Monday, December 14, 2015

From the rain into the drip: leaking data (Dutch)

Every organisation that processes personal data does that processing, if all is well, under a roof. That roof offers protection against nasty things like wind and weather, and makes sure that all the valuable items underneath stay dry and therefore undamaged.

But what if the roof leaks? What if your data leaks? This is no longer a concern only for large companies with big data centres, but also for small businesses and sole proprietorships with a NAS or server at home or at the office.

And if your data leaks, it may well be that you have to report it. No matter how large or small the company, and no matter how much or how little data is involved. In this blog post I want to take a look at this new legislation, called 'Meldplicht Datalekken' (data breach notification obligation) (5).

Who does this legislation apply to?

In the past, similar legislation was already in force for telecommunications companies. With this new legislation, all companies are included. This means that sole proprietors such as lawyers, notaries, therapists and estate agents will also have to deal with this law. But sole proprietors and small businesses such as glaziers, plumbers, contractors and every other example imaginable are not excluded either. The only condition that applies is that your company processes personal data.

Because when you process personal data, you fall under the so-called Wet bescherming persoonsgegevens (Personal Data Protection Act) (4).

What is the Wet bescherming persoonsgegevens?

This is a law that sets the framework for protecting personal data. The law is too extensive to summarise in this post, so I refer you to the link at the bottom of this blog. In short, whoever holds the personal data is actually responsible (as in liable) for its processing and for the security that this requires. Outsourcing this to another company does not diminish that liability. In addition, you have to make sure that only your own company can actually process the data, or that in case of outsourcing a so-called bewerkersovereenkomst (data processing agreement) exists.

Effectively, for Dutch companies this usually means (note: there are exceptions) that personal data may only be processed by your own company, or that the processing is outsourced under a data processing agreement to a company established in the European Union.

And what does the Wet meldplicht datalekken add?

This law adds that when the processing of personal data has been disrupted to such an extent that the Wet bescherming persoonsgegevens can reasonably no longer be complied with, this must be reported to the Autoriteit Persoonsgegevens (formerly the College bescherming persoonsgegevens).

This legislation also sets out frameworks and guidelines for the actual reporting of a data breach. As a rule, a data breach must be reported within 72 calendar hours of discovery. When the notification obligation is not met, or when (gross) negligence has led to the breach, the Autoriteit Persoonsgegevens can impose a maximum fine of € 820,000 (fine amount as of 01-01-2016).

Talk about going from the rain into the drip... A fine can have major consequences for the profitability and reputation of your company!

What exactly is personal data?

According to the text of the law, personal data is defined as: "any data relating to an identified or identifiable natural person" (3). Think of name, gender, BSN (citizen service number), religious beliefs, address, telephone number, financial data, medical data, and so on. All data that is about individuals. But also the accounts and passwords of your customers that are stored in your systems. And ask yourself: doesn't every company process these types of data?

Incidentally, as far as I am concerned that is also the most important reason why web shops should not require account registration, but that is a discussion for another blog.

The government recognises three different kinds of personal data (2). They are as follows.
  1. Direct personal data: some personal data gives direct and factual information about a person. For example someone's date of birth, address or gender.
  2. Indirect personal data: there is also data that indirectly says something about a particular person. For example about this person's social status.
  3. Special personal data: special personal data includes data about someone's race, religion or beliefs, political views, health, criminal past, sexual life and membership of a trade union. Criminal records are special data too. Note that very strict conditions apply to companies before they may process special personal data.
There is actually also a fourth category about which the Wet meldplicht datalekken (indirectly) says something. This is the so-called category of 'sensitive data'. Special personal data falls under this category by default. But direct and indirect personal data can fall under it as well. When an unauthorised person gets hold of all the names and addresses of children under the supervision of Bureau Jeugdzorg (youth care), that direct personal data has suddenly become sensitive data. In this case it concerns a vulnerable group in society.

OK, I process personal data, now what?

Then my first advice is to really start reading the Beleidsregels meldplicht datalekken (policy rules on the data breach notification obligation) (1), issued by the Autoriteit Persoonsgegevens, right away. This free document sets out in an accessible way how the law should be interpreted. Below I list some important characteristics that I find striking and that may also have a big(ger) impact.
  • A data breach can be a set of personal data of a group, but also of one specific individual.
  • No longer being able to restore personal data after, for example, a fire (because the backup was destroyed too) is also a data breach.
  • A malware infection on a system must always be reported and is always regarded as a (potential) data breach.
  • A lost laptop or USB stick containing personal data is, as a rule, also a data breach.
  • A burglary in which the NAS is stolen is a data breach. Incidentally, this also applies to your physical files.
  • A hacker who breaks into the Wi-Fi network and thereby gains access to the personal data.
  • An e-mail message containing personal data that the company sends to the wrong recipient.
My second advice is to really realise that this affects your company too and that you need to be prepared for this matter. After all, you process sensitive data of your customers and employees, and that creates a responsibility to protect it. Misuse of this data can lead to great damage (material and immaterial) for the persons affected.

I am a small company and I don't have the resources of a large one, is there anything I can do?

Yes, absolutely, something can be done. First of all, I would hire a competent IT company to screen your IT environment (I deliberately do not call this an audit, because at this scale that would overshoot the mark). In doing so, the following set of controls can be checked.
  • Does every computer require logging in with a username and password?
  • Are the hard drives of all computers encrypted?
  • Is the communication between the computers and the NAS (or server) encrypted?
  • Is a virus scanner active on the computers and the NAS?
  • Are (security) updates installed automatically on all devices?
  • Is the firewall enabled on the router and on all computers?
  • Are a username and password required to reach the data on the NAS?
  • Are all usernames and passwords stored in a so-called password manager?
  • Is a backup made daily?
  • Is this backup also kept at another location at sufficient geographical distance?
  • Are all computers, hard drives and multifunction printers disposed of through specialised companies?
  • Is the Wi-Fi network secured with at least WPA2-Personal, and is support for the 802.11b protocol disabled?
  • Have all default passwords of all administrator accounts been changed?
  • Has the default Wi-Fi network password been changed?
  • Is e-mail retrieved over an encrypted connection?
  • When customers log in to a website, is that connection encrypted?
  • And are the customers' passwords stored as a hash?
Of course there are many other and much more detailed questions to ask. The point is that all data, and access to it, is protected with a username and password. In addition, a virus scanner and a firewall are active wherever possible, all communication between devices is encrypted as much as possible, and security updates are installed automatically everywhere.

Closing words

With this set of measures a small office can already set up a better secured IT environment and thereby ensure that the personal data he or she processes is processed securely enough. This also reduces the chance that you become the victim of a data breach and have to report it to the Autoriteit Persoonsgegevens.

My advice, though, is to have a competent IT company do the screening, unless you are really sufficiently familiar with this matter. If you have any questions, feel free to ask them in the comments below!

Links

  1. Beleidsregels meldplicht datalekken (policy rules on the data breach notification obligation): https://cbpweb.nl/nl/nieuws/cbp-publiceert-beleidsregels-meldplicht-datalekken
  2. Rijksoverheid (Dutch government), personal data: https://www.rijksoverheid.nl/onderwerpen/persoonsgegevens
  3. Definition of personal data: https://cbpweb.nl/nl/over-privacy/wetten/wbp-naslag/hoofdstuk-1-algemene-bepalingen-art-1-tm-5/artikel-1-sub-wbp
  4. Wet bescherming persoonsgegevens (Personal Data Protection Act): http://wetten.overheid.nl/BWBR0011468/
  5. Wet meldplicht datalekken (Data Breach Notification Act): http://wetten.overheid.nl/BWBR0036695/

Thursday, October 8, 2015

The Security Pyramid Model

I have worked in the field of IT Security for roughly two years now, and before that I worked for two years as an IT Continuity Officer. And I can say, thankfully, that I have learned a lot. The most important thing I have probably learned is that it is nowhere near possible to know everything. The key is to be able to create an overview of the entire situation in which you operate and, where needed, to learn the skills needed for that specific task. Truth be told, that is much easier said than done.

As an IT Security Officer, do I need to focus on Identity Management, Network Security, Data Security, Security Architecture or any other topic? I would say that you probably need to comprehend at least all fields (and more), but also choose your own specialisation. To fill the gaps in your knowledge and experience you will need to look to co-workers and other sources to perform your job.

Last year I completed my CISSP exam and I got my title in November 2014. The training course did not literally help me to extend my knowledge on very specific topics (apart from Forensics, I have to say), but the training helped me to see the bigger picture in IT Security. There is much debate about whether or not certifications like CISSP are sensible, but for me it did add value to my work as an IT Security professional.

In this blog post I am going to share the foundations of my experience and knowledge from the last couple of years in a model. In this model I have set out the most important topics, and I am convinced that these concepts can help you in your profession, especially when you are new to this very interesting field of work. I call this model the Security Pyramid Model. First I'll show you the model and describe the basics, the ethics and the rules for success in Information Security.

As I have CISSP, did the Ethical Hacking training, and follow sources like ISACA, SANS and many more, you might find the model below influenced by their theories, frameworks and concepts.

The Security Pyramid Model


The triangles

I find that many topics come in sets of three. Just think about concepts like people, process and technology. But also strategic, tactical and operational, and of course the well-known confidentiality, integrity and availability. What I did was look at what I saw as dominant 'mantras' within Information Security. Then I formulated three words for each concept and placed them in the pyramid.

It is a grey area obviously, but in a way I modelled the pyramid in some form of hierarchical manner. In the end, privacy needs to be protected by security. Whether it is your very own privacy or that of the company's secrets, it needs to be secure. So that is at the very top, the ultimate goal. But in order to get there you have some groundwork to do.

Skipping the rules for success and the ethics (which will be talked about below), I will start with the first row of triangles. Security needs to be addressed on every level in an organisation, it needs to be scoped on all three elements within an organisation, and in my opinion good Security is done based on risk management. But in order for this to work the organisation needs to embed Security in its DNA using legislation, policies to enforce legislation and procedures to implement the policies. And the flow of information (most often the crown jewels of an organisation and also often the sensitive data of its customers) needs to be addressed properly.

In the layer on top of that there is the well-known Security triad. Then there is the concept of intelligence, detection and response to Security incidents, and that is where the magic happens when it comes down to coming out on top of incidents like hacking and breaches that might (or will) occur. And when selecting the solutions to address risks and vulnerabilities, always think in terms of layered defence, security by design and compartmentalisation. And when that is done you will need to think about how much trust you want, how much control you need and how much secrecy you crave when you think about privacy.

Security Life Cycle Management

Everything is changing very fast. Whether it is the capabilities of hackers, new Security solutions, laws, markets or your very own customers, you need to respond quickly to this changing environment. Everything in your Security organisation needs proper life cycle management. Policies can probably be reviewed on a 2-year basis, but technical solutions need to be under constant review. So for everything that is done to keep the crown jewels safe: life cycle it!

Rules for Success

Rules for success are important, as they determine how (yes, obviously) successful you will be at your work.

It all starts with people first. If they are not safe, all else does not matter. If your co-workers are harmed by 'Security' measures or are harmed by the lack of them, it has all failed already. The second is the support of your management. For every decision, policy, security measure and investment you need management support. If you don't have it, you will likely fail eventually.

We also need to keep in mind that in the end everyone is responsible for doing their part to be secure. Everyone is responsible for their security in their private lives, but at work all co-workers are responsible for the security of their organisation as a whole. You cannot outsource such responsibility. Therefore, training is needed. Some need more training than others, but continuous training and growth of awareness are very important. Never waste a good crisis, so share your security failures, at least internally. This helps to make everyone understand that a breach can happen fast and that a company going down affects everyone in it.

But all the above does not help if you do not have the appropriate policies. Policies are needed to show the employees what the boundaries, obligations and rights are and how they should be kept and respected. Policies do not (or at least should not) know any exceptions. An exception is documented as a new policy.

Ethics

Ethics are important to prevent organisations and people from going corrupt and harming either the company itself or the society they operate in. The following rules are inspired by the (ISC)2 Code of Ethics, but also by the ISACA Code of Professional Ethics.

First, protect society and its infrastructure. As a person, be honourable and just. Act responsibly and comply with legal regulations and laws. Provide competent service and, wherever possible, advance the profession you work in.

Closing words

There are many frameworks that address various countermeasures and solutions for risks and vulnerabilities, and all those frameworks of course have their worth. What I hope to achieve with this model is to put it all into one view.

I hope I was of some value to you in sharing what I know and have experienced, and that we can learn from each other when we discuss it. So feel free to agree, disagree and certainly feel free to share your thoughts and questions in the comments below.

Saturday, September 5, 2015

Social and emotional transcendence enabled by technology

I got a question from a reader on my blog post "From hybrid thinking to the upbringing of our children". This question could not be answered in a short sentence, so I decided to write a blog post about it.

The digital world, even for the youngest ones among us, is a totally integrated phenomenon. Toddlers are playing on their mother's or father's tablet, and I look on with wonder. By being able to rely on our Cloud, we are able to enhance our wisdom every single day. Gorgeous! But I wonder… Where is the individuality of us as a person? And would it not distract us (too much) from being who we are? Is it possible that it would give proper space to develop more on social and emotional aspects, because energy and effort do not need to be aimed at "learning" and "remembering" facts?

You rightfully state that the digital world as we know it is an integrated part of the daily lives of people young and old. The Cloud (which used to be just The Internet :) extends our memories and information sources a million-fold compared to what we were used to roughly 20 years ago (probably even less).

You ask about where all this technology leaves us as an individual and how we will develop on a social and emotional level.

To answer that question we need to jump back into the history of our existence. One of our greatest inventions was neither fire nor the wheel. It was language, both in speech and in writing. It gave mankind the possibility to pass information on to the next generation, and this technology has been refined ever since (think about the printing press, telephone, Internet, mobile). We often say that the strongest will survive, or those that can adapt the fastest will survive. Although this may be true by itself, it is not the cause, it is the effect. The cause of us humans being the strongest and perhaps the fastest to adapt is the sheer fact that we are able to process information like no other species on Earth and use that capability for our survival and advantage.

I always say we as a species have two major addictions, one leading to the other. The first is our endless hunger for information. We want more, we need more and we generate more every second. In order to sustain such an addiction we need energy. And lots of it. Everything in the universe revolves around information and energy. From the information and energy in the cells of our body to the energies that flow through our galaxy. Our DNA is information, our cells are, and our brain as a culmination of cells is an information processor like no other we have seen. Yet...

I say yet, because we will transcend biology with technology in the near future. At the time of this writing we are capable of simulating one second of brain activity of 1 human in 40 minutes using the current supercomputer. In 2 years from now this will be 20 minutes. In 4 years from now it will be 10. In 6 years from now it will be 5. You get the point, because in 30 years from now it will take only 0.000572205 seconds to simulate 1 second of brain activity. That is 1747 human brains by just one supercomputer. And it is likely that such a supercomputer is just as big as your blood cell.

At that point we humans have the technological means to be ever more connected than we are now. Think about 'calling' each other just by thinking it, visiting other countries through the senses of other humans, and really sharing emotions like we experience them ourselves. We will become hybrids. Biological humans enhanced with integrated technology to become more connected, healthier and, most important of all, smarter.

And now back to your question about how this will affect our social and emotional development. I think it will have a tremendous impact, in such a way that we cannot even begin to comprehend it from where we are now. We don't have the technology now to predict what our future will look like with that kind of power. But I can make some assumptions though.

I think the collective will become more 'important' than the individual. Don't get me wrong, we are not becoming one mind, nor careless about human life. We become (an estimated) 9 billion minds that are interconnected in one giant Cloud. Yes, we can disconnect ourselves, but I think we would feel very lonely when we do that. Because when we become capable of truly sharing our inner selves, our love for one another will grow. When we really understand another person to the core of his or her being, how can we not love them? How is that not the ultimate level of emotional connectedness?

Socially we will become much more focused on each other and our environment, rather than ourselves (without neglecting ourselves though). The way societies work will change accordingly. Everything will become much more automated and robotised. Because people don't have to worry about survival anymore, we can focus more on the people around us, arts, dance, spirituality, religion, nature, (space) travel, growth, and much more.

This process towards the future technology will have its struggles though. We need to teach children how to interact with and use technology. The days when parents can excuse themselves for not understanding it and thus not educating their children in it are over. There is the real danger that people will get lost in technology and find themselves alone and disconnected from people. These are serious topics we as a society need to address.


But yes, future technology can (or will, in my opinion) give us energy and time to become more human, to really be connected with each other and with ourselves. The days of people staring at their phones will come to pass. TVs will be gone from our living rooms and technology will be far less visible, but ever more present. We will finally be able to truly love our planet for what it is, our home.

I like to watch dystopian movies in which the Earth falls apart and everyone feels terrible and such. But I really think that a utopian future is waiting for us. I believe that we will transcend the flaws of us humans now and become more than we are now. We will not reach that point without struggle, loss and perhaps not without war though. Change never comes without fight, pain, sorrow and grief. My worries do not lie in the future after that change, but in the future during the change. And I believe that the first steps of the beginning of that future will be 20 to 40 years from now.

The main question is: when such a future announces itself, will you change with it? And more importantly, how do we prepare children for such a change? But that topic is for another blog post.

Thanks for your question and I hope I answered it to your liking.

Sunday, August 16, 2015

From hybrid thinking to the upbringing of our children

For the purpose of this blog post I re-watched the movie Limitless yesterday (apparently there will also be a TV series adaptation of it). I like the movie for the question it makes me ask myself. What would I do if I had an enhanced mind?

Probably the most honest answer would be that I actually do not know, because I cannot look beyond the limitations of my own mind and therefore I cannot anticipate what I would do when I have an enhanced mind. That being said, I think I would be information hungry to the core of my being. I would learn languages, and my decision making would be even more based on patterns I could then see clearly. Much like the main character in the movie does. But I would also like to connect to the people around me even more than I do now.

From Limitless Thinking to Hybrid Thinking

The movie is based on the assumption that a human brain is only used for about 20% of its capacity and that with the help of a new drug the rest of its capacity is activated. Much the same as the movie Lucy. The claim that we only use 10 or 20 percent of our brain is most likely not true, according to Robynne Boyd in an article in Scientific American. So if biologically nothing can be done, how about technologically? This is where Ray Kurzweil comes in.

In a recent article by Anthony Cuthbertson of the International Business Times, Ray Kurzweil states that we will connect our brains to the Cloud by 2030. Wow, that is like... 15 years from now! Even if he is 10 years off with his prediction, 25 years is no large number either. And if we are able to connect our brain, our minds, to the Internet, then the possibilities will become endless and beyond everything we can imagine today.

Imagine that we can look up information instantly whenever needed and wherever we are, with just a thought. We can probably even outsource parts of our thinking to services hosted in the Cloud. We can, much like Google Goggles, look at a Sudoku puzzle and instantly see its solution. We can make 'phone calls' with each other by thought, truly share emotions and even use (with consent of course) each other's senses. We can walk in a different country and see everything we see and hear translated at once. The Tower of Babel is not actually a physical tower; it will be the Internet with all our minds connected to it.

Well, back to Earth now with both feet. It will take a couple of years before we reach such technology. Although some people try to argue against it for ethical reasons (which have valid points, I think), I believe the development will be so fast and disruptive that mankind will embrace it anyway. But that is beyond the scope of this blog post.

What is being smart now and in the future?

In a world where information is just a thought away, what does it mean to be smart? How differently will we look at it compared to now? We can assume that every person will have their biological boundaries, such as your IQ, but being smart in the future is not about knowing a lot. Well, knowing a lot as in stored in your brain anyway. Because when you connect your brain to the Cloud you actually do know a lot, it is just not stored in your brain.

According to Academic Earth this process is already going on due to the existence of the Internet and the possibilities we have to connect to it. Our brain is trained by the things we do. And if we search a lot and do not 'care' to remember, we train our brain to search and not to remember. And if we are able to store everything in the Cloud and connect our mind to it, we become masters of search in a world full of information. How often do you check Wikipedia for some facts about a holiday you have planned? How much do you remember after checking it? Or do you even care to remember, because you can look it up a second, third and fourth time anyway?

The following principle is widely known. There is data, and from data information is made. Information can be interpreted and thus knowledge is created. And knowledge can lead to wisdom. I tend to say that we now live in a world in which being smart is about having a lot of knowledge. In the age of hybrid thinking, being smart is all about being wise. And the wiser you are, the more successful and renowned you will be.

Preparing our children

But how can you become a wise person? To answer this question, we need to look at the fundamental flaw of the education system we know today. The current educational system is focused on gaining information and hopefully knowledge, rather than gaining wisdom. There is a nice YouTube video by RSA Animate about Changing the Education Paradigms.



In this video Sir Ken Robinson talks about the need to change the paradigms of our education systems. It is a good and very relevant watch, and my opinion is that new paradigms are needed to prepare our children for a future in which all knowledge can be found online. The new paradigm should be about the individual and his or her development, skills, talents and all the things that make him or her happy. We should train and educate our children to search for information and how to use the information that is found. We should focus on ethics, morality and social skills. When we inspire our kids to grow and learn, they will find their passions on their own.

The result might be a future with humans that are more aware of their society and their place in it, behave more ethically and spiritually, and advance even more than their ancestors when all that is combined with endless knowledge at the tip of their thoughts.

I firmly believe that it is our responsibility to prepare our children for such a future.

What is your take on this? Feel free to comment below, and thanks for taking the time to read my post.

Saturday, July 25, 2015

How are typical users handling passwords of their online accounts?


Much has been written about users and their accounts and passwords, but I was recently confronted with a rather funny story about this topic. Perhaps you recognise yourself in a similar situation?

The story...

Someone in my social circle recently got a new smartphone. She was very happy with it, but there was one major thing to do: configuring it. As I am the local IT guy in this circle, I was asked to help with it. Of course I wanted to help with that (for two reasons, to be honest: firstly to help the other person, but it is always nice to fiddle around with a new phone too).

So I started with the basic stuff first, skipping the phase of entering accounts and such. First I disabled some apps (or bloatware if you like), set some settings, connected to WiFi, renamed the Bluetooth connection and so forth. Then I went to the first account. This was the Google Account, which I needed to download the apps from the Play Store.

I gave the smartphone back to her and asked if she would like to fill in the account details. It went silent, and a moment later the following was said.

Oh, I cannot remember that anymore...

I asked if she might have written it down. That was a possibility, so she went to search for the piece of paper with all their user credentials on it. There are some downsides to using a piece of paper as your Password Manager, but it is sure as offline as it can be.

After a long search, the final conclusion came: the password could not be found. So we started to try out some passwords. I helped her try to remember the password by suggesting some other passwords that are used for other accounts and by suggesting extending the birthday and so on. Password reuse is the tradition here, but after 20 minutes of guessing and thinking we came to the conclusion that we would need to restore the password of the Google Account.

I could have started with this of course, but such a reset of a Google account is often a bit tricky. You have to have kept the recovery information in your account up to date, and I was not sure that was the case. But now it was time for the last-resort solution, so I started the account recovery. Luckily the recovery information (such as a valid alternative e-mail address) was up to date and the account was marked for a new password.

She went silent for a minute, processing all the passwords that had been thought of in the last 20 minutes, and decided that she had made up a new one. She entered it twice and hit the OK button. The following message appeared.

The password has been previously used by this account. Please use a new one.

You can imagine how hilarious this situation was. When it was time to make up a new password, the actual correct password of the account was entered as the 'new' one. We had a good laugh, made up a really new password, wrote it down on the paper and all was set. Then I moved on with installing and configuring the smartphone.

I immediately thought that this was a nice topic for a blog post. I think it really reflects how typical users commonly handle their credentials.
  • They are written down unencrypted or on paper.
  • Password reuse is the norm.
  • Passwords are relatively easy to predict.
  • There is not much commitment to doing it the 'right' way.
Not that I can blame her or any other user for the last bullet though. There is a lot to do, and it is sometimes difficult to configure or even difficult to use. And the fact that there are easily over 100 accounts per user that need to be managed does not make it any easier.

So, I want to set out a set of simple best practices to make improvements in matters such as the above.

But what are the best practices?

First of all, every account can be compromised. Sometimes by guessing or extracting (and using) passwords and sometimes by circumventing the security controls that are in place. If an attacker is really dedicated and wants fast results, buying a 5 dollar/euro wrench at a local hardware store is enough to convince most people to give up their passwords. People tend to be more protective of their fingers and knees than they are of their passwords.

But unless that is happening, you can follow the guidelines below when it comes to protecting your accounts.
  • Always use a unique password for every account.
  • Use a lengthy password:
    • A password is at least 16 characters long and at least mixes numbers, capital and non-capital letters.
    • A passphrase of at least 16 characters is also possible, as long as it is not an easily guessable sentence.
  • Do not use your birthday or the names of yourself, your spouse, friends, pets, and so on. Do not use any information in your password that might be found online.
  • If there is support for Two-Factor Authentication, always use it.
    • This is a feature that asks for an additional code (called a One-Time Password) to be entered. The code can be sent to your mobile in an SMS text message or can be generated on additional hardware or in an app. This is often seen with electronic banking.
  • Store your account and password details in an application (a Password Manager) built explicitly for that purpose.
  • And never ever ever share your accounts and passwords with anyone else. Unless you are very certain that it can be done (think about a shared account between spouses to follow the sale of their home online).
With the rules above you can greatly improve the security of your accounts or the accounts of your family and friends. And most importantly, almost every family or group of friends has someone in their midst who understands all this. Ask for his or her advice and ask them to help get you going!
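To make the guidelines above concrete, here is an added example (not code from this post) that checks a candidate password against them: length, character mix or passphrase, no names or birthday, and no reuse. The list of "easily guessable" sentences and the personal details passed in are constructed placeholders.

```python
"""Check a candidate password against the guidelines in this post.

Added example, not code from the original post. The rules follow the
bullet list above; GUESSABLE_PHRASES is a constructed stand-in for a
real list of well-known sentences.
"""
import re
from datetime import date
from typing import Iterable, Optional

MIN_LENGTH = 16  # "at least 16 characters long"

# Constructed placeholder list; a real deployment would use a large one.
GUESSABLE_PHRASES = {
    "the quick brown fox jumps over the lazy dog",
    "to be or not to be",
    "i love you",
}


def _date_forms(birthday: date) -> list:
    """Common ways a birthday gets typed into a password, longest forms first."""
    patterns = ("%d%m%Y", "%Y%m%d", "%m%d%Y", "%d-%m-%Y", "%d%m%y", "%Y")
    return list(dict.fromkeys(birthday.strftime(p) for p in patterns))


def check_password(password: str, *, names: Iterable[str] = (),
                   birthday: Optional[date] = None,
                   used_elsewhere: Iterable[str] = ()) -> list:
    """Return the guideline violations found (an empty list means it passes).

    names: names of the user, spouse, friends, pets (anything findable online)
    used_elsewhere: passwords already used for other accounts
    """
    problems = []
    lowered = password.lower()

    # Rule: a unique password for every account.
    if password in set(used_elsewhere):
        problems.append("reused: this password is already used for another account")

    # Rule: length. Several words make it a passphrase, which only needs the
    # length and must not be a well-known sentence; a single-word password
    # must also mix digits, capitals and non-capitals.
    is_passphrase = len(password.split()) >= 3
    if len(password) < MIN_LENGTH:
        problems.append(f"too short: {len(password)} < {MIN_LENGTH} characters")
    if is_passphrase:
        if re.sub(r"[^a-z ]", "", lowered).strip() in GUESSABLE_PHRASES:
            problems.append("passphrase is an easily guessable sentence")
    else:
        if not re.search(r"\d", password):
            problems.append("no digit")
        if not re.search(r"[A-Z]", password):
            problems.append("no capital letter")
        if not re.search(r"[a-z]", password):
            problems.append("no non-capital letter")

    # Rule: no names and no birthday.
    for name in names:
        if len(name) >= 3 and name.lower() in lowered:
            problems.append(f"contains the name {name!r}")
    if birthday is not None:
        for form in _date_forms(birthday):
            if form in password:
                problems.append(f"contains the birthday as {form!r}")
                break
    return problems


if __name__ == "__main__":
    # Constructed sample input.
    for candidate in ("Tr0ub4dor&3", "Anna19850312Rocks!", "to be or not to be!!",
                      "Zx9!vQ2m#Lp7wRt4"):
        print(candidate, "->", check_password(candidate, names=["Anna"],
                                              birthday=date(1985, 3, 12)) or "ok")
```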

Do you have any other tips or questions? Please feel free to share them in the comments below!

Sunday, July 19, 2015

From a Cybernator to an attractive or love-able Cyber-bot

Recently I wrote a blog post about Terminator Genisys and the very fact that something like Skynet might emerge. As I am a huge movie fan, specifically of the science fiction genre, I saw two more movies that cover a bit of the same topic, at least for the Artificial Intelligence (AI) part. These movies were Chappie and Ex Machina. I found both movies very nice and entertaining to watch, and both took a different approach to the same question: can a human care for, or even love, a robot?

The punch line here is that I do believe that we can love or feel empathy for a robot and I'll explain why we can.



For your information, I am not going to spoil the endings of the movies, so you can safely read ahead.

Love is not human-only

We all know pets like cats and dogs. They are likely the species most often kept as pets, not counting the tigers and lions though. Non-pet-owners, especially people who never had a pet, might find it difficult to believe that people who do have pets can really love them. People really do!

But why do people love their pets? Why do people grieve when their pet has died? I believe the most fundamental part of this love for a pet has something to do with the reflection of human behavior. Behavior of your pet that 'shows' human-like emotions is a big part of the ability to love a pet. And not only the behavior is key in this, but also the feeling of actually connecting with an animal can result in feeling (at least) empathy for it.

Dolphins are smart and we can interact with them and learn all kinds of things. The same applies to dogs, cats, monkeys, rats, apes and many more. The more the animal resembles parts of a human, the more a human can feel empathy. The level of empathy differs from human to human of course, but the foundation holds true here. I also believe that the feeling of empathy is strongest with mammals. Mosquitoes or the common fly are not easily loved I guess (at least, I have trouble with that).

So, for argument's sake, let's state that humans can feel love or empathy for non-humans in the form of animals that represent some part of human behavior or emotions.

Chappie

Chappie is a robot who (funny, I did not write 'which' here...) is made sentient by the lead engineer of the corporation that makes these robots. The nice touch here is that the sentient robot is mentally 'born', almost like a human. It holds no knowledge yet and its brain functions are comparable to those of a human infant. Chappie grows up and throughout the movie it gets smarter really fast.

I found out that my emotional response to Chappie being mistreated is the same as to animals being mistreated. Or even humans being mistreated. I started to care for Chappie and I hoped he would succeed in overcoming his fears and the challenges he faced in this harsh world. I did say fear. It is not strange to believe that the moment a being is sentient, it will know fear of dying when it figures out that its existence can be ended. So Chappie gets to know feelings of fear, joy, happiness, sorrow, loss, anger and revenge. Including fear of death.

Physically he really looks like a robot. Metal, mechanical, rotors, buzzes and all. But in all his behavior and all his communication he feels human. He reasons like a person and he struggles with the same questions about morality as anyone else does.

If a robot shows true AI on a level that humans can recognize and converse with, is it possible to feel empathy for such a sentient being? Is it that much different from a dog or a cat? Or perhaps even a human being?

Again, I truly believe that it is possible to feel empathy for Artificial Intelligence.

Ex Machina

Whereas Chappie is more of an action movie, Ex Machina is more of a psychological one. The movie explores the very foundations of us being human and how that relates to AI. It revolves around a Turing test that a scientist needs to perform on an AI-enabled robot. Basically a Turing test is a test that revolves around a human-versus-computer interaction in which the human does not know it is interacting with a computer. A spin-off thought here: what if the computer does not know it is a computer, but thinks it is a human? How can the human convince the computer that it is not human?

The robot in this movie, called Ava, is made by the company that has the world's biggest online search engine. In a way there were many (slightly scary) similarities with present reality. For that part this movie has a nicely worked-out foundation on what is needed to develop an AI. Just watch the movie if you are curious how this is done.

Ava shows more similarities with humans than Chappie does. She has a female face, acts feminine, also has emotions like fear and joy, can make jokes, manipulate and lie. She even flirts with her male human opposite. It goes so far that the man starts to feel attracted (mentally and sexually) to Ava. When watching the movie, I can understand why he started to feel attracted. Especially when you see the ability of the robots to put on human skin and then actually look like a real person.

Could you love an AI-enabled robot that looks like a real person? When the robot is smart and wise like a human, would you even recognize it as being artificial? And if you do not recognize it as such, how could you not love such a robot?

Just philosophical for now

All these questions are mostly philosophical of course, but they can become real questions for mankind in the coming decades.

The next question is: would we recognize an AI as sentient when it is an intelligence we cannot comprehend, relate to or even communicate with? If so, wouldn't that be an even bigger danger for mankind than an AI we can feel empathy for? A nice book that covers this topic is The Swarm. It is not artificial but biological intelligence, and that is all I am going to spoil. It is a nice book and worth the read.

If you want to share anything, please do so in the comments below.

Wednesday, July 15, 2015

The Cybernator is on the rise!

Ta-da-da-dadum, ta-da-da-dadum.... Yeah, I obviously went to see the movie Terminator Genisys. This time Skynet hides its evil schemes behind an epic operating system launch, and when it goes online, all cyber breaks loose! I missed the dragons with Daene... uhm... Sarah, but hey, evil robots and artificial intelligence will do just fine. Besides that, nothing beats the awesome Arnie fighting skills with his crushing-opponents-through-12-concrete-walls-in-a-row skill! Not to mention me wasting 30 megs of my data plan just to hear "get to the choppah!!" again on some soundboard app. It was well worth it though and it was a nice evening (ghehe).
First iteration of Skynet?
It is obvious (I think) not to expect a serious review of the movie itself from me. I am far too biased here. But I want to talk about something I like about this Terminator universe (and similar movies alike). When I was roughly 12 years old I saw the movies The Terminator (1 and 2), and I have been hooked on the storyline ever since. The very fact that some man-made machine would be the end of our existence fascinated me. It made me wonder: how real is this threat?

Genisys is Skynet in disguise, or is it #Cyber?

No need for a spoiler alert in this post, but it is rather obvious that Genisys is Skynet in disguise. The fun twist here is that Genisys is nothing more than an abstracted view of our integrated Cyber world with millions of devices, services, apps and users. Perhaps even billions. This Cyber world is called Skynet in Terminator 1 and 2 (and 3?), and although not explicitly mentioned, it is basically the Internet in Terminator Genisys. Some doctor says "everything will be connected", followed by Sarah saying "huh?". Obviously there is no Internet in 1984 in the way we know it today, so Sarah not knowing is forgivable. Skynet in the latest movie is actually more the artificial intelligence itself that will harness its power through the ever-connected and growing Internet.

The Cybernator

I do not have a time machine to jump back in time or to the future, so I cannot say that our world will ever face a dystopian threat similar to Skynet. But the ingredients for this recipe are there though.

First of all, Skynet already exists and we call it The Internet. Or the Cloud. Or everything that is preceded by the word Cyber. Second, artificial intelligence (AI) already exists too. Not in the form of Skynet, but AI is doing a lot of things for us humans at the moment. Despite the fact that it is not self-aware (yet!) and that most of the time it is doing one specific task, its algorithms are complex and machine learning is often applied within such algorithms.

Scientists are working hard on the first real AI in the context we often mean when we say AI. Which is a computer that is self-aware, has at least the same intelligence as us (which is not very ambitious in my opinion) and can make decisions independently of pre-programmed knowledge. This post is not meant to go in depth on this topic, but if you want to know more, start with the book "How to Create a Mind" and see where your journey on this topic ends.

I personally and truly believe (based on previous technological advancements) that mankind will see the rise of the first AI in a couple of decades. The first version (or should I say generation) will probably not be 100% right, but that will change quickly when it can evolve by itself. It will also be a very digital AI which does not have a body (in this phase at least).

And third, the Internet of Things (IoT) is a new, growing phenomenon. IoT devices and services operate and communicate with each other through the Internet without interference and without in-process decision making by man. They act solely by themselves, based on constraints and rules.

Well.. is the threat real?

So we have The Internet, the first iterations of some form of AI, scientists working on real AI, and we have the Internet of Things and soon old military surveillance drones as WiFi access points. Kinda starts to sound like Skynet, right? Regardless of whether the threat is real or not, the right question is (which is also slightly touched on in the movie): "Are we prepared to merge the biological and technological evolution of mankind?". When we are not prepared to do so, we as a species might become threatened by either machine or hybrid (some sort of cyborg).

Hybrids may seem far-fetched now, but when considering technology such as upgrading the lenses in your eyes in a couple of years with technological replacements (to enhance your vision with infra-red and all), it might be closer than you think. When is a man considered a hybrid? What if we are capable of connecting our brains to the cloud and learn the skill of hybrid thinking? Are we then part machine? Or are we still the biological mankind from 10 years ago?

The real threat can be defined from within the understanding of our history. If hybrids become real (mankind with enhanced and deeply integrated bio-technology) then we just have to look at the period from 1492 AD and beyond. The Indians were overrun by the technologically more advanced European colonists. In the beginning all was fine, but as soon as the Europeans wanted more of the land that was inhabited by the Indians, the tensions grew rapidly. You might even wonder what would have happened if the Indians had killed Columbus the moment he set foot on the ground. News of a success would not have reached home and colonization would probably have been delayed for a while. Would it have been inevitable though?

And now fast-forward to the present day. If you look at the way we use connected technology (smartphones, tablets, Internet, IoT, and more), perhaps 'Columbus' has already discovered a new continent called #Cyber and it is simply too late for us to resist successfully. This struggle (or even war) between enhanced and non-enhanced humans is mentioned in the video Transcendent Man on YouTube, from roughly 56 minutes onwards.

With all the new technologies ahead, we are at least entering exciting times that stretch beyond our imagination. It is up to you and me in the near future how we will evolve, not only technologically, but also morally and ethically.

What is your reflection on this subject? Feel free to debate it in the comments below.

Thursday, July 9, 2015

To bloat or not to bloat?

'Bloat-fish' from Finding Nemo 3D
To bloat, or not to bloat? That is the question. Or is it really? Recently a group of consumers in China filed a lawsuit against Samsung and Oppo for delivering too much bloatware on their devices. I tend to say that indeed bloatware is not good. But the real question that needs to be answered first is: "When does software become bloatware?".

Any app that connects to a service that is optional within an ecosystem should not be pre-installed, and when such an app is a replacement for a local or connected app, then the local or connected app should be pre-installed.

We all know that bloatware is added for mostly economic reasons. Be that good or bad, it helps reduce the price tag of the devices. Although we have seen that companies, such as Lenovo, also added spyware, which is downright evil in my opinion.

In this post I will outline the differences between software and bloatware and, hopefully, show why I think the statement above is what bloatware is.

Purpose of devices

There are three (generalized) reasons that people use their devices. So let's take a look at that first.

The first one is that of consuming content. That may be books, movies, series, information from websites and apps, gaming, shopping, social media, et cetera. The second one is that of organizing. This is everything that is done to organize information and relations. Think about planning (calendars), note-keeping, keeping contacts, social media and other actions that support the activity of planning. The last reason people use their devices is that of producing. Albeit this is mostly reserved for laptops and desktops, it also happens on smartphones and tablets. Producing is making content or systems in whatever context you make it. Think about drawings, video, music, websites, programs, and more.

But there is a sort of "fourth" category. And those are the activities that in some form interact with system components. Most often just because it can be done (I for one like stats on my system and all its sensors, geek stuff I guess). Think about the LED light on your smartphone that is used as a flashlight. And think about the sensors in your device that give you the ability to use your device as a compass. This functionality of system components is more on an Operating System level, and I tend to say that it supports the usage of devices to consume, organize and produce.

The layers of software

We now have established an understanding of what the purpose of a device can be, so let's plot that on the layers of software at an abstract level. For the sake of readability, I call everything an app or functionality from now on.

Layer: Operating System (OS)

The OS layer supplies all other layers with functionality. Think about sensory information and specific hardware elements such as the LED light and camera. So here is a list of functionality, sensors and other important hardware that might be present on the OS layer.
  • Camera - To sense images
  • LED-light - To create light
  • Microphone - To sense sound
  • Accelerometer - To sense acceleration
  • Gyroscope - To sense position
  • Magnetometer - To sense magnetic fields
  • Proximity sensor - To sense objects nearby
  • Light sensor - To sense light intensity
  • Barometer - To sense atmospheric pressure
  • Thermometer - To sense temperature (inside device and outside)
  • Air humidity sensor - To sense humidity of air
  • Pedometer - To sense steps made by a person
  • Heart rate monitor - To sense the heart rate of a person
  • Fingerprint sensor - To sense a fingerprint of a person
  • GPS - To determine global position of a device
  • NFC - To read nearby chips
And this list is not definitive. This list translates into the list of apps below.
  • Photo and video camera
  • Flashlight
  • Compass
  • Voice recorder
  • Fingerprint scanner
  • NFC reader
  • Screen control by using the proximity sensor.
  • Environment apps that read sensors such as the barometer, thermometer and humidity sensor.
  • Location and direction apps that read sensors such as the accelerometer, gyroscope, magnetometer and GPS.
  • Health apps that read sensors such as the pedometer and heart rate monitor.
  • Other apps that read or connect to NFC, WiFi, Bluetooth, cellular signals, battery level et cetera.
I think that if you have a specific sensor or hardware capability in your device, you also need the capability to read its sensory information or use the hardware. I state that such apps are not bloatware. They are an integrated part of your system and all its sensors and hardware.

Location and health apps are specific categories though. Most often such apps are part of the ecosystem of a tech company, and those apps may have an impact on your privacy. I still think you should have an app that can read your heart rate (and perhaps switch it off!). It is another thing whether such data should be stored locally or on a Cloud service. I will come back to this later in the ecosystem layer of software.

You will see that apps that reside on the Local and Connected Application layers are mostly about organizing and planning.

Layer: Local Application Layer

Here are examples of apps (and I state that I talk about the offline versions of them) that I think belong to the Local Application Layer.
  • Contacts list
  • Calendar
  • Tasks
  • Note-keeping
  • Clock, alarm and stopwatch
  • Phone
  • Calculator
  • Photo and Video viewer
  • Filesystem viewer

Layer: Connected Application Layer

Here are examples of apps that reside on this layer. Keep in mind that I talk about apps here that are not part of an ecosystem, but just have the ability to independently connect to online services.
  • E-mail
  • SMS
  • Web-browser
  • Download Manager
  • Update Manager (updates should wherever possible be delivered from outside the ecosystem)

Layer: Ecosystem Application Layer

The last layer is that of the ecosystem itself. Most often this is Google Play, Apple iTunes, the Microsoft Store, Amazon, or other variations that are out there. In this layer most of the consuming apps reside and often also the producing apps. On the Windows platform Microsoft is also making a move to make all Windows 10 desktop apps available through the Microsoft Store. Yes, it is still possible to install apps from outside the ecosystem (just like on Android), but with Windows 10 Microsoft is slowly discouraging that.

I want to mention that only one app in this layer should reside on a device, and no more than just that one app. And that is the app to access and utilize the ecosystem itself. That might be the Play Store, App Store, and so forth. Sometimes this also comes with a video and music player and a book viewer, because those are not an integral part of the store app. There is a 'but' though...

Cross Layered Apps

And here is the gray area of software versus bloatware. Google, Apple, Microsoft and more companies alike are developing ecosystem-based apps that replace apps on the local and connected layers of a device. Think about Gmail, Google Drive, Outlook, OneDrive, iCloud, iCloud Drive, Calendar, Contacts, People, Hangouts, iMessage, FaceTime, Google Fit, S Health, S Note, and the list goes on and on. The reason this is happening is to keep you in the ecosystem by supplying an ever more integrated online and social experience.

And it works more often than not. When I look at myself I can draw that conclusion anyway.

So, when is an app bloatware again?

Any app that connects to a service that is optional within an ecosystem should not be pre-installed, and when such an app is a replacement for a local or connected app, then the local or connected app should be pre-installed. Here are some examples for the Android platform.
  • Gmail is not optional to the Play ecosystem (everyone with a Google account has Gmail). Therefore, Gmail could be present on a phone by default, but it might be redundant. In most cases there is also a connected version of the e-mail app available.
  • Google+ is an optional service within the Play ecosystem. It has no local or connected app as a counterpart, so Google+ should not be pre-installed on a device.
  • Play Movies is an integrated part of the Play ecosystem (to play videos rented or bought within the Play Store) and therefore it should be present on a device for the sake of user experience.
Apple does a better job concerning bloatware, although I really wonder why there is a Stock Exchange app. It should just be an optional app. Just like the weather and news apps on all device platforms, by the way.

Google and Microsoft are also doing a better job with the devices they release themselves. You also know that if you buy a device from them directly, you are really connecting to their ecosystem. Although this is not obligatory in many cases and you can use a device outside the ecosystem (you will lose some functionality though).

But devices released by third-party manufacturers very often suffer from bloatware. Especially consumer devices from companies like Samsung, Dell, Packard Bell, LG, HTC, Sony, Hewlett Packard, Lenovo, et cetera. Most devices come pre-installed with many apps which operate within an ecosystem, and often also with games.

I would rather pay a couple of bucks more for a device if it does not come with bloatware.

What do you think about all this? Please share your thoughts in the comments below.

Friday, July 3, 2015

Guide for building an Encryption Policy: The Policy in Summary - part 4


Well, now it is time to give a summary of the topics I have talked about in the other parts of this blog series. In this post I will set out the guidelines, and if you want more background information on why I chose certain directions, please check the other posts.

I will set up the policy as much as possible in the way business rules are handled. This is to maintain the auditability of the policy.

The series of posts is divided into the following topics.

The Encryption and Hashing Security Policy

General Policy

Every algorithm that is being used...
  • complies with Kerckhoffs's principle.
  • is NOT theoretically or practically compromised or cracked.
  • is publicly known and commonly used.
  • is sufficient to keep the data secret for as long as it needs to be secret.
  • is considered as part of a Life Cycle program in the organisation.
Comply or explain...
  • Every implementation and use of any encryption algorithm complies with the entire policy.
  • When it is not technically possible to comply with the policy, then:
    • Always choose the next best possible option.
    • Always do an additional risk analysis on the chosen option.
    • Always implement additional controls when the risk analysis suggests you should.
    • Always perform penetration testing to test for weaknesses.
    • Always document the chosen option (explain).

Hashing Policy

Hashing Algorithm
  • The chosen algorithm is at least SHA-2.
    • Block size: at least 512-bit, but preferably 1024-bit or higher.
    • Output size: at least 256-bit (SHA-256), but preferably 384-bit (SHA-384) or higher.
  • MD5 and SHA-1 are never used.
Salting with Hashing
  • Always salt a message before hashing when the hash is used to store passwords / passphrases and other session identifiers.
  • Every salt is unique, randomized and not reused anywhere else.
  • Every salt is as long as the output size in bytes of the hash.
  • Only use one hashing technique for one message.
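As an added example (not code from this series), the hashing and salting rules above applied to password storage: SHA-384 output, a fresh random salt exactly as long as that output, one technique per record, and MD5/SHA-1 refused both when hashing and when auditing stored records. Stretching the hash with PBKDF2-HMAC is this example's own choice to slow down guessing; the policy does not prescribe it.

```python
"""Salted password hashing following the Hashing Policy above.

Added example, not code from the original post. Applied policy points:
SHA-2 with 384-bit output, a unique random salt as long as the hash
output in bytes, one hashing technique per message, MD5/SHA-1 never.
PBKDF2-HMAC iteration is this example's assumption, not the policy's.
"""
import hashlib
import hmac
import os

FORBIDDEN = {"md5", "sha1"}     # "MD5 and SHA-1 are never used."
DEFAULT_HASH = "sha384"         # "preferably 384-bit (SHA-384) or higher"
MIN_OUTPUT_BITS = 256           # "at least 256-bit (SHA-256)"
ITERATIONS = 210_000            # PBKDF2 work factor (assumption)


def new_salt(hash_name: str) -> bytes:
    """A fresh random salt exactly as long as the hash output in bytes."""
    if hash_name in FORBIDDEN or hash_name not in hashlib.algorithms_available:
        raise ValueError(f"{hash_name} is not allowed by the hashing policy")
    return os.urandom(hashlib.new(hash_name).digest_size)


def hash_password(password: str, hash_name: str = DEFAULT_HASH) -> str:
    """Return a 'hash$iterations$salt_hex$digest_hex' record for storage."""
    salt = new_salt(hash_name)
    digest = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, ITERATIONS)
    return f"{hash_name}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    hash_name, iterations, salt_hex, digest_hex = stored.split("$")
    if hash_name in FORBIDDEN:
        return False            # legacy record: re-hash on migration, never accept
    digest = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def audit_record(stored: str) -> list:
    """Check one stored record against the policy: algorithm, output size, salt length."""
    problems = []
    hash_name, _, salt_hex, digest_hex = stored.split("$")
    if hash_name in FORBIDDEN:
        problems.append(f"{hash_name} is never used")
    digest_bits = len(digest_hex) * 4
    if digest_bits < MIN_OUTPUT_BITS:
        problems.append(f"output size {digest_bits}-bit is below {MIN_OUTPUT_BITS}-bit")
    if len(salt_hex) != len(digest_hex):
        problems.append("salt is not as long as the hash output")
    return problems


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")   # constructed sample
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("policy problems:", audit_record(record) or "none")
    # Constructed legacy record the audit should reject.
    legacy = "sha1$1000$" + "00" * 20 + "$" + "11" * 20
    print("legacy problems:", audit_record(legacy))
```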

Encryption Policy

Symmetric Encryption
  • The chosen Stream Cipher algorithm is ChaCha20.
    • The key length is at least 128-bit.
    • The key length is preferably 256-bit.
  • The chosen Block Cipher algorithm is AES or Twofish.
    • The key length is at least 192-bit.
    • The key length is preferably 256-bit.
Asymmetric Encryption
  • The chosen algorithm is RSA.
    • The key length is at least 2048-bit.
    • The key length is preferably 3072-bit.
    • A key length of 1024-bit is never used.
  • The Key Agreement is always based on the Diffie-Hellman Key Exchange.

Implementation Policy

Data in Transit
  • IPsec is used whenever possible.
  • IPv6 is used whenever possible.
  • If TLS is used, it is always version 1.2.
  • If SSH is used, it is always version 2.
  • SSL (any version) is never used.
Data at Rest

Every option selected for encryption of data at rest...
  • is currently maintained by the developer.
  • has undergone extensive penetration testing.
  • is publicly known for its security and is commonly used.
  • can use modern-day Encryption and Hashing techniques.
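The key-length, protocol-version and comply-or-explain rules above lend themselves to an automated audit. The following is an added example (not the author's tooling) that classifies each entry of a crypto inventory as compliant, below the preferred strength, explained (a documented deviation, as the comply-or-explain section requires) or non-compliant; the inventory entries are constructed sample data.

```python
"""Comply-or-explain audit of a crypto inventory against the policy above.

Added example, not the author's tooling. The thresholds encode the bullets
of the Symmetric, Asymmetric and Data in Transit sections; the 'explain'
field carries the documented deviation the comply-or-explain rule asks for.
"""
import re
from dataclasses import dataclass

# (minimum bits, preferred bits) per algorithm. RSA-1024 is below the
# minimum, so the explicit "never used" bullet is covered as well.
KEY_RULES = {"chacha20": (128, 256), "aes": (192, 256),
             "twofish": (192, 256), "rsa": (2048, 3072)}
# Data in Transit: TLS only as 1.2, SSH only as version 2, SSL never.
ALLOWED_VERSIONS = {"tls": {"1.2"}, "ssh": {"2"}}

COMPLIANT = "COMPLIANT"
PREFERRED_NOT_MET = "PREFERRED-NOT-MET"
EXPLAINED = "EXPLAINED"
NON_COMPLIANT = "NON-COMPLIANT"


@dataclass
class Item:
    system: str
    spec: str          # e.g. "AES-128", "RSA-2048", "TLS1.0", "SSLv3"
    explain: str = ""  # documented reason when the policy cannot be met


@dataclass
class Finding:
    system: str
    spec: str
    status: str
    detail: str


def classify(spec: str) -> tuple:
    """Map one spec string to (status, detail), before any explanation applies."""
    text = re.sub(r"\s+", "", spec.lower())
    transport = re.fullmatch(r"(tls|ssh|ssl)v?(\d+(?:\.\d+)?)", text)
    if transport:
        proto, version = transport.groups()
        if proto == "ssl":
            return NON_COMPLIANT, "SSL (any version) is never used"
        if version in ALLOWED_VERSIONS[proto]:
            return COMPLIANT, ""
        wanted = ", ".join(sorted(ALLOWED_VERSIONS[proto]))
        return NON_COMPLIANT, f"{proto.upper()} {version}: policy allows only version {wanted}"
    cipher = re.fullmatch(r"(chacha20|aes|twofish|rsa)-?(\d+)(?:-[a-z0-9]+)?", text)
    if cipher:
        alg, bits = cipher.group(1), int(cipher.group(2))
        minimum, preferred = KEY_RULES[alg]
        if bits < minimum:
            return NON_COMPLIANT, f"{alg.upper()} {bits}-bit is below the {minimum}-bit minimum"
        if bits < preferred:
            return PREFERRED_NOT_MET, f"{bits}-bit meets the minimum; {preferred}-bit is preferred"
        return COMPLIANT, ""
    return NON_COMPLIANT, f"{spec!r} is not an algorithm or protocol the policy allows"


def audit(inventory: list) -> list:
    """Comply or explain: a documented deviation is EXPLAINED instead of NON-COMPLIANT."""
    findings = []
    for item in inventory:
        status, detail = classify(item.spec)
        if status == NON_COMPLIANT and item.explain:
            status, detail = EXPLAINED, f"{detail}; documented: {item.explain}"
        findings.append(Finding(item.system, item.spec, status, detail))
    return findings


if __name__ == "__main__":
    sample = [  # constructed sample inventory
        Item("web-frontend", "TLS 1.2"),
        Item("legacy-vpn", "SSLv3", explain="vendor appliance, replacement ordered"),
        Item("db-at-rest", "AES-128"),
        Item("mail-cert", "RSA-2048"),
        Item("chat", "ChaCha20-256"),
    ]
    for f in audit(sample):
        print(f"{f.status:18} {f.system:14} {f.spec:13} {f.detail}")
```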

Traveling Policy

The Wassenaar Arrangement is an international arrangement between a set of countries to control the use and export of dual-use goods and technology (Wikipedia & Wassenaar). Encryption is considered a technological dual-use good. Therefore, it might be prohibited for people to use certain encryption technologies (or strengths) in countries that may be considered non-friendly or even hostile. This might mean you cannot take an encrypted phone or laptop with you when traveling.

There is also a chance that when traveling a person must hand over his or her encryption keys when arriving at customs in the destination country. Many countries have these laws to check for data on the device that potentially violates the country's laws. And when the device is holding critical business data, its security (and secrecy) might be violated.

When traveling...
  • the encryption technologies used in the hardware and software taken by the traveler are checked for legality of export by the legal department.
  • the devices that are taken never have sensitive data stored locally.
  • sensitive data is always collected from the organisation's servers through a VPN tunnel secured with proper encryption once the person has arrived at the destination.

End-word

That's about it on the subject of encryption, hashing and their policies. If you feel that something is wrong or should otherwise be adjusted or enhanced, please feel free to comment below. If you have any questions whatsoever, please feel free to comment too.

Thank you for your time to read my blog-series about the Guidelines for an Encryption and Hashing Policy.

--
This post has the tag: update, meaning it will be updated when new information becomes available and/or relevant.

Sunday, June 28, 2015

Guide for building an Encryption Policy: Encryption Implementations - part 3


16th century French cypher machine
As you can see in the image above, encryption means nothing if you don't actually implement it. The French cypher machine in the shape of a book dates from the 16th century and was owned by King Henri II, who implemented a version of cryptography (Wikipedia source).

But what are the common practices today? In the first two blog posts I set out a baseline for the policies concerning hashing and encryption. I described the various algorithms and stated which ones should be used and which ones shouldn't.

In this part I will look at the variety of different implementations and I will focus on the ones that are common today (and hopefully tomorrow).

The series of posts is divided into the following topics.

Encryption mapped on OSI-model

First I want to take a look at which stages of data in transit and at rest encryption can take place. This is important to know, yet often overlooked. Management pressure often comes with comments like: "we need to do encryption" or "encrypt every network connection". The truth is that most likely your network is a complex network, and applying encryption techniques is nowhere near as easy as your management stating that you have to implement it.

For the purpose of this post I created a model that gives an overview of the places where encryption can take place and in what form. After the model I will briefly explain the variety of options shown in the image. For the record, the image is released under the Creative Commons Attribution-NoDerivatives 4.0 International License, so please share it in any way you like.

Model of Encryption techniques in context to data in transit, in process and at rest
Data can be in one of three stages. It can be in transit between two information systems, it can be in process within an information system, and it can be stored (at rest) in an information system. All three stages require a different approach towards encryption. I will discuss the different stages of data from the OSI-model perspective.

If you want to know more about the OSI-model, click here. In the model above I added three layers (after a debate with a colleague of mine) on top of the OSI stack: layer 8 Message, layer 9 Transaction and layer 10 Process. These represent the layers that are needed to actually submit a message to the Application layer. A process can contain multiple transactions, and a transaction can contain multiple messages.

A message is the actual data itself, although (meta-)data in and about the transaction and process layers can be sensitive too. In this post I will focus on the actual message that is going to be transmitted to another node.

Data in Transit

Encryption of data in transit happens on the 3rd, 5th, 6th and 7th layer of the OSI-model. Whereas layer 3 is information-system independent (at least, it should be), layers 5 through 7 depend more on what mechanism is chosen in the application layer. It is important to know that they are different.

When applying IPSec for IPv4 or IPv6 in your network configuration you encrypt the payload of every IP packet. The header of every IP packet is, for the obvious reason that it is needed to deliver the payload, not encrypted. There are also two modes of operation here: host-to-host and gateway-to-gateway. I tend to advise host-to-host whenever possible, as the encrypted part of the route is the longest there. IPSec secures your data against unauthorized access on the wire, but anyone who is authorized on the network can see the data (makes sense I guess).

Transport Layer Security (TLS) is probably the best-known protocol to encrypt data on the wire. It resides in the presentation and application layers. It is used in HTTP connections (the best-known users are web browsers), known as HTTPS, and it is used for FTPS. Do not mistake this for sFTP, which uses Secure Shell (SSH) to encrypt the data. SSH has some weaknesses prior to version 2. Secure Socket Layer (SSL) in every version is considered insecure, just as TLS 1.0 and 1.1 are. Do not use those protocols anymore!

In summary, TLS version 1.2 and SSH version 2 are safe to use. Therefore HTTPS, FTPS, sFTP and other protocols based on TLS and SSH are also safe to use.

There is also the phenomenon of VPN (Virtual Private Network) tunneling on layers 2, 3 and 7. In general, every VPN tunnel is insecure when no additional security measures are taken. If you do not trust the underlying network of the VPN tunnel (for instance, the Internet), then you will have to take security measures in the VPN tunnel itself. These measures can be protocols like IPSec in conjunction with the Layer 2 Tunneling Protocol (L2TP), or the use of TLS and SSH.

Data in Process

Data in process is the data that is being processed by the information system (or business application, if you like). It is everything between data at rest and data in transit. As far as I can see, there is hardly any configurable encryption in this stage, although it is possible that when the information system reads the data it also encrypts it in memory.

This approach seems to me highly CPU- and memory-intensive, and I doubt its usefulness for common business practice. It is also something the developers of such an application, or of the operating system it runs on, need to implement.

Data at Rest

Data at rest has a filesystem-centric approach towards encryption and a data-centric approach. Let's start with the first one.

The filesystem-centric approach is not about the data itself, but about the storage it is kept on. It is about encrypting disks, partitions and volumes (that span multiple disks or partitions). It is also about an encrypted container file in which the actual data is stored in the form of files and folders. Your temporary files in the hibernation and swap space (pagefile) can be encrypted as well. These last two are especially important if you want to secure your environment against forensic analysis.

The data-centric approach is the encryption of the data itself. Storing passwords is probably the best-known variant of it. But it is also possible to encrypt entire databases or specific records and/or attributes in a database. The focus here is the data itself, not the filesystem it is stored on.

There are tons of implementations to choose from here. There is an extensive list of disk encryption software on Wikipedia. When selecting your tool for the job, consider your policy towards hashing and encryption. There might also be other corporate policies that state whether you should or should not use open source tools. There is no right or wrong here, other than that it is not wise to use software which uses outdated algorithms.

Implementation and testing

Do not ever trust an implementation without testing. TLS, SSH, IPSec and the others might be secure in themselves, but these algorithms and protocols are implemented in software (and hardware in some cases), and software implementations might have (or probably have) weaknesses as well.

Therefore, always perform proper testing before and after implementation, and keep testing at regular intervals, as new vulnerabilities might be discovered and exploited.
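As an added example (my code, not the author's; it uses nothing but Go's standard library), here is how the TLS rule from the "Data in Transit" section and the "test before and after implementation" rule above can be expressed and tested in one program: PolicyServerConfig pins a crypto/tls server to TLS 1.2 as the minimum, and ProbePolicy starts that server on a loopback port and tries to complete a handshake with it at TLS 1.0, 1.1, 1.2 and 1.3 in turn. The function and variable names, the throwaway self-signed certificate and the loopback set-up are all mine.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ProbeVersions is walked oldest first; the first two must be refused under the policy.
var ProbeVersions = []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13}

// selfSignedCert builds a throwaway RSA-2048 certificate for 127.0.0.1 so the
// whole probe runs in-process. Constructed test material, not a real CA.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "tls-policy-probe"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the client trusts exactly this one certificate
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// PolicyServerConfig is the post's rule in crypto/tls terms: TLS 1.2 is the
// floor, so SSL 3.0, TLS 1.0 and TLS 1.1 are never negotiated.
func PolicyServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
}

// handshakeAt dials addr pinned to exactly one protocol version and returns
// the negotiated version, or the handshake error if the server refused it.
func handshakeAt(addr string, pool *x509.CertPool, version uint16) (uint16, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: pool, MinVersion: version, MaxVersion: version})
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

// ProbePolicy starts a listener with the policy config on a loopback port and
// reports which protocol versions it accepted.
func ProbePolicy() (map[uint16]bool, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", PolicyServerConfig(cert))
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() { // server side: complete (or refuse) each handshake, then hang up
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) { c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	accepted := map[uint16]bool{}
	for _, v := range ProbeVersions {
		_, err := handshakeAt(ln.Addr().String(), pool, v)
		accepted[v] = err == nil
	}
	return accepted, nil
}

func main() {
	accepted, err := ProbePolicy()
	if err != nil {
		panic(err)
	}
	for _, v := range ProbeVersions {
		fmt.Printf("protocol version 0x%04x accepted: %v\n", v, accepted[v])
	}
}
```

Run it with go run: the TLS 1.0 and 1.1 probes should report false and the 1.2 and 1.3 probes true. The same handshakeAt loop, pointed at a production host and port with its real CA pool, is the "test after implementation and at regular intervals" the post asks for; it catches the case where a library upgrade or a configuration change silently re-enables an old protocol version.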

End-word

I hope I gave a clear view on the variety of implementations of encryption algorithms without going too deep or staying too shallow on this topic. In the last blog post in this series I will summarize the three other posts into one policy on how you can handle your encryption and hashing practices.

Did you see anything incorrect, or do you disagree for other reasons? Or do you want to share how you handle topics such as these? Please share your thoughts and opinions in the comments below.

--
This post has the tag: update, meaning it will be updated when new information becomes available and/or relevant.

Saturday, June 20, 2015

Guide for building an Encryption Policy: Encryption Algorithms - part 2


In part one of this blog series we talked about hashing. This part is all about encryption. I will talk about what encryption is so the general concept is known, and then move on to a summarized encryption policy.

The series of posts is divided over the following topics.

Encryption versus Hashing

Encryption is, unlike hashing, a two-way street: you can actually decrypt your message (or file, or whatever you want to encrypt). Encryption does not produce a hash like hashing does, so it does not guarantee the integrity of your data. It does protect the confidentiality of the message though. Please do keep this in mind: if you want confidentiality of your data and you also want to safeguard its integrity, you will need to use hashing in conjunction with encryption.
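To make this concrete, here is an added example in Go (mine, not the author's) that also covers the data-centric "encrypt specific records or attributes" approach from part 3 of this series. It stores a constructed database attribute with AES-256 in CTR mode, which gives confidentiality only, and then again with encrypt-then-MAC (the same ciphertext plus an HMAC-SHA256 tag under a separate key), and shows what happens when one byte of the stored ciphertext is changed. The names SealEtM, OpenEtM and TamperTest, the fixed test keys and the sample record are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// encryptCTR gives confidentiality only: AES-256 in CTR mode, output IV || ciphertext.
func encryptCTR(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil { // fresh random IV
		return nil, err
	}
	cipher.NewCTR(block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], plaintext)
	return out, nil
}

// decryptCTR cannot notice corruption: a flipped ciphertext bit just flips the same plaintext bit.
func decryptCTR(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(data) < aes.BlockSize {
		return nil, errors.New("bad key or ciphertext too short")
	}
	plaintext := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCTR(block, data[:aes.BlockSize]).XORKeyStream(plaintext, data[aes.BlockSize:])
	return plaintext, nil
}

// SealEtM adds the missing integrity: encrypt-then-MAC, output IV || ciphertext || HMAC-SHA256 tag.
func SealEtM(encKey, macKey, plaintext []byte) ([]byte, error) {
	ct, err := encryptCTR(encKey, plaintext)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, macKey) // independent key for the MAC
	mac.Write(ct)
	return mac.Sum(ct), nil
}

// OpenEtM verifies the tag in constant time before anything is decrypted.
func OpenEtM(encKey, macKey, data []byte) ([]byte, error) {
	if len(data) < aes.BlockSize+sha256.Size {
		return nil, errors.New("sealed record too short")
	}
	ct, tag := data[:len(data)-sha256.Size], data[len(data)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ct)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, errors.New("integrity check failed: record was modified")
	}
	return decryptCTR(encKey, ct)
}

// TamperResult records how each scheme reacts to one modified ciphertext byte.
type TamperResult struct {
	CTRAccepted bool // encryption only: the modified record decrypts without complaint
	CTRGarbled  bool // ... and the result silently differs from what was stored
	EtMRejected bool // encrypt-then-MAC: the modified record is refused
}

// TamperTest protects a constructed attribute both ways, changes one ciphertext byte in each, and reports what a reader sees.
func TamperTest() (TamperResult, error) {
	var res TamperResult
	encKey := bytes.Repeat([]byte{0x11}, 32) // constructed test keys; generate real ones with crypto/rand
	macKey := bytes.Repeat([]byte{0x22}, 32)
	record := []byte("customer_id=4711;credit_limit=1000") // constructed sample record
	ct, err := encryptCTR(encKey, record)
	if err != nil {
		return res, err
	}
	ct[len(ct)-1] ^= 0x80 // someone with write access to the store changes one ciphertext byte
	pt, err := decryptCTR(encKey, ct)
	res.CTRAccepted = err == nil
	res.CTRGarbled = !bytes.Equal(pt, record)
	sealed, err := SealEtM(encKey, macKey, record)
	if err != nil {
		return res, err
	}
	sealed[aes.BlockSize] ^= 0x80 // the same change on the first ciphertext byte
	_, err = OpenEtM(encKey, macKey, sealed)
	res.EtMRejected = err != nil
	return res, nil
}

func main() {
	res, err := TamperTest()
	fmt.Printf("%+v (err: %v)\n", res, err)
}
```

Go's crypto/cipher also offers AES-GCM, which combines both steps in one authenticated mode; the two-step version is shown here because it makes the post's point visible: the CTR-only record decrypts to silently altered data, while the MAC-protected one is refused before any decryption happens.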

But that is not all. Besides confidentiality, encryption can also provide non-repudiation. Non-repudiation is the property that a party cannot deny that it has executed an activity. This can be very important to bring your audit and logging data up to forensics level. But non-repudiation does not come by itself; you have to do something for it, which I will explain later.

An overview on Encryption

Encryption can be symmetric or asymmetric. Symmetric encryption is based on either stream ciphers or block ciphers. Asymmetric encryption is based either on discrete logarithms or on factoring the products of large primes. See the figure below, which displays this schematically.

Cryptographic Systems (CC)

Symmetric Encryption

Symmetric key algorithms use the same key in both the encryption and the decryption process. This technique provides confidentiality. It does not provide non-repudiation.

Stream-ciphers

Stream-ciphers are based on generating an infinite cryptographic key-stream and encrypt a bit or a byte at a time. Stream-ciphers are used when the amount of data that is being sent is unknown.

Algorithms (excluding niche variants, patented and specific-use algorithms) that are stream-ciphers, according to current standards (dated April 4th, 2016), are as follows.
  • Deemed insecure*:
    • RC4, Salsa20
  • Deemed secure, but uncommon:
    • HC-128, HC-256, Rabbit
  • Deemed secure and common:
    • ChaCha20
ChaCha20, HC, and Rabbit can have a variety of key lengths.
  • 128 and 256-bit
Full list of stream-ciphers can be found on Wikipedia.

Block-ciphers

Block-ciphers are roughly the same as stream-ciphers, but instead of encrypting bits or bytes they use blocks of data. They are best used in situations where the amount of data to send is known in advance. There are multiple modes of block operation (which I won't go into in detail), but you can see the differentiation below.
Algorithms (excluding niche variants, patented and specific-use algorithms) that are block-ciphers, according to current standards (dated April 4th, 2016), are as follows.
  • Deemed insecure*:
    • BlowFish, DES, MacGuffin, RC5, ThreeFish, Triple DES
  • Deemed secure, but uncommon:
    • CAST-128, CAST-256, RC6
  • Deemed secure and common:
    • AES, TwoFish
AES, CAST, RC6, and TwoFish can have a variety of key lengths.
  • 128, 192 and 256-bit
In any case, I would advise going for the maximum here (whenever possible), which would be 256-bit, although 192-bit should also be enough for the foreseeable future.

Full list of block-ciphers can be found on Wikipedia.

Asymmetric Encryption

Asymmetric encryption involves some form of key exchange, with the result that a different key is used to encrypt and to decrypt a message. This technique provides confidentiality and non-repudiation. Confidentiality is provided when the sender uses the receiver's public key to encrypt the message. Non-repudiation is provided when the sender's private key is used to encrypt a message. If you need both confidentiality and non-repudiation, the sender needs to double-encrypt the message with the private key of the sender and the public key of the receiver.
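The following added example (my code, not the author's, using only Go's crypto/rsa) shows the two properties with two key pairs: confidentiality by RSA-OAEP encryption to the receiver's public key, and non-repudiation by an RSA-PSS signature made with the sender's private key, which is the practical form of what the post calls encrypting with the sender's private key. Seal and Open combine both; Exchange checks that the receiver gets the message, that someone else's private key cannot open it, and that a message signed by another key is not accepted as the sender's. The names, the 2048-bit test keys and the sample message are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope carries both properties the post describes for asymmetric encryption.
type Envelope struct {
	Ciphertext []byte // RSA-OAEP under the receiver's public key: confidentiality
	Signature  []byte // RSA-PSS under the sender's private key: non-repudiation
}

// Seal signs with the sender's private key, then encrypts to the receiver's
// public key. The signature is the practical form of "encrypting with the
// sender's private key": only that key could have produced it.
func Seal(sender *rsa.PrivateKey, receiver *rsa.PublicKey, msg []byte) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	// OAEP only wraps short messages (190 bytes for a 2048-bit key with SHA-256);
	// larger data is encrypted with a symmetric cipher and only that key is wrapped.
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiver, msg, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Ciphertext: ct, Signature: sig}, nil
}

// Open decrypts with the receiver's private key and accepts the message only
// if the signature verifies under the claimed sender's public key.
func Open(receiver *rsa.PrivateKey, sender *rsa.PublicKey, env *Envelope) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiver, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("decryption failed: not the intended receiver")
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, errors.New("signature invalid: the claimed sender did not sign this")
	}
	return msg, nil
}

// ExchangeResult summarises the three checks run by Exchange.
type ExchangeResult struct {
	Delivered     bool // Bob reads the message Alice sent him
	WrongReceiver bool // Alice's own private key cannot open a message meant for Bob
	ForgedSender  bool // a message Bob signed himself is not accepted as Alice's
}

// Exchange runs the scenario with fresh 2048-bit keys, the post's minimum
// (it prefers 3072-bit for sensitive data; that only costs key-generation time).
func Exchange() (ExchangeResult, error) {
	var res ExchangeResult
	alice, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return res, err
	}
	bob, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return res, err
	}
	msg := []byte("transfer 100 EUR to account 42") // constructed sample message

	env, err := Seal(alice, &bob.PublicKey, msg)
	if err != nil {
		return res, err
	}
	got, err := Open(bob, &alice.PublicKey, env)
	res.Delivered = err == nil && bytes.Equal(got, msg)

	_, err = Open(alice, &alice.PublicKey, env) // Alice is not the receiver
	res.WrongReceiver = err != nil

	forged, err := Seal(bob, &bob.PublicKey, msg) // Bob signs it himself ...
	if err != nil {
		return res, err
	}
	_, err = Open(bob, &alice.PublicKey, forged) // ... and claims it came from Alice
	res.ForgedSender = err != nil
	return res, nil
}

func main() {
	res, err := Exchange()
	fmt.Printf("%+v (err: %v)\n", res, err)
}
```

All three fields should come back true. Note that Open checks the signature over the plaintext after decryption, so a message that decrypts but carries no valid signature from the claimed sender is refused: that refusal is exactly the non-repudiation the post talks about, because a valid signature can only have come from the holder of the sender's private key.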

Key Agreement

Asymmetric encryption uses a key agreement protocol to exchange the public keys between the sender and receiver of a message. There are a variety of key agreement protocols.
The most generally used protocol is the Diffie-Hellman Key Exchange protocol.

Algorithms

According to current standards (dated April 4th, 2016) the situation is as follows.
  • Deemed insecure*:
    • ECC, ElGamal, RSA (1024-bit)
  • Deemed secure, but uncommon:
    • RSA (3072-bit)
  • Deemed secure and common:
    • RSA (2048-bit)
RSA can have a variety of key lengths.
  • 1024-bit (equivalent to 80-bit symmetric keys)
  • 2048-bit (equivalent to 128-bit symmetric keys)
  • 3072-bit (equivalent to 256-bit symmetric keys)
In any case, I would advise going for at least the 2048-bit variant of RSA. RSA with a 1024-bit key should be prohibited, and with sensitive data the key should be 3072-bit.

The Security Policy should be...

  • Symmetric Encryption
    • Stream-ciphers
      • None (due to patenting).
    • Block-ciphers
      • AES: at least 192-bit key-size, but preferably 256-bit
      • TwoFish: at least 192-bit key-size, but preferably 256-bit
  • Asymmetric Encryption
    • Key Agreement: Diffie-Hellman
    • Algorithm: RSA, at least 2048-bit key-size, but preferably 3072-bit.

End-word

It has become quite a post, although in the end the policy is relatively small. In the next post I will talk about some implementation guidelines for encryption. In the last post I will give a proper summary of everything discussed in all posts, in a readable form.

What is your point-of-view on this topic? Do you see any errors or do you have any questions? Please do comment and let's learn from each other!

*) Insecure can mean totally insecure, or 'only' insecure when certain conditions are met. It can also be just a theoretical insecurity rather than a practical one. The main message here: if you want or need to use such an algorithm, proceed with extra caution and testing.

--
This post has the tag: update, meaning it will be updated when new information becomes available and/or relevant.

Thursday, June 18, 2015

Why do I use .eu as TLD for my blog?

Thinking about which Top-Level Domain (TLD) you use for your blog, personal or company website is very important. On one side you have the obvious reasons, like the market you want to reach and the language you will use on your site. If you are aiming for your own country, you will probably settle for TLDs like .us, .nl, .uk, .de, et cetera. But if you target internationally (or multiple countries) you might also consider TLDs like .com, .net and .org.

Then there is also the fact that you might want to secure future TLDs by claiming them, just in case you want to expand to other countries or go international altogether. In essence, the perspective here is mostly that of the business and its current and future plans.

But did you consider the possibility of domains being seized by governments? Because this might seriously disrupt your business.

Top Level Domains and U.S. control

Wikipedia has an extensive list of Top-Level Domains, and for obvious reasons I am not going to repeat them here (Wikipedia does a way better job there). But let's take a look at the following list of the best-known TLDs.
  • .com
  • .org
  • .net
  • .int
  • .edu
  • .gov
  • .mil
The TLD .int is reserved for situations like international treaties, and the TLDs .edu, .gov and .mil are explicitly reserved for U.S. organisations (like the military, governments and universities). The remaining TLDs .com, .org and .net are for commercial and organisational use and are also available to the rest of the world.

But all these TLDs are under the control and jurisdiction of the United States, and therefore the U.S. has the power to seize any domain name associated with them at once, sometimes without a court order and without any damages being compensated to the 'owner'.

So, if your hosting is for instance in Germany and you have a .com TLD, your site can be taken down by the U.S. for (probably, in your opinion) no good reason. Your website would still be available under its IP address or one of your other domain names, but the specific domain would be offline (likely forever).

There is an extensive article on Wired.com (Uncle Sam: If It Ends in .Com, It's Seizable) which describes this ability of the U.S. in more detail with examples.

The fact that a .com, .org or .net address can be seized by a government other than my own is one reason I did not choose one of those three. The same applies to TLDs of other countries: Germany has control over .de, Belgium over .be, et cetera. Dutch law does not apply there either. This is the way it is designed.

But why not the TLD .nl?

You might now question why I did not choose .nl (from The Netherlands, the country where I live). The very reason for this is the fact that my potential reach of visitors would be limited mostly to The Netherlands. I could ignore this fact and just put out English blogs on it. But ask yourself, how often do you visit a .nl domain? Or a .de? Or a .us? I hardly visit the last two, for instance, for (probably) no specific good reason other than the market the website is serving.

So, I cannot choose one of the three public TLDs and I cannot choose TLDs related to specific countries if I do not want other countries seizing my domain name. I also cannot choose my own country's TLD, because I don't want to bind myself to a specific country and 'exclude' the rest of the world.

And this is where .eu comes in...

The TLD .eu is one of the few that is not bound to a country but to a supranational organisation (.nato is for instance the other one; teusink.nato probably would not happen -- frowny face here). It is international, it is under control of a government in which my government is represented, and EU law applies here. Whereas my own country's TLD is focused on domestic websites, .eu tends to be focused on entities in the EU, but also internationally.

And it cannot be seized by any other government, without taking the appropriate legal steps in the EU.

But what about hosting?

I have chosen a Dutch hosting provider on purpose (it could be any EU hosting provider b.t.w., but why not support my own economy?). So my hosting and DNS are Dutch and therefore fall under Dutch law and procedures.

But what about Blogger?

And here is the one disadvantage of all this, considering my blog. I use many Google products (I did read Google's privacy and security policies, by the way), and Blogger is one of them. I know it is an American service and that it is most likely hosted outside the EU. I know I do not have any legal protection from my government here.

It would be a sad day if this blog were taken down by the U.S. (or Google, it is a free service after all). But that is not as harsh for me as losing my domain name, to which I tie my identity more than to a blog hosting provider.

I could build my own blogging solution of course, but I lack the time to keep patching it, and at the present moment I am not confident enough to outsource such an (i.m.o. delicate) job to a company inside the EU. Wordpress, for instance, also has a cloud option so they do the heavy lifting of maintenance, but it would also be a non-EU based company, and then Blogger does the job just fine for now.

Was this thought process really worth it?

In regard to my own blog, likely not (although I really, really wanted a .eu for the reasons of an internationally oriented domain name that is under control of the EU or my own country). It was a nice thought exercise about this topic though. I believe I can now better help businesses with questions such as these.

Have you ever thought of this? Would you make a different choice now, or are you happy the way things are now? There is no right or wrong here, there are choices and consequences. Nothing more.

Thank you for your time to read this and feel free to drop a comment! I would appreciate it and I certainly will respond to it.