Trust Me
Riverbank Ruminations; Observations from The Banks of The Technology River
Tom Evans ~ Ashton Engineer Emeritus
I was listening to a talk the other day about trust. It brought home how often we exercise trust without even a conscious thought about doing it. We get into an elevator and we trust it won’t fall to the bottom of the shaft, but rather that it will take us to the floor we chose. We get into an airplane and we trust the pilot knows what he is doing, that he does not have a death wish, and that the plane is safe to fly. Even mundane things like an alarm clock are the recipients of our trust.
Dictionary.com defines trust this way:
- noun
- reliance on the integrity, strength, ability, surety, etc., of a person or thing; confidence.
- confident expectation of something; hope.
- confidence in the certainty of future payment for property or goods received; credit: to sell merchandise on trust
When it comes to interactions between people, sometimes we are exercising trust which, if betrayed, will have major consequences. People considering marriage are exercising a great deal of trust in the other person. When that trust is misplaced, the damage can be considerable. Investors exercise a measure of trust and when that is misplaced, it can mean financial ruin.
It’s Biological
In an article about trust, Professor Dr. Michael Kosfeld came to an interesting conclusion: “Trust is not irrational or illusory. It’s a biologically-based part of human nature.” In a study about trust, it was found that subjects playing as investors exhibited more trust when exposed to oxytocin. The researchers then went on to hypothesize that in daily life, perceiving certain social configurations probably leads to oxytocin release in selected brain regions. This in turn enhances the exhibition of trust.
What does this have to do with security? Well, the obvious connection is that if you trust the wrong people the outcome will be bad. If someone asks to come into your house, do you trust them enough to allow it? How do you make that decision?
When it comes to your network, home, or business, how do you decide who to trust? Every time we click on a link or go to a website, we are trusting that something bad will not happen. How do you make that decision? When it comes to links to websites, we trust our eyes, first of all. Let’s take one small example of why that is a gamble. Where will this link take you? https://www.appIe.com If you just trusted your eyes, you might say the link will take you to Apple’s website. If you hover over the link, you will see that it would in fact take you to appie.com. In the URL, the ‘I’ was capitalized and the font makes it look very much like a lower case ‘L’. Another way to accomplish a misdirection is to use this bit of HTML, <a href="https://www.xn--80ak6aa92e.com/">appIe.com</a>, to generate what is called a homograph attack. This article describes how it is possible to use Unicode characters to generate URLs that look like something they are not. Once again, hovering over the link would reveal the deception.
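The hover check described above can be automated. The following Python sketch is an added example, not part of the original column: it reads the two links from the paragraph, compares what each one displays with the host it really points to, and decodes any punycode ("xn--") label to show which alphabet is hiding behind it. The function names and warning texts are chosen for this example.

```python
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit
# The two links discussed above, embedded as sample input for this example.
SAMPLE = ('<a href="https://www.appIe.com">https://www.appIe.com</a> '
          '<a href="https://www.xn--80ak6aa92e.com/">appIe.com</a>')

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def netloc(value):  # host part as written, for a URL or bare text like 'appIe.com'
    return urlsplit(value if "://" in value else "//" + value).netloc

def decode_host(host):  # turn each punycode ('xn--') label back into Unicode
    return ".".join(l[4:].encode("ascii").decode("punycode") if l.startswith("xn--") else l
                    for l in host.split("."))

def audit(html):
    """Return (visible text, real host, decoded host, warnings) for each link."""
    parser, report = LinkCollector(), []
    parser.feed(html)
    for href, text in parser.links:
        real = netloc(href).lower()  # browsers lower-case the host name
        decoded, shown, warn = decode_host(real), netloc(text), []
        if decoded != real:
            names = {unicodedata.name(c, "UNKNOWN").split()[0] for c in decoded if ord(c) > 127}
            warn.append("punycode host, non-ASCII scripts: " + ",".join(sorted(names)))
        if "." in shown and " " not in shown:  # visible text looks like a host name
            if shown != shown.lower():
                warn.append("upper-case letters shown; browser uses " + shown.lower())
            if shown.lower().removeprefix("www.") != real.removeprefix("www."):
                warn.append("displayed host differs from link target")
        report.append((text, real, decoded, warn))
    return report

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

For the second link, the decoded host consists entirely of Cyrillic letters that merely resemble the Latin ones, which is why a look at the rendered text alone cannot settle the question.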
Trust Takes Time
While many phishing attacks are essentially ‘spray and pray’ (send thousands of emails and hope for a few hits), some attacks are designed to take time. Scammers compromise an email account and spend time building up some sort of relationship with the victim to earn their trust. Once the trust has been established, it is easier to get the victim to do something detrimental to themselves or their company. If the victim trusts the attacker, they are more likely to open an attachment or click on a link. Once that has been accomplished, the attackers are able to do reconnaissance on the network and find the company data, and then do as they please.
Another example of how trust can go awry is this article. Emails that divulge information such as the customer’s name, home address, order number, ordered items, and partial payment card information were sent to hundreds of Home Depot customers in Canada. On the scale of today’s data breaches, this was merely a drop in the digital ocean, unless it was your information that was exposed. Home Depot customers, like all other customers of all other companies, trust that their confidential information will remain confidential. More and more, that trust is not being earned.
It can take a long time to get someone to trust us. We may have to work very hard to get the trust established and maintained. Often, it takes very little to break that trust. Unfortunately, when it comes to the digital world, mechanisms for verifying the trustworthiness of someone are not readily available. While trust is a very necessary commodity, we need to deal it out sparingly these days. Trust me, I know these things.