The “Irrational” Human?: Part 2

“Minimum 8 characters, minimum 1 upper case, 1 lower case, 1 number and 1 special character.”

Sounds familiar? Yes, this is a fairly common password policy. Users found the shortest password that could meet these requirements, “P@ssw0rd” and used it so widely that one of the biggest data breaches in Singapore documented how the use of this password aided their adversaries!
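The point above, as an added example that is not part of the original article: a checker implementing only the quoted composition rule accepts "P@ssw0rd", while one that also screens for variants of well-known passwords rejects it. The denylist is a small constructed sample and the function names are hypothetical.

```python
import re

# Constructed sample denylist; a real check would load a large list of
# passwords seen in breaches.
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "iloveyou"}

# Undo the usual character substitutions before the denylist lookup.
SUBSTITUTIONS = str.maketrans("@40315$7", "aaoeisst")

def meets_composition_policy(pw):
    """The rule quoted in the article: 8+ chars, upper, lower, digit, special."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= 8 and all(re.search(c, pw) for c in classes)

def normalise(pw):
    """Reduce a password to the base word a guessing tool would start from."""
    base = re.sub(r"[^a-z]+$", "", pw.lower())  # drop trailing digits/symbols
    return base.translate(SUBSTITUTIONS)

def check_password(pw):
    """Return (accepted, reason); composition alone is not sufficient."""
    if not meets_composition_policy(pw):
        return False, "fails composition policy"
    if normalise(pw) in COMMON_PASSWORDS:
        return False, "variant of a common password"
    return True, "ok"
```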

Cybersecurity teams do not receive much love, because they are perceived to create inconvenience for users, for example by implementing Internet separation.

Consequently, users perceive that cybersecurity teams hinder their work and productivity. This arises because cybersecurity controls often require users to do more things, such as using a VPN to connect to the company Intranet, using two-factor authentication and refreshing passwords as part of a password expiry policy.

Just as in the physical world, security brings about some inconvenience. For instance, we can compare the authentication gateway we set up for our web application to requiring keys to open a safe. However, complicating the user experience and interface is counterproductive; humans often wind up circumventing, bypassing or ignoring well-meaning cybersecurity advice.

Security professionals need to understand the behavioural aspect of security. Security is not only about technological advancement; it is also about implementation with minimum pain. However, UI/UX can differ across user bases: what is acceptable to one user base in one context (e.g. using Singpass to access one’s CPF account is reasonable because CPF accounts are tied to our identity) is not acceptable in another context (e.g. using Singpass to access Pizza Hut’s page sounds borderline nonsensical). Overly hindering the user experience may also result in users simply avoiding your application, directly impacting the bottom line.

From an end-user perspective, we may not have high enough assurance of the security posture of an IT solution.

The End-User Lens

End-users have plenty of technology at their fingertips; securing everything reliably is difficult. However, there are some easy objectives that we can fulfil, and we shall discuss two of them today.

Secure Browsing

The most common application people open on their desktops and laptops today is the browser, both for corporate functions and personal functions. Browsers are used to access web applications. It is no surprise that web application attacks now rank as one of the most common types of attacks. Such attacks are so pervasive that there is a significant community-led effort dedicated to understanding and mitigating web application attacks.

From an end-user perspective, we might be concerned with some of the following security-related problems:

  1. Are our communications secure?
  2. How do we deal with malicious pages or content we may unwittingly visit?

The first question is best answered by looking at the conditions for secure communications, two of which are confidentiality and integrity. Confidentiality refers to whether messages in transit can be read by an unintended third party, while integrity refers to whether messages sent by a sender are received by a receiver as they are (i.e. they are not tampered with). A class of attack called the “man-in-the-middle” (MitM) can compromise both confidentiality and integrity through different means. MitM attacks can be implemented through methods ranging from setting up a rogue wireless hotspot for unwitting victims to redirecting users from an encrypted page to a spoofed page resembling the actual page, breaking encrypted communications.

One way of making sure we do not fall victim to an “encryption” stripping attack is to enforce encryption. In the case of web traffic, we look at enforcing the use of the secure version of HTTP, called HTTPS. One browser add-on for this that is simple yet powerful is HTTPS Everywhere. Many websites today allow for HTTPS communications; we should use them wherever possible. The add-on also alerts you to attacks such as protocol downgrade attacks; these should trigger a warning light that there could be a malicious redirect!
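To make the downgrade signal concrete, here is an added example (not from the original article and not the add-on's own code) that rewrites cleartext URLs to HTTPS and audits an ordered redirect chain for hops that fall from HTTPS back to HTTP. The chains and host names are constructed, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

def enforce_https(url):
    """Rewrite an http:// URL to https://; other schemes are returned as-is."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return url
    netloc = parts.netloc
    if parts.port == 80:                      # an explicit :80 is wrong for HTTPS
        netloc = netloc.rsplit(":", 1)[0]
    return parts._replace(scheme="https", netloc=netloc).geturl()

def audit_redirect_chain(chain):
    """Return (hop_index, finding, url) tuples for an ordered list of URLs."""
    findings = []
    prev = None
    for i, url in enumerate(chain):
        cur = urlsplit(url)
        scheme = cur.scheme.lower()
        if prev is not None and prev.scheme.lower() == "https" and scheme == "http":
            # An encrypted session was handed to a cleartext page: the
            # protocol downgrade the article says should raise a warning.
            kind = "downgrade"
            if cur.hostname != prev.hostname:
                kind = "downgrade-to-other-host"
            findings.append((i, kind, url))
        elif scheme == "http":
            findings.append((i, "cleartext", url))
        prev = cur
    return findings

# Constructed sample chains (example hosts only).
NORMAL = ["http://bank.example.com/", "https://bank.example.com/",
          "https://bank.example.com/login"]
STRIPPED = ["https://bank.example.com/", "http://bank.example.com/login"]
SPOOFED = ["https://bank.example.com/", "http://bank-example.test/login"]

if __name__ == "__main__":
    for name, chain in (("normal", NORMAL), ("stripped", STRIPPED),
                        ("spoofed", SPOOFED)):
        print(name, audit_redirect_chain(chain))
```

A chain that starts in cleartext and upgrades is reported only as "cleartext" on its first hop; a hop from HTTPS to HTTP is always reported as a downgrade.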

The second question can be rather tricky, because malicious content comes in many different forms. These can be ads that redirect the user to a page full of malicious content, trackers that may compromise your privacy or an attacker’s successful bid at executing a cross-site scripting (XSS) attack. Merely using an ad-blocker today may not be sufficient for dealing with other threats such as crypto-mining. Thankfully, there are many browser add-ons today that deal with such threats. These include NoScript and uMatrix and, for the less technically savvy, uBlock and Ghostery. Read up more about them and install an add-on that you fancy to start stripping away unwanted, unsolicited traffic.

Awareness of Common Attacks

Cyber literacy is extremely important today. Let us play the role of a mischievous mind to understand the mischief attackers try to pull off against unsuspecting users. In other words, let us simulate a would-be attacker.

Many cyber attacks still rely on good old-school methods that trick a user into doing something he or she should not have done. Let us illustrate how someone can be tricked into becoming a victim of a cyber attack.

Let us simulate the profile of a user, X, who works a typical 9-to-5 job and enjoys travel. X has a public Instagram profile and enjoys “being in the moment”. Because of such tendencies, X is likely to want to show a beautiful Instagram profile to X’s followers. Let us briefly describe one way of attacking X, before analysing how such an attack could be stopped by X.

An attacker could make use of X’s habit of “beautifying” Instagram profiles to recommend X a seemingly useful application to help with X’s vain efforts. X notices an advertisement that was delivered to X, sees the application, and gets redirected to the Google Play Store. Looking at the good Google Play Store reviews, X downloads the application, which prompts X for Instagram credentials. X happily supplies them, and it will be InstaGrief when X finds out what happens.

There are also other nefarious applications which may request all sorts of permissions, such as access to your photo and video gallery, your microphone, and more. All of these should logically ring alarm bells, but in the heat of the moment, users may make mistakes that have lasting consequences (such as an extra illegitimate application on their phone).

This raises the question of how such a simple-sounding attack can be stopped, besides praying that Google detects and removes all such malicious applications.

First, reviews are not enough; look only for trusted applications by the manufacturers themselves. This usually means farewell to the multitude of third-party applications, for many of which we cannot verify what “extra services” they provide.

Next, anything that blatantly asks for far more than one really needs should be looked at with a discerning eye. Does one really need Instagram access to beautify pictures? An application that beautifies pictures on the phone itself would satisfy the exact same use case without the need for the application to have Instagram access. One could simply Photoshop/beautify their picture using such an application, and then manually upload it to Instagram. It is still a job well done, and your followers may still spark joy with your pretty pictures.

Lastly, another aspect to look at is permissions. It is indicative of a careless developer to ask for far more permissions than he or she requires. Reviewing the permissions any application requires is a good way of checking for suspicious applications that might creep onto your system. Think again: does that survey application you used need access to your life?
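The permission review described above can be done mechanically. This added example (not from the original article) reads the `uses-permission` entries from a decoded Android manifest and reports the ones that fall outside what the app's stated purpose needs. The manifest is constructed, and the expected set for an on-device photo editor is an assumption made for the illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption for this example: what an on-device photo editor plausibly needs.
EXPECTED_FOR_PHOTO_EDITOR = {
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.CAMERA",
}

# Permissions exposing personal data; worth a second look when unexpected.
SENSITIVE = {
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed manifest for a hypothetical "beautify" app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.beautify">
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in the manifest text."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}

def review_permissions(manifest_xml, expected):
    """Split requested permissions into what the use case explains and what it does not."""
    requested = requested_permissions(manifest_xml)
    extra = requested - expected
    return {
        "unexpected_sensitive": sorted(extra & SENSITIVE),
        "unexpected_other": sorted(extra - SENSITIVE),
        "expected_but_unused": sorted(expected - requested),
    }

if __name__ == "__main__":
    print(review_permissions(SAMPLE_MANIFEST, EXPECTED_FOR_PHOTO_EDITOR))
```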

Next: what is doctrine, the good, bad and ugly on what we call “compliance” and more.
