2022-11-24

Passwords - yes, again


Image from Pixabay

It's National Check Your Passwords Day today (in the Netherlands). This is an initiative of tech website Tweakers and the Public Prosecution Service, and the intranet editors asked me to dedicate an extra blog to this day. I am always open to special requests, which I then give substance to in my own way.

First, let’s take a look at the initiative's website. It states the following: As an internet user you are confronted with many websites that require you to create a user account and choose a password. Many people find it difficult to come up with and remember all those different passwords. Unfortunately, this means that many Dutch people do not handle their passwords securely, for example by choosing passwords that are easy to guess, or by reusing passwords. Through National Check Your Passwords Day, we want to make people aware of this and explain that coming up with and remembering good passwords does not have to be difficult.

The password tips page, to my surprise, contains only four tips. Let's take a look at them. Number 1: use a password of at least eight characters. Well, eight characters is an echo from the past, I’m afraid. Today, twelve is considered a safe minimum. Maybe they are afraid that passwords that long would be too difficult to remember? There’s an app for that; see below.

Tip #2: never use a single word as your password. Agreed, because a single word is in the dictionary, and hackers are very good at automatically checking a captured password file against such dictionaries. So a password like bungalow doesn’t stand a chance. By the way, bung@l0w is just as bad, because substitutions like that are part of the standard mangling rules a cracking tool applies to every dictionary word.

The third tip is: use at least one word and a number combination that only you know. So something like bungalow2022? This at least makes the password longer, and length really is the most important factor. Unfortunately, the recommended number combination tends to be a year, a birthday or the PIN of your bank card, which does not really make the password stronger (appending a year is another standard cracking rule) and may even introduce a risk (yes, I mean that PIN).
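To make tips 2 and 3 concrete, here is an added example (my own illustration, not code from the blog or from the Check Your Passwords Day site) of what a cracker's rule-based dictionary attack looks like: a constructed three-word wordlist is expanded with case changes, leetspeak substitutions and appended years or two-digit numbers, and every guess is checked against a constructed file of unsalted SHA-256 hashes. The wordlist, the hashes and the rule set are all constructed for this example; real tools such as hashcat and John the Ripper ship with thousands of such rules and run them against lists of millions of leaked passwords.

```python
import hashlib
import itertools
import math

# Constructed miniature wordlist. A real run would use a leaked list such as
# rockyou.txt; the mechanics below are the same.
WORDLIST = ["bungalow", "password", "sunshine"]

# A handful of the substitutions found in every common leetspeak rule set.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}


def leet_variants(word):
    """Yield the word with every combination of LEET substitutions applied,
    so 'bungalow' yields bungalow, bungal0w, bung@low and bung@l0w."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for swap, i in zip(mask, positions):
            if swap:
                chars[i] = LEET[chars[i]]
        yield "".join(chars)


def candidates(wordlist, years=range(1950, 2031)):
    """Expand a wordlist with mangling rules like those hashcat and John ship
    with: case changes, leetspeak, a trailing '!', an appended year or a
    two-digit number. Every yielded string is one guess."""
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            for variant in leet_variants(base):
                yield variant
                yield variant + "!"
                for digits in itertools.chain(map(str, years),
                                              (f"{n:02d}" for n in range(100))):
                    yield variant + digits


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hashes, wordlist):
    """Offline attack on a captured file of unsalted SHA-256 hashes (a stand-in
    for whatever the breached site used). Returns ({hash: password}, guesses)."""
    remaining = set(target_hashes)
    found = {}
    guesses = 0
    for guess in candidates(wordlist):
        if not remaining:
            break
        guesses += 1
        digest = sha256_hex(guess)
        if digest in remaining:
            found[digest] = guess
            remaining.discard(digest)
    return found, guesses


def keyspace_bits(length, alphabet_size):
    """Work an attacker faces against a *random* password of this length drawn
    from an alphabet of this size, in bits: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed 'captured' hashes of the blog's three example passwords.
    captured = [sha256_hex(p) for p in ("bungalow", "bung@l0w", "bungalow2022")]
    found, guesses = crack(captured, WORDLIST)
    for digest, password in found.items():
        print(f"{digest[:12]}... -> {password}")
    print(f"all three recovered after {guesses} guesses")
    # A random 12-character password from a password manager (94 printable
    # ASCII characters) sits behind about 2^78 guesses instead.
    print(f"random 12-char password: {keyspace_bits(12, 94):.1f} bits")
```

Run it and all three hashes fall within a few hundred guesses, bung@l0w included, while a random twelve-character password from a password manager would need on the order of 2^78 guesses. That is why length and randomness beat cleverness, and why the same trick (word plus year) fails regardless of which word you pick.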

But luckily they state in tip #4: don't use dates of birth, addresses or anything else that is easy to guess. I totally agree with that. This tip is mainly intended to avert targeted attacks. If an attacker has his eye on you specifically, rather than on just anyone, he will use everything he can find about you. All personal information, however far-fetched, is therefore off-limits as (part of) a password.

After the numbered tips, the website offers a few extra ones. Like: don't write your password on a post-it note. And about security questions (there are still sites that require you to provide the name of your first pet, school teacher or sweetheart, or something similar): they tell you not to choose questions that others know the answer to. Let me put that more strongly: lie! What is your place of birth? Banana. What was your first school teacher's name? Government. Of course you have to store those lies somewhere, otherwise they are of no use.

And that brings me to the promised solution for remembering all those secrets: the password manager, an app that remembers your passwords and other secret information for you, while you only have to remember the password of that app (so make that one long and unique). According to research commissioned by Tweakers, only 7% of the Dutch use such an app. That’s a very low percentage. So here's a call to the other 93%: download a password manager now and start using it. See which one suits you best; the website lists only three, but there are many more (pssst: my favorite is Bitwarden). And an extra tip: password managers are also great at coming up with strong passwords.

This is a Security (b)log special. That's why there is no news from the big bad world this week.

2022-11-18

Protecting the universe


Image from Pixabay

It's not a fair fight. A hacker only needs to find one tiny hole to break into a system, while we have to protect the entire universe. If the hacker manages to find a system that is missing the latest security patch and can exploit that vulnerability, he is in. We have so many systems running so much software that there is always a vulnerability somewhere. It's not fair. I have thrown this lamentation at my audience during countless presentations.

Do you know MythBusters, the often spectacular show with Jamie Hyneman and Adam Savage that aired on the Discovery Channel? Last Wednesday I felt like I was in a special episode of it, when Etay Maor gave a keynote at ISACA's Risk Event entitled “Busting cyber security myths”. The very first myth he busted was exactly the claim in the paragraph above. Ouch.

He used the MITRE ATT&CK matrix to make his point (I’m sorry, but the MITRE Corporation thinks you should write “attack” that way). That matrix is fourteen columns wide, and the last column lists the types of impact an attack can have: data manipulation and destruction, data encryption (ransomware) and denial of service, to name a few. All the other columns list things an attacker can do to achieve that impact. It starts in the first column with all kinds of reconnaissance, followed by acquiring the necessary resources, gaining initial access, and then all kinds of steps aimed at owning the intended system. Each column is a kind of drop-down menu of techniques. Not that an attacker will use this matrix to decide how to proceed: the matrix is aimed at analysts, who can use it to understand an attack better.

To make his point, Etay Maor mapped REvil ransomware onto the MITRE ATT&CK matrix. That was actually quite easy, because that ransomware has already been dissected completely on the MITRE website; Maor only had to colour the corresponding boxes in the matrix. This resulted in no fewer than fourteen red squares in seven different columns. Many of those boxes contain sub-items. The last column, Impact, contains another four red boxes. So the makers of REvil had to do a lot more than find just one hole. The complete table of REvil's activities is forty rows long. By the way, REvil is not just ransomware, but ransomware-as-a-service (RaaS): REvil is a service that others can hire. Yes people, the underworld has service providers too.
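As an added illustration of that colouring exercise (my own example, not Maor's slides or MITRE's REvil page), the following Python maps a list of observed technique IDs onto the fourteen tactic columns and emits a minimal ATT&CK Navigator layer that draws them in red. The technique catalogue is a constructed excerpt: the IDs and names are real Enterprise ATT&CK entries, but the set of techniques used in the demo is illustrative and is not MITRE's forty-row REvil table, and the layer contains only the fields I assume the Navigator needs.

```python
import json

# The fourteen Enterprise ATT&CK tactics in matrix column order (v12, late 2022).
TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]

# Constructed excerpt of the technique catalogue: ID -> (name, tactic columns).
# IDs and names are real ATT&CK entries; the real catalogue has hundreds more,
# and a technique may sit in more than one column (see T1547.001).
CATALOGUE = {
    "T1566.001": ("Phishing: Spearphishing Attachment", ["Initial Access"]),
    "T1059.001": ("Command and Scripting Interpreter: PowerShell", ["Execution"]),
    "T1547.001": ("Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder",
                  ["Persistence", "Privilege Escalation"]),
    "T1027": ("Obfuscated Files or Information", ["Defense Evasion"]),
    "T1082": ("System Information Discovery", ["Discovery"]),
    "T1083": ("File and Directory Discovery", ["Discovery"]),
    "T1489": ("Service Stop", ["Impact"]),
    "T1490": ("Inhibit System Recovery", ["Impact"]),
    "T1486": ("Data Encrypted for Impact", ["Impact"]),
}


def colour_matrix(observed):
    """Colour the boxes: return ({tactic: [technique IDs]} in column order,
    keeping only columns with at least one box) plus the IDs not in the catalogue."""
    columns = {tactic: [] for tactic in TACTICS}
    unknown = []
    for tid in observed:
        if tid not in CATALOGUE:
            unknown.append(tid)
            continue
        for tactic in CATALOGUE[tid][1]:
            columns[tactic].append(tid)
    return {t: ids for t, ids in columns.items() if ids}, unknown


def summarise(observed):
    """How many red boxes, spread over how many columns. A technique that sits
    in two columns counts as two boxes, as it does when you colour the matrix."""
    columns, unknown = colour_matrix(observed)
    boxes = sum(len(ids) for ids in columns.values())
    return boxes, len(columns), unknown


def navigator_layer(observed, name):
    """Minimal ATT&CK Navigator layer (assumed field set) with every known
    observed technique coloured red, ready for json.dump and import."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"layer": "4.4"},
        "techniques": [
            {"techniqueID": tid, "color": "#ff0000", "enabled": True}
            for tid in observed if tid in CATALOGUE
        ],
    }


if __name__ == "__main__":
    # Illustrative technique set for a ransomware intrusion; not MITRE's
    # REvil table, which is far longer.
    observed = list(CATALOGUE)
    columns, unknown = colour_matrix(observed)
    for tactic, ids in columns.items():
        print(f"{tactic:22} {', '.join(ids)}")
    boxes, ncols, _ = summarise(observed)
    print(f"{boxes} red boxes in {ncols} of {len(TACTICS)} columns")
    print(json.dumps(navigator_layer(observed, "ransomware demo"), indent=2))
```

The useful habit here is the `unknown` list: when an analyst's notes contain an ID that is not in the catalogue (a typo, or a technique that has since been merged or renamed), the mapping says so instead of silently leaving a box uncoloured.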

Back to the allegedly unfair fight. My starting point was a ratio of one to infinity – one hole compared to the entire universe. Maor's example brings the ratio to forty to infinity. I still think that it is unfairly distributed, although I now look at it in a more nuanced way.

The question is: what do you do about it? How do you protect the universe, or more specifically: the cyber universe? It starts with security by design: building security into the design of your application and your infrastructure from the outset. Because if the design of a new car is completely finished and only then do you find out that it still needs brakes, you’re looking at a difficult and expensive job. Later in the process, during implementation, it is important to maintain that security mindset. This is where craftsmanship comes in. The brake lines must be properly connected, and testing for leaks is always a good idea. And once the product is running, it must be maintained properly (in the car analogy you take that for granted). That includes understanding that hardware and software by definition contain errors, and that some of those errors can harm not only the security of the product itself but also that of other products. You must keep looking for them as long as the product is in use, and any defects found must be remedied in a timely manner, before someone else finds them and uses them unfairly.

On Thursday 24 November, a special will be published on the occasion of Check-your-passwords-day. That week’s regular Security (b)log is cancelled.


And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.


2022-11-11

Solution seeks problem


Image: Reviver

In California, Arizona and Michigan everyone can now equip their car with an electronic license plate. When I read this, my first thought was: what could possibly go wrong?

First let's take a look at the (alleged) advantages of such a screen on your car. It's hip, and California is certainly a state where a lot of hip people live. And what can such a screen do for those hipsters? Well, to start with, of course, the obvious: display the car's license plate number. Furthermore, Americans have to renew their registration annually, and that can be done automatically with such a plate. After that it gets a bit more frivolous: you can choose between light and dark mode and add a personal line of text. And of course the screen can also show advertisements.

The company Reviver, the patent holder, attributes several possibilities to its product, the RPlate, that could improve public safety. For example, the screen can show a notification if the vehicle has been stolen, or if an Amber Alert has been issued for a missing child. You can manage it very conveniently with your smartphone, via Bluetooth. And of course it has 5G connectivity, and the more expensive version has GPS, so you can always find your car.

Of course, the manufacturer has also thought of the security of this device: “encrypted TLS/SSL communication, advanced data encryption, zero hardware data storage”. So, reading backwards: no data is stored, but that data is encrypted with advanced technology (whatever that means), and the communication is secured the same way as between your browser and a website. Note that TLS only protects the connection in transit; it says nothing about who is allowed to send commands to the plate, or about how well the backend that issues those commands is protected.

Well. Leaving aside the obvious questions about usefulness and necessity, I would like to look at the security and privacy aspects of this 'solution without a problem' (a characterization borrowed from security guru Bruce Schneier). Another celebrity in my field, Mikko Hyppönen, always says: when it's connected, it's vulnerable. So you should assume that this license plate can be hacked. An obvious 'use' for a hacked license plate is, of course, forging it. But how about a false report that the car has been stolen? Especially in America, where cops quickly move their hands to their hips, I don't think it's fun to drive around with a car that shouts that it has been stolen, or that displays "HELP!". The inventors also envision applications for paid parking (where the license plate replaces the ticket behind the windscreen) and for the disabled (displaying a wheelchair symbol). If you can manipulate what the plate shows, a dishonest life of free parking, even in reserved spaces, lies ahead.

In terms of privacy, the obvious question arises: who can follow me? Where you are, and when, can reveal a lot about your life. How comfortable are you with that thought? Of course, we don't need a digital license plate for that at all: depending on your settings, your phone, which you carry with you even more often than your car, knows all that too and shares it with advertising companies like Google and Apple. So the privacy aspect does not even seem that exciting with this product.

The question remains: why would you? The marketing focuses on two spearheads: lifestyle and automatic license plate renewal. The first point is reflected in the reviews, which mainly feature cars that you and I cannot afford. On the second point, commenters are rather cynical: as if it were so hard to renew your registration the old-fashioned way. And why shouldn’t you buy such a thing? Perhaps because of the security risks, and otherwise because of the price: the cheapest version costs $19.95 per month.

I don't see us driving around with a gimmick like that in the Netherlands any time soon. Should it ever happen, you don't have to be afraid of coarse language on the personal banner: you can only show texts that have been approved by the authorities. Without this restriction, the plates would of course fly off the shelves in the Netherlands.


And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.


2022-11-04

A day at the zoo


Image from Pixabay

Last Tuesday, accompanied by a bright autumn sun, I walked with a teammate through the Dinosaurs department of the zoo in Amersfoort. Crazy, isn't it, that a zoo, which generally collects living creatures, has also furnished a piece of forest with statues of long-extinct animals? Just as crazy as the presence of a playground, by the way. Did you come to watch animals or to seesaw?

If you think our presence there during working hours is even stranger, consider that zoos also have spaces they rent out for gatherings. And so that afternoon we had a meeting of our organizational unit, the CTO Office, which is responsible for the optimal and effective use of technology throughout the organization. After a clear talk from our director (the chief technology officer, or CTO) we split up into groups to talk about a certain theme. You know the drill: the groups are composed in advance so that you do not sit with your own teammates and thus come into contact with other people. I was, however, in a group with two IT architects I already knew, one through work, the other through a chat at the coffee machine. The others, a license manager and a contract manager, I knew by sight.

The theme to be discussed was called: fast, better, safer. Technology must be made available to our employees quickly. Apparently the quality can also be improved a bit, and well, the realization that it has to be safer has fortunately also penetrated the higher echelons. In many organizations this means little more than comfortably shouting, in the abstract, that everything must become safer, leaving the workplace behind with a despairing "Yes, but how?" Because the gap between acknowledging that it has to be safer and practically implementing such an ukase soon takes on canyon-like dimensions. Welcome to the field of tension between 'that is not allowed' and 'but otherwise it won't work'.

That they put us to work on this theme shows both guts and the need to actually give substance to it. The first thing we wrote down was that you should be not only fast, better and safer, but also flexible. That is, as it were, the catalyst that lends a helping hand to the other three properties. Flexible in combination with safer means that you do not strive for maximum security, but for optimal security. That also means that you can be more flexible in certain situations; I am thinking of test environments, for example. However, security policies and standards do not provide for this; such documents seem blind to the complex environment of a large ICT organization.

This brings us to risk appetite. How much risk is an organization willing to take? A company that produces things with a short time to market will generally have a greater appetite for risk than, say, a government agency. After all, that product has to be in the shops quickly, and then you cannot afford a lavish security overhead. Just look at smart devices such as baby monitors, security cameras and toasters, which turn the Internet of Things into a dangerous mess.

Our conclusion was that we need to differentiate between the risks we face. An inextricable part of this is an unambiguous determination of who is responsible for what. One of the architects wanted to keep that responsibility as low in the organization as possible. I was able to convince him that it should lie at least at the level of a department head, because otherwise self-interest might weigh too heavily: if a team has to achieve a goal, a team manager will generally accept risks more readily. However, risks tend to have a broader impact than one team and must therefore also be weighed in that broader context. Some distance from the work floor helps with this.

Yesterday I spoke to a department head who often deals with risk treatment. We have set up a process which regulates that when someone wants something that is not allowed according to the rules but is (at that moment) necessary to ensure progress, they must write down what that means and what risk the organization runs. That form must be submitted to the head of department. Because things have been getting out of hand lately, he is actively engaging with his peers to bring about change. In many cases, taking those risks is not really necessary, provided some effort is made to work on a robust solution. This head of department clearly takes responsibility for security, without losing sight of the importance of operations. Because security is also about availability.

Another zoo group, which was also discussing the 'fast, better, safer' theme, had written down: read the Security (b)log! That is of course always a good idea.


And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

