On deaf ears

Image from Pixabay

“Have you ever written a blog about the tension between security and usability?”, a colleague asked. “Probably,” I replied, “but what’s your reason for asking about it?” “My wife.”

I understood what he meant straight away. Not that my family doesn’t understand it all, mind you. But we recently had some people over, including a couple whose ages sum up to my age. She asked for the wifi password, and I told her our guest network password. That is easy to remember and therefore not very complicated (something like bicycle3oven) – it is just the guest network and you can’t access our data with it. To my surprise, she responded with: “ Wow, that’s a complex password!” And she spontaneously mentioned their own wifi password, which I would classify as “20^th century”.

I couldn’t avoid a disapproving look, but then I made a cautious, extremely friendly attempt to explain that a password like theirs is not a good choice. And I’m really not inexperienced or clumsy in explaining those things. But in this case, my explanation fell on deaf ears. “Oh, nothing ever happens to us anyway,” said the young lady. But it was her look that spoke volumes: what is this man so worried about? I took another run-up and started talking about passwords for other, perhaps more important accounts – knowing that people who act unwisely on the left side, usually do so on the right side as well. However, the wall of incomprehension was so high that, despite all my experience, I couldn’t tear it down. And I realized that I had to leave it at that; these people were here for fun & family, not to be lectured.

My wife and daughter, who had witnessed all this, didn’t know where to look. Apart from the fact that teenagers can't stand it when their father does something like that, the two ladies had realized much faster than I had that I was on a mission impossible. Their relief was great when I dropped the subject and we switched to small talk.

Security and ease of use are at odds with each other. Just think: if you lock your house, you will be standing in the rain a little longer when you get home. However, everyone understands that this measure is intended to keep outsiders out – there’s a reason they’re called that. It works the same way with information security: you don’t want to put any obstacles in the way of legitimate users, but because most systems are simply not intended for everyone, there has to be a lock on the door.

Some of these locks are more annoying than others, and sometimes they can be downright annoying, for example because they lock often. When it becomes annoying, people tend to circumvent security measures. It should be clear that the organization does not appreciate such creativity. That is it is important to me that people understand why a certain measure is in place. And so I have made inquiries for two measures I was wondering about.

In both cases the answer was: it shouldn’t be like that. Followed by technical explanations stating that there is no security measure at all in play, or at least: no measure that explains what I experience. There is probably just something wrong. That’s always a possibility: you think that something is a crooked security measure, but meanwhile something else is going on.

Hopefully that colleague can convince his wife that some measures are important. And hopefully he recognizes situations where something is simply broken and the behavior is not on security.

 

And in the big bad world…

• Some high-ranking officials don't understand that they shouldn't use personal email for work.
• Gmail's end-to-end encryption is not true E2EE.
• Counterfeit phones with malware are around. [DUTCH]
• Last year's major disruption to the Dutch Defense network was inevitable. [DUTCH]
• Crisis communication is a profession in its own right.
• The Swedish Tax Authority is summoned to court for selling citizens' data.
• someone really wants to hack Chinese domains.

The phone isn't working

Image from Pixabay

My grandparents' phone number was 1331. Those four digits were all you needed to reach them. If you called from further away, there was also the area code 04454.

In those days you knew the numbers of family and friends by heart. Other numbers were kept in a special telephone directory: you set a slider to the first letter of the surname, pressed a button and the thing popped open and showed a card with all the names and numbers that belonged to that letter. Handwritten.

At home we didn't have a telephone at all for a long time. You could live with that in the seventies. And the one time you really had to call someone, you knocked on the neighbours' door and gave them a quarter (of the old Dutch currency, the guilder). Or you went to the telephone box in the village. You needed quarters there too. Those were important coins. Too bad they don't exist anymore.

When we finally got a phone, four digits were still enough. Ours were 4006. PTT was the monopolist and everyone had the same device: the T65, with a rotary dial and a curly cord. It sat in the living room and if you were busy in the kitchen, with the door closed, you would sometimes miss a call. And you only knew that when the caller tried again later ("Weren’t you at home?"). That's why my parents had that same PTT install an extra bell in the hall. You paid rent for that, just like for the T65.

Many years later I bought – hesitantly – my first mobile phone. A Panasonic, with an antenna that stuck out about two centimeters above the device. The device had a small LCD display and physical keys. You could call and text with it. Compared to the T65, the number of functions was doubled. Wow!

Look where we are now. Almost everyone walks around all day with a computer in their pocket, which you also happen to be able to make phone calls with. This can be done in various ways. Via your SIM card (the old-fashioned way of calling, with a phone number of ten digits nowadays), but also – with or without live video – via other apps. You can even use it to hold meetings, as we know since the covid pandemic – if necessary with people in all corners of the world. Most people have thrown their landline out the door. Or never had one.

But what if all of that suddenly stops working? No one is reachable anymore, at least not by phone. You can only communicate with each other indirectly. By email or via chat apps. What impact would that have on our social and professional existence? Many subjects benefit from live interaction; if they have to be done via email, the 'conversation' can easily go the wrong way because one person misunderstands the other.

If telephony and video conferencing were to fail for a long time, we would undoubtedly go back to the office more often. Then it would be like it used to be: working from home for a maximum of one day. Everyone has their own personal preference, but I cherish working from home. One day a week in the pandemonium (and, admittedly, also joining in the chatter) is enough for me.

What do we do to prevent a company-wide blackout? Diversity plays a key role. In the Netherlands, there are three mobile networks (Vodafone, Odido (elsewhere still known as T Mobile) and KPN (the heir to PTT!)). All other providers piggyback on these networks. It is financially and from a management perspective attractive for organizations to place their telephony with one provider. But if something goes seriously wrong there, the entire organization immediately has a blackout. So it would be better to spread your chances. You should even make sure that the employees of a team are not all with the same provider. I see a nice administrative challenge…

But is it worth it? We never have long-term failures, do we? In the current climate, I no longer dare blindly assume that it will remain that way. There are strange forces at work in the world. At some point, those forces could benefit from a country becoming paralyzed. We would rather not think about that. And that is precisely why we have to do it.

 

And in the big bad world…

• The Atlantic 's editor-in-chief was invited to join a US government Signal group.
• This is the original article from The Atlantic about US plans to bomb the Houthis.
• Lower-ranking officials cannot afford to make mistakes like this one.
• SignalGate is not about Signal.
• Signal is benefiting from SignalGate.
• One of the SignalGate participants also leaked information on Venmo.
• Signal has a handy feature to prevent you from adding the wrong person.
• you can check if your online accounts have been hacked.
• An airport under attack can always switch to whiteboards.
• ChatGPT is addictive.
• Troy ‘Havibeenpwned’ Hunt is also not safe from phishing.
• the Dutch Government Cloud is one step closer. [DUTCH]

 

Number 2

Image from Pixabay

“Up for number 2? Please do it at home, because our toilet gets clogged quickly.”

On our way home from a short vacation we stopped at a cafeteria close to home, because we had no food in the house. And there, on the otherwise neat toilet, I spotted that note. The text reminded me of Belgian roads. Instead of repairing the sometimes abominable road surface, they put a sign next to it: degraded road.

Of course, placing a sign is much cheaper than fixing the problem. At least, at first glance. Perhaps hungry guests will avoid this cafeteria in the future, because after a long walk in the area they still have to go somewhere with their number 2 before they eat their fries. That means loss of turnover. And in Belgium, cars wear out faster. Moreover, I can imagine that a bad road surface causes more accidents: you lose control of the steering wheel when you drive through a pothole, or you try to avoid the pothole and collide with another car. All of that causes extra costs, and perhaps even human suffering.

And if our southern neighbours were to halve the excessive lighting of the country's roads, wouldn't they have any money left to repair those same roads? That's a bit more complicated. My physics teacher from a long time ago once explained why the Belgians have so many street lamps. That was due to the construction of nuclear power stations. They gave the country overcapacity. You have to go somewhere with that electricity, and that's why all those lamps were planted. Even then, there was already talk of grid congestion; the generated electricity had to be used up immediately. By the way, I have no idea whether that argument still holds true decades later, but I always liked this fascinating - because unexpected - connection.

If you have a problem, you want to solve it. For example, by removing the cause. If that isn’t possible, because you have no influence on it, you can take measures to compensate for the negative consequences. And if that isn’t possible either, for example because you do not have the money for it, then… Well, then you can always put up warning signs.

An example where it is difficult to remove the cause is cybercrime. Sure, these criminals are arrested with some regularity – just like their analogue colleagues – but there are simply too many of them and they often operate from safe foreign countries, where the Dutch strong arm has little control over them (although there are rare cases known in which the Russian justice system cooperated with foreign requests for assistance, for example in the case in which a meter-long file, translated into Russian, was delivered to Moscow).

Because eliminating the cause is so difficult, we have all kinds of measures to detect and neutralize malicious actions. Think of virus scanners, mail filters and people who keep an eye on things. But because all that is not enough, we have to ask everyone to be alert. Phishing is the number 1 point of attention, because one wrong mouse click can ruin an entire organization. That sounds dramatic, but it’s still true. And there are more subjects that all users need to know something about to ensure healthy business operations.

Fortunately, there is a hunger for information about this. In the coming period, I will again be a guest speaker at various organizational units that have asked me to treat their employees to a presentation. I always ask the organizers what is on their minds, what they want to hear about. Such a conversation sometimes provides surprising insights into the success of awareness efforts. Like earlier this week, when I spoke to a colleague about a presentation in their team. The team members are loyal readers of the Security (b)log. Nevertheless, even there, very occasionally someone forgets to lock their workstation when they walk away for a moment. And then their colleagues shout: “Oh, if Patrick sees this…!” It is nice to see that the message is getting across.

 

And in the big bad world…

• a phishing campaign is going around targeting crypto investors.
• hallucinating artificial intelligence can be very harmful.
• the British appear to have pushed back the timeline for quantum-safe cryptography.
• North Korea is going to adopt AI-enabled hacking.
• Others will also abuse AI.
• hackers can easily exploit old vulnerabilities.
• we trust our colleagues, until proven otherwise.
• the American press is realizing that Europe is working on digital sovereignty.
• Athletic soldiers should get off Strava. [DUTCH]
• For the time being, European data may still be sent to the US. [DUTCH]

 

Ouch!

 

Image from Pixabay

Snap. The sound of a withered twig giving way under the footsteps of a forest walker. Only this time it wasn’t in the forest. And it certainly wasn’t a twig.

We’ve lived in this house for exactly ten years now, and the bed has been in the same spot for just as long. But when I walked into the bedroom recently, the bed must have taken a step forward. Snap. The leg of the bed showed no damage. That could only mean one thing: the sound came from my little toe. Most accidents happen in a small corner, we say here. Or in a small toe, I now know. Oh well, that bone will grow back together. (But it’s annoying.)

A day later, Maarten van Rossem, the always cheerfully grumbling Dutch tv personality, had an unfortunate fall. The historian had tripped over a curb in Utrecht, right in front of the building that served as the headquarters of the fascist National Socialist Movement during the war and which now houses a childcare centre. He was lost in historical and ironic reflections on the fate of the building. Consequences: a black and blue face and a hurt knee. So I was in good company that week, in terms of being a victim of one’s own carelessness.

Shouldn't we have been more careful? Absolutely! But one does a lot of things on autopilot. As I said, nothing has changed in the layout of our bedroom for ten years. And that curb has probably been there for a long time too. You can blindly walk a route like these a thousand times without any accidents. And on that one day you put your foot down just a little differently. There’s no footage, I can't analyze it. But there was a deviation, that's for sure.

I once heard someone say: walking is like fall in a controlled way. You lean slightly forward and prevent a fall by putting one leg forward. Seen in this light, walking is a rather clumsy activity for bipeds. Does it surprise you that we sometimes take a misstep? No doubt, thick books have been written about this that may or may not be worth reading, but this is not a blog about kinematics, so I will leave this subject alone for now.

In presentations I have sometimes made my audience think about the way they cross a road. If you see a car approaching, you make an assessment of whether you can still cross. You base this on the distance to the car and on its and your speed. If you give yourself a green light, you start walking. But now we are going to do this risk analysis again – because that is what it is – but in more detail. You not only consider distance and speed, but you also take into account the possibility that you stumble. Does the driver have enough time to brake? Can he see you at all, or is he hindered by darkness or the low sun? Or is he perhaps fiddling with his phone while driving?

If you include those factors in your analysis, you will probably increase the minimum distance that the car must have at a certain speed, in order to be able to cross the road in confidence. But who does something like that? I can tell you: people who have just had an accident. Because they have personally experienced how things can go wrong and what the consequences are. And after a while, that increased vigilance wanes again, and with that the chance of accidents increases again.

In information security, it is no different. If nothing ever happens, attention lapses. And then it becomes easier for malicious actors – our standard term for anyone who deliberately wants to do something with our systems and data that we do not agree with – to do their thing. Practicing helps against lapses in attention. Developing scenarios also helps. You have a certain interest that you want to protect and you try to think of how a malicious actor would carry out an attack on it. This can lead to surprising insights and solutions.

My bed was not malicious. Bad (!) luck, most people would say. For the time being, I walk past it with increased respect. I also put my feet down much more consciously in other places. That takes quite a bit of energy. Actually, I am already looking forward to my attention slackening a bit. Although I sincerely hope the bed will stay where it is.

 

And in the big bad world…

• AI surprisingly often misses the mark.
• the US government no longer considers Russia a cyber threat.
• Your Pokémon Go location data may be flowing to Saudi Arabia.
• Twitter/X poses a threat to countries outside the US according to this Australian article.
• The new Dutch government workstations only store metadata in the cloud. [DUTCH]
• Apple is protesting the British backdoor.
• Signal’s CEO warns of AI agents.
• Apple seems to have implemented a good idea in a messy way.
• Many Chromecasts have an expired certificate, which means the device will no longer work.
• Instagram's teenage accounts offer only a false sense of security. [DUTCH]

 

The monkey is loose

Image from Pixabay

Despite the fact that they aren’t ducks, I am inclined to call them Huey, Dewey and Louie: the three monkeys that escaped from Apenheul last week. They had only been living in this Apeldoorn zoo for a week, but apparently they were so unhappy with this accommodation that made an escape plan. Tranquilizer darts and a firm jet of water from the fire brigade were needed to get them back into their cage.

Which brings me to the expression: having a monkey on your back. I only know it with a negative connotation, because it means that you have a job to do or a problem to solve that you are not really happy with. The search engine returns this for the search “monkey back”, from an educational institute: “Monkey on your back? Learn the art of giving back.” A competitor is a bit more aggressive: “Watch out! Avoid the monkey on your back.” In short: having a monkey on your back is not a pleasant thing.

In this context too, there are sometimes monkeys that break out and end up in places where they don’t belong. Those monkeys are not sitting on the back of the right keeper. How does it end up there? Sometimes in a very strange way. For example, I once heard this remarkable statement: “Information security starts with an i, so the IT department owns it.” Can you imagine a worse reason to assign a subject to a certain department? I can’t.

By the way, it is not at all unusual – but therefore not necessarily wise – for an IT department to be promoted to the owner of information security. Because, well, information security is about computers, isn’t it? And computers belong to IT. Right?

What does 'ownership' actually mean? In private life, it usually has something positive: you are the proud owner of a beautiful house or a trendy bike. It also means that you have to take good care of it if you want to enjoy it for a long time. In business terms, you can also be proud of things that you own. Perhaps you derive a certain status from it. However, when it comes to maintenance, the story is somewhat different than in your private situation. There you could still decide for yourself whether to do maintenance, but in business terms you bear responsibility towards the organization. You cannot just let things take their course, because that could mean that people elsewhere in the organization will experience problems as a result. Or more definitely, actually: sooner or later someone will suffer from poor ownership.

Fortunately, many people in our organization are aware that information security is not an IT thing. You can see that, for example, from the fact that we have business security officers (BSOs). These are security officers who work for the business departments. And yes, in IT we also have security officers (also called information security officers (ISOs)), but they only deal with the items and services that IT makes available to the organization – and not with whatever the organization (‘the business’) actually does with them.

For many employees, the BSOs are fairly invisible. I know this because we, the ISOs, often receive questions that actually belong to the BSOs. An employee who encounters a security issue or simply has a question, goes looking for someone who can take the monkey on their back. They often knock on my specific door: "You are the only information security officer I know, because of your blog." No problem at all, I am happy to refer them to their own BSO. Many times I prefer this to a question or report remaining unanswered.

Do you know your BSO? If not, go and find them and have a chat. Even if nothing is wrong. They are very nice people.

 

And in the big bad world…

• Signal is really more secure than WhatsApp. [DUTCH]
• Apple faces an impossible choice due to UK legislation requiring a crypto backdoor.
• Of course the Americans are not at all happy with that British law.
• France also wants a backdoor.
• Dutch cloud pessimism is attracting international attention.
• North Korea has stolen $1.5 billion in a digital bank robbery.
• we have a new word: vacancy fraud. [DUTCH]
• AI chatbots gobble up information that was accidentally briefly exposed.
• Many Dutch companies avoid using AI for privacy reasons. [DUTCH]

In the waiting room

 

Image from Pixabay

In the rather crowded train I found myself sitting next to a man who was working on his laptop. A quick glance at the device and the open programs identified him as a colleague.

At one point he was in a phone conversation. I wasn't actively listening, but of course I heard something. And what I heard made me very happy. To start with, he spoke softly, and in short sentences. It was actually mostly listening and occasionally responding briefly. I didn't hear him give any information. Neat, colleague!

How different is the experience of a colleague who was sitting in the dentist's waiting room. Well, it wasn’t really a waiting room; in a corner of the reception there were some chairs. Behind the counter worked two assistants. One, Tasha*, was clicking through computer screens with some despair in her eyes and finally said: "I can't find Mrs. Decker's details in TND." Her colleague Cindy asked for Mrs. Decker's date of birth. "Aha," said Cindy, "she's from 1999 and that's why she's not in TND yet. What's her phone number, I’ll give her a call." Tasha read out the phone number and Cindy made the call.

“Good morning Mrs. Decker, this is Cindy, assistant to dentist Crown. I need some information from you to enter your treatment in our system. What are your initials? ABG? Great. And your social security number? Yes of course, I'll wait a moment. (...) Ah, there you are again. Yes, I'll write along. 1-1-2-7 5-5 9-5-0? Thank you. And finally, I need your address. 5 Brace Road? Great, then I have everything complete. Shall we make the first appointment for your root canal treatment right away? Can you come in on Friday at 9 o'clock? Fine. If I can also have your e-mail address, I'll send you a confirmation. marly@decker.com? Fine, then we'll see you the day after tomorrow. Have a nice day!”

Our colleague could hardly believe his ears. He now had a complete set of personal details of someone and he knew when Mrs. Decker would not be home. Thanks to the information about her treatment, he also knew that she would be away for a while.

“Great, with this information I can commit identity fraud.” Or: “Great, I’ll get my burglary tools ready.” I admit that the chance that the unintentionally shared information accidentally ends up in the ears of a cyber or physical criminal is not that great. But still: everyone feels in their bones that this never should have happened. If you hear all this, then you know that they are handling your data in the same way. You wouldn’t feel comfortable with that, would you? And imagine that our waiting colleague was an acquaintance of Mrs. Decker. He runs into her a week later: “Hey Marly, how is your tooth?” That would be strange, wouldn’t it?

Of course there is also a legal problem. The unsuspecting, well-meaning dental assistants have not only leaked personal data, but even medical data. Under the GDPR (the European General Data Protection Regulation) these have the status of special personal data, for which even stricter rules apply than for regular personal data.

Tasha and Cindy were just doing their job. They can't help it that dentist Crown thought a separate waiting room was a waste of money. They couldn't make the phone call elsewhere either, because then Cindy couldn't enter the data into the system. Data leaks are pre-programmed in this situation. Especially when people are not aware of what is happening. A data leak is just around the corner.

I also want to look at what happened on the other end of the line. What if it wasn't the dental assistant who called Mrs. Decker at all, but someone who was out to collect personal data? Of course, the chance that they would call when you’re actually suffering from an aching tooth is small. But if you leave that circumstance out, it's a different story. If someone you don't know asks for data, tell them you'll call back. Then call the general number of the company and ask for the person who just called you. If that's not possible, ask whether they actually needed data. That way, you prevent yourself from leaking your own data.

*) Of course, all personal and system data are the product of my imagination.

 

And in the big bad world…

• Of course you can also just buy medical information at the flea market. [DUTCH]
• healthcare has to deal with cyber threats. What these are, is stated in their threat assessment. [DUTCH]
• Securing medical data is also problematic elsewhere in the world.
• 'hybrid warfare' is a euphemism.
• Europol warns of child abuse via online communities.
• Smart traffic lights turn green thanks to your phone. [DUTCH]
• Signal users are being attacked via fake QR codes.
• the Dutch government is increasingly hesitant when it comes to the public cloud. [DUTCH]

From Asia with love

Image from Unsplash

They didn't mention it in the eight o'clock news, but the fact that the report was broadcast on the eve of Valentine's Day could hardly be a coincidence. It was about a man who got in touch with a certain Julia on this dating app. Could this finally be the one for him?

They chatted for a while, and after a few days Julia wrote: “Guess what I was just doing!” And she sent a screenshot of an impressive graph, showing that she had just made a lot of money trading cryptocurrencies. And she was quite willing to explain to our anonymous love seeker how that worked. So he received a link to a trading app. But he didn’t realize that he had fallen into the hand of scammers. Nothing was traded via that app. His entire investment – first a thousand euros, then ten thousand, a total of one hundred fifty thousand – disappeared straight into criminal pockets. When the thugs realized that there was nothing left to be gained, Julia abruptly ended the budding romance. Our Romeo found himself in a difficult time, in which he lost confidence in everyone – including himself.

In many presentations I give, there is this folk wisdom: if something seems too good to be true, it usually is. It once started with that Nigerian prince, who sent you of all people an email, promising you mountains of gold if you helped him free up a large sum of money. Lawyers from faraway countries, who told you that a large inheritance was waiting for you, were a variation on that. The only occasion when I believe a statement like that is when it is on a chance card in Monopoly. But the scams are becoming increasingly shrewd and the criminals are putting more time and effort into getting the loot. Where that prince used to target a large group in one go, hoping that a few people might fall for it, they are now investing in a good relationship with the individual victim.

The news also showed where all that misery is coming from. No longer mainly from Nigeria and the surrounding area, but from Southeast Asia. From there, some thirty scam centers operate: apartment buildings full of Julias, who together have already earned some 75 billion dollars from people who were too gullible. Many of those approximately three hundred thousand Julias do that work involuntarily. They have been lured there by human traffickers under false pretenses. They live in captivity and if they don’t perform well, they receive corporal punishment.

Last week’s blog included a link to an article saying that Thailand had cut off internet and power to the border region with Myanmar in an attempt to cripple the scam centers. That shows how powerless you really are in the fight against criminals operating from a country that doesn’t put the slightest obstacle in their way. The article didn’t say anything about the extent to which the scam centers were dependent on Thai services, but by now they will have found a way to continue operating. That probably doesn’t apply to innocent citizens and businesses in the border region, who have also been affected by this well-intentioned measure.

Cybercrime in this form is only possible thanks to technology that was never conceived with this purpose in mind. With the help of translation services such as Google Translate, Julia was able to chat with her victim in perfect Dutch. Artificial intelligence is also increasingly being used for evil. I will once again make the comparison with dynamite: when Alfred Nobel invented it in the 19th century , he did not foresee that it would be used to blow up bank vaults and soldiers. And dating apps were also not set up as a platform for crime with a romantic prelude.

If the crime is not tackled, then its potential victims must be made resilient. Unlike a street robbery, you do have a chance to escape from those fraudulent practices. It is actually quite simple: if a new contact suddenly brings up money as a topic, you have to be careful. Take off your rose-colored glasses and look at what is happening through a magnifying glass. Discuss your doubts with someone you have trusted for years; not with Julia, because she knows all sorts of ways to reassure you. Just say firmly that you are not interested. You are using that dating app to find love, not to get rich.

If necessary, print out that piece of folk wisdom and hang it above your screen.

 

And in the big bad world…

• The British want a backdoor in the encryption of iCloud backups.
• the Dutch government has published the Information Set quantum-safe cryptography. [DUTCH]
• North Korean IT workers infiltrated American companies through laptop farms.
• Governments like to distribute spyware.
• many AI buddies and therapists are detrimental to the well-being of the unsuspecting user. [DUTCH]
• AI chatbots need to learn better how to say 'no'.
• Non-human users also have a life cycle.
• US cybersecurity is suffering under the new administration's bureaucratic purge.