2023-06-30

The King of Doodles


Image from author

It was a year ago, in a conference room in Utrecht. A strange room it was, because one of the walls consisted almost entirely of large shutters – on the inside that is. I still don't really know what was hiding behind those shutters. But that's not the point. The point is that I sat next to the King of Doodles. And that I wanted to do something with that in my blog, but couldn't find a link with security. Until now.

A doodle, as explained by Wikipedia, is a drawing made while a person's attention is otherwise occupied. You know, like someone is sitting in a meeting with a writing pad on the table and they’re drawing all kinds of frills on it: doodles. Well, that colleague I was sitting next to at the time, boy was he skilled at that. He scribbled like his life depended on it - that's why I crowned him the King of Doodles for myself. And I watched with fascination. What was also fascinating was that the drawing didn't seem to distract him in the slightest: he just joined the conversation, with a lot of sensible input in fact.

Recently, the same meeting took place again. Again in Utrecht, but now in a different place, without indoor shutters. The King of Doodles was there again, and he was scribbling as usual. We talked about it during a break, and I confessed that I had been wanting to blog about this spectacle for a year, but couldn't find the right hook. And that ate at me, because, as regular readers know, I can usually give the craziest observations such a twist that they suddenly have a connection to my profession. Only those cursed doodles, they resist my urge to write. Until another colleague looked at the drawing and casually said: “That looks like a QR code.” I looked at him in bewilderment: that was it! There is a lot to write about QR codes from my profession.

QR codes can no longer be ignored in everyday life. You come across them everywhere. “Scan me!” they shout to unsuspecting passers-by, “I'll give you information!” They are often featured on pamphlets and advertisements: if you want more information after reading, you can get it by scanning the QR code. But sometimes you come across a QR code on its own. On a sticker that someone just put on a traffic light, for example. Or on a shop window. Those are much more mysterious.

The problem with QR codes is that we humans cannot read them. So you have no idea where such a code will take you. It can just as well contain a link to www.scammers.com (this domain name is still available, by the way). As I remember it, scanning a QR code used to take you straight to the linked website. That is now different (better): a pop-up shows you the destination first, and then you can still decide whether you want to go there. But even then you are often none the wiser: do you have any idea whether something like s5.productinfo.com is a bona fide site?

Now you don't have to worry immediately that a QR code next to a recipe in your supermarket’s magazine will take you to a rogue site that steals your data or provides your device with a nice virus. However, I'd be a bit more careful with QR codes that you come across in the wild that have no context. Or with codes on advertising posters or shops. They have context, but maybe someone has pasted their own code over them; then you think you are going to fineshop.com but you still end up at scammers.com.

My advice: make conscious use of QR codes. See if you understand where they're going, and if that doesn't seem right, or you don't have a clear context (like with that yummy recipe), better back off. You can always google it by hand to get more information on the subject in question.

At those Utrecht meetings I mentioned, our internal bloggers and the intranet editors met. The editors treated us to lunch and figures that showed that our blogs are important crowd pullers. But for me, the most important thing was that I can finally feature my esteemed fellow blogger, the King of Doodles, in my blog.

The Security (b)log returns after the summer holidays.


And in the big bad world…


2023-06-23

Alphabets

Image from Unsplash

It is a somewhat strange sensation when suddenly everyone is talking about something and you have no idea where it came from. My teammates came to the rescue: it was on Facebook, which is just a corner of the internet I never visit. You may have seen it, though: that message that warns about links that are not what they seem because they contain letters from a different alphabet. It was adopted by the popular newspaper USA Today and then things went fast.

Homoglyphs is the term for characters that look like other characters. The best-known examples of homoglyphs in our own alphabet are the 0 and the O: the first is a number, the second a letter. Always hard to tell the difference. And what about the l and the I? The first is the lowercase L, the second the uppercase i. Since we usually use sans-serif fonts in modern texts, you won't see the difference. If you choose a font with serifs, you will see it: “And what about the l and the I?” (Courier New font).

The Cyrillic alphabet, used in Russia and its surroundings, also contains homoglyphs. In the example shown on Facebook, our a and its Cyrillic counterpart are mentioned. Incidentally, the letter, which is called the Cyrillic a in that message, is the Greek letter alpha (ɑ). Because the Cyrillic a looks like this: а.

All letters, numbers and other characters that you can type on your keyboard are defined in tables. The best-known table is ASCII, IBM mainframes speak EBCDIC, and the most extensive is Unicode, because it defines the letters of all alphabets – not just the Latin alphabet we are familiar with. The Cyrillic letter at the end of the previous paragraph was created by typing the Unicode code point for that letter (0430) and then pressing Alt and X. With the help of the Unicode tables you can therefore produce any character, even if it does not appear on your keyboard. Like for example Њ and ß.

In the address bar of your browser you will not see the difference between amazon.nl and аmаzon.nI (the latter contains two Cyrillic a's and a capital i). While you might think that this URL will take you to the Dutch website (.NL) of that company, it will take you to a website hosted in Nicaragua, as the top-level domain (TLD) .ni belongs to that country. You see how easily criminals can lure you to their fake website, where they then steal your data or install malicious software on your device. Dutch domains, which fall under the TLD .NL, are relatively safe because no domains can be registered with characters from alphabets other than our own. But beware: the trick with the i and the L does work there.

Your browser can protect you from a homoglyph attack simply by not displaying such domain names in their look-alike form, or by rejecting a mix of different alphabets. In addition, many domain registrars also ensure that no domains are registered that are no good. So you could say that all the attention to homoglyphs is a bit exaggerated – after all, effective measures have been taken.

In this context, I would also like to mention another form of trickery and deceit called typosquatting. In this trick, someone registers a domain name that looks like a real one, and then hopes people will make typos or get the name wrong and end up on their site. Think for example of googel.com, amazone.com or microsof.com. The holders of the official websites of these organizations can protect themselves against this by registering all domains that are similar to their own. If a smart guy manages to score a similar domain anyway, the holder of the real domain can demand that the fake domain be cancelled.
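To make the two tricks above concrete, here is an added Python example; it is not from the original post and not how any particular browser or registrar implements its checks. It does what the preceding paragraphs describe: it looks at which alphabets each label of a domain name mixes, shows the ASCII (punycode) form that is actually sent on the wire, folds a small hand-picked set of Cyrillic look-alikes back to Latin, and then counts how many edits separate the result from a protected domain, so that аmаzon.nI, googel.com, amazone.com and microsof.com are all flagged. The protected-domain list and the confusables table are constructed for the example; Unicode's full confusables table is far larger.

```python
import unicodedata

# Constructed list of domains an organisation wants to protect (example data).
PROTECTED_DOMAINS = ["amazon.nl", "amazon.com", "google.com", "microsoft.com"]

# Hand-picked subset of Cyrillic letters that render identically to Latin ones.
# Constructed for this example; Unicode's confusables.txt is the complete source.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
}


def scripts_of(label):
    """Set of Unicode script names ('LATIN', 'CYRILLIC', ...) used by the letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def fold_confusables(text):
    """Replace known look-alike letters with the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent transpositions,
    so that a swapped pair like 'googel' vs 'google' counts as one edit."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[la][lb]


def to_punycode(domain):
    """ASCII form of an internationalised domain name, or None if it cannot be encoded."""
    try:
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def analyze_domain(domain, protected=PROTECTED_DOMAINS):
    """Return a report dict: mixed scripts, homoglyph-folded form, nearest protected domain."""
    lowered = domain.lower()
    labels = lowered.split(".")
    mixed = [lab for lab in labels if len(scripts_of(lab)) > 1]
    folded = fold_confusables(lowered)
    distance, closest = min((osa_distance(folded, p), p) for p in protected)
    reasons = []
    if mixed:
        reasons.append(f"label(s) mixing alphabets: {mixed}")
    if folded != lowered:
        reasons.append(f"contains look-alike letters; reads as {folded!r}")
    if 0 < distance <= 2:
        reasons.append(f"{distance} edit(s) away from {closest}")
    return {
        "domain": domain,
        "punycode": to_punycode(lowered),
        "mixed_scripts": bool(mixed),
        "folded": folded,
        "closest": closest,
        "distance": distance,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


if __name__ == "__main__":
    for name in ["amazon.nl", "\u0430m\u0430zon.nI", "googel.com", "amazone.com", "microsof.com"]:
        r = analyze_domain(name)
        print(f"{name:14} -> {r['punycode']:24} {'SUSPICIOUS' if r['suspicious'] else 'ok':10} {r['reasons']}")
```

The punycode column is the part worth looking at: a browser that refuses to display the look-alike form shows the visitor `xn--mzon-...` instead of a convincing `amazon`, which is exactly the protection the text describes.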

My guess is that homoglyphs won't get you in trouble anytime soon. The chance that you type in a wrong web address that happened to be thought of by a typosquatter is somewhat higher. But I think the most remarkable thing about these techniques is that they exist at all. This shows once again that criminals can be particularly inventive and possess a great deal of knowledge.


And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

2023-06-16

Awaremess


Image from Unsplash

If you master touch-typing, then you know that your fingers sometimes have a mind of their own. Fortunately, you usually realize that they have written something different than intended and then the backspace key is your best friend. Recently I had such a case where I couldn't suppress a grin: I didn't type 'awareness', but 'awaremess'. That small error led to this blog post.

In my profession, awareness means security awareness: the extent to which employees realize that they play an important role in information security, have the associated knowledge and act accordingly. But sometimes, things get a little messy.

So where did that grin on my face come from? The word awaremess does not exist, but you could interpret it as a mess that arises in the field of consciousness. And that's exactly where we are right now. For example, we do a lot to teach you how to recognize phishing mail. But at the same time, you are being bombarded with legitimate email that looks like it's phishing. And then it becomes a mess.

I give two examples. All civil servants have received (or are still receiving) mail from Shuttel, stating that they need to apply for a new card for public transport. That e-mail contained quite a few phishing indicators. The main red flags were the general salutation (“Dear Employee”), the warning that your old card would be revoked and – the most important – a link that, when you hovered over it, showed a very different destination than what was shown in the mail itself: not my.shuttelportal.nl/[etc], but something like fbdecbh.r.af.d.sendiobt2.com/tr/cl/[etc]. The funny thing is that employees also hit on something that is not a phishing indicator at all. The Shuttel company wanted some words in the e-mail shown in bold, but that went wrong in the first series of e-mails: it did not say look & feel, but —look & feel’. The codes that were supposed to make the text bold didn't work properly. But that has nothing to do with phishing. The other indicators, however, were very phishy. The only thing that went well here is that the exchange was announced in advance on the intranet (but not everyone reads that). And what went well afterwards is that I quickly found someone in the responsible department who understood me and made sure that the Shuttel company was held accountable. Unfortunately that came too late for us, but things should be better at other ministries now.

The second example is closer to home, because it concerns the medium on which this blog is published: our intranet. That intranet was radically changed a while ago. And so there was an e-mail with the subject: “Survey: What do you think of the personalized intranet?” That e-mail comes from an external address, but it does show the name of our organization as the sender: red flag! The general salutation (“Dear reader!”) and the chance to win an “exclusive personalized gift with your avatar on it”, along with time pressure (“We are giving away 15, so be on time”), only made it worse. And finally, the e-mail was signed impersonally (“Team Online Editors”) and the survey was not announced on the intranet (!). The first e-mail from a concerned colleague has already arrived, and more will follow. Rightly so. Now last week we had a nice meeting with the bloggers and the intranet editors, and then we were told that there would be a survey. So by chance I know that this e-mail is real, and I have informed the editors about the phishy nature of their e-mail.
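Two of the red flags in these examples are mechanical enough to check automatically: a link whose visible text names a different host than its real destination, and a sender whose display name borrows the organisation's name while the address lives on another domain. The Python below is an added example, not code from Shuttel, from our intranet editors or from any mail filter we use. The HTML snippet and the sender headers are constructed to mimic the two cases; the two hostnames from the Shuttel mail are the ones quoted above, everything else (paths, the organisation name "Ministry of Example", the domains example.gov.nl and mailing-platform.example) is a placeholder.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible link text that looks like a URL or bare hostname, e.g. "my.shuttelportal.nl/new-card".
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def host_of(url_or_text):
    """Lower-cased hostname of a URL; bare hostnames are accepted as well."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def mismatched_links(html):
    """Links whose displayed host differs from the host the href really points to.
    Returns a list of (shown_host, real_host)."""
    parser = _LinkCollector()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        if LOOKS_LIKE_URL.match(text):
            shown, real = host_of(text), host_of(href)
            if shown != real:
                found.append((shown, real))
    return found


def suspicious_sender(from_header, org_name, org_domains):
    """True when the display name claims to be the organisation but the address
    is not on one of the organisation's own domains (the 'external address' red flag)."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    return org_name.lower() in name.lower() and domain not in {d.lower() for d in org_domains}


# Constructed sample body modelled on the Shuttel mail described above.
SAMPLE_HTML = """<p>Dear Employee,</p>
<p>Apply for your new card at
<a href="https://fbdecbh.r.af.d.sendiobt2.com/tr/cl/example-id">my.shuttelportal.nl/new-card</a>
or read the <a href="https://my.shuttelportal.nl/faq">FAQ</a>.</p>"""

# Constructed sender headers: the survey mail (external platform) and a genuine internal one.
SURVEY_FROM = "Ministry of Example <survey@mailing-platform.example>"
INTERNAL_FROM = "Ministry of Example <editors@example.gov.nl>"
ORG_NAME = "Ministry of Example"
ORG_DOMAINS = ["example.gov.nl"]


if __name__ == "__main__":
    for shown, real in mismatched_links(SAMPLE_HTML):
        print(f"link text shows {shown} but points at {real}")
    for header in (SURVEY_FROM, INTERNAL_FROM):
        print(header, "->", "external sender using our name" if suspicious_sender(header, ORG_NAME, ORG_DOMAINS) else "ok")
```

Note that the FAQ link is not reported: its visible text is a word, not an address, so there is nothing for the reader to be misled by. The check only fires when the mail itself shows a destination that does not match where the link goes, which is precisely what hovering over the link revealed.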

Things can also go wrong the other way. Employees received an email from a foreign address, without subject and text; it only contained a vague link. You would think: this can't be right, wouldn’t you? Despite this, fifteen colleagues clicked on that link. Our security systems blocked it, so we know who clicked. I have spoken to some of these colleagues. They told me stories that make me understand how someone could be “stupid enough” to click. Most poignant was the case of a manager of a colleague who had recently died – and this colleague's surname matched the sender's name. The manager therefore thought that the family was seeking contact. In another case, the mail also contained the addresses of someone's brother (with whom he has long lost contact) and of another acquaintance. It is likely that hackers captured address books and made good use of them when compiling the mail. So it's way too easy to say, how could one be that stupid. Their actions were not stupid, but humane. It saddens me that criminals undermine that humanity.

And so it is quite a mess in terms of security awareness. My typo wasn't that bad after all.


And in the big bad world…



2023-06-09

Pippi Longstocking


Image from Pixabay

“Pippi Longstocking follows you and invites you to connect.” If you don't recognize this text, then you are one of the few readers who are not on LinkedIn, I think. If you are a member, then I have two questions for you: how do you respond to such invitations and how would you respond better?

For your convenience, the invitation mentions that you and Pippi have some mutual friends: Tommy and Annika. That should serve as a kind of reference. However, I don't trust that, especially since I once asked a colleague how he knew such a Tommy or Annika. “Who?” was his telling response. Many people blindly click the button to befriend the new contact.

LinkedIn, the Facebook for professionals, like all social networks, benefits from a growing number of members. They therefore make it extra tempting to click on 'yes': Pippi only asked if you wanted to be friends, LinkedIn added Tommy and Annika on their own initiative. But who is that Pippi anyway? You can already view her profile before accepting her friendship. If Pippi Longstocking, as we all know her, were on LinkedIn, her profile would look something like this. Job Title: Boss. Company: Villa Villekulla. Education: none. Knowledge: everything. Skills: being strong and rich. Number of connections: millions.

On LinkedIn I found three accounts under the name Pippi Longstocking. Those accounts have a lot in common: one or no followers, never posted a message, no photo and a very empty profile at all. One of them claims that she graduated from Harvard Business School in 2016 and is the founder of a candy factory in Kansas. Number two is the boss of a sportswear and accessories company in California and the third is a self-employed menu planner in England.

I have no idea what the point of these accounts is, but I do have an idea of what one can do with fake accounts. The platform has been reported as a highly prominent tool of phishing cybercriminals. LinkedIn explains it this way: “Fraudsters may use a practice called phishing to try to obtain your sensitive data such as usernames, passwords, and credit card information. These fraudsters impersonate legitimate companies or people, sending emails and links that attempt to direct you to false websites, or infect your computer with malware.” And they provide even more information and examples of LinkedIn-related phishing.

The three Pippi accounts I found are far too bare-bones to be used for phishing purposes. Real fake accounts usually contain an impressive profile, which makes them appear realistic. The photo shows a pretty young lady rather than an ugly guy. And often those photos are fake too: last year, researchers at the Stanford Internet Observatory discovered more than a thousand artificial intelligence-generated profile photos on LinkedIn. Sigh – now you not only have to recognize phishing mail, but you also have to learn to recognize AI photos. And that's not easy, especially with stamp-sized photos. In addition, fake accounts paint the image of a highly experienced professional in your field. Basically, you see someone you'd like to add to your stamp collection.

Incidentally, phishing is not the only thing you can do with this. Connecting via LinkedIn can also be used more broadly for social engineering – hacking the human – with the aim of getting someone to hand over information or do certain things. At first there may just be some (professional) chitchat, which then gradually moves on to topics that your employer might prefer you not to talk about.

Back to the questions at the beginning. Do you blindly accept connection requests? And if so, what do you think about it after reading this blog? I handle them this way: I always accept requests from colleagues (after checking whether they are really colleagues), and I only accept other people if I have met them in real life before. That's what it says in my profile. Not everyone reads that – I decline some connection requests every week. Very rarely will there be a criminal among them, but at least I keep them out this way, too. Does that mean I have fewer connections? Yes, but so what? And if you would like to read the Security (b)log on LinkedIn, you can simply follow me.

And so, dear intranet editor-in-chief, Pippi Longstocking made it into a work-related blog (-;


And in the big bad world…




2023-06-02

Metaverse


Image from Pixabay

We once referred to the internet with the term “the digital highway”. It was the time of 14k4 modems and - if you were lucky - ISDN lines, and compared to today you should have spoken of a digital service road. You regularly found yourself stuck in traffic or having a breakdown along the road. But now there is the metaverse: a virtual 3D world, a parallel universe, whether or not integrated into the real world, in which you can fully immerse yourself and interact with other people and companies.

This sounds very familiar to fans of the science fiction series Star Trek: as early as the late 1990s, Captain Jean-Luc Picard, Number One Will Riker and the rest of the crew used the so-called holodeck for recreational and training purposes. There they trained in a safe environment for situations they would later encounter in the real world. The metaverse, however, does not work with holograms and force fields, but with 3D glasses and augmented reality (Wikipedia: an interactive experience that combines the real world and computer-generated content).

Winn Schwartau was in the Netherlands a few weeks ago. He is an American security analyst and a thought leader in my field. He came to Utrecht to share his view on the metaverse, and that was certainly not a rosy picture. Just look at the following quote: “We are digitally terraforming the future cognitive infrastructure. We have ONE chance to get it right.” Terraforming is what you do on an alien planet to make that planet habitable - literally forming an Earth. Schwartau applies this mechanism to our future knowledge infrastructure and believes that we should be very careful what we do.

Why these concerns? Schwartau calls the metaverse the most powerful reality distortion machine ever. You choose your own reality, in which you can then be indoctrinated, radicalized and bombarded with advertisements. He emphatically warns of the danger of addiction. I've never been addicted to anything myself, but I can understand that alcohol, drugs, and the metaverse all provide ways to escape the reality where you may not be doing so well. Schwartau substantiates his view with data from neuroscience: our subconscious mind processes data many times faster than our conscious mind – two hundred million times faster. About 84% of that processing capacity is used for seeing, hearing accounts for 10% and then there is still a little left over for smelling, tasting and feeling. If you provide someone with 3D glasses and bombard their subconscious with all kinds of stimuli, while they feel they are doing something fun, you can strongly influence that person. And make them an addict.

And then suddenly the term metawar appeared on the screen. Wait a minute: the metaverse is still in its infancy, but a war is already raging? In the non-English-speaking world, ‘war’ is understood exclusively as armed conflict between nations, but (especially in the US?) it also means struggle or fight, as for example in the war on drugs. Schwartau distinguishes three classes in this struggle: personal, corporate/commercial and nation-state. The stage for the personal battle is the gaming and advertising world, where deceit lurks. In the commercial world we have to fear deep surveillance capitalism, indoctrination of employees and the end of privacy. And at nation-state level, we are threatened by religious extremism, political radicalism and brainwashing.

Disinformation plays a role in all three classes of metawar. To defend ourselves against this, Schwartau advocates three developments: ChatGPT detection (what is real and what has been made by artificial intelligence?), deepfake detection (is that picture, film or sound fragment real?) and teaching critical thinking. I wholeheartedly agree with the latter in particular: use your common sense, and remember that if something seems too good to be true, it usually is.

To end on a somewhat positive note, I don't think the metaverse is any worse than the 'regular' internet. After all, the old incarnation is also widely abused. But with Schwartau's story in mind, I do think that the bad guys in the metaverse have a lot more potential to do evil, because they have much more direct access to your brain - and especially your unconscious. I'd say enjoy it, but watch out crossing the road.


And in the big bad world…



Gyro Gearloose

Image from Pixabay

Gyro Gearloose is a crane after my own heart. He can invent a genius device to order, or he has something lying around ...