2026-01-23

Going up

Image from Unsplash

In 1981, we went on holiday to the Costa del Sol. We rented a distant cousin’s apartment for a friendly price, in a building right on the beach of Torre del Mar. That building had an elevator, and that elevator is what I want to talk about. Because it was quite special.

It had no memory. If you wanted to ride it, you pressed a button like with any elevator. But if the elevator was already on its way to another floor, it simply ignored you. You had to press the button again once the ride was finished, and then hope that no one else beat you to it. It could take quite a while before you managed to catch the elevator. And I don’t remember exactly, but I think the buttons inside the elevator had priority over the ones on the floors. Otherwise you might never reach your destination.

So this was an elevator for which it actually made sense to keep pressing the button. But with all modern elevators, ladies and gentlemen, that is completely pointless. Your request is registered, and sooner or later an elevator will come. Repeated pressing only leads to wear on the button. And, perhaps needless to say: only press the button for the direction you want to go, so press the down arrow if you want to go down. If you press the other arrow as well, there’s a good chance you’ll be taken in the wrong direction – to your own annoyance.

Waiting is rarely enjoyable, so we try to shorten waiting times. Sometimes we do things we know won’t help. The same is true when you’re sitting impatiently behind your computer. It doesn’t respond quickly enough, so you try again. That doesn’t help. In fact, it works against you: the computer has to spend attention on your repeated actions, and that costs capacity (though nowadays you barely notice it; in the past, that was quite different).

The power of advertising lies in repetition, according to an old marketing maxim. That’s why you see and hear some ads over and over until they become annoying. But in my field, they’re also quite good at it. At conferences and conventions, we’ve been told for years that we all need to collaborate to create a safer world. Occasionally you’ll see a good example of such cooperation at an event, but in my view, it often remains empty rhetoric. But yes, no one can oppose defeating the common enemy together, so the theme is pulled out of the closet year after year. As far as I’m concerned, a conference only needs a name; a theme is optional. But it doesn’t really matter – as long as the content is good, and fortunately that is often the case.

This week, I attended yet another together-we-can-do-it conference. And once again, the theme fortunately didn’t get in the way of the content. The head of the Dutch Military Intelligence and Security Service came to tell us that we cannot trust the Russians, and the CISO of Hema showed an AI-generated picture of chains of smoked sausages hanging in the store*, to illustrate the weakest-link mantra; I’ve forgotten most of the content of her talk, but what made an impression on the audience was that in her previous role – because of that role – she had been threatened both physically and digitally. That’s something you don’t even want to imagine.

The best talk came from my cyber hero Mikko Hyppönen from Finland. After a career spanning decades in cybersecurity – he started out as a virus analyst – he recently and to his own surprise made a switch to the defense industry. He no longer analyzes computer viruses but military drones. The war in Ukraine – ‘in the heart of Europe,’ as Mikko put it – pushed him in that direction. Because these drones cause so many casualties, he has made it his mission to help bring these weapons down. And just like with malware, this is a cat-and-mouse game. Classic drones can be tackled via the radio signals used to control them. Five percent of the drones now seen on the battlefield trail a fiber-optic cable of up to twenty kilometers (twelve miles) behind them, meaning no radio signals are needed. And more modern drones aren’t controlled by humans at all anymore, but by AI. And how do you fight that? Exactly: with AI-driven drones.

There are elevators where you don’t press an arrow, but instead enter the floor you want to go to. The computer then calculates which passengers can best be grouped together and assigns everyone an elevator. Then no one ever has to doubt whether the elevator knows they want to ride along.

*: Hema is a Dutch department store. They’re famous for their smoked sausages.

And in the big bad world…

2026-01-16

Sigh

Image from Unsplash

Pssst… Can you keep a secret? I hand you a sealed envelope with a name on it. The secret is inside. You are not allowed to look into the envelope yourself. When the person whose name is on it shows up, you give them the envelope. They look inside, seal it again, and hand it back to you. You keep it until next time. And you do absolutely nothing else with it.

This is roughly how things work when two computer systems communicate in many cases. For example because one system runs a program that needs data stored on another system. System A must then log in to system B, because of course not everyone is allowed to retrieve those data – another computer system included. In the first paragraph, you stored an envelope; system A has a digital equivalent: a digital vault. It stores the password in encrypted form. When A needs to retrieve data from B, it takes the password from the vault, decrypts it, and uses it to log in to B.

The key idea is that no human is involved. And that no human ever sees the password. Which means nobody can misuse A’s account. Just like you didn’t peek into the envelope, no one ever sees the decrypted password. At least, that’s the idea. Some time ago a colleague sent me an email with the subject line: SIGH… He had discovered that someone secretly looked inside the envelope – or its digital equivalent: manually decrypted the password. And then tried to manually log in with that account ‘just to see if it works’. While such an account is really a machine-to-machine account: meaning it is intended for one machine (A) to log in to another (B).

That sigh on the subject line meant something like: do they still not get it? Mind you, we are talking about administrators and developers doing this. You would expect them to understand how it works. That opening an envelope addressed to someone else is simply not allowed. And that manually logging in with a machine account is also not allowed. The sigh was also because this was certainly not an isolated incident. It happens far too often. And that undermines our security. You might ask why this is even possible. But that’s not the point here. Of course, it shouldn’t be possible, but right now it simply is.

If you see a bench in the park with a sign saying WET PAINT, do you touch it to check if it really is? Why would you? You risk getting paint on your fingers and the bench won’t look any better. Most people understand that you're not supposed to touch it. The same goes for those encrypted passwords. That something is possible does not mean it is allowed, or wise.

Deep down you know that. But just to be safe, another call to everyone who sometimes takes things a bit too lightly: don’t do it. If only because my sighing colleague is getting grey hairs from it, and because I end up writing in astonishment about something I thought you would understand by now. And of course I’m grateful for all those colleagues who simply do things right <3
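One way a defender can notice the envelope being opened, as an added example that is not part of the original post: a small audit over constructed log lines that flags any use of a machine-to-machine account outside its expected logon type and source host, failed attempts included. The account names, host names and log format are assumptions made up for this illustration.

```python
"""Flag manual use of machine-to-machine accounts in constructed audit logs.

Added example, not part of the original post. The log format, account names
and host names below are assumptions invented for this illustration.
"""
import re
from dataclasses import dataclass

# Assumed policy: each machine account may only ever be used from the one
# host (system A) that holds it in its vault, and only with the logon type
# that vault-driven use produces. Anything else is a human with the password.
MACHINE_ACCOUNTS = {
    "svc_a_to_b": {"host": "system-a", "logon_type": "service"},
}

# Assumed log line shape: "<timestamp> user=<u> logon_type=<t> host=<h> result=<r>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) logon_type=(?P<logon_type>\S+) "
    r"host=(?P<host>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    reason: str


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(lines):
    """Return a Finding for every log line where a machine account is used
    in a way its policy does not allow. Failed logons are reported too,
    because a 'just to see if it works' attempt is exactly what we want to see."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        policy = MACHINE_ACCOUNTS.get(ev["user"])
        if policy is None:
            continue  # a human account; out of scope for this check
        if ev["logon_type"] != policy["logon_type"]:
            findings.append(Finding(ev["ts"], ev["user"],
                f"machine account used with logon_type={ev['logon_type']}"))
        elif ev["host"] != policy["host"]:
            findings.append(Finding(ev["ts"], ev["user"],
                f"machine account used from unexpected host {ev['host']}"))
    return findings


# Constructed sample log: one legitimate vault-driven logon, one human logon,
# then the same machine account used interactively and from a workstation.
SAMPLE_LOG = """\
2026-01-12T02:00:01Z user=svc_a_to_b logon_type=service host=system-a result=success
2026-01-12T09:14:33Z user=alice logon_type=interactive host=ws-0042 result=success
2026-01-12T09:20:07Z user=svc_a_to_b logon_type=interactive host=ws-0042 result=success
2026-01-12T09:21:49Z user=svc_a_to_b logon_type=service host=ws-0042 result=failure
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.user}: {f.reason}")
```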

*: There are alternatives, but I leave those aside here.

And in the big bad world…

2026-01-09

Boom

Image from Unsplash

Surely no one thought: come on, it’s the last time it’s allowed, let’s do something extra dangerous with fireworks. This blog is not the place for a debate for or against fireworks, but from my perspective there are a few interesting observations to be made. So here we go, blasting our way into the new year once again!

Even though it will not have been intentional, this time it was worse. Let’s start with some figures. There were 1,239 fireworks-related injuries in the Netherlands – no less than 7% more than during the previous New Year’s Eve. More than half of the victims were under the age of twenty. Many children were seriously injured when they tried to relight unexploded fireworks. About half of all victims did not even set off the fireworks themselves; they were merely bystanders. Emergency departments were 29% busier, treating 474 people. GP out-of-hours services were slightly quieter; with 765 patients, they saw 4% fewer cases than last year. One third of the injuries involved eye damage. Fourteen children lost a hand or finger(s), almost all due to illegal fireworks, which accounted for just under half of all injuries. And then there were those two fatalities, too.

All this suffering could, of course, have been easily prevented. All it would have taken is a low risk appetite. That term is very common in my profession, but not so much in daily life. Why is that? Because in a business environment you can usually reason quite rationally about the risks you are prepared to accept, whereas people who set off fireworks do not. They do not think in terms of degrees of risk; caught up in their enthusiasm, they think only about the intended effect. A child certainly does not think: oof, this is a Cobra with a short fuse, what is the likelihood I’ll lose a hand if I light it? Adults do not think in percentages either. At best, they judge it to be too dangerous and refrain from doing it. And if they do light the fireworks, they are implicitly convinced that all will go well. In that way, it is reduced to a binary decision, whereas in reality setting off fireworks still involves a very significant risk.

And what about public information campaigns? In the past, we had a slogan which translates into You’re a fool if you fool around with fireworks. It was witty (even more in Dutch) and it carried a message. Nowadays the message has to be more forceful, and we see mutilated hands on television. But if there are so many young victims, you would also expect information campaigns specifically aimed at this target group. Were there any? Yes, partially. Primary schools could order a free lesson package. That required them to take action themselves, and only about a quarter of all primary schools did so. You might also expect campaigners to use the media where young people actually are, such as TikTok and Instagram. However, there were no specific actions on those platforms. Municipalities and police forces were active there, but honestly — which teenager follows those kinds of accounts?

In my own profession, awareness is difficult as well. After all, you are conveying a message people would rather not hear. Just look at it: fireworks are beautiful and links are there to be clicked. And then along you come, telling them to be careful. Come on, it can’t be that bad, everyone does it.

With cybersecurity, things are slowly moving in the right direction. People understand that they have to be careful; they realise that criminals are lurking, ready to cause digital harm. Hmm, could the difference with fireworks safety have something to do with that? With the presence of a malicious actor? That element is missing when it comes to fireworks. That risk has just two components: the fireworks and the lighting. There is no other party, no enemy. Yes, that almost certainly has to play a role.

From the next New Year’s Eve onwards, a nationwide fireworks ban will apply in the Netherlands. I have serious doubts about whether it will work, because enforcing the ban will be difficult. Border checks in December will not stop the true fanatic, who has already stocked up much earlier. Responding whenever a bang or rocket is detected will rarely work either – how do you determine the exact location? No, if we truly want to reduce the number of victims, we will have to make sure (if necessary via TikTok!) that people – especially children – start to understand that risk management also plays an important role in our daily lives. From that perspective, the message becomes: hands off fireworks — or hands lost because of fireworks.

And in the big bad world…

2025-12-19

Wrong turns and right moves

Image from Unsplash

They had been to the Christmas market in Germany. Just half a minute from their school, the bus turned right. We cycled behind it, eyebrows raised. Why was that huge coach driving into this narrow street in the dark, with cars parked on both sides of the bend?

It soon became clear that this was indeed not a good idea. The left side of the slowly moving bus grazed a parked car. The next car was even dragged along a bit. The bus driver seemed unaware, because he kept going, inch by inch. This had to stop. I worked my way over the sidewalk to the front of the bus, making sure I didn’t end up wedged between two parked cars. I gestured and shouted at the driver. Hesitantly, he rolled down his window. ‘You’ve hit two cars,’ I said. ‘I’m completely clear,’ he replied, surprised. ‘No, you’ve hit two cars!’ Meanwhile, voices from the back of the bus chimed in: ‘Driver, you’ve hit something!’ Eventually, the driver put on the handbrake and came to take a look.

He couldn’t deny it: there wasn’t a molecule of air between his bus and that second car. I told him we already thought it was odd that a bus drove into that street. You know what he said? ‘I checked Google Maps, it showed cars parked on only one side.’ As if those satellite images are live!

Meanwhile, my wife rang the bell at someone she knew nearby, and soon the owners of the damaged cars were tracked down. A very young couple came out to inspect the damage: both cars were theirs. At least the insurance claim could now be sorted. But another problem arose: the bus was seriously stuck. The only solution was to move some parked cars. The students, whose school trip ended two hundred meters before their destination, had already been sent home. We passed one of them later, with a giant teddy bear on the back of his bike.

We all take a wrong turn sometimes. Where there’s chopping, there are chips; mistakes are human. What really matters is how you deal with them. Do you flat-out deny the error (‘I’m completely clear’), try to shift the blame, or take responsibility?

If a crew member on an aircraft carrier loses a tool, the consequences can be huge: it can get sucked into a jet engine, and those don’t take kindly to that. A lost screwdriver can cost lives. If someone misplaces something, they must report it immediately, and everything grinds to a halt. The missing item is searched for urgently. And most importantly: the person who caused the incident is praised for reporting it. Not punished! That’s how you encourage error reporting. Punishment would only drastically reduce the willingness to report mistakes.

We’re all on a kind of aircraft carrier. A single employee’s mistake can have disastrous consequences. Think of an admin making a configuration error, or an employee who clicks that phishing link after all. Because our carrier is so big, there are even more ‘opportunities’ to make mistakes. In risk analyses, we pay a lot of attention to these kinds of errors, which aren’t caused by a malicious actor but by a colleague acting in good faith. We call these mistakes ‘oopsies.’

Sometimes a technical glitch can lead to an awkward conversation. A report landed on my desk about an employee who tried to do something that set off alarm bells. I asked him to explain. He came up with a rather strange story, but I managed to get it confirmed. The error was known, and a fix was in the works. It just goes to show you should always be open to unlikely outcomes. So you don’t end up making a mistake yourself.

Made a mistake? Report it. So worse can be prevented and we can learn from it.

Happy holidays! The next Security (b)log will appear next year.

And in the big bad world…

2025-12-12

Urgency and priority

Image from Unsplash

Many of my colleagues are named Erik, and one of them came to me with something he thought might make a good blog topic. People sometimes assume I can turn anything into a story. Occasionally such ideas remain untouched, but Erik’s remark kept nagging at me.

"If you suddenly feel urgency now, then you didn’t choose the right priority back then," said Erik. That’s a fairly universal statement, not one limited to information security or IT. It applies to your private life too, for example in the Christmas season: if you’re ordering a Christmas gift today and discover it won’t arrive in time, then perhaps you should have left the vacuuming for later last week. The dust would still be there a day later, but that order was time-critical. Of course, there can be complicating factors; maybe you didn’t have the money for a gift last week. Or an important guest was coming and a clean house was a must.

In the past, we security folks often lamented that security only came into view at the very end of a project – if anyone thought of it at all. For years we argued that security should be included from the start. If you want a catchy term: we call this shift left – moving attention to the front of the timeline. Long ago (in the late nineties) we had a great mechanism for this: the ‘aspect meeting’. When a new project started, the project manager had to gather representatives of various aspects and explain what the project was about. Participants could then provide feedback and, most importantly, ensure their aspect got proper attention. For example, by supplying policy documents and explaining how they should be applied in the project. This way, as an aspect representative, you could make sure your interests were considered. That meeting format was one of the best I’ve ever known.

Has much changed since then? Yes and no. There are now far more IT professionals who understand the importance of information security. A lot more. On the other hand, shift left still hasn’t happened everywhere. My colleagues in the Security by Design program are working hard to make it happen. They do this by teaching teams how to do it. Because here too, the old wisdom applies: it’s better to teach someone to fish than to give them a fish – at least if survival is the goal. Furthermore, procurement processes have taken a good turn. As I wrote a few weeks ago, we have a ready-made set of security requirements prepared and, just as importantly, the buyers are aware of the Security Functionals Directive.

It’s not just Erik – there are plenty of Edwins, too. Yesterday I spoke to one, and the conversation was quite interesting. This Edwin had requested an exemption from a certain rule. Because I didn’t understand something in the motivation, I called him. Besides explaining the situation, he shared his view on exemptions. In his opinion, they’re granted far too easily. Teams should make more effort to stay within the lines, Edwin thought. I wholeheartedly agree, and that’s why we always scrutinize deviations carefully. However, we also deal with a multitude of systems and platforms, from cutting-edge to legacy. And especially in that latter category, we sometimes hear: what you want simply isn’t possible for us.

Sometimes that’s too easy. What they really mean is: we assume it won’t work. But if you bring together people from different disciplines, something beautiful can happen. Like: "Oh, but if you can set it up that way for us, then we can do this and that on our side, and then it fits within policy!" We try to help people take that extra step. But feel free to beat us to it. For example, by not just assuming something can’t be done.

Back to Erik. He teaches us that good planning prevents later trouble. Because when something becomes urgent, you often depend on others, who may think: poor planning on your part does not constitute an emergency on ours. Or it simply doesn’t fit into their own workload to help you out immediately.

Avoid urgency, plan well. Order that gift now.

And in the big bad world…

2025-12-05

A Positive Sign

Photo by author

A long time ago, a quiet revolution unfolded on Dutch streets. Traffic signs disappeared – they weren’t stolen, but officially removed and replaced by others that had exactly the same effect.

The new Dutch Traffic Rules and Signs Regulation was introduced 35 years ago. The idea was to get rid of certain prohibition signs and replace them with mandatory ones. So, for example, the sign ‘no right turn’ vanished and was replaced by ‘mandatory straight ahead or left turn.’ The foundation for this was laid back in 1968 by the Vienna Convention on Road Signs, aiming for globally (roughly) the same traffic signs. You can guess why. Within Europe, uniformity is okay-ish, though I wonder if foreigners understand our sign for a narrowed or interrupted emergency lane, just to name one. While we, abroad, have no trouble understanding a simple ‘no right turn.’

Then I stumbled upon this sign in a foreign restaurant. On the trash bin, it says you must not flush paper towels down the toilet. I’ve said it before: don’t tell me what I can’t do – tell me what I should do. But there’s more: the placement of the text is odd. The sign is on the spot where you’re supposed to bring your trash. I’d expect it near the toilet bowl. Better yet, change the text to: “Throw your paper towels in here.”

Since we’re in the sanitary zone: in some places, you’re not even allowed to flush toilet paper. You’re expected to toss used paper into an often open bin, because otherwise the pipes might clog. Sometimes even I struggle with rules.

In my field, we could also be more consistent with positive messaging. So, rather “keep your password secret from everyone” than “don’t share your password.” Or: “If you want this done, then do it this way” instead of “you’re not allowed to do that.” The message isn’t just more positive – it immediately offers a solution. People appreciate that. I’ll pay extra attention to this in the coming weeks. And it’s not just my field: positive messaging helps achieve goals everywhere.

Sadly, you can’t apply this principle everywhere. You can’t just remove every ‘no parking’ sign and replace them with signs showing where you may park. And sometimes you find truly odd signs. Drive along the A73 highway near Swalmen (Netherlands), exit the tunnel, and there’s an emergency bay. There you’ll see a round white sign with a red border, a black P in the middle, and a diagonal red slash. The meaning is clear, but why on earth use a non-existent sign? Did the Dutch road authority have such bad experiences with the regular ‘no parking’ sign that they invented a fantasy version?

Communication isn’t easy. Let’s all stay sharp and improve unclear, question-raising messages. Information security is hard enough. (And yes, so is traffic.)

And in the big bad world…

2025-11-26

A tempting side hustle

Image from Unsplash

“Dear Patrick, I’d like to point out a super interesting high-tech opportunity to you!” Or: “We’re impressed by your profile. How open would you be to learning more?” Those were in my own language, but they also come in English: I’m working on an exciting opportunity for an Information Security Team Lead role. Would you be open to a quick chat this week to discuss further?

Headhunters work on behalf of companies to find candidates for hard-to-fill positions. If I ever wanted to work elsewhere, I wouldn’t even need to start looking; potential employers reach out to me regularly. This mostly happens via LinkedIn, because that’s where your professional profile is up for grabs.

It’s not just companies trying to connect with professionals. Criminal organizations also attempt to recruit new people. Not via LinkedIn, but through platforms like Telegram – a space where criminals feel right at home.

They don’t want you to come and work for them. In fact, they want you to stay exactly where you are. You only need to do one thing: give them access to your organization’s systems. They’ll handle the rest. Besides an attractive reward, you’ll probably get a few extra days off. Because their ultimate goal is to infect your organization with ransomware. Usually, everything grinds to a halt, and work can’t resume for weeks. Recently, Jaguar Land Rover’s global car production was down for three weeks. The financial damage is estimated in the hundreds of millions. Earlier this year, a German napkin manufacturer had to file for bankruptcy after two weeks of lost revenue.

Cybercriminals need initial access – a digital foot in the door. Phishing is a tried-and-true method, but now active recruitment is happening too. And it’s highly targeted. A certain ransomware gang is currently looking for employees in finance, insurance, and travel. Hospitality, the automotive industry, and oil companies are also on their radar. They’ll tell you not to worry about criminal prosecution because they take great care of their insiders; they promise to handle your login credentials discreetly. According to them, the worst that can happen is you’ll get fired. “Don’t listen to those clueless security people – they have no idea what they’re talking about!”

Handling your login credentials discreetly? Sounds nice, but that’s only half the story. You can’t exactly work anonymously – much of what you do is logged. Logs will show: user xyz performed this action on that date at that time. If there are serious indicators, there are extensive ways to hunt down the suspected culprit. And we’ll gladly use them.

It may look like easy money, but don’t be fooled. You won’t get away with “that wasn’t me” when your user ID is in the logs. That’s exactly why you should never share your password with anyone – not even a colleague. Because what if that colleague falls for a Telegram message and hands over your credentials? Such a reckless move could cost you not only your current job but your future career. Who wants to hire someone who got fired for that reason?

Better listen to the advice of one of those “clueless security people” and steer clear of such practices. If financial trouble tempts you, seek help instead.

Because of a few days off, this blog appears earlier than usual.

And in the big bad world…


…I unfortunately didn’t have time to fill this section this week.
