Bad Surveys About Cyber Security [DtSR 239]

Several weeks ago on the April 4th NewsCast, the DtSR crew talked about this survey from Pew Center that “finds Americans lack understanding of cybersecurity measures.” While I don’t remember exactly what takes were made on the podcast, I know it didn’t cover a big point: This survey was pretty poorly written.

The survey consisted of 10 questions, and there was a lot to nit-pick.

The Bad

What does the “https://” at the beginning of a URL denote, as opposed to “http://” (without the “s”)?

They give 3 obviously wrong answers, the “right” answer, “None of the above”, and “Not Sure”. The “right” answer is “That information entered into the site is encrypted”. But that’s not what https means. If anything, the https at the start of the URL indicates that the data you’ve received thus far is encrypted. It doesn’t guarantee that further submitted info will be (though yes, all modern browsers will warn you if you are entering data into an http form on a page fetched over https).

How bad: Technically inaccurate
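
As an added example (not from the original post or the survey), this Python sketch shows the gap described above: it takes a page fetched over https and lists the forms whose submission would still go out over plain http. The URLs and HTML are constructed sample data, and the check assumes the page has no `<base href>` element.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect (method, action) for every <form> in a document."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            a = dict(attrs)
            method = (a.get("method") or "get").lower()
            self.forms.append((method, a.get("action") or ""))


def insecure_form_targets(page_url, html):
    """Return (method, resolved target) for forms that would leave HTTPS."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for method, action in parser.forms:
        # Empty, relative and scheme-relative ("//host/...") actions resolve
        # against the page URL, so they inherit the page's scheme.
        # Assumption: no <base href> element changes that resolution.
        target = urljoin(page_url, action)
        if urlsplit(target).scheme != "https":
            findings.append((method, target))
    return findings


# Constructed sample: a page served over https that contains three forms.
SAMPLE_URL = "https://shop.example/account/login"
SAMPLE_HTML = """
<form method="post" action="/session"><input name="user"></form>
<form method="POST" action="http://shop.example/legacy/login">
  <input name="pw" type="password"></form>
<form action="//cdn.example/search"><input name="q"></form>
"""

if __name__ == "__main__":
    for method, target in insecure_form_targets(SAMPLE_URL, SAMPLE_HTML):
        print(f"{method.upper()} form submits over plaintext: {target}")
```

Only the second form is reported: the address bar shows https for the page, yet the password typed into that form would be sent unencrypted.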

Which of the following four passwords is the most secure?

Given four choices, and the word best, the answer is clear. While “WTh!5Z” is more secure than “Boat123”, “into*48”, and “123456”, it’s still a really bad password. 6 characters is not acceptable in any scenario today.

How bad: Technically ok, but misleading if people think that’s a good password

What kind of cybersecurity risks can be minimized by using a Virtual Private Network (VPN)?

Two options are easily wrong, but both “Use of insecure Wi-Fi networks” and “De-anonymization by network operators” are tempting. A VPN properly configured to send all traffic (including DNS) into it will eliminate most of the threats to someone using public wifi. However, there are still layer two attacks that are in play. On the other hand, who are network operators? If they are talking about the owner of the wifi network, or even their ISP, that’s clearly correct. If they are talking about others that see you on the other side of the VPN, or even the VPN operator itself, then of course not.

How bad: Two partially correct answers, neither completely correct.

If a public Wi-Fi network (such as in an airport or café) requires a password to access, is it generally safe to use that network for sensitive activities such as online banking?

The answer they are looking for is “no, it is not safe”. But there’s a lot more nuance than that. I guess it’s ok to scare people into being more careful on public wifi. And it is more risky, i.e. less safe. But talking about things as “safe” or “not safe” is something that security-oriented people need to stop doing. No one is ever safe. It’s all about reducing risk and reducing opportunity against the threats that are present.

Most things people would do on a public wifi network are safe. Browsing to HTTPS protected sites (and ensuring that there are green locks in their URL bar) comes to mind. And while there are risks with something like SMTP, to just say it’s not safe is oversimplifying, and making people’s lives unnecessarily difficult.

How bad: Vast oversimplification

Which of the following is an example of a “phishing” attack?

This question comes with three answers, and “All of the above”. Two are very clearly examples of phishing: “Sending someone an email that contains a malicious link that is disguised to look like an email from someone the person knows” and “Sending someone a text message that contains a malicious link that is disguised to look like a notification that the person has won a contest”. The third describes a component of a phishing attack: “Creating a fake website that looks nearly identical to a real website in order to trick users into entering their login information”. But the creation of the website isn’t the phish. Getting people to it is. From Wikipedia:

Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter personal information at a fake website, the look and feel of which are almost identical to the legitimate one.

Phishing is carried out by email or text, and the phishing directs people to fake websites. So the fake websites are not the phishing.

How bad: Wording is sloppy

A group of computers that is networked together and used by hackers to steal information is called a …

Choices are Botnet, Rootkit, DDoS, Operating System. Obviously the answer is botnet. But botnets aren’t typically used to steal information. They are typically used in DDoS attacks and spamming. While they are certainly capable of stealing information, to cite that as their primary role is sloppy.

How bad: Wording is sloppy

The Good

The part of the survey that I was most heartened by was their correctly contrasting site key images, captchas, and security questions as not two-factor authentication.

So what?

There’s a lot we could learn by studies like these. It’s interesting to look at the results. But we don’t learn as much as we could when the questions are written by someone who clearly doesn’t possess a depth of experience in cyber security.

