2025-11-26

A tempting side hustle

Image from Unsplash

 

“Dear Patrick, I’d like to point out a super interesting high-tech opportunity to you!” Or: “We’re impressed by your profile. How open would you be to learning more?” Those were in my own language, but they also come in English: “I’m working on an exciting opportunity for an Information Security Team Lead role. Would you be open to a quick chat this week to discuss further?”

Headhunters work on behalf of companies to find candidates for hard-to-fill positions. If I ever wanted to work elsewhere, I wouldn’t even need to start looking; potential employers reach out to me regularly. This mostly happens via LinkedIn, because that’s where your professional profile is up for grabs.

It’s not just companies trying to connect with professionals. Criminal organizations also attempt to recruit new people. Not via LinkedIn, but through platforms like Telegram – a space where criminals feel right at home.

They don’t want you to come and work for them. In fact, they want you to stay exactly where you are. You only need to do one thing: give them access to your organization’s systems. They’ll handle the rest. Besides an attractive reward, you’ll probably get a few extra days off. Because their ultimate goal is to infect your organization with ransomware. Usually, everything grinds to a halt, and work can’t resume for weeks. Recently, Jaguar Land Rover’s global car production was down for three weeks. The financial damage is estimated in the hundreds of millions. Earlier this year, a German napkin manufacturer had to file for bankruptcy after two weeks of lost revenue.

Cybercriminals need initial access – a digital foot in the door. Phishing is a tried-and-true method, but now active recruitment is happening too. And it’s highly targeted. A certain ransomware gang is currently looking for employees in finance, insurance, and travel. Hospitality, the automotive industry, and oil companies are also on their radar. They’ll tell you not to worry about criminal prosecution because they take great care of their insiders; they promise to handle your login credentials discreetly. According to them, the worst that can happen is you’ll get fired. “Don’t listen to those clueless security people – they have no idea what they’re talking about!”

Handling your login credentials discreetly? Sounds nice, but that’s only half the story. You can’t exactly work anonymously – much of what you do is logged. Logs will show: user xyz performed this action on that date at that time. If there are serious indicators, there are extensive ways to hunt down the suspected culprit. And we’ll gladly use them.

It may look like easy money, but don’t be fooled. You won’t get away with “that wasn’t me” when your user ID is in the logs. That’s exactly why you should never share your password with anyone – not even a colleague. Because what if that colleague falls for a Telegram message and hands over your credentials? Such a reckless move could cost you not only your current job but your future career. Who wants to hire someone who got fired for that reason?
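What that log trail looks like, and how a security team turns it into indicators worth a closer look, can be shown in a few lines. The Go program below is an added example and not part of the blog post: the log lines, the line format, the user IDs and the addresses are all constructed. It lists every action recorded under one user ID, in time order, and then applies two simple rules: activity outside working hours, and one user ID turning up from two different source addresses within a short window, which is the pattern a shared password leaves behind in the logs.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one parsed audit-log line: who did what, when, and from where.
type Event struct {
	When                 time.Time
	User, Source, Action string
}

// Finding is one indicator that deserves a human look.
type Finding struct{ User, Reason string }

// SampleLog is constructed test data, not a real log. The line format is an
// assumption: "<RFC 3339 timestamp> user=<id> src=<address> action=<verb>".
const SampleLog = `2025-11-24T09:02:11Z user=xyz src=10.1.4.20 action=login
2025-11-24T09:15:40Z user=xyz src=10.1.4.20 action=read-report
2025-11-24T22:48:03Z user=xyz src=203.0.113.7 action=login
2025-11-24T22:49:30Z user=xyz src=203.0.113.7 action=export-customer-db
2025-11-24T10:03:00Z user=abc src=10.1.4.31 action=login
2025-11-24T10:20:15Z user=abc src=10.1.4.31 action=read-report`

// ParseLog turns raw lines into Events sorted by time. A malformed line is an
// error rather than silently dropped, so a gap in the evidence is never hidden.
func ParseLog(raw string) ([]Event, error) {
	var events []Event
	for n, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 4 {
			return nil, fmt.Errorf("line %d: expected a timestamp and 3 key=value fields", n+1)
		}
		when, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		ev := Event{When: when}
		for _, kv := range fields[1:] {
			switch k, v, _ := strings.Cut(kv, "="); k {
			case "user":
				ev.User = v
			case "src":
				ev.Source = v
			case "action":
				ev.Action = v
			default:
				return nil, fmt.Errorf("line %d: unknown field %q", n+1, kv)
			}
		}
		events = append(events, ev)
	}
	sort.Slice(events, func(i, j int) bool { return events[i].When.Before(events[j].When) })
	return events, nil
}

// Attribute returns every action recorded under one user ID, in time order: the
// "user xyz performed this action on that date at that time" trail.
func Attribute(events []Event, user string) []Event {
	var trail []Event
	for _, ev := range events {
		if ev.User == user {
			trail = append(trail, ev)
		}
	}
	return trail
}

// Indicators applies two rules to time-sorted events: activity outside the
// [workStart, workEnd) hours (UTC), and one user ID appearing from two different
// sources within window, which is what a shared password tends to look like.
func Indicators(events []Event, workStart, workEnd int, window time.Duration) []Finding {
	var findings []Finding
	last := map[string]Event{} // most recent event per user ID
	for _, ev := range events {
		if h := ev.When.UTC().Hour(); h < workStart || h >= workEnd {
			findings = append(findings, Finding{ev.User, fmt.Sprintf("%s at %s from %s outside working hours",
				ev.Action, ev.When.Format(time.RFC3339), ev.Source)})
		}
		if prev, ok := last[ev.User]; ok && prev.Source != ev.Source && ev.When.Sub(prev.When) <= window {
			findings = append(findings, Finding{ev.User, fmt.Sprintf("seen from %s and then %s within %s",
				prev.Source, ev.Source, window)})
		}
		last[ev.User] = ev
	}
	return findings
}

func main() {
	events, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Println("trail for xyz:", Attribute(events, "xyz"))
	for _, f := range Indicators(events, 7, 19, 24*time.Hour) {
		fmt.Printf("INDICATOR user=%s: %s\n", f.User, f.Reason)
	}
}
```

On the constructed sample, user ID xyz is flagged three times (a login and an export late in the evening, and a switch from an internal address to an external one within a day), while abc produces nothing. Every finding carries the user ID, the timestamp and the source, which is exactly why “that wasn’t me” does not hold up: the first question a reviewer asks is who held that account’s password at that moment.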

Better listen to the advice of one of those “clueless security people” and steer clear of such practices. If financial trouble tempts you, seek help instead.

Because of a few days off, this blog appears earlier than usual.

And in the big bad world…


…I unfortunately didn’t have time to fill this section this week.

 


2025-11-21

Micro-awareness

Image from Unsplash

What grabs your attention first? A newspaper article buried on page seven, or a similar message in a personal email that even addresses your specific situation? The question answers itself, doesn’t it?

As an information security officer, you have a tough message to convey. There are all sorts of rules designed to ensure the confidentiality, integrity and availability of the data entrusted to us. Maybe those terms alone make you break out in a cold sweat. Let alone having to implement measures to comply with those rules – say, in a project. And then those measures get in your way because you can’t do something the way you envisioned. Even if you understand why it’s necessary, it’s hardly pleasant. And it’s a page-seven story: you just hope your audience sees it.

A personal email, on the other hand, always gets through. I’m talking about the kind of email we send to a team manager, telling them that an employee did something against security policy. In other words: someone broke the rules and needs to be addressed. We do this via the manager because they know the employee. Ideally, they can judge the response better than anyone else – and whether our report might be a puzzle piece in a bigger picture, possibly pointing to subversion.

Employee reactions vary from genuinely shocked (‘Oh wow, that was dumb!’) to businesslike (‘Here’s what happened’) to – on rare occasions – defensive-aggressive (‘I’m allowed to do this!’). In most cases, the response closes the report. There’s a plausible explanation, and no further action is needed. Sometimes I ask a clarifying question; you don’t want someone to get away with smoke and mirrors.

This approach turns out to be highly effective for boosting security awareness. I call it micro-awareness: focused on one person or team, and one specific observed fact. It’s almost unheard of for someone who received such a message to pop up again later. That personal attention really works.

Micro-awareness also reinforces the idea that the warning you see when logging in isn’t just empty words. You know, the one saying access is for authorized personnel only and you may only do what you’re allowed to do. Monitoring is real. It’s automated, and only when something pops up that deserves closer attention does a human take a look. We’re an organization with big stakes, and those stakes need protection.

Unfortunately, we have to consider insider threat. I know, all colleagues are incredibly trustworthy; most of us couldn’t name a single one who isn’t. And yet, in a large organization, statistics guarantee a certain percentage of bad apples. Plus, circumstances can turn a model employee into a risk. I dealt with that earlier this year (things went missing), and I can tell you it’s unpleasant for everyone. I might be the first to link that incident to insider threat. Maybe it could have been avoided if the organization were more aware of this often-overlooked phenomenon (and that’s not a blame game; it’s something we need to work on).

If there’s micro-awareness, then logically there’s macro-awareness. Those are the page-seven stories. Not necessarily in the newspaper, but maybe on the intranet or in presentations. Not everyone reads them, not everyone attends. The ones who do are interested in what you have to say. But you’d love to reach the ones who don’t show up.

The Security (b)log is also a form of macro-awareness. Loyal readers know it usually starts with an everyday situation and then twists toward information security. Wrapping a serious message in an appealing package helps. And honestly, it’s a lot of fun to do.


And in the big bad world…

 


2025-11-14

Don't book here

Image from Pixabay

During the autumn break, we wanted to get away for a bit with the whole family. Being as critical as we are, we embarked on an extensive search for a suitable house in a nice location. Eventually, we found what we were looking for on a booking site. Since we had booked there before, we thought we were all set. Things turned out differently.


The day after booking, I received eight messages within an hour and a half from a company I had never heard of; let’s call it Don’tBookHere. The emails were about my booking, with subjects like ‘payment failed’, ‘request for payment of deposit’ and ‘activate your customer account’. And they also wanted a copy of my passport. Although these messages all came through the booking site’s messaging system, I was highly suspicious. As mentioned, we’re regular customers there and have never been contacted by a third party before. The payment was already settled, and the deposit is normally paid on-site. Moreover, the deposit was a whopping seven hundred euros – exorbitantly high. And there was more. The messages mentioned three different internet domains: dontbookhere.eu, dontbookhere.be, and dontbookhere.es (Europe, Belgium, and Spain). In addition to the name Don’tBookHere, the name Don’tInvestHere also appeared. My suspicion escalated further.

Of course, I called the booking site. Long story short: the messages were legitimate. The only incorrect part was the message saying I still had to pay the rental amount. But I was reassured: I didn’t need to worry about that and didn’t need to fear cancellation (which Don’tBookHere had threatened). They had contacted the local landlord – which turned out to be Don’tBookHere – and sorted it out.

Great, you might think, nothing to worry about. But I still had to do almost everything mentioned in those messages. So, I had to create a customer account with Don’tBookHere and check in each family member separately, including all passports. Naturally, I didn’t just send the passports; first, I blacked out various details, including the photos. Then I got feedback: we need the photo, otherwise you can’t receive the key. Since that sounded plausible, I sent them a new scan of my own passport with the photo visible. Incidentally, the man who handed me the key had a copy of my passport with the photo blacked out. And he enthusiastically asked if I was Patrick. It would have been very easy for a villain to snatch the key right in front of me.

As long as legitimate companies keep doing things that criminals also do, it remains difficult to make people aware of risks. You can’t simply say: if you see this or that, it’s always a scam. No, you have to allow for false positives: incorrect signals that something is wrong. So you have to explain: look, if you see something like this, it could be a scam, but it doesn’t have to be; ultimately, you have to decide whether you trust it or not. That sounds much less convincing and often causes uncertainty rather than truly helping.

We see the same with phishing. We say: watch out, if an email doesn’t have a personal greeting but starts with something like ‘Dear customer’ or ‘Hello!’ (or no greeting at all), then be careful. Because criminals sending phishing emails usually only have your email address and don’t know your name. But just now, I received a perfectly legitimate email in my private inbox that greeted me with ‘Dear customer.’ Are these companies just too lazy to use my name? Or does it involve high costs? I looked into it for you.

As for those costs: it depends. With a modern email system, the costs are negligible. However, if you have an old, proprietary system where personalization wasn’t built in, you need to modify the software, and that costs money. Furthermore, many companies don’t have correct data. If they send you an email with ‘Dear {customer name},’ or greet me as ‘Dear Mrs. Borsoi,’ that undermines customer trust. Cleaning up that data is laborious and therefore expensive. There are also companies that deliberately choose a generic greeting to reduce the impact if the email is intercepted (less data leakage). In that case, the generic greeting is actually a privacy measure.

And yes, there are also companies that simply can’t be bothered to greet you properly. My message to them: make an effort and help in the fight against phishing!


And in the big bad world…

 

2025-11-07

Digging holes

Image from Pixabay

"Trenchless technology," it said on the company van. That instantly had my full attention—if you advertise your business with something you don’t do, I immediately wonder: what else don’t they do? But more importantly: what do they actually do?

It was a van from VLTT, short for Van Leeuwen Trenchless Technology. A company founded in 1969 by two brothers. Their craft is drilling. They drill under roads, railways, waterways, and underground infrastructure to install pipes and conduits underground. And they do it without digging trenches. The street doesn’t need to be opened when VLTT lays a pipe.

If it were my company, I’d include something in the name about what I *do* do. Something like Van Leeuwen Drilling (VLD). Because, well, I also use a lot of trenchless technology. In fact, I hardly do anything else. Right now, I’m trenchlessly typing a blog, and when I looked at security incidents yesterday, I did dig through the available data—figuratively—but no actual digging was involved. Anyway, you get my point: tell me what you do, not what you don’t do. By the way, I think Elon Musk’s tunnel-digging company has a brilliant name: The Boring Company. Although I wonder if the employees enjoy telling people at parties that they work for a “boring” company.

In my field, we also use tunnels. These come into existence without digging, even without drilling. All you need is some math. Or more specifically: cryptography. Those tunnels are secure connections over a public network. That public network is often the internet. If you use it to connect to your company—like I’m doing now, working from home and connected to our data center via the internet—you don’t want your data traffic to be intercepted along the way. That’s what a VPN, a Virtual Private Network, is for: a cryptographic tunnel. It’s even a single-person tunnel; only you use that specific tunnel. Reminds me of that time we traveled through the U.S. in a camper. In Zion National Park, we had to go through a tunnel, but due to its round shape, the camper wouldn’t fit. Rangers stopped traffic on the other side and urged me to drive exactly along the center line. Only then would the camper fit through. But I digress.

Because only you use that tunnel, the confidentiality of the data traffic is ensured. But those tunnels can do more: during setup, it can be checked whether you’re even allowed to establish a tunnel to that destination, and whether the destination is actually legitimate. Both endpoints of the tunnel are authenticated: their identities are verified. Setting up the tunnel involves digital certificates—think of them as passports. And you need a protocol, an agreement on the “language” you speak. Examples include TLS/SSL, IPsec, and OpenVPN.
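To show what “both endpoints are authenticated” looks like in practice, here is an added Go example; it is not the blog’s code and is not tied to any particular VPN product. It creates a throwaway certificate authority, issues a server and a client certificate from it, sets up a TLS tunnel over the loopback interface that requires a client certificate, and then shows that a client arriving without one is turned away. The names (“Demo Corporate CA”, “vpn-gateway”, “vpn-user”) are constructed for the demonstration, and the P-256 key pairs behind the certificates are the asymmetric material the next paragraph is about.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// mustCert issues a certificate for cn. With parent == nil it is self-signed (our
// throwaway CA); otherwise parentKey signs it. Panicking is fine for demo material.
func mustCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo serial; real CAs use random ones
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // leaf: usable for server and client authentication, valid for loopback
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Tunnel builds a mutually authenticated TLS connection over loopback and returns the
// greeting the server sends once it has verified who the client is. With
// clientHasCert == false the client offers no certificate and must be refused.
func Tunnel(clientHasCert bool) (string, error) {
	ca, caKey := mustCert("Demo Corporate CA", true, nil, nil)
	srvCert, srvKey := mustCert("vpn-gateway", false, ca, caKey)
	cliCert, cliKey := mustCert("vpn-user", false, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	// Server: present its own certificate and demand one from the client that chains to the CA.
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		tc := c.(*tls.Conn)
		if tc.Handshake() != nil {
			return // client failed authentication: no greeting, connection closed
		}
		fmt.Fprintf(tc, "hello %s", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
	}()
	// Client: trust only the CA for the server's identity and, if it has one, present its own certificate.
	cliCfg := &tls.Config{RootCAs: pool}
	if clientHasCert {
		cliCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	buf := make([]byte, 64)
	n, err := conn.Read(buf) // under TLS 1.3 the server's refusal surfaces on this first read
	if err != nil {
		return "", err
	}
	return string(buf[:n]), nil
}
```

Tunnel(true) returns “hello vpn-user”: the client has checked that the gateway’s certificate chains to the CA it trusts, and the gateway has checked the same for the client before saying anything. Tunnel(false) returns an error, because a server configured with RequireAndVerifyClientCert never gets past the handshake. Under TLS 1.3 the client only learns of that refusal on its first read, which is why the function treats a read error the same as a failed dial.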

If you use digital certificates, you’re using so-called asymmetric cryptography. This form of cryptography is especially threatened by the quantum computer. If, in a few years, a quantum computer powerful enough emerges, it will be able to break asymmetric cryptography. Your VPN tunnel will then be compromised. Unless the protocol is made quantum-proof in time. That’s being worked on worldwide with great urgency, but organizations must take action themselves to implement everything. That takes a lot of time—probably more time than we have. So there’s urgency.

Still, that term keeps nagging at me. And what do you know? “Trenchless technology” has a Wikipedia page in six languages! My surprise was simply due to ignorance. It’s not uncommon for a field to invent a term that’s not understood outside of it. Back in the day, there were computer terminals that didn’t use a screen but a printer; they were essentially printers with a keyboard. Some fellow students called them “write-printers.” It didn’t make much sense, but we knew what they meant. And that’s what matters.


And in the big bad world…

 
