2024-11-22

Look at me

Image from Pixabay

How do you unlock your mobile, tablet or laptop? With a password, a PIN code, your fingerprint or maybe even with your face? There are many possibilities, and therefore sooner or later the question of whether facial recognition is safe had to pop up. A few years ago my answer was: I wouldn't use it on business devices, privately I don't think it would be a problem - at least, if you have a somewhat normal life. But is that statement true? It’s time for some research, so that you don't have to dive into it yourself.

Facial recognition is a form of biometric identification, which compares unique features of your body to a stored pattern. Other forms of biometrics include fingerprint and palm scans, iris scans and voice recognition. These technologies work differently than the good old fingerprints you know from the police, where inked fingers are used to make a print on paper that is then compared to the prints left by the burglar on the window. Instead, the scan is translated into a biometric profile, which looks at things like the distance between your eyes, the distance between your nose and mouth, the shape of your cheekbones and the dimensions of your face. More advanced systems make a 3D scan and use infrared images, which makes the profile more accurate. It gets even better when the system is able to determine whether the camera is looking at a living person. When unlocking, the detected facial features are compared to the stored profile. So it’s not like photos from then and now are being compared with each other.

I read a bunch of articles on this topic this morning, and the answer to the question whether facial recognition is a safe way to unlock your device seems to be: it depends on the device. Apple's FaceID uses the more advanced techniques I described above from the iPhone X onwards and is therefore considered safe. Android devices are a different story, as the Dutch Consumers' Association discovered. In 2023, they repeated their research from four years earlier and had to conclude that little had changed: they were still able to fool 43% of the tested devices with a photo. This mainly concerns devices at the low end and in the middle of the price range, although a few more expensive devices also fell through the cracks. Almost all Samsung devices performed well.

Windows Hello is available on Windows PCs. It uses infrared cameras to make a 3D scan of your face. The system can also check if it is looking at a living person, making it difficult to fool it with a photo. If your computer does not have the necessary cameras, facial recognition is not available.

Of course I put it to the test and let my private phone look at a photo on my screen. And then I quickly disabled facial recognition on that device… I will continue to use the fingerprint scanner, because it is more secure than a PIN code which can be copied. And while you can often fool facial recognition with a photo, that is much more difficult with a fingerprint. Some Android devices still have pattern recognition, where you draw a pattern with your finger on a grid of nine points. This option is almost unanimously discouraged, because someone looking over your shoulder can easily remember your pattern. Moreover, traces of grease on the screen also reveal a lot.

During the research for this blog I noticed something. I searched for “facial recognition safe” in both English and Dutch. The Dutch articles gave a good answer to my question, while the English articles mainly focused on the privacy aspect of facial recognition: for what purposes can this technology be abused? Privacy plays a role in particular when biometric data is stored in databases. And again we see that Chinese person crossing the road on a red light and receiving a fine in the mail a few days later. But criminals are also interested in technology that allows them to gather information about someone based on a (secretly taken) photo. And finally, quite a few people fear that the police can unlock their phone very easily – you can’t turn off your face (just like fingerprints, by the way). But you can refuse to give up your PIN code.

There will be no Security (b)log next week.

 

And in the big bad world…

 

 

2024-11-15

Safe water

Image from Pixabay

 Have you seen it yet? It is advancing in our offices. Without any warning – or I must have missed something. We looked at each other awkwardly. The first time that day I went to the other one, but then I could no longer contain my curiosity and I bravely walked up to it. I touched it and it flashed happy lights at me. It took me a while to figure out exactly how to do it, but eventually I got what I wanted. A mug full of hot water. We are talking about the Borg & Overström E6, a device that delivers cold, chilled, bubbling and hot water. Tea and water drinkers are in for a treat.

How did I come to dedicate the Security (b)log to what they call a drinking water solution? Well, if the name of a water dispenser contains Overström, then you have my attention. Because, you know, the Dutch word ‘overstroming’ means flooding. Nomen est omen – what's in a name. And indeed I noticed that the device on our floor is already leaking a little. The first part of the name is absolutely a trigger as well, but only Star Trek fans understand that. A little tip for everyone else: the Borg are those friendly space creatures stating: “You will be assimilated. Resistance is futile.”

There is no manual next to the B&O (oops, that was already another company’s abbreviation). If you haven’t met the E6 in person yet, you might think: what do I need a manual for? But that device does not give up its water just like that. It has five buttons: one for each of the products mentioned plus one with a padlock on it. Aha, that’s the link with security!

So you think you have to unlock the device first with that button and then press the button of your choice. Wrong! After two touches, nothing happens. Well, you get a small light show where you expected water. But no water. Huh? After a day of practice I figured it out. You have to kiss it awake with a gentle touch, then unlock it with the padlock button and only then press the button of the desired product. Et voilà, as long as your finger rests on that spot, water keeps coming. A full mug in one go – a real improvement compared to those coffee machines where you had to tap twice for the same purpose, or use the 'pot' button.

Meanwhile, colleagues are wondering why there is a lock on these devices at all. My answer: to protect children from the hot water. Which children? Well, exactly. They are extremely rare in our office environment, and I suspect the same goes for the vast majority of the other customers of this British company (you wouldn't have thought they were from there, would you?).

I have written before about security measures that are unnecessary in a certain context and therefore cause unnecessary delays. Look, with a boiling water tap in the office I understand that there is some kind of safety on it that requires you to consciously choose boiling water. It would be a shame if you were to wash your hands with boiling water due to an operating error. But you don't do that at a water dispenser, and it is not possible to hang your mouth under it if you are thirsty but don’t have a cup. Moreover, the coffee machines don’t have a lock either.

Many Security (b)logs are preceded by thorough research. For this edition I wanted to consult the Borg & Overström website. But instead of the desired site I was presented with a screen from Cloudflare: “Sorry, you have been blocked.” I must have done something that triggered their security. But I only clicked on the company link from the search engine (startpage.com). Oh well, fortunately there are more roads to Rome and I was allowed to visit that site on another device. By the way, I didn't know you could fabricate such bombastic texts about gargoyles! You could copy most of the texts almost unchanged to sell the latest model of electric car (“evolved environmental sustainability, energy efficiency and intelligent technology” and “we aim to inspire the every day with original design and thoughtful innovation”). Anyway, I was blocked and I have no idea why. Could they have blacklisted our organization? (Being the Tax Administration…)

The E6 can also be operated contactless, via Bluetooth – a covid-driven innovation. I'll quote my Finnish hero Mikko Hyppönen once more: if it's connected, it's vulnerable. Let's hope that doesn't lead to an ‘overstroming’.


And in the big bad world…

2024-11-08

The EU and AI

 

Image from Pixabay

I’ve said before that you shouldn’t ask an information security officer if you can use AI for your work, because that will lead to a risk analysis that will undoubtedly say: don’t do it. No, decisions about the application of certain forms of technology should be made by ‘the business’, or perhaps a better term, by the decision makers. They may well be influenced by our risk analyses, but there are more factors that decision makers should and/or want to take into account.

Sometimes the decision is to be made at the political level. Like with AI. Enter the European AI Act, a regulation on artificial intelligence (an EU regulation is legislation that applies throughout the European Union, without country-specific interpretations). The aim of the AI Act is to ensure that we get safe AI systems that respect our fundamental rights. These rights include transparency, traceability, non-discrimination and environmental friendliness. And the systems must be under human supervision to prevent harmful consequences.

The regulation divides the AI landscape into four risk levels. The highest level contains systems that pose an unacceptable risk to the safety, livelihood and rights of people and are therefore prohibited. Examples mentioned by the EU are voice-controlled toys that encourage dangerous behavior and real-time biometric identification (think of the facial recognition at traffic lights in China: if you walk through a red light, you’ll find a ticket in your mail).

The next category contains systems that pose a high but acceptable risk. They may have a negative impact on our safety and fundamental rights, and they fall into two subcategories: systems covered by EU product safety legislation, such as toys, cars, aviation, medical devices and lifts, and systems in certain areas, such as critical infrastructure, education, employment, law enforcement and migration. Such systems are assessed before they are allowed to be put on the market, and throughout their life cycle. National regulators must set up a complaints procedure.

One risk level lower are systems that pose a risk of deception. This includes generative AI, which creates content itself, such as ChatGPT and Gemini. Artificially generated content must be labelled as such. So if you chat with an AI chatbot on a website, they must clearly tell you. Deepfakes – videos, photos and sound fragments that are manipulated to make it seem like someone is doing or saying something – must also be labelled. AI systems that pose a minimal risk are not regulated. Examples include games and spam filters. According to the EU, the vast majority of AI systems currently in use fall into this category.

The AI Act will be implemented in phases. In February next year, unacceptable systems will be banned. Six months later, the national supervisors should be sitting in the saddle. Next year, the transparency rules for general AI (such as ChatGPT) will also come into force. And a year later, the rules for high-risk systems will come into force.

It is good to see that the EU is taking this issue by the horns in a timely manner. But you need have no illusions about everyone complying with the regulations. Criminals in particular have a knack for breaking the law. They will certainly continue to use deepfakes to make people believe that a loved one is in need and urgently needs money.

 

And in the big bad world…

2024-11-01

No style

 

Image from Pixabay

If you put a sticker that says SECURE on something, does that make it secure? It depends. If that sticker is stuck on after the security has been checked, and if it’s clear that the sticker is only granted after the check, then you can indeed assume that the stickered thing is secure - at least, if the sticker shows that it is authentic. In all other cases, that sticker makes no sense at all, of course. In fact, it promotes a false sense of security.

Recently I spoke to a colleague who manages a great web application. When creating that program, they forgot one thing: the house style or, if you wish, the corporate identity. And the people who watch over the house style didn't think that was a good idea. Because, they argued, users would think that it was a fake website, where scary things could happen. Put our corporate logo on it, they said, that will prove that the site is secure.

Nonsense. If cybercriminals have become good at anything in recent years, it is the faithful reconstruction of websites. They look at what the real website looks like and copy the entire house style: logos, photos, font, writing style, and yes, even the beware-of-cybercriminals notice, which is on many sites these days. So you can't tell security from the appearance.

But, the administrator said, users of my application can see in the browser’s URL bar that the displayed web page is in our domain. But that doesn't work either. Because for the average user that is simply a bridge too far. Or have you never seen someone type 'wikipedia.org' in the search bar of Google and then go to that website via the search results? Instead of typing 'wikipedia.org' (the URL) immediately in the URL bar (at the very top of the browser), so that you immediately end up in the right place? Many users have a blind spot for the URL (or address) bar, let alone that they would look at what it says and use it to determine whether they have ended up on a bona fide site.

Aside: the method outlined here introduces an additional problem. Cybercriminals are very successful in having their fake sites appear high in the search results. This means that you may end up on a fake site via your search engine. Tip: if you know the URL, type it into the URL bar, not into Google (or another search engine). If you visit a site often, bookmark it so that you don't have to type. Bookmarks also prevent you from ending up on a fake site due to a typo ('wikipidia.org'). Criminals like to build websites with URLs that are very similar to those of the real websites. And then they hope that you make a typo and end up on their site. This is called typosquatting.

Despite all this, I have pleaded with the administrator to apply the house style. Am I then in favor of a false sense of security? Not at all. But I want to prevent a flood of unjustified reports from users who think they are on a fake site – the colleagues at the IT service desk are busy enough as it is, so if I can spare them a number of false positives, I am happy to do so. In addition, we train users to recognize dangers. I call them red flags. The more red flags, the more likely that something is wrong. For example, for phishing, I can easily list a number of red flags: an impersonal salutation ("Dear customer"), a different sender address (amazon.ru instead of amazon.com) or a link to a different domain (amazon.com.customer.com). Tip: you should read URLs from right to left; so only if amazon.com is on the far right, you are visiting the domain of that webshop. By the way, something may be added behind that, starting with a '/': amazon.com/customerservice takes you to a page in the domain amazon.com. But amazon.com.customer.com is not an amazon.com page.
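The right-to-left reading rule and the typo red flag described above can be written out as a check that a mail filter or awareness tool might run on a link. This is an added example, not part of the original blog; the function names, the result labels and the edit-distance threshold of 2 are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

TRUSTED = "trusted"
MISPLACED = "red flag: trusted name is not at the far right"
TYPO = "red flag: looks like a typo of the trusted domain"
DIFFERENT = "different domain"

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # drop a character
                           cur[j - 1] + 1,             # add a character
                           prev[j - 1] + (ca != cb)))  # swap a character
        prev = cur
    return prev[-1]

def classify_link(url: str, trusted: str) -> str:
    """Classify a link against the domain the reader expects to visit."""
    if "//" not in url:              # allow bare 'amazon.com/page' input
        url = "//" + url
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    trusted = trusted.lower()
    # Read from the right: the host must BE the domain or END in '.domain'.
    # Everything after the first '/' is the path and is ignored here.
    if host == trusted or host.endswith("." + trusted):
        return TRUSTED
    # The trusted name appears, but further to the left.
    if trusted in host:
        return MISPLACED
    # Compare the rightmost labels with the trusted domain for small typos.
    labels = trusted.count(".") + 1
    tail = ".".join(host.split(".")[-labels:])
    if 0 < edit_distance(tail, trusted) <= 2:
        return TYPO
    return DIFFERENT

# Constructed sample links, taken from the examples in the text above.
SAMPLES = [
    ("https://amazon.com/customerservice", "amazon.com"),
    ("https://amazon.com.customer.com/login", "amazon.com"),
    ("https://wikipidia.org/", "wikipedia.org"),
]

if __name__ == "__main__":
    for link, domain in SAMPLES:
        print(f"{link:45} {classify_link(link, domain)}")
```
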

Of course I went to look at the page of that internal web application. And what do I see? In a corner, our corporate identity logo is displayed! They have made concessions, hoping that everyone is happy now. And they are going one step further: the application will be connected to single sign-on, so visitors no longer have to log in manually. A smart move, because if you think that you might be on a fake site and it asks for your credentials, it increases the feeling of insecurity.

 

And in the big bad world…

 

The invisible king

Image from Pixabay

His Majesty the King has been pleased to honor us with a visit. Although I myself had a meeting at the office yesterday, ...