The "Irrational" Human?: Part 2
Published 25 July 2019 on the donavan.sg blog: https://donavan.sg/blog/index.php/2019/07/25/the-irrational-human-part-2/
Categories: cybersecurity, digital world, end-user security, opinion, thoughts

"Minimum 8 characters, minimum 1 upper case, 1 lower case, 1 number and 1 special character."

Sounds familiar? Yes, this is a fairly common password policy. Users found the shortest password that could meet these requirements, "P@ssw0rd", and used it so widely that the inquiry report into one of the biggest data breaches in Singapore (https://www.mci.gov.sg/~/media/mcicorp/doc/report%20of%20the%20coi%20into%20the%20cyber%20attack%20on%20singhealth%2010%20jan%202019.pdf?la=en) documented how the use of this password aided the adversaries!

Cybersecurity teams do not receive much love, because of the perception that they create inconvenience for users, for instance by implementing Internet separation (https://tech.economictimes.indiatimes.com/news/corporate/what-india-can-learn-from-the-japan-internet-separation-mandate/63407589).

Consequently, users perceive that cybersecurity teams hinder their work and productivity (https://www.information-age.com/end-users-frustration-security-disrupting-productivity-123469255/). This arises because cybersecurity controls often require users to do more: use a VPN to connect to the company Intranet, complete two-factor authentication, and refresh passwords under a password expiry policy.

Just as in the physical world, security brings some inconvenience. For instance, we can compare the authentication gateway we set up for our web application to needing keys to open a safe. However, complicating the user experience and interface is counterproductive; humans often wind up circumventing, bypassing or ignoring well-meaning cybersecurity advice.

Security professionals need to understand the behavioural aspect of security. Security is not only about technological advancement; it is also about implementation with minimum pain. However, UI/UX expectations differ across user bases: what is acceptable to one user base in one context (e.g. using Singpass to access one's CPF account is reasonable because CPF accounts are tied to our identity) is not acceptable in another (e.g. using Singpass to access Pizza Hut's page sounds borderline nonsensical). Overly hindering the user experience may also result in users simply avoiding your application, directly impacting the bottom line.

From an end-user perspective, we may not have high enough assurance of the security posture of an IT solution.

The End-User Lens

End-users have plenty of technology at their fingertips; securing everything reliably is difficult. However, there are some easy objectives that we can fulfil, and we shall discuss two of them today.

Secure Browsing

The most common application people open on their desktops and laptops today is the browser, for both corporate and personal functions. Browsers are used to access web applications. It is no surprise that web application attacks now rank as one of the most common types of attack. Such attacks are so pervasive that there is a significant community-led effort (https://www.owasp.org/index.php/Main_Page) dedicated to understanding and mitigating them.

From an end-user perspective, we might be concerned with some of the following security-related problems:

1. Are our communications secure?
2. How do we deal with malicious pages or content we may unwittingly visit?

The first question is best answered from the conditions for secure communications, two of which are confidentiality and integrity. Confidentiality refers to whether messages in transit can be read by an unintended third party, while integrity refers to whether messages sent by a sender are received by the receiver as they are (i.e. not tampered with). A class of attack called the "man-in-the-middle" (MitM) can compromise both confidentiality and integrity through different means. MitM attacks can be implemented through methods ranging from setting up a rogue wireless hotspot for unwitting victims, to redirecting users from an encrypted page to a spoofed page resembling the actual page, breaking encrypted communications.

One way of making sure we do not fall victim to an "encryption stripping" attack is to enforce encryption. In the case of web traffic, this means enforcing the use of the secure version of HTTP, HTTPS. One add-on that is simple yet powerful is HTTPS Everywhere (https://www.eff.org/https-everywhere). Many websites today allow HTTPS communications; we should use them wherever possible. The add-on also alerts you to attacks such as protocol downgrade attacks; these should be a warning light that there could be a malicious redirect!

The second question can be rather tricky, because malicious content comes in many forms: ads that redirect the user to a page full of malicious content, trackers that may compromise your privacy, or an attacker's successful bid at executing a cross-site scripting (XSS) attack. Merely using an ad-blocker today may not be sufficient against other threats such as crypto-mining. Thankfully, there are many browser add-ons today that deal with such threats. These include NoScript (https://noscript.net/), uMatrix (https://github.com/gorhill/uMatrix) and, for the less technically savvy, uBlock (https://github.com/gorhill/uBlock) and Ghostery (https://www.ghostery.com/). Read up on them and install one that you fancy to start stripping away unwanted, unsolicited traffic.

Awareness of Common Attacks

Cyber literacy is extremely important today. Let us play the role of a mischievous mind to understand the mischief attackers try to pull off against unsuspecting users. In other words, let us simulate a would-be attacker.

Many cyber attacks still rely on good old-school methods that trick a user into doing something he or she should not have done. Let us illustrate how someone can be tricked into becoming a victim of a cyber attack.

Let us simulate the profile of a user, X, who works a typical 9 to 5 job and enjoys travel. X has a public Instagram profile and enjoys "being in the moment". Because of such tendencies, X is likely to want to show a beautiful Instagram profile to X's followers. Let us briefly describe one way of attacking X, before analysing how X could stop such an attack.

An attacker could make use of X's habit of "beautifying" Instagram profiles to recommend a seemingly useful application to help with X's vain efforts. X notices an advertisement delivered to X, sees the application, and is redirected to the Google Play Store. Seeing the good Google Play Store reviews, X downloads the application, which prompts for Instagram credentials; X happily supplies them, and it will be InstaGrief when X finds out what happens (https://blog.malwarebytes.com/cybercrime/2019/04/instagram-password-stealing-apps-found-on-google-play/).

There are also other nefarious applications which may request all sorts of permissions, such as access to your photo and video gallery, your microphone, and more. All of these should logically ring alarm bells, but in the heat of the moment, users may make mistakes that have lasting consequences (such as an extra illegitimate application on their phone).

This begs the question of how such a simple-sounding attack can be stopped, besides praying that Google detects and removes all such malicious applications.

First, reviews are not enough; look only for trusted applications by the manufacturers themselves. This usually means farewell to the multitude of third-party applications, many of which we cannot verify for the "extra services" they provide.

Next, anything that blatantly asks for far more than one really needs should be looked at with a discerning eye. Does one really need Instagram access to beautify pictures? An application that beautifies pictures on the phone itself would satisfy the exact same use case without needing Instagram access. One could simply Photoshop/beautify the picture using such an application and then manually upload it to Instagram. It is still a job well done, and your followers may still spark joy at your pretty pictures.

Lastly, another aspect to look at is permissions. Asking for far more permissions than required is indicative of a careless developer. Reviewing the permissions an application requires is a good way of checking for suspicious applications that might creep onto your system. Think again: does that survey application you used need access to your life (https://www.nytimes.com/2015/11/25/us/pop-facebook-quiz-should-you-take-it.html)?

Next: what is doctrine, the good, bad and ugly of what we call "compliance", and more.