2025-11-26

A tempting side hustle

Image from Unsplash


“Dear Patrick, I’d like to point out a super interesting high-tech opportunity to you!” Or: “We’re impressed by your profile. How open would you be to learning more?” Those were in my own language, but they also come in English: I’m working on an exciting opportunity for an Information Security Team Lead role. Would you be open to a quick chat this week to discuss further?

Headhunters work on behalf of companies to find candidates for hard-to-fill positions. If I ever wanted to work elsewhere, I wouldn’t even need to start looking; potential employers reach out to me regularly. This mostly happens via LinkedIn, because that’s where your professional profile is up for grabs.

It’s not just companies trying to connect with professionals. Criminal organizations also attempt to recruit new people. Not via LinkedIn, but through platforms like Telegram – a space where criminals feel right at home.

They don’t want you to come and work for them. In fact, they want you to stay exactly where you are. You only need to do one thing: give them access to your organization’s systems. They’ll handle the rest. Besides an attractive reward, you’ll probably get a few extra days off. Because their ultimate goal is to infect your organization with ransomware. Usually, everything grinds to a halt, and work can’t resume for weeks. Recently, Jaguar Land Rover’s global car production was down for three weeks. The financial damage is estimated in the hundreds of millions. Earlier this year, a German napkin manufacturer had to file for bankruptcy after two weeks of lost revenue.

Cybercriminals need initial access – a digital foot in the door. Phishing is a tried-and-true method, but now active recruitment is happening too. And it’s highly targeted. A certain ransomware gang is currently looking for employees in finance, insurance, and travel. Hospitality, the automotive industry, and oil companies are also on their radar. They’ll tell you not to worry about criminal prosecution because they take great care of their insiders; they promise to handle your login credentials discreetly. According to them, the worst that can happen is you’ll get fired. “Don’t listen to those clueless security people – they have no idea what they’re talking about!”

Handling your login credentials discreetly? Sounds nice, but that’s only half the story. You can’t exactly work anonymously – much of what you do is logged. Logs will show: user xyz performed this action on that date at that time. If there are serious indicators, there are extensive ways to hunt down the suspected culprit. And we’ll gladly use them.

It may look like easy money, but don’t be fooled. You won’t get away with “that wasn’t me” when your user ID is in the logs. That’s exactly why you should never share your password with anyone – not even a colleague. Because what if that colleague falls for a Telegram message and hands over your credentials? Such a reckless move could cost you not only your current job but your future career. Who wants to hire someone who got fired for that reason?

Better listen to the advice of one of those “clueless security people” and steer clear of such practices. If financial trouble tempts you, seek help instead.

Because of a few days off, this blog appears earlier than usual.

And in the big bad world…


…I unfortunately didn’t have time to fill this section this week.

 


2025-11-21

Micro-awareness

Image from Unsplash

What grabs your attention first? A newspaper article buried on page seven, or a similar message in a personal email that even addresses your specific situation? The question answers itself, doesn’t it?

As an information security officer, you have a tough message to convey. There are all sorts of rules designed to ensure the confidentiality, integrity and availability of the data entrusted to us. Maybe those terms alone make you break out in a cold sweat. Let alone having to implement measures to comply with those rules – say, in a project. And then those measures get in your way because you can’t do something the way you envisioned. Even if you understand why it’s necessary, it’s hardly pleasant. And it’s a page-seven story: you just hope your audience sees it.

A personal email, on the other hand, always gets through. I’m talking about the kind of email we send to a team manager, telling them that an employee did something against security policy. In other words: someone broke the rules and needs to be addressed. We do this via the manager because they know the employee. Ideally, they can judge the response better than anyone else – and whether our report might be a puzzle piece in a bigger picture, possibly pointing to subversion.

Employee reactions vary from genuinely shocked (‘Oh wow, that was dumb!’) to businesslike (‘Here’s what happened’) to – on rare occasions – defensive-aggressive (‘I’m allowed to do this!’). In most cases, the response closes the report. There’s a plausible explanation, and no further action is needed. Sometimes I ask a clarifying question; you don’t want someone to get away with smoke and mirrors.

This approach turns out to be highly effective for boosting security awareness. I call it micro-awareness: focused on one person or team, and one specific observed fact. It’s almost unheard of for someone who received such a message to pop up again later. That personal attention really works.

Micro-awareness also reinforces the idea that the warning you see when logging in isn’t just empty words. You know, the one saying access is for authorized personnel only and you may only do what you’re allowed to do. Monitoring is real. It’s automated, and only when something pops up that deserves closer attention does a human take a look. We’re an organization with big stakes, and those stakes need protection.

Unfortunately, we have to consider insider threat. I know, all colleagues are incredibly trustworthy; most of us couldn’t name a single one who isn’t. And yet, in a large organization, statistics guarantee a certain percentage of bad apples. Plus, circumstances can turn a model employee into a risk. I dealt with that earlier this year (things went missing), and I can tell you it’s unpleasant for everyone. I might be the first to link that incident to insider threat. Maybe it could have been avoided if the organization were more aware of this often-overlooked phenomenon (and that’s not a blame game; it’s something we need to work on).

If there’s micro-awareness, then logically there’s macro-awareness. Those are the page-seven stories. Not necessarily in the newspaper, but maybe on the intranet or in presentations. Not everyone reads them, not everyone attends. The ones who do are interested in what you have to say. But you’d love to reach the ones who don’t show up.

The Security (b)log is also a form of macro-awareness. Loyal readers know it usually starts with an everyday situation and then twists toward information security. Wrapping a serious message in an appealing package helps. And honestly, it’s a lot of fun to do.


And in the big bad world…

 


2025-11-14

Don't book here

Image from Pixabay

During the autumn break, we wanted to get away for a bit with the whole family. Being as critical as we are, we embarked on an extensive search for a suitable house in a nice location. Eventually, we found what we were looking for on a booking site. Since we had booked there before, we thought we were all set. Things turned out differently.


The day after booking, I received eight messages within an hour and a half from a company I had never heard of; let’s call it Don’tBookHere. The emails were about my booking, with subjects like ‘payment failed’, ‘request for payment of deposit’ and ‘activate your customer account’. And they also wanted a copy of my passport. Although these messages all came through the booking site’s messaging system, I was highly suspicious. As mentioned, we’re regular customers there and have never been contacted by a third party before. The payment was already settled, and the deposit is normally paid on-site. Moreover, the deposit was a whopping seven hundred euros – exorbitantly high. And there was more. The messages mentioned three different internet domains: dontbookhere.eu, dontbookhere.be, and dontbookhere.es (Europe, Belgium, and Spain). In addition to the name Don’tBookHere, the name Don’tInvestHere also appeared. My suspicion escalated further.

Of course, I called the booking site. Long story short: the messages were legitimate. The only incorrect part was the message saying I still had to pay the rental amount. But I was reassured: I didn’t need to worry about that and didn’t need to fear cancellation (which Don’tBookHere had threatened). They had contacted the local landlord – which turned out to be Don’tBookHere – and sorted it out.

Great, you might think, nothing to worry about. But I still had to do almost everything mentioned in those messages. So, I had to create a customer account with Don’tBookHere and check in each family member separately, including all passports. Naturally, I didn’t just send the passports; first, I blacked out various details, including the photos. Then I got feedback: we need the photo, otherwise you can’t receive the key. Since that sounded plausible, I sent them a new scan of my own passport with the photo visible. Incidentally, the man who handed me the key had a copy of my passport with the photo blacked out. And he enthusiastically asked if I was Patrick. It would have been very easy for a villain to snatch the key right in front of me.

As long as legitimate companies keep doing things that criminals also do, it remains difficult to make people aware of risks. You can’t simply say: if you see this or that, it’s always a scam. No, you have to allow for false positives: incorrect signals that something is wrong. So you have to explain: look, if you see something like this, it could be a scam, but it doesn’t have to be; ultimately, you have to decide whether you trust it or not. That sounds much less convincing and often causes uncertainty rather than truly helping.

We see the same with phishing. We say: watch out, if an email doesn’t have a personal greeting but starts with something like ‘Dear customer’ or ‘Hello!’ (or no greeting at all), then be careful. Because criminals sending phishing emails usually only have your email address and don’t know your name. But just now, I received a perfectly legitimate email in my private inbox that greeted me with ‘Dear customer.’ Are these companies just too lazy to use my name? Or does it involve high costs? I looked into it for you.

As for those costs: it depends. With a modern email system, the costs are negligible. However, if you have an old, proprietary system where personalization wasn’t built in, you need to modify the software, and that costs money. Furthermore, many companies don’t have correct data. If they send you an email with ‘Dear {customer name},’ or greet me as ‘Dear Mrs. Borsoi,’ that undermines customer trust. Cleaning up that data is laborious and therefore expensive. There are also companies that deliberately choose a generic greeting to reduce the impact if the email is intercepted (less data leakage). In that case, the generic greeting is actually a privacy measure.

And yes, there are also companies that simply can’t be bothered to greet you properly. My message to them: make an effort and help in the fight against phishing!


And in the big bad world…

 

2025-11-07

Digging holes

Image from Pixabay

"Trenchless technology," it said on the company van. That instantly had my full attention—if you advertise your business with something you don’t do, I immediately wonder: what else don’t they do? But more importantly: what do they actually do?

It was a van from VLTT, short for Van Leeuwen Trenchless Technology. A company founded in 1969 by two brothers. Their craft is drilling. They drill under roads, railways, waterways, and underground infrastructure to install pipes and conduits underground. And they do it without digging trenches. The street doesn’t need to be opened when VLTT lays a pipe.

If it were my company, I’d include something in the name about what I *do* do. Something like Van Leeuwen Drilling (VLD). Because, well, I also use a lot of trenchless technology. In fact, I hardly do anything else. Right now, I’m trenchlessly typing a blog, and when I looked at security incidents yesterday, I did dig through the available data—figuratively—but no actual digging was involved. Anyway, you get my point: tell me what you do, not what you don’t do. By the way, I think Elon Musk’s tunnel-digging company has a brilliant name: The Boring Company. Although I wonder if the employees enjoy telling people at parties that they work for a “boring” company.

In my field, we also use tunnels. These come into existence without digging, even without drilling. All you need is some math. Or more specifically: cryptography. Those tunnels are secure connections over a public network. That public network is often the internet. If you use it to connect to your company—like I’m doing now, working from home and connected to our data center via the internet—you don’t want your data traffic to be intercepted along the way. That’s what a VPN, a Virtual Private Network, is for: a cryptographic tunnel. It’s even a single-person tunnel; only you use that specific tunnel. Reminds me of that time we traveled through the U.S. in a camper. In Zion National Park, we had to go through a tunnel, but due to its round shape, the camper wouldn’t fit. Rangers stopped traffic on the other side and urged me to drive exactly along the center line. Only then would the camper fit through. But I digress.

Because only you use that tunnel, the confidentiality of the data traffic is ensured. But those tunnels can do more: during setup, it can be checked whether you’re even allowed to establish a tunnel to that destination, and whether the destination is actually legitimate. Both endpoints of the tunnel are authenticated: their identities are verified. Setting up the tunnel involves digital certificates—think of them as passports. And you need a protocol, an agreement on the “language” you speak. Examples include TLS/SSL, IPSec, and OpenVPN.

If you use digital certificates, you’re using so-called asymmetric cryptography. This form of cryptography is especially threatened by the quantum computer. If, in a few years, a quantum computer powerful enough emerges, it will be able to break asymmetric cryptography. Your VPN tunnel will then be compromised. Unless the protocol is made quantum-proof in time. That’s being worked on worldwide with great urgency, but organizations must take action themselves to implement everything. That takes a lot of time—probably more time than we have. So there’s urgency.

Still, that term keeps nagging at me. And what do you know? “Trenchless technology” has a Wikipedia page in six languages! My surprise was simply due to ignorance. It’s not uncommon for a field to invent a term that’s not understood outside of it. Back in the day, there were computer terminals that didn’t use a screen but a printer; they were essentially printers with a keyboard. Some fellow students called them “write-printers.” It didn’t make much sense, but we knew what they meant. And that’s what matters.


And in the big bad world…

 

2025-10-31

Digital dumpster

“We missed each other”. The delivery note says ‘blue dumster’, handwritten with love and a spelling mistake.

I’m not sure what irritated me most. Was it the spelling mistake, or the fact that my parcel had been dumped in the blue trash can (intended for paper recycling)? Or was it the little heart the delivery person used to justify their action?

Look, when I order something, I want to receive it as quickly as possible. But I also want to actually receive it, and it should be intact. Those last two requirements don’t quite align with delivery into a garbage container. A lot can go wrong. I wouldn’t be surprised if gangs roam quiet neighborhoods in the afternoon, searching for parcels dumped in bins. A housemate who knows nothing about it might toss a fresh load of old paper into the blue bin without noticing the package. A thoughtful neighbor, who did remember that the bins are being emptied today, might kindly put your bin out on the street. And if the bin was already empty, you’ll have to dive in to retrieve that coveted parcel. So you understand, I don’t consider the bin a substitute mailbox.

Of course, I’ve addressed many delivery drivers about this. They politely apologize and promise to do better. If you complain to their employers, you get the expected response: shame on them, we’ll discuss it internally. But nothing ever changes. There’s too much time pressure on deliveries, and depending on the setup, drivers are paid per delivered item. Taking it back means no money for some. So it’s a pragmatic choice to leave the parcel somewhere. And the bin is still a relatively safe spot. I’ve seen cases where the parcel was simply left at the front door.

You can end up in a similar situation if you don’t know where your data is stored. If you use a recent version of Microsoft Office at home, Word, Excel, and the other programs prefer – by default – to save your files in the cloud. If you want to save them ‘locally’, you’ll have to make an effort. I bet many people don’t even know their files end up in the cloud, let alone what that means. If they did know, they might be shocked or outraged: “Why didn’t anyone tell me?!” In that sense, the cloud is a digital dumpster.

Do you lose files stored in the cloud? Probably not. But you might temporarily lose access due to a cloud service outage. You also hear the term ‘digital sovereignty’ more often. That refers to a country’s right to control its own data. I see a wave pattern: in the early days of the public cloud, we often said the cloud is just someone else’s computer – and surely you wouldn’t want to store your data there? When it became clear that major cloud providers had their affairs in perfect order, there was a rush to the cloud; it was the logical place to store everything with those American tech giants, our friends. In today’s geopolitical climate, we view that American hegemony with a healthy dose of skepticism.

What applies to your private situation also applies to the organization you work for. It too wants its data to be stored thoughtfully and securely. That means clear guidelines must exist about what can and cannot go into the cloud. For government organizations, this is not just a policy choice but also a political one. And ‘clear’ means the policy must be easy to implement. Long green and red lists won’t work. Technology comes to our aid with a CASB: a Cloud Access Security Broker. It automatically enforces company policy when using cloud applications, ensuring sensitive information is stored and shared only under safe and approved conditions.

But of course, technology isn’t flawless. So we need to look more closely at alternatives close to home, under our own sovereignty. Bert Hubert is someone who actively lobbies for this. He once proposed creating a kind of ‘Cloud Kootwijk’. He’s referencing the radio station that the Netherlands established during colonial times to avoid relying on competing foreign countries for communication with the colonies: Radio Kootwijk. The impressive building, nicknamed The Cathedral, still stands. With some adjustments, it could house a national cloud. They should also try to make good arrangements with the parcel delivery services there.


And in the big bad world…

 

2025-10-24

Diverted


Image from Pixabay

On board flight KL1540 from Alicante to Amsterdam, a call was made for a medical doctor. Moments later, the captain announced that the plane had to divert to Paris due to a medical emergency.

And then things suddenly go differently than you're used to. The tone shifts from friendly-businesslike to measured-strict. The descent feels noticeably steeper than usual. The cabin crew is instructed to check seatbelts and tray tables "if time allows." There's no time left to collect trash with a cart. Once on the ground, you're quickly parked and emergency services arrive.

After everything around the patient is taken care of, you want to return to normal as quickly as possible: onward to Amsterdam. For that, the captain had to "make the necessary calls," for example to refuel and to arrange a new landing slot at Schiphol. He also mentioned choosing not to order extra catering, as that would take additional time. He did take a moment to walk through the cabin to answer any questions.

In IT, you sometimes have to divert too. Something stops working in one data center but still works in another; it's redundantly designed, as we like to say. Failover comes in different flavors. In some systems, it happens automatically and users don’t notice a thing. The system detects something is wrong and switches to "the other side." In other cases, administrators must detect the issue and manually switch things over. And unfortunately, not every situation allows for failover, and users must wait until the problem is resolved.

Just like in aviation, in IT you want to return to normal as quickly as possible after a diversion. You need to plan ahead, because there are often many dependencies that require a specific order. You document the procedures in plans and – very importantly – you regularly practice those plans. Partly to get familiar with them, and partly to catch errors in the plans. Better to encounter those errors during practice than in real life.

Sometimes there's no time to practice – or rather, no time is made. Imagine if pilots weren’t given time to train emergency procedures. And then during takeoff – a fairly critical moment – an engine fails. You don’t want the pilots looking at each other in confusion. No, they should routinely (on autopilot, so to speak) perform the correct actions. Those actions have been thought out, documented, and thoroughly practiced. So that things end well when something goes wrong.

But it can get worse: when no attention is paid at all to the continuity of a process. Sure, you can make the deliberate decision that it isn’t necessary, but in the cases I’m referring to, the topic isn’t considered at all. Out of ignorance, helplessness, lack of time – who knows. Maybe you're thinking of the recent massive AWS outage (Amazon’s cloud service), but feel free to look around your own organization too.

Flight KL1540 arrived two hours later than planned at Schiphol. Not a big issue for passengers whose final destination was Amsterdam. But there were also people on board who had a connecting flight to Kristiansand, in southern Norway. Not many flights go there from Amsterdam. I fear those passengers had to divert to a hotel.


And in the big bad world…

 


2025-10-10

Secure Purchasing

Image from Pixabay

A young family member had been in need of a new laptop for some time. You know how it goes: the device goes everywhere, the bag isn’t always handled gently, and the water bottle turns out not to be entirely leak-proof. The situation became increasingly dire: large parts of the screen had stopped working. So what do you do? You go to the store or order a new laptop online.

It certainly hurts financially, but the process usually goes smoothly. Order before midnight, receive it tomorrow (that’s how it works in the Netherlands). If you're lucky, the package is neatly delivered to your door (and not dumped in the trash bin — but that’s a story for another time).

Things are quite different at a government organization. If you need to replace laptops for tens of thousands of employees or require new software, you can’t just go to the local store or a webshop. No, you have to initiate a European tender. That’s a complex process where you must describe what you want in functional terms. You’re not allowed to specify a brand — instead, you must list desired specifications: screen size, storage capacity, amount of RAM, that sort of thing. The tender document also includes many other requirements that the product, maintenance, and supplier must meet. If a supplier cannot answer ‘yes’ to even one requirement, they’re out. The winner is the supplier who meets all conditions and offers the lowest price. You, as the buyer, have no influence over who that is or what product they offer.

Our team is responsible for security, continuity, and privacy. From these perspectives, we want to influence the ICT products and services being procured. In the past, requirements that didn’t directly relate to functionality were given a dreadful label: non-functionals. I understand the term — these requirements don’t directly concern what the product should do and thus don’t contribute to the requested functionality. But honestly, how would you feel if your input were labeled non-functional?

We came up with a solution. We created a document that bundles all the requirements we want to impose on procurement processes from our area of responsibility. And the proud title of that document is: Security Functionals Requirements (SFR). Because you know what? Security matters. Often, security actually enables things that wouldn’t be possible otherwise. Or would you want to bank online if it weren’t properly secured?

The SFR is based on the BIO document — the Baseline Information Security for Dutch government. That’s our mandatory framework, so it makes sense to use it as a starting point: if we use a product that doesn’t comply with BIO, then we as an organization don’t comply either. We’ve also added our own expertise, for example, on topics not yet addressed in BIO, such as quantum computing, which poses a serious threat to the security of our data. In other areas, we’ve included insights based on our field experience.

Our procurement officers, who formally guide such processes, naturally have opinions about the requirements. Coordination with them — including legal advisors — is therefore important. All in all, we now have a solid generic document that must be used for every ICT procurement process. It’s up to the involved architect to determine which SFR requirements are relevant for a specific tender. Often, someone from our team is also involved to support the project manager with advice and expertise.

You understand that this is not a case of ‘ordered today, delivered tomorrow’. But that was already true before the SFR existed. A European tender is inherently a bureaucratic exercise that requires due diligence. Fortunately, things are much easier for you as a consumer. Of course, even without the SFR, you’ll ensure that the product meets your security requirements. Right?

And in the big bad world…

 
