2023-12-15

Noise box for 007

 

Image from author

What do Desmond Llewelyn, John Cleese and Ben Whishaw have in common? Well, they all played the role of Q in James Bond films. You know, that grumpy man who provides Bond with all kinds of technical gadgets, such as shoes with a poisonous blade built into them, a lipstick bomb and a watch with a powerful built-in laser. Not that I'm a big 007 fan or a Q groupie, but I recently came across something special that wouldn't look out of place in the arsenal of a double-zero agent.

It looks like a sushi box, someone said. But a heavy one: the case weighs 600 grams (1.3 lb), partly because of the thick bottom and the equally thick lid. The lid closes hermetically, and the round thing on the front says automatic pressure purge. Inside you see a small switch, plus and minus buttons and a few LEDs. No, this is not a sushi box. This really is something from Q's lab.

If you turn on the device - because that is what it is - and close the lid, you hear noise. The volume buttons give you six settings; whichever you select, the white noise is audible through the closed box, and at the loudest setting it is downright annoying. As soon as you open the lid, the noise stops.

Have you figured it out yet? I'll just tell you. This thing is meant to hold your phone during confidential meetings. The noise ensures that an eavesdropper who has compromised your phone in order to listen in hears nothing but noise. And through the transparent lid you can see when something arrives on your phone, a message or a call for instance. That is the advantage of this box over a Faraday cage, which blocks all electromagnetic radiation and effectively creates an airplane-mode environment - although with a Faraday cage it cannot be ruled out that malware makes a recording and sends it later. The noise box takes the opposite approach: it does not stop a compromised phone from recording or transmitting, it makes sure that whatever is recorded is useless. In short, with this box you are reachable and uneavesdroppable at the same time. Wow.

I can picture it. James Bond in M's office, where M is about to reveal the next assignment. But first the phones go into a box like this one, because that meeting is, of course, top secret. And officials like those two are by definition a target for the kind of attackers who have the knowledge and resources to plant eavesdropping software (I'm thinking of our beloved state actors). And of course our film heroes must be reachable at all times, because their American colleague Felix Leiter may call with important news.

In real life, too, the market for this product will be the world of spies. Top industrialists and other people who know something that others would love to know will also be among the customers of the Dutch company that developed it. You are less likely to encounter it in an online store full of nice Christmas gift ideas, if only because it seems to be quite pricey.

In less exciting ecosystems they use a poor man's version of this high-tech device: a preserving jar. You know, one of those glass jars with a rubber ring and a snap closure, intended for preserving fruit and vegetables. Well, you can also put your phone in such a hermetically sealed jar, and it remains visible (but remove the food and clean the jar thoroughly first, please). Lacking a preserving jar, I cannot test whether this contraption is soundproof, but I do want to believe that using one is not pointless. If nothing else, awareness of confidentiality gets a boost when preserving jars suddenly appear on the conference table.

Happy holidays from Borsoi, Patrick Borsoi.

The Security (b)log will return next year.

 
And in the big bad world...

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

 

2023-12-08

USB condoms

 

Image from Pixabay

Customs wondered whether they could charge their mobile equipment at public charging points. That question reached our team, and when we discussed it all eyes turned to me: something for a blog?

Of course we could simply have answered: "No, don't do that!" (And I will definitely say that later on.) But it is much better to explain the ins and outs of the matter, and what alternatives there are. It would also be a shame to serve only my colleagues in the once green uniform, while this is important for everyone - including you, privately.

This is about charging via a USB cable, something you probably do every day with your phone or tablet. That includes Apple's iThings: the slightly older iPhones and iPads do not have a USB port but a Lightning port, yet what plug is on the other end of the cable, on the charger side? That's right, USB-A. And what is so dangerous about USB? Well, it can do more than just charge: it also carries data. Your printer may be connected to your PC via a USB cable, or your laptop to an external screen with one; proof that data passes through a USB connection. So what? Ah, now we're touching on my area of expertise. If data can flow somewhere, it can do so without you noticing. And that can have consequences for the confidentiality of your data, or that of your employer. Data can of course be anything: photos, contacts, texts, spreadsheets, you name it. All things digital.

Criminals know that too. Under the motto 'data is the new oil' (in other words: you can make a lot of money with it) they like to explore new paths. And what does that have to do with the public charging points Customs asked about? Well, such a public charging point is a USB socket on the train, on the bus, in a hotel room, you name it; you see them everywhere these days. Or it's a USB cable dangling somewhere. Sometimes you run into those small lockers for charging your phone (I even saw them once at a security conference...). The problem with all these generous electricity suppliers is that you don't know what - and who - is behind them. And here's the thing: something can be added to those sockets and cables, or plugged into them, that is more than just a charger. There are even cables on the market with a plug that transmits what it captures to its owner via WiFi. All this outlines the risk scenario: someone steals data from your device via a seemingly innocent, free charging option. The phenomenon even has a name: juice jacking. Your data is kidnapped via the power cable.

However, in more than nine out of ten cases such a public charging point will not be a problem at all. I don't see a hacker easily taking a train apart, hiding something in a USB port and then hoping that one day someone with important information will connect their phone to exactly that charging point. A power cord dangling from a well-intentioned pole in the city, or one of those charging lockers, is a different story, because those are much easier to tamper with. Those who do fall victim to such attacks are mostly targeted, because they possess specific information. When I talk about targeted attacks to my primary audience, I always mention two organizations: Customs and the FIOD (the Dutch Fiscal Information and Investigation Service). Both hold information that is interesting to criminals, and Customs officers certainly travel abroad at times, which makes things a little more exciting.

What can you do to avoid public charging points? Leave home with a full battery, and if you know you won't make it through the day, be prepared: bring your own charger and cable. Going somewhere without an electrical outlet? Then put a power bank in your bag, preferably a slightly more expensive one that charges your device quickly. If you really cannot avoid a public charging point, use a USB condom (or a juice-jack defender, if you don't like the former term). That is a small adapter that goes into your device and takes the public charging cable at the other end. A USB condom passes only power, not data: the data lines are simply not connected. A side effect is that charging may be slower, because some fast-charging schemes negotiate over exactly those lines. Never use a charging cable or charger that you found lying around; it may not have ended up there by accident. And if your device asks whether you want to transfer data or only charge (Android shows a USB preferences notification, an iPhone asks whether to trust the connected computer), choose charging only - and be suspicious if a mere charger asks that question at all.

Well, as predicted above, it comes down to this: just don't use public charging points. Nowhere, never, even if you are 'not important'. Apply that principle and you will never have to think about it again.

 

And in the big bad world...

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

2023-12-04

Quantum pathfinder

 

Photo Petra Wevers

The Dutch word 'kwantum' translates easily into the English quantum, meaning quantity, although I mainly think of a large quantity. That is probably because of the term quantity discount: buy a lot of something and it becomes cheaper. There is also something orange in my mind's eye, thanks to the Dutch home furnishings chain with the orange logo that once started under the name Kwantum Hallen ('Quantum Halls').

For some time now the word has been buzzing around the international IT community in its English spelling. It's all about the quantum computer, that strange machine that looks as if it came straight from the set of Back to the Future, with its system of elegant pipes that provide cooling. Because the quantum computer likes it cold: in the heart of the machine the temperature is about ten millikelvin, only a tiny bit above absolute zero (0 K, or roughly -273 °C; it cannot get any colder than that). 'Quantum' in this context does not mean a lot, but rather revolves around the smallest possible quantities.

In addition to its bizarre appearance and the conditions it needs to function, the quantum computer has another peculiar property. As long as computers have existed we have been used to the bit: a value that is either 0 or 1, with which the computer calculates. The quantum computer works with qubits, which can be in a superposition of 0 and 1, with any mix of the two. Until you look, because then the qubit has to show its colours and you read out either a 0 or a 1. Somewhat like Schrödinger's cat, which sits in a closed box and is therefore simultaneously dead and alive to an observer, until the moment he opens the box and determines the state of the animal. With qubits some calculations become very fast, because many possibilities are explored at the same time. While an ordinary computer follows the pattern 'if this is true, then do this, else do that', the quantum computer works on both branches and ultimately sees where it ends up. The outcome is probabilistic, so a single run does not always give the right answer; but the calculation is repeated and, for a problem like factoring, each candidate answer is cheap to check, so the correct one emerges.
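The 'both at once, until you look' idea above, written out a little more precisely (an added illustration, not part of the original post; the notation is the standard textbook one, not the author's). A single qubit is in a state

$$|\psi\rangle = \alpha\,|0\rangle + \beta\,|1\rangle, \qquad |\alpha|^2 + |\beta|^2 = 1,$$

where the complex amplitudes $\alpha$ and $\beta$ are the 'mix'. Reading it out returns 0 with probability $|\alpha|^2$ and 1 with probability $|\beta|^2$, and afterwards the qubit simply is in whichever state came out. With $n$ qubits the state is a superposition over all $2^n$ bit strings,

$$|\Psi\rangle = \sum_{x=0}^{2^n-1} c_x\,|x\rangle, \qquad \sum_{x} |c_x|^2 = 1,$$

so one operation acts on all $2^n$ branches at once, which is the 'multiple paths' of the paragraph above. A measurement, however, yields only one $x$, with probability $|c_x|^2$: the art of a quantum algorithm is to arrange interference so that the wanted answer ends up with a large amplitude. Because the result is still probabilistic, a run is repeated and each candidate answer is checked classically; for factoring that check is a single multiplication.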

I talked about this with our brand new team member Petra Wevers, who calls herself a pathfinder in the field of quantum security. Quantum computers threaten the current way we protect our data, which to a very large extent rests on a hard mathematical problem. To encrypt you need keys, and in the most widely used public-key system, RSA, the key is built from two very large prime numbers multiplied together. An attacker who wants the private key does have the outcome of that multiplication (the public modulus), but finding the two primes again (factorization) is extremely difficult. At least, for regular computers. For a sufficiently large quantum computer running Shor's algorithm it is a piece of cake. The quantum computer therefore poses a major threat to the confidentiality of our data.

Current quantum computers cannot do that yet. Predictions vary widely, but you often hear that it will take somewhere between 7 and 10 years. Elsewhere I learned that from 2030 there is a real but small chance of breaking cryptography. Breaking RSA-2048 (a widely used cryptographic algorithm, here with a key length of 2048 bits) is expected to require a quantum computer with on the order of a million qubits, while the most powerful publicly known (!) machine has only 433. Oh, you think, so we're not in a hurry. Think again. A lot of information that is confidential now will still be confidential in ten years. Patient attackers, such as certain countries, are already stealing such encrypted information, even though they can't do anything with it yet. If they can read it a decade later, it will still be useful to them. Steal now, decrypt later, is their motto. Petra calls the situation we are in now the quantum squeeze. Others talk about Q-Day or even the Quantum Apocalypse, but it all comes down to the same thing: we have to do something before it's too late. And we have to act now.
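Why factoring is the whole game, and why 'steal now, decrypt later' works, as an added worked example (this is not code from the blog or from Petra): a toy RSA with deliberately tiny primes, so that plain trial division can play the role Shor's algorithm would play against a real 2048-bit modulus. The primes, the message and the function names are all constructed for this illustration.

```python
"""Toy RSA showing why factoring n breaks the key, and the
'steal now, decrypt later' scenario. Added example, not from the blog.
The primes are tiny on purpose, so trial division can stand in for Shor."""
from math import gcd

E = 65537  # the customary public exponent


def keygen(p: int, q: int, e: int = E):
    """Return ((n, e), d): the public key is the product n of two primes
    plus e; the private exponent d is the inverse of e modulo phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), d


def encrypt(plaintext: bytes, pub) -> int:
    """Textbook RSA without padding; fine for a demonstration only."""
    n, e = pub
    m = int.from_bytes(plaintext, "big")
    if not 0 < m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(ciphertext: int, d: int, n: int) -> bytes:
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def factor(n: int):
    """Classical trial division: the stand-in for the quantum step.
    Works here because n is about 1e10; a 617-digit RSA-2048 modulus
    is far beyond any classical method, which is the whole point."""
    if n % 2 == 0:
        return 2, n // 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 2
    raise ValueError("no non-trivial factor found")


def recover_private_exponent(pub) -> int:
    """What the attacker does once p and q are known: recompute d,
    exactly as the legitimate owner did in keygen."""
    n, e = pub
    p, q = factor(n)
    return pow(e, -1, (p - 1) * (q - 1))


def steal_now_decrypt_later(secret: bytes = b"007!"):
    """Phase 1 (today): the victim encrypts; the attacker records only the
    public key and the ciphertext. Phase 2 (years later, with a capable
    quantum computer): the attacker factors n and reads the message."""
    pub, d_victim = keygen(104729, 104723)   # constructed tiny primes
    recorded_ciphertext = encrypt(secret, pub)

    # The attacker never sees d_victim; pub and the ciphertext suffice.
    d_attacker = recover_private_exponent(pub)
    recovered = decrypt(recorded_ciphertext, d_attacker, pub[0])
    return {
        "modulus_digits": len(str(pub[0])),
        "same_private_key": d_attacker == d_victim,
        "recovered": recovered,
    }


if __name__ == "__main__":
    print(steal_now_decrypt_later())
```

Run it and the attacker, who never saw the private exponent, reads the ciphertext recorded 'years earlier'. Swap the two primes for 1024-bit ones and `factor` will not finish on a classical machine in any useful time; that gap is exactly what a large quantum computer is expected to close.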

We do not yet have quantum-safe cryptography, and the route to it has not yet crystallized, says Petra. There are stopgap measures. Making keys longer, for example, so that even a quantum computer takes a while to work them out. And - allow me to get specific for a moment - switching to TLS 1.3, because previous versions, which are still in full use, cannot handle hybrid algorithms (a classical and a post-quantum algorithm combined, so that the connection stays secure as long as either one holds). In addition, we can be quantum annoying by changing keys frequently, so that a quantum computer has to repeat its work for every key and chokes on the workload. And if you purchase things as an organization, include quantum safety in your requirements. Ask your suppliers about their plans in this area.

Governments and science take our safety seriously, says Petra, for example in the Dutch Quantum secure Cryptography Gov program. Next year NIST (the American standards institute) will publish standards in this area, which are expected to be incorporated into commercial products about three years later. According to Petra, it is generally overlooked that soon everyone will be able to use quantum computers via some website, including criminals, just as we can all use artificial intelligence now. It is not all doom and gloom: quantum computers are also expected to help in the development of new medicines and batteries, for example. Let's fight to ensure that the positive use of this groundbreaking technology wins.

 

And in the big bad world...

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

 

Gyro Gearloose

Image from Pixabay

Gyro Gearloose is a crane after my own heart. He can invent a genius device to order, or he has something lying around ...