Showing posts with label cloud. Show all posts

2023-09-29

Creative solutions

 

Image from Pixabay

Professor Barnabas was kind enough to lend me his time machine. I take you back to the 1990s and we land at the Walterbos campus in Apeldoorn, the Netherlands, at the time the only location in this city where we had an office. The two high-rise buildings were not yet there, nor were the underground passages – if you wanted to get from one building to the other, you had to go outside.

The company restaurant, which at the time we simply called the canteen, was located where tower H now stands, next to building G. The canteen had a tiled floor and a wooden ceiling; the laths were half an inch apart and above them was black cloth. At a certain point, that ceiling was replaced by a smooth, closed ceiling. It looked fresh, but had an unpleasant side effect: the acoustics of the canteen had deteriorated enormously. In the old situation, the sound was partly absorbed by the open ceiling; now everything was reflected. The canteen had become very noisy and that was certainly not pleasant.

A while later the floor was fitted with carpet tiles. I don't actually know whether that was an acoustic measure or whether this adjustment was planned anyway, but I always suspected that this was intended to compensate for the damage caused. The problem, which was caused by the adjustment of the ceiling, was solved on the floor. And it worked. But how well thought-out are carpet tiles in a canteen? Spilled tomato soup on a tiled floor is no problem. It becomes an ugly stain on carpet.

Back to the recent past. Last summer it was very hot, on occasion. So hot that the equipment in a technical room on our floor had a hard time. Such areas are equipped with additional access security – only authorized personnel can enter. But because melting equipment was not such a good idea, they had a mobile air conditioner brought in and placed in the doorway. The warm air from the technical room was blown into the office space. Problem solved. Or was it?

Followers of outside-the-box thinking may love those carpet tiles and the air conditioner. I personally tend more to solve problems where they arise. Poor acoustics due to a closed ceiling? Do something about the ceiling. Overheated technical room? Provide cooling inside that room. Especially if an outside-the-box solution has unpleasant side effects, such as a stained floor in the canteen. Or how about compromising the security of a technical room, in combination with heating up an office space which already was quite hot?

If the ideal solution is not quickly available, I understand why an alternative is chosen. But if you introduce new risks, you must take compensatory measures. Once upon a time, at that old Walterbos campus, summer also got just too hot. Then the doors of the computer center were opened, and a security guard was stationed at each door. No one was sitting at the open door on our floor. The irony of this happening where the security team is located...

Sometimes you cannot avoid solving problems somewhere other than at the source. Suppose your organization wants to put data in the cloud. But because that is someone else's computer, you see unauthorized access to your data as a risk, partly due to the fine American legislation and the fact that you almost by definition do business with the US when you go to the cloud (remember, this blog post comes to you from Europe). Then you can only do one thing: protect your data in such a way that it is of no use to anyone who gets their hands on it. Encrypt your data, and do so in such a way that no one except your organization has the key. If the cloud supplier does not have the key, he cannot hand it over, no matter how angry a government or law enforcement agency becomes.

Managing your key yourself makes things a lot more complex, and you also get less value for your money: because the cloud supplier cannot read the data, they cannot provide certain functionality (think of all kinds of statistics that would be quite interesting to your organization). If you do it all yourself and get fewer functions, that will make a difference in the price, I hear you think. That's right, but in exactly the wrong direction: it will become alarmingly more expensive, as we experienced in a recent tender.
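The approach described above, sketched as an added example (not code from this blog or from any cloud supplier): records are encrypted with AES-256-GCM before upload under a key that stays with the organization, so the supplier's copy is unreadable and statistics have to be computed on the organization's side. `orgKey`, `cloudStore` and the invoice records are constructed stand-ins.

```javascript
const nodeCrypto = require("node:crypto");

// Assumption: the key is generated and kept on the organization's own systems
// (for example in an on-premises HSM); here it is simply a random 256-bit value.
const orgKey = nodeCrypto.randomBytes(32);

// Encrypt one record before it leaves the organization.
// The record id is bound as associated data so blobs cannot be swapped around.
function sealRecord(key, id, record) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every record
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(id));
  const body = Buffer.concat([cipher.update(JSON.stringify(record), "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString("base64");
}

// Decrypt and authenticate a blob; throws if the key, the id or the blob is wrong.
function openRecord(key, id, blob) {
  const raw = Buffer.from(blob, "base64");
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(id));
  decipher.setAuthTag(raw.subarray(12, 28));
  const plain = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return JSON.parse(plain.toString("utf8"));
}

// Hypothetical stand-in for the supplier's storage: it holds blobs, never the key.
const cloudStore = new Map();

// Constructed sample data.
const invoices = [
  { id: "inv-1", customer: "A", amount: 120 },
  { id: "inv-2", customer: "B", amount: 80 },
];
for (const inv of invoices) cloudStore.set(inv.id, sealRecord(orgKey, inv.id, inv));

// What the supplier, or anyone handed its copy, can derive: object count, no content.
function supplierView(store) {
  const blobs = [...store.values()];
  const readable = blobs.filter((b) => Buffer.from(b, "base64").toString("latin1").includes("amount"));
  return { objects: blobs.length, readable: readable.length };
}

// Statistics have to be computed by the key holder, after decryption.
function totalAmount(key, store) {
  let sum = 0;
  for (const [id, blob] of store) sum += openRecord(key, id, blob).amount;
  return sum;
}

// A wrong key or a blob filed under another id fails authentication.
function canOpen(key, id, blob) {
  try { openRecord(key, id, blob); return true; } catch { return false; }
}
```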

There may be no or fewer Security (b)logs appearing in the coming weeks due to a conference and days off/holiday.

And in the big bad world...

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

 

 

2023-01-27

Scattered clouds

 

Image from Pixabay

Just when I had pretty much accepted that the statement “the cloud is someone else's computer” is very boomerish, an important cloud service collapsed on Wednesday: Outlook, Teams and other Microsoft services no longer worked. What is it with that cloud?

In 2016 I gave a presentation entitled The cloud is not a light cloud dessert (‘cloud dessert’ is a straightforward translation of the Dutch ‘wolkentoetje’, which is a fluffy dessert here in the Netherlands). The title slide featured a photo of Captain Kirk from the science fiction series Star Trek, followed by that series' intro. I slightly modified the epic words spoken in the intro in my subtitles:

Cloud: the final frontier

These are the storages of the computing enterprise

Its never-ending mission

To explore strange new servers

To seek out new privacy and new legislations

To boldly go where no byte has gone before.

See, that cloud is someone else's computer, that's just a fact. It simply means that you do not use your own equipment, but – depending on the chosen model – you use the infrastructure, a development platform or a complete application for end users of your cloud supplier. As a private person you are mainly familiar with the latter variant; chances are that the photos you take with your phone are stored in the Apple or Google cloud – and not on the phone itself. Your Word and Excel files are no longer on your laptop, but in the Microsoft cloud. LinkedIn, WhatsApp, Twitter, Zoom, Teams, Netflix: all of them are cloud services.

Why do companies use the cloud? Suppose you have a company that receives an enormous number of customers once or a few times a year, much more than in the rest of the year. Think, for example, of online shops around the holidays, the tax authorities during the period when everyone files a tax return or a ticket seller for a world star concert. You must have experienced that such a site told you: sorry, currently too busy, please try again later. That situation is more likely to occur in organizations that have all the equipment under their own management, in their own data center. They have a limited number of servers and limited storage and network capacity there. To avoid this, such a company would have to oversize its data center. A lot of equipment is then just sitting there for a large part of the year.

The tempting thing about the cloud is that you purchase their services as needed, and that you can scale up and down quickly. The cloud is elastic, as they say. Cloud providers have huge data centers, with which they serve many customers from all over the world. Because they are so large, and not all customers peak at the same time, they can distribute their enormous capacity among all those customers. If one asks for more, it will not be at the expense of another customer. In addition to this flexibility, the cloud has another important advantage: you do not have to maintain and secure everything yourself. Moreover, for many organizations, a cloud supplier can do this much better than they could do themselves.

But then something like last week happens. Azure, Microsoft's cloud service, had an outage that affected users worldwide. That is quite exceptional, because the major cloud suppliers have built data centers all over the world, which also work as each other's backup. But in this case there was a network problem, which also affected the link between those data centers. If something like this happens in your own data center, only your customers will be affected. Many companies with their own data center are more likely to have disruptions affecting their customers than companies that live in the cloud, because of the elasticity and flexibility of the cloud. But the number of affected customers is much smaller: only the customers of that company are affected. A comparison forces itself upon us: flying is much safer than driving a car, but if an airplane crashes, there are often many casualties.

In my Star Trek intro I mentioned 'strange new servers'. The word ‘strange’ has multiple meanings. But 'unknown' in particular applies here: the cloud is a black box for us into which we put things, hoping that we will also get something out of it when we need it. If it fails to do so, you are just as powerless as if you were on a stranded train. It's just a matter of how comfortable you feel about that.

 

Solution

Last week I challenged you to discover which parts of the blog were written by me and which by ChatGPT. You can find the solution here.

 

And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

2022-10-21

Parking in the cloud

 

Photo by author

It’s there in the distance: the car of the colleague who would take us away. You are looking through a crack in the closed steel gate of the parking garage of the International Criminal Tribunal for the former Yugoslavia in The Hague.

Let’s rewind 14 hours. That's when the two-day ONE Conference started in the World Forum, where nearly two thousand information security professionals from the Netherlands and abroad gathered to catch up on their field of expertise. Our team was also present with a delegation and because we were staying overnight in The Hague, we went to a Chinese restaurant together. After an excellent meal we wanted to take the tram or bus to our hotel, but that one colleague, who lives nearby and had come by car, offered to drive us. Arriving at the parking garage (at 10:42 pm) his car seemed impossible to find at first, but after some time searching – and slight doubts about the parking memory of our colleague – we came to that steel gate where we saw it. Unreachable.

The doorman of the associated hotel was kind enough to walk with us. "Ah, I see. You are in the garage of the Tribunal." The garage is used by hotel guests, conference attendees and also by employees of the Tribunal. In the morning, our unfortunate colleague was waved into exactly that part by a traffic controller. The gate in question was then open and there was no indication that this was a special part of the garage. The traffic controller might not have known that the gate would be locked at night, or he might not have expected a conference attendee to pick up his car this late. Via the intercom at the barrier, the doorman contacted the security guard of the Tribunal. His card, with which he could open the gate, was missing. Finally we were able to leave the garage at 11:16 pm. And so by attending an information security conference, you can get caught up in physical security measures. I couldn't have made this up. But I really need to talk about the conference.

The war in Ukraine was a fairly prominent topic there. This is the first real war to be fought not only on land, at sea and in the air, but also in “cyber”, as it is called in military circles. From day one they started to attack each other not only physically but also digitally, and probably earlier as well. One of the speakers, Cristin Flynn Goodwin of Microsoft, told us that a fight against a state actor in your own data center can be compared to a hand-to-hand combat: arduous and bloody. Countries that attack you digitally are preying on the ideas and information governments need to make decisions about important current affairs, Goodwin said. In doing so, they mainly target think tanks, non-governmental organizations (NGOs), diplomats, policy advisors and academics.

Goodwin's point was that as an organization you cannot cope with all that digital violence on your own. It is therefore much better to store your data in the cloud, where you enjoy the protection of a large service provider (where it would have been nicer not just to mention her own company). The idea is that these large cloud suppliers have every conceivable means to optimally protect your crown jewels.

By nature, a country wants to keep its crown jewels close by, on its own territory. Furthermore, the GDPR prescribes that personal data of EU citizens must be stored in Europe (under certain conditions it may also be stored elsewhere). But, Goodwin argued, that's not always wise. She said that Ukraine has stored important parts of its national ICT completely outside its own borders. Other countries should also prepare for such a scenario, and test it. That sounds pretty scary, but I can imagine that it is one less headache for Ukraine. At least, as long as the connections to that distant cloud last.

The Dutch government recently adopted a new policy with regard to the public cloud. It switched from “no, unless” to “yes, provided that”. My biggest concern is the availability of the data. Having your own data center simply gives you a sense of tangibility, of being able to hold onto the data when the going gets tough. But if you think about it, that doesn't make sense. One cruise missile, one ransomware attack and your data is gone. And yet there is an extra dimension to that cloud: what if your country gets into a fight with the country of the cloud supplier?

If your car is parked in your own driveway, you can always reach it. If it is in a parking garage, the manager of that garage will determine whether you can leave. Even external factors can play a role: years ago a Ferris wheel on the Apeldoorn Market Square turned out to be so heavy that the city feared that the parking garage under the square would not be able to bear its weight. People who had parked their cars there could only get back to their cars after the Ferris wheel had been taken down. I see difficult choices coming our way.

 


 

 

2022-07-15

Do you lock the front door?

 

Image from Pixabay

“Well, I thought it was password protected.” That’s how a colleague reacted when it was pointed out to him that his team not only had information in a questionable place, but that the information was also unprotected. And there were quite interesting things to read.

That dubious place was a cloud service. And it appears that a private account has been used for that service. All this left me completely flabbergasted. Let me explain why I feel so strongly about this.

To start with, the use of that cloud service. Is it really too much to expect our ICT specialists to know this simple rule: no cloud, unless? And that 'unless' is rather limited? Yes, change is coming, and a cloud service can be very useful, but that doesn't mean you can go into the cloud on your own.

“Ah, haven't we bought this service? No problem, we can use my private account!” Why didn't anyone on that team shout out: “You can’t be serious about that, can you?” Why was the person who suggested this idea not immediately and indignantly called to order? I'll explain it as simply as possible: use the boss's stuff for work (with some specific exceptions). If the boss doesn't offer what you need, you can ask if it can be bought, but you don't bring anything from home.

And then there was also information that cannot bear the light of day. Fortunately, it wasn’t business information, but nonetheless things that certain people know how to deal with, at the expense of our information security.

But the goofiest thing that I heard was this: "Well, I thought it was password protected." You should not think it, you should know it. Security doesn't happen by itself, folks. You have to do something about it. Not only in bad situations, as above, but also in normal situations.

Some people don't lock their front door when they go to run an errand. If you have a rather poor lock on your door, burglars will be inside within 1 to 2.5 minutes. They’ll happily do that in broad daylight. A good lock (three SKG stars in the Netherlands) extends this time to 3-5 minutes, which is apparently long enough to deter crooks. But even if you don't lock the door, at least you close it. And if you're not sure whether you've done that, you turn around and check. In the digital world, we use passwords, among other things, to protect our digital content. If you're not sure if you've protected access to a system, check it. Rather than thinking: I’ll just be fine.

Do you think this story is about you? That doesn't mean it actually is. There have been cases where someone thought the Security (b)log was about him, while it was based on a different (but almost identical) case. Moreover, this is a blog, in which I can take the liberty of adding to stories, romanticizing them or even making them up completely – although I rarely do the latter.

If the shoe fits, wear it.

 


 

Champions

Photo by author   I love this traffic sign. In other European countries, the warning for playing children is a neat triangle, just like all ...