2025-01-17

The invisible king

Image from Pixabay


His Majesty the King has been pleased to honor us with a visit. Although I myself had a meeting at the office yesterday, I didn’t see him. The traces of the royal visit were visible though: I was awaited by many security guards in the morning and in the afternoon there were almost no seats in the canteen because most chairs were still arranged in theater style. But most importantly, the theme of the visit was indeed digital security.

The king followed more or less the same program that all dignitaries are presented with: the printing line, the data center and the Security Operations Center (SOC). Because, well, those are the only tangible things we can show - the rest consists of knowledge and offices. I wasn’t there myself, but luckily some TV crews were present, so we can watch some footage of the visit.

Our printing line is quite impressive (the enthusiastic team manager has also shown me around once). Large rolls of blank paper are printed with all kinds of documents. At the back of the meter-long machine, they come out of the printer as individual letters, to then be pushed into blue envelopes at dizzying speed in the envelope inserter. Mainly because of that speed, it is important that the equipment monitors the smooth running of things. The letters are weighed – not to determine how many stamps should be on them, but to check whether there is accidentally one sheet too many or too few in an envelope somewhere. Each letter has an optically readable code, so the letter itself knows how many sheets of paper long it is.

The data center is another place that you as a normal mortal cannot enter. You only enter if you have business there. The king was on a working visit and was therefore allowed in (at least, that is what I assume – I have not seen any images of it). Hopefully they kept royal earplugs available, because if they really did enter the corridors where hundreds of servers are blowing, then those certainly came in handy. It is well outside my area of expertise, but this form of safety is also important. And for the rest, as I said, it is mainly a matter of keeping out everyone who has no business being there. We have various physical security measures for that.

On the other hand, there are the logical security measures, which ensure that employees can only do the things they are authorized to do, that potential intruders are kept out and that attackers who want to make our lives miserable are disappointed. But these measures are not visible, so why did the king visit the SOC anyway? Well, the SOC is not a normal space. The workstations are arranged in battle order, each with no fewer than four screens. A large video wall draws everybody’s attention and SOC employees notice immediately if a value goes into the red somewhere. There really is something to see at the SOC, even if you hardly understand what you are seeing.

When the king goes somewhere, he is surrounded by visible and invisible security measures. We also have to deal with this in information security. The security of the print line and the data center consists of visible components, just like the SOC room. But in addition to that, we have many more things, and especially people, who ensure that not only our information security, but also our continuity and privacy are guaranteed. There is little to see in such a system, even for a layman of royal blood, and those many colleagues who deal with these matters on a daily basis – well, they are also just ordinary people, hardly worth looking at. And that is why the king did not join our team for tea.

Therefore, here is a generous shout-out to all those colleagues who, when managing their system or creating their application, are not only concerned with the actual functionality, but also take into account all the security requirements that are set (I know how difficult that can be). And also to all colleagues who realize in their daily work that adequate security is a matter for all of us. And, last but not least, to the colleagues in my own team, who do their best every day to make the rest of the organization color within the lines. All that work is invisible, no king comes to look at it. But that doesn’t make it any less important.

 

And in the big bad world…

2025-01-10

Enlightened minds

Picture by author

Did you know that no less than 78% of people between the ages of 18 and 65 use a password manager? And that even more than eighty percent of youngsters use one? The vast majority of people are sensible and use a different, strong password for all their accounts, and they allow themselves the convenience of automatic login. Are you already participating?

I made up the above figures. “Ooooh, shame on you!”, I hear you think. Let me explain how I arrived at that. I feel cheated myself. By an article that appeared in the newspaper the day before yesterday under the headline: ‘The cyclist without lights is now noticeable – Good lighting is the norm thanks to clip-on lights and e-bikes’. A traffic psychologist (I didn’t know this profession existed) explains in the article that people are trend-sensitive herd animals; if it is obvious in your ‘subculture’ to turn on the lights, then you will do so too. According to the psychologist, the general view used to be: frumpy old people have bicycle lights and young people don’t (I prefer to make the distinction between smart and stupid). Moreover, it is becoming increasingly easier to have lights on thanks to cheap, rechargeable lights and the e-bike. Not having lights on would then be a conscious choice.

I disagree with that article on so many points that I hardly know where to begin. Well, to start anyway: where on earth did they investigate this? Certainly not in my city, where I often encounter unlit cyclists who are also wearing dark clothing. When I encounter such a person, I sometimes shout: “Light on!” A boy recently snapped back: “The light is broken, man!” There is also a lot of junk among those loose lights. Some of them barely give more light than a candle – I call them ‘shame lights’, because their only purpose is to be able to triumphantly say: “Look officer, my bike does have lights!” Those people simply don’t understand that good lighting is crucial for their own safety.

The newspaper article got me thinking. How is it possible that I read something in the newspaper that does not match my own experience at all? Okay, I am willing to believe that things are less bad than they used to be, but all this cheering about how great things are these days goes way too far for me. The article itself seems to answer my question: if psychology dictates that we do things to avoid being left out, then you can also use that mechanism to influence people. If you write in the newspaper that most people obediently cycle with lights, then you can use that to encourage unlit citizens to turn the corner, because who wants to be left out?

And that's how I arrived at my fake figures about password managers. With the final remark "Are you already participating?" I even pushed you a little more. Because it's pretty important that everyone starts using those tools. It used to be easy: you had one password and no one else was interested in it. Nowadays you have dozens of accounts and there's a cybercriminal on every digital street corner. That's a dangerous combination, and there's another important factor: not all sites and companies where you have an account protect your data equally well. Sometimes user data is stolen during a hack and the criminals manage to crack the passwords. If you use the same password for multiple accounts, they're all at risk. By the way, do you know what your most important account is? No, not your bank. Your email. Because someone who has access to your email can click on "Forgot password" anywhere and, using the emails that result, set a new password. That locks you out and the criminal can do all sorts of things under your name.

An equally important measure is two-factor authentication (2FA), which ensures that you can only log in after you have performed an additional action via another device (for example, entering a code or swiping your finger). This prevents someone who has a password for you from logging in to that account. So turn it on wherever possible. Did you know that more than seventy percent…

You may find it patronizing to shout “Lights on!”. However, I do this out of pity for the motorist who will sooner or later knock an unlit cyclist off their socks. And when I say to you: “Password manager and 2FA on!”, it’s also with the best intentions. And one more thing: watch out for fake messages.

 

And in the big bad world…

 

2024-12-20

Under the hood

Image by author

As tradition dictates, we built a Christmas village in our living room this year. It took four days and about five square meters (54 sq ft) of space; it required a structured approach and a good deal of physical flexibility. But the result is worth it, we think. From the beginning of December until mid-January we enjoy the warm appearance of this winter scene.

I look at it with completely different eyes than visitors. Because I know what lies beneath the surface. How all those lights get their power, how the rock formations were made, how meters of tape and numerous staples were incorporated. I know how the differences in height were created and I know all the parts of the railway tunnel, which I built myself – just like the ski slope. I laid out the street and know which cables lie under the asphalt. I also see straight through the snow and know exactly what it hides. And I know what is not quite right in this scene.

The age-old metaphor of the iceberg presents itself. What you see towering majestically above the water is only a fraction of the total lump of frozen water. Now, the proportions of our Christmas village are not so dramatic, but even here you should not underestimate what is hidden beneath the surface.

The internet is also like that. Above the surface there’s the internet where you and I do our daily things and where the Googles of this world rule. Below the surface, invisible to most of us, is the realm of the dark web. No Google here, but criminals who call the shots. You can go there for all kinds of services and products, from DDoS attacks to drugs. I have never been there, but I have seen enough presentations by law enforcement agencies from home and abroad to know what it is like there. It is actually not very different from the regular internet - except that you buy completely different things there and that it is not so easy to get there. Of course you can ask at the top of the iceberg how to get to the bottom, and when you find a site with serious explanations, you soon realize that your computer needs protective clothing before you descend to the dark bottom. And the URLs you visit there don't look like, for example, bbc.com, but look like this: zqktlwiuavvvqqtxxxvgvi7tyo4hjl5xgfuvxxx6otjiycgwqbym2qad.onion. As an honest citizen you have no business being there, but you can be saddled with a lot of trouble. Because as I said, these are the caverns of the internet that are populated by scum from the deep end. And by wandering around there, you could easily attract their attention.

Information security professionals, in many ways the opposites of those sneaky criminals, also like to keep a few secrets from time to time. We even have a slick term for it: security by obscurity. This is considered a reviled method of operation, because in the strict sense it means that your security is based on secrecy and the hope that your little secret does not leak. Hiding your house key under the doormat is an example of this - one that also makes it clear that it is not very likely that no one will ever discover your secret.

I don't want to see it that black and white. Let me put it this way: security by obscurity is never enough as a single security measure, but it does help. For example: we prefer not to broadcast to the world which systems we have running, and which version. Because malicious people can use that information. It is a piece of the puzzle, and if they can gather enough pieces, they will see the whole picture. By hiding puzzle pieces, we prevent that. But because you can never trust that they won't find those pieces anyway, we must of course secure all those systems regardless, and in doing so assume that intruders are much further in than we hope. That is the assume breach principle: assume that you have already been hacked, and adjust your security accordingly. If your house key is indeed under the doormat, then you would do well to install an alarm system, to make sure that someone who has discovered your secret is still confronted with an additional barrier.

In the meantime I try to enjoy our Christmas village as if I have no knowledge of its construction. I call that delight by ignorance.

The Security (b)log will return after the Christmas holidays.

 

And in the big bad world…

 

2024-12-13

Going to cyberwar in work pants

Image from Pixabay

Doing odd jobs is not really my hobby, but sometimes it has to be done, right? And when I do get to work, I wear trousers that I was given 36 years ago as a conscript. Indestructible, that stuff. And the fact that I still fit into them perhaps says something about me too…

Do you know what my work pants have in common with the internet? There are two points of similarity: first, the internet is also of military origin, and second, it is designed to be at least as indestructible as these combat pants.

The internet started in 1969 (!) under the name ARPANET as a project of the American Department of Defense. There was a need for a robust network that would not be dependent on a central system. This desire resulted in a distributed system, so that a bomb on one server (it was the middle of the Cold War at the time) would not bring down the whole thing. They have succeeded quite well: I cannot remember the internet as a whole ever going down. Incidentally, that did happen locally in 2019 on the Tonga Islands, after a break in the fiber optic cable to New Zealand, says Wikipedia. But that is an example of how it should not be done: the idea behind robustness is that, when a connection fails, the data will find another route to its destination. If you are an island and are connected to the rest of the world via a single cable, then you have a single point of failure in your system - and that is at odds with the philosophy behind the internet.

Although the Netherlands is not an island, our internet is not as invulnerable as you would like. Almost all of our international traffic runs via one node, the Amsterdam Internet Exchange (AMS-IX). If that goes down, there are still other connections to the outside world, but they could become overloaded. Fortunately, AMS-IX is spread over multiple locations, so the chance that the node will fail completely is not that great. In the Netherlands, an awful lot happens on the internet: office workers can work from home, we shop like crazy and we are in contact with the rest of the world via social media. You don't want to think about this being disrupted for more than ten minutes, do you?

The NATO Secretary General informed us this week that we must mentally prepare ourselves for war. I don't know how that came across to you, but Mark Rutte's statement hit me hard. War is something from the era of my parents and, in our time, is taking place elsewhere in the world. Admittedly, Ukraine is less than fifteen hundred kilometres from my house, but it can't get any closer, can it? Then I recall the book There's a War Going On But No One Can See It by Huib Modderkolk. A digital war probably wasn’t on top of Rutte’s mind, but in fact it has been raging for years. The intelligence services often mention the illustrious quartet of Russia, China, Iran and North Korea when it comes to state actors who attack us. Their goals are espionage, money, disruption, sabotage and influence. Rutte advocates tanks and fighter jets, but hopefully someone will whisper in his ear that digital defence must be a top priority. In the past, you had won a war if you controlled the airspace. Today, control over cyberspace is at least as important. A secure digital infrastructure is much less tangible than Leopards and F-35s – I have yet to see the first camouflaged router. Hopefully this invisibility does not lead to a lack of attention.

The label on my work pants bears the name H. van Puijenbroek. This turns out to be a textile manufacturer that has been a regular supplier to our armed forces since 1925. It also turns out that the trousers are being offered for sale for €49 ($51), as a “rare find”. And if only I hadn’t given away the matching jackets: they are being offered for almost two hundred euros ($210). I would have sold them now and put the money in my war chest. Because due to the geopolitical threats, banks and ministers advise us to have some cash at home*. Because if “they” paralyze things here and we can no longer use our debit card, we still want to eat. Fortunately, most supermarkets still accept physical money as a means of exchange.

*: For some international context: people in the Netherlands heavily rely on their debit cards. Cash is not that common anymore.

 

And in the big bad world…

 

2024-11-22

Look at me

Image from Pixabay

How do you unlock your mobile, tablet or laptop? With a password, a PIN code, your fingerprint or maybe even with your face? There are many possibilities, so sooner or later the question whether facial recognition is safe had to pop up. A few years ago my answer was: I wouldn't use it on business devices; privately I don't think it would be a problem - at least, if you have a somewhat normal life. But is that statement true? It’s time for some research, so that you don't have to dive into it yourself.

Facial recognition is a form of biometric identification, which compares unique features of your body to a stored pattern. Other forms of biometrics include fingerprint and palm scans, iris scans and voice recognition. These technologies work differently than the good old fingerprints you know from the police, where inked fingers are used to make a print on paper that is then compared to the prints left by the burglar on the window. Instead, the scan is translated into a biometric profile, which looks at things like the distance between your eyes, the distance between your nose and mouth, the shape of your cheekbones and the dimensions of your face. More advanced systems make a 3D scan and use infrared images, which makes the profile more accurate. It gets even better when the system is able to determine whether the camera is looking at a living person. When unlocking, the detected facial features are compared to the stored profile. So it’s not like photos from then and now are being compared with each other.

I read a bunch of articles on this topic this morning, and the answer to the question whether facial recognition is a safe way to unlock your device seems to be: it depends on the device. Apple's FaceID uses the more advanced techniques I described above from the iPhone X onwards and is therefore considered safe. Android devices are a different story, as the Dutch Consumers' Association discovered. In 2023, they repeated their research from four years earlier and had to conclude that little had changed: they were still able to fool 43% of the tested devices with a photo. This mainly concerns devices at the low end and in the middle of the price range, although a few more expensive devices also fell through the cracks. Almost all Samsung devices performed well.

Windows Hello is available on Windows PCs. It uses infrared cameras to make a 3D scan of your face. The system can also check if it is looking at a living person, making it difficult to fool it with a photo. If your computer does not have the necessary cameras, facial recognition is not available.

Of course I put it to the test and let my private phone look at a photo on my screen. And then I quickly disabled facial recognition on that device… I will continue to use the fingerprint scanner, because it is more secure than a PIN code, which can be copied. And while you can often fool facial recognition with a photo, that is much more difficult with a fingerprint. Some Android devices still have pattern unlock, where you draw a pattern with your finger on a grid of nine points. This option is almost unanimously discouraged, because someone looking over your shoulder can easily remember your pattern. Moreover, traces of grease on the screen also reveal a lot.

During the research for this blog I noticed something. I searched for “facial recognition safe” in both English and Dutch. The Dutch articles gave a good answer to my question, while the English articles mainly focused on the privacy aspect of facial recognition: for what purposes can this technology be abused? Privacy plays a role in particular when biometric data is stored in databases. And again we see that Chinese person crossing the road on a red light and receiving a fine in the mail a few days later. But criminals are also interested in technology that allows them to gather information about someone based on a (secretly taken) photo. And finally, quite a few people fear that the police can unlock their phone very easily – you can’t turn off your face (just like fingerprints, by the way). But you can refuse to give up your PIN code.

There will be no Security (b)log next week.

 

And in the big bad world…

 

 

2024-11-15

Safe water

Image from Pixabay

Have you seen it yet? It is advancing in our offices. Without any warning – or I must have missed something. We looked at each other awkwardly. The first time that day I went to the other one, but then I could no longer contain my curiosity and I bravely walked up to it. I touched it and it flashed happy lights at me. It took me a while to figure out exactly how to do it, but eventually I got what I wanted. A mug full of hot water. We are talking about the Borg & Overström E6, a device that delivers cold, chilled, bubbling and hot water. Tea and water drinkers are in for a treat.

How did I come to dedicate the Security (b)log to what they call a drinking water solution? Well, if the name of a water dispenser contains Overström, then you have my attention. Because, you know, the Dutch word ‘overstroming’ means flooding. Nomen est omen – what's in a name. And indeed I noticed that the device on our floor is already leaking a little. The first part of the name is absolutely a trigger as well, but only Star Trek fans will understand that. A little tip for everyone else: the Borg are those friendly space creatures stating: “You will be assimilated. Resistance is futile.”

There is no manual next to the B&O (oops, that was already another company’s abbreviation). If you haven’t met the E6 in person yet, you might think: what do I need a manual for? But that device does not give up its water just like that. It has five buttons: one for each of the products mentioned plus one with a padlock on it. Aha, that’s the link with security!

So you think you have to unlock the device first with that button and then press the button of your choice. Wrong! After two touches, nothing happens. Well, you get a small light show where you expected water. But no water. Huh? After a day of practice I figured it out. You have to kiss it awake with a gentle touch, then unlock it with the padlock button and only then press the button of the desired product. Et voilà, as long as your finger rests on that spot, water keeps coming. A full mug in one go – a real improvement compared to those coffee machines where you had to tap twice for the same purpose, or use the 'pot' button.

Meanwhile, colleagues are wondering why there is a lock on these devices at all. My answer: to protect children from the hot water. Which children? Well, exactly. They are extremely rare in our office environment, and I suspect the same goes for the vast majority of the other customers of this British company (you wouldn't have thought they were from there, would you?).

I have written before about security measures that are unnecessary in a certain context and therefore cause unnecessary delays. Look, with a boiling water tap in the office I understand that there is some kind of safety on it that requires you to consciously choose boiling water. It would be a shame if you were to wash your hands with boiling water due to an operating error. But you don't do that at a water dispenser, and it is not possible to hang your mouth under it if you are thirsty but don’t have a cup. Moreover, the coffee machines don’t have a lock either.

Many Security (b)logs are preceded by thorough research. For this edition I wanted to consult the Borg & Overström website. But instead of the desired site I was presented with a screen from Cloudflare: “Sorry, you have been blocked.” I must have done something that triggered their security. But I only clicked on the company link from the search engine (startpage.com). Oh well, fortunately there are more roads to Rome and I was allowed to visit that site on another device. By the way, I didn't know you could fabricate such bombastic texts about gargoyles! You could copy most of the texts almost unchanged to sell the latest model of electric car (“evolved environmental sustainability, energy efficiency and intelligent technology” and “we aim to inspire the every day with original design and thoughtful innovation”). Anyway, I was blocked and I have no idea why. Could they have blacklisted our organization? (Being the Tax Administration…)

The E6 can also be operated contactless, via Bluetooth – a covid-driven innovation. I'll quote my Finnish hero Mikko Hyppönen once more: if it's connected, it's vulnerable. Let's hope that doesn't lead to an ‘overstroming’.


And in the big bad world…

2024-11-08

The EU and AI

 

Image from Pixabay

I’ve said before that you shouldn’t ask an information security officer if you can use AI for your work, because that will lead to a risk analysis that will undoubtedly say: don’t do it. No, decisions about the application of certain forms of technology should be made by ‘the business’ or, to use perhaps a better term, by the decision makers. They may well be influenced by our risk analyses, but there are more factors that decision makers should and/or want to take into account.

Sometimes the decision is to be made at the political level. Like with AI. Enter the European AI Act, a regulation on artificial intelligence (an EU regulation is legislation that applies throughout the European Union, without country-specific interpretations). The aim of the AI Act is to ensure that we get safe AI systems that respect our fundamental rights. These rights include transparency, traceability, non-discrimination and environmental friendliness. And the systems must be under human supervision to prevent harmful consequences.

The regulation divides the AI landscape into four risk levels. The highest level contains systems that pose an unacceptable risk to the safety, livelihood and rights of people and are therefore prohibited. Examples mentioned by the EU are voice-controlled toys that encourage dangerous behavior and real-time biometric identification (think of the facial recognition at traffic lights in China: if you walk through a red light, you’ll find a ticket in your mail).

The next category contains systems that pose a high but acceptable risk. They may have a negative impact on our safety and fundamental rights, and they fall into two subcategories: systems covered by EU product safety legislation, such as toys, cars, aviation, medical devices and lifts, and systems in certain areas, such as critical infrastructure, education, employment, law enforcement and migration. Such systems are assessed before they are allowed to be put on the market, and throughout their life cycle. National regulators must set up a complaints procedure.

One risk level lower are systems that pose a risk of deception. This includes generative AI, which creates content itself, such as ChatGPT and Gemini. Artificially generated content must be labelled as such. So if you chat with an AI chatbot on a website, they must clearly tell you. Deepfakes – videos, photos and sound fragments that are manipulated to make it seem like someone is doing or saying something – must also be labelled. AI systems that pose a minimal risk are not regulated. Examples include games and spam filters. According to the EU, the vast majority of AI systems currently in use fall into this category.

The AI Act will be implemented in phases. In February next year, unacceptable systems will be banned. Six months later, the national supervisors should be sitting in the saddle. Next year, the transparency rules for general AI (such as ChatGPT) will also come into force. And a year later, the rules for high-risk systems will come into force.

It is good to see that the EU is taking this issue by the horns in a timely manner. But you should have no illusions about everyone complying with the regulations. Criminals in particular have a knack for breaking the law. They will certainly continue to use deepfakes to make people believe that a loved one is in need and urgently needs money.

 

And in the big bad world…
