2023-03-24

Let's play a game


Image from Pixabay

"Let's play a game." The year was 1983, I was a freshman computer science student, and the movie War Games felt like professional literature: we just had to see this movie about the hacking of the Pentagon's computer that powers US nuclear bombs.

<spoiler alert>

In the film, a young hacker avant la lettre manages to make contact with that Pentagon computer via his modem (at the time you had to push the telephone handset into the modem) – not deliberately, but simply by having his modem dial random numbers. Without meaning to, he is about to unleash a nuclear war, partly because the computer follows its pre-programmed path. The hacker frantically searches for a way to stop the computer. In the end a game of tic-tac-toe saves the day: the computer realizes that you cannot win that game, just like a nuclear war. A happy ending in the nick of time.

</spoiler alert>

A simple game was enough to teach a computer something. It is also well known that people learn well through play. It will therefore come as no surprise that games are also used to teach people about information security. We had such a game developed back in the early 1990s. It came on a 3.5 inch floppy disk in a CD case – very hip at the time. You let a character walk through a building to expose all kinds of bad practices there. I remember that when you clicked on the trash can, there turned out to be a carelessly discarded confidential document in it. The game was entertaining, graphical (albeit 2D) but above all educational.

Nowadays we also have a game to boost our employees' security awareness: the Online Security Awareness Game (OSAG). Now I haven't been a gamer for a long time, but one thing you can't ignore: this is not a game. You have to drag cards containing statements or facts to the right place on the screen. You then receive the status of National Protector. Those are the only playful elements. So, dear creators, please change the name to Online Security Awareness Program (OSAP) or something like that. Well, I had to get that out.

Apart from that, I hear quite positive things about OSAG. That may have to do with the way it is phased: first we had level bronze and a while later silver. The appearance of silver was a trigger to pay attention to your information security awareness again. You were prompted to go through a pile of questions again and test how well informed you are. Each level is also divided into a number of steps, so that you can consume the material presented to you prior to each set of questions in pleasant portions.

In level bronze you learn, for example, about the confidentiality of data, the GDPR, data leaks and information security incidents. Phishing, password hygiene and physical security are also discussed. Level silver completes the basic knowledge with topics such as incident reporting, specific GDPR topics and two-factor authentication. This includes questions such as: what does 'processing' data mean (update/save/send/delete/everything), is the example shown phishing or legitimate mail, is it bad if someone on the train can read public information from your laptop screen?

The designations 'bronze' and 'silver' suggest that there could also be a gold level. And yes, dear colleague: if you are reading this on a Friday, you will have to find something else to do over the weekend. If you read this after the weekend, you can – if all goes well – get started with level gold right away! This includes access rights, physical security and the GDPR (you can see how important privacy is to us!).

Don't you work for us? Well, your organization probably also pays attention to information security in one way or another. Look for it, or ask about it.


And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.


2023-03-17

Responsibility


Image from Pixabay

“Yes officer, this is indeed my car, but the broken rear light is really the garage's fault. They serviced the car a month ago!” Most reasonable people will understand that they can't get away with that. That car is yours and you are responsible for the proper functioning of all legally required equipment. And that's the end of it.

“Information security starts with an i, so ICT owns it!” Someone actually said that. Do you see the parallels with the previous paragraph? In both cases there is someone who either wants to bluff his way out of his responsibility, or someone who doesn't know what's going on. In either case, it's high time to get things in order.

I'm not really sure where the word 'ownership' comes from. Is it ICT jargon? Is it some kind of euphemism for 'responsibility'? Anyway, that's what it means to me: if you own something, you're responsible for it. And that responsibility – of course – also includes the security of the thing in question. There are data owners, system owners, risk owners, and yes, even our intranet has a product owner; whatever you can come up with, there will be an owner. Incidentally, ownership does not go so far as to allow you to take home the thing that you own in a business sense – you own it, but it is not your property. All very complicated.

It took years for data ownership to become well established. Everybody would dodge the issue. The word 'owner' often has a positive connotation; the word 'responsibility', on the other hand, implies a heavy burden. Especially when it comes to the kind of data we are dealing with. But it worked out in the end, and progress is still being made in the area of responsible data handling. Since last year we even have data stewards: colleagues who supervise the correct handling of data.

Back to the quote in the second paragraph. I don't know who said that, but it shows little insight into how things work. If you leave out the first part, “information security starts with an i”, which may have been meant to be funny, what remains has long been a fairly common view: the IT department is responsible for information security. And there will still be organizations that are set up that way, or – even worse – that work this way implicitly. That is worse because responsibilities are not assigned; everyone tacitly assumes that ICT is running the show. But even if it's explicitly set up that way, it's no good. Why? See the first paragraph. Just as the garage is not responsible for the correct operation of your rear light, the IT department cannot be responsible for the security of an organization's systems. ICT merely advises, executes and enforces: based on our specific knowledge, we help the business to determine the rules of the game, we implement those rules and we monitor compliance with them – on behalf of the business.

A structure like that is also likely to be encountered if you delve deeper into the organization. I work in the IT department of our organization, in a team that is accountable for the security of everything that the IT department does. It is important to understand the term 'accountable'; that is quite different from 'responsible'. The latter term is a management thing: every manager is responsible for the security of the things under his care. On the basis of our accountability, we ensure that managers fulfill their responsibilities, and we help to achieve and maintain that situation. We should all keep in mind that security is not a product, but a process. In other words, it's never finished, but it keeps getting better.

Yesterday I saw a nice little example of taking ownership and responsibility. I was standing in a crowded train when two men gave up their seats. They worked for the railroad company, and apparently company rules state that paying travelers have more right to a seat than staff. They might have thought: no one knows that we work for the railroad company, we'll stay put. But they didn't. It was 'their' train, but also (at that time) their responsibility to accommodate travelers. Neat, gentlemen!


And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

2023-03-10

Bridges, songs and car keys


The new bridge - Image from Pixabay

Once upon a time there was a bridge, a suspension bridge to be precise. It was 1.6 km (1 mi) long, making it at that time – the year was 1940 – the third longest suspension bridge in the world. But this proud bridge did not live for more than four months. The wind picked up, the bridge began to sway, and it collapsed.

I'm talking about the Tacoma Narrows Bridge in Washington State. The physical phenomenon that led to the collapse of this bridge is called resonance. In short, this means that an object that is exposed to vibrations amplifies those vibrations by itself. You know this from rattles in the car, but playing on the swings is also a form of resonance. The wind was blowing in Tacoma at the time, and the wind happened to hit the bridge at its natural frequency (put in layman's terms, this is a frequency at which an object feels comfortable and happily joins in: it resonates). This caused the bridge to move along with the wind; eventually the materials could not handle that much movement and the bridge collapsed. See Wikipedia for more information and the famous video of the collapse.

Bridges aren't the only things that can break due to resonance. Last year there was a news story about computers mysteriously crashing. The ingredients of that story seem to have sprung from fantasy, but the people who saw that bridge collapse couldn't believe their eyes either. Those fantastic ingredients are an old type of hard disk and Janet Jackson's hit song Rhythm Nation from 1989. All sound – and therefore also music – consists of vibrations that propagate through a medium. When I talk to you, my vocal cords vibrate the air (the medium), and your eardrums pick up that vibration. And well, the sound of Rhythm Nation contains exactly the natural frequency of that particular type of hard disk. The hard drive then resonates and destroys itself. The computer in which the hard disk is located also stops working.

As a result, the music video in question has been officially declared a cybersecurity exploit. An exploit is a way for an attacker to make use of a vulnerability in a system. The vulnerability here is the sensitivity to resonance; the exploit is playing Rhythm Nation. And that doesn't even have to be on the same laptop: other nearby laptops can also die as a result. It is not very likely that someone will attack your computer in this way. As mentioned, these are old types of hard disks (5400 rpm), and the computers you use most likely no longer even contain a hard disk but an SSD (and for the sake of convenience we continue to call this storage without moving parts a hard disk).

So much for the lists of standard threats you use in a risk analysis. Both cases have in common that the danger came from an unexpected quarter. Well, that bridge: one might have been able to calculate that, at least with today's knowledge. But a song by Janet Jackson crashing a hard drive, you just don't make that up. And I can hardly – hardly – imagine an attacker ever looking for such a method to destroy a computer.

However, research is being done into how information can be extracted from so-called air gapped computers. An air gapped computer is one that is not connected to a network. The air gap can also apply to a network: then there is a network, but it in turn is not connected to other networks that are considered unsafe. In this way a situation is created in which the data is safe in its own environment. But there are smart people who are looking for ways to extract information from such systems anyway. For example, I remember an attack from some time ago involving the blinking of the network card's LED. A classic attack is eavesdropping on the electromagnetic radiation emitted by all electronic circuits. Measures against this fall under the ominous heading TEMPEST.

Such attacks typically target high value assets. As an ordinary private person you don't have to worry about them. Closer to home, what you could have to deal with is car theft. Thieves eavesdrop on the signal from your modern car key – the kind you don't have to put in the lock to unlock and start your car. That's why I've been keeping my car keys in a closed tin at home for years. That works like a Faraday cage: a construction that blocks electromagnetic radiation. However, if I am sitting on a terrace, my key can still be tapped and the signal 'extended' to my car with certain equipment. Special key cases are sold that also promise to work like a Faraday cage. But then of course you still have to take the key out of the case to open and start the car yourself. Choose what is more important to you: security or ease of use. I'm not going to buy such a case. How many crooks with such equipment are there, anyway?


And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.


2023-02-24

Criminal data trade


Image from Pixabay

I can't stand injustice. That feeling is reinforced if financial gain is the motive for the injustice, and if it deliberately targets people who are particularly vulnerable to it. Because I don't work in law enforcement, my means of doing something about it are limited. At least my keyboard allows me to write about it, in the hope that it will save some people from harm.

Recently I heard the story of an elderly couple who had gone to the bank with their son to arrange a power of attorney. That took place in a building of concrete and steel, sitting opposite a bank employee. A day or so later, the old gentleman received a call from someone at the bank, and the caller referred to his visit to the bank branch with his son. Something was wrong with their bank cards; someone from the bank would come and pick them up. They already had those people's address, of course. “I should cut up the cards, right?” “No no, that would make them useless to the police. Just put them in an envelope from the bank. And give us the PIN code so we can check it.”

Because the story seemed so plausible with all the information the criminals had, the man believed it and gave his PIN. But he did see a tiny red flag when he was told not to cut up the cards. On a different phone he called his son, who was supposedly talking to another bank employee. However, the son knew nothing about it, and also immediately realized that it was not right. He urged his father not to hand over the cards and to keep the door tightly closed. In addition, the police were called.

As mentioned, the son was called on another phone; the receiver of the first phone was still on the table, so the criminal probably overheard the other call. The police therefore found nothing suspicious in the neighborhood where these people live. They told the people that such criminals are usually close by when they call – then they can strike before the victim changes his mind. Because no actual transfer had taken place, the police were done. A few days later the police called again, but that was by accident: they actually wanted to speak to other people, with whom the criminals had unfortunately succeeded.

Of course our near-victims had their cards blocked and replaced with new ones. Because otherwise, imagine that they had been pickpocketed in the supermarket the next day – the criminals could still have plundered their bank account; after all, they knew the PINs. Of course, the new cards also have new PINs (otherwise the same problem persists). It is also wise not to leave more money in your current account than is necessary to pay the bills and groceries for that month. Money that is in the savings account cannot be withdrawn from an ATM – not even by a bank card thief (disclaimer: that's how it works in the Netherlands; I don't know if this is true elsewhere in the world). Unfortunately, for many elderly people who do not have a computer or smartphone, this is easier said than done: we youngsters easily move money from our current account to the corresponding savings account and back. It was therefore a sensible choice of the above elderly people to enlist their son for their banking affairs.

Information is worth a lot of money. If you know that someone has been to a certain place at a certain time, and you know where to sell that kind of information, it can make you some nice pocket money. You just have to be in a place where you can access the requested information. Or… you make sure that you end up in such a place yourself. Or even better: a criminal organization places you as a pawn in an organization. That's called infiltration. The more valuable the information, the more attractive it is to have a chap in the right places. Such people are even largely self-sufficient – after all, they earn a salary. I hope that the bank from this story will be able to expose the mole.

The more convincing a lie is, and the more pieces of the puzzle fit together, the sooner we fall for it. I'm gullible by nature (because I want to be positive so badly), but professionally I'm suspicious. This creates some interesting – and sometimes annoying – tension. I must keep my suspicion active without losing my faith in the good. You can help me with that by sharing stories like the above with people around you, especially with those who are vulnerable. Let them learn from other people's experiences and thus considerably narrow the criminals' playing field. Whether you tell the story yourself or send a link to this blog, I don't really care. But please do share.

There will be no Security (b)log next week.


And in the big bad world…


2023-02-17

Tiktoking civil servants


Image from tweedekamer.nl

While we are dealing with a nationwide network outage, strangely enough the sound of the internet radio can still be heard from my speakers. In the news bulletin I hear the following item: the House of Representatives no longer allows civil servants to use TikTok on their work phone.

Let this sink in for a moment (I'm still processing it). Parliament feels the need to express its concern about what civil servants do on their telephones. Apparently there are some civil servants who have TikTok on their phones. Why???

For those readers who don't have kids of TikTok age, I'll briefly explain what that is. TikTok is an app in the social media category, intended for making short videos – we're talking seconds – and of course sharing them. There is often dancing, singing and lip-syncing. The latter then produces, for example, a video of a teenage girl saying something stupid in the voice of Donald Trump. That kind of thing.

I copied the previous paragraph from the Security (b)log of July 24, 2020. At that time there was already (international) hassle around TikTok and in the Netherlands the Dutch Data Protection Authority investigated the privacy aspects of the app. Exactly one year later, the DPA fined TikTok 750,000 euros for violating the privacy of young children. At the time, I already advised not to use TikTok on your business phone.

Now back to my question: why are there civil servants who have TikTok on their government phone? Okay, somewhere in the civil service there will probably be a position where the use of such an app is plausible. Maybe somewhere in communication, because there they have to constantly think about how to reach their target groups. A police officer tiktoking about the importance of decent bicycle lighting might be a good one. But even then, the House of Representatives is right: don't do that on your regular work phone. Because of China.

TikTok is a Chinese product. And we know for sure that that country loves espionage (with or without a balloon). Now – just like a little less than three years ago – people are afraid that China will collect information from our phones via TikTok. TikTok recently amended its privacy statement: they feel that TikTok employees in China, among others, should have access to data from European users. But our privacy legislation, the GDPR, takes a completely different view: personal data of Europeans should remain in Europe, unless it has been established that another country handles it just as neatly as we do. Such a statement regarding China is expected to be issued around the day when pigs fly. Yet TikTok's privacy statement simply states that employees in certain countries also have access to your data without such an adequacy decision.

Espionage is serious business. The subject is discussed in detail in the Cyber Security Assessment Netherlands 2022. Some quotes: “Cyber attacks by state actors are the new normal”; “State actors can use the following digital means to this end: (…) Espionage, including economic or political espionage”; “The Netherlands is the target of an offensive cyber program from countries such as Russia and China”; “The Chinese digital espionage actor APT31 has carried out widespread and long-term attacks on political targets in Europe and North America. There were also targets of attacks and reconnaissance activities by this actor in the Netherlands.” The intelligence services define state threats as follows: “Coercive, subversive, misleading or covert activities by or on behalf of state actors, below the threshold of armed conflict, which can harm the national security interests of the Netherlands through a combination of the goals pursued, the means used and the effects.” A state actor is simply a country that does those kinds of things.

So, dear colleagues: if you like TikTok, do your thing. But not with the boss's stuff. Now you may be thinking: well, I don't have any important or confidential information on my phone, this isn't about me. Think again. Your contacts alone can be interesting, and so can the network you form with them. Spies are puzzlers: they get a few puzzle pieces from you and the rest from others. With all those pieces together, they eventually manage to assemble an interesting picture.

A colleague told me that his daughter does not mind that the Chinese are watching: "Extra fans." That's one way to look at it. As a citizen. As a civil servant, you have other responsibilities.


And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English. 

2023-02-10

Bus drivers on strike


Image from Pixabay

Hilversum was where I had to be last Monday. As befits a good civil servant, I prefer to travel by public transport. Regional transport was on strike this week, but the trains were running normally, it was emphatically stated. Nice. The strike shouldn't have bothered me. It turned out differently.

When I travel by train, I always take the city bus to the station. I am a man of definitions; for me, regional transport is transport between places, and city buses run in the city – and therefore not in the region. But because I also understand that drivers who work for a carrier that serves both the region and the city are not exclusively city bus or regional bus drivers, I had my wife take me to the station a few weeks ago, when they also went on strike. That turned out not to be necessary: the city buses ran on schedule. My definitions were correct.

So they would also run last Monday, I assumed. At one point at the bus stop, a girl asked me: “Are you going to the station?” I glanced at my watch and replied, “I don't think so.” She consoled me by telling me that line 231 would arrive in six minutes. However, that would be too late to catch my train, and moreover, line 231 is a regional bus…

I had to come up with an alternative. At the Mediapark in Hilversum, students of Make IT Work (a retraining program of the Amsterdam University of Applied Sciences) would soon be expecting me to give a guest lecture; I had to be on time. I weighed my options. I wouldn't make it to the station in time by bike; with the car I still had a chance. With big but careful steps – it was freezing – I returned home, texting my wife what my plan was, so that she wouldn't be shocked when the car suddenly disappeared. She was willing to drop me off too, but then I might have a problem on the way back. I got in and drove off. Traffic lights that usually show me their red light were favorable to me for once.

On the way, I pondered my parking options. There are two ways to go in the parking lot at the station: to the left and to the right. Turning left leads to the entrance of the station; turning right leads away from it. Turning right, the chance of a free space is therefore considerably greater – after all, everyone wants to be at the front. But if you park there, you have to walk further. If you turn left and don't find a spot there, you still have to go to the other side, and that means extra time lost. I took a gamble and turned left. My courage was rewarded: there was exactly one free spot, near the entrance. Moreover, it was a spot that overlooked the busy road past the parking lot, which I liked very much, because a few decades ago my car was broken into in that parking lot and the radio was stolen (by the way, thanks to an attentive witness, the crooks were caught and I got my radio back). Satisfied, I walked into the station. I reached the platform at the same time as my train, and I arrived at my destination in plenty of time. Incidentally, it would not have been disastrous if I had missed this train: my itinerary had a margin, and the next train would also have delivered me on time.

It probably takes a fair amount of professional deformation (déformation professionnelle) to relate the above to my profession. Since I have quite a lot of that, my adventures from that morning became part of my lecture, the subject of which was risk analysis. If you look at the above account through that lens, you realize that risk analyses are not limited to your work as an information security officer: they do not just take place when your agenda states that you have to do a risk analysis on that day and at that time, and they do not always require a complicated, formal method. Risk analyses are carried out in daily life – usually unconsciously, but it happens all the time. You do it too.

Let me explain. My initial decision to take the bus was based on historical data (during the previous strike the city buses did run), from which I deduced that the chances of a running bus were favorable. The decision not to take the bicycle but the car was based on the likelihood of catching my train that way. The fact that I didn't run home but – despite my haste – just walked had to do with the risk of slipping. Even the text to my wife was driven by risk management. Left or right in the parking lot: OK, I admit, that was an irrational guess. But hey, I'm just a human who hopes for the occasional windfall. In risk analyses, the expected consequences of wrong choices also play a role, according to the old formula: Risk = Likelihood x Severity. With all the choices I made that morning, the possibility of missing my train hung over me like the sword of Damocles.

Think of me the next time you have to make decisions. Who knows, it might help you make well-founded choices.


And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.


2023-02-03

Vicious circle


Image from Unsplash

A reader had ended up in a vicious circle and shared his story with me, with the opening sentence: “Maybe I have a nice input for your blog.” Well, he was right. His experiences are instructive and can prevent other readers from ending up in the same situation.

Colleague Mark de Wals's iPhone was broken. That in itself was annoying enough, but for Mark it was only the beginning of a vortex that he struggled to get out of. Oddly enough, that vortex was partly caused by two excellent security measures that Mark had taken: he used a password manager and he applied two-factor authentication (2FA, also known as MFA, with M for multi). How can these measures, which I wholeheartedly recommend to everyone, get you into trouble? And, more importantly: how do you stay out of trouble? Read on, but above all: learn from it.

Mark wanted his iPhone repaired (it wasn't completely dead, by the way). Before handing over the device, he performed a reset. This ensures that all data, including all accounts, is erased – it is then as if the device came fresh from the factory. It's nice to know for sure that the repairman can't poke around in your data, isn't it? The downside is of course that you have to set up the device again after the repair. Many people don't like that; for many, this is the main reason for postponing the purchase of a new device until the old one can no longer be used. But since the repairman will often need access to the device, you can hardly avoid such a reset.

When the device came back, Mark sat down to set it up. One of the first things the iPhone asked for was his Apple ID password (“Your Apple ID is the account that gives you access to all Apple services and allows all your devices to work together seamlessly.”) That password was in Mark's password manager – which was not yet accessible because the device had not yet been set up. But don't worry: thanks to the cloud, the password vault could also be accessed via his laptop.

Mark typed in his password, to which the iPhone responded with: fine, and now you have to approve this login in your 2FA app. Ouch, that app was also on the iPhone – and therefore inaccessible! Voilà, a textbook example of a vicious circle: you need that app to get the device going, but the app runs on the same device.

Eventually Mark requested a reset from Apple. That involved an email and a text message. Fortunately, Mark was still able to receive and read the code from the text message. For security reasons, Apple lets a few days pass if you request a reset from them. Those were two scary days, but then Mark received an email and a text message with verification codes. With those he was able to access his account again.

Mark has a few tips for us. The first one concerns the fact that he does not use a physical SIM card in this device, but an eSIM – which stands for embedded SIM and means that the card is built into the device. Your provider therefore does not send a SIM card, but uses the eSIM. What if you need to receive a text message with a verification code, but you can't access your phone? With a physical SIM card, you simply put it into another device and read the message there, but that is not possible with an eSIM. If the SIM is secured with a PIN code, you will not see the received code on the lock screen as long as you are not logged in. Mark had turned off that PIN code, since the device itself is protected and you cannot remove the eSIM from the device anyway.

The next tip is the most important: make sure you keep your most important passwords somewhere you can always access them. Mark's password manager (LastPass) offers the possibility to share passwords with others. Through this option, he can always retrieve the passwords of his email and his Apple ID. And if another family member also has an Apple ID, you can authorize each other to help reset your passwords.

Android also works with email addresses and phone numbers for account recovery. For this you need a different e-mail address than the address that is linked to the account. But be careful not to use an address that only forwards incoming mail to your primary account – after all, you cannot access that in such a situation.

Mark's experiences teach us that it is important to take measures in advance to be able to escape from such a situation. Check this weekend whether you have your affairs in order.


And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English. 
