Wet laptop

 

Picture from author's collection

Last night my daughter (14) came to me: "Dad, my screen is not working." She has a separate screen in her room for her laptop. According to the old adage check cables first I checked that both ends of the cable were in place. I then grabbed another HDMI cable to find out if her cable might be the culprit. No result.

She came home just before the end of the world yesterday (it's been quite stormy here), so I asked if her things had gotten wet. Well, not really, only the cap had come off her water bottle in the bag. But luckily that water bottle was empty. She thought.

I opened the laptop and immediately saw that something was wrong: it was damp in several places. First I took out the battery and patted the damp spots dry with tissues, and I gave the HDMI port the same treatment. The speakers also had to be dried, because no sound came out of the laptop, as my daughter reported reluctantly. I loosened quite a few screws in order to reach several spots. That I dare to do so, I owe largely to a colleague, with whom I once went to a computer fair a long time ago, where we bought individual parts and then put together a PC ourselves.

It’s been said one should put a telephone that has fallen into the toilet or into the sea in a bag of rice, because the rice absorbs the moisture. I hesitated for a moment whether I would give the laptop such a treatment, but decided against it because I was afraid that the rice grains would get stuck in various places and that didn't seem like a good addition to the hardware. Instead, I grabbed the hair dryer and worked the guts of the laptop on a low setting—for both heat and blowing power.

“Never use a hair dryer”, I just read in two different articles, which looked up because I really wanted to know more about that rice advice (no one is talking about that, by the way). Ouch, that hair dryer wasn't such a good idea, because the heat can damage the sensitive parts and the wind can blow the moisture in the direction of extra moisture-sensitive parts. Fortunately, the hair dryer was on low; I'm pretty sure the laptop itself produces more heat than it endured from my action. And the laptop wasn’t like soaking wet, so I don’t think that a lot of moisture could have been moved. But I didn't unscrew enough components to see everything.

In the event of a disaster, you have to act quickly, but if you have to think about what exactly to do at that very moment, you may end up doing things you shouldn't have done. A wet laptop must be switched off completely as soon as possible, all plugs must be removed and then you dry it as well as possible inside and out. So far I've done the right things. At that point I should have done what I only did this morning: get information about the next steps. And of course it would have been even better if all this had been ready knowledge.

I pointed out to my daughter that she should have come to me as soon as she noticed that the laptop was damp – because she certainly had. She looked taken aback when I told her that her laptop would be left open to dry for at least a day. “But then I can't do anything for school!” she exclaimed indignantly. Yes that's right. And this event also reminds us that she should not store her files on the laptop, but on the NAS (hard drive in our home network). I told her this long ago, but after that I never checked whether she actually acts upon my directive, and whether she understands how to do it at all.

Moral of the story: as soon as you know or suspect that something is wrong, you must report it to a competent authority. My daughter should have brought the damp laptop to me right away. And if you come across something in your work that could harm security, report this to the service desk and/or the security officer. And of course informing your manager is always a good thing – they are supposed to be able to tell you what to do (see previous sentence). Don't try anything yourself, except of course pull the plug from a smoking device and things like that.

The laptop is now sunbathing on the windowsill. Hopefully it will recover.

There will be no new Security (b)logs for the next two weeks.

 

And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

 

• you preferably don’t save your passwords in the browser; use a password manager instead. [DUTCH]
• working from home leads to more data breaches and security incidents. [DUTCH]
• Bluetooth was never intended to unlock cars; now it can be used to steal cars.
• you should watch out for (among other things) digital scams when booking your holiday. [DUTCH]
• the Apeldoorn City Pass leaked login data of citizens. [DUTCH]
• a man faces court for trading in the personal data of a quarter of a billion people. [DUTCH]
• privacy and law enforcement sometimes clash. [DUTCH]
• you can try to hack a song festival, of course. [DUTCH]
• more Linux malware has been observed. [DUTCH]
• a Swiss bank account is no longer a safe haven for cyber criminals. [DUTCH]
• the NCSCs of various countries jointly give tips to organizations about frequently made security errors.
• the Tax and Customs Administration should take a closer look at the GDPR. [DUTCH]

 

Resilience

 

Image from Pixabay

Barely recovered from World Password Day, the calendar shows us a campaign from an adjacent field: from 16 May we celebrate Business Continuity Awareness Week. And because business continuity management (BCM) is about as important as information security, this event also deserves attention in the Security (b)log.

BCM is the field that – as the name suggests – is concerned with the continuity of business operations, under what they call ‘unfavorable circumstances'. The word disaster plays an important role in this. The BCM people want to prevent these, and if one does occur, they want to control it as best as possible. Disaster is defined as an unexpected event with such negative consequences that regular problem-solving activities are insufficient to restore the normal situation. In addition to the continuity of the business process, they also have an eye for the safety of employees and visitors and for the reputation of the organization.

The motto of the upcoming special week is 'building resilience in the hybrid world'. Now I'm always a bit wary of mottos of conferences and other activities, because they’re often a bit pompous, while in the end it's about filling the program with contributions that are as appealing as possible and which are preferably presented in a nice way. Anyway, let's peel this motto off.

That hybrid world from the motto, that is of course the world we live in since the coronavirus conquered the world. Before the world became hybrid for us office workers, it was almost pure: we worked in the office, people with young children might have a fixed working day at home, a single daredevil didn’t show up at the office on two working days. During the pandemic, this turned into a situation that was even purer than the old one, but completely at the other end of the scale: from one day to the next we were all working entirely from home. In those two years I went to the office five times to do things that could only be done there. And then you still needed permission from your department head.

When the light came into view at the end of the covid tunnel, we started doing the opposite of what we used to do: we went to the office once in a while. And we prepared for that new hybrid world, because one thing was certain: we would never go to the office full-time again. And that impacts the way in which we have to look at continuity management. That is a statement, not necessarily a fact.

There is a data center just outside my residential area. I pass there every now and then and every time there is at most one car inside the gate. And that's basically how it should be: a technician only comes by when something is wrong, or for routine maintenance. In contrast, the complexes that house our own data centers also have an office function. A few thousand employees walked around every day, pre-corona. In our hybrid world, that has changed drastically. On any given day of the week, more colleagues work from home than at the office. What does that mean in the event of a disaster?

On the one hand, this is a disadvantage, because you are much less likely to have the necessary people present to cope with the event, simply because they are not in the office at the time. But yes, “together” is something very different today than it used to be. We meet virtually just as easily, although many will agree that in certain situations you can work together more smoothly if you are together in real life. In the event of a disaster, you may consider this flexibility as a luxury.

On the other hand, working from home is an advantage, for exactly the same reason: many people are not in the office. If it is a physical disaster, such as a fire, you do not have to worry about colleagues who are not there. An evacuation will be completed more quickly and the number of potential victims will be smaller. Furthermore, if part of the office workplaces are no longer available due to the disaster, you do not have to search for an alternative location: the affected employees have to 'just' work from home continuously for a while. Nowadays you no longer have to perform technical feats for this, because the necessary infrastructure is already there.

However, the reasoning in the two preceding paragraphs only applies if the disaster has not affected the infrastructure required for working from home. We must develop the necessary resilience there, insofar as this has not already happened. The rest of BCM is business as usual for which hardly anything changes in the hybrid world.

By the way, today is Friday the 13th. A perfect day to talk about disaster.

 

And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

• Apple, Google and Microsoft are joining forces to enable secure, passwordless logins.
• you can’t disguise your advertisement as a service message.  [IN DUTCH]
• data about you and your house may be on the street.  [IN DUTCH]
• cabinet members  are setting a bad example with the use of private mail and chat apps.  [IN DUTCH]
• the European Commission wants to use mass surveillance in the fight against child pornography.
• IT services and products in Germany can receive a security label from the government.  [IN DUTCH]
• managed service providers are often the target of cyber threats.
• Many websites leak your email address and password, often before you click send.
• Colonial Pipeline may be fined for a ransomeware attack on the company.

 

Bye password

 

Image from Pixabay

Tuna Day, Star Wars Day, Nude Gardening Day – just a few of the countless 'days-of' you could be celebrating these days. Some days may appeal to you more than others, but the day I want to talk to you about is World Password Day. That day was created in 2013 by tech company Intel “to raise awareness about the role strong passwords play in securing all of our digital lives”

So the password has its own celebration, but it is also maligned. You have too many of them, they have to meet all kinds of complicated requirements, you forget them, they want to be refreshed regularly and they are far too important for the security of all those accounts. Isn't it time for the password to give up that important role that Intel assigned it almost a decade ago? In favor of something easier and safer?

Look around you. It's already there. How do you unlock your phone? You can do it very easily with your fingerprint or with your face. Your fingerprint is more secure than a PIN, because no one can copy it. And yes, I am aware of those James Bond scenarios where fingerprints are taken from a beer glass with tape and then imitated in latex, but mere mortals really don't have to worry about that. Officials, for whom these kinds of high-tech attacks can pose a threat, are aware of this all too well – I hope. Consumer-grade facial recognition, as used in mobile phones, is often still too easy to get around with a photo, so I don't recommend using it for business/important applications.

Microsoft has been promoting 'passwordless authentication' for some time: the system can determine that it is really you without the need for a password. For a year now, business users have been able to log into Outlook and OneDrive without a password. Instead, they use the Authenticator app, Windows Hello, a physical security key or a verification code that you receive on your phone or by email.

An authenticator app (not only from Microsoft, but also from Google and RSA, for example) generates a numerical code for every account that you protect with it, which is usually valid for one minute. You must enter this code when logging in. Currently, we mostly use this mechanism in the context of multi-factor authentication (password + something extra), but Microsoft wants us to get rid of the password entirely with this.

Windows Hello, for example, works with an infrared camera that, among other things, looks at the thermal image of your face, the distance between your eyes and the depth of your eye sockets and the position of your mouth and nose. Without taking pictures. You can also use a PIN instead of this. Huh? Isn't a PIN more insecure than a password, because you only use ten different characters? For starters, the Hello PIN does not have to consist of only numbers, but more importantly: the PIN is linked to a specific device, for example your laptop. Moreover, the PIN is not something like a surrogate password, but a code to unlock your own secret key. Using that key, a cryptographically secured login request is sent to a server. Your PIN itself will not be sent. And there is no server where your PIN is stored. This is different with passwords: at an online store they know your password because they have to be able to check it. That's why the world is always in turmoil when a large company's password file is stolen.

Windows Hello is just one example of a passwordless future, chosen here because I think there's a good chance this will be - or already is - your first experience with it on a computer. In order to be comfortable using such technology, it is important that you have some understanding of how it works. A few years ago, when I unpacked my new computer and Windows 10 wanted me to make up a PIN instead of a password, I too thought that was weird. But with some explanation, the puzzle pieces fall into place.

Many properties of passwords have become obsolete, such as complexity requirements and the requirement to change them regularly. We can modernize those features, but we can also take a big step right away and do away with passwords altogether. Intel, which came up with this theme day, is also participating in the FIDO Alliance, a worldwide group in which technology companies work together on a strong way to authenticate users without passwords, because they believe in its security. We are moving towards easier, safer times. But in the meantime: use a password manager, which makes up and stores passwords for you, and which logs in automatically for you. That is always safer than messing around yourself. Because that's just what we humans usually do when it comes to passwords.

 

And in the big bad world…

… a lot has undoubtedly been going on again, but this week I didn't have time to select that information and present it here.