Big numbers

 

Image from Pixabay

I love numbers. My watch shows my heart rate and how fast I'm running, the cycling computer knows where and how fast I'm going and the weather station not only shows the indoor and outdoor temperature, but also air pressure, precipitation amount, humidity and wind speed. I keep track of my sporting and financial performance in Excel sheets. For your reassurance: I will not let all these numbers rule me (except for the finances, that is); the numbers are there for me – not the other way around.

Sometimes you are presented with figures that shock you. For example, I have had a tracker blocker running on my phone for a while now. If any app or website attempts to collect my data, this app will block it. As my phone sits here and I do nothing with it, I see the number of blocked tracking attempts in the last seven days counting up. There are currently 63,849 attempts and they come from 31 apps. Do you why I’m shocked? By the way, there are already 63,855 attempts. While I do nothing.

What worries me even more is the list of apps trying to track me. The Ziggo* GO app is one of the busiest apps that want to know something from me. It's made 1,409 attempts so far – and that's for today alone (and it's just past 9am). The point is, I hardly ever use that app, and I certainly haven't used it in the last week. When I click through, I see that all those attempts in the Ziggo app come from Adobe. You know, that company of PDF files and Photoshop. But they are also active in the field of mobile app analytics. They explain what they do as follows: “Adobe Analytics delivers comprehensive analytics for mobile, web, and apps, plus unprecedented visualization and reporting capabilities, so product teams can quickly and easily drive optimal interest on mobile devices. Whether it's improving retention or increasing conversion, we provide the predictive insights to help you get the most out of your mobile investments.”

So Ziggo uses Adobe's services to track its customers. But what does all that tracking entail? I see a list of twenty items they would like to see. For example, my email address, zip code, GPS coordinates, various information about my phone and even the orientation of the phone (portrait or landscape). Another app I barely use is Reddit , and that app has, through Branch Metrics , already 431 attempts to its name today. And my calendar app DigiCal , which I do use often, has made "only" 243 attempts, but uses the services of two companies: Google and Facebook. I don't have a Facebook account myself, but Facebook does have an account about me. They want to track as many as 31 items, including sound volume, my gender, how much memory my phone has, accelerometer data (apparently they want to see if I'm on the move) and where I am. Google also wants to know how full my battery is. I can go on like this for a while. Nu.nl** uses no fewer than four trackers, all of which largely request the same information. PostNL*** attacks me with three trackers and they are just as busy as Ziggo.

And why all this? Adobe already revealed it: a lot of money can be made through advertisements, and the more targeted the advertisement, the greater the response. Don't bombard me with ads for diapers, instead hit me with gadgets. And in order to know what I like, you need as extensive a profile of me as possible.

On my phone, all of these tracking attempts are blocked by a feature in my browser, the DuckDuckGo Private Browser. DuckDuckGo is already known as a privacy-friendly search engine, but they also have their own browser on both Android and iOS. The protection against app trackers is still in the testing phase. Incidentally, the browser itself also has a few quirks and that currently makes it less suitable for near-computer illiterate people (real computer illiterate people do not have a smartphone). Numerous other blockers are available. As with all apps, you have to be careful not to get a Trojan horse: you don't want an app that promises to protect your privacy and then creates the biggest leak itself. I always look at the number of downloads and the reviews.

Recently angry farmers blocked our highways with their tractors and politicians and police apparently found it difficult to act against this. On the digital highway, you as a user have the option to block trackers****. My weekly counter is now at 64,159 and it feels good to have blocked all these attempts.

 -------------

* Ziggo is an internet, tv and phone company.
** Nu.nl is a Dutch news outlet.
*** PostNL is a Dutch postal company.
**** In the Dutch language, there’s a pun in this: a tractor is also called ‘trekker’, which has the same pronunciation as ‘tracker’ (if the latter is pronounced the Dutch way). I’m sorry that I couldn’t make the pun work in English.

 

And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

• we should not stare blindly at TikTok , because other apps also want to track us.
• French civil servants are no longer allowed to have 'recreational apps' on their work phones at all.
• the FBI simply buys tracking data from a company.
• the leaked Vulkan files provide insight into Russia's cyberwar plans.
• this EU report forecasts which cyber threats await us in 2030.
• it’s never wise to remain silent after a data breach. [DUTCH]
• medical equipment must finally be properly secured – at least, in the US.
• a fake Tor browser steals your bitcoins.
• British police have set up fake sites to catch cybercriminals.

 

Let's play a game

 

Image from Pixabay

"Let's play a game." The year was 1983, I was a freshman computer science student, and the movie War Games felt like professional literature: we just had to see this movie about the hacking of the Pentagon's computer that powers US nuclear bombs.

<spoiler alert>

In the film, a young hacker avant la lettre manages to make contact with that Pentagon computer via his modem (you had to push in the telephone handset at the time) – not deliberately, but simply by having his modem dial random numbers. Without wanting to, he is about to unleash a nuclear war, partly because the computer follows its pre-programmed path. The hacker frantically searches for a way to stop the computer. In the end a game of tic-tac-toe saves the day: the computer realizes that you cannot win that game, just like a nuclear war. A happy ending in the nick of time.

</spoiler alert>

A simple game was suitable for teaching a computer something. It is also well known that people learn well through play. It will therefore come as no surprise that games are also used to teach people about information security. We had such a game developed back in the early 1990s. It was on a 3.5 inch floppy disk and came in a CD case – that was very hip at the time. You let a character walk through a building to expose all kinds of abuses there. I remember that when you clicked on the trash can, there turned out to be a carelessly discarded confidential document in it. The game was entertaining, graphic (albeit 2D) but above all educational.

Nowadays we also have a game to boost our employees' security awareness: the Online Security Awareness Game (OSAG). Now I'm not a gamer for a long time, but one thing you can't ignore: this is not a game. You have to drag cards containing statements or facts to the right place on the screen. You will then receive the status of National Protector. Those are the only playful elements. So, dear creators, please change the name to Online Security Awareness Program (OSAP) or something alike. Well, I had to get that out.

Apart from that, I hear quite positive things about OSAG. That may have to do with the phasing of it: first we had level bronze and a while later silver. The appearance of silver was a trigger to pay attention to your information security awareness again. You were prompted to go through a pile of questions again and test how well you are informed. Each level is also divided into a number of steps, so that you can consume the material presented to you prior to a set of questions in pleasant portions.

In level bronze you learn, for example, about the confidentiality of data, the GDPR, data leaks and information security incidents. Phishing, password hygiene and physical security are also discussed. Level silver completes the basic knowledge with topics such as incident reporting, specific GDPR topics and two-factor authentication. This includes questions such as: what does 'processing' data mean (update/save/send/delete/everything), is the example shown phishing or legitimate mail, is it bad if someone on the train can read public information from your laptop screen?

The designations 'bronze' and 'silver' suggest that there could also be a gold level. And yes, dear colleague: if you are reading this on a Friday, then you have to do something else for a weekend. If you read this after the weekend, you can - if all goes well - get started with level gold right away! This includes access rights, physical security and the GDPR (you can see how important privacy is to us!).

Don't you work for us? Well, your organization probably also pays attention to information security in one way or another. Look for it or ask for it.

 

And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

• Dutch civil servants are now also no longer allowed to use TikTok on their work phone. [DUTCH]
• Banning TikTok won't solve the problem.
• trackers can be used to stalk someone.
• a Stanford University ChatGPT clone has been taken offline because it was hallucinating.
• the British NCSC blogged about ChatGPT.
• artificial intelligence also generates disinformation.
• the Windows snipping tool saves the cut pieces. [DUTCH]
• DigiD loses its monopoly with the introduction of the Digital Government Act. [DUTCH]
• ENISA expects ransomware attacks on the transport sector.
• a committee will test the algorithms used at the Ministry of Finance and its agencies for privacy and ethics. [DUTCH]
• the Chinese Navy interferes with passenger aircraft communications and navigation systems.
• this (American) article advocates restraint in collecting data for monitoring purposes.

 

Responsibility

 

Image from Pixabay

“Yes officer, this is indeed my car, but the broken rear light really a fault of the garage. They serviced the car a month ago!” Most reasonable people will understand that they can't get away with that. That car is yours and you are responsible for the proper functioning of all legally prescribed facilities. And that’s the end of it.

“Information security starts with an i, so ICT owns it!” Someone actually said that. Do you see the parallels with the previous paragraph? In both cases there is someone who either wants to bluff himself out of his responsibility, or someone who doesn't know what's going on. In either case, it's high time to get things in order.

I'm not really sure where the word 'ownership' comes from. Is it ICT jargon? Is it some kind of euphemism for ‘responsibility’? Anyway, that's what it means to me: if you own something, you're responsible for it. And that responsibility – of course – also includes the security of the thing in question. There are data owners, system owners, risk owners, and yes, even our intranet has a product owner; whatever you can come up with, there will be an owner. Incidentally, ownership does not go so far as to allow you to take home the thing that you own in a business sense – you own it, but it is not your property. All very complicated.

It took years for data ownership to be well established. Everybody would dodge the issue. The word ‘owner’ often has a positive connotation, the word ‘responsibility’, on the other hand, implies a heavy burden. Especially when it comes to the kind of data we are dealing with. But it worked out in the end and progress is still being made in the area of responsible data handling. Since last year we even have data stewards. These are colleagues who supervise the correct handling of data.

Back to the quote in the second paragraph. I don't know who said that, but it shows little insight into how things work. If you leave out the first part, “information security starts with an i”, which may have been meant to be funny, what then remains has long been a fairly common view: the IT department is responsible for information security. And there will still be organizations that are set up that way, or – even worse – that work implicitly this way. That is worse because responsibilities are not assigned, but everyone tacitly assumes that ICT is running the show. But even if it's explicitly set up that way, it's no good. Why? See the first paragraph. Just as the garage is not responsible for the correct operation of your rear light, the IT department cannot be responsible for the security of an organization's systems. ICT is merely advisory, executing and enforcing: based on our specific knowledge, we help the business to determine the rules of the game, we implement those rules and monitor compliance with them – on behalf of the business.

A structure like that is also likely to be encountered if you delve deeper into the organization. I work in the IT department of our organization, in a team that is accountable for the security of everything that IT department does. It is important to understand the term ‘accountable’; that is quite different from 'responsible'. The latter term is a management thing: every manager is responsible for the security of the things he has under his care. On the basis of our accountability, we ensure that managers fulfill their responsibilities and we help to achieve and maintain that situation. We should all keep in mind that security is not a product, but a process. In other words, it's never finished, but it keeps getting better.

Yesterday I saw a nice little example of taking ownership and responsibility. I was standing in a crowded train when two men made their seats available. They worked for the railroad company and apparently company rules state that paying travelers have more right to a seat than staff. They might have thought: no one knows that we work for the railroad company, we'll stay put. But they didn't. It was 'their' train, but also (at that time) their responsibility to facilitate travellers. Neat, gentlemen!

 

And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

• good documentation is a precondition for responsibility.
• Microsoft's Active Directory sometimes offers broader access than desired.
• a Russian spy arrested in The Hague was promoted to head of a notorious hacking unit of the GRU.
• tech journalist Daniël Verlaan has made an interesting podcast about identity fraud. [DUTCH]
• the European Cyber Resilience Act could do better. [DUTCH]
• the cybercharlatan saga continues. [DUTCH]
• you need to update Outlook, right now. [DUTCH]
• the Amsterdam court gave Facebook a firm privacy scolding. [DUTCH]
• a colleague tipped me off about these somewhat old, but still useful security tips for journalists (and for you). [DUTCH]
• your Samsung phone may be vulnerable to a number of unpatched vulnerabilities.
• it still makes sense to install a virus scanner on your Android phone.
• Twitter is used for scamminga.
• the police are looking for volunteers in the fight against cybercrime. [DUTCH]

Bridges, songs and car keys

 

The new bridge - Image from Pixabay

Once upon a time there was a bridge, a suspension bridge to be precise. It was 1.6 km (1 mi) long, making it at that time – the year was 1940 – the third longest suspension bridge in the world. But this proud bridge did not live for more than four months. The wind picked up, the bridge began to sway and it collapsed.

I'm talking about the Tacoma Narrows Bridge in Washington State. The physical phenomenon that led to the collapse of this bridge is called resonance. In short, this means that an object that is exposed to vibrations, amplifies that vibration on its own. You know that from rattles in the car, but playing on the swings is also a form of resonance. The wind was blowing in Tacoma at the time, and the wind happened to hit the bridge with its natural frequency (expressed in a popular way, this is a frequency at which an object is comfortable and starts participating happily: it resonates). This caused the bridge to move along with the wind and eventually the materials could not handle that much movement and the bridge collapsed. See Wikipedia for more information and the famous video of the collapse.

Bridges aren't the only things that can break due to resonance. Last year there was a news story about computers mysteriously crashing. The ingredients of that story seem to have sprung from fantasy, but the people who saw that bridge collapse couldn't believe their eyes either. Those fantastic ingredients are an old type of hard disk and Janet Jackson's hit song Rhythm Nation from 1989. All sound – and therefore also music – consists of vibrations that propagate through a medium. When I talk to you, my vocal cords vibrate the air (the medium), and your eardrums pick up that vibration. And well, the sound of Rhythm Nation contains exactly the natural frequency of that particular type of hard disk. The hard drive will then resonate and destroy itself. The computer, in which the hard disk is located, will also stop working.

As a result, the music video in question has been officially declared a cybersecurity exploit. An exploit is a way for an attacker to exploit a vulnerability in a system. The vulnerability here is the sensitivity to resonance, the exploit is playing Rhythm Nation. And that doesn't even have to be on the same laptop: other nearby laptops can also die as a result. It is not very likely that someone will attack your computer in this way. As mentioned, these are old types of hard disks (5400 rpm), and the computers you use most likely no longer even contain a hard disk, but SSD memory (and for the sake of convenience we continue to call this memory without moving parts a hard disk).

There you go with your lists of standard threats, which you use in a risk analysis. Both cases have in common that the danger came from an unexpected quarter. Well, that bridge, one might have been able to calculate that, at least with today's knowledge. But a song by Janet Jackson crashing a hard drive, you just don't make that up. And I can hardly – hardly – imagine an attacker ever looking for such a method to destroy a computer.

However, research is being done into how information can be extracted from so-called air gapped computers. An air gapped computer is one that is not connected to a network. The air gap can also relate to a network; then there actually is a network, but that in turn is not connected to other networks that are considered unsafe. In this way a situation is created in which the data is safe in its own environment. But there are smart people who are looking for ways to extract information from such systems anyway. For example, I remember an attack involving the blinking of the network card light in the past. A classic attack is eavesdropping on the electromagnetic radiation emitted by all electronic circuits. Measures against this fall under the ominous denominator tempest.

Such attacks typically target high value assets. As an ordinary private person you don't have to be worry about it. As an extension of this, what you could have to deal with is car theft. Thieves eavesdrop on the signal from your modern car key – the kind you don't have to put in the lock to unlock and start your car. That's why I've been keeping my car keys in a closed can at home for years. That works like a Faraday cage: a construction that blocks electromagnetic radiation. However, if I am sitting on a terrace, my key can still be tapped and the signal can be 'extended' to my car with certain equipment. Special key cases are being sold, that also promise to work like a Faraday cage. Only then of course you still have to take the key out of your pocket to open and start the car yourself. Choose what is more important to you: security or ease of use. I'm not going to buy such a case. How many crooks with such equipment are there, anyway?

 

And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

• users of the password manager Bitwarden should not have their password auto-filled when loading a web page. [DUTCH]
• some hardware malware is very persistent.
• a fake email attack can be done very quickly.
• Linux servers are not immune to ransomware.
• MS Word contains a vulnerability that does not even require the victim to open a received attachment.
• you have to be aware of undermining of the upcoming elections. [DUTCH]
• a storage medium can be a critical factor for system availability.
• Your bank really never asks for your PIN. [DUTCH]
• visitors to the Eurovision Song Contest run the risk of digital fraud.