2025-02-28

The monkey is loose

Image from Pixabay

Despite the fact that they aren’t ducks, I am inclined to call them Huey, Dewey and Louie: the three monkeys that escaped from Apenheul last week. They had only been living in this Apeldoorn zoo for a week, but apparently they were so unhappy with their accommodation that they made an escape plan. Tranquilizer darts and a firm jet of water from the fire brigade were needed to get them back into their cage.

Which brings me to the expression: having a monkey on your back. I only know it with a negative connotation, because it means that you have a job to do or a problem to solve that you are not really happy with. The search engine returns this for the search “monkey back”, from an educational institute: “Monkey on your back? Learn the art of giving back.” A competitor is a bit more aggressive: “Watch out! Avoid the monkey on your back.” In short: having a monkey on your back is not a pleasant thing.

In this context too, there are sometimes monkeys that break out and end up in places where they don’t belong. Those monkeys are not sitting on the back of the right keeper. How do they end up there? Sometimes in a very strange way. For example, I once heard this remarkable statement: “Information security starts with an i, so the IT department owns it.” Can you imagine a worse reason to assign a subject to a certain department? I can’t.

By the way, it is not at all unusual – but therefore not necessarily wise – for an IT department to be promoted to the owner of information security. Because, well, information security is about computers, isn’t it? And computers belong to IT. Right?

What does 'ownership' actually mean? In private life, it usually has something positive: you are the proud owner of a beautiful house or a trendy bike. It also means that you have to take good care of it if you want to enjoy it for a long time. In business terms, you can also be proud of things that you own. Perhaps you derive a certain status from it. However, when it comes to maintenance, the story is somewhat different from your private situation. There you could still decide for yourself whether to do maintenance, but in business you bear responsibility towards the organization. You cannot just let things take their course, because that could mean that people elsewhere in the organization experience problems as a result. Or, to put it more definitely: sooner or later someone will suffer from poor ownership.

Fortunately, many people in our organization are aware that information security is not an IT thing. You can see that, for example, from the fact that we have business security officers (BSOs). These are security officers who work for the business departments. And yes, in IT we also have security officers (also called information security officers (ISOs)), but they only deal with the items and services that IT makes available to the organization – and not with whatever the organization (‘the business’) actually does with them.

For many employees, the BSOs are fairly invisible. I know this because we, the ISOs, often receive questions that actually belong to the BSOs. An employee who encounters a security issue or simply has a question goes looking for someone who can take the monkey on their back. They often knock specifically on my door: "You are the only information security officer I know, because of your blog." No problem at all, I am happy to refer them to their own BSO. I much prefer this to a question or report remaining unanswered.

Do you know your BSO? If not, go and find them and have a chat. Even if nothing is wrong. They are very nice people.


And in the big bad world…

2025-02-21

In the waiting room


Image from Pixabay

In the rather crowded train I found myself sitting next to a man who was working on his laptop. A quick glance at the device and the open programs identified him as a colleague.

At one point he was in a phone conversation. I wasn't actively listening, but of course I heard something. And what I heard made me very happy. To start with, he spoke softly, and in short sentences. It was actually mostly listening and occasionally responding briefly. I didn't hear him give any information. Neat, colleague!

How different was the experience of a colleague who was sitting in the dentist's waiting room. Well, it wasn’t really a waiting room; in a corner of the reception area there were some chairs. Two assistants were working behind the counter. One, Tasha*, was clicking through computer screens with some despair in her eyes and finally said: "I can't find Mrs. Decker's details in TND." Her colleague Cindy asked for Mrs. Decker's date of birth. "Aha," said Cindy, "she's from 1999 and that's why she's not in TND yet. What's her phone number? I’ll give her a call." Tasha read out the phone number and Cindy made the call.

“Good morning Mrs. Decker, this is Cindy, assistant to dentist Crown. I need some information from you to enter your treatment in our system. What are your initials? ABG? Great. And your social security number? Yes of course, I'll wait a moment. (...) Ah, there you are again. Yes, I'll write along. 1-1-2-7 5-5 9-5-0? Thank you. And finally, I need your address. 5 Brace Road? Great, then I have everything complete. Shall we make the first appointment for your root canal treatment right away? Can you come in on Friday at 9 o'clock? Fine. If I can also have your e-mail address, I'll send you a confirmation. marly@decker.com? Fine, then we'll see you the day after tomorrow. Have a nice day!”

Our colleague could hardly believe his ears. He now had a complete set of someone's personal details, and he knew when Mrs. Decker would not be home. Thanks to the information about her treatment, he also knew that she would be away for a while.

“Great, with this information I can commit identity fraud.” Or: “Great, I’ll get my burglary tools ready.” I admit that the chance that the unintentionally shared information accidentally ends up in the ears of a cyber or physical criminal is not that great. But still: everyone feels in their bones that this never should have happened. If you hear all this, then you know that they are handling your data in the same way. You wouldn’t feel comfortable with that, would you? And imagine that our waiting colleague was an acquaintance of Mrs. Decker. He runs into her a week later: “Hey Marly, how is your tooth?” That would be strange, wouldn’t it?

Of course there is also a legal problem. The unsuspecting, well-meaning dental assistants have not only leaked personal data, but even medical data. Under the GDPR (the European General Data Protection Regulation) these have the status of special personal data, for which even stricter rules apply than for regular personal data.

Tasha and Cindy were just doing their job. They can't help it that dentist Crown thought a separate waiting room was a waste of money. They couldn't make the phone call elsewhere either, because then Cindy couldn't enter the data into the system. Data leaks are built into this situation, especially when people are not aware of what is happening. A data leak is just around the corner.

I also want to look at what happened on the other end of the line. What if it wasn't the dental assistant who called Mrs. Decker at all, but someone who was out to collect personal data? Of course, the chance that they would call at exactly the moment you’re suffering from an aching tooth is small. But if you leave that circumstance out, it's a different story. If someone you don't know asks for data, tell them you'll call back. Then call the general number of the company and ask for the person who just called you. If that's not possible, ask whether they actually need data from you. That way, you prevent yourself from leaking your own data.

*) Of course, all personal and system data are the product of my imagination.


And in the big bad world…


2025-02-14

From Asia with love

Image from Unsplash

They didn't mention it in the eight o'clock news, but the fact that the report was broadcast on the eve of Valentine's Day could hardly be a coincidence. It was about a man who got in touch with a certain Julia on this dating app. Could this finally be the one for him?

They chatted for a while, and after a few days Julia wrote: “Guess what I was just doing!” And she sent a screenshot of an impressive graph, showing that she had just made a lot of money trading cryptocurrencies. And she was quite willing to explain to our anonymous love seeker how that worked. So he received a link to a trading app. But he didn’t realize that he had fallen into the hands of scammers. Nothing was traded via that app. His entire investment – first a thousand euros, then ten thousand, a total of one hundred fifty thousand – disappeared straight into criminal pockets. When the thugs realized that there was nothing left to be gained, Julia abruptly ended the budding romance. Our Romeo found himself in a difficult time, in which he lost confidence in everyone – including himself.

In many presentations I give, there is this folk wisdom: if something seems too good to be true, it usually is. It once started with that Nigerian prince, who sent you of all people an email, promising you mountains of gold if you helped him free up a large sum of money. Lawyers from faraway countries, who told you that a large inheritance was waiting for you, were a variation on that. The only occasion when I believe a statement like that is when it is on a chance card in Monopoly. But the scams are becoming increasingly shrewd and the criminals are putting more time and effort into getting the loot. Where that prince used to target a large group in one go, hoping that a few people might fall for it, they are now investing in a good relationship with the individual victim.

The news also showed where all that misery is coming from. No longer mainly from Nigeria and the surrounding area, but from Southeast Asia. From there, some thirty scam centers operate: apartment buildings full of Julias, who together have already earned some 75 billion dollars from people who were too gullible. Many of those approximately three hundred thousand Julias do that work involuntarily. They have been lured there by human traffickers under false pretenses. They live in captivity and if they don’t perform well, they receive corporal punishment.

Last week’s blog included a link to an article saying that Thailand had cut off internet and power to the border region with Myanmar in an attempt to cripple the scam centers. That shows how powerless you really are in the fight against criminals operating from a country that doesn’t put the slightest obstacle in their way. The article didn’t say anything about the extent to which the scam centers were dependent on Thai services, but by now they will have found a way to continue operating. That probably doesn’t apply to innocent citizens and businesses in the border region, who have also been affected by this well-intentioned measure.

Cybercrime in this form is only possible thanks to technology that was never conceived with this purpose in mind. With the help of translation services such as Google Translate, Julia was able to chat with her victim in perfect Dutch. Artificial intelligence is also increasingly being used for evil. I will once again make the comparison with dynamite: when Alfred Nobel invented it in the 19th century, he did not foresee that it would be used to blow up bank vaults and soldiers. And dating apps were also not set up as a platform for crime with a romantic prelude.

If the crime is not tackled, then its potential victims must be made resilient. Unlike a street robbery, you do have a chance to escape from those fraudulent practices. It is actually quite simple: if a new contact suddenly brings up money as a topic, you have to be careful. Take off your rose-colored glasses and look at what is happening through a magnifying glass. Discuss your doubts with someone you have trusted for years; not with Julia, because she knows all sorts of ways to reassure you. Just say firmly that you are not interested. You are using that dating app to find love, not to get rich.

If necessary, print out that piece of folk wisdom and hang it above your screen.


And in the big bad world…


2025-02-07

Artificially stupid

Image from Pixabay

Are you a good artist? Great. Then draw me a picture with two flags, each on a short pole, that make a 45 degree angle with each other.

Not that difficult, right, this assignment? However, ask ChatGPT for this and there is no way you can get that angle in there. You do get two sticks next to each other, which in the best case are intertwined. On one side there is a flag that waves to the left, on the other side one that waves to the right. If you ask specifically for that angle again, the flags are extended and folded, indeed at an angle of 45 degrees. But those sticks, they remain stoically parallel to each other.

What about this so-called artificial intelligence? Admittedly, I could never draw those flags that neatly and quickly myself. For the rest, after such a disappointment, I rather think that the thing is artificially stupid. I don’t easily stick labels on something, but if you brag about your intelligence and then don’t understand what every freshman with a set square does understand, then you’re done for.

A much smarter – but also reprehensible – application of AI is scamming people. I had barely started writing this blog when a radio conversation started about gullible people who had been scammed by criminals posing as René Froger, Max Verstappen, Mark Rutte or André Rieu on a dating site (René Froger is a well-known Dutch singer, and you know the others, I presume). Every one of them a person who is well off. And yet, after some flirting back and forth, they begged for money, supposedly because theirs was temporarily unavailable, for example due to problems with their manager. One victim had even transferred thirty thousand euros (well over 31k USD) to “René Froger”.

According to the guest on the radio show, slightly more women than men fall for these kinds of tricks, and especially those of slightly older age – people who don't necessarily know what normal online behavior is. And if one of them receives a personal voice message from their idol, via a dating site, they must be in seventh heaven, right?

Now you might wonder what these people are doing on a dating site (well, maybe apart from Mark Rutte, who is single). Unmasking this kind of scam works with flags; the more flags, the more likely it is bad business. Celebrity on a dating site: big red flag. Celebrity who starts chatting with you? Huge red flag. Famous or not famous person who asks for money after a few nice chats: enormous red flag. Three red flags in a row? Sound the alarm!

But yes, that voice message, right? That sounds really convincing. And if you don't know anything about deepfakes, that is, that artificial intelligence can be used to make a voice say anything you want, then I can hardly accuse you of natural stupidity. Let's agree that from now on you think of those red flags when you come across something improbable. Maybe it will help you not to fall for it.

Back to those crossed flags (because that whole story about flirting celebrities just happened to creep in because I was listening to the radio with half an ear). That picture I wanted was for private use. For my work as a Dutch civil servant, I should not have used such an AI tool. In official terms: the use of non-contracted AI is not permitted, in principle. I prefer to turn this rule around: for your work, you may only use AI that we have purchased. Why is that better? Because then there is a contract in which the rights and obligations of both parties are described. This ensures that our data cannot simply be included in a large artificial brain and that the owner of that brain cannot use it for his own purposes. You might see the contract as a green flag.


And in the big bad world…
