2024-12-20

Under the hood

Image by author

As tradition dictates, we built a Christmas village in our living room this year. It took four days and about five square meters (54 sq ft) of space; it required a structured approach and the necessary flexibility of the body. But the result is worth it, we think. From the beginning of December until mid-January we enjoy the warm appearance of this winter scene.

I look at it with completely different eyes than visitors. Because I know what lies beneath the surface. How all those lights get their power, how the rock formations were made, how meters of tape and numerous staples were incorporated. I know how the differences in height were created and I know all the parts of the railway tunnel, which I built myself – just like the ski slope. I laid out the street and know which cables lie under the asphalt. I also see straight through the snow and know exactly what it hides. And I know what is not quite right in this scene.

The age-old metaphor of the iceberg presents itself. What you see towering majestically above the water is only a fraction of the total lump of frozen water. Now, the proportions of our Christmas village are not so dramatic, but even here you should not underestimate what is hidden beneath the surface.

The internet is also like that. Above the surface there’s the internet where you and I do our daily things and where the Googles of this world rule. Below the surface, invisible to most of us, is the realm of the dark web. No Google here, but criminals who call the shots. You can go there for all kinds of services and products, from DDoS attacks to drugs. I have never been there, but I have seen enough presentations by law enforcement agencies from home and abroad to know what it is like there. It is actually not very different from the regular internet - except that you buy completely different things there and that it is not so easy to get there. Of course you can ask at the top of the iceberg how to get to the bottom, and when you find a site with serious explanations, you soon realize that your computer needs protective clothing before you descend to the dark bottom. And the URLs you visit there don't look like, for example, bbc.com, but look like this: zqktlwiuavvvqqtxxxvgvi7tyo4hjl5xgfuvxxx6otjiycgwqbym2qad.onion. As an honest citizen you have no business being there, but you can be saddled with a lot of trouble. Because as I said, these are the caverns of the internet that are populated by scum from the deep end. And by wandering around there, you could easily attract their attention.

Information security professionals, in many ways the opposites of those sneaky criminals, also like to keep a few secrets from time to time. We even have a slick term for it: security by obscurity. This is considered a reviled method of operation, because in the strict sense it means that your security is based on secrecy and the hope that your little secret does not leak. Hiding your house key under the doormat is an example of this - one that also makes it clear that it is not very likely that no one will ever discover your secret.

I don't want to see it that black and white. Let me put it this way: security by obscurity is never enough as a single security measure, but it does help. For example: we prefer not to broadcast to the world which systems we have running, and which version. Because malicious people can use that information. It is a piece of the puzzle, and if they can gather enough pieces, they will see the whole picture. By hiding puzzle pieces, we prevent that. But because you can never trust that they won't find those pieces anyway, we must of course secure all those systems anyway, and in doing so assume that intruders are much further in than we hope. That is the assume breach principle: assume that you have already been hacked, and adjust your security accordingly. If your house key is indeed under the doormat, then you would do well to install an alarm system, to make sure that someone who has discovered your secret is still confronted with an additional barrier.

In the meantime I try to enjoy our Christmas village as if I have no knowledge of its construction. I call that delight by ignorance.

The Security (b)log will return after the Christmas holidays.

And in the big bad world…

2024-12-13

Going to cyberwar in work pants

Image from Pixabay

Doing odd jobs is not really my hobby, but sometimes it has to be done, right? And when I do get to work, I wear trousers that I was given 36 years ago as a conscript. Indestructible, that stuff. And the fact that I still fit into them, perhaps says something about me too…

Do you know what my work pants have in common with the internet? There are two points of similarity: first, the internet is also of military origin, and second, it is designed to be at least as indestructible as these combat pants.

The internet started in 1969 (!) under the name ARPANET as a project of the American Department of Defense. There was a need for a robust network that would not be dependent on a central system. This desire resulted in a distributed system, so that a bomb on one server (it was the middle of the Cold War at the time) would not bring down the whole thing. They have succeeded quite well: I cannot remember the internet as a whole ever going down. Incidentally, that did happen locally in 2019 on the Tonga Islands, after a break in the fiber optic cable to New Zealand, says Wikipedia. But that is an example of how it should not be done: the idea behind robustness is that, when a connection fails, the data will find another route to its destination. If you are an island and are connected to the rest of the world via a single cable, then you have a single point of failure in your system - and that is at odds with the philosophy behind the internet.

Although the Netherlands is not an island, our internet is not as invulnerable as you would like. Almost all of our international traffic runs via one node, the Amsterdam Internet Exchange (AMS-IX). If that goes down, there are still other connections to the outside world, but they could become overloaded. Fortunately, AMS-IX is spread over multiple locations, so the chance that the node will fail completely is not that great. In the Netherlands, an awful lot happens on the internet: office workers can work from home, we shop like crazy and we are in contact with the rest of the world via social media. You don't want to think about this being disrupted for more than ten minutes, do you?

The NATO Secretary General informed us this week that we must mentally prepare ourselves for war. I don't know how that came across to you, but Mark Rutte's statement hit me hard. War is something from the era of my parents and is taking place elsewhere in the world in our time. Admittedly, Ukraine is less than fifteen hundred kilometres from my house, but it can't get any closer, can it? Then I'll just recall the book There's a War Going On But No One Can See It by Huib Modderkolk. A digital war probably wasn’t on top of Rutte’s mind, but in fact it has been raging for years. The intelligence services often mention the illustrious quartet of Russia, China, Iran and North Korea when it comes to state actors who attack us. Their goals are espionage, money, disruption, sabotage and influence. Rutte advocates tanks and fighter jets, but hopefully someone will whisper in his ear that digital defence must be a top priority. In the past, you had won a war if you controlled the airspace. Today, control over cyberspace is at least as important. A secure digital infrastructure is much less tangible than Leopards and F35s – I have yet to see the first camouflaged router. Hopefully this invisibility does not lead to a lack of attention.

The label on my work pants bears the name H. van Puijenbroek. This turns out to be a textile manufacturer that has been a regular supplier to our armed forces since 1925. It also turns out that the trousers are being offered for sale for €49 ($51), as a “rare find”. And if only I hadn’t given away the matching jackets: they are being offered for almost two hundred euros ($210). I would have sold them now and put the money in my war chest. Because due to the geopolitical threats, banks and ministers advise us to have some cash at home*. Because if “they” paralyze things here and we can no longer use our debit card, we still want to eat. Fortunately, most supermarkets still accept physical money as a means of exchange.

*: For some international context: people in the Netherlands heavily rely on their debit cards. Cash is not that common anymore.

And in the big bad world…

The invisible king

Image from Pixabay

His Majesty the King has been pleased to honor us with a visit. Although I myself had a meeting at the office yesterday, ...