Giving away secrets

Image: Unsplash

If I ask: "What's your password?", you have about half a second to think. If I put it that way, everyone – well within that half second, I'd hope – arrives at the only possible answer: "I'm not telling you." And yet, this week a couple of examples landed on my desk that made the hairs on the back of my neck stand up.

In the first case, a colleague started a chat with the helpdesk because he couldn't log into a certain system. The helpdesk agent asked:

What password are you using?

Windows or mainframe?

The person looking for help replied:

iloveyou246

At which point the helpdesk agent choked and (politely) spluttered that passwords must never be shared. The user tried to wriggle out of it with "I don't share passwords", but the agent wasn't buying that. The user then added: "But you asked me what my password is. I'm passing it on so you can fix my problem."

How did it go so wrong? What rock have you been living under if you still don't know that a helpdesk never asks for your password? And – going one step further – that if someone calls you claiming to be from the helpdesk and needing your password to check something, that person is with one hundred percent certainty not from the helpdesk, but someone with bad intentions? Your password is yours and yours alone. Full stop.

Granted, the way the helpdesk phrased its question wasn't entirely clean either. By splitting the question across two lines, you could read the first line as asking for the password. The helpdesk is now looking at how to improve that.

The second case initially got a slightly disbelieving smile out of me, which unfortunately still had to be followed by indignation. This colleague wrote to the helpdesk:

When logging into my PC, my face is no longer recognised (after the holidays) and my code is not accepted. Please re-register my face and set my PIN code to 375484.

Setting aside the many human-interest questions the first line raises, this reveals a breathtaking naivety. For starters, this simply isn't possible – the user has to do it themselves (and obviously only once they've found a way to log in; the helpdesk can of course point them in the right direction). And sharing your PIN or password with a stranger really is quite remarkable.

Let me explain once more for anyone wondering what I'm getting so worked up about. Someone who has your password or PIN can log in as if they were you. What follows can range, broadly speaking, from a cheeky email along the lines of "cake for everyone tomorrow" to looking up data and passing it on to criminals. And who do you think the investigators will come knocking on when they're looking into who leaked what? Exactly. Good luck talking your way out of that one. What I mean is: it is genuinely in your own interest to keep your passwords strictly to yourself. And of course it's also in the organisation's interest – "traceability of actions" is high on its agenda. You always want to be able to trace who did what. But above all, you don't want to make life too easy for malicious actors. That can be more important than you might think.

 

And in the big bad world...

●      someone here may also have shared a password.

●      a password Excel on GitHub is also not a great idea.

●      digital autonomy doesn't have to be that hard. [DUTCH]

●      hopefully you're not using First VPN (spoiler: it's gone).

●      Dutch Defence is now very much alert to trackers. [DUTCH]

●      quantum computers matter for information security. This article tells you what you need to know.

●      I wonder how you can steal open source software.

●      ShinyHunters keeps racking up victims.

●      typosquatting is starting a second life.

 

 

Dumb iPad

Image: Adobe Firefly

This time from the three-letter security alphabet, I’m picking the A — for availability — because the colleagues I complained to in a meeting about my iPad thought I really ought to write something about it. So here goes.

What happened? Well, my iPad had decided to cut off all contact with the outside world. Neither via Wi-Fi, nor via the SIM card. Apps that needed internet access grumbled that they couldn’t connect, or simply did nothing, without so much as a word of explanation. Not a single app gave even the faintest hint about what was holding it back. The obvious fix — turning it off and on again — didn’t help either, and the battery was nicely charged.

Time to call in reinforcements. The helpdesk had a magic button combination up its sleeve: “Press the volume-up button, then the volume-down button in quick succession. Now hold the power button until the Apple logo appears.” Now, on this iPad (10th generation), the top button is not a power-off button, which immediately had me sceptical. But fair enough, worth a try. Which one is volume-up again? Ah yes, this one. Press, press, press, wait… No Apple logo.

After that, the helpdesk fired a whole series of questions at me. For instance, whether other devices were connecting just fine — a logical question, which I could confirm. So it had to be the device itself. Buried near the bottom was a question that made me go red in the face pre-emptively: whether flight mode might accidentally be switched on. It’d be just your luck, wouldn’t it — a stray finger tap silences your device and then you go complaining it won’t talk to anyone. Fortunately, I could quickly stand down: flight mode was off.

Patiently, my friendly colleague suggested the next option: resetting the network settings. That puts just that specific part back to factory defaults. No joy there either. So the helpdesk pulled out the nuclear option: a full factory reset. Well, it had been coming, but as a user that’s obviously the last thing you want. It means setting up your device from scratch, and that takes time.

I left it alone for the rest of the day, but in the evening I tried my luck with AI. The clever chatbot came up with suggestions similar to those from the helpdesk. Notably, the very first option — the button sequence — revealed that I shouldn’t be pressing volume-up then volume-down, but the other way around: first “the volume button closest to the top button”. Which is, in fact, volume-down. After going through the full ceremony, the Apple logo did appear this time, but the problem wasn’t solved.

A few suggestions later, my AI companion asked whether I might be using a VPN. As it happens, last year, when I attended a conference in the US, I had indeed activated my personal VPN on the iPad to use the hotel and conference Wi-Fi without a care in the world. I’d completely forgotten, but I checked anyway (wise lesson: never assume you know the answer — just follow the instructions of whoever’s trying to help you).

After turning off the VPN app, a miracle occurred: the iPad sprang back to life. That thing had simply gagged my iPad. AI’s response: “It happens more often than you’d think: an update to the VPN app or an expired certificate causes the app to block all traffic (the so-called Kill Switch), even if you haven’t consciously activated the VPN.” What I find most troubling about the whole affair is that the VPN didn’t bother to mention that it had shut everything down. Same as that time they’d kicked me out for an alleged violation of the terms of service. I only discovered weeks later, by accident, that I had no VPN. Anyway, my subscription is up for renewal soon, and it’s too expensive and too American anyway. I’m switching to something friendlier.

An app that was supposed to protect my device had compromised its availability. Not great. And oh yes, the other two letters? Those are, of course, the I for integrity and the C for confidentiality. There — we’ve run through the entire security alphabet again.

Next week, due to the shortened working week, there will be no Security (b)log.

 

And in the big bad world…

• security companies are hackable too.
• hackers sometimes hack other hackers.
• ShinyHunters hacked the company behind an American learning management system…
• and escalated when the company didn’t respond to the extortion.
• Dutch universities are also affected by that hack. [DUTCH]
• most passwords can be cracked in the blink of an eye. (Article contains product placement, but remains substantively interesting.)
• the Edge browser makes retrieving passwords awfully easy. [DUTCH]
• the popularity of AI is being exploited to spread malware.
• a fake moustache helps children bypass age verification.

 

 

Stone martens

Image: Pixabay

Not only nice people live in our neighborhood. There is also a stone marten. And do you know what that little creature is particularly fond of? The wiring and hoses in cars. Years ago, the windshield-washer fluid line in our car was chewed through. Recently, the neighbor’s car suffered gnawed cables as well. Once that was repaired, the marten struck again. The same car.

Children and teenagers do not like walking through our street. That is because almost every house has a device that emits a high-pitched beep as soon as it detects movement. It also fires off flashes of light. Apparently, stone martens do not like that. And young people, who have a wider acoustic frequency range, are not fond of it either (with some devices I can actually hear it myself).

There are more defensive strategies. Under our hood there’s a toilet freshener block. The neighbors use a bundle of dog hair. Someone else has placed a piece of wire mesh under the car. And finally, someone even had a kind of electric deterrent installed in the engine compartment. I asked Copilot what it thought of all this. According to it, the mesh and the (harmless) high voltage are reasonably effective, but with other solutions you also need a fair bit of luck. Forget about the scent products. Although: proven in practice, I am inclined to say. Whereupon I must immediately admit that I cannot prove a causal connection between the toilet block and the absence of bite damage.

The stone marten is a predator with a strong territorial drive. It marks its habitat with scent traces. When it encounters the scent of a competitor, it tries to remove it. For example by chewing it away. In addition, those wires have a pleasant smell and likewise a pleasant bite. It is also nice and warm there after a car has been driven, and well sheltered.

No measures had been taken for the car that was attacked twice. That implies that the measures taken by the others do work. Just as burglars are likely to choose the least secured house in a street, the stone marten also opts for a snack that does not require it to pinch its ears or nose. Or where it does not receive electric shocks. That neighbor at least has the luck of driving a leased car. Perhaps that made him more careless than the rest. But still, it causes him quite some hassle.

Yesterday I visited the datacenter of a company where a lot of money is involved. That was evident from the physical security measures. From the outside it looked a bit like a prison. Once inside, my identity was checked and my fingerprint was stored on a badge. The badge hung from a bright red lanyard stating that I was only allowed to walk around when accompanied, and the badge showed the name of my host. With the badge I could pass through a single-person airlock deeper into the building: the outer door opens, you step in, the door closes, you present your badge and your finger and if everything checks out, the inner door opens. But first you still had to pass through a detection gate (which of course triggered on my belt) and my belongings went through a scanner.

The nature of my visit meant that we also went up onto the roof. At the door to the roof, my host first had to inform security, because obviously that door was secured. Not only with a badge reader, but also with a door-open status detector – hence that phone call. Once on the roof, I saw how a swiveling camera was keeping a close eye on us. Once back inside, my host had to sign us out.

There was an impressive number of screens in the security control room, connected to an even more impressive number of cameras. Of course the guards cannot possibly watch them all constantly, but the systems alert them with a beep when they detect something out of the ordinary. From the sound of the beep, the guards know where to look.

Our neighbor has granted me access to the security camera footage at the front of his house. Two see more than one, he must have thought. Moreover, his camera captures our front garden rather generously. It also immediately provided an innocent opening to ask what the camera at the back of his house sees. Our backyard is neatly out of view. As it should be, because there we value privacy more than security provided by a third party.

And so everyone – at least everyone who gives it a thought – adjusts their security to their own needs. I just hope we do not end up in an arms race with that marten.

There will be no Security (b)log next week.

 

And in the big bad world…

• this data theft comes with a smell.
• other countries are struggling with the theft of high-value data, too.
• Microsoft says MS Teams is increasingly being used in ‘Hello, this is the helpdesk’ attacks.
• this international report explains how to defend yourself against covert Chinese networks that make use of your equipment.
• even that innocent snipping tool turns out to offer opportunities to attackers.
• ransomware criminals are arming themselves against the quantum computer, too.
• AES-128 turns out to be perfectly safe from the quantum computer.
• a ransomware negotiator passed information to the opposing side.
• quite a few governments worldwide have access to ‘exclusive’ spyware.
• Apple is fighting grabby law-enforcement agencies — and in the same time, all other curious parties.

 

 

Leonardo & Cookie Monster

Photo: author

A long time ago, somewhere in the 1980s, I was on holiday in Italy with my parents. We visited many places, including Padua. There, we wanted to see an ancient university building, but it was just closing. The friendly caretaker gestured that we were welcome to accompany him on his locking-up round. And so it happened that, moments later, we found ourselves standing at the lectern of Leonardo da Vinci.

Have you ever been somewhere where it felt like you weren’t really supposed to be there, yet the moment felt magical? That’s how it felt back then, and I felt it again this week, when I went to get a cup of hot water for tea at the office. The machine showed a red bar. Not a good sign. The screen no longer displayed the usual options for every imaginable type of coffee, but choices such as ‘remote-controlled measures’ and ‘ingredient management’. And in the top left corner was the most important label of all: ‘machine administrator’. With, right next to it, a ‘log out’ icon. So yes, we were logged in as administrator.

Let me speculate for a moment about what might have happened here. The machine had a malfunction, as evidenced by the red light (on the adjacent machine, that bar glowed white). A maintenance engineer had been called in, but couldn’t immediately fix the problem. For a moment it looked as if various things simply needed refilling, but there was more going on; the bottom message on the display read ‘middle grinder empty’, yet that container was absolutely brimming with coffee beans. So the engineer must have left to fetch spare parts, and forgot to log out.

Colleagues from my meeting stood there, grinning. Stumbling into something like this while a security officer happened to be visiting – well, that was rather perfect. I see this more often: people smile sheepishly, feeling a kind of second-hand embarrassment. Someone hasn’t followed the rules and a security officer has caught them red-handed. Oops. Here comes trouble!

Coffee machines fall well outside my official jurisdiction, but I can of course use this example to highlight the broader issue. And that issue isn’t so much that people occasionally forget to lock their workstation – you get that, don’t you – but rather the more general picture that security isn’t always top of mind. When it really should be.

Recently, I was in a discussion about AI. It was about how you’re not allowed to include personal data in your prompts; for example, you can’t just paste in an entire letter and ask the system to analyse it. A manager said that one of his employees had approached him with a brilliant idea: ‘I’ll just ask AI to remove the personal data first!’ The employee was sent away with the instruction to think very carefully about what he had just said. Hopefully by now he has realised that you shouldn’t ask Cookie Monster to keep the cookies safe before washing the cookie jar.

Look, I understand that you don’t share my professional deformation of seeing risks everywhere. But surely a certain level of basic hygiene is not too much to expect, right? You don’t have to be a Leonardo, but don’t be a Cookie Monster either.

 

And in de big bad world…

• browser extensions are turning out to be a serious problem.
• the Dutch government is investing in security for small and medium-sized businesses. [DUTCH]
• the NCSC is issuing urgent warnings about the risks posed by the AI model Mythos. [DUTCH]
• thecompetitor, too, turns out to have an AI model considered too dangerous forbroad release.
• your travel data may have been leaked via booking.com.
• the Cybersecurity Act and the Act on the Resilience of Critical Entities have been passed by the Dutch House of Representatives. [DUTCH]
• vishing can now be handed over to AI as well.
• the chief privacy officer of Logius fears US interference with DigiD. [DUTCH]
• our national privacy watchdog will start preventive audits of ICT suppliers. [DUTCH]
• once again, a fake text message about a parcel is doing the rounds. [DUTCH]

 

Ethical hacking

Image from Unsplash

After years, it was time for me to go back to training. I looked for one where the chance would be small that I’d learn very little; something that tends to happen quickly when you’ve been around the block in this field. A course on ethical hacking more than met that requirement.

For more than three decades, I’ve viewed the world from the right side of the line. My work revolves around security policies, risk analyses, and compliance, to name just a few things. I read and hear about what goes on on the wrong side of the line and try to make life as difficult as possible for the folks who hang out there. With this hacking course, I wanted to see the world from their side for once. Because, as Sun Tzu already knew in the fifth century BC: ‘Know your enemy and know yourself, and you will not have to fear the outcome of a hundred battles.’

But what is ethical hacking, exactly? Broadly speaking, there are two kinds of hackers: the good and the bad. The latter usually make the news, for instance through data breaches at the police or at telco Odido, both here in the Netherlands. That’s how hacking is known to the general public: unlawfully breaking into computer systems. The people who do this come in many shapes and sizes. At the bottom of the ladder you find the script kiddies: people who use ready‑made recipes to do things without really understanding how they work. And right at the top you have organized crime and state actors.

But there are also benevolent hackers. Like their malicious counterparts, they look for weaknesses in defenses. The big difference is that they don’t exploit those weaknesses for personal gain; they responsibly report them to the organization where they found the vulnerability. You can hire ethical hackers to test your systems, but some also operate on their own initiative. Quite often, if they play by certain rules, they even receive a reward. That can range from a T‑shirt to (a lot of) money.

Of course, after a five‑day course I am far from a seasoned hacker. Quite the contrary: last week my head was spinning from hacking tools with countless options, the many ports that can be attacked, and lots of other things that any self‑respecting hacker is expected to know by heart. Back in the MS‑DOS era, you also had to do everything from the command line (the C:\ prompt), but by today’s standards that feels rather archaic. And yet that’s still how things work in that world, only now with Linux instead of MS‑DOS.

The most important thing I learned is that hacking involves quite a lot, but that once you’ve mastered the tricks, it can be remarkably easy – at least if your opponent doesn’t defend themselves well. In the simple scenario we practiced, you find the IP address of your target, check which ports are open, investigate whether known vulnerabilities exist for the services running there, and boom, you’re in. Obviously, it’s (hopefully!) not always that easy, but the principle is likely the same: the hacker looks for weak spots in the defense. And you’d much rather have those vulnerabilities discovered by an ethical hacker than by a criminal. That only helps, of course, if you then actually act on the findings. Fortunately, everyone understands that. Right?

I’ve always had admiration for colleagues who do this for a living. Now that I better understand what they do, that respect has received a serious upgrade. It’s important, rewarding puzzle work that requires a great deal of knowledge and skill. They make discoveries that sometimes cause quite a stir. And then you see them walking around beaming. A fine sight.

Finally, I’d like to share something entirely different that I learned and that anyone who uses AI chatbots such as Copilot, ChatGPT, and Claude can enjoy. It’s about ELI5. That stands for ‘explain like I’m five’ and ensures that answers are phrased in simple terms and don’t assume prior knowledge. Not baby talk, but often using nice analogies. Just try something like: ‘ELI5: Explain what an IP address is.’

 

And in the big bad world…

• You can even hack a coffee machine.
• The Russians might be in your router (tip: reboot it from time to time).
• It’s not only the Dutch police who have been hacked.
• A romance scammer ends up in prison after accidentally trying to lure a colleague.
• Even astronauts suffer from IT problems.
• This trick exposes North Korean fake job applicants.
• Security legend Mikko Hyppönen has taken a different path these days: he fights drones.
• This new AI model is considered too dangerous to be released publicly for now.
• Some presidents still have room to grow when it comes to security awareness.
• Iranian state hackers have their sights set on critical infrastructure in the United States.

 

 

AI calling your parents

Image from Unsplash

Have you ever had no time (or no desire) to call your parents? Then there’s now a handy service that everyone will benefit from!

This is about a company offering a rather unusual AI service. They actually call your elderly parents. So you don’t have to. On their website you’ll find a photo of the Czech founder with his mother, accompanied by the story of how he lived abroad but wanted to stay in touch with her. Different time zones, a demanding job, and “the unpredictability of life” kept getting in the way. And so the idea for his company was born. It helps people feel “remembered, connected, and valued,” they say.

A bit more information from their website. “Mary” calls the elderly person and asks how they’re doing. She also remembers what you tell her. Incredibly handy, of course: if you tell her today that you need to see the doctor, she’ll ask you tomorrow how it went. She also makes use of 1,400 “life story questions” – something like a database full of opening lines. On top of that, she sprinkles interesting little facts throughout the conversation to help keep the mind sharp.

Before long, the older person will likely no longer realise they’re talking to AI. Simply because AI sounds so natural. I’d bet that you and I wouldn’t hear the difference either. And once you start considering Mary a friend, you’ll probably tell her the same things you’d tell a real friend. For example, about your health – something older people talk about quite often. The company proudly displays the logo “HIPAA compliant” on its website. HIPAA is U.S. legislation concerning the privacy and security of medical data. But it’s less strict than our GDPR. In the EU, medical data is considered special-category personal data, which is subject to extra stringent rules.

Older people are particularly vulnerable when it comes to cybercrime. Recently there are a lot of stories about fake police officers showing up to collect money and jewellery, supposedly because some great danger is looming. Criminals could easily piggyback on a service like this. For example, by pretending to be Mary and asking clever questions to manipulate their victim. Because they trust Mary, there’s a greater chance they’ll go along with the story. You can basically wait for this to happen, sad as that may be.

In your work, you may sooner or later get a phone call from a fake Mary as well. These scams already happen. Three years ago, an American named Brianna was supposedly kidnapped. Her mother received a call and heard her daughter speaking. Or so she thought. Because with AI, a few seconds of audio – stolen from social media – is enough to make someone sound lifelike while saying anything you want. The same could happen with your manager, for example, asking you to email certain data. So if you get a strange request over the phone, call the person back on the number you know to verify that it’s legitimate.

And as for Mary? I prefer to call my mother, who turned 93 today (happy birthday!), myself. Much nicer that way.

 

And in the big bad world…

… a training course got in the way of filling this section.

 

 

Rusting chains

‘The weakest link in IT security is always the one between the screen and the backrest of the office chair,’ someone joked in the comments under my previous blog. That blog was about WhatsApp and Signal accounts that had been hacked through their owners. Directly opposed to that is a statement by a former general director of our organization: ‘People are the strongest link in security.’ How do these statements relate to each other?

You often hear that first quote. It basically means: the computer user falls for it with eyes wide open because they don’t understand it all. Some even dare to speak of ‘that dumb end user.’ That, at any rate, is unfair: you simply cannot expect every employee to thoroughly understand all the ins and outs of cybercrime and information security or to be constantly alert to suspicious situations. So stupidity is almost never the issue (I will come back to that ‘almost’).

A chain consists of multiple links. According to the old saying, the weakest link determines the strength of the chain as a whole. That saying implies that one link can be designated as the weakest. But what if another link rusts faster and overtakes its already weak neighbor? Then suddenly a different link becomes the weakest. If the chain is then put under tension, it may break in a completely different place than expected. In short: I don’t believe much in the weakest-link theory. What I do believe in is a chain that is regularly maintained. If a weak spot is found, it should be repaired.

The security chain has two kinds of links: technical and human. I am keeping it simpler here than other models because this is all I need to make my point. Ideally, the technology would be able to keep all harm and inconvenience outside. Our mail filters would recognize all phishing attempts and send spam flawlessly to the trash. All DDoS attacks would be repelled before they reached your network. And hackers wouldn’t stand a chance because all break‑in attempts would be crushed instantly.

We all know that this isn’t how things work. A hundred percent protection through technology alone is an illusion. You wouldn’t think so if you walked through a security expo where vendors promote their hardware and software. They always seemed to sell perfect security, and with the rise of AI that has only become ‘worse.’ But reality is different: the links in the chain have some rusty spots. And do you know why that is? Because the links rub against each other. It’s not like one system protects everything; there is interaction. And things can go wrong there. In the interaction between technical systems, but also — more often? — in the interaction between technical and human links. Put simply: if a system gives an alert but the user dismisses it as irrelevant while something is really happening, then you have a serious rust spot.

So, are humans the strongest link? When I first heard that claim, I was surprised, because the weakest‑link theory was widely accepted then. But I have changed my mind since. Nowadays, I tell my audiences that they are indeed the strongest link. The user is my last line of defense — when all technical systems have failed, the human is the only remaining safeguard. At least, for the kinds of trouble in which the user plays a role.

Stupidity is almost never the issue, I wrote. Almost. So does that mean sometimes it is? Yes. It happens that people have a bad feeling — for example, they don’t trust a certain email. And then they still click the link or open the attachment. Just to see what happens. Because they’re curious. Or because they think: well, this isn’t for real, right? That’s not smart. Just follow the simple rule: when in doubt, assume it’s malicious.

And in the big bad world…

• See where a successful phishing attack (in this case by phone) can lead.
• A security company has uncovered a network of North Korean infiltrators.
• Hackers also use regular management software.
• You could park for free in Perm thanks to a DDoS attack.
• It’s better not to brag about running on a ship.
• Attacks on iPhones are no longer limited to high-value targets.
• You may be attacked by invisible code.
• Belgian civil servants will now message using Beam. [DUTCH]