Exploiting Curiosity and Context
TRANSCRIPT
• Joint work with
─ Freya Gassmann, University of Saarland, Germany
─ Robert Landwirth, FAU of Erlangen-Nuremberg, Germany
• Acknowledgments for data gathering and analysis
─ Nadina Hintz, Andreas Luder, Anna Girard, Gaston Pugliese
• Studied math (Russia) & computer science (Germany)
• PhD in computer science (2008), Germany
─ Access control protocols for wireless sensor networks
• Researcher at FAU, Germany
─ Friedrich-Alexander-Universität Erlangen-Nürnberg
• Human Factors in Security & Privacy Group
─ Group leader
Introduction
Agenda
• Spear phishing studies
─ Design & ethics
─ Study 1 → pitfalls & lessons learnt
─ Study 2 → recommendations
• Role of security awareness
• Challenges in patching human vulnerabilities
Technical vs. Human Vulnerabilities
• Technical vulnerabilities
─ Found → patch / redesign / accept risk
• Human vulnerabilities
─ Know how to exploit
─ Do we know how to patch?
• Is security awareness THE solution?
Spear Phishing
• Academic research: >1000 papers since 2004
• Phishing as a service (PhaaS)
─ KnowBe4, PhishMe, Wombat Security, many others
─ Pentesting the humans
What don't we know yet?
Research Questions
• Email vs. Facebook
─ Difference in clicking rates?
• Reasons for clicking and not clicking?
─ Why can some people protect themselves better than their peers?
─ Would knowing this provide useful information for defenders?
Study Idea
• Simulated attack
─ Send spear phishing messages with a link
─ Senders: non-existing persons
─ Recruit university students for participating in the study
• Email / Facebook
• Measure clicking behavior
• Ask them in a follow-up survey why they clicked / did not click
Message
Hey <receiver's first name>,
here are the pictures from the last week: http://<IP address>/photocloud/page.php?h=<USER ID>
Please do not share them with people who have not been there :-)
See you next time!
<first name of the sender>

access denied
Ethics: Recruitment
─ Don't experiment with people without their consent!
─ Participants recruited for a survey about "online behavior"
• Not informed beforehand about the real purpose of the study
─ Incentive: win 10 x 10 EUR online shopping voucher
─ Time: August/September 2013
Ethics: Connecting Behavior with Survey
Initial design: send message with individual link → wait till "enough" people clicked → send survey with individual link
Survey should be anonymous → validity of the answers
Final Design: send message with individual link → wait 3 weeks → send anonymous survey; ask: clicked or not?
Study 1: Clicked
Chart: email 56% (89/158), Facebook 38% (90/240)
Statistically significant difference
Study 1: Survey
Answered survey: 85% (339 out of 398)
Chart: really clicked 45% (179/398), reported that clicked 20% (68/339)
Study 2: Design Changes
On January 7th, 2014: "Hey, the New Year party was great! here are the pictures: http://<IP address>/photocloud/page.php?h=<USER ID>"
send message with individual link → if clicked → wait 24 h; if did not click → wait 7 days → send different survey links via email and on Facebook; ask: clicked or not?
Study 2: Clicked
Chart: email 42.5% (119/280), Facebook 20% (194/975)
Statistically significant difference
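The "statistically significant difference" between email and Facebook in each study can be re-checked from the counts shown on the slides. The following is an added example, not part of the talk: it runs a Pearson chi-square test on the 2x2 click tables of Study 1 and Study 2; the counts are taken from the slides, while the choice of an uncorrected chi-square test with a 0.05 threshold is an assumption about the authors' method.

```python
# Added example (not from the talk): chi-square test of independence on the
# email vs. Facebook click counts reported on the Study 1 and Study 2 slides.
from math import erfc, sqrt

# Click counts read off the slides: (clicked, total) per channel.
STUDY1 = {"email": (89, 158), "facebook": (90, 240)}
STUDY2 = {"email": (119, 280), "facebook": (194, 975)}


def click_rate(clicked, total):
    """Clicking rate in percent, one decimal, as on the slides."""
    return round(100.0 * clicked / total, 1)


def chi_square_2x2(group_a, group_b):
    """Pearson chi-square statistic (1 degree of freedom, no continuity
    correction) for two (clicked, total) groups, using the closed form
    N (ad - bc)^2 / ((a+b)(c+d)(a+c)(b+d))."""
    a, n_a = group_a
    b = n_a - a          # group A non-clickers
    c, n_b = group_b
    d = n_b - c          # group B non-clickers
    n = n_a + n_b
    return n * (a * d - b * c) ** 2 / ((a + b) * (c + d) * (a + c) * (b + d))


def p_value_1df(chi2):
    """Upper-tail probability for a chi-square variable with 1 df:
    P(X > x) = erfc(sqrt(x / 2))."""
    return erfc(sqrt(chi2 / 2.0))


def compare_channels(study, alpha=0.05):
    """Rates, statistic, p-value and verdict for email vs. Facebook."""
    stat = chi_square_2x2(study["email"], study["facebook"])
    p = p_value_1df(stat)
    return {
        "email_rate": click_rate(*study["email"]),
        "facebook_rate": click_rate(*study["facebook"]),
        "chi2": round(stat, 2),
        "p": p,
        "significant": p < alpha,   # assumed threshold, alpha = 0.05
    }


if __name__ == "__main__":
    for name, study in (("Study 1", STUDY1), ("Study 2", STUDY2)):
        r = compare_channels(study)
        print(f"{name}: email {r['email_rate']}% vs Facebook "
              f"{r['facebook_rate']}%, chi2={r['chi2']}, p={r['p']:.2g}, "
              f"significant={r['significant']}")
```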
Addressing by Name: Important via Email, but Not on Facebook?
Disclaimer: Study 1 ≠ Study 2!!!! Different messages
Chart: Study 1 email 56% vs. Study 2 email 42.5% (statistically significant); Study 1 Facebook 38% vs. Study 2 Facebook 20% (not significant)
Both Studies: Factors Not Statistically Correlated to Clicking
• Gender of sender
• Gender of receiver
• Friend request on Facebook
• Amount of information on sender's Facebook profile
Study 1 vs. Study 2: Survey Reliability
Chart: Study 1 actually clicked 45%, reported that clicked 20%; Study 2 actually clicked 25%, reported that clicked 16%
Study 2: Email vs. Facebook Survey Reliability
• Email: ok
• Facebook: ???
Chart: email actually clicked 42.5%, Facebook actually clicked 20%; reported-that-clicked values shown: 18%, 15.5%
Reasons for Clicking: Results
• Curiosity: 34%
"Curiosity"
• "I was curious"
• "I wanted to see what is there"
• "Out of interest"
• "I wanted to find out more about the pictures"
• "I did not know the sender, but wanted to see who is on the pictures"
Reasons for Clicking: Results (some people reported multiple reasons)
• Curiosity: 34%
• Fits my New Year party: 27%
• Investigation: 17%
• Known sender: 16%
• Trust into technical context: 11%
"Trust Into Technical Context"
• "My computer blocks access if there is a virus problem"
• "I knew, if this was something dangerous, my Kaspersky would protect me"
• "I use Firefox and MacOS, so I'm not afraid of the viruses"
• "I used Tor Bundle"
• "After I googled, photocloud seemed to be a clean website"
• "I googled the email address […] I found nothing"
• "IP came from the university"
• "I consider the webmail of the university to be safe"
Reasons for Clicking: Results (some people reported multiple reasons)
• Curiosity: 34%
• Fits my New Year party: 27%
• Investigation: 17%
• Known sender: 16%
• Trust into system: 11%
• Really pictures of me? 7%
Reasons for Non-Clicking (some people reported multiple reasons)
• Unknown sender: 51%
• Virus / Spam / Phishing / Scam / Fake: 44%
• Does not fit my New Year celebration: 36%
• Does not fit my way of life: 12%
• Investigation: 6%
─ FB profile: 2%
Did Not Click Because Of Privacy (6%)
• "It (the message) seemed to be private"
• "I thought the message was genuine and wanted to protect privacy"
• "It said: please don't click if you don't know me"
• "The message was not for me"
• "I did not see any reason to look up private pictures of a stranger who obviously made a mistake"
Factors Not Statistically Correlated with Reported Clicking
• IT security knowledge (self-assessed)
• Knowledge that email sender can be spoofed
• Knowledge that links can be dangerous
Attitude towards Participation in the Study (-3 = very negative, 3 = very positive)
Chart: percentage of non-clickers and of clickers (y axis 0% to 30%) for each attitude score from -3 to 3
Should Such Studies be Conducted in The Future?
Chart: yes / no / not sure; values shown: 2%, 85%, 13%
Limitations
• Study 1 ≠ Study 2
─ Only tentative comparisons across two studies!
• Validity of the reasons
─ Cannot look into people's heads at the moment of clicking
• "reported clickers" ≠ "real clickers"
Lesson 1: Targeting
• Curiosity / Interest
─ 78% knew that links can be dangerous
• Context
─ Known sender → 82% knew that sender can be spoofed
─ Plausibility: situation & expectations
• Facebook: do people notice that they clicked?
Lesson 2: Requirements on Users
• Be suspicious:
─ Even if you know the sender
─ Even if the message fits your current situation
─ Even if the message fits your work and life practices
• Be suspicious of everything!
Deception Mode
Let me introduce…
• Highly trained special agent
• A lot of people want to kill him
• (Almost) any person in his life can be a traitor
• Has to be in deception mode in every life situation
• Does his job excellently
• Does not exist
Want Your Employees to Be Aware of Spear Phishing?
• Want them to be in James Bond mode every time they read a message?
• Add this to job descriptions
• Make sure to pay them adequately
(accounting, sales, human resources, customer support, public relations)
Being Security Aware: Personal Adventures
Personal Example 1: Curiosity / Interest (anonymized)
From: [email protected]
Subject: CNN request -- about your upcoming Black Hat talk
Zinaida,
John at CNN here. I'm the news network's cybersecurity reporter. Here's a link to my work, in case you're not familiar with it.
I saw the description of your upcoming Black Hat talk. Your topic looks fantastic!
Can we get an exclusive look at your research and write the first news story about it?
Cheers,
John Smith
Personal Example 2: Context (anonymized)
From: Journal of Experiments (EXPE) [email protected]
To: [email protected]
Subject: Invitation to Peer Review EXPE-M-35-00737
Dear Dr. Benenson,
In view of your expertise […]
[…]
If you would like to review this paper, please click this link: http://expe.editorial-expe.com/l.asp?i=35189&l=GKXKMQ
If you do not wish to review this paper, please click this link: http://expe.editorial-expe.com/l.asp?i=87665&l=6HN7KK
Best regards,
Editor <name I've never heard of>
First Click, Then Notice: Messages to Helpdesk
D. Caputo et al. "Going spear phishing: Exploring embedded training and awareness." IEEE Security & Privacy Magazine, 2014
• "I clicked on it inadvertently without thinking and exited Explorer without reading the link."
• "I just opened this. Then followed link like an idiot. Then killed the process using Task Manager. Please advise as what to do."
• "I can't believe I actually clicked on the link! Let me know if there's something I need to do to ensure my laptop isn't infected, or if this is just a prank."
Personal Example 3: An Attachment (anonymized)
From: setup@company-I'm-dealing-with.com
To: [email protected]
Subject: Message ID: 23519-0297: FRT-92362. Work item Number: CMPVDM24062016157789020297
Attachment: attach/15072016/29375.docx

Hi,
Please see request details below. Please provide the required information by replying to this email.
Query Reason: Banking details
Work item Number: CMPVDM24062016157789020297
Created Date: 15-Jul-2016
Name: Zinaida Benenson
Comments: Dear Sir/Madam, In order for us to complete the setup of your account within our system, we need your bank account details to which settlement of your invoices should be made. Please complete the attached form in full and return to us, ensuring it has been signed by an authorized signatory.
Lesson 3: Pentesting & Patching Humans
• What are the reasons for ineffectiveness of an awareness training?
─ Curiosity / interest → natural & creative human traits
─ "This message fits my current situation" / "I know the sender" → useful decisional heuristics
• What price do users pay for an effective awareness training?
─ James Bond mode
─ False positives? Work slowdown?
─ Breakdown of social relationships? Atmosphere of distrust?
─ Embarrassment? Shame? Anger?
Feasible User Involvement?
• Report suspicious messages?
─ Be prepared to get "amateur security"! (Bruce Schneier about "If you see something, say something")
• Reliable indicators for switching into "James Bond mode"
─ False positives destroy trust into the indicator
─ Digitally sign messages
• Non-experts misinterpret meaning / don't notice
• Can be social engineered into accepting an invalid signature
• Stop sending "phishy" legitimate messages
• Expect mistakes
Key Takeaways
• Spear phishing: what defense is feasible and beneficial for humans?
─ People won't and can't abstain from decisional heuristics
─ Don't require permanent James Bond mode
• Pentesting and patching humans is tricky
─ What do you want people to do?
─ Think about consequences for people & for company
─ Always ask consent
• Talk to the users
─ Automated observation and measurement are not enough
─ Ask directly about their experiences, opinions, work practices
Thank you! Questions?
Please complete the Speaker Feedback Surveys
Zinaida Benenson
Research & evidence needed! If your company is interested, please talk to me