carl mehner's blog

Training Users to Be More Secure

One of the things a corporation, website, or mobile application should do, in every interaction with the users of its services, is ensure that none of the actions it requests or requires would, in a malicious context, compromise the security of those users.

You should not do things like: have users enter credentials over a non-SSL log-in screen, force users to click through an invalid certificate to get to your site, or use a pseudo-public piece of data for a password (e.g. SSN or birthday).

Last week, LinkedIn broke the rule of not requiring users to engage in risky behavior. Its new service, Intro, was described as a bad idea by Dave Lewis and others, that criticism was rebutted by a LinkedIn security manager, and the rebuttal sparked a reply by Martin McKeay. Up to now I have seen many people talking about how bad an idea the system is as a whole, so I will not rehash that part. Instead, I want to focus on the how, not the what.

Which brings me back to forcing users to engage in risky behavior. The way you 'install' Intro is to first go to the Intro website rather than the App Store. One of iOS's most lauded features is that it is kept more secure by only allowing apps from the App Store. Getting an app, or 'app', from anywhere else should raise red flags.

Next, you enter your Gmail/iCloud/Yahoo/AOL/etc. email password on LinkedIn's site. You should not enter your password for one site on another. It is reasonable for a site to want functionality that would normally need another site's credentials, but this is exactly why things like OAuth and SAML were created: the user authenticates to the provider that actually holds the account, and the third party receives only a scoped, revocable token instead of the password.
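To make the contrast concrete, here is the relying-party side of an OAuth 2.0 authorization code flow, written as an added example for this post (it is not LinkedIn's code and not any provider's library). The provider endpoint, client ID, and redirect URI are hypothetical; the PKCE code challenge (RFC 7636) is newer than the post but is what a practitioner would add today. The point is what the third party never touches: the user's mail password is typed only on the provider's page, and what comes back is a one-time code bound to a `state` value the relying party generated itself.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical provider endpoint (assumption); a real relying party takes this
# from the provider's documentation or discovery metadata.
AUTHORIZE_ENDPOINT = "https://mail-provider.example/oauth2/authorize"

# RFC 7636 Appendix B test vector, used to self-check pkce_challenge().
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge: base64url(SHA-256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_request(client_id: str, redirect_uri: str, scope: str):
    """Build the URL the user is sent to. Returns (url, state, code_verifier).

    The relying party keeps state and code_verifier in the user's server-side
    session; the user authenticates at the provider, never on our site."""
    state = secrets.token_urlsafe(32)      # CSRF binding for the callback
    verifier = secrets.token_urlsafe(48)   # proves the token request is ours
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", state, verifier


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the provider's redirect back to us and return the auth code.

    A missing or mismatched state means the callback was not started by this
    session (login CSRF or a forged redirect), so it is discarded."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(
        state.encode("utf-8"), expected_state.encode("utf-8")
    ):
        raise ValueError("state mismatch: discard this callback")
    if "error" in query:
        raise PermissionError(f"provider returned error: {query['error'][0]}")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("callback must carry exactly one authorization code")
    # The code is then exchanged server-to-server for a token, sending
    # code_verifier; the token, not a password, is what we store.
    return codes[0]


if __name__ == "__main__":
    url, state, verifier = build_authorization_request(
        "hypothetical-client-id", "https://relying-party.example/cb", "mail.read"
    )
    print("send user to:", url)
    # Constructed callback, standing in for the provider's redirect.
    code = parse_callback(f"https://relying-party.example/cb?code=abc123&state={state}", state)
    print("authorization code:", code)
```

The token exchange itself (POSTing `code` and `code_verifier` to the provider's token endpoint) is an ordinary HTTPS request and is left out; the part that matters for this post is that at no step does the relying party see, or ask for, the user's password.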

Next, you are required to install a configuration profile. Configuration profiles are very useful for giving corporations access to a phone. As Bishop Fox said, "A profile can be used to wipe your phone, install applications, delete applications, restrict functionality, and a whole heap of other things". Users should only install these profiles if they truly understand what they do, or are required to by their company.

Also, the mobile config profile used by this method installs a set of certificates, which is a further potential avenue for compromise in a malicious setting. Configuration profiles in iOS are powerful things, and training users to install them makes a social engineering trick, similar to what I described in my BSides San Antonio talk (starting at slide 26), a lot easier to pull off.
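"Understand what it does" is something a user can actually check before tapping Install, because an unsigned `.mobileconfig` is just an XML property list. The inspector below is an added example for this post, not LinkedIn's profile or Apple's tooling: it lists every payload, flags the payload types that hand the issuer real power (MDM enrollment, trusted root certificates, mail accounts whose servers are someone else's, VPN or global proxy), and prints the SHA-256 of any embedded certificate so it can be compared with what the provider claims to install. The sample profile and its certificate bytes are constructed placeholders, and the risk descriptions are mine.

```python
import hashlib
import plistlib

# PayloadType values from Apple's configuration profile format that a user
# should understand before installing. Descriptions are mine, not Apple's.
RISKY_PAYLOADS = {
    "com.apple.mdm": "MDM enrollment: remote wipe, app install/removal",
    "com.apple.security.root": "trusted root CA: issuer can mint certs the device accepts",
    "com.apple.security.pkcs1": "installs a certificate into the trust store",
    "com.apple.security.pkcs12": "installs a certificate plus private key",
    "com.apple.applicationaccess": "device restrictions",
    "com.apple.mail.managed": "mail account: can point IMAP/SMTP at a third party",
    "com.apple.vpn.managed": "VPN: can route device traffic through another party",
    "com.apple.proxy.http.global": "global HTTP proxy for all web traffic",
}
CERT_PAYLOADS = {"com.apple.security.root", "com.apple.security.pkcs1", "com.apple.security.pkcs12"}


def inspect_profile(mobileconfig: bytes) -> dict:
    """Summarise an unsigned .mobileconfig (plain plist, not CMS-signed)."""
    profile = plistlib.loads(mobileconfig)
    payloads = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        entry = {
            "type": ptype,
            "identifier": payload.get("PayloadIdentifier", ""),
            "risk": RISKY_PAYLOADS.get(ptype),
        }
        if ptype in CERT_PAYLOADS:
            # For certificate payloads, PayloadContent holds the DER bytes.
            der = payload.get("PayloadContent", b"")
            entry["cert_sha256"] = hashlib.sha256(der).hexdigest()
        if ptype == "com.apple.mail.managed":
            # Where mail actually goes once the profile is installed.
            entry["incoming_host"] = payload.get("IncomingMailServerHostName")
            entry["outgoing_host"] = payload.get("OutgoingMailServerHostName")
        payloads.append(entry)
    return {
        "name": profile.get("PayloadDisplayName"),
        "organization": profile.get("PayloadOrganization"),
        # True means the user cannot remove the profile from Settings.
        "removal_disallowed": bool(profile.get("PayloadRemovalDisallowed", False)),
        "payloads": payloads,
        "risky": [p for p in payloads if p["risk"]],
    }


# Constructed sample (not a real vendor's profile). The certificate bytes are a
# placeholder, not real DER.
FAKE_ROOT_CERT = b"\x30\x82\x01\x00" + b"placeholder, not a real certificate"
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.mailproxy.profile",
    "PayloadUUID": "2c1f0f4e-0000-4000-8000-000000000001",
    "PayloadDisplayName": "Example Mail Setup",
    "PayloadOrganization": "Example Corp",
    "PayloadRemovalDisallowed": True,
    "PayloadContent": [
        {
            "PayloadType": "com.apple.mail.managed",
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.mailproxy.mail",
            "PayloadUUID": "2c1f0f4e-0000-4000-8000-000000000002",
            "EmailAccountDescription": "Gmail via Example",
            "IncomingMailServerHostName": "imap-proxy.example.invalid",
            "OutgoingMailServerHostName": "smtp-proxy.example.invalid",
        },
        {
            "PayloadType": "com.apple.security.root",
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.mailproxy.rootca",
            "PayloadUUID": "2c1f0f4e-0000-4000-8000-000000000003",
            "PayloadContent": FAKE_ROOT_CERT,
        },
        {
            "PayloadType": "com.apple.webClip.managed",
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.mailproxy.webclip",
            "PayloadUUID": "2c1f0f4e-0000-4000-8000-000000000004",
            "URL": "https://example.invalid/",
        },
    ],
})

if __name__ == "__main__":
    summary = inspect_profile(SAMPLE_PROFILE)
    print(f"{summary['name']} ({summary['organization']}), "
          f"removal disallowed: {summary['removal_disallowed']}")
    for p in summary["payloads"]:
        print(f"  {p['type']:32} {p['risk'] or 'no special risk'}")
        if "cert_sha256" in p:
            print(f"    cert sha256: {p['cert_sha256']}")
        if p["type"] == "com.apple.mail.managed":
            print(f"    mail via {p['incoming_host']} / {p['outgoing_host']}")
```

Profiles served from a website are often CMS-signed, in which case `plistlib` will not parse them directly; unwrap first with `openssl smime -verify -inform der -noverify -in profile.mobileconfig` (the `-noverify` only skips chain validation for extraction, it does not make the content trustworthy) and feed the resulting plist to `inspect_profile`. For a profile like the sample, the two findings a user should weigh are that their mail will transit a third party's servers and that a new root CA is being trusted on the device.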

Make the Internet a better place: as a website, app, or service provider, choose an architecture built on methods that propagate secure, rather than risky, user behavior.

Happy Cyber Security Awareness Month

-cem