If you put a sticker that says SECURE on something, does that make it secure? It depends. If the sticker is applied only after the security has actually been checked, and if it is clear to everyone that the sticker is granted only after that check, then you can indeed assume that the stickered thing is secure, at least if you can verify that the sticker itself is authentic. In all other cases the sticker is meaningless; worse, it promotes a false sense of security.
Recently I spoke to a colleague who manages a large web application. When building it, the developers forgot one thing: the house style or, if you prefer, the corporate identity. The people who watch over the house style didn't like that at all. Users, they argued, would think it was a fake website where scary things could happen. Put our corporate logo on it, they said; that will prove that the site is secure.
Nonsense. If cybercriminals have become good at anything in recent years, it is faithfully reconstructing websites. They look at what the real website looks like and copy the entire house style: logos, photos, fonts, writing style and yes, even the beware-of-cybercriminals notice that appears on many sites these days. So you cannot tell security from appearance.
But, the administrator said, users of my application can see in the browser's URL bar that the displayed page is in our domain. That doesn't work either, because for the average user that is simply a bridge too far. Have you never seen someone type 'wikipedia.org' into Google's search box and then navigate to the site via the search results, instead of typing 'wikipedia.org' (the URL) directly into the URL bar at the very top of the browser and landing in the right place immediately? Many users have a blind spot for the URL (or address) bar, let alone that they look at what it contains and could use it to determine whether they have ended up on a bona fide site.
Aside: the detour via the search engine introduces an additional problem. Cybercriminals are very successful at getting their fake sites to appear high in the search results, which means you may end up on a fake site via your search engine. Tip: if you know the URL, type it into the URL bar, not into Google (or another search engine). If you visit a site often, bookmark it so that you don't have to type it at all. Bookmarks also prevent you from ending up on a fake site because of a typo ('wikipidia.org'). Criminals like to register domain names that differ only slightly from those of real websites, and then they hope that you make a typo and end up on their site. This is called typosquatting.
Despite all this, I urged the administrator to apply the house style. Am I then in favor of a false sense of security? Not at all. But I want to prevent a flood of unjustified reports from users who think they are on a fake site; the colleagues at the IT service desk are busy enough as it is, so if I can spare them a number of false positives, I am happy to do so. In addition, we train users to recognize danger signals, which I call red flags. The more red flags, the more likely that something is wrong. For phishing, for example, I can easily list a few: an impersonal salutation ("Dear customer"), a sender address in a different domain (amazon.ru instead of amazon.com), or a link to a different domain (amazon.com.customer.com). Tip: read the host name in a URL from right to left; only if amazon.com is at the far right of the host name are you visiting that webshop's domain. Something may follow the host name, starting with a '/': amazon.com/customerservice takes you to a page within the domain amazon.com. But amazon.com.customer.com is not an amazon.com page; read from the right, its domain is customer.com.
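The right-to-left reading rule above and the typosquatting warning in the aside can both be turned into a mechanical check. The Python below is an added example and not code from the original post: the list of known domains and the edit-distance threshold of 2 are assumptions, and the case of a user name in front of the host (amazon.com@customer.com) is an edge case the post does not mention but that the same rule handles, because the browser treats everything before the '@' as a user name and customer.com as the host.

```python
from urllib.parse import urlsplit

# Assumed list of domains the organisation trusts (constructed for this example).
KNOWN_DOMAINS = ["amazon.com", "wikipedia.org"]


def host_of(url: str) -> str:
    """Return the lowercase host name of a URL, the part a user must read right to left."""
    if "://" not in url:
        url = "https://" + url  # a bare 'amazon.com/customerservice' has no scheme
    host = urlsplit(url).hostname  # drops scheme, 'user@', ':port' and '/path', lowercases
    if not host:
        raise ValueError(f"no host name in {url!r}")
    return host.rstrip(".")  # 'amazon.com.' with a trailing dot names the same host


def belongs_to(url: str, expected_domain: str) -> bool:
    """Right-to-left rule: the host must be expected_domain or end in '.' + expected_domain.
    'amazon.com.customer.com' ends in 'customer.com', so it does NOT belong to amazon.com;
    'notamazon.com' does not belong either, because the '.' boundary is required."""
    host = host_of(url)
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def registrable(host: str) -> str:
    """Approximation of the registered domain: the last two labels of the host.
    A production tool consults the Public Suffix List instead, so that
    'shop.example.co.uk' yields 'example.co.uk'."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(url: str, known_domains=KNOWN_DOMAINS, max_distance: int = 2) -> str:
    """'trusted' if the host belongs to a known domain; 'lookalike:<domain>' if its
    registered domain is within max_distance edits of a known domain (typosquatting);
    otherwise 'foreign'."""
    if any(belongs_to(url, d) for d in known_domains):
        return "trusted"
    candidate = registrable(host_of(url))
    for d in known_domains:
        if edit_distance(candidate, d.lower()) <= max_distance:
            return f"lookalike:{d}"
    return "foreign"


if __name__ == "__main__":
    for u in ["https://amazon.com/customerservice",
              "https://amazon.com.customer.com/login",
              "https://amazon.com@customer.com/",
              "wikipidia.org",
              "https://www.amazom.com/"]:
        print(f"{u:45} -> {classify(u)}")
```

This is a reading aid for the red-flag rule, not a phishing filter: a criminal can register any name that passes the distance check, and a legitimate organisation may send mail from domains that are not on the known list. It does illustrate why "amazon.com somewhere in the address" is the wrong mental model and "amazon.com at the right end of the host name" is the right one.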
Of course I went to look at the page of that internal web application. And what do I see? In a corner, our corporate logo is displayed. They compromised, hoping that everyone is happy now. And they are going one step further: the application will be connected to single sign-on, so visitors no longer have to log in manually. A smart move, because if you suspect that you might be on a fake site and it then asks for your credentials, that only increases the feeling of insecurity; a page that never asks for a password also gives users one less place to type it into a lookalike.
And in the big bad world…
- This security company fought a years-long battle against Chinese state hackers.
- The Strava accounts of bodyguards reveal where world leaders hang out.
- This article speaks of a quantum hype.
- An international police coalition has taken down an infostealer operation.
- Dismissed employees should no longer be able to log in. [DUTCH]
- Ransomware is only getting worse.