Friday, October 23, 2015

Dumb, dumber, and cybersecurity

The reason you got hacked is because you listen to dumbasses about cybersecurity, like Microsoft.

An illustrative example is this article on "10 steps to protect" yourself. The vast majority of cyber threats to a small business are phishing, password reuse, and OWASP threats like SQL injection. That article addressed none of these threats.

But it gets better.

At the bottom of that article is a link to this "Cyber Security IQ" quiz at Microsoft's small-business website. The first question asks about password sharing. I show their "right" answer here:

Their correct answer is "None of the above", meaning that it's not okay to share your passwords with anybody. But this is nonsense. For your work account, of course it's okay to share your password with your boss. In fact, it's often necessary.

There have been several court cases where an IT administrator was fired, and the company later found that the fired employee was the only one with the passwords to certain critical systems. The (former) administrators were prosecuted for refusing to give their former bosses the passwords.

If your boss demands your password to your corporate accounts, of course you must give them your password.

But it gets better. Way better.

While answering the second question, this happened.
Whenever you visit this website, on pretty much any page as far as I can tell, you are going to get this popup asking to chat after a few minutes. At first I thought it was tied to this question (which would be clever), but it isn't -- it's a site-wide thing, unrelated to this quiz.

The correct answer to the underlying quiz question is "Press Alt + F4", which closes the browser window. That's because unwanted popups will often position the [x] carefully in order to exploit "clickjacking" in your web browser. You should never click anywhere on a popup.

But of course, if you did hit Alt-F4 to close the window, you could never complete this "Cyber Security IQ" quiz, because you'd always get this popup.

Here's my point. The "10 steps" article and the "IQ" quiz are why we can't solve cybersecurity. They are created by marketing people with plausible sounding advice, like "make sure you have a firewall". The reason you get hacked is because you listen to this plausible advice, while ignoring the real problems you have. Phishing, password re-use, and SQL injection have been the most popular hacks for 15 years because everyone does cybersecurity the Microsoft way shown above, instead of actually paying attention to the problem. Among your cybersecurity plans you should have three documents entitled "How we stop phishing", "How we stop password re-use", and "How we stop OWASP Top 10". If you don't, you suck.

It could be that this popup is an obscenely clever trick to measure your real IQ. But I tested it. No matter which webpage you go to on the site, after a few minutes this popup appears.


Indicator Veritatis said...

Rare that I side with MSFT, but I have to agree on not sharing passwords. If the boss wants access that is what superuser is for. If the system does not support this, then that is the real problem. But among other problems, sharing passwords blurs accountability.

Unknown said...

I understand that something like "sealed envelope" (paper or digital) - could be a great next startup.