Security (b)log - English edition

2026-03-20

Rusting chains

‘The weakest link in IT security is always the one between the screen and the backrest of the office chair,’ someone joked in the comments under my previous blog. That blog was about WhatsApp and Signal accounts that had been hacked through their owners. Directly opposed to that is a statement by a former general director of our organization: ‘People are the strongest link in security.’ How do these statements relate to each other?

You often hear that first quote. It basically means: the computer user falls for it with eyes wide open because they don’t understand it all. Some even dare to speak of ‘that dumb end user.’ That, at any rate, is unfair: you simply cannot expect every employee to thoroughly understand all the ins and outs of cybercrime and information security or to be constantly alert to suspicious situations. So stupidity is almost never the issue (I will come back to that ‘almost’).

A chain consists of multiple links. According to the old saying, the weakest link determines the strength of the chain as a whole. That saying implies that one link can be designated as the weakest. But what if another link rusts faster and overtakes its already weak neighbor? Then suddenly a different link becomes the weakest. If the chain is then put under tension, it may break in a completely different place than expected. In short: I don’t believe much in the weakest-link theory. What I do believe in is a chain that is regularly maintained. If a weak spot is found, it should be repaired.

The security chain has two kinds of links: technical and human. I am keeping it simpler here than other models because this is all I need to make my point. Ideally, the technology would be able to keep all harm and inconvenience outside. Our mail filters would recognize all phishing attempts and send spam flawlessly to the trash. All DDoS attacks would be repelled before they reached your network. And hackers wouldn’t stand a chance because all break‑in attempts would be crushed instantly.

We all know that this isn’t how things work. A hundred percent protection through technology alone is an illusion. You wouldn’t think so if you walked through a security expo where vendors promote their hardware and software. They always seemed to sell perfect security, and with the rise of AI that has only become ‘worse.’ But reality is different: the links in the chain have some rusty spots. And do you know why that is? Because the links rub against each other. It’s not like one system protects everything; there is interaction. And things can go wrong there. In the interaction between technical systems, but also — more often? — in the interaction between technical and human links. Put simply: if a system gives an alert but the user dismisses it as irrelevant while something is really happening, then you have a serious rust spot.

So, are humans the strongest link? When I first heard that claim, I was surprised, because the weakest‑link theory was widely accepted then. But I have changed my mind since. Nowadays, I tell my audiences that they are indeed the strongest link. The user is my last line of defense — when all technical systems have failed, the human is the only remaining safeguard. At least, for the kinds of trouble in which the user plays a role.

Stupidity is almost never the issue, I wrote. Almost. So does that mean sometimes it is? Yes. It happens that people have a bad feeling — for example, they don’t trust a certain email. And then they still click the link or open the attachment. Just to see what happens. Because they’re curious. Or because they think: well, this isn’t for real, right? That’s not smart. Just follow the simple rule: when in doubt, assume it’s malicious.

And in the big bad world…

2026-03-13

WhatsApp and Signal hacked? No!

Image from Unsplash

Last Monday, Dutch broadcaster NOS ran the headline: ‘Russia hacks WhatsApp and Signal of government employees, intelligence services say.’ Let me explain why I label this as ‘devaluation.’

First, a reassurance: neither WhatsApp nor Signal has been hacked. At least, not if you use the common meaning of hacking: gaining unauthorized access to a computer system (not a formal definition, but the way I see it). In this case, the computer system would be the service as provided by WhatsApp and Signal. Your individual account is not the target.

Let’s pretend for a moment that these chat services really were hacked. That would mean a hacker had broken into their servers and done all sorts of things that many people would not appreciate; all – or at least many – customers would have been affected because their data had been compromised.

But that’s not what happened here at all. The actor (a polite term for perpetrator) targeted individual accounts of specific types of officials. These people received a message that appeared to come from Signal’s chatbot; it looked like an official warning from the service provider about suspicious activity. It also claimed that data might have leaked and that attempts had been detected to access private information. You could prevent this, the message said, by completing the verification process.

So what is actually happening? The actor wants to log in to your Signal account. The app then asks for a code, which is sent by SMS to the phone number Signal knows: yours. The actor needs that code, and your self‑chosen PIN, to log in. Hence the message they send you. The idea is to make you panic so that you quickly complete the ‘verification process’, which really is a trap. If you fall for it, the actor can take over your entire account and even change the linked phone number to their own. They now have access to your contacts and can read new chat messages (both one‑to‑one and in groups). They can even send messages as you. You lose access to your account, but you can create a new one and get your chat history back – because it is stored on your device. Great, no problem, nice that they helped me so well, you might think.

In another variant, they have you scan a QR code or click a link. They make you believe you are being added to a WhatsApp or Signal group chat, but in reality the attacker’s device becomes linked to your account. The actor can now see all your chats, often including chat history. You notice nothing. In this attack as well, they can read new messages and send messages on your behalf.

Now, back to the term hacking and why I think it is being devalued. From the 1960s onward, a hack was a clever technical trick in the (American) computer and model railway club world, and a hacker was an exceptionally smart programmer. In the 1980s, the term was used for people who conducted in‑depth research into computer systems and networks. If they bypassed security, it was out of curiosity and in order to test things. There were also crackers, their malicious counterparts. From the 1990s onward, the distinction faded and hackers came to be seen as criminals in general. See my personal definition above.

The NOS headline suggests that WhatsApp and Signal have been hacked, while the cyber advisory from Dutch intelligence services explicitly emphasizes that this is not the case. Apparently, NOS was reprimanded, or the editorial team corrected the intern, because later that day the headline changed to: ‘Intelligence services: Russian hackers access WhatsApp and Signal accounts of civil servants.’ And the article gained a paragraph titled: ‘No breach in the messaging service itself.’ In the original version, ‘hacking’ seemed to refer to pretty much all computer‑related trouble coming from the outside. As described above, the term was already significantly devalued, but this was simply misleading.

What actually happened here is called social engineering. In this technique, it is not the computer but the human behind the computer that is attacked. If they succeed in getting you to share a code or scan a QR code, their mission is accomplished. Social engineering is also known as hacking the human – which, ironically, is accurate.

And in the big bad world…

2026-03-06

Poor crisis communication

Photo by author

It is not my habit to blog about the same topic two weeks in a row. But this time, they really asked for it.

Yes, I'm talking about the data theft at Odido again. Last week I wrote that the press mainly portrayed Odido as a victim: they were hacked, so they must be pitied. But they weren't ‘hardcore hacked’ at all: the criminals got in through phishing combined with other forms of social engineering. They simply walked through the front door and downloaded all that data. That victim narrative is becoming less and less tenable, and the press has now picked up on that as well. Odido is facing increasing scrutiny.

The company is in crisis, and that requires solid communication. So how are they doing on that front? Well, not great. Let me be clear: I’m not an expert in crisis communication. A teammate of mine is – he completed a training program in crisis management and crisis communication. Do you know the first thing he said when I asked him about the essence of good crisis communication? Openness and transparency. Followed by speed, honesty, and taking initiative.

Earlier this week I spoke with people from various organizations. What I heard was not encouraging. One company had been told that only the data of administrators with an account on Odido’s business portal had been affected. But shortly after, employees began complaining, and it turned out that the data of several thousand employees had been leaked. People also grumbled about the very poor and sometimes simply incorrect information coming from the telecom company.

On February 13, I received an email from Odido stating that my data, as a former customer, had been leaked. I was a T-Mobile customer until 2019, the predecessor of Odido. The company wrote: ‘Odido retains – according to our privacy statement – your contact details for up to 2 years after termination of the contract and switching to another provider. Because you switched less than 2 years ago, your details were still in the system, and that is why you received this email.’ A quick calculation shows that something doesn’t add up.

The same email also stated: ‘What has not been leaked: Identification data: number and validity of your passport or driver's license.’ However, on the company’s information page – which is still difficult to find – it does state that this information has been leaked. But apparently that wasn’t important enough to send a follow-up email.

On March 1, haveibeenpwned.com notified me that my data had been leaked via Odido, and three days later my VPN provider sent a similar notification. They had even more information: through their Dark Web Monitor they could specify precisely which data had been leaked. This included the number of an ID card – the card shown here – which was valid until 2016. I had missed Odido’s email because it was sent to an account I rarely check; I only just found it. You can imagine my shock that such an old ID card surfaced while (I believed) Odido had not informed me at all. It shows at the very least that Odido does not comply with its own privacy statement. Let alone the GDPR, which explicitly states that personal data must not be retained longer than necessary. Holding data belonging to someone who was a customer of their legal predecessor seven years ago is absurd.

My knowledgeable colleague said that good communication can actually strengthen your position during a crisis, by showing honesty and integrity. These qualities are in short supply at Odido. What doesn’t help is that the company’s spokesperson badly mispronounced ‘cybercriminals’ in an interview with the Dutch public broadcaster NOS. That level of cluelessness and lack of interest is downright embarrassing. My colleague also noted (thanks, Rico) that it is far more effective to present yourself not as a victim, but as a problem-solver. I’m seeing very little of that so far. Their communication about not paying the ransom – which is a defensible choice – comes down to three sentences on that hard-to-find information page: ‘We have made a careful assessment. Leading experts and government bodies have urgently advised us not to engage with this criminal group. This advice is based on extensive experience with this specific group.’ There is no trace of empathy toward customers. Again, I don’t need them to pay, but I do expect them to clearly explain why they are not paying.

The day before yesterday, I wanted to ask my bank something. The first question their chatbot asked me was: ‘Are you chatting with us because of the recent cyberattack at Odido?’ The chatbot explained that my bank account was safe and provided additional information about data breaches in general. Now that is smart communication.

And in the big bad world…

2026-02-27

Telco hacked

Image from Unsplash

Most data breaches and hacks are the kind of inconveniences that happen to other people. This time, however, if you live in the Netherlands, there’s a good chance you’re staring rather glumly at an email from your telecom provider. After all, Odido controls roughly one third of the Dutch mobile market. On top of that, they provide fixed internet connections to a million households. And if you’re a Ben customer, you’re out of luck too.

The news is receiving wide coverage in the media. Understandable, given the scale: 6.2 million accounts were stolen from Odido’s customer contact system. Some of those accounts belonged to people who hadn’t been customers for years. Odido discovered this when these individuals responded, puzzled, to the notification email the company sent them. But the sheer size isn’t the only reason to be concerned. The kind of leaked information matters too. It wasn’t just the “usual” personal data such as name, address and email address. This hack also exposed phone numbers, bank account numbers, passport information, citizen service numbers, and even records of payment arrears.

Roughly two million records – containing nearly 700,000 unique email addresses – have already been published, because Odido didn’t comply with the demand from the criminals, who call themselves ShinyHunters, to pay “a low seven‑figure amount” (that’s at least one million euros). And they’re threatening to leak even more data. Plenty of reasons for millions of people to be worried.

Media coverage of the incident mostly focuses on sympathy for Odido and its customers. What you hear much less about is how this could have happened. I do understand that journalists focus on the victims. But still: how did this happen?

Phishing, ladies and gentlemen. In every presentation I emphasize again and again how important it is that everyone is resilient against this form of cybercrime. At Odido, that resilience failed this time. The phish reached customer service employees (possibly at a call centre abroad), who fell for it and handed over their passwords. Even two‑factor authentication (2FA) wasn’t an obstacle: the criminals called the employees, pretended to be colleagues from IT, and obtained the second factor as well. ShinyHunters executed an impressive piece of social engineering here: they didn’t hack the computer system – they hacked the computer users.

They then proceeded to download data. A lot of data. There should have been an automatic emergency brake for that. It should never be possible for a customer service account to download such vast quantities of information at once. It appears that there was no monitoring in place. If that’s true, it means not only the organisational measures (training) failed, but also the technical ones. You can hardly blame anyone for the failure of training; carefully crafted phishing emails are almost indistinguishable from the real thing. Oh, how I would love to see that phish. Employees handing over their 2FA, however, is something that deserves extra attention.

Odido itself is being notably tight‑lipped. I expected a statement on the homepage of their website, but only after some digging I found the “Information page Odido cyber incident”. First, there’s an extremely short official statement. Underneath, in giant letters, they advertise the free protection against phishing and other threats that they offer to their customers (one wonders if they use it themselves…?). Only then comes a detailed explanation of what happened, and some do’s and don’t’s. The bottom line: criminals with access to the leaked data can impersonate you and carry out all sorts of actions at your expense. So, in the coming period, keep a close eye on the invoices you receive and check your bank account for unfamiliar direct debits.

In the FAQ they raise the question of whether Odido’s security was adequate. But they don’t really answer it. Instead, we get the usual platitudes: safety is our top priority, we continuously work on improvements, but yes, criminals are very clever too.

Whether Odido was, after all, still clever in securing its assets – personnel included – will undoubtedly be investigated thoroughly. But whether we’ll ever get to hear the answer is another matter.

And in the big bad world…

…I was unfortunately too busy with other matters today to fill this section.

2026-02-18

Size matters

Click on image to enlarge

Exactly one year ago, my colleague Alexander asked a question. Some topics take a little longer to mature. His question was about passwords and whether it’s really necessary to make them overly complex. He sent along a well‑known chart that illustrates how quickly passwords can be cracked. Let me break it down for you, because it contains a lot of interesting information.

I’ll start with the title. The key term is ‘brute‑force attack’. Brute force against what? Any system you want to log into contains a file with all user accounts. After all, the system must be able to check whether you’re allowed in. Unless its designer has been living under a rock, the passwords in that file are not stored in plain text. Otherwise, anyone who manages to steal the file would have free access. Instead, the passwords are stored in encrypted form. When you log in, the password you enter is encrypted as well, so it can be compared to the stored version.

An attacker needs many attempts to crack your password. If they try logging into a website with your account, your account will usually be locked after a few failed attempts. That lockout is a security measure against brute forcing. So, that approach gets the attacker nowhere. What they really want is the full password file, so they can attack it offline without getting locked out. Of course, they first have to break into the target system to steal it.

Let’s assume they succeed. They then use a powerful computer to attack the accounts in that file. The chart shows how long that would take. Vertically, the password length increases from four to eighteen characters. Horizontally, the number of possible characters increases. The first colourful column represents ten characters: the digits zero through nine. The next columns give you 26, then 52, then 62 characters. The last column represents all possible characters – digits, uppercase and lowercase letters, and symbols (! @ # $ % ^ & * ( ) - _ = + etc.) – about 94 characters (‘printable ASCII’).

In the top-left corner, you see that a four‑digit password offers no resistance at all. There are only ten thousand possible combinations, meaning the attacker needs about five thousand guesses on average. That’s just too easy. In the bottom‑right corner is the other extreme: eighteen characters chosen from 94 possible symbols. That gives you 3.28 × 10³⁵ possible passwords – roughly a three followed by 35 zeros. According to the table, a powerful cracking computer would need 463 trillion years to guess it. A trillion is a thousand billions; the universe is only 13.8 billion years old.

What I find far more interesting is that the table changes much more vertically than horizontally. In other words: length matters far more than complexity. If you make a numeric‑only password four times longer, the attacker suddenly needs two thousand years. Meanwhile, expanding the character set (at the same length) hardly affects the cracking time. And if you look at the row for fifteen characters, a password made up of only lowercase letters already takes nearly half a billion years to crack. That square could have been coloured green, as far as I’m concerned.

Conclusion: if a password is long enough, you don’t need to worry about complexity. Many systems insist you include at least one digit, one lowercase letter, one uppercase letter, and one symbol — but that’s unnecessary if your password is sufficiently long. Allow your password manager to generate and store those long passwords for you. For the few passwords you can’t store — such as the master password for your password manager — choose something you can remember but others can’t easily guess. For example, “You won’t hack my password” or “mhallfwwasmfwas” (Mary had a little lamb…).

And in the big bad world…

2026-02-13

Receipt required

Photo from author

Do you ever find yourself in Germany? And have you ever taken a close look at a receipt there? Well, I have. And what immediately caught my eye was the cryptographic information printed on it.

To be clear: when I talk about crypto, I mean cryptography, not digital money like bitcoin. Cryptography is the mathematical art of securing data, as someone at a conference recently put it. But what exactly was on that receipt, and more importantly: why?

There were long strings of letters and numbers, as you can see in the photo. My attention went straight to the ‘PublicKey’ line at the very bottom of the receipt. Behind it: a blob of 132 characters. The receipt also contains a similar string representing a digital signature. You don’t often see information about digital signatures printed on an analogue medium (the paper slip).

The reason lies in German law: the Kassensicherungsverordnung (Cash Register Security Ordinance, or oddly abbreviated KassenSichV). It requires electronic tills to be equipped with a Technische Sicherheitseinrichtung (TSE – Technical Security Module). The TSE prevents tampering with the till: every transaction is logged in order, assigned a sequential number, and digitally signed. This allows the Finanzamt (tax administration) to check for irregularities, such as missing receipts. A shopkeeper using a till without a certified TSE can be fined up to € 25,000 (almost US$ 30,000).

All that cryptographic work happens inside the register. But why print that information on the receipt? Because the receipt itself must also be verifiable. You as a customer won’t do anything with it – you may consider the fact that I noticed it a case of professional deformation. But the tax administration can run spot checks, for instance by sending in a mystery shopper who later has their receipt verified. In the past, retailers could hand the customer a perfectly decent-looking receipt while deleting or altering the transaction inside the system. That’s no longer possible: the digital signature would expose it immediately.

On more modern receipts, the printed TSE information has been replaced by a QR code. That makes the life of inspectors easier (even though it’s marketed as a paper-saving measure). Even more eco-friendly is the digital receipt which, very un‑German, is called a fiskaly receipt (they actually use the English word receipt). The customer scans a QR code on the till. But it can be even simpler: at the supermarket we visit from time to time to buy things they don’t have here or that are much cheaper there, you can receive the receipt directly in the store’s app.

That digitalisation is great, but I do see one problem. When I buy something with a warranty, I scan the receipt and store it under a meaningful filename on my computer. I do this for two reasons: printed receipts fade, and my computer can search for me. Digitally issued receipts, however, I never find back. Once you realise that, you then need to remember which shop sold you the product, so you can search the relevant app or website. To work around this, I now store a small file in my records noting where the product was purchased. Another tip for fellow administrative nerds: since clothing tends to break or fray, I store a photo of the garment alongside the scanned receipt. Then you always know which receipt belongs to which pair of trousers.

One more thing that stood out on the receipt from Shawarma Al‑Zaiem: the line ‘Es bediente Sie: LPADMIN’ (“You were served by”). The administrator was logged in at the till. Now, Al‑Zaiem is a small place where only two people were working, but still: using an admin account for routine operations is never a good idea.

Send me photos of your bewildered travel companions the next time you find yourself attentively studying your receipt in Germany (-;

And in the big bad world…

2026-02-06

On thin ice

Image from Unsplash

Freezing rain had been forecast. On the radar you could see a mighty precipitation area rolling in from the south. Like many colleagues, I decided to go home early. I got home dry and, more importantly, without slipping, and spent the rest of the afternoon watching how, in this region, things didn’t get nearly as bad as expected.

After work I was supposed to go for a run. However, the threat of freezing rain still lingered in the air (even though I hadn’t seen anyone slip in my street). So I decided not to run outside and instead put my treadmill into action. Safely exercising indoors. Added bonus: inside it was about twenty degrees (36 °F) warmer. Shorts and a light shirt would do just fine.

After twelve minutes and fifty seconds my athletic ambitions came to an abrupt end. I made a misstep: my right foot didn’t land on the belt but on the edge of the machine. The entire right side of my body suddenly stopped, while the next step – with the left foot – was already underway. You can imagine this didn’t end well. First my left knee hit the moving belt, then the right one. My left foot had meanwhile planted itself on the ground behind the treadmill. Which meant I stood still. While the belt kept running underneath me. With my knees still on it. It burned quite a bit.

Treadmills have a safety cord. One end has a clip you attach to your clothing, the other end a plug you stick into the control panel. If you fall, the plug should be pulled out by the cord so the belt stops. The cord turned out to be slightly too long for the position I had ended up in – the safety plug stayed in place. The belt kept spinning until I pulled the cord by hand.

My wife and daughter rushed in, worried, and a bit dazed I asked for two wet washcloths to cool my knees. Three days later, the left one is almost healed, but on the right one I’m currently missing about four centimeters (1.5”) of skin. Nothing dramatic, it’s just the occasional sting and the healing wound pulling a bit.

I learned two things. First: organizational measures can backfire. I chose not to go outside because I didn’t want to fall. And that is exactly what happened. Of course I try to project this onto my work (this is still the Security (b)log, right). Do we sometimes make decisions there that ultimately cause the very thing we tried to prevent? Those decisions are usually well thought-out, thoroughly discussed, and we’ve slept on them. We’re currently revising our password requirements. Obviously with the intention of making our employees’ accounts more secure. But we must be careful not to make things so difficult that people get ‘creative’. Communication and support are crucial when implementing changes that affect everyone personally.

Second: if technical security measures are not implemented well, they won’t work in every situation. The safety cord works perfectly if you fall straight backward off the belt, but not if your fall stops halfway. You have to be very clear about the purpose of a measure, and you must examine all possible scenarios. Only then may you expect the measure to do what you intended. Example: we’ve been encrypting our data and communications for years. But if you don’t take the coming of the quantum computer into account – one that can crack today’s encryption with ease – you remain vulnerable. Maybe not today, but certainly when the data you send now can be decrypted by unauthorized parties a few years from now.

Our daughter is celebrating her eighteenth birthday today and wants to drive to school*. We’ve taken all kinds of measures: she got her driver’s license, we practiced extensively with her, we agreed on rules. The car was recently checked. And we have expressed our trust in her. And yet, as parents, you’re relieved when she gets home safely. Because you know that measures don’t always work.

*: In the Netherlands, you can take driving lessons from the age of 16.5. Once you get your license, until your 18^th birthday you have to be accompanied by a registered driver who must be no younger than 27 years.