2023-02-24

Criminal data trade

 

Image from Pixabay

I can't stand injustice. That feeling is reinforced if financial gain is the motive for injustice, and if it deliberately affects people who are particularly vulnerable to it. Because I don’t work in law enforcement, my resources to do something about it are limited. At least my keyboard allows me to write on it, in the hope that it will save some people from harm.

Recently I heard the story of an elderly couple who had gone to the bank with their son to arrange a power of attorney. That took place in a building of concrete and steel, sitting opposite a bank employee. A day or so later, the old gentleman received a call from someone at the bank, and the call referred to his visit to the bank branch with his son. Something was wrong with their bank cards; someone from the bank would come and pick them up. They already had those people’s address, of course. “I should cut up the cards, right?” “No no, that would make them useless to the police. Just put them in an envelope from the bank. And give us the PIN code so we can check it.”

Because the story seemed so plausible with all the information the criminals had, the man believed it and gave his PIN. But he did see a tiny red flag when he was told not to cut up the cards. On a different phone he called his son, who was supposedly talking to another bank employee. However, the son knew nothing about it, and also immediately realized that it was not right. He urged his father not to hand over the cards and to keep the door tightly closed. In addition, the police were called.

As mentioned, the son was called with another phone; the receiver of the first phone was still on the table, so the criminal probably overheard the other call. The police therefore found nothing suspicious in the neighborhood where these people live. They told the people that such criminals are usually close by when they call – then they can strike before the victim changes his mind. Because no actual transfer had taken place, the police were done. A few days later they called again, but that was by accident: they actually wanted to speak to other people, with whom the criminals had unfortunately succeeded.

Of course our near-victims had their cards blocked and replaced with new ones. Otherwise, imagine that they had been pickpocketed in the supermarket the next day: the criminals could still have plundered their bank account, since, after all, they knew the PINs. Of course, the new cards also have new PINs (otherwise the same problem persists). It is also wise not to leave more money in your current account than is necessary to pay the bills and groceries for that month. Money that is in the savings account cannot be withdrawn from an ATM – not even by a bank card thief (disclaimer: that’s how it works in the Netherlands; I don’t know if this is true elsewhere in the world). Unfortunately, for many elderly people who do not have a computer or smartphone, this is easier said than done: we youngsters easily drag money from our current account to the corresponding savings account and back. It was therefore a sensible choice of the above elderly people to enlist their son for their banking concerns.

Information is worth a lot of money. If you know that someone has been to a certain place at a certain time, and you know where to sell that kind of information, it can make you some nice pocket money. You just have to be in a place where you can access the requested information. Or… you make sure that you end up in such a place yourself. Or even better: a criminal organization places you as a pawn in an organization. That's called infiltration. The more valuable the information, the more attractive it is to have a chap in the right places. They are even largely self-sufficient - after all, they earn a salary. I hope that the bank from this story will be able to expose the mole.

The more convincing a lie is, and the more pieces of the puzzle fit together, the sooner we fall for it. I'm gullible by nature (because I want to be positive so badly), but professionally I'm suspicious. This creates some interesting – and sometimes annoying – tension. I must keep my suspicion active without losing my faith in the good. You can help me with that by sharing stories like the above with people in your area, especially with those who are vulnerable. Let them learn from other people's experiences and thus considerably narrow the playing field of the criminals. Whether you tell the story yourself or send a link to this blog, I don't really care. But please do share.

There will be no Security (b)log next week.

 

And in the big bad world…

 

2023-02-17

Tiktoking civil servants

 

Image from tweedekamer.nl

While we are dealing with a nationwide network outage, strangely enough the sound of the internet radio can still be heard from my speakers. In the news bulletin I hear the following message: the House of Representatives no longer allows civil servants to use TikTok on their work phone.

Let this sink in for a moment (I'm still processing it). Parliament feels the need to express its concern about what civil servants do on their telephones. Apparently there are some civil servants who have TikTok on their phones. Why???

For those readers who don't have kids of TikTok age, I'll briefly explain what that is. TikTok is an app in the social media category, intended to make short videos – we're talking seconds – and of course share them. There is often dancing, singing and lip-syncing. The latter then produces, for example, a video of a teenage girl saying something stupid in the voice of Donald Trump. Those kinds of things.

I copied the previous paragraph from the Security (b)log of July 24, 2020. At that time there was already (international) hassle around TikTok and in the Netherlands the Dutch Data Protection Authority investigated the privacy aspects of the app. Exactly one year later, the DPA fined TikTok 750,000 euros for violating the privacy of young children. At the time, I already advised not to use TikTok on your business phone.

Now back to my question: why are there civil servants who have TikTok on their government phone? Okay, somewhere in the civil service there will probably be a position where the use of such an app is plausible. Maybe somewhere in communication, because there they have to constantly think about how to reach their target groups. A police officer tiktoking about the importance of decent bicycle lighting might be a good one. But even then, the House of Representatives is right: don't do that on your regular work phone. Because of China.

TikTok is a Chinese product. And we know for sure that country loves espionage (with or without a balloon). Now – just like a little less than three years ago – people are afraid that China will collect information on our phones via TikTok. TikTok recently amended its privacy statement: they feel that TikTok employees in China should have access to data from European users, among others. But our privacy legislation, the GDPR, takes a completely different view: personal data of Europeans should remain in Europe, unless it has been established that another country handles them just as neatly as we do. Such a statement regarding China is expected to be issued around the day when pigs fly. But TikTok's privacy statement simply states that employees in certain countries also have access to your data without such an adequacy decision.

Espionage is serious business. The subject is discussed in detail in the Cyber Security Assessment Netherlands 2022. Some quotes: “Cyber attacks by state actors are the new normal”; “State actors can use the following digital means to this end: (…) Espionage, including economic or political espionage”; “The Netherlands is the target of an offensive cyber program from countries such as Russia and China”; “The Chinese digital espionage actor APT31 has carried out widespread and long-term attacks on political targets in Europe and North America. There were also targets of attacks and reconnaissance activities by this actor in the Netherlands.” The intelligence services define state threats as follows: “Coercive, subversive, misleading or covert activities by or on behalf of state actors, below the threshold of armed conflict, which can harm the national security interests of the Netherlands through a combination of the goals pursued, the means used and the effects." A state actor is just a country that does those kinds of things.

So, dear colleagues: if you like TikTok, do your thing. But not with the boss's stuff. Now you may be thinking, well, I don't have any important or confidential information on my phone, this isn't about me. Think again. Your contacts alone can be interesting, and the network you form with them. Spies are puzzlers: they get a few puzzle pieces from you and the rest from others. With all those pieces together, they eventually manage to create an interesting picture.

A colleague told me that his daughter does not mind that the Chinese are watching: "Extra fans." That's one way to look at it. As a citizen. As a civil servant, you have other responsibilities.

  

And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English. 

2023-02-10

Bus drivers on strike

 

Image from Pixabay

Hilversum was the place where I had to go to last Monday. As befits a good civil servant, I prefer to travel by public transport. Regional transport was on strike this week, but the trains were running normally, it was emphatically stated. Nice. I shouldn't have been bothered by the strike. It turned out differently.

When I travel by train, I always take the city bus to the station. I am a man of definitions; for me, regional transport is transport between places, and city buses run in the city – and therefore not in the region. But because I also understand that drivers who work for a carrier that serves both the region and the city are not exclusively city bus or regional bus drivers, I had my wife take me to the station a few weeks ago, when they also went on strike. That turned out not to be necessary: the city buses ran on schedule. My definitions were correct.

So they would also run last Monday, I assumed. At one point at the bus stop, a girl asked me: “Are you going to the station?” I glanced at my watch and replied, "I don't think so." She consoled me by telling me that line 231 would arrive in six minutes. However, that would be too late to catch my train, and moreover, line 231 is a regional bus…

I had to come up with an alternative. At the Mediapark in Hilversum, students of Make IT Work (a retraining program of the Amsterdam University of Applied Sciences) would soon expect me to give a guest lecture; I had to be on time. I calculated my options. I wouldn't make it to the station in time by bike; with the car I had another chance. With big, but careful steps – it was freezing – I returned home, texting my wife what my plan was, so that she wouldn't be shocked when the car suddenly disappeared. She was willing to drop me off too, but then I might have a problem on the way back. I got in and drove off. The traffic lights, which usually show me red, were favorable to me for once.

On the way, I pondered my parking options. There are two ways to go in the parking lot at the station: to the left and to the right. Turning left leads to the entrance of the station, turning right leads away from it. Turning right, the chance of a free space is therefore considerably greater – after all, everyone wants to be at the front. But if you park there, you have to walk further. If you turn left and you don't find a spot there, you still have to go to the other side and that means extra time loss. I took a gamble and turned left. My courage was rewarded: there was exactly one free spot, near the entrance. Moreover, it was a place that overlooked the busy road past the parking lot, which I liked very much, because a few decades ago my car was broken into in that parking lot and the radio was stolen (by the way, thanks to an attentive witness, the crooks were caught and I got my radio back). Satisfied, I walked into the station. I reached the platform at the same time as my train and I arrived at my destination in plenty of time. Incidentally, it would not have been disastrous if I had missed this train: My itinerary had a margin, the next train would also have delivered me on time.

It probably takes a fair amount of professional deformation to relate the above to my profession. Since I have quite a lot of that, my adventures from that morning became part of my lecture, its subject being risk analysis. If you look at the above account through that lens, you realize that risk analyses are not limited to your work as an information security officer: they do not just take place if and when your agenda states that you have to do a risk analysis on that day and at that time, and there is not always a complicated, formal method involved. Risk analyses are carried out in daily life – usually unconsciously, but it happens all the time. You do that too.

Let me explain. My initial decision to take the bus was based on historical data (during the previous strike the city buses did run), from which I deduced that the chances of a running bus were favorable. The decision not to take the bicycle, but the car, was based on the likelihood of catching my train in this way. The fact that I didn't run home but - despite my haste - just walked, had to do with the risk of slipping. Even the text to my wife was risk management driven. Left or right in the parking lot: OK, I admit, that was an irrational guess. But hey, I'm just a human who hopes for the occasional windfall. In risk analyses, the expected consequences of wrong choices also play a role, according to the old formula: Risk = Likelihood x Severity. With all the choices I made that morning, the possibility of missing my train hung over me like the sword of Damocles.

Think of me the next time you have to make decisions. Who knows, it might help you make well-founded choices.

 

And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

 

2023-02-03

Vicious circle

 

Image from Unsplash

A reader had ended up in a vicious circle and shared his story with me, with the opening sentence: “Maybe I have a nice input for your blog.” Well, he was right. His experiences are instructive and can prevent other readers from ending up in the same situation.

Colleague Mark de Wals's iPhone was broken. That in itself was annoying enough, but for Mark it was only the beginning of a vortex that he struggled to get out of. Oddly enough, that vortex was partly caused by two excellent security measures that Mark had taken: he used a password manager and he applied two-factor authentication (2FA, also known as MFA, with M for multi). How can these measures, which I wholeheartedly recommend to everyone, get you into trouble? And, more importantly: how do you stay out of trouble? Wait for it, but above all: learn from it.

Mark wanted his iPhone repaired (it wasn't completely dead, by the way). Before handing over the device, he performed a reset. This ensures that all data, including all accounts, are erased - it is then as if the device came fresh from the factory. It's nice to know for sure that the repairman can't poke around in your data, isn't it? The downside is of course that you have to set up the device again after the repair. Many people don't like that; for many, this is the main reason for postponing the purchase of a new device until the old one can no longer be used. But since the repairman will often need access to the device, you can hardly avoid such a reset.

When the device came back, Mark sat down for it. One of the first things the iPhone asked for was its Apple ID password (“Your Apple ID is the account that gives you access to all Apple services and allows all your devices to work together seamlessly.”) That password was in Mark’s password manager – which was not yet accessible because the device had not yet been set up. But don't worry: thanks to the cloud, the password vault could also be accessed via his laptop.

Mark typed in his password, to which the iPhone responded with: fine, and now you have to approve this login in your 2FA app. Ouch, that app was also on the iPhone – and therefore inaccessible! Voilà, a textbook example of a vicious circle: you need that app to get the device going, but the app runs on the same device.

Eventually Mark requested a reset from Apple. That involved an email and a text message. Fortunately, Mark was still able to receive and read the code from the text message. For security reasons, Apple lets a few days pass when you request a reset from them. Those were two scary days, but then Mark received an email and a text message with verification codes. With that he was able to access his account again.

Mark has a few tips for us. The first one concerns the fact that he does not use a real SIM card in this device, but an e-SIM – which stands for embedded SIM and means that the card is built into the device. Your provider therefore does not send a SIM card, but uses the e-SIM. What if you need to receive a text message with a verification code, but you can't access your phone? With a physical SIM card, you simply put it into another device and read the message there, but that is not possible with an e-SIM. If the latter is secured with a PIN code, you will not see the received code on the lock screen as long as you are not logged in. Mark had turned off that PIN code, since the device itself is protected and you cannot remove the e-SIM from the device anyway.

The next tip is the most important: make sure you keep your most important passwords somewhere you can always access them. Mark's password manager (LastPass) offers the possibility to share passwords with others. Through this option, he can always retrieve the passwords of his email and his Apple ID. And if another family member also has an Apple ID, you can authorize each other to help each other reset your password.

Android also works with email addresses and phone numbers for account recovery. For this you need a different e-mail address than the address that is linked to the account. But be careful not to use an address that only forwards incoming mail to your primary account - after all, you cannot access it in such a situation.

Mark's experiences teach us that it is important to take measures in advance to escape from such a situation. Check this weekend if you have your affairs in order.
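One way to do that check systematically is to write down which factor (password vault, authenticator app, SMS on an e-SIM, a family member's shared vault) lives on which device, and which combinations of factors open which account, and then ask: if this one device disappears, which accounts can I still get into? The script below is an added example and not code from the original post or from Mark; the devices, factors and accounts are constructed to mirror the story (the "before" setup has the 2FA app and the e-SIM on the same phone and a recovery address that only forwards to the main mailbox, so losing the phone locks out everything, while the "after" setup adds an independent recovery mailbox and a family member's shared vault). It generalizes the single case in the text: it handles recovery paths that depend on other accounts by iterating to a fixed point, so circular dependencies such as the forward-only address show up as lock-outs rather than as false reassurance.

```python
"""Added example (not from the original post): find accounts that become
unreachable when one device is lost, including circular recovery paths."""
from typing import Dict, List, Set

# A path is a set of requirements that must ALL be available. A requirement is
# either a factor name or "acct:<name>", meaning that account must itself be
# reachable (e.g. a recovery code sent to another mailbox).
Path = Set[str]
Accounts = Dict[str, List[Path]]
Factors = Dict[str, Set[str]]  # factor -> devices on which it can be used

# Constructed data that mirrors the story; not Mark's real configuration.
FACTORS: Factors = {
    "vault_password": {"iphone", "laptop"},   # cloud password manager, also on the laptop
    "totp_app": {"iphone"},                   # authenticator app only on the phone
    "sms_code": {"iphone"},                   # e-SIM: cannot be moved to another handset
    "laptop_session": {"laptop"},             # logged-in browser session on the laptop
    "partner_shared_vault": {"partner_phone"},  # family member's share of the vault
}

BEFORE: Accounts = {
    "apple_id": [{"vault_password", "totp_app"}, {"acct:mail", "sms_code"}],
    "mail": [{"vault_password", "totp_app"}],
    "recovery_mail": [{"acct:mail"}],  # forward-only address: no login of its own
}

AFTER: Accounts = {
    "apple_id": [{"vault_password", "totp_app"},
                 {"acct:recovery_mail", "partner_shared_vault"}],
    "mail": [{"vault_password", "totp_app"}, {"acct:recovery_mail"}],
    "recovery_mail": [{"laptop_session"}],  # independent mailbox, reachable from the laptop
}


def _available(req: str, factors: Factors, lost_device: str, reachable: Set[str]) -> bool:
    """A factor is usable if it lives on some device other than the lost one;
    an "acct:X" requirement is usable only once X is known to be reachable."""
    if req.startswith("acct:"):
        return req[len("acct:"):] in reachable
    return bool(factors.get(req, set()) - {lost_device})


def reachable_accounts(accounts: Accounts, factors: Factors, lost_device: str) -> Set[str]:
    """Fixed-point iteration: keep adding accounts whose paths are fully
    available until nothing changes. Accounts that only depend on each other
    (a vicious circle) never enter the set."""
    reachable: Set[str] = set()
    changed = True
    while changed:
        changed = False
        for name, paths in accounts.items():
            if name in reachable:
                continue
            if any(all(_available(r, factors, lost_device, reachable) for r in path)
                   for path in paths):
                reachable.add(name)
                changed = True
    return reachable


def locked_out(accounts: Accounts, factors: Factors, lost_device: str) -> List[str]:
    """Sorted list of accounts you can no longer get into after losing a device."""
    return sorted(set(accounts) - reachable_accounts(accounts, factors, lost_device))


if __name__ == "__main__":
    for label, setup in (("before", BEFORE), ("after", AFTER)):
        for device in ("iphone", "laptop"):
            print(f"{label}, lost {device}: locked out of {locked_out(setup, FACTORS, device)}")
```

Run it as-is and the "before" setup reports all three accounts locked out when the phone is lost: the Apple ID needs the authenticator app or an SMS on the e-SIM, the mailbox needs the same app, and the recovery address needs the mailbox. The "after" setup survives the loss of either device for the accounts that matter; the only remaining single point of failure it reports is the recovery mailbox itself when the laptop is lost, which is the kind of finding worth acting on before, not after, a repair.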

 

And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English. 

 

Gyro Gearloose

Image from Pixabay

Gyro Gearloose is a crane after my own heart. He can invent a genius device to order, or he has something lying around ...