Play doctor

Virus still keeping you in? Bored? Tired of binging shows? Let’s run some more website security scans. At the start of the virus quarantine times, I blogged a bit about security headers and how finding out what’s wrong is fairly easy (setting them correctly takes a bit more effort). But there are loads of other ways to find out what’s wrong or right with your website’s security.

These won’t fix your problems. But they will tell you that they exist. This list is also purposefully avoiding scripts that involve the command line or anything more than a reasonably modern web browser.

Get the lazyweb pentester’s toolkit here

It depends

You’re on WhatsApp, I’m on WhatsApp. Even the world’s richest Lex Luthor lookalike, Jeff Bezos, is on WhatsApp. The breathless news last week was that Jeff’s iPhone was hacked by a malicious file sent his way in a WhatsApp message from the number of Saudi Crown Prince Mohammed bin Salman. And now we’ve got an endless stream of hot-take tweets and seemingly carbon-copied news items around the idea that: “If Jeff Bezos can get hacked through WhatsApp, what hope do the rest of us have?!”

Take a deep breath. You are fine. Takes like this are ridiculous. They assume that if these giant titans are vulnerable, then so must you be, tender user. The answer to that is the annoying thing no one wants to hear: “it depends.” The presumption is that Jeff’s iPhone is some kind of super device with a hundred security experts on its case. Another notion could be that it’s just an iPhone, like yours is just an iPhone.

We’ve seen loads of Big Name people make stupid infosec decisions. Having the head of a country known for targeting journalists and human rights activists with highly sophisticated spyware in your special contacts list is probably a bad idea. It was a bad idea for Jeff, the owner of the Washington Post, the newspaper that had run columns by Jamal Khashoggi before he was murdered in a Saudi consulate in Turkey.

The number of “don’t be like Jeff” type posts last week was kind of silly.

Your chances of not getting targeted with a highly sophisticated hack like the one that hit Jeff are probably pretty good. You don’t own infrastructure hosting vast swathes of the internet, including data of U.S. intelligence agencies. You don’t own a media empire, and you’re likely not involved in investigative projects on Saudi abuses. You’ve wiped huge amounts of your threat surface away right there.

You’re in the group with this to-do (or, to don’t) list:

  1. Keep your mobile operating system up to date.
  2. Don’t root/jailbreak your mobile.
  3. Don’t accept unsolicited conversations with unknown people.
  4. Don’t download or open unexpected attachments.
  5. Verify people’s numbers in person or in voice or video calls, not by trusting what happens to come through on the screen.

A lot of the “don’t be like Jeff” articles mentioned above include various versions of that advice, and it’s all good. There are a few problems with it, though:

  • We don’t know that Jeff was/wasn’t doing those things (or had someone doing them).
  • He’s getting a file from someone in his contacts. Someone who won’t be in your or my contacts.
  • Your situation (and mine) will never the fuck be Jeff Bezos’ situation.

Dude’s the richest fucker on the planet, operating at a level where he shouldn’t be on an app or a mobile. But he is. Because the world is complex, and all of this complexity is held together with tape and glue and some glitter to make it look pretty, and a lot of blind faith that smart people are doing smart things. On most days, it’s safe to say most of them are. Statistical reality dictates that every day a few of them aren’t. Just like the rest of us.

Statistically, you’ll be targeted for identity theft or credit fraud, or by someone who wants to find out whether you have any lewd photos in the cloud. They won’t hire NSO Group to identify your exact mobile model and OS version and tailor a malicious package you’ll be more likely to open, just to infect it. One thing that I won’t put on you is to work at not being like Jeff Bezos. Unless you’re him reading this, you’re not. And if you are, give me a grant.