At the theatre

Picture from author

The Red Hall of the Meervaart Theatre in Amsterdam looks empty in the photo. Just a few minutes later, it was filled with around three hundred employees from the National Collection Centre (LIC) of the Dutch Tax Administration. And that laptop in the picture? That’s mine.

A few months ago, the organizers of this annual event got excited about my blog posts. Probably under the slightly risky assumption that “if he can write in an engaging way, he can probably speak that way too,” they invited me to take part in the program. So, on Tuesday, I braved the railway strike and headed to the capital. I had three missions: a presentation in the breakout program before lunch, a plenary talk in that big hall after lunch, and at the end of the day, the same story from the morning, but for a different group of about forty people. The colleagues who came to hear me in Room 9 were 92% women. Someone like me, from IT and security, rarely sees that many women together in a work setting. They were a fantastic, engaged audience and gave me a great glimpse into their world.

I mainly owed the invitation to my blog about Girl’s Day. (Quick recap: for a presentation to high school girls, I googled their names and showed them what I — an amateur in that field — had managed to find out.) The LIC folks wanted to hear that story too. There was one difference: on Girl’s Day, my talk was about the girls in the room, while at the Meervaart, it was about those same girls — so, not about the actual audience itself (and of course, I didn’t mention any names or overly sensitive details in either presentation). Still, the tension was visible on the faces in the Red Hall. Especially the revelation that presentations made with the free version of PowerPoint alternative Prezi are publicly available online triggered an audible “Oh!” from the audience. A video showing a ‘psychic’ effortlessly uncovering personal details about his clients wrapped it up nicely.

My other presentation was titled Phish & Chats and covered phishing, chat apps, and artificial intelligence. The first part was a nostalgia trip for many: “Who of you has never received a phishing email?” No hands. “Hey Dad, this is my new phone number.” Murmurs in the room. English, with an Indian accent: “Hello, this is the Microsoft Helpdesk.” Nods all around. Naturally, I also gave them some tools to recognize phishing — because on a bad day, any individual employee might be the organization’s last line of defense when a phishing email lands in their inbox. And in that moment, you really want your colleague to respond appropriately.

The chat apps segment covered the pros and cons of various platforms. In short: don’t use WhatsApp for work due to privacy concerns, and don’t use Telegram at all. For internal government communication in the Netherlands, Webex is available. Signal is also an excellent choice.

Artificial intelligence (AI) also fell under the “Chats” part of Phish & Chats, because all those handy tools like ChatGPT, Gemini, and Copilot are smart chatbots — you can literally chat with them. I discussed how they work, how I view them from a professional standpoint, and what our organization does and doesn’t allow (allowed: Copilot Chat; not allowed: all others).

For me, the day was a warm bath of thumbs-ups, compliments, and thank-yous. And I hope that those who haven’t yet started reading the Security (b)log will now begin — not for me, but to become familiar with what’s happening in information security and their own role in it. Soon, I’ll be visiting a team closer to home, and after the summer, I’ll be back at our IT auditors’ annual conference. Yesterday, we discussed potential topics, and I’ll be working on finding a connecting thread in the coming weeks. In the meantime, I’ll also be a guest on a podcast. But more on that later.

And in the big bad world…

• your privacy in WhatsApp continues to erode.
• this privacy organization has something to say about that. [DUTCH]
• scammers keep finding new ways.
• the Russians are trying a new form of social engineering.
• old news sometimes stays relevant.
• this ransomware gang operated from a hotel in Thailand.
• even Switzerland struggles with the omnipresent American cloud. [GERMAN]
• you might be using a Chinese VPN app without knowing it.

The Hague brought to a standstill

Image from Pixabay

By now, you’ve probably heard, at least, if you live in the Netherlands: in just over a week, the city of The Hague will become an impenetrable fortress.

People living and working anywhere near the World Forum conference center have already been dealing with the disruptions caused by the largest security operation in history. But just like with an iceberg, what you see is only a fraction of the whole picture.

The last event of this scale was the Nuclear Security Summit in 2014, which also brought dozens of world leaders to that same conference center. In the eleven years since, the threat landscape—especially in terms of cybersecurity—has changed dramatically. Attack methods have become more sophisticated, and so have the people behind them. Much more sophisticated. And cunning. Which is troubling, because as an ordinary citizen, there’s little you can do to defend yourself.

“I’m just a regular person—what does this NATO summit have to do with me?” I hear you think. And yes, most of us won’t be directly involved. But that doesn’t mean you won’t be affected. In fact, you might be—without even realizing it.

Here’s why. Major events like this act as a magnet for what we broadly call malicious actors. Just like pickpockets flock to crowded markets, cybercriminals and spies are drawn to high-profile global gatherings. They’re after three things: money, information, and influence. The first is mostly the domain of criminals, though some rogue states aren’t above it either (looking at you, North Korea).

Stealing information is typically associated with state actors from countries like Russia, China, and Iran (plus a few others not on the public list). But don’t underestimate the criminals here either: ransomware attacks not only paralyze organizations but also steal data, which they then threaten to publish unless a ransom is paid. That increases their chances of getting paid.

Influence can be exerted in various ways. One is through disinformation—shaping public opinion, or even swaying the views of summit attendees. Some heads of state are surprisingly susceptible to such manipulation. Another tactic is disrupting the summit itself, throwing off schedules or even derailing the entire event.

Whatever the motive, these activities often start in the same place: phishing. Around events like this, phishing attempts spike—often themed around the event. You might get an email that looks like it’s from the City of The Hague: “Are you experiencing disruptions due to the NATO summit, such as being unable to get to work? Click here to apply for compensation.” Malicious actors know they’re more likely to succeed if they strike a nerve and dangle the promise of money.

Regular phishing is like shooting with a shotgun: blast it out to as many people as possible and see who bites. But there’s also targeted phishing—spearphishing—where a specific individual is the target and the message is custom-crafted. Expect to see more of that in the context of the NATO summit too.

I do wonder how they manage it in the Vatican. The Pope passed away, and five days later his funeral was held—with many dignitaries in attendance, including the U.S. President. Meanwhile, the Netherlands has been preparing for the NATO summit for months. Maybe it’s time for an educational field trip to Rome.

 

And in the big bad world…

• espionage can be highly sophisticated. [DUTCH]
• the true CISO wears a hoodie and jeans. [DUTCH]
• stolen data fuels the digital underworld.
• Wikipedia editors resist AI summaries, fearing for the integrity of information.
• AI does, in fact, make painful mistakes from time to time.
• your phone number wasn’t safe with Google.
• your data is safe with a European subsidiary of a U.S. company—at least, legally speaking. [DUTCH]

From slippers to biometrics

Image from Pixabay

Some nursing homes use facial recognition to keep elderly people with dementia inside, the Dutch tv news reported a few months ago. Because I am always on when it comes to possible topics for this blog, I made of note. And now I finally get around to explaining why that report caught my attention.

Facial recognition is a form of biometrics, just like a fingerprint scan or voice recognition. Biometrics means something like 'measuring biological characteristics'. The technology is based on the fact that every person has a number of unique characteristics. Based on these, you can identify someone. And to reassure you: biometrics doesn’t store your complete fingerprint or a photo of your face. Instead, a number of specific characteristics are recorded, such as the distance between your eyes and other proportions. When checking your access rights, a camera or scanner is used to check whether these characteristics are in its database. That is why the fingerprint scan on your phone suddenly works less well if you have been doing a lot of DIY: your finger is too rough to match.

So we use biometrics to gain access to something. Not to be denied access. But that is exactly what those nursing homes do. The front door is always open, but if the camera sees someone approaching who is not allowed outside because it is not safe for them, the door is locked. The nursing homes love it: "Otherwise we have to keep the doors closed for all residents. Now we turn that around: the doors are open."

And what if a smart resident sticks on a fake moustache, I wonder. Or puts on sunglasses. There is a good chance that he will not be recognized and will happily walk outside. Now I don't know if smart and demented can go together, but yes, I am obliged to my position to assume that things can go wrong. Edward Murphy is my role model (you know, the one with that law: everything that can go wrong, will go wrong).

What we see there is biometrics turned upside down. Why is biometrics not applied in the usual way? Everyone who is allowed to go outside is in the system. If he or she is recognized, the door swings open. If someone comes shuffling along who is not allowed to go outside and therefore is not in the system, the door stays closed. You have to be very clever to fool the system.

Before those nursing homes switched to biometrics, they used wristbands or sensors in their clients' slippers. Even then, they worked with open doors, which were locked only for some. But of course, you could easily work around that: take off your slippers and voila, you were outside. And a bit of fiddling with the wristband also turned out to work. Incidentally, the switch to biometrics has a double face: on the one hand, a band that is visible to everyone has a stigmatizing effect, on the other hand, the barely visible biometrics makes it difficult to enter an official protest – a right that also dementia patients have.

A nursing home is not a prison. Only residents who, due to their condition, are not safe to go outside alone, are kept inside – with the permission of themselves or their legal representative. Visitors are welcome and must be able to walk in and out freely. Open doors give a relaxed feeling, and thus contribute to a dignified existence. From that perspective, I understand the reverse approach, and I can imagine that there will not be that many clients who know how to hack the system. For most other applications, however, I like to stick to biometrics as they are intended.

 

And in the big bad world…

• You will soon be looking at advertisements featuring yourself on the lock screen of your Samsung phone.
• Twitter/X's new secure DMs aren't really safe.
• Microsoft hasn't turned off the International Criminal Court's email after all, Microsoft says.
• Cybercriminals sometimes attack their own kind.
• you should beware of fake versions of Zoom (and similar software).
• AI companies are moving too fast, at the expense of our safety.
• Facebook and Instagram spied on you on your Android phone. [DUTCH]
• You can read much more about how you were spied on here.
• This video warns about deepfakes.

Miscellaneous

Image from Pixabay

A few weeks ago I was at a conference. I took a lot of notes and I can watch the recorded sessions. What is the best thing to do with all that? After some browsing I made a decision: I am going to treat you to some quotes and let my own thoughts loose on them.

As a warm-up, here’s an obvious one: “If you have only met someone online, then that person is always a stranger.” This comes from a presentation on resilience against scams. You’ll have to agree with this statement, but do you also act accordingly? Or do you still want to believe that this nice person is also honest? That is very difficult. In the last century, when the internet was not yet mean, I met someone in an online forum (does anyone still remember CompuServe?). We had nice conversations about the state of the world and about observations in daily life. Later we started emailing directly, and at my wedding I met him in real life for the first time. If I had taken the above quote to heart, I would have missed out on this friendship. Back then, cybercrime did not exist and online life was a lot easier.

A handy tip to avoid becoming a victim of scammers: never pay to get paid. In other words: if someone promises you the moon but needs your money up front to make that happen, then something is wrong. It started with that Nigerian prince who wanted to share a fortune with you but needed some money to release that fortune, and nowadays you may be offered a job where a little effort will be richly rewarded – but certain costs have to be made first. Don't fall for it.

Then there’s this nice tip that you can immediately benefit from: change the name of your guest network to “faster wifi”. All your guests – and especially your children’s guests – will want to be on that network. And that is exactly where you want them. Because your guest network is separate from the network that provides access to your private data. At odds with this is the idea of connecting all your Internet of Things (IoT) devices to the guest network. The idea behind this is that IoT devices can be hacked relatively easily and that you would rather not have a hacker have access to your data. But do you want all your guests to have access to your dishwasher, dryer and solar panels? Difficult choices.

Sometimes a statement from one speaker ties in with that of another. Like these two: “8% of the users in your organization cause 80% of the risk” and “New employees are the biggest threat: they easily click on links because they do not understand the risks.” I would mainly link the first quote to employees who are in the “cannot & do’nt want to” quadrant: they don’t know how to behave safely and they are also not willing to adjust their behavior, which makes them difficult to reach. But according to the second speaker, the danger lies mainly in new employees. You can do something about that. That is why we have been involved in the onboarding program for new employees for years now. We treat the new colleagues to a presentation in which we playfully guide them through the most important aspects of information security, business continuity and privacy. And we advertise the Security (b)log, so that they will come back to our important message.

If there was one subject that ran through all those hundreds of presentations, it was artificial intelligence. One speaker thought that 90% of so-called AI experts have no idea what they are talking about, and that the other 10% know very little. And that is normal, he argued, because AI consists of many sub-disciplines and it is important that experts know a lot about their own sub-discipline. Just as you wouldn’t go to see a brain surgeon with heart problems, you should also seek out the right specialist in the field of AI.

Finally, a quote that stuck with me because it hits home so well: “ Generative AI is autocorrect/type ahead on steroids.” Let me break it down for you. Generative AI is the form of artificial intelligence known to the general public, which generates something on its own; you know it from ChatGPT, for example. You know autocorrect mainly from your phone; on the one hand, it protects you from typing errors, but sometimes it causes embarrassing situations because the “correction” turns out to be annoying (in my case, “Hi Nick” was once replaced by “Hi pig”). Type ahead is its cousin, and you also know it from your email program that, while you’re still typing an address: I know who you mean! Well, and all this on steroids, that is generative AI. With all the conveniences that come with it, but also with an amplification of all the inconveniences. I stopped the message to Nick in time, but if genAI is happily hallucinating and telling us a story that makes no sense, that’s a lot harder to discover.

There will be no Security (b)log next week.

 

And in the big bad world…

• Meta can now use European data to train its AI.
• Signal opposes Microsoft Recall.
• Comedian Arjen Lubach wonders whether Trump can digitally shut down the Netherlands. [DUTCH]
• this example shows how this shutting down works. [DUTCH]
• Telegram shares data with authorities and defends freedom of expression.
• Windows becomes quantum-proof.
• Eindhoven University of Technology has published the report on the January cyber attack. [DUTCH]
• You can recognize deepfakes by looking for blood flowing through the veins in the face. [DUTCH]

 

Dangerous by (de)sign

Picture by author

Take a good look at the photo and try to figure out why I shot this picture with only one purpose: to write a blog about it.

We are in a hotel. At the bottom of the screen there’s a staircase going down. Above it there’s this warning sign: “Caution – watch your step”. How many people have fallen down these stairs because they were looking at the sign? It draws your attention, distracting your focus from the danger itself: the stairs. You’ll walk into the pitfall with your eyes wide open. Literally.

Sometimes security measures are abused to make you feel safe while you are in a dangerous situation. For example, there are phishing emails that warn you about phishing. If you click on the 'for more information' link, you will be taken to the phishing information page of the real company. This can give you the false sense of looking at a legitimate email. Because criminals wouldn’t point out the existence of crime to you, would they? They are not going to give you a clue that something could be wrong, they don't want you to think about that, do they?

Cybercrime is all about trust. If you can gain your victim’s trust, you’re in. You can gain their trust by presenting yourself as a reliable party who, as an extra service, warns you of dangers. In doing so, they sneak into your world and together you look at the big bad world. That creates a bond. And with that, trust.

However, that same email will undoubtedly contain another link, that will take you to a fake website. Because the email seems so trustworthy, you are more likely to click on that as well. Gotcha!

The question remains: why on earth would they put a warning sign above a staircase? That must have something to do with the American claim culture. “It’s very unfortunate that you fell down the stairs, but hey, we warned you, so you can’t sue us.” Everybody knows that you have to be careful with stairs – even without a sign. Moreover, this was the only staircase in the hotel with a warning sign. Someone must have fallen into the depths at that spot at some point, after which this staircase was designated as a Dangerous Area.

 

And in the big bad world…

• messages 'on behalf of the government' are always good for building confidence.
• It is not a good idea to have your email hosted by an American company.
• AI leads to more paranoia.
• These cybercriminals got a taste of their own medicine.
• Europe has its own vulnerability database now.
• The European security organisation Enisa has been linked to the power outage in Spain and Portugal.
• You will have to take action again if you don’t want Meta to train their AI with your data.
• Cyber espionage is now a crime in the Netherlands. [DUTCH]

 

Meeting the stars

Image from Pixabay

 

I've met stars. Bruce Schneier gave a speech, Adi Shamir and Whitfield Diffie were on a panel, Ron Rivest was an arm's length away and Dave Maasland was sitting next to me in the pub.

You probably only know these names if you are in my line of business – although Dutch readers might know Dave Maasland from his tv appearances. Keep reading anyway, because even without knowing these people you can learn something here.

Ron Rivest and Adi Shamir are the 'R' and the 'S' in RSA. You may know that name from your two-factor authentication, the extra security step you sometimes have to take to log in somewhere. RSA is now a company that makes these (and other) kinds of tools, but originally RSA is a cryptographic algorithm that is important for the encryption of our data exchange. The 'A' is for Len Adleman, by the way, but I didn't see him at this conference – the RSA Conference! Whitfield Diffie, who was on the same panel as Adi Shamir, is known for another cryptographic algorithm (Diffie-Hellman).

In that panel, a number of cryptographers gave their view of the world. Shamir sneered at bitcoin and its ilk: the world would be better off without cryptocurrencies. Diffie noted that consumer products are apparently considered good enough for high-security applications – Signalgate, the affair in which high-ranking American officials were using Signal, was still fresh in the memory. Incidentally, Diffie agreed that Signal's security is well put together. The panel also discussed the threat of quantum computing, which in short means that the security offered by RSA, among others, can be cracked in the future. Moreover, foreign regimes are already stealing our data, in order to run it through the quantum computer in due course. That is why it is important to develop replacement crypto algorithms as quickly as possible, but that is not easy. Diffie: "It's like having to develop an algorithm in 1945 that still works today." Shamir advised, in line with a European recommendation, to use double encryption for the time being.

Bruce Schneier is also famous in our world. He has been distributing his free newsletter all over the world for years, providing insights and opinions on new developments. His speech was about trusting artificial intelligence. Trust is a complicated concept, he argued, especially when it comes to trusting strangers ('social trust'). We tend to considering AI as a friend, but it is a service. Moreover, it is a double agent: it serves both you and its provider. But we have no choice; we have to entrust ourselves to AI. The era of agentic AI is dawning: you’ll have a personal assistant who arranges things for you. The AI agent has access to your email and your calendar and knows everything about you. You do want this, because that way it can support you best. Schneier used a dining reservation as an example. In the past, you called the restaurant, nowadays you make a reservation via their website and soon you let the AI agent find a restaurant and make a reservation. It knows what food you like and when you have time.

So we need trustworthy AI. Integrity will be the main issue, according to Schneier, because most attacks on AI are about the correctness of data. He gave the example of stickers placed on lampposts to trick self-driving cars. Legislation is needed to achieve trustworthy AI, but current legislation (such as the European AI Act) regulates the AI itself instead of the people behind the AI, and that is the wrong way to go, Schneier says. He advocates a public AI model with political accountability, as a counterbalance to corporate AI.

Information security officers are only human, which is why the organization also brought a number of 'real' stars on stage. Such as filmmaker Ron Howard (Apollo 13 and A beautiful mind (two Oscars), just to name two), who was interviewed by his daughter and colleague. Or basketball legend Earvin “Magic” Johnson, who won over the audience with his openness and a motivating story. And finally there was actor/singer/comedian Jamie Foxx, who provided a comical closing note. But he also gave us a pat on the back: “What you do is perhaps the most important job in the history of mankind.” According to him, community is the magic word.

After that, my three colleagues and I, and 44 thousand other conference attendees, returned to our own time zone. Together we made it an interesting and fun week. And the bond between our team and the SOC has also become closer. You did a good job there, JW.

 

And in the big bad world…

• Bruce Schneier was interviewed following his RSA speech.
• Schneier praises advice from the British NCSC on advanced cryptography.
• a safety mark for AI is impossible. [DUTCH]
• Signalgate now revolves around an insecure – even hacked – clone of the Signal app.
• the Chinese cyber threat is greater than the Russian one.
• a US intelligence chief lacked basic password hygiene.
• AI is great at geo-guessing.

Fatbike brakes

 

Image from bol.com

Fatbikes. Even the word gives me the creeps. I'll stay away from the broad discussion about this young phenomenon on the road (see here why this is a problem in the Netherlands). But I do want to talk about something that I see associated with riding one of these things: braking à la Fred Flintstone.

You know how Fred slows down his car, don’t you. Literally by digging his heels in. And lately I see more and more young fatbikers trying to stop their two-wheeler just like Fred by putting both feet on the ground. Often they swing back and forth dangerously. Eventually they come to a stop just in time.

Is there anyone in the audience who has experience riding one of these things? Are the brakes really so bad that you have to do like Fred to stop in time? Or are we talking about tuned-up models, where the brakes, which barely meet the regulations, fall short as soon as the bike goes faster than intended and allowed?

Something else now; you'll soon understand why I'm bringing this up. Earlier this week I was passing through Gouda by train. At the station my eye was caught by the open-air bike parking place. On either side of the place – which is only two bike lengths plus an aisle wide – there were security cameras set up about every ten meters (roughly 30 ft). I didn't count them, but there were an absurd number of them. You'd almost think the cameras were myopic.

Here are two examples of security measures that are taken in situations where the actual measures – brakes and locks – have proven insufficient in practice. We also have measures like these in information security. Usually, this involves technology that does not fully deliver what you hope for. For example, a virus scanner that still lets that very latest virus through, or that mail scanner that does not recognize a particular phishing mail. In these situations, the problem becomes an end user thing.

And that is why we need your commitment, dear reader. You are the brake shoe that can intervene at the last moment, when all else has failed. You are our last line of defense. And that is exactly why I put so much energy into keeping your knowledge of my field up to date. You don’t have to know all the ins and outs, but you do need to know the things that can be – literally – of vital importance to the organization, such as recognizing phishing email.

I know, it can be difficult. I can't ask more of you than alertness. Help us to bring our fatbike to a stop in time.

There will be no Security (b)log for the next two weeks.

 

And in the big bad world…

• Not all awareness campaigns are equally effective. [DUTCH]
• Now your Android phone will also reboot if you don't touch it for three days.
• Ahold Delhaize suffered a major data leak last year due to a cyber attack.
• Google blocked over five billion ads last year, many of which were AI-generated.
• The end of CVEs was near.
• a facial scan will determine if you are old enough for Discord.
• the Dutch police did a bad redacting job for fourteen years. [DUTCH]
• It is better not to download cracked computer programs.
• the CISO Mindmap 2025 has been published.