2024-11-15

Safe water

Image from Pixabay

Have you seen it yet? It is advancing in our offices. Without any warning – or I must have missed something. We looked at each other awkwardly. The first time that day I went to the other one, but then I could no longer contain my curiosity and I bravely walked up to it. I touched it and it flashed happy lights at me. It took me a while to figure out exactly how to do it, but eventually I got what I wanted: a mug full of hot water. We are talking about the Borg & Overström E6, a device that delivers cold, chilled, sparkling and hot water. Tea and water drinkers are in for a treat.

How did I come to dedicate the Security (b)log to what they call a drinking water solution? Well, if the name of a water dispenser contains Overström, then you have my attention. Because, you know, the Dutch word ‘overstroming’ means flooding. Nomen est omen – what's in a name. And indeed I noticed that the device on our floor is already leaking a little. The first part of the name is a trigger too, but only Star Trek fans will understand that. A little tip for everyone else: the Borg are those friendly space creatures who state: “You will be assimilated. Resistance is futile.”

There is no manual next to the B&O (oops, that was already another company’s abbreviation). If you haven’t met the E6 in person yet, you might think: what do I need a manual for? But that device does not give up its water just like that. It has five buttons: one for each of the products mentioned plus one with a padlock on it. Aha, that’s the link with security!

So you think you have to unlock the device first with that button and then press the button of your choice. Wrong! After two touches, nothing happens. Well, you get a small light show where you expected water. But no water. Huh? After a day of practice I figured it out. You have to kiss it awake with a gentle touch, then unlock it with the padlock button and only then press the button of the desired product. Et voilà, as long as your finger rests on that spot, water keeps coming. A full mug in one go – a real improvement compared to those coffee machines where you had to tap twice for the same purpose, or use the 'pot' button.

Meanwhile, colleagues are wondering why there is a lock on these devices at all. My answer: to protect children from the hot water. Which children? Well, exactly. They are extremely rare in our office environment, and I suspect the same goes for the vast majority of the other customers of this British company (you wouldn't have thought they were from there, would you?).

I have written before about security measures that are unnecessary in a certain context and therefore cause unnecessary delays. Look, with a boiling water tap in the office I understand that there is some kind of safety on it that requires you to consciously choose boiling water. It would be a shame if you were to wash your hands with boiling water due to an operating error. But you don't do that at a water dispenser, and it is not possible to hang your mouth under it if you are thirsty but don’t have a cup. Moreover, the coffee machines don’t have a lock either.

Many Security (b)logs are preceded by thorough research. For this edition I wanted to consult the Borg & Overström website. But instead of the desired site I was presented with a screen from Cloudflare: “Sorry, you have been blocked.” I must have done something that triggered their security. But I only clicked on the company link from the search engine (startpage.com). Oh well, fortunately there are more roads to Rome and I was allowed to visit that site on another device. By the way, I didn't know you could fabricate such bombastic texts about gargoyles! You could copy most of the texts almost unchanged to sell the latest model of electric car (“evolved environmental sustainability, energy efficiency and intelligent technology” and “we aim to inspire the every day with original design and thoughtful innovation”). Anyway, I was blocked and I have no idea why. Could they have blacklisted our organization? (Being the Tax Administration…)

The E6 can also be operated contactless, via Bluetooth – a covid-driven innovation. I'll quote my Finnish hero Mikko Hyppönen once more: if it's connected, it's vulnerable. Let's hope that doesn't lead to an ‘overstroming’.


And in the big bad world…

2024-11-08

The EU and AI


Image from Pixabay

I’ve said before that you shouldn’t ask an information security officer if you can use AI for your work, because that will lead to a risk analysis that will undoubtedly say: don’t do it. No, decisions about the application of certain forms of technology should be made by ‘the business’, or perhaps a better term, by the decision makers. They may well be influenced by our risk analyses, but there are more factors that decision makers should and/or want to take into account.

Sometimes the decision is to be made at the political level. Like with AI. Enter the European AI Act, a regulation on artificial intelligence (an EU regulation is legislation that applies throughout the European Union, without country-specific interpretations). The aim of the AI Act is to ensure that we get safe AI systems that respect our fundamental rights. These rights include transparency, traceability, non-discrimination and environmental friendliness. And the systems must be under human supervision to prevent harmful consequences.

The regulation divides the AI landscape into four risk levels. The highest level contains systems that pose an unacceptable risk to the safety, livelihood and rights of people and are therefore prohibited. Examples mentioned by the EU are voice-controlled toys that encourage dangerous behavior and real-time biometric identification (think of the facial recognition at traffic lights in China: if you walk through a red light, you’ll find a ticket in your mail).

The next category contains systems that pose a high but acceptable risk. They may have a negative impact on our safety and fundamental rights, and they fall into two subcategories: systems covered by EU product safety legislation, such as toys, cars, aviation, medical devices and lifts, and systems in certain areas, such as critical infrastructure, education, employment, law enforcement and migration. Such systems are assessed before they are allowed to be put on the market, and throughout their life cycle. National regulators must set up a complaints procedure.

One risk level lower are systems that pose a risk of deception. This includes generative AI, which creates content itself, such as ChatGPT and Gemini. Artificially generated content must be labelled as such. So if you chat with an AI chatbot on a website, they must clearly tell you. Deepfakes – videos, photos and sound fragments that are manipulated to make it seem like someone is doing or saying something – must also be labelled. AI systems that pose a minimal risk are not regulated. Examples include games and spam filters. According to the EU, the vast majority of AI systems currently in use fall into this category.

The AI Act will be implemented in phases. In February next year, unacceptable systems will be banned. Six months later, the national supervisors should be sitting in the saddle. Next year, the transparency rules for general AI (such as ChatGPT) will also come into force. And a year later, the rules for high-risk systems will come into force.

It is good to see that the EU is taking this issue by the horns in a timely manner. But don't have any illusions about everyone complying with the regulations. Criminals in particular have a knack for breaking the law. They will certainly continue to use deepfakes to make people believe that a loved one is in need and urgently needs money.


And in the big bad world…

2024-11-01

No style


Image from Pixabay

If you put a sticker that says SECURE on something, does that make it secure? It depends. If that sticker is stuck on after the security has been checked, and if it’s clear that the sticker is only granted after the check, then you can indeed assume that the stickered thing is secure - at least, if the sticker shows that it is authentic. In all other cases, that sticker makes no sense at all, of course. In fact, it promotes a false sense of security.

Recently I spoke to a colleague who manages a great web application. When creating that program, they forgot one thing: the house style or, if you wish, the corporate identity. And the people who watch over the house style didn't think that was a good idea. Because, they argued, users would think that it was a fake website, where scary things could happen. Put our corporate logo on it, they said, that will prove that the site is secure.

Nonsense. If cybercriminals have become good at anything in recent years, it is the faithful reconstruction of websites. They look at what the real website looks like and copy the entire house style: logos, photos, font, writing style, and yes, even the beware-of-cybercriminals notice, which is on many sites these days. So you can't tell security from the appearance.

But, the administrator said, users of my application can see in the browser’s URL bar that the displayed web page is in our domain. But that doesn't work either. Because for the average user that is simply a bridge too far. Or have you never seen someone type 'wikipedia.org' in the search bar of Google and then go to that website via the search results? Instead of typing 'wikipedia.org' (the URL) immediately in the URL bar (at the very top of the browser), so that you immediately end up in the right place? Many users have a blind spot for the URL (or address) bar, let alone that they look at what is there and use it to determine whether they have ended up on a bona fide site.

Aside: the method outlined here introduces an additional problem. Cybercriminals are very successful in having their fake sites appear high in the search results. This means that you may end up on a fake site via your search engine. Tip: if you know the URL, type it into the URL bar, not into Google (or another search engine). If you visit a site often, bookmark it so that you don't have to type. Bookmarks also prevent you from ending up on a fake site due to a typo ('wikipidia.org'). Criminals like to build websites with URLs that are very similar to those of the real websites. And then they hope that you make a typo and end up on their site. This is called typosquatting.

Despite all this, I have pleaded with the administrator to apply the house style. Am I then in favor of a false sense of security? Not at all. But I want to prevent a flood of unjustified reports from users who think they are on a fake site – the colleagues at the IT service desk are busy enough as it is, so if I can spare them a number of false positives, I am happy to do so. In addition, we train users to recognize dangers. I call them red flags. The more red flags, the more likely that something is wrong. For example, for phishing, I can easily list a number of red flags: an impersonal salutation ("Dear customer"), a different sender address (amazon.ru instead of amazon.com) or a link to a different domain (amazon.com.customer.com). Tip: you should read the hostname in a URL from right to left; so only if amazon.com is at the far right are you visiting the domain of that webshop. By the way, something may follow after that, starting with a '/': amazon.com/customerservice takes you to a page in the domain amazon.com. But amazon.com.customer.com is not an amazon.com page.
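As an added illustration of the right-to-left reading rule and the typosquatting tip above (example code, not from the original post), this Python checker classifies the page's own link examples. It assumes a short, fixed list of genuine brand domains and approximates the "real" domain by the last two hostname labels; a production version would use the public suffix list so that co.uk-style suffixes are handled.

```python
"""Classify a link the way the post tells readers to read URLs: start at the
right end of the hostname, and treat anything after the first '/' as path.

Added example, not code from the original post. Assumptions:
- KNOWN_DOMAINS is the list of genuine brand domains (the two named on the page).
- The registrable domain is approximated as the last two hostname labels, which
  is wrong for suffixes such as co.uk; a public suffix list would fix that.
"""
from urllib.parse import urlsplit

# Brands this checker knows about; anything else is "unknown", never "safe".
KNOWN_DOMAINS = ("amazon.com", "wikipedia.org")


def hostname(url: str) -> str:
    """Lower-cased hostname of a URL; bare names like 'wikipidia.org' are accepted."""
    if "://" not in url:
        url = "http://" + url
    # urlsplit also strips userinfo tricks such as amazon.com@evil.example
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(url: str) -> str:
    """Last two hostname labels, e.g. 'customer.com' for amazon.com.customer.com."""
    labels = hostname(url).split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-keystroke lookalikes (wikipidia)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(url: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is genuine, lookalike, typosquat or unknown."""
    host = hostname(url)
    domain = registrable_domain(url)
    if domain in KNOWN_DOMAINS:
        return "genuine", f"rightmost labels are {domain}"
    for known in KNOWN_DOMAINS:
        # amazon.com.customer.com: the brand appears, but not at the far right
        if known in host and not host.endswith(known):
            return "lookalike", f"{known} appears in {host}, but the real domain is {domain}"
        # amazon.ru: same brand label, different top-level domain
        if known.split(".")[0] == domain.split(".")[0]:
            return "lookalike", f"{domain} is not {known}"
        # wikipidia.org: a typo away from the real name
        dist = edit_distance(domain, known)
        if 0 < dist <= 2:
            return "typosquat", f"{domain} is {dist} edit(s) away from {known}"
    return "unknown", f"{domain} is not a domain this checker knows"


if __name__ == "__main__":
    # Constructed sample links, including the ones the post discusses.
    for link in ("https://amazon.com/customerservice",
                 "https://amazon.com.customer.com/login",
                 "https://amazon.ru/",
                 "wikipidia.org",
                 "https://example.org/"):
        verdict, reason = classify(link)
        print(f"{verdict:10} {link:45} {reason}")
```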

Of course I went to look at the page of that internal web application. And what do I see? In a corner, our corporate identity logo is displayed! They have made concessions, hoping that everyone is happy now. And they are going one step further: the application will be connected to single sign-on, so visitors no longer have to log in manually. A smart move, because if you think that you might be on a fake site and it asks for your credentials, it increases the feeling of insecurity.


And in the big bad world…


2024-10-18

Inside and under the mine


Image from Pixabay

In the previous century, mining flourished in the south of the Dutch province of Limburg. Incidentally, this activity began around the year 1100, when the monks of the Rolduc Abbey in Kerkrade were already digging in the ground. From the 17th century, things became a bit more serious, and in 1902 the Dutch State Mines were established. I remember two striking points from my youth: a large, pitch-black mound in the landscape when we drove on the highway to Heerlen and the Lange Jan (“Long John”), the 135-metre-tall (443 ft) chimney of the power station that belonged to a mine, in the center of that same town. In 1973, the government closed the mines. In Landgraaf, several street names still remind us of that time: Koempel (Miner), Pungel (Bundled Clothes), Houwer (Mason), Zeverij (Sieving Plant), Mijnlamp (Miner’s Lamp), Galerij (Gallery), Aan de Schacht (At the Shaft) and more.

Perhaps it is this history that makes it somewhat difficult for me to grasp the term undermining. After all, those mine shafts are already underground, what else could be under them? On the other hand, there is a beautiful metaphor in it. Because undermining indicates the intertwining of the underworld and the straight world, or criminality and legality. Things happen in the underworld that cannot stand the light of day, and in the mine shafts it was also dark.

But what exactly is this undermining? The government website does not provide a very specific definition either: “Criminals use legal companies and services for illegal activities. As a result, standards blur and the feeling of safety and liveability decreases. This effect is also called undermining.” If you click through, it becomes a lot clearer. It’s about influencing and intimidating, for example, members of parliament, civil servants and “innocent citizens” (as if the other two are always guilty…). Serious violence can be used, “even to the point of liquidations and explosions in residential areas”.

Examples shed some more light on what it is all about when legal companies are involved in criminal activities: banks are used to launder criminal assets, drug and human trafficking takes place via ports and airports, and an electrician is needed to set up a cannabis farm. Civil servants are pressured or paid to pass on information. This may involve the address details of someone with whom they still have a bone to pick. This brings us to the jurisdiction of the Internal Investigations Department: an investigative service that falls directly under the Public Prosecution Service. Tracking down and investigating possible criminal behaviour by civil servants is one of their most important tasks.

Our intranet has a mandatory e-learning course on the topic of undermining. Using compelling videos, it makes clear how insidious undermining works: a concerned acquaintance notices that you are a bit short of money, lends you a few thousand euros and then urges you to return the favor, leveraging moral obligation. Once you get caught up in that, there’s no easy way out. The e-learning course was impressive.

What is a pity, however, is that according to the same course there are no fewer than five different reporting points: four internal ones plus 112 (911 and the likes) in case of acute danger. "How well do you know the different reporting points to turn to?" Well, you know, if I ever happen to stumble upon a case of possible undermining, then I will find out where I can go. It seems a bit pointless to me to learn by heart which counter I should go to in a specific situation.

Criminals do not distinguish well between what is theirs and what is of others. That is the distinction between mine and thine. Which takes me back to that coal mine of old.

There will be no Security (b)log next week.


And in the big bad world…


2024-10-11

Water distress


Image generated by ChatGPT

Apeldoorn (the Netherlands), Friday 4 October 2024, 18:22 – 70 thousand households receive a mass alert: the tap water is contaminated with the E. coli bacterium (lovingly referred to in the newspaper as the 'poo bacteria'). We need to boil the water for three minutes before drinking it. We should also use boiled water for brushing our teeth and washing vegetables. [For some context for readers from abroad: tap water is delicious in this country.]

People are rushing to the supermarket en masse to stock up on bottled water. The need is great – in one supermarket people are even fighting over the last few bottles. We see images that we know from faraway countries, with people pushing shopping carts that are filled to the brim. By the end of the evening there are no more bottles for sale anywhere. The next step would be looting. A shopkeeper tells the newspaper how quickly the water was sold out, and that he has ordered not the usual thousand litres (264 US gal), but ten times as much for the next day. The local press photographer captures a car with a boot completely filled with water bottles. I counted them: there are around 140 litres (37 gal) of water in that car.

And us? We stayed home quietly. Because on the one hand we trust the water company when they say that boiling for a few minutes is sufficient, and on the other hand we have had an emergency supply of drinking water for years, precisely for these kinds of occasions. And we pay attention to the expiration date, so that the water is swapped in time (nevertheless it tastes a bit stale). And there are more things that you had better have in the house in case something strange happens. A supply of food is of course obvious; remember that you may not have gas or electricity to prepare it and that you must be able to eat it cold. Rechargeable lamps are only of service as long as there is power – lamps that (also) work on batteries are better, provided you have enough fully charged batteries in the house. A battery-powered radio is handy to stay informed about the progress of the misery.

In IT, this is the field of Business Continuity Management. BCM professionals ensure, among other things, that if something goes terribly wrong, if our IT is hit by a disaster, the impact is limited and we return to normal as quickly as possible. They do this by ensuring that teams responsible for keeping IT services up and running are optimally prepared for eventualities. Plans are ready and these plans are tested. And for major, far-reaching events, they train the crisis management team, so that these people also know what to do if things go completely off track.

As the example of the water distress in Apeldoorn and the surrounding villages indicates, it is also useful to do something about BCM at home (although I would perhaps rather call it HCM: Home Continuity Management). Above I already gave an idea of a shopping list; on the government website denkvooruit.nl you can find even more information. There you can read, for example, that it is also useful to have some cash at home. Because in the event of a massive power failure or network failure, you will no longer be able to shop cashless, and the ATM will also show its sorry screen. Then you are happy if you have emergency cash at home and can still go shopping. [For readers from abroad: the Netherlands is rapidly transforming into a cashless society, where paying with your phone or debit card is common and where people often don’t have any cash on them.]

But don't start hoarding right away, okay? Here in our city, the mayor had to intervene to call on the population not to grab what you can grab and to take each other into account – let others have some water too, he begged. I had to think back to that video from the covid period, in which a forklift driver, roaring with laughter, drove through an immense warehouse that was filled to the brim with toilet paper. That was the product that we then feared to run out of. The run on water in Apeldoorn is even more remarkable because it is a local problem. Incidentally, many people have already moved to surrounding cities to get water.

Meanwhile, boiling tap water is a great alternative. Admittedly, it is a bit tricky. I am so used to tapping my tea water from the boiling water tap that this morning I looked right past the filled thermos and filled my mug under the tap and only when the tea was ready did I realize that I was wrong. For brushing our teeth, we have a bottle of water in the bathroom, simply because it is more convenient. Boiled water has to cool down before you can use it for such applications.

In the meantime, the water company is busy inspecting four water reservoirs, each containing three million litres of water (792,516 gal). They have to be emptied for this, but it has to be done one by one because otherwise our taps would run dry. That’s why it’s taking so long – at least until the 14th, we have to be suspicious of our tap water. Today (Friday) we’ll get another update. Hopefully with good news. And I’m also curious about the cause. In the meantime, I just wiped my daily apple with a paper towel instead of washing it with water. Oh well, those minor inconveniences.


And in the big bad world…


2024-10-04

The Sandman


Image from Pixabay

In some countries in the world, criminal organizations kidnap poor devils and force them to send out scams seventeen hours a day, said Nathaniel Gleicher, global head of counter fraud at Meta, this week at the annual ONE Conference in The Hague.

Meta, the parent company of Facebook, Instagram and WhatsApp, among others, is not exactly the darling of privacy-minded citizens. But what Gleicher had to say at this conference matters. Because let the above sink in for a moment: people are being held against their will to bombard you, with bags under their red-rimmed eyes, with deceptive messages. In my world, scam refers to deception via false messages. For example, that text message about a troubled delivery, a WhatsApp message that starts with "Hi dad, I have a new phone number" or an email in which "the bank" announces a security check for which they need your cooperation. In short, pretty much everything that can be classified as phishing.

The reprehensible activities of cybercriminals are a problem for Gleicher, because they abuse his platforms. And apart from the moral obligation to do something about it, Meta also has a clear business interest here: if users are confronted with fraud on Instagram over and over again, they will eventually stay away, or at the very least they will become so suspicious that they will no longer click on anything, not even on bona fide contributions. And that means loss of revenue.

Meta divides fraud and scams into three types of problems: actors, behavior, and content. Actors include everything that has to do with false identity: you think a message is from a friend or a celebrity, but in fact there is a criminal behind it. Behavior includes everything a criminal does: deception, spam, even playing on your (romantic) feelings. The content type of problem encompasses celebrity bait, financial deals and charity, to name a few.

Gleicher wants to combat this vigorously, but his billions of normal, well-intentioned users should not suffer too much from it, because that would be bad for business. And so he focuses on the malicious ones. An important part of that is taking down fake accounts as quickly as possible. To do that, they look at the behavior of an account. For example, if a biography states that you live in the Netherlands, but all activity comes from a country far away, that is a red flag. And they use artificial intelligence to detect whether someone is misusing photos of celebrities. Think of a photo of Elon Musk with a golden tip to purchase bitcoins 'via this link'.

Criminals use mechanisms that are intended for honest people. Did you forget your password? Then click on a link and you can set a new password via the email sent to you. But if a criminal has hacked your email, he can do so on your behalf (it is therefore important to realize that your email is by far your most important account). Meta is trying to put a stop to this with innovative developments. For example, they are currently piloting a new method for account recovery: you have to supply a new selfie, which they compare to photos in your profile. The idea behind this is that criminals cannot simply get a fresh selfie of you.

Scams run across multiple layers, such as social media and banks. This makes it difficult for one party alone to recognize scams. At the ONE Conference, Gleicher announced the FIRE program (Fraud Intelligence Reciprocal Exchange), in which British and Australian banks provide information to Meta. In an earlier phase of the program, this had already led to the removal of some 20,000 fake accounts.

The British talk about throwing a spanner in the works, the Americans throw a wrench, but the Dutch throw sand. Hence the title of this blogpost: Meta throws as much sand as possible in the works of internet criminals. You could say that Gleicher is the sandman of social media.


And in the big bad world…


2024-09-27

Intruders


Image from Pixabay

In 2007, a Dutch engineer walked into the Iranian nuclear complex of Natanz and installed a water pump there. This Erik van Sabben had a second client: the Dutch intelligence service AIVD. And that is how it happened that the centrifuges, which are needed to enrich uranium, went haywire because of the infamous Stuxnet virus. This is of course the ultra-short version of the story. The long, exciting story is in the book There's a War Going On But No One Can See It by investigative journalist Huib Modderkolk.

Earlier this week, a Dutch engineer walked into the Dutch nuclear complex of Almelo. Not to install anything, and not with a secret agenda. No, because that was me, together with about thirty colleagues, and we came for a tour and a presentation on a holistic view of security.

So I walked from the parking lot and came across a fence that was several meters high. There was a pedestrian gate in it, with an intercom. People were just coming from the other side, so I thought, I'll ask them. Because I was curious how they would react. It turns out that the gate wasn't locked at all. I was welcomed with a wide arm gesture and I was kindly shown where I had to report.

Is it really that easy to get in there? Well, fortunately it is not. You get a pass and with that you can go through a gate. After that, as a visitor, you can actually only go one way: to the reception building. And from there you are constantly accompanied.

October is traditionally security month. Many organizations – including ours – pay extra attention to security. One of the topics that we are putting in the spotlight this time is physical security. As an employee, you play a somewhat uncomfortable role in this. We want you to be a little less friendly. Intruders often enter because a friendly employee holds the door open for them. Most of the time, this doesn’t work at the entrances of our buildings, because you have to go through a swing gate. But think for a moment about those internal doors, which you have to open with a badge. Those secured doors are there for a reason: only authorized personnel should enter. Of course, you can hold the door open for someone you know belongs there, but for strangers, a friendly “Would you mind using your own badge?” is appropriate. And if you see someone walking around without a badge, you could just as kindly ask whether they have lost their pass, and if necessary, accompany them to the reception. I know this is difficult and that is why I am glad that this situation usually doesn’t arise. Usually, indeed. Maybe that is an extra reason to say something anyway if you see this.

Let's go back to the visit. The security manager first talked about the physical threats that a uranium enrichment plant has to deal with. You can easily figure out where those threats come from: criminals, terrorists and activists. The security measures are not that difficult either: fences, security guards, alarm systems. Then he went on to digital threats, in which the same actors play a role. And that's where the holistic ('all-encompassing') nature of their approach comes into play: the measures against cyber threats are of the same kind as those against physical threats. You have to look at it as a whole, because an attacker will not make a distinction between them either. He might try to disable the alarm systems via a virus or a hack, after which he gains physical access to the complex. And maybe he is not after uranium at all, but after data. In most organizations, crooks and spies will try to get the coveted data via the Internet, but in facilities like these, the really important data is air gapped: there is literally air between the computers in question and the outside world, in other words: they are only attached to a strictly closed network. So you really need to get inside to reach it.

During that tour I came face to face with exactly the kind of installation that Stuxnet was all about: the centrifuges that enrich uranium in order to turn it into fuel for nuclear power plants. With Modderkolk's book in mind, this was quite a special moment. It really takes something to break those things. The oldest installation in Almelo has been running non-stop for forty years, without any maintenance. You can't find that in ICT.

Thanks to Urenco for the hospitality and to the Security Academy for the organization.


And in the big bad world…
