2024-11-01

No style

 

Image from Pixabay

If you put a sticker that says SECURE on something, does that make it secure? It depends. If that sticker is stuck on after the security has been checked, and if it’s clear that the sticker is only granted after the check, then you can indeed assume that the stickered thing is secure - at least, if the sticker shows that it is authentic. In all other cases, that sticker makes no sense at all, of course. In fact, it promotes a false sense of security.

Recently I spoke to a colleague who manages a great web application. When creating that program, they forgot one thing: the house style or, if you wish, the corporate identity. And the people who watch over the house style didn't think that was a good idea. Because, they argued, users would think that it was a fake website, where scary things could happen. Put our corporate logo on it, they said, that will prove that the site is secure.

Nonsense. If cybercriminals have become good at anything in recent years, it is the faithful reconstruction of websites. They look at what the real website looks like and copy the entire house style: logos, photos, font, writing style, and yes, even the beware-of-cybercriminals notice, which is on many sites these days. So you can't tell security from the appearance.

But, the administrator said, users of my application can see in the browser’s URL bar that the displayed web page is in our domain. But that doesn't work either. Because for the average user that is simply a bridge too far. Or have you never seen someone type 'wikipedia.org' in the search bar of Google and then go to that website via the search results? Instead of typing 'wikipedia.org' (the URL) immediately in the URL bar (at the very top of the browser), so that you immediately end up in the right place? Many users have a blind spot for the URL (or address) bar, let alone that they go and see what is there and that they could also determine whether they have ended up on a bona fide site.

Aside: the method outlined here introduces an additional problem. Cybercriminals are very successful in having their fake sites appear high in the search results. This means that you may end up on a fake site via your search engine. Tip: if you know the URL, type it into the URL bar, not into Google (or another search engine). If you visit a site often, bookmark it so that you don't have to type. Bookmarks also prevent you from ending up on a fake site due to a typo ('wikipidia.org'). Criminals like to build websites with URLs that are very similar to those of the real websites. And then they hope that you make a typo and end up on their site. This is called typosquatting.

Despite all this, I have pleaded with the administrator to apply the house style. Am I then in favor of a false sense of security? Not at all. But I want to prevent a flood of unjustified reports from users who think they are on a fake site – the colleagues at the IT service desk are busy enough as it is, so if I can spare them a number of false positives , I am happy to do so. In addition, we train users to recognize dangers. I call them red flags. The more red flags, the more likely that something is wrong. For example, for phishing, I can easily list a number of red flags: an impersonal salutation ("Dear customer"), a different sender address (amazon.ru instead of amazon.com) or a link to a different domain (amazon.com.customer.com). Tip: you should read URLs from right to left; so only if amazon.com is on the far right, you are visiting the domain of that webshop. By the way, something may be added behind that, starting with a '/': amazon.com/customerservice takes you to a page in the domain amazon.com. But amazon.com.customer.com is not an amazon.com page.

Of course I went to look at the page of that internal web application. And what do I see? In a corner, our corporate identity logo is displayed! They have made concessions, hoping that everyone is happy now. And they are going one step further: the application will be connected to single sign-on, so visitors no longer have to log in manually. A smart move, because if you think that you might be on a fake site and it asks for your credentials, it increases the feeling of insecurity.

 

And in the big bad world…

 

No style

  Image from Pixabay If you put a sticker that says SECURE on something, does that make it secure? It depends. If that sticker is stuck on ...