2023-09-29

Creative solutions

Image from Pixabay

Professor Barnabas was kind enough to lend me his time machine. I take you back to the 1990s and we land at the Walterbos campus in Apeldoorn, the Netherlands, at the time the only location in this city where we had an office. The two highrise buildings were not yet there, nor were the underground passages – if you wanted to get from one building to the other, you had to go outside.

The company restaurant, which at the time we simply called the canteen, was located where tower H now stands, next to building G. The canteen had a tiled floor and a wooden ceiling; the laths were half an inch apart and above them was black cloth. At a certain point, that ceiling was replaced by a smooth, closed ceiling. It looked fresh, but had an unpleasant side effect: the acoustics of the canteen had deteriorated enormously. In the old situation, the sound was partly absorbed by the open ceiling; now everything was reflected. The canteen had become very noisy and that was certainly not pleasant.

A while later the floor was fitted with carpet tiles. I don't actually know whether that was an acoustic measure or whether this adjustment was planned anyway, but I always suspected that this was intended to compensate for the damage caused. The problem, which was caused by the adjustment of the ceiling, was solved on the floor. And it worked. But how well thought-out are carpet tiles in a canteen? Spilled tomato soup on a tiled floor is no problem. It becomes an ugly stain on carpet.

Back to the recent past. Last summer it was very hot, on occasion. So hot that the equipment in a technical room on our floor had a hard time. Such areas are equipped with additional access security – only authorized personnel can enter. But because melting equipment was not such a good idea, they had a mobile air conditioner brought in and placed in the doorway. The warm air from the technical room was blown into the office space. Problem solved. Or was it?

Followers of outside-the-box thinking may love those carpet tiles and the air conditioner. I personally tend more to solve problems where they arise. Poor acoustics due to a closed ceiling? Do something about the ceiling. Overheated technical room? Provide cooling inside that room. Especially if an outside-the-box solution has unpleasant side effects, such as a stained floor in the canteen. Or how about compromising the security of a technical room, in combination with heating up an office space that was already quite hot?

If the ideal solution is not quickly available, I understand why an alternative is chosen. But if you introduce new risks, you must take compensatory measures. Once upon a time, at that old Walterbos campus, summer also got just too hot. Then the doors of the computer center were opened, and a security guard was stationed at each door. No one was sitting at the open door on our floor. The irony of this happening where the security team is located...

Sometimes you cannot avoid solving problems somewhere other than at the source. Suppose your organization wants to put data in the cloud. But because that is someone else's computer, you see unauthorized access to your data as a risk, partly due to the fine American legislation and the fact that you almost by definition do business with the US when you go to the cloud (remember, this blog post comes to you from Europe). Then you can only do one thing: protect your data in such a way that it is of no use to anyone who gets their hands on it. Encrypt your data, and do so in such a way that no one except your organization has the key. If the cloud supplier does not have the key, he cannot hand it over, no matter how angry a government or law enforcement agency becomes.

Managing your key yourself makes things a lot more complex, and you also get less value for your money: because the cloud supplier cannot read the data, they cannot provide certain functionality (think of all kinds of statistics that would be quite interesting to your organization). If you do it all yourself and get fewer functions, that will make a difference in the price, I hear you think. That's right, but in exactly the wrong direction: it becomes alarmingly more expensive, as we experienced in a recent tender.

There may be no or fewer Security (b)logs appearing in the coming weeks due to a conference and days off/holiday.

And in the big bad world...

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

2023-09-22

Mr. Bean wants out

Image from Wikipedia

Britain has produced some great comedians, and Rowan Atkinson is undisputedly one of them – especially in the role of Mr. Bean, from the 1990s. This silent, cunning bumbler still makes me laugh.

Like in this video, in which he thinks the parking garage rate is a bit too high and thinks of all kinds of ways to get past the barrier for free. Now go watch that video first – spoilers follow.

To be able to leave the garage for free, the barrier must be raised. This usually happens when a car drives in or out. Mr. Bean waits like a predator for the right moment and eventually strikes successfully with his Mini. For my further story, it is a bit of a shame that he does not drive out right behind another car, but instead takes off via the entrance, forcing the car that wants to enter into reverse.

The word tailgating means driving dangerously close behind another car. In addition, North America also has tailgating parties: parties where people gather at the open tailgate of their cars, barbecuing and drinking. But of course those are not the meanings I want to talk about here.

In security, we have adopted the term tailgating for unauthorized entry into a secured area by means of closely following someone, thereby free riding on that person's access rights. Take smokers, for example, who congregate at the back entrance of their business. When they are done, they go back inside. Just then someone walks up and acts like he belongs there, and there's a good chance they'll hold the door open for him, especially if he's carrying a large box and has his hands full. This practice is also called piggybacking.

I don't know all our offices, but where I have visited, electronic turnstiles were installed everywhere to keep out unauthorized persons. They open after reading your valid ID card and they close behind you quite quickly. It is almost impossible to sneak in with someone unobtrusively. And keeping the gate open for someone – if you would even consider doing so – is not really an option either. I do remember a building in Utrecht where the gates were open for months, if I remember correctly because they were incompatible with our access passes. Maybe they were still the gates of the previous occupant.

We also have entrances with revolving doors. Present your card, step into the revolving door and it gently sweeps you inside. One person at a time; if two persons step in, it starts beeping and turns the other way around, so you're outside again. How does that revolving door know that there are two people in it? Because of the weight. We have an anecdote going around about a revolving door that had to be adjusted because a big colleague kept getting spat out. I just hope that such an adjustment cannot be made from the outside by unscrewing a panel and turning a knob a little.

In an internal poll, no less than 78% of participants indicated that they are aware of the security risks of tailgating. Anyway, for that remaining quarter, and for those who did not vote: what are those risks? Suppose you arrive home, open your front door and notice that a stranger wants to come in with you. You probably don't like the idea. And that's how it works at work, too: you fundamentally don't want any unauthorized strangers inside. What is their purpose? Stealing, hacking, collecting information, who knows, even committing an attack? (Yes, sorry, I'm paid to think doom.)

Sometimes there is little you can do yourself about tailgating. When I arrive at my office by bike, the sliding gate opens when I present my card to the reader. Once I'm through the gate, it takes quite a while before it closes again. I often take advantage of this myself by cycling in behind a colleague. There are often smokers right outside that gate; who tells me that there won't be someone there at some point who doesn't belong there at all? (Side note: could you please stand a little further away from the gate? I now always have to hold my breath when I'm waiting in front of the gate, because I don't want to inhale your smoke. Thanks in advance!)

Fortunately, our physical security consists of several layers. The fence may be a relatively weak barrier, but that's not all there is. The aforementioned gates, revolving doors, not to mention receptionists and security guards, do their best to keep unwanted people out.

And in the big bad world...

2023-09-15

Do it yourself

Image via flightaware.com (some parts of the flight are missing)

Our son will soon start his training as a commercial pilot. We still owed him a gift for obtaining his pre-university education diploma and we turned it into an airy outing.

Teuge Airport is just around the corner (officially called International Airport Teuge, but that name might be a tad over the top). A company on the airfield offers trial flying lessons. And it may seem a bit odd to have someone who will start professional pilot training next month make an amateur flight, but we would all like to experience a little of what he will soon be up to. The only problem was that there are four of us at home and the Cessna 172 they are flying is a four-seater. And we definitely wanted to have someone on board who had already completed their pilot training. To ensure that no one was left out, we arranged not one, but two planes. And in that second plane I sat in the front right seat yesterday.

That was a very interesting experience. I enjoyed it, and my son did too – he was already super motivated and that fire has only been fueled further. As always, I was in security mode during this outing. As you might expect, safety is a central theme in aviation, and general aviation is no different. However, it is interpreted differently there: it is mainly a matter of do-it-yourself. There is no traffic control. Each pilot talks into the radio about what they are going to do, so that other traffic is aware of it. And at the airport someone is also listening to the radio, but that isn’t an official air traffic controller.

On the way to runway 08, pilot Tommy parked his 1970s Cessna at a 45-degree angle on the taxiway, so he could get a good look in the direction incoming traffic might be coming from. A plane was indeed coming, and Tommy had to judge for himself whether he could take off before that plane. He also had to take into account that another plane was just taking off. It didn't fit, so we had to wait a while. Once in the air, the pilot had to be constantly alert for any other air traffic. Other than that, it's not all that complicated – a bit like driving a car, but in 3D, because you can also go up and down. Moreover, time passes faster: one moment we were flying above Het Loo Palace on the north side of Apeldoorn, a few minutes later we were already above our neighborhood on the other side of the city, where we flew an extra round in order to spot our house (which was quite difficult).

Because there are rules about the flight route to Teuge, landing is quite orderly. You arrive from the south, make a left turn, followed by a right turn twice and then you are neatly aligned with runway 08. The unofficial air traffic controller requested another plane to make a longer run because parachutists were about to jump, but we could still land straight away. Tommy was shocked for a moment when he slammed the brake pedals, because the wheels of the plane locked up. He had to apply the brakes a little more gently; the runway was long enough anyway. And so everyone was safely back on the ground (well, the ladies in the back had gotten a little nauseous).

In information security, we do have a kind of traffic control to some extent. This consists of all kinds of systems that ensure that we do not end up in 'turbulence', for example on suspicious websites. Still other systems provide a secure 'flight path' by encrypting connections. And the virus scanner somewhat compares to the security checks at the airport (I wrote about that recently): just as the virus scanner keeps bad software out, those checks keep bad passengers on the ground.

But indeed, that all only works to some extent. From there on, we also start with a bit of DIY. Pay close attention to everything that flies by, don't be eager to land just anywhere and don't accept sweets from strangers. You are that pilot who has to pay close attention behind your keyboard or mobile screen. You can rely on various safety systems, but you must also realize that your behavior partly determines how the flight proceeds. And in case you feel insecure: there is always a co-pilot next to you with whom you can discuss. This could be a teammate, your manager, the service desk or a security officer. Together we ensure a safe flight through the digital airspace.

And as the Germans put it so nicely when they have just experienced something wonderful: nur fliegen ist schöner (only flying is more fun). My son is indeed going to learn a fantastic profession.

And in the big bad world...

2023-09-08

Copy keys

Photo by author

Do you remember Mister Minit? In my memory, they were those kiosks in department stores where you could have shoes repaired and spare keys made. In that same memory I see the logo, a man in a red jacket, making an inviting gesture. To my surprise, Mister Minit still exists. Nowadays he wears a blue polo and has only three stores in the Netherlands. It is much larger to the south and east of our country. And he has learned something new – he now also repairs your watch and engraves your name on a pen or nameplate.

In Australia and New Zealand Mister Minit is really big, but I don't know if he ever made it to the US. Anyway, the Americans have another solution for copying keys: vending machines. The company Minutekeys (hey, I see a similarity!) has kiosks in the entrance of large supermarkets, such as Walmart. These machines can copy home, office and padlock keys. Keys marked 'Do Not Duplicate', school building keys or other keys subject to a restriction will not be copied.

It is of course my professional deformation that makes me immediately wonder what could possibly go wrong here. When I first saw such an automaton, I jumped into that mode right away. A machine where you can have a key copied completely anonymously – you can even pay with cash – offers prospects for malicious parties. Of course, that's not what those machines are intended for at all; they are there to let you copy keys to locks that belong to you. But is it so far-fetched that someone 'borrows' a key, has it quickly copied and puts the original back? You are at the gym, someone visits the locker room, picks up your home key and stops by one of those machines. He was observing the gym beforehand, so he knows whose bag the key was in. After your workout, he follows you home. Now he knows where you live and he already has the keys to your house. He just has to wait for a good moment to empty the place. Other scenarios are welcome (for research purposes only).

As loyal readers know, this blog often starts with a real life situation, which I then twist towards information security. That's not always easy; sometimes I start writing and meanwhile wonder how on earth I can divert that situation into my field of expertise. That also bothered me a bit today, but eating an apple solved it. I can't write while eating, but I can read. And so I started reading some articles for the section And in the big bad world… So it turned out that an article appeared two days ago about someone from Boskoop, who had bought keys to the password vaults (password managers) of over a thousand people on the dark web. This granted him access to the passwords of all the accounts that someone had in there: e-mail, online stores, you name it. He could order stuff and remove the order confirmations from the email, so that no one would notice. Only the victim's bank account showed the orders.

Does that mean that password managers are not safe after all? Well no. The passwords of those vaults were stolen using malware. If you have a computer or mobile device without a good virus scanner, you run the risk of infection. Criminals can then install malware that captures your password manager's master password when you open the vault yourself. So it is not the vault itself that is unsafe – it is just that the vault is in an unsafe environment. If you place a real safe in the public space, you shouldn't be surprised if some people look over your shoulder when you enter the code.

Here's my periodic call to ensure good protection against malware. That doesn't even have to cost you money. For example, the virus scanner built into Windows (Microsoft Defender Antivirus) performs well – but only if you have not turned it off. There are also excellent free and paid apps available for Android devices (which you will of course only install from Google Play). I definitely recommend securing your Android device with one. iPhone and iPad users still have to rely on the inherently secure ecosystem that Apple believes it has for these devices; there are no virus scanners in the App Store (but there are numerous other security apps).

Accessing your password manager with your fingerprint instead of with your master password also helps prevent illegal access. Mister Minit and the Minutekeys vending machines cannot yet copy that.

And in the big bad world...

2023-09-01

Virtual Confidence

Image from Pixabay

Information security is a matter of trust. That may sound strange, because you are used to the fact that in the digital world we have to distrust everything and everyone (we even use the term 'zero trust') and that we base our security on what can go wrong. But ultimately you have to rely on the people, procedures and products that together build your security. It is sad when that trust is betrayed.

If you use the internet, you don't want snoopers around. At home, most of us rely on our ISP to behave properly. When you are away from home, however, you suddenly have to deal with all kinds of other parties that offer you internet access: shops, restaurants, hotels, airports, you name it. You have no idea who is behind it and whether those parties can be trusted. Fortunately, there is a technical solution for this, called VPN: Virtual Private Network. A VPN creates a secure 'tunnel' through which only your internet traffic passes – hence the name: it seems as if the internet has become a private network, just for you.

In effect, you are transferring your trust from the internet provider to the VPN provider. Without a VPN, the person who offers you access could watch; with a VPN, the VPN supplier could watch. Because the latter provides a security service, which you may even pay for, you trust that your internet traffic is in safe hands with them. Incidentally, you can usually choose not to use the WiFi of that restaurant or hotel, but your mobile data connection (4G/5G). This summer, however, we went on a trip outside Europe. Internet via our SIM cards would have been costly and that is why we wanted to be able to make good use of free WiFi. That's why I took out a VPN subscription for all the devices we took with us. That worked perfectly: no noticeable delay and a safe feeling everywhere. My less technical family members have not noticed anything and that is a good sign.

The trouble started when we got home. Two weeks ago I happened to notice that the VPN was off on my phone. Their app even claimed I didn't have a subscription. I checked it, just to be sure: I had really paid for two years. So I sent a message to the VPN supplier. Despite it being Sunday, a message quickly came back from the company: my subscription had been suspended due to suspicious behavior - their systems had detected that my account was being used for web scraping, which is against their terms of use. Web scraping is the automated ‘absorbing’ of websites in order to retrieve all the information there at once. This is interesting, for example, for a company that wants to know what its competitors are doing. And you may also collect information that is not actually intended for the public, such as a customer base.

I was quite angry about that response. They suspended me, a paying customer, without notice. Moreover, our devices were no longer protected and I didn't even know since when. And I was falsely accused. I asked for clarification and made it clear that I was not happy. This time the response didn't come until the next day, and it completely ignored my displeasure. They did not want to share more information about the incident, because that kind of information could benefit malicious parties. But they did give practical tips. My account password must have been leaked, they told me, and I was summoned to change my e-mail password as well. They also gave tips on strong passwords and how I could check if my credentials had been leaked (via haveibeenpwned.com, where I have been registered for years). But well, they had looked into my case once more and they were willing to restore my account.

In a new e-mail I once again said that I did not understand why they had not informed me about the suspension. And that I understood that they can't share information, but that they should be able to see for themselves that I didn't do anything wrong. And I also asked for compensation for the time they left us unprotected.

Again they kept me waiting for a full day. Then they were sorry I was dissatisfied, and thanked me for taking the time to provide feedback. They declined to share further information. My account was reactivated, but if this ever happens again, my account will be suspended forever, they threatened.

There are messages on Twitter from people with exactly the same story: after two months they were kicked out on suspicion of web scraping. Maybe this Panama company (that’s where NordVPN lives) should adjust their tools. In the meantime, my confidence in this security service has taken a big hit.

And in the big bad world…
