2023-04-21

On the backside


Image from Pixabay

Alarm! Nine viruses were found on a user's laptop! The virus scanner actually had too little information about a few of those infected files, but about several others it reported: we have already seen this file with hundreds of customers and we are pretty sure that the file is unreliable. Fortunately, the scanner has quarantined the files and they can no longer do any harm. The fire was extinguished before it could really break out.

We usually do not lose sleep over these types of reports; we see them dozens of times a week and they are neatly handled automatically. Exactly as a virus scanner should do. 'Virus scanner' is a somewhat old-fashioned name, which I only use here because it is commonplace. 'Malware scanner' is already better, because the term encompasses more than just viruses: malware is the contraction of 'malicious' and 'software'. In addition to computer viruses, the term malware also includes keyloggers (which secretly record your keystrokes), spyware (collects information about you), and backdoors (allow a hacker to illegally access your system), to name a few. Vendors nowadays like to talk about an 'endpoint protection platform' and by that they mean the protection of all end-user equipment in an organization – not just laptops, but also tablets, smartphones and printers, for example. The computer industry likes old wine in new bottles.

Anyway, for one reason or another, those nine reports caught the attention of a colleague, who decided to call the user in question. The reports implied that the infected files were on a USB device, but the user claimed, hand on heart, that he did not have a USB stick in his laptop. After some further questioning, it turned out that he had connected the laptop to a screen at home via a KVM switch (Keyboard, Video, Mouse: a switch that lets you connect several computers to one screen, keyboard and mouse, and easily switch between them). But there was no USB stick in that KVM switch either. Finally, after some research, it turned out that the screen itself also had a USB port, and there the virus-infested USB stick was sitting.

The incident nicely illustrates that the truth is not always on the surface. If you were to rely solely on the information provided by the scanner, you would conclude that there is a USB stick with infected files in the laptop. And if the user says that's not true, you don't believe him. Whereas in this case the user was in good faith and patiently cooperated to assist my tenacious colleague. Unfortunately, we don't know how that infected USB stick got into the monitor.

There is one other thing that needs attention here. There are quite a few devices that have USB ports. Traditionally we know them from computers, but screens can also be equipped with them, and our TV, which is connected to the Wi-Fi network, also has a few. On these types of devices, the ports are usually located at the back and are therefore out of sight. This offers opportunities for people with less honourable intentions: in an unguarded moment they can simply insert a USB stick that contains software that you would rather not have at home. Now the employee in question was not authorized to use USB sticks, but the USB stick was still seen by Windows.

It calls for vigilance. Do you always know exactly where you connect your laptop? And what's behind that, and what's on the backside? What do your housemates do with equipment that you also use for work? It can do no harm to make them aware that USB sticks can contain malicious files and that they should always be scanned before opening the files. This is not only in the interest of you and your housemates as private users, but also in the interest of your employers in the case of shared use of equipment. Everyone in the house should take that into account.

There will be no Security (b)log next week.


And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.


2023-04-14

A year without internet


Image from Pixabay

It was a pleasant spring day, that April 14, 2022. Sunny, light wind, twenty degrees (68 °F). But the day started foggy. Not only from a meteorological point of view, also digitally. At 7:53 am the internet started to malfunction. An hour later all screens were black. Worldwide. That was a year ago. The internet is still broken, despite all the smart cyberheads who have weighed in on this. We've been thrown back, cyber-wise, to the floppy era.

Could such a horror scenario ever materialize? At the risk of the wish being father to the thought: I don't think so. After all, the internet is designed to survive the failure of part of the network. It has no all-important component that, if it fails, shuts down the entire Internet. The design has a military background, where availability was of the utmost importance, and this mechanism is of course also very useful in civilian society. Despite the improbable nature of this figment of my imagination, I would like to pretend that the first paragraph actually happened for the duration of this blog. In terms of information security, you could say dryly that there is an availability problem. That's nice, but that observation won't help you much if you can't pull out a recovery plan that lives up to its title.

I try to comprehend what the prolonged absence of the internet would mean. Let me take a look at myself first. For starters, I wouldn't be sitting at my desk at home right now, but in the office. Five days a week. Because working from home without internet is not possible. Well, of course I could write a blog or a memo, save it on my laptop and put it on the intranet at the office (sorry external readers, no blog for you). But that online meeting that I had this morning, that really couldn't have been done. I would have cycled to the office through the cold spring sun. Speaking of cold: without the internet I really wouldn't have known what the weather was like a year ago, and I couldn't have started this blog with the weather report from then.

It's fifteen minutes by bike for me and I find my office blindly, but suppose I had to go to an unknown destination. Would my navigation have worked? Yes and no. GPS is separate from the internet; it comprises a bunch of satellites in orbit and an antenna in my navigation device that picks up the signal from those satellites. So I know where I am and which way I'm going. However, without internet I have no current maps. If I'm lucky, the necessary maps will be in the system. If not, I have to provide the coordinates to tell the system where I want to go. But how do I find out? And I miss up-to-date traffic information anyway, so I may end up in a big traffic jam and arrive too late at my destination.

Well, I still have some old paper road maps lying around somewhere and the signposts haven't been abolished yet either; I would find my way completely without electronics. For digital natives – young people who were born with a smartphone in their hands, who don't even realize there was ever an internet-free era – analogue navigation could be a big challenge. They don't even know how to unfold a map, so to speak, and they look right past signposts.

The demand for many types of personnel would explode. Webshops no longer work - you have to go to the store for everything, which means that they need more staff. Fortunately, there are suddenly many redundant people at the distribution centers of large webshops. The tax return has to be on paper like in the old days, and all that paperwork has to be processed manually. Where do you get so many well-trained tax officials? If I want an appointment at the dentist, the barber or a restaurant, I have to call – fortunately we have not yet shut down our telephone networks under the guise of “there’s Skype and WhatsApp, who needs POTS?” (Plain Old Telephone System).

Travel agencies would shoot up like mushrooms. Because we can no longer book a nice holiday from our easy chair. You have to plan your holiday well in advance, because the travel agency has to send a paper application to the tour operator and in the meantime you have to keep your fingers crossed, because the travel agency cannot check availability online either.

And my work? That continues. Because luckily we have our own large data center, in which the systems run that our own army of IT specialists makes and maintains. We have years of work to do on that. Because security is a process, right? We throw all our energy into this job, without distraction from external emails and social media. And we only hear the news of the day in the evening, when we watch the news via the hastily restored analogue cable TV.

Well, I'm going to drop this blog in the pillar-box.


And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

2023-04-07

DPSTAP

Image from Pixabay

Every ICT specialist knows that, if you have made or changed something, you first have to test whether everything (everything!) still works. In a professional environment we have a multi-stage mechanism for this, which we cherish under the abbreviation DTAP: Development, Testing, Acceptance, Production. This week I heard a variation on this abbreviation that first made my ears pop and then put a big grin on my face.

That variant is DPSTAP and that stands for: Development, Production, Shit it doesn't work, Test anyway, Acceptance, Production. I heard this during a risk analysis. In a session like that we discuss what can go wrong and how bad that is, and one of the regular topics is: someone makes a mistake, what measures have been taken to ensure that this is discovered in time and therefore can cause no damage? In all the risk analyses that I have supervised so far – and there are quite a few – those present triumphantly shouted in unison on this point: DTAP!

And with that, everything was said. We develop something, we do a thorough test, the customer does an acceptance test and only when everyone is satisfied does the new system or new version go into production. If errors still come to light, the product goes back to the development phase. A solid working method that is in the DNA of all IT professionals and that is so self-evident that we rarely ask ourselves whether a team really works in this way all the time. Or whether shortcuts are taken, once in a while or perhaps even structurally.

That is, until this week. After all these years someone finally dared to say that apparently sometimes a makeshift path is followed – and not even necessarily with himself, I think. It couldn't be any other way, really. I do realize that the pressure to deliver on time can sometimes be so great that you have to make a choice between being ready on time or following the official route. If you opt for the former, as a conscientious employee you will then have to wait a few days or weeks to see if everything continues to go well, biting your nails.

The more you use such a shortcut, the easier it may become. And then it could become risky. You might find yourself on a slippery slope to heedlessness, perhaps even indifference. In an organization as large as ours, I cannot rule out the possibility that there may be some colleagues who have never been at the top of a slippery slope, who naturally always choose the easiest path. I know a lot of colleagues, and I haven't met one yet who made me think: there's one of those. But statistically I can't rule out that they are around. Perhaps they are kept in the lee of their team and, for example, are not appointed to participate in risk assessments and other activities in which I am involved. To these people – and to their managers – I want to say: straighten your back, stand by your craftsmanship and make sure that you do not become a risk to our business operations yourself. You may need a (refresher) course. Or – be honest with yourself – different work.

I also learned from this. I'm getting stricter. Even more than now I will go on asking questions, even when I speak to colleagues who I know for sure are very committed to security. Do you really always do it this way, or do you occasionally do DPSTAP? If you dare to admit that, you will earn bonus points. Because you then state that there might be a risk somewhere, and we can only do something about it if we know it. It also marks the difference between running risks (which happens unconsciously) and taking risks (consciously and based on trade-offs).

Finally, a special greeting from this place to one of my most loyal readers: my mother. She turned ninety today. Congratulations!


And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

2023-03-31

Big numbers


Image from Pixabay

I love numbers. My watch shows my heart rate and how fast I'm running, the cycling computer knows where and how fast I'm going and the weather station not only shows the indoor and outdoor temperature, but also air pressure, precipitation amount, humidity and wind speed. I keep track of my sporting and financial performance in Excel sheets. For your reassurance: I will not let all these numbers rule me (except for the finances, that is); the numbers are there for me – not the other way around.

Sometimes you are presented with figures that shock you. For example, I have had a tracker blocker running on my phone for a while now. If any app or website attempts to collect my data, this app will block it. As my phone sits here and I do nothing with it, I see the number of blocked tracking attempts in the last seven days counting up. There are currently 63,849 attempts and they come from 31 apps. Do you see why I’m shocked? By the way, there are already 63,855 attempts. While I do nothing.

What worries me even more is the list of apps trying to track me. The Ziggo* GO app is one of the busiest apps that want to know something from me. It's made 1,409 attempts so far – and that's for today alone (and it's just past 9am). The point is, I hardly ever use that app, and I certainly haven't used it in the last week. When I click through, I see that all those attempts in the Ziggo app come from Adobe. You know, that company of PDF files and Photoshop. But they are also active in the field of mobile app analytics. They explain what they do as follows: “Adobe Analytics delivers comprehensive analytics for mobile, web, and apps, plus unprecedented visualization and reporting capabilities, so product teams can quickly and easily drive optimal interest on mobile devices. Whether it's improving retention or increasing conversion, we provide the predictive insights to help you get the most out of your mobile investments.”

So Ziggo uses Adobe's services to track its customers. But what does all that tracking entail? I see a list of twenty items they would like to see. For example, my email address, zip code, GPS coordinates, various information about my phone and even the orientation of the phone (portrait or landscape). Another app I barely use is Reddit, and that app has, through Branch Metrics, already 431 attempts to its name today. And my calendar app DigiCal, which I do use often, has made "only" 243 attempts, but uses the services of two companies: Google and Facebook. I don't have a Facebook account myself, but Facebook does have an account about me. They want to track as many as 31 items, including sound volume, my gender, how much memory my phone has, accelerometer data (apparently they want to see if I'm on the move) and where I am. Google also wants to know how full my battery is. I can go on like this for a while. Nu.nl** uses no fewer than four trackers, all of which largely request the same information. PostNL*** attacks me with three trackers and they are just as busy as Ziggo.

And why all this? Adobe already revealed it: a lot of money can be made through advertisements, and the more targeted the advertisement, the greater the response. Don't bombard me with ads for diapers, instead hit me with gadgets. And in order to know what I like, you need as extensive a profile of me as possible.

On my phone, all of these tracking attempts are blocked by a feature in my browser, the DuckDuckGo Private Browser. DuckDuckGo is already known as a privacy-friendly search engine, but they also have their own browser on both Android and iOS. The protection against app trackers is still in the testing phase. Incidentally, the browser itself also has a few quirks and that currently makes it less suitable for near-computer illiterate people (real computer illiterate people do not have a smartphone). Numerous other blockers are available. As with all apps, you have to be careful not to get a Trojan horse: you don't want an app that promises to protect your privacy and then creates the biggest leak itself. I always look at the number of downloads and the reviews.

Recently angry farmers blocked our highways with their tractors and politicians and police apparently found it difficult to act against this. On the digital highway, you as a user have the option to block trackers****. My weekly counter is now at 64,159 and it feels good to have blocked all these attempts.

 -------------

* Ziggo is an internet, tv and phone company.
** Nu.nl is a Dutch news outlet.
*** PostNL is a Dutch postal company.
**** In the Dutch language, there’s a pun in this: a tractor is also called ‘trekker’, which has the same pronunciation as ‘tracker’ (if the latter is pronounced the Dutch way). I’m sorry that I couldn’t make the pun work in English.


And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.


2023-03-24

Let's play a game


Image from Pixabay

"Let's play a game." The year was 1983, I was a freshman computer science student, and the movie War Games felt like professional literature: we just had to see this movie about the hacking of the Pentagon's computer that powers US nuclear bombs.

<spoiler alert>

In the film, a young hacker avant la lettre manages to make contact with that Pentagon computer via his modem (you had to push in the telephone handset at the time) – not deliberately, but simply by having his modem dial random numbers. Without wanting to, he is about to unleash a nuclear war, partly because the computer follows its pre-programmed path. The hacker frantically searches for a way to stop the computer. In the end a game of tic-tac-toe saves the day: the computer realizes that you cannot win that game, just like a nuclear war. A happy ending in the nick of time.

</spoiler alert>

A simple game was suitable for teaching a computer something. It is also well known that people learn well through play. It will therefore come as no surprise that games are also used to teach people about information security. We had such a game developed back in the early 1990s. It was on a 3.5 inch floppy disk and came in a CD case – that was very hip at the time. You let a character walk through a building to expose all kinds of abuses there. I remember that when you clicked on the trash can, there turned out to be a carelessly discarded confidential document in it. The game was entertaining, graphic (albeit 2D) but above all educational.

Nowadays we also have a game to boost our employees' security awareness: the Online Security Awareness Game (OSAG). Now I haven't been a gamer for a long time, but one thing you can't ignore: this is not a game. You have to drag cards containing statements or facts to the right place on the screen. You will then receive the status of National Protector. Those are the only playful elements. So, dear creators, please change the name to Online Security Awareness Program (OSAP) or something like that. Well, I had to get that out.

Apart from that, I hear quite positive things about OSAG. That may have to do with the phasing of it: first we had level bronze and a while later silver. The appearance of silver was a trigger to pay attention to your information security awareness again. You were prompted to go through a pile of questions again and test how well you are informed. Each level is also divided into a number of steps, so that you can consume the material presented to you prior to a set of questions in pleasant portions.

In level bronze you learn, for example, about the confidentiality of data, the GDPR, data leaks and information security incidents. Phishing, password hygiene and physical security are also discussed. Level silver completes the basic knowledge with topics such as incident reporting, specific GDPR topics and two-factor authentication. This includes questions such as: what does 'processing' data mean (update/save/send/delete/everything), is the example shown phishing or legitimate mail, is it bad if someone on the train can read public information from your laptop screen?

The designations 'bronze' and 'silver' suggest that there could also be a gold level. And yes, dear colleague: if you are reading this on a Friday, then you have to do something else for a weekend. If you read this after the weekend, you can - if all goes well - get started with level gold right away! This includes access rights, physical security and the GDPR (you can see how important privacy is to us!).

Don't you work for us? Well, your organization probably also pays attention to information security in one way or another. Look for it or ask for it.


And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.


2023-03-17

Responsibility


Image from Pixabay

“Yes officer, this is indeed my car, but the broken rear light is really the garage's fault. They serviced the car a month ago!” Most reasonable people will understand that they can't get away with that. That car is yours and you are responsible for the proper functioning of all legally prescribed facilities. And that’s the end of it.

“Information security starts with an i, so ICT owns it!” Someone actually said that. Do you see the parallels with the previous paragraph? In both cases there is someone who either wants to bluff himself out of his responsibility, or someone who doesn't know what's going on. In either case, it's high time to get things in order.

I'm not really sure where the word 'ownership' comes from. Is it ICT jargon? Is it some kind of euphemism for ‘responsibility’? Anyway, that's what it means to me: if you own something, you're responsible for it. And that responsibility – of course – also includes the security of the thing in question. There are data owners, system owners, risk owners, and yes, even our intranet has a product owner; whatever you can come up with, there will be an owner. Incidentally, ownership does not go so far as to allow you to take home the thing that you own in a business sense – you own it, but it is not your property. All very complicated.

It took years for data ownership to be well established. Everybody would dodge the issue. The word ‘owner’ often has a positive connotation, the word ‘responsibility’, on the other hand, implies a heavy burden. Especially when it comes to the kind of data we are dealing with. But it worked out in the end and progress is still being made in the area of responsible data handling. Since last year we even have data stewards. These are colleagues who supervise the correct handling of data.

Back to the quote in the second paragraph. I don't know who said that, but it shows little insight into how things work. If you leave out the first part, “information security starts with an i”, which may have been meant to be funny, what then remains has long been a fairly common view: the IT department is responsible for information security. And there will still be organizations that are set up that way, or – even worse – that work implicitly this way. That is worse because responsibilities are not assigned, but everyone tacitly assumes that ICT is running the show. But even if it's explicitly set up that way, it's no good. Why? See the first paragraph. Just as the garage is not responsible for the correct operation of your rear light, the IT department cannot be responsible for the security of an organization's systems. ICT is merely advisory, executing and enforcing: based on our specific knowledge, we help the business to determine the rules of the game, we implement those rules and monitor compliance with them – on behalf of the business.

A structure like that is also likely to be encountered if you delve deeper into the organization. I work in the IT department of our organization, in a team that is accountable for the security of everything that IT department does. It is important to understand the term ‘accountable’; that is quite different from 'responsible'. The latter term is a management thing: every manager is responsible for the security of the things he has under his care. On the basis of our accountability, we ensure that managers fulfill their responsibilities and we help to achieve and maintain that situation. We should all keep in mind that security is not a product, but a process. In other words, it's never finished, but it keeps getting better.

Yesterday I saw a nice little example of taking ownership and responsibility. I was standing in a crowded train when two men made their seats available. They worked for the railroad company and apparently company rules state that paying travelers have more right to a seat than staff. They might have thought: no one knows that we work for the railroad company, we'll stay put. But they didn't. It was 'their' train, but also (at that time) their responsibility to facilitate travellers. Neat, gentlemen!


And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

2023-03-10

Bridges, songs and car keys


The new bridge - Image from Pixabay

Once upon a time there was a bridge, a suspension bridge to be precise. It was 1.6 km (1 mi) long, making it at that time – the year was 1940 – the third longest suspension bridge in the world. But this proud bridge did not live for more than four months. The wind picked up, the bridge began to sway and it collapsed.

I'm talking about the Tacoma Narrows Bridge in Washington State. The physical phenomenon that led to the collapse of this bridge is called resonance. In short, this means that an object that is exposed to vibrations amplifies that vibration on its own. You know that from rattles in the car, but playing on the swings is also a form of resonance. The wind was blowing in Tacoma at the time, and the wind happened to hit the bridge at its natural frequency (expressed in a popular way, this is a frequency at which an object is comfortable and starts participating happily: it resonates). This caused the bridge to move along with the wind, and eventually the materials could not handle that much movement and the bridge collapsed. See Wikipedia for more information and the famous video of the collapse.

Bridges aren't the only things that can break due to resonance. Last year there was a news story about computers mysteriously crashing. The ingredients of that story seem to have sprung from fantasy, but the people who saw that bridge collapse couldn't believe their eyes either. Those fantastic ingredients are an old type of hard disk and Janet Jackson's hit song Rhythm Nation from 1989. All sound – and therefore also music – consists of vibrations that propagate through a medium. When I talk to you, my vocal cords vibrate the air (the medium), and your eardrums pick up that vibration. And well, the sound of Rhythm Nation contains exactly the natural frequency of that particular type of hard disk. The hard drive will then resonate and destroy itself. The computer, in which the hard disk is located, will also stop working.

As a result, the music video in question has been officially declared a cybersecurity exploit. An exploit is a way for an attacker to exploit a vulnerability in a system. The vulnerability here is the sensitivity to resonance, the exploit is playing Rhythm Nation. And that doesn't even have to be on the same laptop: other nearby laptops can also die as a result. It is not very likely that someone will attack your computer in this way. As mentioned, these are old types of hard disks (5400 rpm), and the computers you use most likely no longer even contain a hard disk, but SSD memory (and for the sake of convenience we continue to call this memory without moving parts a hard disk).

There you go with your lists of standard threats, which you use in a risk analysis. Both cases have in common that the danger came from an unexpected quarter. Well, that bridge, one might have been able to calculate that, at least with today's knowledge. But a song by Janet Jackson crashing a hard drive, you just don't make that up. And I can hardly – hardly – imagine an attacker ever looking for such a method to destroy a computer.

However, research is being done into how information can be extracted from so-called air gapped computers. An air gapped computer is one that is not connected to a network. The air gap can also relate to a network; then there actually is a network, but that in turn is not connected to other networks that are considered unsafe. In this way a situation is created in which the data is safe in its own environment. But there are smart people who are looking for ways to extract information from such systems anyway. For example, I remember an attack involving the blinking of the network card light in the past. A classic attack is eavesdropping on the electromagnetic radiation emitted by all electronic circuits. Measures against this fall under the ominous heading of TEMPEST.

Such attacks typically target high value assets. As an ordinary private person you don't have to worry about it. Closer to home, what you could have to deal with is car theft. Thieves eavesdrop on the signal from your modern car key – the kind you don't have to put in the lock to unlock and start your car. That's why I've been keeping my car keys in a closed can at home for years. That works like a Faraday cage: a construction that blocks electromagnetic radiation. However, if I am sitting on a terrace, my key can still be tapped and the signal can be 'extended' to my car with certain equipment. Special key cases are sold that also promise to work like a Faraday cage. Only then, of course, you still have to take the key out of its case to open and start the car yourself. Choose what is more important to you: security or ease of use. I'm not going to buy such a case. How many crooks with such equipment are there, anyway?


And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.
