2022-04-22

Bluebottle


Image from Pixabay

“Big bluebottle optimistic about 160th attempt to pound through the window,” the Dutch satirical website De Speld reported this week. At times I feel a great connection with that insect.

Do you know that feeling that something is crystal clear to you, yet not at all understood by someone else? I also sometimes sit on the other side, for example when the children have fun saying "Hey Marco, great!" and I ask them what the hell they're talking about (it’s a viral TikTok thing; you don’t need to know more about it).

However, if I myself am surprised because someone really doesn’t get it, then it is a different story. You need to respond professionally, whether in your private life or at work. An example of the former I experienced twice when the children entered high school and were taught mathematics. I used to help them with math, and when I was dealing with simple equations, I found that they had no idea what a variable actually is. Their glazed looks when I said: “Just fill in 2 for x…” spoke volumes. Then you have to reset yourself, go back to basics and find words to explain something that is completely self-evident to you. In the meantime, I do wonder how a teacher could possibly not notice something like this. By the way, it helps if you've been through a situation like this before – with the second child I quickly recognized what was going on and wasn't even surprised anymore.

But especially in my work I sometimes feel like the bluebottle, trying to smash through double glazing. Taking an extra run-up and hitting that window again at full speed definitely wouldn’t do much good. That fly doesn't understand. I do. And so I'm going to look for another window that might be open. Although that takes extra time and effort, it does offer perspective on achieving my goal.

You have to be open to this phenomenon on both sides. Yesterday I was in a meeting about how we should deal with the BIO (the Dutch government’s baseline for information security, fully based on ISO 27002) in a certain project. After a while I realized that one of the participants might not know what that BIO is all about. That's why I asked him. In this case, he was well informed, but it’s also possible that someone completely drops out because they don't know what you're talking about. On the other hand, if someone talks about something you don't know, or uses an abbreviation that doesn't mean anything to you, ask about it. After all, there is only one stupid question: the question that was never asked.

I've been struggling with passwords for a while now. Every now and then I run into colleagues who – no doubt with the best intentions – handle passwords insecurely. Typically, these are system-to-system passwords used in testing. These tests are often performed automatically, sometimes in the middle of the night. Now there are techniques to ensure that those passwords are in a digital vault, from which they can be retrieved by the relevant process. Without human interference. And no one knows those passwords, because they are automatically generated and immediately encrypted and stored in that vault. Sounds solid, doesn't it?

Unfortunately, there are teams that cannot or do not want to apply this. They request the password in plaintext and want to store it in their team password manager so they can access it if necessary. When I hear about that, I'm just that bluebottle thinking: how come they don't understand that passwords for system-to-system access should not be known to people? But of course it is never that simple. There are always good reasons not to do it the right way. And if something works, there is usually little incentive to change it. But, I say: open your window to let the bluebottle through. This results in a win/win situation: fly happy, you happy. And your operation becomes a bit safer. Even if it is 'only' in the test environment. Which by the way should be production-like…


No Security (b)log next week.


And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.


2022-04-15

Cannot can't be

Image from Unsplash

The motto of the 2007 film K3 and the cat prince is: cannot can’t be. The Belgian/Dutch girl group K3 aims at children as its audience. That same audience sometimes shouts at home: “I can't do that”. But if they have seen that film, then as a parent you can make appropriate use of that motto for quite a long time.

This can be a bit more difficult for adults. We are currently in the process of implementing some additional security measures that will affect all users. The first is that you have to enter an extra code when booting the laptop, the second measure is that Webex (our video conferencing system) will be equipped with multi-factor authentication (more about that later). A pilot group was set up to test the extra startup code. This has resulted in some outspoken reactions: I can't do that! I don't want to participate in that! I'm about to retire! I have the memory of a goldfish, I immediately forget that code! I don't have time for this!


On the right you see the Can/Want matrix of vocational expert Hanneke Tijken. That matrix divides humanity very clearly into four groups, based on whether they can do something and whether they want to do it. People who can solder, for example, and who also want to, can easily be used for a soldering job. If someone can solder, but doesn't feel like it, you might be able to convince them to do it anyway. Still others, who would like to do it, but can't solder yet, can take a course. At the bottom left of the matrix you have a problem. There are the people who can't do it and who don't feel like it at all. Getting these people to solder would require a disproportionate effort. That is why – somewhat pessimistically – the word 'lost' appears in that quadrant: if budget and time are limited, then rather spend them elsewhere.

This matrix also applies to information security. Because there too we have to deal with people who want or don't want something and people who can or cannot do something. Sometimes people just think they can't do something, and not wanting to can be based on incomplete information. If you can explain why something is necessary, then you can convince those people. Just like you can teach people something with a tip, trick or course.

The colleagues quoted above are clearly not in the top right quadrant. They uttered can't-statements as well as unwilling-statements. With some statements, you might suspect that they both can’t and don’t want to. But I don't want to consider anyone lost on the basis of a vague suspicion. I've been making a strong case for years to keep everyone on board. And it is especially important with the upcoming changes, because they are really going ahead.

Where are you in that matrix? Especially for the people on the top left, I'd like to explain what's going on. The first adjustment, the extra boot code, is necessary because research has shown that the security of our laptops is not as good as we thought. This will be restored with this adjustment, so that our business data is also safe if your laptop ends up in the wrong hands due to loss or theft. The second change has to do with the fact that we will soon be using Webex for more than only video conferencing: we are going to chat, share files and scribble on virtual whiteboards with that app. Video conferencing is volatile: what you hear and see there is immediately gone. However, chats, shared files and whiteboards will be saved – outside our own data center, that is. We must take additional steps to ensure the confidentiality of that information. We want to make sure it's you when someone wants to log in with your user ID, and that’s where multi-factor authentication kicks in: the first factor is your password, the second is an app on a mobile device which constantly generates new codes. When logging in you have to enter the code that the app shows at that very moment. Elsewhere, those same codes run along on a system, and when you use one, both codes are compared to check whether you really entered a code that corresponds with your device. In this way you log in based on something you know (your password) and something you have (the mobile device with the app linked to you): multi-factor! The entire process of checking whether it is really you is called authentication.
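The code exchange described above, written out as an added example that is not part of the original post: the app on the device derives a code from a shared secret and the current 30-second time step (the TOTP scheme of RFC 6238, built on HMAC-SHA1), and the system on the other side recomputes the code for the same moment and compares. The verifier accepts one neighbouring time step in each direction so that a slightly drifted clock does not lock the user out; the shared secret used here is the reference key from the RFC test vectors, a constructed value.

```python
import hmac
import hashlib
import struct
import time

# Constructed sample secret: the reference key from the RFC 4226/6238 test vectors.
# A real enrolment generates a random secret per user and device.
SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # the app shows a new code every 30 seconds
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                             # dynamic truncation offset
    code_int = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code_int % (10 ** digits)).zfill(digits)


def time_step(unix_time: float, step: int = STEP_SECONDS) -> int:
    """Number of whole time steps since the Unix epoch (the TOTP counter)."""
    return int(unix_time) // step


def totp(secret: bytes, unix_time=None) -> str:
    """Device side: the code the app shows at this very moment."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, time_step(unix_time))


def verify_totp(secret: bytes, submitted: str, unix_time=None, window: int = 1) -> bool:
    """Server side: recompute the code for the current step and `window` steps
    on either side, and compare in constant time.  A production verifier would
    also remember the last accepted step so the same code cannot be replayed."""
    if unix_time is None:
        unix_time = time.time()
    current = time_step(unix_time)
    for step in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, step), submitted):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    code = totp(SECRET, now)                  # what the user reads off the app
    print("app shows:", code)
    print("server accepts:", verify_totp(SECRET, code, now))
    print("server accepts a stale code:", verify_totp(SECRET, code, now + 120))
```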

The pilot also generated positive reactions. I like this one the best: “It was not too bad for me, it only took five minutes!” And I actually expect that the largest group of users will just sigh and then take it for granted.

Finally, an inspiring quote. At the town hall of Vaals, a town in the very south of the Netherlands, there’s this Latin inscription: nil volentibus arduum. Which means: nothing is impossible for those willing.

This blog post has been translated from Dutch to English by Google and edited by the author.


And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.


2022-04-08

Cookies


Image from Pixabay

I really like American chocolate chip cookies. Just love those large chunks of chocolate in a crunchy biscuit. It becomes a completely different story if you omit the first three words: in my country, the word cookie is solely associated with computer cookies and as such I associate them with annoying flies rather than with a delicacy.

The advertising and marketing industry – and especially its clients – have the right to earn their living. We all use all kinds of 'free' services on the internet, but of course the suppliers of those services need an income. They make money by accompanying their services with advertising. Let them have their fair share. Cookies are used to organize that advertising. A cookie is a file that is placed on your computer or mobile device and that records information about the contact with you; in other words, the relationship between your behavior and your device is recorded.

Unfortunately, shady practices are also used to earn even more money. To find out more about this, I had a conversation with my colleague Hans van Buuren, solution architect interaction and specialized in this subject. The common thread through our conversation was profiling. It is very important for advertisers that they understand our interests and needs. An offer on diapers blows me neither hot nor cold, but when I’m looking for a new phone and you send me a great offer, you have my attention. In other words, untargeted advertising generates far less revenue than a well-timed ad delivered to the right address.

But profiling is what often comes with a nasty taste. 'They' know a lot about us and those cookies are quite persistent. At a cookie wall (the 'wall' that separates you from the information you want to see) most of us quickly click on “yes go ahead” to continue. If you indicate at such a cookie wall that you do not simply agree, then all types of cookies should be disabled by default and you can turn them on one by one if you wish. In addition, you should have the opportunity to reconsider your decision afterwards. You do not give perpetual permission to any website.

So far there is not much going on: you visit webshop A, they know which products you have viewed and will spam you in the near future with advertisements for similar products. But often it doesn't stop at a 1-on-1 relationship. There is a lively trade in profiles. Webshop A sells information about you to other parties. This creates a much broader picture of what you do online. So-called third-party cookies are also used for this: they are not managed by webshop A, but by a third party: advertising companies such as Facebook and Google. These somewhat crumbly cookies are sometimes stored in hidden places, so that they remain behind when you delete your cookies. But they are in a bad light, which is why several browsers have already banned third-party cookies, and even Google is phasing them out this year. Are they shooting themselves in the foot with that? Nope, they just came up with something new that will strengthen their own position in the advertising market and will deal with annoying privacy legislation.

Not only cookies say something about you – the things you put on social media also tell tales about you. Social media therefore read everything you write and make all kinds of connections. This all happens automatically and is used, among other things, to feed you with new information that is right up your alley. That way you can become addicted to such a medium – they confirm your behavior and thus become your best friend. This can also lead to tunnel vision. You see this, for example, with conspiracy theorists, who are increasingly presented with similar information and then get stuck in a certain image.

I asked Hans if marketers are people that have no scruples. The average marketer isn't like that, but they don't always realize that offering "sixty thousand cookies" actually means that just as many people are going over the counter. Ultimately, the revenue from the advertising takes precedence over an individual’s privacy. A tip from Hans: with an adblocker in your browser you keep intrusive advertisements at bay.

Once in a while we go shopping across the border. In a German supermarket, we buy American chocolate chip cookies, made in the Netherlands. But nobody else knows that. Not even Google.

This blog post has been translated from Dutch to English by Google and edited by the author.


And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

2022-04-01

Exclamation mark

Image: ANWB


Ten years ago on Friday January 13 I wrote something about the phenomenon Friday the 13th. Do I have to come up with an ingenious April fool’s joke today? No, let’s not do that. I can be funny, but let’s leave thinking up and executing such a good joke to others. Such as the HEMA department store, where they announced the inside out boxer shorts: the underpants of today and tomorrow.

So you have been warned: it is April 1. In traffic we have a special road sign to warn of all kinds of danger: the triangle with a red border and a solid exclamation mark in the middle (at least, here in Europe). In the past, there wasn't an exclamation mark, by the way, but just a thick vertical line, with no dot underneath — as if using a symbol that anyone could easily understand was forbidden. Just like that garden gate that warns of crossing trains.

But as the title indicates, I'm mainly going to talk about exclamation marks. And that's for a reason. I recently did a risk analysis and asked those present what measures they had taken to protect their system against a particular threat. Do you know what they said? We've added exclamation marks in the manual! I like such creativity. It was recognized that a particular step in the installation manual is important for the security of the system and this feeling was expressed by using the universal attention symbol. While that simple symbol, consisting of a line and a dot, is not even intended for that: according to the Dutch dictionary it is only a “punctuation mark that is placed after exclamations, commands, claims and wishing phrases”. Oh wait, maybe wishing phrases is applicable here. They obviously mean phrases like “Congratulations!”, but if you read “wishes” in a different sense, it could also mean “I wish you would pay proper attention to this!”

Is it really possible, an exclamation mark as a security measure? Oh well, it will probably help. But it is, of course, an illusion that such a character in itself could promote the security of a system. If a measure is important – whether it has to do with security or something else – then you need to make sure that the measure is implemented and working. You monitor its proper functioning, so that an alarm goes off somewhere if something is wrong. That signal is then automated or human-assessed and action is taken if necessary.

If all sentences in a text contain exclamation marks, their attention value is quickly lost! Just like that colleague, who sends all e-mails marked 'urgent'! In addition, it causes irritation! Okay, you get my point: too many alarms are not good because a person needs focus, which certain symbols can help with, unless there are too many. No way everything is super important. For the same reason, we work with a shopping list in a risk analysis. At the end of such an analysis, you will of course receive an overview of all risks with the associated severity (in five steps from 'very low' to 'very high'), but we also provide a separate list with only the high and very high risks. Because that's what your focus should be on.

The exclamation mark is also a popular object in passwords. We are often forced to use 'special characters' in addition to upper and lower case letters and numbers. Raise your hand if your password for such an account ends with an exclamation mark. Ah, I see a lot of hands. In 2017, the Washington Post headlined an article: “You added '!' or '1' to your password, thinking this made it strong. Science says no.” Despite the article being five years old, the tips are still current. An important characteristic of a good password is that it is not obvious. An exclamation mark at the end is predictable. Psst… in a password you can also have your exclamation mark in the middle! But of course you have your passwords generated by a password manager, which knows those kinds of things.

Meanwhile, I inadvertently sit here listening to Christmas music. Sky Radio has given its April Fool’s joke a special twist. Yesterday they announced that they would be treating us to a sort of catch-up white Christmas because of the snowfall (it’s unusual to have snow in this time of the year in the Netherlands, let alone the quantities we’ve seen yesterday and today). And then you think: haha, nice, I'm not falling for that. But now I'm seriously listening to Last Christmas by Wham! And that exclamation mark goes with the name of the band.

This blog post has been translated from Dutch to English by Google and edited by the author.


And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

… you can hardly blame the system in question for not carrying out monitoring. [IN DUTCH]

https://www.destentor.nl/binnenland/bedrijf-achter-berichtservice-voor-criminelen-stapt-naar-rechter-nadat-minister-lek-systeem-stillegt~a67fe027/

… European institutions are not well prepared for major cyber attacks. [IN DUTCH]

https://www.nu.nl/tech/6192098/europese-bedrijven-zijn-onvoldoende-voor Prepare-op-grote-cyber Attacks.html

... hacked e-mail accounts from law enforcement agencies are used to request personal data from tech companies in the US.

https://krebsonsecurity.com/2022/03/hackers-gaining-power-of-subpoena-via-fake-emergency-data-requests/

… a Ukrainian IT worker fights against the Russians with his keyboard and mouse.

https://edition.cnn.com/2022/03/30/politics/ukraine-hack-russian-ransomware-gang/index.html

… Google says that Microsoft's dominance in US government is a security threat.

https://www.nbcnews.com/tech/security/attacking-rival-google-says-microsofts-hold-government-security-proble-rcna22159

... Log4j still echoes in VMWare Horizon servers.

https://www.darkreading.com/vulnerabilities-threats/log4j-attacks-continue-unabated-against-vmware-horizon-servers

… criminals looted hundreds of millions from an online game. [IN DUTCH]

https://www.destentor.nl/tech/hackers-stelen-hundreds-millions-aan-crypto-bij-populaire-game~ad16bfdc/

… it is unwise to include passwords in a spreadsheet. [IN DUTCH]

https://tweakers.net/nieuws/194946/lapsus-hackers-komen-poten-bij-okta-binnen-via-spreadsheet-with-passwords.html

... 65 email fraudsters worldwide have been arrested in an international police operation.

https://www.fbi.gov/news/stories/coordinated-operation-disrupts-global-bec-schemes-033022

… fake emails from Europol and the Royal Netherlands Marechaussee (military police) accuse people of possessing child pornography. [IN DUTCH]

https://www.fraudehelpdesk.nl/alert/e-mail-europol-en-kmar-over-kinderporno/

… soon free services will also have to comply with consumer law. [IN DUTCH]

https://www.security.nl/posting/748301/Consumentenrecht+geldt+vanaf+28+mei+ook+voor+'gratis'+digitale+diensten

… your Mercedes will share information about the road with the government. [IN DUTCH]

https://www.security.nl/posting/748204/Mercedes+gaat+informatie+van+thousands+auto%27s+met+overheid+delen+-+update
