The hotel is not on fire

 

Image from Pixabay

BEEP – BEEP – BEEP. Capital letters can hardly convey the loudness of the alarm that went off as we sat eating breakfast in a hotel in Paris, our last stop on the way home. Capital letters are also too small to convey my surprise at what happened next.

That was, at first, nothing at all. People calmly continued nibbling on their croissants or sipping their coffee. I watched that for about three seconds, fascinated. Yes, I know that resignation in the office when the evacuation alarm goes off, but in a hotel I would have expected a bit more panic, or at least shocked looks; we all know the stories of burned-down hotels and their victims.

I urged my company to leave the hotel. Then, I first had to stop two family members from neatly clearing the table. Apparently, there is no button that switches from 'normal' to 'emergency' and ensures that your routine can be broken. But anyway, we could easily reach the exit of the breakfast room, simply because almost no one else wanted to do the same. While the noise of the alarm alone was enough reason to want to get out of there.

Now comes the part that I write with some shame. The way out led past the reception. From a distance the receptionist made it clear with broad arm gestures that we did not have to evacuate and that we could just continue with our breakfast. My shame lies in the fact that I turned around like a meek sheep, instead of asking how the receptionist was so sure that nothing was wrong. Of course it is possible that she knew what had triggered the alarm and that there was no reason to evacuate. The possible horror scenario was very different: there is a false alarm every now and then, so this time it will probably be nothing either. Just carry on.

That’s what they call cry wolf. If you keep shouting: "Watch out, a wolf!", while there's no such animal to be seen anywhere, then at some point people stop looking up. And if the fire alarm goes off several times a week for no apparent reason, then at some point the staff assumes that this time too, nothing is wrong. That can have fatal consequences. The funny thing is that everyone understands that - and does nothing about it.

Why did I go along with that? That is actually food for a psychologist and it is undoubtedly described extensively in hefty books, but if I may play the amateur psychologist for a moment: it must have something to do with power relations. That receptionist is a kind of an authority – she’s the face of the hotel, the one who tells you which room to sleep in and what time the breakfast room opens. And she stands behind a counter; that creates distance and underlines her authority. If someone like that says it's okay, then it is. But because of the possible horror scenario, I wish I had approached her and asked more questions.

That's how it works with computers, too. Warning messages are hardly read anyway - we know exactly where to find the click-away button. While there may well be a message among them that is more than worth reading, for example because it can make the difference between an organization that is paralyzed by ransomware and an organization that continues to work smoothly because you did take that message seriously.

Love must come from both sides here, too. If you are bombarded with all kinds of notifications, some of which are abracadabra to you, then I cannot expect you to respond appropriately in all cases. I often find less is more to be a hackneyed expression, but we might go a bit easy on those notifications, in order to give the really important ones the attention they deserve. And then I can expect you to take the time to read them and try to understand what you need to do.

Back to that hotel. At the office I know exactly the emergency exits are and I have actually used them before, but at this unknown location it did not occur to me to look for one. No, we headed for the main entrance of the hotel. But the normal route is not always the best route. It can even be a route into danger instead of away from it. I hereby promise myself to be alert to that next time. Are you in?

 

And in the big bad world…

• young people are, through their games, easy prey for criminals.
• the Russians are targeting us, again.
• the newly discovered Russian cyber unit blends its cyber efforts with physical activities.
• sextortion now comes with a photo of your house.
• it is difficult to get a grip on state spyware.
• Companies are sometimes attacked from within (more often than you think).
• there is a whole world of sentiment behind the arrest of the boss of Telegram.
• Telegram wants to improve moderation on the platform. [DUTCH]
• Dutch military is investing heavily in cyber. [DUTCH]
• security hardware can also be vulnerable. [DUTCH]

Betrayed by your phone

 

Image from Pixabay

Last Tuesday I was in the auditorium of a hotel in Venlo. Standing on the presenter’s side in a lecture hall is a bit intimidating, but after four presentations to groups of colleagues about the risks of their online existence, it fit me like a glove.

An important part of those risks has to do with your privacy. While you can use all kinds of apps for free, most apps also do something on their own: they collect data about you. And they sell that information to advertising companies, who use this information to create profiles. Your name is not necessarily linked to this: mobile devices work with an advertising ID that is linked to your device. Is your privacy well protected by this feature? Meh.

As is often the case in information security, it is all about who you are, or sometimes also what you are. Take phishing for example. This can be done in two ways: the criminals use a dragnet and are fine with whatever they catch, or they use a spear to catch exactly the one fish they want. For example, because they know that that person has access to the company's money and is therefore a good target to receive an email 'from the CEO', stating that he must immediately transfer a nice amount of money to a certain bank account. This form of phishing is called spear phishing; you now understand why.

Back to the advertising world. As we saw, profiles are created for advertising purposes, but who says those profiles can only be used for that purpose? Suppose you have a collection of profiles. You could then create a map showing all the devices in a certain area. You don't know who they belong to, you just see the advertising IDs. Then you could single out one of those IDs and turn the question around, so to speak: where has this device been? That may provide a clue of places where the device is often found. And that in turn offers the opportunity to find out where someone works and where he lives.

For most of us, that's not a threat – we're not interesting enough for that. But what if you’re a criminal and therefore the police are looking for you? By using information, which is actually intended for placing advertisements, they may be able to get close to you. Unfortunately, it also works the other way: what if you’re in law enforcement and you have to deal with criminals that also have access to that kind of information? Of course either side also needs specialized software for this. Reputable companies that could make something like this would probably only supply such a product to law enforcement. Unfortunately, organized crime is also becoming smarter and moreover, they have plenty of money to have something like that built. That could be a serious threat. In the context of personnel care, the Dutch financial crimes unit kindly requested this blog post on the matter. But of course it can also be relevant for other colleagues and for people outside our organization.

You can do something about this quite easily. The advertising ID of your device can be turned off. This makes you invisible on the map, and your device will not appear if someone asks the question: which devices are present around this office building around eight in the morning and five in the afternoon? Advertising companies such as Google and Meta will inform you that you will then see 'less relevant' advertising. So what! I brush aside the advertising for strollers as easily as I would the advertising for running shoes. And remember, if you also have your private phone in your pocket while at work, you want to kill the advertising ID on that device as well. Here is a brief description of how to do this in iOS/IpadOS and in Android. And in this video, John Oliver explains again how trading your data works. The entire video is interesting; fast forward to 10:10 if you just want to see the part about phone location.

The above tips are of course only intended for people on the right side of the law. It is advisable for criminals not to follow the tips, because that could have all kinds of unpleasant consequences.

 

And in the big bad world...

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

• America is leading the way in regulating AI. [DUTCH]
• The Netherlands is investing in its own AI language model. [DUTCH]
• Here you can read everything you need for a business case for IAM programs.
• SolarWinds CISO has been charged with fraud.
• dozens of governments have pledged never to give in to ransomware demands.
• you can read the entire statement here.
• Payment is often the easiest solution in the event of a ransomware attack.
• Government sanctions help (somewhat) against ransomware.
• a company like Boeing is undoubtedly a big fish for ransomware criminals.
• the transition to post-quantum cryptography is not at all difficult for many organizations.
• the judge has convicted an Amersfoort resident for creating and distributing a deepfake video. [DUTCH]
• a botnet is sometimes killed by others than the police.