2024-06-28

Who can harm you?

 


Brrr-iiiing ... According to ChatGPT, that's a good onomatopoeia of a passing scooter. But that's beside the point; I will definitely write more about artificial intelligence, but for now it's about that scooter. Because it shouldn't pass me at all in that place.

I’ll explain. Our neighborhood is intersected by various cycle paths, which offer you a shorter route than if you used the normal road network. A large part of these cycle paths have a rectangular blue sign with the text 'cycle path'. That is traffic sign G13 of the Dutch traffic regulations, and it means that you can walk and cycle there. You have no business there with a scooter with a combustion engine (unless the engine is off). You guess where this is going: that sign is ignored en masse by scooterists. When another one of those cracked by recently and we were talking about it, my wife said: “Well, who's going to hurt you?” And indeed: the police and the municipality point the finger at each other and it’s already six years ago that the Cyclists' Union mentioned a municipal trial elsewhere in the city with signs reading 'prohibited for scooters', which we would have to wait for. I am still waiting.

Who can actually harm you if you do things that are not allowed in the cyber domain? Many things happen there that are a lot more intense than riding your scooter on a G13 cycle path. We are talking about cyber criminals who use their technical knowledge and/or skills to dishonestly obtain money or goods. These are the people who send you a text message about a package that could not be delivered, with a link that takes you to a fake website, where they ask for data with which they then digitally rob you. Or those that shut down hospitals with ransomware, putting healthcare services at serious risk, as recently happened in London. That appears to be a case of hacktivism, by the way: Qilin, the gang behind this attack, claims the attack is revenge for British government activities in an unspecified war (but we all know it's about Ukraine). Qilin also says they are sorry that patients are suffering from the attack but that it is not their fault. That stupid statement makes me angry.

Whether someone can harm the cybercriminal depends on two factors: how good they are at digital hide-and-seek, and where they live. Both of these factors are also linked. If you live in a civilized world, you have to erase your digital traces very carefully to prevent the police from showing up on your doorstep sooner or later. On the other hand, if you live in a country where they see cybercrime as normal work, as long as you do not target citizens of your own country, then you have little to fear. Yes, occasionally reports come out about the arrest of a Russian hacker, but the vast majority can go about their business freely and live in luxury. Some Russian malware even checks whether a computer to be attacked has a Cyrillic keyboard installed and if so, they leave it alone.

State actors (a fancy term for cybercriminals who work on behalf of a government) are also joining the fray. You can carry out a ransomware attack and make it look like you're in it for money, while the actual goal of that government is to take a company or agency offline for a while, or to steal their secrets - because that has been an additional function of ransomware for several years. It is often used as an additional threat: we will publish the captured data if you do not pay. But perhaps that data is also intended for their own use. There are also state actors who commit cybercrime to obtain foreign exchange. According to the UN, North Korea has raked in three billion dollars in six years.

And then there is that newspaper headline in the Dutch newspaper Het Parool from early last year: “Very young hackers did not come from Russia or North Korea, but from Zandvoort” (which is a town on the North Sea coast). They didn’t hide well enough, whilst living in a country where the police do go after cyber criminals and also play a leading role internationally.

Young people can playfully drift into crime, sometimes not even realizing that they are crossing a line. Parents often think that their teenager is just gaming. Both parents and their offspring must be made more aware of legislation in this area, and see to it that the available talents are used in a legal manner. If you don't know that something is not allowed, you don't feel guilty.

Which brings me back to those scooters. Older generations, who received their scooter license for free with their car driver license, may never have learned that G13 sign and therefore do not know that they are not allowed to drive there. But all those young people, they have to know that sign because they had to study for their license, right? Do they not see the sign along the road, or do they simply ignore it? Because, who can harm you?

 

And in the big bad world...

 

2024-06-21

Explosive

 


Boom! A loud bang shattered the silence in the living room. My wife, who was there alone, looked around in shock. What was that? A few seconds later she heard splashing. Her eyes followed her ears and found the source of the sound. Then she shouted upstairs, with strong urgency in her voice, “Stop what you're doing and come help now!”

Five heartbeats later I saw pink liquid dripping from the display case. There, in that cupboard, we started a modest collection of Beautiful Bottles a few years ago, when I pointed out to the children on holiday in the south of France a bottle of wine on which the gendarme of Saint-Tropez was depicted - a frenetic film role by the French comedian Louis de Funès from my youth (well, the film itself is older than me, but I have seen several films with this actor in the past – remember Fantômas?). Even though I don't like alcoholic drinks, my son gave me that bottle as a gift because he understood the sentimental value. Since a recent stay in Croatia, there is also a beautiful bottle of vodka from Old Pilots, decorated with aviation symbols – we bought that for our son, the aspiring pilot.

My daughter also contributed a little while ago. She had a school trip to Spain and brought back a bottle with bright pink contents. For the display cabinet. It was this bottle which had exploded. Well, exploded – the cap had popped off and all but an inch of its contents had spilled out. Please note: the bottle was still upright. The liquid found its way into lower parts of the cabinet. Armed with towels and cleaning cloths, we tackled the stuff. I even had to unscrew a cupboard door to get to some spots. Ultimately, the damage was limited to that one deformed screw cap. What on earth had happened here?

The 250 ml (8.5 fl oz) bottle label says kombucha. Wikipedia says about this: “a drink resulting from fermentation of sweetened tea by acetic acid bacteria and yeast cultures”. And on the label I read that you should always keep the stuff in the refrigerator, between two and eight degrees centigrade (35-46 degrees Fahrenheit). These are circumstances that our display case cannot meet. And so those bacteria woke up, conspired with the yeast and formed gas. And about two months later, the pressure became too much for that poor screw cap, who saw only one way out: up. After which almost all the contents bubbled out of the bottle.

A few blogs ago I advocated reading manuals. I would now like to add labels to that advice. Although I wonder if that would have helped. If you're not planning on consuming something anyway, why would you refrigerate it? And if I had already read the ingredients list, would I have realized that I had something explosive in my hands? I do not think so. In retrospect, I am surprised that the stuff is allowed to be sold at all, or that there is not at least a clear warning on the label. The substance also seems to be controversial due to unproven health benefits. In fact, there can even be very dangerous molds in the drink. Maybe it's a good thing the stuff is gone now. The empty bottle is back in the display case, as a reminder of the school trip and the explosion.

Sometimes it is useful to dose manuals and instructions, because otherwise they can be overwhelming. This week I saw a clever example of that. I recently started taking out a new service from a company. After a few days they sent me an email saying: secure your account even better, enable two-factor authentication (2FA). I like that. In this way they help people who do not read manuals and labels to make a step forward. By the way, I had already enabled 2FA as soon as I saw that they supported it. Do you also have it turned on everywhere? It protects you if one of your passwords ever leaks, for example due to a hack at an organization where you have an account. Without 2FA you are the sucker, and if you use the same password elsewhere without 2FA (ugh!), then you have to change those passwords immediately.

I've said it before: use a password manager, which not only stores your passwords, but also generates them for you. Make them at least twelve characters long, and because you rarely have to type in those passwords yourself, fifteen is even better. Even the best password cannot withstand a hack at an organization that does not properly protect your password; that's why you enable 2FA wherever possible.

 


2024-06-14

Pimp your computer

 


For many people, the car is an extension of their identity, even of their ego. They want to give their car something of their own, so that their faithful four-wheeler reflects its owner. Others have a car that, when they bought it, was missing certain features. Both groups are served by an extensive accessories and services market, where they can find a whole range of extras, from a simple phone holder to completely pimping your car.

Computers can also be personalized. I consider stickers on a laptop or setting a different screen background to be personality-enhancing activities, but just like a car, you can also provide a PC with all kinds of extra functionality. The most obvious thing is of course installing software. At work you are often limited in this - not only because of security considerations, but also because of manageability and licenses. So this blog is particularly nice for home use.

Not only can you install additional programs, you can also install add-ons for existing programs. These so-called plug-ins are especially popular with internet browsers (and then they are called browser extensions). There are far more than a hundred thousand extensions available for Google Chrome alone. They are available from both the official stores of the browser manufacturers and elsewhere on the Internet. Popular extensions are available, for example, for blocking advertisements, for password managers and for expanding Office functions. Extensions for ChatGPT have also been popular lately.

There are quite a few bad apples in the basket. Just like apps on your phone, extensions are based on permissions, which ought to limit what they are capable of. For example, an ad blocker does not need to know where you are, but a password manager must be able to see when you type a password (otherwise the question "Shall I save this for you?" is not useful). However, many extensions are not very picky about requesting permissions, and you as a user may not be very strict in managing those permissions - did you even know that you can? Extensions may be completely bona fide at the time of installation, but they can subsequently acquire malicious functions via an automatic update. Maybe because there was a criminal behind it from the start, maybe because the creator of the extension was hacked and his product was modified without his knowledge.

As always, there are two types of bad apples. One species thrives on indolence, the other on malice. If a developer doesn't feel like finding out exactly what his extension needs, he can just check everything. In doing so, he unintentionally makes his extension vulnerable. His criminal colleague is deliberately trying to get his extension to do things that have nothing to do with the reason for which you, the user, install his extension. For example, collecting all kinds of data, such as passwords, emails and documents. Or adjusting search results so that you end up on unsafe websites. Or changing your privacy settings. Your browser was already the window to your world, but it is increasingly becoming the window to the inside as more and more applications are accessed via the browser. It is therefore quite important that the security of your browser is not undermined. Whether it is Chrome, Edge, Safari, Firefox or a more exotic browser does not matter: all browsers that work with extensions face this risk.

How can you protect yourself against this while still benefiting from the joys that extensions have to offer? I have put together a number of tips and the most common is this one: only install extensions from your browser manufacturer's store (you can find them in the menu of your browser). That certainly offers no guarantees, but extensions from elsewhere are less reliable anyway. If you are looking for an extension (for example for your password manager) and you are shown multiple products, make sure you choose the right one, in this case from the makers of your password manager. Also look at the number of downloads and the reviews, and don't be fooled by glowing reviews that seem too good to be true. Also check whether independent articles have been written about it. And, very important: check whether the permissions an extension requests make sense.
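For readers who want to do that last check by hand: every Chrome-style extension ships a manifest.json that lists what it asks for. The sketch below is an added example, not code from any browser vendor; the list of permissions it flags is a selection I made for illustration, and both sample manifests are constructed.

```javascript
// Permissions worth a second look (real Chrome permission names) and why.
const SENSITIVE = {
  cookies: 'read and change site cookies, including login sessions',
  history: 'read browsing history',
  tabs: 'see the address and title of every open tab',
  webRequest: 'observe network requests',
  clipboardRead: 'read the clipboard',
  geolocation: 'read your location',
  privacy: 'change browser privacy settings',
  proxy: 'reroute browser traffic',
  nativeMessaging: 'talk to programs outside the browser',
};
// Host patterns that grant access to every website.
const BROAD_HOST = /^(<all_urls>|(\*|https?):\/\/\*\/\*)$/;
const isHostPattern = (p) => p === '<all_urls>' || p.includes('://');

function auditManifest(manifest) {
  const declared = [
    ...(manifest.permissions || []),           // Manifest V2 mixes host patterns in here
    ...(manifest.optional_permissions || []),
    ...(manifest.host_permissions || []),      // Manifest V3
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  const findings = [];
  for (const p of new Set(declared)) {
    if (typeof p !== 'string') continue;       // ignore malformed entries
    if (isHostPattern(p)) {
      if (BROAD_HOST.test(p)) findings.push({ permission: p, reason: 'access to every website' });
    } else if (Object.prototype.hasOwnProperty.call(SENSITIVE, p)) {
      findings.push({ permission: p, reason: SENSITIVE[p] });
    }
  }
  return findings;
}

// Constructed sample manifests (not real extensions).
const greedy = {
  manifest_version: 3,
  name: 'Example Coupon Finder',
  permissions: ['storage', 'geolocation', 'cookies', 'privacy'],
  host_permissions: ['<all_urls>'],
};
const modest = {
  manifest_version: 3,
  name: 'Example Site Helper',
  permissions: ['storage', 'activeTab'],
  host_permissions: ['https://example.com/*'],
};
for (const m of [greedy, modest]) console.log(m.name, auditManifest(m));
```

A finding is not proof of bad intent: a password manager legitimately needs access to every site. It is a prompt to ask whether the request fits what the extension claims to do.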

The safest way to pimp your computer still involves stickers, but if you want something more functional, make sure you maintain control over what happens on your computer.

 


 

2024-06-07

Capture the flag

 


Click. The door closes behind you. The light flickers. A timer indicates that you have exactly one hour left to find a way out. You look around you. You are in a fully furnished room, or perhaps in a laboratory. The atmosphere is mysterious. You’ll have to find a solution to get out of here. Welcome to the escape room.

Have you ever been locked up for fun? There are more than a thousand escape rooms in the Netherlands (and about 1500 in the UK, three thousand in the US and over fifty thousand worldwide). You usually go there with a self-composed group of people and try to find the exit within the allotted time. To do this you have to solve all kinds of puzzles; every solution takes you one step further. For example, you have to figure out the code of a combination lock, after which you can open a chest that contains the next clue. Or you have to find a hidden message, perhaps by wetting a painting. Escape rooms contain all kinds of challenges in different levels of difficulty.

Security technicians also like to solve puzzles and their game is called capture the flag. Not real flags of course, but text strings that are hidden in a computer program or on a website. The players' task is to capture as many flags as possible. The game can be played in roughly two ways: in one variant, teams play against each other, in the other against the organizer. Each flag earns you points and the person who has the most points at the end of the day wins.

Just like with the escape room, a CTF comprises multiple puzzles. In one you may have to analyze a program to understand what it does (reverse engineering), in another you may have to consult information on public sources (open source intelligence, OSINT) and in yet another you may have to perform forensic research. Another similarity with escape rooms is that the whole thing is wrapped up in a story. If you enjoyed word problems at school, then you are already on the right track to participate in a CTF.

A few of my teammates organized a CTF for colleagues earlier this week. I would have liked to take a look, but since covid it is not done to appear in the office coughing and sneezing and that is why I unfortunately cannot give you a first-hand account. We are certainly not the only organization that does CTFs for their personnel. But why exactly, I asked the organizers. Participating in a CTF increases the knowledge and skills of the participants; this could be anyone who deals with security and wants to learn more about it – also highly recommended for developers! In the CTF you see all kinds of ways in which something can go wrong. If you later encounter a similar situation in your work, hopefully it will ring a bell: hey, this is dangerous, it makes us vulnerable, this has to change! CTFs are usually played in small teams, which adds some team building for free. Commercial companies also organize CTFs for outsiders. This provides publicity and talent scouting opportunities.

There are websites where you can do finger exercises in this area. The PortSwigger site provides fairly accessible explanations for all topics. And there’s HackShield for children aged 8-12, in different languages. For the record: there’s no intention to breed small criminals, it’s about making everyone cyber aware. Escape rooms can also be played at home: you can buy them in a box at the toy store. There will of course be much less tangible surprises, but it is still surprisingly fun.

 


The invisible king

His Majesty the King has been pleased to honor us with a visit. Although I myself had a meeting at the office yesterday, ...