2025-09-26

Red Square

Image from Pixabay

You rent a small plane, fly it to Moscow, and park it on Red Square. Back in 1987, 18-year-old German Mathias Rust embarrassed the Soviet Union in spectacular fashion.


At the time, the Iron Curtain was still firmly in place, and Soviet air defense was ruthless. Just five years earlier, Korean Air Flight 007, a Boeing 747 en route from New York to Seoul, made a navigational error and entered restricted Soviet airspace. It was mercilessly shot down, killing all 269 people on board.

Naturally, the world was outraged. Rust benefited from that outrage, as the Red Army became more cautious about potentially civilian flights. He was detected by air defense and even accompanied by a MiG fighter jet, but no permission was given to shoot him down. Apparently, communication between military units was lacking, because further along his route, they had no idea and assumed the radar blip was a student pilot who forgot to turn on his transponder (a device that identifies aircraft). Elsewhere, they thought it was a rescue helicopter or a training aircraft.

And so it happened that Rust circled over the Kremlin on the evening of May 28, 1987, and landed his Cessna in the heart of Russia. He did so as a peace activist, and according to historians, his stunt accelerated the fall of the Soviet Union by giving President Gorbachev arguments to dismiss political and especially military opponents. Rust’s hero status quickly faded after he served fifteen months in prison and returned to Germany, where the media portrayed him as eccentric and mentally unstable, and he got into legal trouble.

Let’s pause to consider Russian defense. Their radar spotted Rust within minutes, but it took an hour before a fighter jet joined him—and did nothing. Despite the Cessna clearly being a West German aircraft, they simply left—allegedly due to confusion caused by a plane crash the day before. At each point where Rust was noticed, incorrect assumptions led to ignoring a potential threat.

And from the Soviet perspective, it certainly was a threat. How would our own defense react if a Russian drone appeared over our parliament buildings? Hopefully, that’s the wrong question—ideally, such a drone would be intercepted long before reaching that point, even far beyond our borders. But if an (armed) drone did make it that far, it would pose a serious threat to national leadership. That’s likely how it felt in the Kremlin, too. No wonder Gorbachev could easily dismiss hundreds of top military officials. They had failed.

This historical tale offers lessons beyond the military domain. First: you need oversight. If a threat is repeatedly detected but consistently dismissed as unimportant and not reported, its true scale remains unclear. An example from my world: a virus on a few computers that gets neutralized by antivirus software is no big deal. But if infections multiply, you’re facing an outbreak and need different measures. Recognizing that requires visibility.

Making assumptions (“it’s probably a rescue helicopter”) is also dangerous. Was there a lack of clear instructions, or just indifference? Again, in the realm of cybersecurity: if you receive a suspicious email and yet assume it’s fine, and then click the link or open the attachment, you’re making the same mistake as those Soviet radar operators—you see the threat but choose to ignore it.

If Rust’s stunt truly accelerated the fall of the Soviet Union, it’s a prime example of a small action with massive consequences. Today, we see that with ransomware: one careless click by a single employee can bring down an entire organization.

Let’s make sure the lessons from Rust’s flight don’t, well, rust away. Protect your own Red Square.


2025-09-19

Beyond Customs

Image from Pixabay

"Beyond Customs I bought a watch," said Merlijn Kaiser in the novel Magnus by Arjen Lubach. The book is highly recommended, but this sentence deserves some attention.

Merlijn was at Amsterdam Airport Schiphol and took a flight to Stockholm. You will encounter only one authority that performs a check: security. Apologies for the vague term, but that’s what the airport itself calls it. It’s the inspection of your hand luggage and yourself, checking whether you’re carrying anything that could endanger the flight. Like scissors or explosives, just to name a few.

On flights outside the Schengen area (roughly outside Europe), you also encounter the Royal Netherlands Marechaussee (military police), who check your passport. But that’s not Customs. You almost never encounter Customs when departing the Netherlands; they’re only interested in goods traffic. So, dear Merlijn, there is no "beyond Customs" when you leave the Netherlands. You only encounter Customs when returning from abroad. You know, after you’ve picked up your luggage, just before the sliding doors where people are waiting to pick you up.

It’s not uncommon for responsibilities to be confused. In the past, many organizations thought that information security was something the IT department was responsible for. And the IT department, in turn, thought the security team should handle it all. Strangely enough, that was also the time when backups weren’t made for certain systems because the client ("the business") hadn’t asked for it. One side assumed everything would be taken care of, while the other side strictly followed the assignment—and nothing more.

Now it’s the opposite. The business largely realizes that they are responsible for securing their own environment, and that they may and must set requirements. At the same time, many standard measures have been introduced. When you buy a car, you don’t need to demand that it comes with brakes, seat belts, and airbags; the law has already arranged that for you. The same applies to information security: there are laws and regulations that describe the minimum requirements a system must meet. Of course, an organization or internal client can set higher requirements – if a risk analysis shows it’s necessary. Because you never take measures just for the sake of it.

That doesn’t mean ad hoc measures can’t be taken. This can happen, for example, when security professionals encounter a dangerous situation. While we’re not responsible for "handling everything," we are responsible for ensuring the organization is safe. In doing so, we sometimes apply professional judgment. A nice term that essentially means: this must be done now because I, in my role, judge it to be necessary. And you can trust that this judgment is based on expertise.

Back to Merlijn Kaiser. Where did he actually buy that watch? Schiphol Airport has two major shopping areas: one where you enter the airport buildings, and one beyond security. That’s where he bought the watch. Without seeing a single customs officer. But still, it’s a great book.



2025-09-05

Champions

Photo by author

 

I love this traffic sign. In other European countries, the warning for playing children is a neat triangle, just like all other warning signs. But in Croatia, they literally thought out of the box.

This sign powerfully expresses what it's about: playing children are unpredictable and can suddenly run into the street – breaking through the boundaries of their safe environment. The sign is also large and has a striking background color. You’ll find it in every village and city.

If you look under the sign, you’ll see an example of the opposite: a sign that raises questions. The sign prohibits vehicles over five tons from driving here; that’s clear enough. But there’s a sub-sign indicating that the rule only applies to trucks. Now I challenge you to name a road vehicle, not being a truck, that weighs more than five thousand kilograms.

But since I felt a bit unsure, I checked with AI: 'Are there road vehicles, not being trucks, that weigh more than 5 tons?' And yes indeed, my view was too narrow: the universe doesn’t consist solely of regular cars and trucks, but also of more exotic vehicles on our roads: heavy SUVs and pickup trucks, large RVs, special vehicles (Copilot mentions mobile medical units, mobile offices, and film production vehicles), and agricultural and construction vehicles. These are not trucks, but they are too heavy for this road. Unless that sub-sign is present.

Then you naturally wonder what the actual issue is. Apparently, the road (or is it the bridge on the left in the photo?) shouldn’t be overloaded, but a heavy load only seems to be a problem if caused by a truck. In the past, you’d have had a good discussion about such matters with colleagues, but well, remote work, right? So I asked AI again and it turns out that the weight itself – or as Copilot correctly calls it: the mass – doesn’t have to be the problem. Maybe they want to reduce noise pollution or improve traffic safety. I’ll leave out other AI arguments here because I find them less convincing.

Two signs, two totally different experiences. One causes a wow-effect and was the reason for taking this photo, the other raises questions and only stood out when I looked closely while writing this blog. Is that a problem? I don’t think so. I’m not the target audience for the second sign; my driver’s license only goes up to 3.5 tons. While driving, I wouldn’t even notice it. The first sign, however, should speak to every driver. No one wants to run over a child.

It works the same way in information security. Some things are important for everyone, like practicing good password hygiene and being alert to phishing. The importance of other matters depends on who you are. A network administrator must ensure no one gets uncontrolled access to the company network, while someone in finance must be careful not to pay fake invoices. That means we need to tailor our awareness efforts to the audience. But unfortunately, information security professionals in many organizations are too busy to differentiate their awareness activities. And so we end up with well-intentioned but sometimes too generic education.

How can we break through that? If hiring extra staff isn’t an option, maybe we can enlist help from the target groups themselves. Often, there are already people who are quite aware of the specific risks their team faces. They’re eager to share their knowledge and skills with their direct colleagues. We can support them by giving them a certain status. In some organizations, they’re called security champions. I think that’s a great title. They are our champions in the field. Let’s cherish and support them.

Will you be our first security champion?

Next week, due to a busy schedule, there may be no Security (b)log.

 
