Recently, there was a newspaper article about armored passenger cars. Or rather: about
the 'best secured passenger car in the world'. Due to all the extras, the
colossus weighs around 4,500 kg (9,900 lbs), which means you are not allowed to
drive it with a regular passenger car driving license in the Netherlands. Part
of the weight is in the windows, which are up to ten centimeters (four inches) thick.
But of course, quite thick steel is also involved. The doors alone weigh 200 kg
(440 lbs). Per piece, that is. The car is made in Sindelfingen, Germany and is
called Mercedes S680 Guard.

But rest assured, this did not suddenly become a car blog after the New Year. No,
the trigger for writing a blog in response to that newspaper article was a
German word from that article: Beschussamt. Chances are you don't even
know how to pronounce that (‘be’ like in begin, ‘schuss’ like shoes, but
shorter, ‘amt’ with the British a in tomato), let alone what it means. Let's
start at the back: an 'Amt' is something like a service or authority. And 'Beschuss'
means shelling. So in a literal translation you end up with something like
'shelling service'. The newspaper found a neater translation: firearms
authority.

What does a firearms authority have to do with cars? Well, my own translation wasn't
so bad in that respect: they are literally shooting at those cars. Because those
cars want to be certified, of course, and you obviously won't get that
certification just because the brochure states that the vehicle can withstand
bullets from a Kalashnikov. They would like to see that with their own eyes at
the Beschussamt, and moreover, there are formal standards for the protection factor
of a car. And that is why they empty their weapons at those cars and then
investigate what they have done to them.

I can now go in two directions with my blog: I can talk about certification, or about
testing. You know what, I’ll do the second; just because it's more fun. With
those cars, the bullets can come from two sides: from the good guys (the
Beschussamt) and from the bad guys (anyone against whom the person being
transported in such a car wants to protect themselves). You can look at IT
systems in a similar way. Although bullets are not usually literally fired at
them, there are two parties that are interested in the resistance that the
system offers. On the right side we have the owner of the system, and on the
wrong side everyone that owner wants to protect his system against.

But wait a minute; there are more parties on the right side. There is also a whole
army of volunteers who look for weaknesses in systems and, if found, dutifully
report them to the owner, without abusing the vulnerability found. They are
traditionally called white hat hackers, by analogy with the color of the hats
of the good guys in spaghetti westerns. A more modern term for this is ethical
hacker. Whatever you call them, these people can try to penetrate a system
completely without the knowledge of its owner.

A system owner can of course also order his system to be tested. He can have this
carried out by his own employees, but an entire industry has also emerged
around testing systems: you can simply hire ethical hackers (although it is
very pleasant and useful to have a few of them on your payroll). Whoever does
it, they perform a so-called pen test. That has nothing to do with stationery,
but is short for penetration test – they try to get into your system. You also
come across the name A&P test; this stands for attack & penetration – of
course a pen test involves an attack.

First you need to decide what their starting point will be: do they get virtually
nothing upfront, do they get some more information and an account, or do they get
full access and technical and design information? Like everything in this life,
pen tests also come in colors: the first kind of test is called a black box
(the system to be tested is largely a black box for the hacker, so he knows
nothing and doesn’t have access), the second is a gray box pen test and the
latter is called white box or – much nicer but not a color – crystal box. Why
would you do the latter? There's no point in that, if the hacker already knows
everything and gets free access, is there? Well yes, actually: the system is
tested with knowledge that a malicious outsider does not have. That can
certainly be useful.

There are even more colors that are used when conducting exercises. The attackers are
on the red team, the defenders on the blue team. And then there is a hybrid
called, yes, purple team; in that composition, attackers and defenders learn
from each other. During such an exercise, the red team can, for example,
perform a crystal box pen test, which will hopefully be seen and averted by the
blue team, after which they, as a purple team, discuss what they encountered.
You see, the industry has managed to come up with a nice set of terms that are
incomprehensible to outsiders. And I haven't even highlighted all the colors
and all the aspects.

And in the big bad world...
This section contains a selection of news articles I came across in the
past week. Because the original version of this blog post is aimed at readers
in the Netherlands, it contains some links to articles in Dutch. Where no
language is indicated, the article is in English.
- departure boards at an airport can of course be hacked.
- an AI job application chatbot can also be hacked.
- even a wrench can be hacked.
- your phone's location can be tracked online. [DUTCH] (See also the Security (b)log of November 3, 2023.)
- there was a lot of fuss this week about a cybersecurity company that did not have 2FA on its Twitter account and was hacked.
- there was even more ado about the Twitter account of the American regulator SEC, which was also without 2FA and had been hacked.
- the City of Beijing is able to determine the identity of AirDrop users.
- after sixteen years, we finally know who the Dutchman was who sabotaged the Iranian nuclear weapons program with Stuxnet.
- there is a new newsletter about (mainly) information security.
- some Android phones have a repair mode, so that the repairman cannot access your data.