2024-04-26

Brilliant failure

 

Image from Pixabay

No, I wasn't giving another presentation this week. This week I took a warm bath in the presentations of others, during the Love for your Trade week, organized by passionate colleagues. For three days there were stories and workshops from and by mainly colleagues. And a small number of external speakers (plus the great Lucas de Man as host).

In the program, one external speaker immediately caught my attention: Prof. Dr. Paul Iske, CFO (Chief Failure Officer) of the Institute for Brilliant Failures (IvBM). I was curious what that could be, a brilliant failure. And I expected some humor. That was certainly there, but prof. Iske's message was deadly serious: some things simply don't turn out as intended, while the people who worked diligently on them cannot be blamed. And there is a lot to learn from that. Failures are normal, Iske taught us.

Live on stage, our organization was the twentieth to sign the Universal Declaration of the Right to Fail Brilliantly. That declaration has five articles, the first two of which regulate reputation, psychological safety and the right to personal evolution. The next two give you the right to try and to be forgiven, to put things into perspective and to learn if an attempt to make something happen should fail. The final article gives shape to the universality of the statement: anyone is allowed to fail brilliantly, no matter who and what you are. The statement defines a brilliant failure as “an attempt to create value where no avoidable or culpable mistakes have been made and yet the originally desired outcome has not been achieved: learning has taken place and the learning experiences are shared.” The aim of the declaration is to “promote appreciation for these rights and freedoms and, through progressive measures, to ensure that these rights are generally and effectively recognized and applied”.

It seemed like such a brilliant idea, but for some reason it failed. The IvBM gives us sixteen tools to learn from our mistakes, the so-called archetypes (“universal lessons, patterns or learning moments”). I'll mention a few. When you deal with 'the light bulb', you are experimenting, working towards the solution through trial and error, just like making the very first viable light bulb. With “the banana peel” you have to deal with accidents that will happen. Like the AEG microwaves, which after an update thought they were steam ovens. And with “the empty place at the table” you have not involved all relevant parties in your project. This happened on the singing road in the province of Friesland, where a ribbed pattern on the road surface was intended to ensure that motorists adhered to the maximum speed, by playing the Frisian national anthem as a reward. Here they forgot that local residents might not take this well.

A presentation like this makes you wonder whether there exist brilliant failures in your own environments. I can neither confirm nor deny – for, uh, security reasons – that I encounter them in my daily work. But I can have a closer look at my own work, and that is quite exciting. Especially to write about it. But hey, we signed that declaration, so nothing can happen to me.

The Security (b)log has been around for thirteen years now; the five hundredth instalment will soon be published. In all modesty I can say that it is a success, and management shares that opinion. Statistics, comments and spontaneous pats on the back at the coffee machine support this. In 2016 we thought it was a shame to keep all this beauty to ourselves and the blog went external (on Blogspot and LinkedIn). Moreover, there has also been this English-language version for two years now – we have more and more non-Dutch-speaking colleagues and the whole world can enjoy it, right? If the figures from Google Analytics and LinkedIn are anything to go by, the reach of external publications lags far behind the internal version. I must say that these figures are a bit difficult to interpret: on Blogspot (a Google service) I sometimes see unlikely numbers of readers from distant countries (even for the Dutch version), and LinkedIn gives figures for 'impressions' and 'views' that are far apart. A handful of regular readers give it a thumbs up every week (thanks!), supplemented by a changing but modest audience. Now, I'm not someone who expresses appreciation for everything myself, but if you're on the receiving end, it's nice to get some feedback. But only if you really like the piece, right?

In the IvBM learning environment, BriMis, you can check your own project against the archetypes. If I run my external blog through them, three pop up. First, 'the right half of the brain': “Some people are unpredictable and/or inconsistent in their reactions and decisions and that introduces an extra degree of uncertainty.” Those are the silent readers. The second, 'the skin of the bear', indicates, among other things, that your approach must also work in other circumstances. This refers to the external publication. And finally there is 'the junk': “the inability or unwillingness to stop syndrome”. That's me. And maybe I also have to deal with 'the empty place at the table', because I barely have a clue of my external audience. Moreover, that audience probably consists mainly of colleagues, while my actual target group is 'ordinary people'. Help me move forward, dear reader, by giving me feedback and by drawing the attention of people around you to the Security (b)log. Thank you in advance!

No Security (b)log will appear for the next two weeks.

 

And in the big bad world...

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

 

2024-04-19

Crime

 

Image from Pixabay

Last week, as you could read in the previous Security (b)log, I stood in front of a group of girls from high school. This week I was invited by the next generation: the Tax and Customs Administration’s Young IT Auditors, whose annual YIA day was themed cybersecurity. The “young” turned out not to refer so much to the age of the participants, but to how long they have been in the auditor profession. And let me put it this way: this audience was still familiar with Facebook. Fortunately, I had not tailored my presentation to an overly young audience (-;

In this Utrecht conference room I talked about current developments, among other things. Lately I have been reading more and more worrying stories from the US about sickening criminal activities. Like this story. A woman receives a call from her son, who tells her that he has had a traffic accident and that he will hand over the phone to a police officer, who will tell her more. The officer tells her that her son caused the accident, which injured a pregnant woman, and that he has been taken into custody. He announces that a lawyer will call her to discuss further proceedings.

A little later the lawyer calls. The son is in deep trouble, but it is possible to get him released on bail. If the mother gives $15,000 in cash to a courier arranged by the lawyer, her boy will not have to spend the night in jail. And she shouldn't tell the bank what the money is for, because then they would ask questions. No sooner said than done.

In reality, that mother did not receive a call from her son at all. It was a deepfake, in which artificial intelligence was used to create a new text with the same voice based on an existing sound recording (thanks to social media). So the mother did hear her son's voice, but he had never spoken those words himself. It was necessary to quickly hand over the phone to the officer to prevent a conversation between mother and son. And that lawyer, who called a little later, was of course not a lawyer at all, but just as much of a criminal as the fake cop.

In the above story we see a number of elements from the theories of Robert Cialdini and Ian Mann*. Cialdini says people obey authorities. Now I wonder to what extent this is true in the Netherlands, but in many countries people will indeed quickly believe that they are really dealing with an authority figure, even if it is only on the telephone. It’s just a matter of striking the right tone. Mann tells us that people are gullible. That can work both ways. On the one hand you would like to receive the reward that an African prince promises you if you help him free up a particularly well-filled bank account; on the other hand you naturally become stressed if your child seems to be in trouble, and you eagerly believe what all kinds of people tell you. Moreover, Mann says, being consciously incompetent also makes you docile: if you know that you have no knowledge of certain matters (such as an arrest), you will easily follow someone who at least radiates that he is an expert in that area.

In another story, someone received a call from the FBI saying she had been a victim of identity theft. Because fraud had been committed under her name, her bank assets would be frozen. To ensure that she could move on for a while, the helpful officer offered to put a large part of her savings in a safe bank account that would remain outside the confiscation. That money also had to be delivered in cash and you guessed it right: the money disappeared. And there was no case of identity theft whatsoever.

IT played no role at all in this case, but the criminal did act as if that was the source of the misery, because that is how identity theft works. The following case also had no IT background, but it could easily have had one: an 81-year-old American was extorted, and when the Uber ordered by the criminal drove up to pick up “a package” (with the money), he shot the driver dead, under the assumption that she was part of the plot.

If you ever find yourself in such an unreal situation, try not to act on your emotions. Ignore instructions not to involve anyone, but ask someone you trust for help. Be alert if it suddenly becomes about money; try calling your son first to check whether he really has had an accident. Some may find it a bit scary, but in our family we can, by mutual consent, see where everyone is in an app. That would be of great help in such a scary situation.

* Robert Cialdini, Influence: The Psychology of Persuasion, 1984; Ian Mann, Hacking the Human: Social Engineering Techniques and Security Countermeasures, 2008

 

And in the big bad world...

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

 

2024-04-12

Girls Day

 

Image from Pixabay

It was one of those rainy Thursday mornings where you have to provide the bright spots yourself. Well, I got a chance to do just that, because I was on my way to give a special presentation. Our HR people held the annual Girls Day, for 14 and 15 year old girls from the high school next door. I was the first male (and perhaps the oldest) speaker in the history of Girls Day. One thing was clear: I shouldn't come here with a story about how we do security. My story had to be about those girls.

I wanted to show the students something about their digital footprint. And so a few weeks ago I requested the list of participants and googled the names. You should have seen their faces when I told them! Wide-eyed, exchanging anxious looks with their friends. I told them that I was not going to mention any names and that I would not put anything recognizable on the screen. That reassured them somewhat. But I did have their full attention.

My search initially yielded a fairly innocent harvest: there were quite a few sporty girls, ranging from gymnasts to horse riders (including the horses’ names). More than half of the girls didn’t show up on Google at all. However, one particular girl revealed more. She had - probably unintentionally - made her presentations for the triangular meetings public (triangular meetings are the modern form of the parents' evening, where the tutor, the parents and the student get together and the student explains how things are going). I now know that this student sometimes lacks motivation (well, who doesn't), has attended different primary schools (someone at the back of the room breathed a sigh of relief: this isn't me!), likes teacher X but has trouble with their subject and enjoys the school parties. And a few more things that I left out because they are too personal.

This student probably didn't want to give the usual PowerPoint presentation, but something flashier. Instead she used Prezi, which allows you to create a very dynamic story. However, all your presentations are public if you use the free version. Oops. And oh yes, I was able to make the match between teacher X and the difficult subject because there is a list of all teachers on the school's website.

Instagram let me demonstrate that other people also (often unintentionally) reveal information about you. I looked up the names there too. For one name, there were three accounts. Which account belonged to the student on my list? The second account had a follower that was also on my list of names. Bingo! Then I took a closer look at the followers of that account. There was a company name in there, which also contained the girl's surname (fictional example: Balloon King Johnson). It’s a safe bet that this is the student's father or mother. The bio of that company account also included the street and city name. But no house number. It was the kind of business you could imagine being based at home. If I could find that company, I would know where this girl lived.

With Google Streetview you can virtually walk through a street. And look at the houses. When I walked through that street mentioned in the account for the second time and took a good look around me, I found what I was looking for: at one house, I saw something that was a clear reference to the company (in the fictional example there would have been a balloon arch at the front door). I told my audience: “If the letters in your zip code are AL, then this is about you.” You could have heard a pin drop.

So what, you might think. But remember: I'm one of the good guys. There’s plenty of scum around who would love to know where a girl like that lives. With my little finger exercise I demonstrated that the solution often consists of several puzzle pieces, which you can find in different places. I also told my audience that I am only an amateur in this field, and with this video I showed how others, who approach this with a bit of professionalism, can find out much more about you.

Of course I threw away the list of names. What remains is the memory of a special morning in which I hopefully made a number of young people think.

 

And in the big bad world...

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

2024-04-05

Showing the flag

 

Photograph by author

Do you know National Geographic's Science of Stupid program? That's a kind of Funniest Home Videos, but with a scientific explanation of why someone hit the ground in such a painful way. It’s an educational/entertaining program, so to speak.

I thought of that program when I saw the scene shown above yesterday. A local hotel, where our team had retreated to discuss the way forward, has erected a flagpole atop a gabled roof. It’s cool to have a flag at the highest point of your building, but did they also think about the hoisting and lowering of the flag? Or did they only think of that afterwards? And then they bought a ladder, which turned out to be too short?

The top ladder appears to hang from one hook, which extends through the roof. That hook is slightly above the middle of the ladder, which could make it a nice pivot point when someone is at the top. But luckily the ladder at the top is still tied with a rope. Or no, it isn’t: that is the rope of the flag. Because that ladder is too short, they bought another one and, as it were, pushed it into the other one. Beautiful: when one moves, the other moves with it. The bottom ladder also hangs on a hook, and - if that is the only attachment point, which I don't know - then this ladder can also tip over when there’s someone at the top. All in all, I would not like to be responsible for this flag. By the way, I doubt whether it is hoisted with military precision every day at sunrise and lowered again at sunset.

Are there any Science of Stupid-worthy events in our profession? Of course there are. It is not always cyber criminals that cause us problems. We can do that to ourselves, too. How many times have we heard about data breaches caused by organizations not having their cloud configuration in order, allowing everyone to access the data? And you may occasionally have sent an email, realizing two seconds later that the wrong name was in the to field. We all make mistakes from time to time, and depending on the nature of the mistake, it impacts our security, the privacy of our data or even business continuity.

There are all kinds of measures to prevent such errors. For example, changes are not immediately implemented in the production environment, but first in the test environment. There you can observe whether that change does exactly what it is supposed to do – no more and no less. Automated deployment then ensures that the change is sent to production exactly as it is, and is not messed up due to a human error (checkbox placed incorrectly, typo made). You can also leverage the four-eye principle and have someone watch what you’re doing. We even do that when we write notes, but then it's called a review. If I write down something that touches on technology, I like to have some technical people check whether I have written any nonsense. Just because I can come up with something doesn't mean it's feasible. I don't want to live in an ivory tower.

In that TV show you see people who have built a jumping ramp themselves and then rush towards it with their bicycles, only to find that the landing is less graceful than they expected. The voice-over, in a slightly mocking tone, provides a discussion about centers of gravity, Newton's laws and why this operation was doomed from the beginning. The message is invariably: first study the laws of nature you are dealing with and adjust your design and movement accordingly. By the way, the result depends on your skills; not everyone, once in the air, is able to obediently keep their center of gravity directly above the bicycle.

Translated into my profession, I would say: first look at rules and regulations, and take them into account during design and construction (security/continuity/privacy by design). If the system needs maintenance, check what you have to take into account and act accordingly. That may take some practice, just like a bicycle stunt. But luckily we have test environments – unlike all those unfortunate stunters.

 

And in the big bad world...

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English. Actually, this week there aren’t any Dutch articles, but there’s one in German.

2024-03-29

Symptom relief

 

Image from Pixabay

It's the perfect time of year to catch a cold. During the corona period we skipped this annual ritual, because having little contact with other people and hardly going anywhere, there was little chance of encountering a cold virus. But this year it’s business as usual for my family.

No matter how harmless a cold is for otherwise healthy people, we all know that it can make you quite miserable. One stumbles to the medicine cabinet to find relief. Nasal spray, cough syrup, paracetamol – all are standing by to relieve your complaints. Plus some home remedies, such as steaming, drinking tea with honey or licking popsicles.

What is so unfortunate about all these remedies is that they only treat the symptoms of the disease. The nasal spray allows you to breathe more freely for a while, the ice cream numbs your throat a little and the paracetamol helps against pain and fever. On the website of the united Dutch physicians, paracetamol is ignored completely on the page about colds ("Medication is not necessary for a cold"). Completely unnecessary side note: I’m not giving medical advice in this blog post.

Why is there no medicine or vaccine against a disease that is so common and causes a lot of discomfort? Seems like a gold mine for the pharmaceutical industry to me. But it turns out that there are so many viruses that can give you a cold that it’s simply a hopeless task. Moreover, those viruses mutate quickly; a vaccine developed today will be worthless tomorrow. By the way, research is still being done, especially because people with asthma can become very ill from a cold.

Of course, symptom relief also takes place outside the medical domain. For example in my own profession. To stay close to the common cold: how about a virus scanner? This relieves the complaints we have from viruses. Not like a nasal spray for a cold, but preventative: you either become infected or you don't. The relief lies in the number of infections you have to deal with. But it doesn’t contest the phenomenon of computer viruses as such. That is precisely why it is important to equip as many ICT resources as possible with those digital face masks.

The step from symptom relief to the placebo effect is not that big. If I have a sore throat and therefore eat a popsicle, I almost feel obliged to feel less pain for a while, while my mind really doubts the effect. That's harmless, but it gets bad when I think that a popsicle is also the right treatment for, for example, severe, persistent stomach pain. For some ailments you simply have to go to the doctor.

There are plenty of placebos in information security. For example, the security of a system does not really improve by carrying out a risk analysis. Only if you act upon the results of that analysis by taking measures will risks be reduced. Another form of risk treatment is risk acceptance, but it is clear that this won’t benefit the security of the system - no matter how legitimate acceptance may be in a certain case.

Compliance with regulations is another one. Quite a few organizations do all kinds of things because they have to. Meanwhile, no computer has ever become more secure because someone has written a mandatory document. Only when the content of that document comes to life can we make progress. Unfortunately, it often stops at the signing of a document – but the auditor will be proud of us! (I’m probably – hopefully! – wronging a friendly professional group with this comment.) Yes, I also do all kinds of mandatory stuff, but it’s always based on my drive to optimize security. The fact that I also get a green tick on a checklist somewhere is a bonus, but it should never be the goal.

To catch a cold, you need a virus. You won't catch a cold from sitting in a draft or going outside with wet hair. Likewise, nothing goes wrong with a computer due to potential risks. Problems only arise when a risk actually manifests itself. But just as I keep a little more distance from a sniffling family member, a list of risks relevant to your systems helps you avoid them.

 

And in the big bad world...

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

2024-03-22

Apple pie & solar power

 

Image from Pixabay

You’re going to bake an apple pie. The ingredients are lined up in battle order on the counter, eager with impatience. The mixer is shining in pride of place, ready to mix everything together nicely. You pour the first ingredients into the mixing bowl and set the switch to position one, for starters. Nothing happens. Oh, stupid, you realize with relief, of course you have to plug it in first. But still nothing happens. It slowly dawns on you: the pie is being delayed. Your once faithful mixer no longer works.

Since the invention of the light bulb, we know that electrical appliances break down over time. A few decades ago you could still assume that expensive appliances, such as a TV or washing machine, would last about ten years. If there was something wrong with them in the meantime, you had it repaired. Nowadays we often don't make it to ten years, and repairing has also gone out of fashion. But hey, things do break.

With us it was not the food processor, but a solar panel. Unlike with a food processor, this is not so easy to find out. Yes, we regularly check the solar power harvest of that day in the app, but then we see the total yield of all panels. In our colorful weather it is normal for these values to differ from day to day; so you can't tell that one panel doesn't contribute. Fortunately, there is another screen that shows the daily yield per panel. If there is a zero there, you know there’s a problem. But we didn't look at that screen that often. A reconstruction showed that the panel had been out of service for about two weeks. So I quickly called the installer. He concluded that the electronics box of that panel needed to be replaced. The technicians have been on the roof and we are fully operational again. Just turn up the sun.

We discovered this defect by chance. I talked about this with the technicians, who said that our supplier is also monitoring. But because we do not have a maintenance contract, there is no permanent monitoring. In other words: the data indicating that something is wrong is there, but no one is looking at it.

It works the same way in IT. Tons of data is logged, but not all of it is analyzed. You can think of all kinds of things when it comes to logging: a user logs in to his laptop, a printer runs dry, someone reads sensitive data, and much more. But yes, if no one is watching, error situations can survive for quite a long time. Fortunately, it is not all manual work. Smart software receives instructions as to which notifications are really important and brings them to the attention of specialized teams. The software acts as a sieve, meaning that only a fraction of all events need to be further investigated by employees.

There is also log data that is never looked at, unless there is reason to do so. Someone may have done something that is contrary to the rules. Most organizations couldn’t care less about an employee logging in to their laptop. Unless a manager has signals that the employee is going off the rails. Then he might want to know at what times the employee will start work. Things become more intense if someone is suspected of passing on internal data to criminals. In such a case, investigative authorities want to know, for example, who looked up a certain license plate and the associated details of the vehicle owner. That kind of information is not always available at the push of a button, sometimes it requires a lot of digging. Unfortunately, sometimes that is necessary, because in an organization as large as ours, statistically speaking, you are entitled to a certain percentage of black sheep. That is why I would like to see the logging of data required for this type of forensic investigation expanded - so that you can answer certain questions at the push of a button. You only know to a certain extent in advance what data you will need in an investigation. The fact is that events that you do not log now will not be available for analysis later. Another fact is that logging costs money. A good assessment is therefore necessary.
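
The sieve described above, as an added Go example that is not the author's code or the installer's software: it runs over constructed per-panel daily-yield readings (panel names, dates, values and the three-day threshold are all made up) and raises exactly the alert that nobody was looking for in the story, ignoring dark days on which no panel produced anything.

```go
package main

import (
	"fmt"
	"sort"
)

// Reading is one value from the per-panel daily-yield screen (constructed sample
// data, not the installer's real export format).
type Reading struct {
	Day   string // ISO date
	Panel string
	Wh    int // watt-hours harvested that day
}

// Alert is the small fraction of the data that the sieve hands to a human.
type Alert struct {
	Panel    string
	ZeroDays int    // consecutive productive days on which this panel reported zero
	Since    string // first day of that streak
}

// SilentPanels reads every per-panel value, skips dark days on which no panel
// produced anything, and reports a panel only when it has stayed at zero for at
// least minDays consecutive days on which its siblings did produce.
func SilentPanels(readings []Reading, minDays int) []Alert {
	var days []string
	byDay := map[string]map[string]int{}
	for _, r := range readings {
		if _, seen := byDay[r.Day]; !seen {
			days = append(days, r.Day)
			byDay[r.Day] = map[string]int{}
		}
		byDay[r.Day][r.Panel] = r.Wh
	}
	sort.Strings(days) // the export may list days in any order

	streak := map[string]int{}
	since := map[string]string{}
	for _, day := range days {
		total := 0
		for _, wh := range byDay[day] {
			total += wh
		}
		if total == 0 {
			continue // a dark day says nothing about an individual panel
		}
		for panel, wh := range byDay[day] {
			if wh > 0 {
				streak[panel] = 0
				continue
			}
			if streak[panel] == 0 {
				since[panel] = day
			}
			streak[panel]++
		}
	}

	var alerts []Alert
	for panel, n := range streak {
		if n >= minDays {
			alerts = append(alerts, Alert{Panel: panel, ZeroDays: n, Since: since[panel]})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Panel < alerts[j].Panel })
	return alerts
}

// SampleReadings is five constructed days for three panels: day 3 is dark for
// everyone, and panel P3 goes silent from day 2 onwards.
func SampleReadings() []Reading {
	return []Reading{
		{"2024-03-01", "P1", 1200}, {"2024-03-01", "P2", 1150}, {"2024-03-01", "P3", 1180},
		{"2024-03-02", "P1", 900}, {"2024-03-02", "P2", 880}, {"2024-03-02", "P3", 0},
		{"2024-03-03", "P1", 0}, {"2024-03-03", "P2", 0}, {"2024-03-03", "P3", 0},
		{"2024-03-04", "P1", 1300}, {"2024-03-04", "P2", 1290}, {"2024-03-04", "P3", 0},
		{"2024-03-05", "P1", 700}, {"2024-03-05", "P2", 690}, {"2024-03-05", "P3", 0},
	}
}

func main() {
	for _, a := range SilentPanels(SampleReadings(), 3) {
		fmt.Printf("panel %s has reported zero for %d productive days since %s\n", a.Panel, a.ZeroDays, a.Since)
	}
}
```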

We have had a second set of solar panels for a few months now. Recently I had to be on the flat roof where they are located, and on that occasion I cleaned them. In doing so, I discovered that each of those panels showed several white spots. Not on the material, but in it. A few photos and an email later, the installer informed me that this problem was known to the manufacturer and that the panels would be replaced under warranty. Some things you really have to keep an eye on yourself.

 

And in the big bad world...

 

2024-03-15

Passkeys to replace passwords

 

Image from Pixabay

As early as the time of Asterix and Obelix, passwords have been around, and they have been used in computers since time immemorial (Wikipedia mentions 1961 as the year in which they were used in a system at MIT). And now, some two thousand years after our Gallic friends, we are tired of them. There are too many of them, they are inconvenient and they are unsafe – even long, complex passwords are unsafe if someone phishes them. But there is hope: the passkey is coming!

Passkeys are not yet widely available, but the word is popping up more and more and that is enough reason to take a closer look. Passkeys are fundamentally different from passwords, with the biggest advantage being that they are many times more secure. And they are easy to handle. Who would not want that?

To explain the difference, I'll start with the ancient password. Its operation is based on what is called a shared secret: both you and the site/app/application/computer know the password. About the only difference with the way the ancient Romans worked is that computer passwords are not stored on a server as they are, but in the form of a hash value (a mathematically calculated 'distortion' of the original). On the other hand, the others must be able to check whether the combination of username and password entered matches with their data on file, so the credentials of all users are stored in a large file. That's gold for hackers if it isn’t protected. And that is why hashing is so important. Hashing is irreversible; the password 'badexample' becomes ‘833f25dab798cb9b3ff1952ccb461751’ and there is no way back: you cannot recover the original password from the hash value. When you enter your password, it is hashed again and if the result matches the stored hash value, you are allowed to enter. Just like anyone else who knows your password. Moreover, a patient hacker who stole a password file can try passwords all day long and if the calculated hash value eventually matches the value in the file, he knows your password.

Enter the passkey. It doesn’t involve a shared secret, but serious cryptography. The ancient Romans already did that. At that time it was mainly a matter of using different symbols, or shifting (a becomes d, b becomes e and so on). This involves a key: when using other characters you use a kind of legend, when shifting it’s a number (in the example the key is +3). Modern cryptography is much more complex, especially the kind used for passkeys: asymmetric cryptography. Characteristic of this is that it doesn’t use a single key (which must be shared between the parties involved, just like a password), but two keys. Those keys have a mathematical relationship. One is called the public key, the other is the secret key. The gist of the story is that the secret key remains on your device and the public key goes to the other party. If you do something with your secret key on your device, the other side can check whether it was you, using the corresponding public key. That public key does not need to be secured, as its name suggests.

Suppose you want to log in on your laptop to a site that works with passkeys. That passkey can be on your smartphone, for example. Your laptop and your phone know via Bluetooth that they are in close proximity and therefore, that no one is trying to log in remotely. You unlock the requested passkey on your phone with your fingerprint, facial scan or a code. And hey, you're logged in to that site.

Because the passkey does not leave the device, you as a user cannot leak credentials - so you are not susceptible to phishing. In my opinion, that is the big advantage of passkeys: an attacker simply cannot get in between. You can synchronize your passkeys with different devices and have them at hand on your laptop, tablet and smartphone. This synchronization is encrypted (end-to-end, so no one can break into it).
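
To make the two mechanisms concrete, here is an added Go example (not from the post, nor any vendor's implementation) that models both: a server that keeps only password hashes, and a simplified passkey exchange in which the device signs the server's random challenge with a secret key that never leaves it. The user name, the origin strings and the choice of unsalted SHA-256 are assumptions for the illustration; real WebAuthn signs richer data, but the shape is the same.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
)

// ---- Password login: a shared secret, stored as a hash ----
// Assumption: unsalted SHA-256, to mirror the post's story. Real systems add a
// salt and a slow hash, which slows GuessFromStolenHash down but does not remove it.

// PasswordServer holds the "large file": one hash per user, never the password.
type PasswordServer struct{ hashes map[string][32]byte }

func NewPasswordServer() *PasswordServer {
	return &PasswordServer{hashes: map[string][32]byte{}}
}

func (s *PasswordServer) Register(user, password string) {
	s.hashes[user] = sha256.Sum256([]byte(password))
}

// Login hashes what was typed and compares; anyone who knows the password gets in.
func (s *PasswordServer) Login(user, password string) bool {
	stored, ok := s.hashes[user]
	typed := sha256.Sum256([]byte(password))
	return ok && subtle.ConstantTimeCompare(stored[:], typed[:]) == 1
}

// GuessFromStolenHash is the post's "patient hacker": with the hash file in hand,
// each candidate costs one hash computation and no contact with the server.
func GuessFromStolenHash(stolen [32]byte, candidates []string) (string, bool) {
	for _, c := range candidates {
		if sha256.Sum256([]byte(c)) == stolen {
			return c, true
		}
	}
	return "", false
}

// ---- Passkey login: a key pair, the secret half never leaves the device ----
// Simplified WebAuthn: the device signs the server's random challenge together with
// the origin the browser really talks to, so a look-alike site's signature is useless.

// Device is the phone or password manager that keeps the secret key.
type Device struct{ priv ed25519.PrivateKey }

func NewDevice() (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

// PublicKey is the only thing the device ever hands out, at registration.
func (d *Device) PublicKey() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }

// Sign answers a challenge for the given origin, after the user has unlocked the
// passkey with fingerprint, face or code (not modelled here).
func (d *Device) Sign(origin string, challenge []byte) []byte {
	return ed25519.Sign(d.priv, signedMessage(origin, challenge))
}

func signedMessage(origin string, challenge []byte) []byte {
	return append([]byte(origin+"|"), challenge...)
}

// PasskeyServer stores only public keys: a stolen copy of this table lets nobody
// log in, which is the whole difference from the hash file above.
type PasskeyServer struct {
	origin string
	pubs   map[string]ed25519.PublicKey
}

func NewPasskeyServer(origin string) *PasskeyServer {
	return &PasskeyServer{origin: origin, pubs: map[string]ed25519.PublicKey{}}
}

func (s *PasskeyServer) Register(user string, pub ed25519.PublicKey) { s.pubs[user] = pub }

// Challenge issues fresh random bytes per login attempt, so old signatures cannot be replayed.
func (s *PasskeyServer) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify accepts only a signature over this server's own origin and the challenge
// it issued, made with the key registered for the user.
func (s *PasskeyServer) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.pubs[user]
	return ok && ed25519.Verify(pub, signedMessage(s.origin, challenge), sig)
}
```

Registering a device with one server and then asking it to sign for a second, look-alike origin shows the phishing resistance the post describes: the genuine server rejects that signature, and a signature for an old challenge is rejected too.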

Passkeys are currently supported by major tech companies (Google, Apple, Microsoft). But some password managers, such as Bitwarden, can also handle them.

Are you curious yet? Log in to your Google account (create one if necessary), go to Settings > Security > Access keys and Security keys and create your access key here. A Bitwarden plugin runs in the browser on my PC, and it asked if I wanted to store the passkey there. From now on, when I want to log in to Google on my PC, the password manager asks whether I want to use the passkey. So it actually works the same as before, but without any secrets involved. Let's hope that passkeys become popular and we’ll familiarize ourselves with them and will soon - for the next two millennia or so - not know any better.

 

And in the big bad world...

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.
