Several weeks ago on the April 4th NewsCast, the DtSR crew talked about this survey from the Pew Research Center that “finds Americans lack understanding of cybersecurity measures.” While I don’t remember exactly what takes were made on the podcast, I know it didn’t cover a big point: this survey was pretty poorly written.
The survey consisted of 10 questions, and there was a lot to nit-pick.
What does the “https://” at the beginning of a URL denote, as opposed to “http://” (without the “s”)?
They give three obviously wrong answers, the “right” answer, “None of the above”, and “Not sure”. The “right” answer is “That information entered into the site is encrypted”. But that’s not what https means. The scheme at the start of the URL tells you that the page you are looking at was fetched over TLS: the data you have received so far was encrypted in transit (and the server was authenticated by its certificate). It doesn’t guarantee that information you submit next will be. A form on an https page can still have an action pointing at an http URL (though yes, all modern browsers will warn you if you are entering data into a form that submits over plain http from a page fetched over https).
How bad: Technically inaccurate
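To make the point concrete, here is an added example (my own, not part of the survey or the original post): the address bar only vouches for the page you received, so the question is where each form’s `action` sends what you type. The page URL, the form actions and the hostnames below are constructed sample data, and the `scanCurrentPage` helper is a hypothetical wrapper for running the same check from a browser’s devtools console.

```javascript
// Added example (not from the original post): does a form on an HTTPS page
// actually submit over HTTPS? The address bar only vouches for the page
// you received; each form's "action" decides where what you type goes.
// The page URL, form actions and hostnames below are constructed sample data.

// Resolve every form action against the page URL and report the ones that
// would leave the browser over plaintext HTTP.
function insecureFormTargets(pageUrl, formActions) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const action of formActions) {
    // An empty or missing action submits back to the page's own URL,
    // which inherits the page's scheme; "//host/path" inherits it too.
    const target = new URL(action || "", page);
    if (page.protocol === "https:" && target.protocol !== "https:") {
      findings.push({ action, resolvedTo: target.href });
    }
  }
  return findings;
}

// Hypothetical convenience wrapper for a browser devtools console. In Node
// there is no `document`, so it simply returns an empty list.
function scanCurrentPage() {
  if (typeof document === "undefined") return [];
  const actions = Array.from(document.forms, (f) => f.getAttribute("action") || "");
  return insecureFormTargets(location.href, actions);
}

// Constructed sample: a login page served over HTTPS whose forms post to
// four different places. Only the third one downgrades to plaintext.
const SAMPLE_PAGE = "https://bank.example/login";
const SAMPLE_ACTIONS = [
  "",                               // posts back to /login over https
  "/session",                       // same origin, same scheme
  "http://tracker.example/collect", // downgrades to plaintext http
  "//cdn.example/form",             // scheme-relative: stays https here
];

console.log(insecureFormTargets(SAMPLE_PAGE, SAMPLE_ACTIONS));
// → [ { action: 'http://tracker.example/collect', resolvedTo: 'http://tracker.example/collect' } ]
```

The resolution step matters: relative and scheme-relative actions inherit the page’s https, so only an explicit `http://` target is a downgrade, which is exactly the case the “s” in the address bar says nothing about.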
Which of the following four passwords is the most secure?
Given four choices and the word “most”, the answer is clear. While “WTh!5Z” is more secure than “Boat123”, “into*48”, and “123456”, it’s still a really bad password. Six characters is not acceptable in any scenario today: even drawn from all 95 printable ASCII characters, a six-character password has only about 7×10^11 possibilities, which an offline cracking rig exhausts in minutes.
How bad: Technically ok, but misleading if people conclude that’s a good password
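The arithmetic behind that, as an added example of my own rather than anything from the survey: size the search space of each of the four candidates and see how long a brute-force guesser needs to exhaust it. The character-class sizes, the 10^10 guesses-per-second rate and the tiny wordlist are assumptions for illustration, and it goes one step past the survey by flagging the candidates that contain a dictionary word, which fall far sooner than their raw search space suggests.

```javascript
// Added example (not from the original post): how big is the search space
// behind each of the survey's four candidate passwords, and how long would
// a brute-force guesser need to exhaust it? The character-class sizes, the
// guess rate and the mini wordlist are assumptions for illustration.

const CLASSES = [
  { re: /[a-z]/, size: 26 },
  { re: /[A-Z]/, size: 26 },
  { re: /[0-9]/, size: 10 },
  { re: /[^a-zA-Z0-9]/, size: 33 }, // printable ASCII punctuation and space
];

// Alphabet an attacker must assume once they know which character classes
// the password uses (26+26+10+33 = 95 printable ASCII characters).
function alphabetSize(password) {
  return CLASSES.filter((c) => c.re.test(password))
                .reduce((sum, c) => sum + c.size, 0);
}

function searchSpaceBits(password) {
  return password.length * Math.log2(alphabetSize(password));
}

// Worst-case seconds to try every string of that length over that alphabet.
function secondsToExhaust(password, guessesPerSecond) {
  return Math.pow(alphabetSize(password), password.length) / guessesPerSecond;
}

// Brute force is the attacker's pessimistic model: anything built from a
// dictionary word plus a few characters falls far sooner to a wordlist with
// mangling rules. Constructed mini wordlist, matched case-insensitively.
const WORDLIST = ["boat", "into", "password"];
function containsDictionaryWord(password, words) {
  const lower = password.toLowerCase();
  return words.some((w) => lower.includes(w));
}

const CANDIDATES = ["Boat123", "WTh!5Z", "into*48", "123456"];
const GUESS_RATE = 1e10; // assumed: one GPU against a fast unsalted hash

for (const pw of CANDIDATES) {
  console.log(
    pw.padEnd(8),
    `alphabet=${alphabetSize(pw)}`,
    `bits=${searchSpaceBits(pw).toFixed(1)}`,
    `exhaust=${secondsToExhaust(pw, GUESS_RATE).toFixed(1)}s`,
    containsDictionaryWord(pw, WORDLIST) ? "(contains a dictionary word: far weaker in practice)" : ""
  );
}
```

Under these assumptions the survey’s “most secure” answer, “WTh!5Z”, spans all four classes but is only about 39 bits, and the full space is exhausted in roughly 73 seconds. “Boat123” and “into*48” score slightly higher on raw search space, but each wraps a dictionary word, so a rule-based wordlist attack finds them long before brute force would.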
What kind of cybersecurity risks can be minimized by using a Virtual Private Network (VPN)?
Two options are easily ruled out, but both “Use of insecure Wi-Fi networks” and “De-anonymization by network operators” are tempting. A VPN properly configured to send all traffic (including DNS) through the tunnel will eliminate most of the threats to someone using public wifi. However, attacks at layer two, on the local network itself, are still in play. On the other hand, who are “network operators”? If they mean the owner of the wifi network, or even your ISP, the answer is clearly correct: they see only an encrypted tunnel. If they mean anyone on the far side of the VPN, or the VPN operator itself, then of course not; the VPN provider sees exactly what the wifi operator would have.
How bad: Two partially correct answers, neither completely correct.
If a public Wi-Fi network (such as in an airport or café) requires a password to access, is it generally safe to use that network for sensitive activities such as online banking?
The answer they are looking for is “no, it is not safe”. But there’s a lot more nuance than that. I guess it’s ok to scare people into being more careful on public wifi, and it is more risky, i.e. less safe. But talking about things as “safe” or “not safe” is something security-oriented people need to stop doing. No one is ever safe. It’s all about reducing risk and reducing opportunity against the threats that are present.
Most things people would do on a public wifi network are safe enough. Browsing to HTTPS-protected sites (and checking for the green lock in the URL bar) comes to mind. And while there are risks with something like SMTP, to just say it’s not safe is oversimplifying, and making people’s lives unnecessarily difficult.
How bad: Vast oversimplification
Which of the following is an example of a “phishing” attack?
The survey’s definition: “Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter personal information at a fake website, the look and feel of which are almost identical to the legitimate one.”
By their own definition, phishing is the lure carried by email or text, and the lure directs people to fake websites. So a fake website on its own is not the phishing.
How bad: Wording is sloppy
A group of computers that is networked together and used by hackers to steal information is called a …
Choices are Botnet, Rootkit, DDoS, Operating System. Obviously the answer is botnet. But stealing information is not what defines a botnet. Their classic uses are DDoS attacks and spam relaying. While they are certainly capable of stealing information, to cite that as their primary role is sloppy.
How bad: Wording is sloppy
The part of the survey that I was most heartened by was their correctly identifying site key images, CAPTCHAs, and security questions as not being two-factor authentication. None of them adds an independent second factor: a security question is just another “something you know”, and a site key image or CAPTCHA is supplied by the site rather than proving anything about the user.
There’s a lot we could learn from studies like these. It’s interesting to look at the results. But we don’t learn as much as we could when the questions are written by someone who clearly doesn’t possess a depth of experience in cybersecurity.