2022-09-30

Fishy coffee


Image from Pixabay

“You're the one who writes those blogs about security, aren't you?” asked a colleague who came to our lunch table. “I need advice from a security officer.” “You're lucky,” I replied with a wide arm gesture, “there's a whole table full of security officers here!”

Earlier that day I had already received an email from someone else about the same matter. Both colleagues had received an email: there was a survey about the coffee in the office. Please complete before the end of the week, fifty coffee packages will be raffled among the first five hundred participants. Click on this link! If you did, you were taken to a page where you were prompted to enter your username and password. Then you proceeded to the survey. Only then did they realize that there was something suspicious going on.

Since I'm writing about it here, you probably already understood halfway through the previous paragraph that this was a typical case of phishing. The special thing about this phish, however, was that we all had it in our mailbox: it was a test, commissioned by the ministry.

Many organizations send phishing tests to their employees, on the one hand to test how alert people are, and on the other hand to make them aware of the dangers lurking ahead of us. It is better for them to fail a test than to fall for a real phishing email, is the underlying idea. Hopefully they don't fall for it the next time, in the event of a real attack.

A few facts about this test. The e-mail was sent to about 30,000 employees, spread over two days. Of these, quite a lot clicked on the link and a significant number of them also entered their password. That's a lot of people, and if a real attacker had been after login details, he would have harvested quite a few passwords. But if this had been a real attack, no one would have clicked at all – the attack would have been contained by our technical measures. For example, because so many incoming e-mails from one address are suspicious. Or because the link you had to click pointed to an untrusted domain. For this test, gates were deliberately opened that are normally closed.
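The two technical measures mentioned above (a burst of mail from one sender address, and a link pointing at a domain the organization does not trust) are the kind of checks a mail gateway applies before a message ever reaches a mailbox. The following Python is an added illustration of how such checks can be expressed; it is not code from the original post, and the allowlist, sender address, recipient addresses and threshold are all constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Hypothetical allowlist of domains that links in internal mail may point to.
TRUSTED_LINK_DOMAINS = {"intranet.example.org", "survey.example.org"}
# Illustrative threshold: at least this many messages from one sender in the
# inspected window is treated as a bulk send that deserves a second look.
VOLUME_THRESHOLD = 50

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


@dataclass
class Message:
    sender: str
    recipient: str
    body: str


def link_domains(body: str) -> List[str]:
    """Return the distinct hostnames of all http(s) links found in a body."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return sorted(hosts)


def is_trusted(host: str, trusted=TRUSTED_LINK_DOMAINS) -> bool:
    """A host is trusted if it is an allowlisted domain or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def untrusted_links(msg: Message, trusted=TRUSTED_LINK_DOMAINS) -> List[str]:
    """Hostnames linked from the message that are not on the allowlist."""
    return [h for h in link_domains(msg.body) if not is_trusted(h, trusted)]


def high_volume_senders(messages: List[Message],
                        threshold: int = VOLUME_THRESHOLD) -> Dict[str, int]:
    """Senders whose message count in this batch reaches the threshold."""
    counts = Counter(m.sender for m in messages)
    return {s: n for s, n in counts.items() if n >= threshold}


def triage(messages: List[Message], trusted=TRUSTED_LINK_DOMAINS,
           threshold: int = VOLUME_THRESHOLD) -> List[Tuple[str, List[str]]]:
    """Return (recipient, reasons) for every message that trips a check."""
    bursty = high_volume_senders(messages, threshold)
    findings = []
    for m in messages:
        reasons = []
        if m.sender in bursty:
            reasons.append(f"bulk sender: {bursty[m.sender]} messages from {m.sender}")
        bad = untrusted_links(m, trusted)
        if bad:
            reasons.append("link to untrusted domain: " + ", ".join(bad))
        if reasons:
            findings.append((m.recipient, reasons))
    return findings


# Constructed sample traffic: a bulk "coffee survey" lure to 60 recipients,
# plus one benign internal message that links to an allowlisted domain.
LURE_BODY = ("Complete the coffee survey before Friday and win: "
             "http://coffee-survey.example.net/login")
SAMPLE: List[Message] = [
    Message("coffee-survey@mail.example.net", f"employee{i}@example.org", LURE_BODY)
    for i in range(60)
] + [
    Message("comms@example.org", "employee7@example.org",
            "This week's news: https://intranet.example.org/news")
]

if __name__ == "__main__":
    for recipient, reasons in triage(SAMPLE)[:3]:
        print(recipient, "->", "; ".join(reasons))
    print(f"{len(triage(SAMPLE))} of {len(SAMPLE)} messages flagged")
```

In the sample batch every copy of the lure trips both checks, while the internal news mail trips neither; a real gateway would apply the volume check over a time window rather than a single batch, and would combine these signals with many others, but the principle is what the post describes: the gates stay closed unless someone deliberately opens them for a test.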

What could a criminal have done with such a fat catch? Well, basically nothing at all! Our security has several layers and this example illustrates nicely why this is necessary. That is not a reason to loosen any layer. Vigilance remains important.

A test like this one is still quite complicated. For example, I heard that it took some persuasion not to have the entered passwords saved in a file. Some saw this as a great opportunity to investigate how many employees use weak passwords. They didn’t realize at first that storing all those passwords could pose a threat to our security. Furthermore, the privacy of employees has to be honoured; the hired agency will only report at department level, and those departments are anonymized.

At the end of the second day of action, it was revealed via the intranet that this was a test. At the moment there are 69 comments under that article and to my surprise there is not one angry reaction. In fact, people are enthusiastic – terms like fun, eye-opener and top-action have been used. People who failed the test come forward, and I think it's great that they feel that they can do that in our organization. There was also someone who regretted that his manager had warned the team, because now he doesn't know if he would have fallen for it. But as far as I'm concerned, tribute to this manager, who has understood that security goes further than his own laptop.

October has been Europe's cybersecurity month for ten years now. In that month we ask for extra attention for this important topic. We do this with all kinds of internal activities, but all kinds of initiatives are also taking place outside of our organization. This month, the Security (b)logs are aligned with the internal program.


And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.


2022-09-23

The law is the law


Image from Pixabay

“Carprof and AA team use the General Data Protection Regulation (GDPR),” the garage's letter read. I burst out laughing when I read this. "Use".

They probably didn't mean it that way, but they phrased it somewhat clumsily. Like all legislation, privacy legislation is not a candy store where you only put the sweets you like best in the bag. Nor can you ignore the GDPR, or exchange it for, for example, the privacy law of Guatemala (a purely arbitrary example).

The special thing about the GDPR is that it is not a national law – as its predecessor, the Dutch Personal Data Protection Act (Wbp) was – but a European one (apologies if the designation 'law' is wrong in legal speech, but what I mean to say is that there are rules that you have to comply with and if you don’t you can be punished).

Earlier, I wrote about a Greek car rental company that understood that I wanted my data removed after the rental period and had a form for that. And this year I noticed that even in Italian hotels they were not surprised that I did not hand in our passports, but only copies of them. In Italy you have to be registered and they never do that at the hotel reception at the very moment you’re checking in, so they want to keep your passport for a while.

This year, they settled for a copy. I had brought a whole stack of copies with me just to be sure, but I got everything back in good order and so a single set would have been enough. On those copies I had made our social security numbers illegible and written the text 'Copy' over the photos. I noticed that the SSN is no longer on the front of the photo page in the brand new passports of the children. That is a good adjustment, which is completely in line with the GDPR principle of data minimization: do not include more data than is necessary for the intended purpose.

What was the garage company trying to tell me with that somewhat unfortunate phrase? That they have data about me and that they handle it properly – in accordance with the law. And that they don't do crazy things with it, such as selling it on to an advertising company. The fact that they occasionally send me a brochure is inherent in the business relationship I have with them (I think).

In terms of advertising, there is something strange going on. I bought my car from the local Mitsubishi dealer five years ago. That company has not been an official Mitsubishi dealer anymore for a few years; they now work under the Carprof label. The new official Mitsubishi dealer is located a few hundred meters down the road. And they also send me mail, in which they state the type, registration number and year of manufacture of my car, and an offer for that car if I buy a new one from them. I've never set foot inside their business. Apparently a car brand can request my data purely because I have a car of that brand.

Car companies seem to cherish that data and (so?) they don’t clean up. For many years I received mail from Peugeot, my previous car brand. Until I asked them to stop. That too is an achievement of the GDPR: if you ask for it, a company must delete your data. And no, that does not apply if you have ongoing obligations to that company.

A company cannot choose to use the GDPR; they simply have to comply with it. As a private individual, however, you actually can make use of the GDPR. By knowing your rights and applying them. For example, by requiring access to what data a company has about you, having incorrect data corrected and data removed. The latter is also referred to almost poetically as 'the right to be forgotten'. But if you like all that attention, you can leave it that way. No one is forcing you to use the GDPR.


And in the big bad world…



2022-09-16

Security officers


Image from Pixabay

My list of topics for this blog includes the sentence: “Business security officers do exist”. Behind this sentence is the observation that many colleagues do not know this. So it is high time to explain what types of information security officers we have and what their role is.

Let me start with myself and my peers in the IT department. Not because we are so terribly important, but because that's the best way to explain it. You can put many labels on me: my official position goes by the meaningless name of staff advisor, I usually call myself an information security advisor and the title information security officer also suits me. But what do we actually do? We are accountable for the information security of everything that the IT department delivers (applications and technical infrastructure, such as networks, servers and workstations). So we’re accountable, but the responsibility for each individual product lies in the line organization – team, department, unit, in other words: team manager, department head, director. As information security officers, we help the organization in fulfilling their responsibility; we assist them with advice, we help with risk analyses and in determining whether they comply with legislation and regulations and we respond to reports of the type: “Maybe you should look into this”.

Based on our accountability, we also have an opinion about anything and everything. If we notice that something is not as it should be, we dive into it. Our opinion doesn't come without obligations. So we act in a corrective role, but also in a regulatory one. We write and implement security standards for the IT department that give substance to the applicable policy. We try to deliver actionable standards; for this we seek coordination with the people who will eventually have to act upon the standards.

Let’s now talk about the business security officers, the BSOs, because they are the real topic of this post. They are part of the various organizational units and see to it that the security policy is also implemented and complied with there. The BSOs deal with integral security, so in addition to information security, they also deal with physical security. An employee from such an organizational unit, who needs to bring an issue to the attention of 'security', can knock on the door of his own BSO. However, many people don't even know that these BSOs exist. They search the intranet or in the internal telephone directory for someone to contact and they often end up on our doorstep. Sometimes, they come directly to me personally, because as a blogger, I’m a bit more visible. That's okay – I'd rather have a report that doesn't land in the right place immediately, than no report. But it would of course be a good thing if the BSOs would also get some more name recognition. [In the internal version of this blog a link to a list of BSOs is included.]

And finally, there's the CSO and the CISO, respectively chief security officer and chief information security officer. The first is about integral security, the second specifically about information security. They create the security policy for the entire organization (based on 'higher' policies) and support the organization in implementing and complying with policies, frameworks and guidelines. This is only the short version of the job descriptions, by the way.

The message of this story: if you need to tell something which is security-related, first look for a contact close to home and turn to your own BSO. If you still can't figure it out, my colleagues and I are of course happy to push you in the right direction. And it goes without saying – if a BSO needs advice from the IT department, they are most welcome.


And in the big bad world…


2022-09-09

Blue helmets and high turnstiles


Image from Pixabay

It was sunny, hot and Tuesday two o'clock. An elongated building vomited hundreds of men in blue helmets. Location: the port of the Italian city of Ancona. And the blue-helmeted men were dock workers, who had finished their shift. They hurried home on foot, on scooters, in vans and in cars – ignoring this tourist family, heading for Emperor Trajan's triumphal arch.

A few weeks later it was sunny, warm and Tuesday again. At last there was a business meeting elsewhere. It was wonderful to be somewhere else after such a long time, although I had to spend a two-hour journey by public transport for that. But luckily one can work reasonably well on the train. For example, you could write a blog there.

My host's office was surrounded by a sturdy fence. No wonder, because it was the type of organization where everyone understands that unauthorized persons should be kept out. I had been there before, so I knew that, as a pedestrian, I would be admitted to the site via a turnstile after reporting to the doorman. This time something strange happened: the large gate next to the pedestrian entrance remained open after a car had left the site. So I could have simply walked on. But you see, well brought up and all, I stood by that turnstile anyway. The doorman told me to proceed. However, the turnstile didn't turn. Tried it a few times, really. Finally slipped through that inviting large gate. As far as I can tell, it hasn't had any ill effects on me so far.

Inside, at the reception I quickly received a badge, after all I was registered. I joined others belonging to the same meeting; we were not allowed to go through the gates on our own with our badges, we had to be picked up by our host. Someone in our party noticed that something remarkable happened when an employee presented his badge at the revolving door. His name appeared on a display: “Good afternoon, Martin Apple!” We talked for a while about whether that was a good idea. The owner of the pass usually knows his own name, but someone waiting in that room could read the name also. Then that person knows: Mr A has a badge for organization B.

So what, you might say. But let me take you into an exciting scenario, where someone (for example, a crook or a spy) really wants to get in somewhere. One doesn't just enter such a bastion, he knows. It also doesn't help him much to simply steal a badge, because employees must, in addition to their badge, also present their fingerprint at the revolving door. And you can't steal that – oh wait, not so fast. You can actually steal fingerprints. But there is something to it. Most of us really don't have to worry about someone collecting our fingerprints, making a print of them, and then using them to unlock our phone. No, if you have to take this kind of attack into account, you really are in the domain of organized crime and state actors (spies!) – two worlds that, in terms of capabilities, are getting closer and closer.

A lesser crook can try to collect all kinds of puzzle pieces. If he knows that a Martin Apple* works there, he can try to find out more about this person. It's not that hard – most of us are an open book on the internet and social media. That information can come in handy if you want to extort or threaten someone. When the criminal completes the puzzle, he can strike. For example, by inducing this Martin to grant them access to the building or to provide them with information. I am anything but cramped about my identity, but if my name appears on a screen unnecessarily, I am not amused. People who, given their position, more likely 'qualify' for 'special treatment', must adapt their behavior and their digital presence accordingly, in order to protect themselves and their environment. And that is certainly not easy.

Those dock workers also had to walk through turnstiles. In the building from which they emerged, many of those stood side by side. The port authority likes to know who is present at the port site at all times, of course. Comes in handy in case of calamities and other irregularities. Thus, every employer has his own considerations about whether or not to implement certain security measures.

*) The name Martin Apple originated from my imagination.


And in the big bad world…


2022-09-02

This is your butt calling


Image from Unsplash

Colds, traffic jams and pocket dialing are those age-old annoyances (as in: they already existed in the last century) for which science cannot find good solutions. I come to this because our son, who is currently undergoing the orientation week at the University of Amsterdam and 'therefore' does not go to bed early, accidentally called us up at 2:48 the previous night. A typical butt call.

All we heard was a loud buzz out of the Amsterdam nightlife, and the next morning we also received the images via Snapchat. Just to be sure, we called his name into the phone a few times, and of course there wasn’t any response. Oh well, I'd rather be called out of bed like this than for a real emergency. The damage was now limited to some heart palpitations on our side of the connection and lying awake for a while because I was already sketching the contours of this blog in my mind.

Butt calls are made when a phone is inadvertently activated by pressure or movement inside a pocket. Sometimes a combination of chance inputs leads to a telephone connection. Another time it just leads to a screen that turns on and consumes power unnecessarily. My son can relate to that: his usage stats imply an enormous amount of screen time. So it doesn't surprise me that we received such a call from his pocket.

Well in this case we only heard nightlife noises, but what if your phone accidentally rings someone while you are in a confidential meeting, or have a private conversation that is no one else's business? If that takes place in an otherwise quiet room, such a conversation can be overheard on the other side. Which can lead to embarrassing situations, and perhaps even leakage of confidential information (business or private). I know of meetings where the telephones must be switched off completely.

What else can you do about ringing pants pockets? Flip phones are immune to it. For Android, there are apps available that ask for additional confirmation before actually calling. I don't think it's really handy, because if you really want to make a phone call, you always have to perform an extra action and, moreover, your pocket can also do that last action. You will not find such apps in the app charts. Fortunately, there is a very easy way to avoid butt calls: lock your phone before putting it in your pocket. You know, just briefly press the power button and the screen goes blank. Your phone is already secured with a pin code, fingerprint, facial scan or, if necessary, a swipe pattern (right?). Most trouser pockets will fail to unlock the phone.

Pockets seem to like to call 112 (or whatever your national emergency number is) and keep the emergency center unnecessarily busy. Taken to the extreme, this could mean that another call, where every second counts, comes in too late. Pocket dialing can cost lives.

There are more ways in which you can leak information completely unintentionally. For example, because someone looks over your shoulder at your screen, also known as shoulder surfing. If you want to work on your laptop on the train but don't want someone to watch, then you should either sit in a corner or place a privacy screen in front of your screen. Such a screen is a polarizing filter, which allows the light to pass in only one direction, so that you only see what's on the screen when you sit directly in front of it.

A well-known analogy of data leakage is losing or accidentally showing paper documents (we had a much talked-of incident involving a Dutch minister). Notes with passwords lying around also fall into this category. Talking about it is such a natural way to leak information that I'd almost forget to mention it.

My son comes home tomorrow and then I can tease him about not being able to control his phone.


And in the big bad world…



Gyro Gearloose

Image from Pixabay

Gyro Gearloose is a crane after my own heart. He can invent a genius device to order, or he has something lying around ...