Symptom relief

 

Image from Pixabay

It's the perfect time of year to catch a cold. During the corona period we skipped this annual ritual, because having little contact with other people and hardly going anywhere, there was little chance of encountering a cold virus. But this year it’s business as usual for my family.

No matter how harmless a cold is for otherwise healthy people, we all know that it can make you quite miserable. One stumbles to the medicine cabinet to find relief. Nasal spray, cough syrup, paracetamol – all are standing by to relieve your complaints. Plus some home remedies, such as steaming, drinking tea with honey or licking popsicles.

What is so unfortunate about all these remedies is that they only treat the symptoms of the disease. The nasal spray allows you to breathe more freely for a while, the ice cream numbs your throat a little and the paracetamol helps against pain and fever. On the website of the united Dutch physicians, paracetamol is ignored completely on the page about colds ("Medication is not necessary for a cold"). Completely unnecessary side note: I’m not giving medical advice in this blog post.

Why is there no medicine or vaccine against a disease that is so common and causes a lot of discomfort? Seems like a gold mine for the pharmaceutical industry to me. But it turns out that there are so many viruses that can give you a cold that it’s simply a hopeless task. Moreover, those viruses mutate quickly; a vaccine developed today will be worthless tomorrow. By the way, research is still being done, especially because people with asthma can become very ill from a cold.

Of course, symptom relief also takes place outside the medical domain. For example in my own profession. To stay close to the common cold: how about a virus scanner? This relieves the complaints we have from viruses. Not like a nasal spray for a cold, but preventative: you either become infected or you don't. The relief lies in the number of infections you have to deal with. But it doesn’t contest the phenomenon of computer viruses as such. That is precisely why it is important to equip as many ICT resources as possible with those digital face masks.

The step from symptom relief to the placebo effect is not that big. If I have a sore throat and therefore eat a popsicle, I almost feel obliged to feel less pain for a while, while my mind really doubts the effect. That's harmless, but it gets bad when I think that a popsicle is also the right treatment for, for example, severe, persistent stomach pain. For some ailments you simply have to go to the doctor.

There are plenty of placebos in information security. For example, the security of a system does not really improve by carrying out a risk analysis. Only if you act upon the results of that analysis by taking measures, risks will be reduced. Another form of risk treatment is risk acceptance, but it is clear that this does won’t benefit the security of the system - no matter how legitimate acceptance may be in a certain case.

Compliance with regulations is another one. Quite a few organizations do all kinds of things because they have to. Meanwhile, no computer has ever become more secure because someone has written a mandatory document. Only when the content of that document comes to life we can make progress. Unfortunately, it often stops at the signing of a document – but the auditor will be proud of us! (I’m probably – hopefully! – wronging a friendly professional group with this comment.) Yes, I also do all kinds of mandatory stuff, but it’s always based on my drive to optimize security. The fact that I also get a green tick on a checklist somewhere is a bonus, but it should never be the goal.

To catch a cold, you need a virus. You won't catch a cold from sitting in a draft or going outside with wet hair. Likewise, nothing goes wrong with a computer due to potential risks. Problems only arise when a risk actually manifests itself. But just as I keep a little more distance from a sniffling family member, a list of risks relevant to your systems helps you avoid them.

 

And in the big bad world...

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

• Google saw doubling the amount of zero-day exploits last year.
• a virus scanner can also become infected. [DUTCH]
• Dutch police discovered more than seven million email addresses among criminals, intended for phishing. [DUTCH]
• Facebook had a secret project to intercept Snapchat traffic.
• Telegram came up with a bizarre premium subscription giveaway.
• China is often mentioned in the context of cyber attacks. [DUTCH]
• China now also distrusts Western stuff (or, they take revenge). [DUTCH]
• we can all learn something from the ransomware attack on the British Library.
• a British nuclear company is being prosecuted for alleged IT security violations. [DUTCH]
• The German government is certifying video conferencing services. [DUTCH]
• the European Council has approved the European digital identity.

Apple pie & solar power

 

Image from Pixabay

You’re going to bake an apple pie. The ingredients are lined up in battle order on the counter, eager with impatience. The mixer is shining in pride of place, ready to mix everything together nicely. You pour the first ingredients into the mixing bowl and set the switch to position one, for starters. Nothing happens. Oh, stupid, you realize with relief, of course you have to plug it in first. But still nothing happens. It slowly dawns on you: the pie is being delayed. Your once faithful mixer no longer works.

Since the invention of the light bulb, we know that electrical appliances break down over time. A few decades ago you could still assume that expensive appliances, such as a TV or washing machine, would last about ten years. If there was something wrong with them in the meantime, you had it repaired. Nowadays we often don't make it to ten years, and repairing has also gone out of fashion. But hey, things do break.

With us it was not the food processor, but a solar panel. Unlike with a food processor, this is not so easy to find out. Yes, we regularly check the solar power harvest of that day in the app, but then we see the total yield of all panels. In our colorful weather it is normal for these values to differ from day to day; so you can't tell that one panel doesn't contribute. Fortunately, there is another screen that shows the daily yield per panel. If there is a zero there, you know there’s a problem. But we didn't look at that screen that often. A reconstruction showed that the panel had been out of service for about two weeks. So I quickly called the installer. He concluded that the electronics box of that panel needed to be replaced. The technicians have been on the roof and we are fully operational again. Just turn up the sun.

We discovered this defect by chance. I talked about this with the technicians, who said that our supplier is also monitoring. But because we do not have a maintenance contract, there is no permanent monitoring. In other words: the data indicating that something is wrong is there, but no one is looking at it.

It works the same way in IT. Tons of data is logged, but not all of it is analyzed. You can think of all kinds of things when it comes to logging: a user logs in to his laptop, a printer runs dry, someone reads sensitive data, and much more. But yes, if no one is watching, error situations can survive for quite a long time. Fortunately, it is not all manual work. Smart software receives instructions as to which notifications are really important and brings them to the attention of specialized teams. The software acts as a sieve, meaning that only a fraction of all events need to be further investigated by employees.

There is also log data that is never looked at, unless there is reason to do so. Someone may have done something that is contrary to the rules. Most organizations couldn’t care less about an employee logging in to their laptop. Unless a manager has signals that the employee is going off the rails. Then he might want to know at what times the employee will start work. Things become more intense if someone is suspected of passing on internal data to criminals. In such a case, investigative authorities want to know, for example, who looked up a certain license plate and the associated details of the vehicle owner. That kind of information is not always available at the push of a button, sometimes it requires a lot of digging. Unfortunately, sometimes that is necessary, because in an organization as large as ours, statistically speaking, you are entitled to a certain percentage of black sheep. That is why I would like to see the logging of data required for this type of forensic investigation expanded - so that you can answer certain questions at the push of a button. You only know to a certain extent in advance what data you will need in an investigation. The fact is that events that you do not log now will not be available for analysis later. Another fact is that logging costs money. A good assessment is therefore necessary.

We have had a second set of solar panels for a few months now. Recently I had to be on the flat roof where they are located, and on that occasion I cleaned them. In doing so, I discovered that each of those panels showed several white spots. Not on the material, but in it. A few photos and an email later, the installer informed me that this problem was known to the manufacturer and that the panels would be replaced under warranty. Some things you really have to keep an eye on yourself.

 

And in the big bad world...

• three million hotel doors worldwide will open for these researchers.
• certain Apple chips have a serious crypto vulnerability.
• the aerospace sector has become a prime target for cybercriminals.
• there is now coincidentally an investigation into security and privacy at American airlines.
• a quantum computer can do jigsaw puzzles very quickly.
• cloud configuration is still very difficult.
• the internet lawyer is annoyed by a ruling by the Supreme Court.
• AI checks the programmer's work.
• it is still quite a job to investigate whether a data breach is real.
• the Spa Grand Prix has been hacked.

 

Passkeys to replace passwords

 

Image from Pixabay

As early as the time of Asterix and Obelix, passwords have been around, and they have been used in computers since time immemorial (Wikipedia mentions 1961 as the year in which they were used in a system at MIT). And now, some two thousand years after our Gallic friends, we are tired of them. There are too many of them, they are inconvenient and they are unsafe – even long, complex passwords are unsafe if someone phishes them. But there is hope: the passkey is coming!

Passkeys are not yet widely available, but the word is popping up more and more and that is enough reason to take a closer look. Passkeys are fundamentally different from passwords, with the biggest advantage being that they are many times more secure. And they are easy to handle. Who would not want that?

To explain the difference, I'll start with the ancient password. Its operation is based on what is called a shared secret: both you and the site/app/application/computer know the password. About the only difference with the way the ancient Romans worked is that computer passwords, are not stored on a server as they are, but in the form of a hash value (a mathematically calculated 'distortion' of the original). On the other hand, the others must be able to check whether the combination of username and password entered matches with their data on file, so the credentials of all users are stored in a large file. That's gold for hackers if it isn’t protected. And that is why hashing is so important. Hashing is irreversible; the password 'badexample' becomes ‘833f25dab798cb9b3ff1952ccb461751’ and there is no way back: you cannot recover the original password from the hash value. When you enter your password, it is hashed again and if the result matches the stored hash value, you are allowed to enter. Just like anyone else who knows your password. Moreover, a patient hacker who stole a password file can try passwords all day long and if the calculated hash value eventually matches the value in the file, he knows your password.

Enter the passkey. It doesn’t involve a shared secret, but serious cryptography. The ancient Romans already did that. At that time it was mainly a matter of using different symbols, or shifting (a becomes d, b becomes e and so on). This involves a key: when using other characters you use a kind of legend, when shifting it’s a number (in the example the key is +3). Modern cryptography is much more complex, especially the kind used for passkeys: asymmetric cryptography. Characteristic of this is that it doesn’t use a single key (which must be shared between the parties involved, just like a password), but two keys. Those keys have a mathematical relationship. One is called the public key, the other is the secret key. The gist of the story is that the secret key remains on your device and the public key goes to the other party. If you do something with your secret key on your device, the other side can check whether it was you, using the corresponding public key. That public key does not need to be secured, as its name suggests.

Suppose you want to log in on your laptop to a site that works with passkeys. That passkey can be on your smartphone, for example. Your laptop and your phone know via Bluetooth that they are in close proximity and therefore, that no one is trying to log in remotely. You unlock the requested passkey on your phone with your fingerprint, facial scan or a code. And hey, you're logged in to that site.

Because the passkey does not leave the device, you as a user cannot leak credentials - so you are not susceptible to phishing. In my opinion, that is the big advantage of passkeys: an attacker simply cannot get in between. You can synchronize your passkeys with different devices and have them at hand on your laptop, tablet and smartphone. This synchronization is encrypted (end-to-end, so no one can break into it).

Passkeys are currently supported by major tech companies (Google, Apple, Microsoft). But some password managers, such as Bitwarden, can also handle them.

Are you curious yet? Log in to your Google account (create one if necessary), go to Settings > Security > Access keys and Security keys and create your access key here. A Bitwarden plugin runs in the browser on my PC, and it asked if I wanted to store the passkey there. From now on, when I want to log in to Google on my PC, the password manager asks whether I want to use the passkey. So it actually works the same as before, but without any secrets involved. Let's hope that passkeys become popular and we’ll familiarize ourselves with them and will soon - for the next two millennia or so - not know any better.

 

And in the big bad world...

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

• hackers can often read your chats with AI bots, despite encryption.
• Some entrepreneurs have two faces.
• Google pays attention to Post Quantum Cryptography.
• some physical electronic locks have a secret backdoor.
• Meta previously had to pay a privacy fine of five billion dollar, but the same lawsuit has now been reopened. [DUTCH]
• criminals appear to be unreliable after all.
• Europe will have relatively strong AI legislation.
• In France, they no longer find it logical to periodically change all passwords. [DUTCH]
• the European Commission was reprimanded for the use of Microsoft 365.
• the Dutch police increase the cyber resilience of youth with a game. [DUTCH]
• Dutch people are becoming increasingly critical of their privacy. [DUTCH]

RITA

 

Image from Pixabay

Recently, RITA came into my life. She just fluttered in during a risk analysis, and I listened with fascination to what a colleague had to say about her (thank you Henk!). Later I Googled her and was impressed by her engaging personality. Her image is a bit less flattering, but I still prefer to judge RITA on her character rather than her appearance.

RITA is an acronym that stands for Reliable Internetwork Troubleshooting Agent. It's an April Fool's joke from 1998, presented as an RFC. That abbreviation stands for Request for Comments. An RFC is literally a request to comment on something. That ‘something’ are protocols and other documents that describe the operation of the internet. Ultimately, an RFC becomes a standard, but strangely enough it’s still called an RFC.

RFC 2321 describes “usage of Nondeterministic Troubleshooting and Diagnostic Methodologies as applied to today’s complex nondeterministic networks and environments”. The difficult word, which appears twice in the previous sentence, means that outcomes are variable even when the conditions are the same. I put aside the common assumption among laymen that computers always produce the same output in identical situations - especially with identical input - at the very beginning of my career. At the time, I was responsible for the COBOL software that took care of the nightly processing of income tax data. One evening an operator (hello Oscar!) called me because the processing had stalled. I told him to just restart the processing. Never heard anything about it again.

RITA is charmingly simple, and the way she makes her diagnosis is equally so. Moreover, the outcome is easy to understand because it is binary: it is right or wrong, there is no in between. RITA's primary area of use is hardware and software, but I think RITA can also be successfully used in countless other environments, even outside IT.

RITA is a rubber chicken with a length of 51.25 cm (20 3/16”) and its operation is very simple. You place it on the device to be analyzed or, in the case of software, on a still packaged copy of the software, or if necessary on a printout of the source code (that old COBOL software of mine was easily a decimetre (4”) thick). And here’s the punchline: if RITA flies away, then the object to be analyzed is error-free. If, on the other hand, RITA remains down, then something is wrong. You get the idea: rubber chickens don't fly – unless they're thrown, of course.

Moral of the story: hardware and software always contain errors, because they are incredibly complex. And, I always add, some of those errors have bad consequences for the security of the object, and possibly even for the security of the wider environment in which it is active (a hacked baby monitor is not only annoying because the hacker is in your home, but also because the device can be misused in a DDoS attack on an organization on the other side of the world).

In our risk analyses, we always ask how vulnerable a particular object is to errors in software, broken down into self-built and purchased software. Vulnerability is determined by the measures you have taken to address a threat. The application of the DTAP model is invariably mentioned as a measure: the development, testing, acceptance and finally running of the software in production takes place in separate environments, the intention being that an error will come to light in one of these phases. Attack & penetration testing is often used to determine whether an attacker can gain access to the object. And vulnerability scanning regularly checks whether a product contains known vulnerabilities. What remains after all this good work are the mistakes that have still been overlooked. And believe me: RITA will never take to the skies. The only question is who will discover a risky error first: a crook or an honest person.

 

And in the big bad world...

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

• Laxity is a factor that few take into account.
• Signal now protects your privacy even better.
• cloud computing is sucking in government. [DUTCH]
• This American newspaper article predicts a positive effect on the US of a ruling by the European Court of Human Rights.
• there is still something to be gained in the high ranks of the Luftwaffe in the field of security awareness. [DUTCH]
• the US government is leaning toward banning ransom payments.
• Ivanti 's problems keep the NSA busy.
• the NSA also gives tips about security in the cloud.
• the beer supply will not be in danger for the time being.
• the man in the middle takes off in your Tesla.
• sometimes the opponent is in your own organization.
• many Dutch passports are for sale on the dark web. [DUTCH]

 

 

Security (b)log: Updates

 

Image from Pixabay

Two weeks ago I promised here, as an incentive to myself, to give my smart equipment some attention. I was to investigate if they needed a software update and do so if necessary. This week I will report on my search. I also mention company and brand names; not as an advertisement or to criticize them, but because it's nice in case you have those things yourself.

My search started at the front door: at the modem/router. That is from my internet provider Ziggo and is called Connectbox Giga (a rebranded Arris TG3492). If you log in to the modem's management page, you can find out which software version it is running. It just doesn't say from when that software is, or it must be hidden in the very long version number (AR01.04.092.09_ 071423 _7248.SIP.10.LG.X2). I asked the Ziggo community how you can find out which is the current version. They say that this is the correct one, but I’m afraid that if you want to check it yourself you will probably have to get that information from the manufacturer.

Then the LG dryer. The accompanying app displays the version of four pieces of software under device information, and says: “Software is up to date”. Apparently the app checks this online itself. I just can't tell from when those updates are. I mean: if that software has never been updated after it was released - years ago - then my software is indeed up to date, but there is probably quite a bit of room for improvement in the meantime. And perhaps such a necessary improvement was related to the security of the device. But that remains guesswork. I want to act as a normal user here and will therefore not go all the way as to find out exactly from when version SAA39935009.0000B455 of 'Firmware 0' is. They could easily add that to the already provided information.

The Bosch dishwasher lets you choose between automatically downloading software (including installation, I hope) and confirming the individual steps (download/installation). It also shows a version number somewhere, but it is not clear whether this concerns software or the device itself, and from when that version is. There is also something that I have not seen before on a device: the validity period of a certificate. You know certificates from websites, from the lock that indicates that the site is secured, and from the s in https. I am positively surprised that this device apparently uses a certificate for communications security.

Next candidate: Philips Hue smart lamps. The accompanying app says: “Everything is updated”. The automatic updates option is turned on and you can even choose the time at which the updates should be performed. Furthermore, each device has a version number, but here too it is not clear from when that version is.

The stereo system also has a few components that are connected to the WiFi network: the Yamaha receiver and, since last week, two wireless surround speakers from the same brand. The latter's installation manual states that you must ensure that all components have the latest firmware version. During the installation of the speakers, the app indeed indicated that a new version had to be installed, which then happened. The app says about the receiver: “Firmware is up to date”. Unfortunately, again without a date, only - in a different place in the app - a version number.

Finally, there are the solar panels. We have two different installations: the first works via the SolarEdge app, the second uses Enlighten/Enphase. SolarEdge does not provide a version number, but – yes, finally! – the date of the last update. That was February 18 of this year, so very recently. It also means that the updates are done automatically, because I didn't do anything. Enlighten provides information about two types of devices. The gateway, which communicates with me, shows a firmware version number and a date when it was last connected to the Enphase cloud. It is not clear whether updates are checked. The micro inverters (each panel has one, rather than a central inverter) all have two firmware version numbers and a communication date, and again it is not clear whether they are related.

Conclusion of this operation: it seems as if everything is fine, but it is not certain, except for the SolarEdge panels and (to a slightly lesser degree of certainty) the modem. Manufacturers still have some work to do to provide consumers with real information and to take away the bad feeling that I am being lulled to sleep with the meaningless term 'up to date'.

 

And in the big bad world...

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

• the FBI handles updates for your router.
• you can hack this doorbell by ringing the doorbell.
• Clingendael advocates European sovereignty in the cloud.
• We simply put our important e-mail in the American cloud. [DUTCH]
• Russia runs a misinformation campaign against Navalny's widow.
• 2FA codes have been leaked due to an error by an SMS company.
• gas stations in New Zealand were unable to cope with the leap year.
• the Dutch government has launched the NIS2 Quickscan. [DUTCH]
• GitHub is full of malicious repositories.
• the Dutch police advertise on Google to prevent cybercrime. [DUTCH]
• you can also be infected through your agenda.
• the White House promotes the use of memory safe programming languages.
• young people think that anyone can become a victim of cybercrime, except themselves. [DUTCH]
• the LockBit ransomware gang is back.