2023-08-25

Resistance is futile

 

Starship of James T. Kirk, Jean-Luc Picard's predecessor.
Image from Pixabay

“We are the Borg. You will be assimilated. Resistance is futile.” These three sentences gave the crew of the USS Enterprise starship, led by Captain Jean-Luc Picard, a lot of headaches. No, don't drop out now if you don't like Star Trek! As so often, my blog is ultimately about something completely different.

The Borg are a collective life form, consisting of many beings who share one consciousness and therefore no longer have a will or personality of their own. They move through the universe and violently assimilate everyone who can contribute to their pursuit of perfection into their collective. They are very powerful; that is why they tell you right away that it is useless to oppose them. The Borg grow in power as the biological and technological characteristics of their subjects are added to the collective. All Borg are equipped with various technological implants - they must of course be recognizable to the viewer. When they have nothing to do, the Borg are stowed away in a regeneration alcove. While the body is in a kind of sleep, the brain is used for collective tasks.

That's all nice on TV, but in real life living in such a society would be horrible. Although sometimes I wish certain people had a little more collective intelligence and decency. But yes, certainly in Western society we value individuality above everything else, and that includes differences in intelligence and behavior. To some extent that diversity is great; if it becomes willfully extreme, it can hinder a pleasant society.

Artificial intelligence (AI) is on the rise. As a kind of consumer version of AI, ChatGPT has quickly established itself in our society. Many people understand that such a tool can greatly facilitate their lives. Just think of pupils and students, who eagerly use it – often to the sorrow of their teachers. Incidentally, AI detection tools are also being developed, enabling teachers to check whether someone is submitting work that originated from biological or artificial intelligence. ChatGPT is a 'large language model', which I find difficult to understand. But things got a little clearer earlier this week when a colleague asked me what the term is for a particular phenomenon. I didn’t know that off the top of my head either, so I consulted Google, which also yielded nothing. A language model is much better at understanding what you actually mean to say than a search engine, and ChatGPT came up with the right term.

AI is like dynamite: invented with the best of intentions, often used maliciously. We still got the Nobel Prizes from that. ChatGPT and its ilk follow the same path. You can ask them to look for a security hole so you can close it, but you can also use that to break in. And so lately we often get asked whether we should limit the use of ChatGPT in our organization.

Maybe you shouldn't put such a question to an information security officer. We will perform a risk analysis and, by definition, look at it from the starting point: what could go wrong? Well, I assure you AI is going to come out of that as a major threat. Subsequently, you have to do something with all those identified risks. You may be able to mitigate some of them, and management may accept other risks. With all that, however, we are looking only at the bad side, while AI can also be a blessing. I don't want to be the one who stops the introduction of the steam train because it can travel so terribly fast.

A wise long-retired colleague used to say: “A measure without control is no measure.” I may have control over which websites you are allowed to visit with your work laptop and keep you away from ChatGPT, but I can't prevent you from using private devices to do so. At least, not technically; we have all sorts of rules for this from an organizational point of view. And then I can only hope that you know them and that you stick to them.

We need a policy for applying artificial intelligence to our work. From a security perspective, the leakage of information must be taken into account if (too) specific questions are asked of an AI tool. By the way, you can just as easily leak information via search engines. Perhaps AI is not so special for information security officers after all. In any case, it is pointless to resist it: it is there and it will not go away. But it is important that we know what is real and what comes from the collective brain of the computer.

 

And in the big bad world…

 

2023-08-18

Surprising security

 

Photo by author

If you're going on a long trip, you can't pack clean underpants for every day. We did not seriously consider the option of turning a pair inside out after use and wearing it again the next day. No, really.

Fortunately, many hotels have a guest laundry. That is always a hassle. For starters, you usually need coins in the local currency. I had the ambition to make this a cashless trip. At our hotel in Seattle, I miraculously got away with this: the front desk manager asked how much we needed, pulled out his purse, and gave us the quarters we needed. In another hotel we could pay with a credit card. But most of the time we really needed coins. It left me with a colorful collection of international change.

But tumble dryers are also a hassle. Usually you have three options, which do not match the options in my mother tongue: cold, permanent press and hot. The first does little to help, while with the latter one might expect to end up with gnome clothes; at home we only throw towels in the dryer, which makes that option extra scary when you are traveling. That word "permanent" in the middle option also sounds pretty definitive, but since it's the middle option, it must be okay. At least, that’s what we thought. The laundry still came out clammy. Even after one more round. And that all takes time that you actually wanted to spend on tourist activities. And you can’t just leave: you keep the machines occupied, or you’ll find your laundry in a corner somewhere upon your return, while you have no idea who and what touched it. Ugh.

A hotel in Tokyo tackles this mild form of fear of contamination in a striking way. Their combined machines (washing and drying, already a godsend for tourists anyway) are equipped with a code lock. When you start your laundry you have to think up a code, and you will only get your laundry back after entering that same code. This way you are assured that nothing and no one can access your belongings. Of course, you are not supposed to keep the machine occupied all day long. But at least your laundry is safe.

That's security where you do not expect it, but are happy with it. Do we have something similar in ICT? I thought about it for a long time, but I couldn't come up with anything. This is probably because in ICT we expect a lot from security and we would be surprised if it was not implemented these days. Even in situations where you find security a nuisance, you resign yourself to it – it's normal.

There are still plenty of opportunities. IoT equipment (the Internet of Things) still too often lacks proper security. We now have quite a few of those things at home. The dishwasher, the dryer, the solar panels, the air conditioning and the sound system: they all talk to our phones. But once installed, none of those devices ever ask: who are you? The solar panels only provide data, but I can instruct the other devices via my smartphone to do something or to stop doing so. And a hacker can do damage with that. Turn the stereo to max volume when no one is home and you're bound to have a neighborly fight. Dishwashers and tumble dryers may overheat or leak water if operated inappropriately. Fortunately, we don't have a smart kettle or toaster, because overheating is much easier to achieve with such devices.

IoT device manufacturers need to do better. “The letter S in IoT stands for security.” Yes, exactly: that letter is not in the abbreviation at all. What also doesn't help is the absence of a security section in the manual for devices that want to connect to my home network. The inner workings of the security are explained nowhere, and I'm afraid that I already know why that information is missing. Meanwhile, all those devices know the password of my network.

What can you do yourself? If a "progressive" device has a password, change it immediately upon installation - otherwise the entire world will know your password. You could also place IoT devices in a separate network, for example your guest network. This prevents an intruder from accessing your data. Then again, many devices only communicate with your phone if they are on the same network. But with that phone I want to be on the trusted network, not on the untrusted network on which I allow everyone.

There is still a lot to be done in the field of IoT security. Surprise me.

 

And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

 

2023-08-11

Airport Security

 

Image from Unsplash

At Schiphol Airport, you can happily bring your water bottle through security. In Houston you have to take off your shoes. In Vancouver, you must remove the liquids bag from your hand luggage, and in Honolulu, all your electronics must also be removed from your carry-on bag. Unlike elsewhere, in Tokyo your trolley doesn’t travel through the X-ray in a tray. In Singapore you can go to the faster line with your EU passport, with do-it-yourself passport control. And in Dubai you even have to take off your watch. And the iron smoked sausage - well, that's a special case.

I went on a big trip this summer with my family. That involved going through the hassle of airport checks many times before reaching our seats. Frankly, I don't know if I've assigned the right rules to the right airports above; only about Schiphol and Singapore am I still sure. The point is that there are quite a few differences. And as a result, as a casual flyer you never know where you stand. What do they want unpacked on the X-ray belt? Can I keep my shoes on? Am I going to forget something on the other side because everything is scattered? And all that under the often grumpy looks of security staffers (fortunately there are also exceptions) and the pressure of the travelers behind you, who also want to get through this hell quickly, put their shoes back on, suspend their trousers with their belts and mount their backpacks.

How easy would it be if procedures and rules were the same everywhere. If you knew in advance where you stand. I have to show my passport there, they want to inspect the boarding pass there, I don't have to take off my shoes and I don't have to unpack anything. Take off your belt, because a metal buckle sets off the alarm. Such simple rules, which you are already presented with when booking your flight, could improve the flow at many airports and reduce traveler stress. The same also applies to matters that are not related to security, such as exactly how much hand luggage is allowed (right now that differs at least per airline, aircraft type and the class booked), the check-in procedure and the seat allocation: sometimes you choose yourself in advance – which may cost you (dearly) – sometimes you can make adjustments at check-in, sometimes you as a family are apparently deliberately spread over the entire plane (you should have paid for those next-to-each-other seats, you know).

How are we doing in that respect in information security? As a user, do you always know exactly where you stand in advance? Or are you often surprised by other rules? Let me start with myself for convenience. It will not surprise you that I rarely run into unexpected rules. I know the regulations; I have often contributed to them myself. If I don't get what I want, I understand why and I know what to do. But let’s have a look at you now, as an 'ordinary' user (as in: not a security professional). You use several systems. With one you do not have to log in at all, with the next it happens automatically (single sign-on), with yet another system you have to log in with your Windows password and then there are also systems for which you have a separate password. You know how your everyday systems work. But if you only use some application or website occasionally, it might seem strange to you when you're asked for your Windows password. Is that okay? Yes, it is, as far as an internal system or an internal application is concerned. Briefly explained: those are connected to the Windows user administration (the so-called Active Directory), which is why they ask for your Windows password. Of course, if an external system asks for your Windows password, that's bad! The tricky thing is that sometimes you don't know whether a system is internal or external. Think of that app that you use for work.

Sometimes you want to go to a website and you are not allowed to go there. Others you can visit freely. There is a system of categories behind it. Our supplier scours the entire internet and puts each website in one or more categories, for example government, education, gambling or pornography. As an organization, you set which categories you want to block. As a normal internet user you will not often encounter blockages; however, for gambling or porn, and a few other categories, you'll need to go elsewhere.
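The two rules of thumb above (only an internal system may ask for your Windows password; a website is blocked when any of its categories is on the organisation's block list) can be written down as small checks. The following Python is an added illustration, not code from the blog or from the filtering supplier it mentions; the category feed, the blocked-category list and the internal domains are constructed, hypothetical values. Note that a site can carry several categories, so a news site that also carries a gambling tag is blocked if gambling is blocked.

```python
"""Two user-facing policy checks described in the post, as added example code.

1. is_internal(): may this host legitimately ask for the Windows (AD) password?
2. decide(): category-based web filtering: the supplier tags each site with one
   or more categories, the organisation picks categories to block, and a request
   is blocked when ANY of the site's categories is on the block list.

All domains, categories and policies below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed: the organisation's own domains. Only systems under these
# should ever be given the Windows/Active Directory password.
INTERNAL_DOMAINS = {"corp.example", "intranet.example"}

# Constructed stand-in for the supplier's category feed (hypothetical sites).
CATEGORY_FEED = {
    "tax.example.gov": {"government"},
    "campus.example.edu": {"education"},
    "bets.example.net": {"gambling"},
    "casino-news.example.org": {"gambling", "news"},  # two categories
}

# Constructed organisation policy: the categories it chooses to block.
BLOCKED_CATEGORIES = {"gambling", "pornography"}


def host_of(url: str) -> str:
    """Lowercase hostname of a URL; a bare hostname without scheme is accepted."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_internal(host: str, internal=INTERNAL_DOMAINS) -> bool:
    """True when host is one of the internal domains or a subdomain of one.
    Matching on the label boundary ('.' + domain) keeps look-alikes such as
    'corp.example.evil' or 'evilcorp.example' from passing as internal."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in internal)


def lookup_categories(host: str) -> set:
    """Categories for a host, walking up parent domains so that a subdomain
    inherits the classification of its registered domain."""
    labels = host.split(".")
    for i in range(len(labels) - 1):  # never match a bare top-level domain
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_FEED:
            return set(CATEGORY_FEED[candidate])
    return set()


def decide(url: str, blocked=BLOCKED_CATEGORIES) -> tuple:
    """Return (verdict, blocking categories) for a URL.
    verdict is 'block', 'allow' or 'uncategorised'; the last one is left for
    the organisation to decide on, since an unknown site is neither proven
    safe nor proven harmful."""
    cats = lookup_categories(host_of(url))
    if not cats:
        return ("uncategorised", set())
    hits = cats & blocked
    return ("block" if hits else "allow", hits)


if __name__ == "__main__":
    for u in ["https://hr.corp.example/login", "https://corp.example.evil/login"]:
        print(u, "-> may ask for Windows password:", is_internal(host_of(u)))
    for u in ["https://tax.example.gov/forms", "http://www.bets.example.net/",
              "casino-news.example.org/today", "https://unknown.example.com"]:
        print(u, "->", decide(u))
```

The internal check deliberately compares on a label boundary rather than with a plain substring test, and the filter returns a separate "uncategorised" verdict instead of silently allowing, so that what happens with unknown sites is an explicit policy choice rather than an accident of the code.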

Perhaps there are more situations in which you think: that could be a bit clearer. I'm curious about that.

When scanning my hand luggage at Schiphol, the security guard said: “I have seen something in your luggage that I have never seen before. It looks like a smoked sausage made of iron.” Of course my carry-on had to be opened and the culprit came to light: a phone holder for the dashboard of the rental car. That holder consists of a platform, on which the actual holder is placed with a suction cup. The contraption sits on the dashboard and must of course have sufficient weight not to slide. That's why it has a U-shaped weight, which looked like an iron smoked sausage on the scanner image.

 

And in the big bad world…

 
