

Still, that term keeps nagging at me. And what do you know? “Trenchless technology” has a Wikipedia page in six languages! My surprise was simply due to ignorance. It’s not uncommon for a field to invent a term that’s not understood outside of it. Back in the day, there were computer terminals that didn’t use a screen but a printer; they were essentially printers with a keyboard. Some fellow students called them “write-printers.” It didn’t make much sense, but we knew what they meant. And that’s what matters.


And in the big bad world…

 
