2024-01-26

Drained weight


Image from Unsplash

It's crazy that as a citizen you have to worry about your privacy. In the past, when Roger Moore was still James Bond, you only had to worry about outside interest in your doings if you were a special kind of company or a government. But nowadays? Everything has a privacy policy these days. And that means that your privacy is at stake everywhere; otherwise that policy would not be necessary.

Well, the tone has been set for European Privacy Day, January 28. Apparently that day is necessary, too. Witness also this musing of Omri Elisha, professor of anthropology in New York:

We memorized phone numbers.
We memorized driving directions.
No one knew what we looked like.
No one could reach us.
We were god.

In those days, as a child you played outside with your friends, randomly ringing their doorbells or finding them somewhere outside. As a boy you wore rubber boots and preferred to play at the local mud puddle. At most you had a watch and a time when your mother told you to be home (and hopefully there was time taken into account to get you to the table clean). Yes, we were those gods, we just didn't realize it.

As a parent I look at this differently. It's quite nice to have your children within reach of a digital button - at least when they respond to you. Are you worried because they are not home yet, or do you want them to run an errand? Sending a message in an app usually works wonders. Are they going somewhere? They can then text that they have arrived safely, or they share their live location so that you know where they are in case of emergency. It also works the other way around: if help is needed, mom and dad are easily accessible. The price for this comforting technology is privacy. But because the children of this century don't know any better, they don't miss it.

Nowadays one hardly buys any device with a power plug that is not subject to a privacy policy. If you do not agree to it, you cannot use it. Not a soul reads it, everyone blindly agrees. If only because they are always those long, tough stories. You almost wish it just said: All data that this product collects about you and your environment may be used at the sole discretion of the manufacturer and all its business partners. I know of one case where this actually happens. If you travel to the US and come from a friendly country, you do not need a visa. Instead, you can simply apply for an ESTA (Electronic System for Travel Authorization) online. If you enter that process, you will receive an unmistakable security notification, which starts as follows:

You are about to access a Department of Homeland Security computer system. This computer system and data therein are property of the US Government and provided for official US Government information and use. There is no expectation of privacy when you use this computer system. The use of a password or any other security measure does not establish an expectation of privacy.

It's that simple: don’t expect any privacy when using this system. Even security measures that might give the impression of privacy are not there for your privacy. It reminds me of the greeting of the Borg in Star Trek (see this Security (b)log). Fortunately, how different things are with our own government, where people generally do their utmost to guarantee our privacy.

I recently wanted to return a product. The webshop was to send me a DHL shipping label. I received an email from DHL containing not only my shipping label, but also those of a few other customers. The webshop itself had not received those labels. It’s just a small thing, but it does indicate how easily personal data can leak.

The drained weight is stated on vegetable jars - how many grams of vegetables are in it, without the liquid? Perhaps websites should also place such a notice: given our security level, there is a 5/25/50/75/100% chance that your data will go down the drain.


And in the big bad world...

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.


2024-01-19

Stairway to poetry


Image from author

The Hague, Ministry of Justice and Security. From the top floor, the 36th, you have a magnificent view of the surrounding area. Even on a meteorologically challenging day like last Monday, with alternating sun, snow showers and strong winds. If you have a meeting here, you have to accept some loss of time due to looking outside. But there is more to experience.

A stairwell in an office building is often boring, because, especially in a high-rise building, hardly anyone goes there. But there, at Turfmarkt, they wrote sayings on the risers of the stairs. The following is written on the stairs between the 35th and 36th floor: Accidents are just around the corner. Happiness is everywhere else.

For people like me, who are professionally concerned with anything that can go wrong, this puts things into perspective, perhaps even more than for 'ordinary' people. We are looking around the corner, searching and probing, while in general we see relatively little serious misery. Yes, there are regular news reports about data breaches, ransomware and DDoS attacks, and criminal phishing actions, but most of the time, they are not disruptive. Even in Ukraine, which has been suffering from war violence for two years now and where the cyber part of the war started much earlier, the digital society is still up and running. It seems unbreakable. So you might think that in general, we don't go around that corner, but instead we go everywhere else.

Whenever something like this comes up, I like to recall the year 2000, or more precisely: the turn into the new millennium. That is almost a quarter of a century behind us, which means that there is now a working generation that has not experienced this transition. Well, guys, there was a lot of fuss going on, and that fuss had a name: the millennium bug. While you may be reading this blog on your smartphone, which is in fact a pretty powerful computer, it's hard to imagine that computer memory was a scarce resource in the last century. Today a gigabyte is the smallest unit we talk about, but back then it was kilobytes. That makes a difference of six zeros, or a factor of a million. While you can now buy a 64 GB USB thumb drive for less than a tenner, we used to have to make do with 512 KB floppy disks, which you bought in boxes of ten. The next generation, which could store 1.44 MB (more than twice as much!), felt like a major leap forward. When installing an application on your PC, you were a disk jockey: those products came on a stack of floppies that you had to insert one by one. Downloading had yet to be invented.

Storage memory was in short supply, and it was skimped on wherever possible. For example on date fields. Why would you write 1977 if 77 was sufficient? This was common even in the real world: I learned the date format 24-5-'65 at school. The apostrophe indicated the century, but you could just as easily leave it out. In computers it would save you two positions for each date. But as the turn of the century approached, a problem came into view. Suddenly 31 would no longer necessarily mean 1931, but could also be 2031. Computers would choke on this, for example if they had to sort data. Heaven and earth were moved to avert disaster. In the Netherlands, an estimated nine billion euros were spent on this, and worldwide three hundred billion dollars, according to Wikipedia.
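The sorting failure described above, worked through as an added example (this code is not from the blog; the records, the 50 pivot year and the function names are all constructed for illustration). It keeps dates the way a storage-starved system did, with two digits for the year, shows how sorting and date arithmetic go wrong once a 20xx date appears, and then applies "windowing", one of the standard millennium fixes, which reads two-digit years below a pivot as 20yy and the rest as 19yy. It also computes when that fix itself runs out, because a window is a reprieve rather than a cure.

```python
from collections import namedtuple
from datetime import date

# Constructed sample data (not from the blog): records as a storage-saving
# legacy system might have held them, with only two digits for the year.
Record = namedtuple("Record", "label yy mm dd")

LEGACY_RECORDS = [
    Record("first contract", 77, 5, 24),   # intended: 1977
    Record("policy renewal", 99, 12, 31),  # intended: 1999
    Record("last audit", 8, 6, 15),        # intended: 2008
    Record("policy expiry", 31, 1, 1),     # intended: 2031
]


def sort_legacy(records):
    """Sort the way a two-digit-year system does: numerically on (yy, mm, dd).
    Every 20xx date lands before every 19xx date, which is the wrong order."""
    return sorted(records, key=lambda r: (r.yy, r.mm, r.dd))


def naive_year_diff(rec_from, rec_to):
    """Elapsed years as the legacy arithmetic computes them: yy_to - yy_from.
    Crossing the century boundary makes this negative."""
    return rec_to.yy - rec_from.yy


def expand_year(yy, pivot=50):
    """Windowing: two-digit years below the pivot are read as 20yy, the rest
    as 19yy. The pivot of 50 is an assumption chosen for this example; a real
    system picks it to fit the span of its own data."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected")
    return 2000 + yy if yy < pivot else 1900 + yy


def to_date(rec, pivot=50):
    """Expand a legacy record into a real calendar date with a four-digit year."""
    return date(expand_year(rec.yy, pivot), rec.mm, rec.dd)


def sort_windowed(records, pivot=50):
    """Sort on the expanded four-digit date: the order the data was meant to have."""
    return sorted(records, key=lambda r: to_date(r, pivot))


def windowed_year_diff(rec_from, rec_to, pivot=50):
    """Elapsed years after expansion; no longer negative across the century."""
    return to_date(rec_to, pivot).year - to_date(rec_from, pivot).year


def windowing_breaks_in(pivot=50):
    """The first year the window cannot represent is 2000 + pivot.
    That is the next corner that will need sweeping."""
    return 2000 + pivot


if __name__ == "__main__":
    print("legacy order:  ", [r.label for r in sort_legacy(LEGACY_RECORDS)])
    print("windowed order:", [r.label for r in sort_windowed(LEGACY_RECORDS)])
    renewal, expiry = LEGACY_RECORDS[1], LEGACY_RECORDS[3]
    print("years until expiry, legacy arithmetic:", naive_year_diff(renewal, expiry))
    print("years until expiry, windowed:         ", windowed_year_diff(renewal, expiry))
    print("this window stops working in:", windowing_breaks_in())
```

Run it as a script and the legacy sort lists the 2008 audit and the 2031 expiry ahead of the 1977 contract, and the renewal-to-expiry interval comes out as minus 68 years; after expansion the order and the interval (32 years) are what the data meant. Note that the windowed variant only postpones the problem to 2050 with this pivot, which is why the durable fix was to store four-digit years.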

When the gunpowder fumes from the fireworks had dissipated, it turned out that very little had gone wrong. Then there was a lot of criticism: did we spend all that money for nothing? I still get quite worked up about so much naivety. Why do you think things went so well? Because of that great effort, of course! It's as clear as day: there's a problem, you solve it, danger averted. At this level of abstraction it doesn't get any harder than this.

Back to the stairs of the ministry. That saying is wrong. An accident being just around the corner means that mischief is very likely to happen. The second sentence of the stair writings, on the other hand, pretends that hardly any accidents really happen and that most things go well. The fact that things are going relatively well in the digital society is due to all the measures taken to prevent problems, and to a quick, adequate response if something does happen. The saying on the stairs should therefore read: Accidents are just around the corner. Grab a broom and sweep that corner clean.


And in the big bad world...

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.


2024-01-12

Rainbow


Image from Pixabay

Recently, there was a newspaper article about armored passenger cars. Or rather: about the 'best secured passenger car in the world'. Due to all the extras, the colossus weighs around 4,500 kg (9,900 lbs), which means you are not allowed to drive it with a regular passenger car driving license in the Netherlands. Part of the weight is in the windows, which are up to ten centimeters (four inches) thick. But of course, quite thick steel is also involved. The doors alone weigh 200 kg (440 lbs). Per piece, that is. The car is made in Sindelfingen, Germany and is called Mercedes S680 Guard.

But rest assured, this did not suddenly become a car blog after the New Year. No, the trigger for writing a blog in response to that newspaper article was a German word from that article: Beschussamt. Chances are you don't even know how to pronounce that ('be' like in begin, 'schuss' like shoes, but shorter, 'amt' with the British a in tomato), let alone what it means. Let's start at the back: an 'Amt' roughly means a service or authority. And 'Beschuss' means shelling. So in a literal translation you end up with something like 'shelling service'. The newspaper found a neater translation: firearms authority.

What does a firearms authority have to do with cars? Well, my own translation wasn't so bad in that respect: they are literally shooting at those cars. Because those cars want to be certified, of course, and you obviously won't get that certification just because the brochure states that the vehicle can withstand bullets from a Kalashnikov. They would like to see that with their own eyes at the Beschussamt, and moreover, there are formal standards for the protection factor of a car. And that is why they empty their weapons at those cars and then investigate what they have done to it.

I can now go in two directions with my blog: I can talk about certification, or about testing. You know what, I’ll do the second; just because it's more fun. With those cars, the bullets can come from two sides: from the good guys (the Beschussamt) and from the bad guys (anyone against whom the person being transported in such a car wants to protect themselves). You can look at IT systems in a similar way. Although bullets are not usually literally fired at them, there are two parties that are interested in the resistance that the system offers. On the right side we have the owner of the system, and on the wrong side everyone that owner wants to protect his system against.

But wait a minute; there are more parties on the right side. There is also a whole army of volunteers who look for weaknesses in systems and, if found, dutifully report them to the owner, without abusing the vulnerability found. They are traditionally called white hat hackers, by analogy with the color of the hats of the good guys in spaghetti westerns. A more modern term for this is ethical hacker. Whatever you call them, these people can try to penetrate that system completely without the knowledge of the owner of a system.

A system owner can of course also order his system to be tested. He can have this carried out by his own employees, but an entire industry has also emerged around testing systems: you can simply hire ethical hackers (although it is very pleasant and useful to have a few of them on your payroll). Whoever does it, they perform a so-called pen test. That has nothing to do with stationery, but is short for penetration test – they try to get into your system. You also come across the name A&P test; this stands for attack & penetration – of course a pen test involves an attack.

First you need to decide what their starting point will be: do they get virtually nothing upfront, do they get some more information and an account, or do they get full access and technical and design information? Like everything in this life, pen tests also come in colors: the first kind of test is called a black box (the system to be tested is largely a black box for the hacker, so he knows nothing and doesn’t have access), the second is a gray box pen test and the latter is called white box or – much nicer but not a color – crystal box. Why would you do the latter? There's no point in that, if the hacker already knows everything and gets free access, is there? Well yes, actually: the system is tested with knowledge that a malicious outsider does not have. That can certainly be useful.


There are even more colors that are used when conducting exercises. The attackers are on the red team, the defenders on the blue team. And then there is a hybrid called, yes, purple team; in that composition, attackers and defenders learn from each other. During such an exercise, the red team can, for example, perform a crystal box pen test, which will hopefully be seen and averted by the blue team, after which they, as a purple team, discuss what they encountered. You see, the industry has managed to come up with a nice set of terms that are incomprehensible to outsiders. And I haven't even highlighted all the colors and all the aspects.


And in the big bad world...

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.
