2024-02-16

Pension

 

Image from Pixabay

Despite the fact that, all being well and regulations unchanged, ten years from now I should already have been enjoying my retirement for more than six months, I still feel so young that I unemotionally archive mail from the pension fund. There is a vague realization that I should take more interest in my financial future, but at the same time there is also resignation: on the one hand because of the general feeling that everything has been well arranged for me, and on the other hand because it is probably too late to take additional measures, should I want to do so.

A while ago I spoke with a colleague about the involvement of non-peers in the subject of information security. Or rather: about the lack of involvement. He made a striking comparison (thanks Hugo!): would you listen with interest to a pension advisor, or would you rather think: here's my money, do the right things with it?

Oh, there you caught me. I've never talked to a pension advisor before. From the age of 25, pension contributions are deducted from my salary and the pension fund regularly lets me know how I am doing. If I retire at the normal age, I will receive this amount of money every month, and if I die, my surviving relatives will also receive something; that kind of information. I take a quick glance at it and at most think: “Well well!” and proceed to the order of the day. So I'm quite literally saying: here's my money, do the right things with it.

Do pension advisors ever complain that people show far too little interest in their pensions? That it would be in their own interest to look into it and take the right measures? And that few people have the sense to worry about this at a young age? If I had to arrange a supplement to my pension now, it would probably be unaffordable. However, if you start in your early years, you can spread your investment over many years.

In any case, information security professionals regularly complain that people show too little interest in their security. They live in the vague hope that everything will be more or less well arranged. The internet connection at home costs money, so the provider must have supplied a secure modem, right? And that WiFi connection of your dishwasher, dryer and air conditioning from a renowned brand, isn’t that just fine? The apps on your phone and the websites you visit all have a privacy policy, so you don't have to worry about that, do you? These are all assumptions that appease our conscience, if we think of them at all.

Reality is more stubborn. A device is only reasonably safe if it has the latest update, the one in which the manufacturer has fixed the flaws that are known so far. Without that update, your device carries vulnerabilities that attackers can exploit, and an attacker does not need to discover anything new: the flaw has already been published. On your laptop and phone you can easily ensure that you always have the latest updates by letting everything happen automatically. Of course, if a program or app asks you to do something to complete the update (restart, confirm, enter a password), you still have to actually do it.

There are also people at work who think that the people from the security team will take care of things. That is true to a certain extent: we write down what you should do and not do to keep things safe. We call that policies, standards, regulations – whatever the name. After that, however, it is up to those who are responsible for their part of the equation to also take responsibility for the information security aspect (and privacy, and continuity). And so they have to think at an early stage about what all these regulations mean for their field of work and actually do something with them.

I know, this is easier said than done. My devices at home also feel neglected. It is quite a job to do something about it, which makes it easy to hide behind the argument “not right now, it takes too much time”. But sometimes you just have to make that time. You know what? I have next week off, but we're not going away. I hereby promise our smart devices that I will check whether there is anything to update (which remains to be seen) and if so, that I will do so.

It would be so much easier if many more devices did an automatic update. Then you don't have to figure out where to get your updates from and how to install them. I think many non-ICT professionals shy away from the latter in particular. Hopefully manufacturers will do more to help us with this. And the European Cyber Resilience Act will force them into this. We want security by design: take all this into account from the start and pay attention to it throughout the entire lifespan of the product.

Still wanted: pension by design

There will be no fresh Security (b)log next week.

 

And in the big bad world...

2024-02-09

Kafka upside down

 

Image from Pixabay

Last summer I visited countries where I do not speak the language. In some countries I couldn't even read the writing. In one of those countries I bought a backpack with a card attached to it. “ATTENTION!” it said on the front. But the back was printed with characters that I wasn’t able to interpret.

Thanks to the wonderful technology of Google Lens, I was able to find out what was so urgently requiring my attention. It says that the backpack may become discolored, that I should avoid washing and ironing, that I should use “accessories such as closures, hooks, buttons, metal fittings, belt straps, buckles and rings” properly or they may break, and finally, that the product does not protect the contents in the event of a fall or impact; the manufacturer is especially concerned about my precision instruments, precious metals and fragile objects.

A couple of months ago, I asked you in the Security (b)log whether you know Franz Kafka's novel Der Prozess (The Trial). I assume you've read it by now. Then you may recognize a Kafkaesque trait in the text of that backpack card: you have to use the backpack accessories correctly, but it does not say what the correct way is. Backpacks sometimes leave me wondering what a particular strap or loop is for, let alone whether I know how to use the thing properly. And it also strikes me as rather vague that I should 'avoid' something. What if I do it anyway? Admittedly, I wouldn't have thought of ironing a backpack, but my previous backpack regularly ended up in the washing machine (and it survived).

I'm not going to lecture you further about Kafka now. No, I'm going to turn Kafka upside down. In his novel you have to adhere to rules that you do not know, and if you break those rules, you are punished. Kafka upside down is when you know the rules all too well and at the same time you know that if you stick to them, sooner or later something will happen that is very detrimental to you. What would you do if a law were introduced that required you to drive a car at a minimum speed of 100 km/h (62 mph) in built-up areas (and 50 km/h in a residential area)? Are you going to stick to this, even though you know for sure that in the best case you will end up in the hospital, or will you accept, for the sake of self-preservation, that you will be fined?

Earlier this week, intelligence services in the Netherlands revealed that Chinese state hackers had broken into a Defense network. They got in through a known (!) vulnerability in American-made security equipment. Continuing to use something with a known vulnerability is like knowing that the left headlight of your car is not working, but still driving in the dark: replacing the bulb yourself is no longer possible in many modern cars, the garage is already closed and you really have to go somewhere. And you keep using that network equipment for the same reason, because, well, you need that network anyway and you can't easily replace it. Never mind the question of whether another product would be completely safe.

I don't know how they figured out that China is the culprit; attribution of cyber attacks is a difficult matter. Anyway, the report states that the intelligence services determined "with high confidence" that it must have been China, which is spy talk for "we actually know for sure". And it is not the first time that the West has pointed the finger at China in such cases. So we are more or less certain that China is spying on us.

If a Dutch government institution wants to purchase a service or product, it must follow the Public Procurement Act 2012: if the value of the contract exceeds a certain amount, a European tender must be carried out. So you cannot just go to a supplier and place your order. You must describe in a thick document what you need and what requirements you set for it. You cannot “target” that document to a specific product by including requirements that you know only your favorite product meets. Companies from all over the EU may register for such a tender.

Suppose you are a government service and you want to, say, purchase mobile phones. There are Chinese mobile phones on the market that meet all your requirements and they are cheaper than the competition's products. There is a good chance that European companies will offer those Chinese mobile phones. The competitive pricing forces you to do business with such a company. The contractor may be little more than a box shifter who outsources technical support to the manufacturer. And before you know it, you not only have Chinese equipment in your organisation, but also the accompanying Chinese personnel. Both the equipment and the maintenance technician may do things that were not included in your package of requirements, but are included in those of the Chinese government.

You dutifully complied with all the rules, and in doing so you knowingly brought in the Trojan horse. That's Kafka, upside down.

 

And in the big bad world...

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

2024-02-02

Ingredients

 

Image by author

Ingredients: white beans 61%, water, tomato purée 16%, sugar, sea salt, natural vinegar, corn starch, natural herbal flavoring. Thus the back label of the jar, which on the front is called 'white beans in tomato sauce'. Does this product fit into a low-salt diet? I wouldn't know, because luckily I don't have to worry about that for my health. But if it ever becomes necessary, I would like to read on the label of any product whether it contains salt, and preferably how much.

It's purely a coincidence that I'm back in the canning business just like last week - I'm not considering switching to that industry, nor have I been asked to promote their products (eat fresh vegetables, people!). But I'm a fan of metaphors, and a jar of vegetables turns out to be a rewarding object.

Usually you won't care what else is in a jar of white beans in tomato sauce besides white beans and tomato sauce, unless you have a specific reason, such as a doctor's recommendation. And then you're happy that it's all on the label.

And guess what? It is just the same in ICT. As long as everything goes well, no one cares which programming language, which framework and which libraries are used, which open source components are included or which platform the system runs on. But when word starts circulating that a certain, widely used ingredient contains a serious vulnerability, you all of a sudden want to know whether that ingredient is in your systems. Because you may have to switch to a low-salt diet, or replace the sea salt with regular table salt, or perhaps switch, temporarily or permanently, to green beans.

For ICT, what the label is for foodstuffs is the SBOM: the Software Bill of Materials, the list of components that are incorporated into the product. When it was announced in December 2021 that Log4j contained a serious vulnerability, the world was in turmoil. Log4j is like a type of salt that is used in many products. If one day you hear that contaminated salt has been used, as a manufacturer you immediately want to know which of your products contain that salt, so that you can recall the right products from the supermarkets and stop your production process until you have a shipment of clean salt.

I recently learned that the administrators of some systems assume that Security knows which components are in which product and will alert them if something is wrong with one of them. But of course it doesn't work that way. The Food and Consumer Product Safety Authority doesn't know which canning factory products contain salt either. They can only sound the alarm when a bad batch has been delivered. It is then up to the manufacturer to determine which products the salt may have ended up in and to take the correct measures. It is the same with us, in IT. Security knows that something is wrong with a component; the administrator needs to know whether his system contains that component, in an affected version, and whether he needs to take action. Of course, coordination will always take place in major situations, but you remain responsible for your own system, and you can only answer that question quickly if you have an up-to-date BOM of it.
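The question the administrator has to answer ("is the bad salt in my jar?") is a mechanical one once an SBOM exists. Below is an added example, not code from the blog or from any product it mentions, that walks a CycloneDX-style JSON SBOM and reports every copy of a given component older than the version that fixed the problem, including copies bundled inside another library, which is exactly where Log4j tended to hide. The SBOM itself is constructed for the example; `payments-api`, `report-engine` and the version numbers are invented, and the threshold `2.15.0` is the first log4j-core release that addressed CVE-2021-44228 (later advisories raised the bar, so the threshold is a parameter, not a constant).

```python
"""Query a CycloneDX-style SBOM for a vulnerable component (added example).

Assumptions: the BOM is CycloneDX JSON with `group`/`name`/`version`/`purl`
fields and optional nested `components`; the sample below is constructed
and does not describe any real system.
"""
import json
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample SBOM, trimmed to the fields the check needs.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application",
                               "name": "payments-api", "version": "3.2.0"}},
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-api", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        {"type": "library", "group": "com.example", "name": "report-engine",
         "version": "1.8.0", "purl": "pkg:maven/com.example/report-engine@1.8.0",
         # A bundled (shaded) copy of an old log4j-core: invisible in a
         # top-level dependency listing, but present in the BOM.
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j",
              "name": "log4j-core", "version": "2.0-beta9",
              "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta9"}]},
        {"type": "library", "group": "ch.qos.logback", "name": "logback-classic",
         "version": "1.2.11",
         "purl": "pkg:maven/ch.qos.logback/logback-classic@1.2.11"},
    ],
})

# Pre-release qualifiers sort below the release they precede.
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}


def version_key(version: str) -> Tuple[Tuple[int, int], ...]:
    """Sortable key for Maven-style versions such as 2.14.1 or 2.0-beta9.

    Numeric tokens become (1, n); textual qualifiers become (0, rank), so
    at the same position a number always outranks a qualifier.
    """
    key = []
    for tok in re.findall(r"\d+|[A-Za-z]+", version):
        if tok.isdigit():
            key.append((1, int(tok)))
        else:
            key.append((0, QUALIFIER_RANK.get(tok.lower(), 3)))
    return tuple(key)


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than version b."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    # Pad with a neutral numeric token so that 2.0 compares above 2.0-beta9.
    ka += ((1, 0),) * (width - len(ka))
    kb += ((1, 0),) * (width - len(kb))
    return ka < kb


def iter_components(node: Dict, path: Tuple[str, ...] = ()
                    ) -> Iterator[Tuple[Dict, Tuple[str, ...]]]:
    """Yield every component, with the chain of parents that brought it in."""
    for comp in node.get("components", []):
        yield comp, path
        yield from iter_components(comp, path + (comp.get("name", "?"),))


def find_affected(sbom_text: str, group: str, name: str,
                  fixed_in: str) -> List[Dict[str, str]]:
    """Return components matching group/name whose version is older than fixed_in."""
    sbom = json.loads(sbom_text)
    hits = []
    for comp, path in iter_components(sbom):
        if comp.get("group") != group or comp.get("name") != name:
            continue
        version = comp.get("version", "0")
        if version_lt(version, fixed_in):
            hits.append({"purl": comp.get("purl", ""), "version": version,
                         "via": " > ".join(path) or "(direct dependency)"})
    return hits


if __name__ == "__main__":
    # CVE-2021-44228 affected log4j-core 2.0-beta9 through 2.14.1; 2.15.0 was
    # the first release that addressed it. Later advisories raised the bar,
    # hence the threshold is passed in rather than hard-coded.
    for hit in find_affected(SAMPLE_SBOM, "org.apache.logging.log4j",
                             "log4j-core", "2.15.0"):
        print(f"{hit['purl']}  via {hit['via']}")
```

Two things the run shows that a plain dependency list would not: the second hit is reported with the parent (`report-engine`) that bundles it, which is what you need in order to know who has to ship the fix, and the pre-release `2.0-beta9` is correctly judged older than `2.15.0` rather than being mis-sorted by a naive string comparison. For a real estate of systems you would feed this one BOM per system and keep the answer, because the same question comes back with the next advisory.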

The attentive reader may have noticed that above I always talked about systems and products, while the S in SBOM stands for software. But why limit an ingredients list to software? Hardware components can also be vulnerable, as Meltdown and Spectre, both vulnerabilities in certain CPUs, made painfully clear in 2018. Of course you want to know whether you have equipment that contains the vulnerable processors. Well, fortunately there is also such a thing as the HBOM: the Hardware Bill of Materials. Ideally, you would like to see all the components in there, down to the smallest chip. I just don't know whether manufacturers would be happy to cooperate, because competitors are of course reading along. That does not necessarily have to be a problem, provided you can rely on the manufacturers having their BOMs in order, having linked their customer base to them, and having their communication well organized. You can agree all this contractually. In your CBOM.

 

And in the big bad world...

