
Well known vulnerabilities in human brain and behavior – common admin mistakes

© wojboj

Confidence 2010

Vulnerabilities in human brain and behavior [2]

whoami

• Nick: wojboj

• Email / facebook: ... you can find me ;)

• In 199x – linux geek, hacker, publishing in some Polish magazines

• In 200x – psychologist, hacking people, outsourcing for a lot of companies

• In 201x – you will see

Admin needs

• In 199x – fixing bugs in systems and software (overflows, misconfigurations)

• In 200x – fixing bugs in system relationships (CSRF, DNS poisoning, BGP prefix hijacking, spam...)

• In 201x – fixing bugs in staff trust relationships (sabotage, sleeper spies, sleeper terrorists)

So right now I will hypnotize you

No-tech hacking (DefCon 2007)

• We can find a lot of useful data (e.g. passwords) without using hi-tech

• People will help us

• Is that a problem with system bugs or with people?

• Why do we teach only how to fix bugs in software or how to exploit them, leaving alone bugs in people?

Hacking people – why?

• Admins and IT managers are more interested in exploits than patches.

• Who do they wanna hack?

Prevention knowledge

• Knowledge of persuasion techniques in most cases will not reduce their effects

• We want trust:

- Banana – healthy

- OpenSSH – secure

- OpenBSD – secure

- Luser computers – vulnerable

Such connections help us to live.

Bug #1 – no release of information contrary to our view

• We want the world to be easy and trusted, because it's easier to live with rules we know.

• Theories contrary to our view require effort from us.

• So am I your enemy because I will say more theories contrary to your view? Or because I will force you to make some effort?

Bug #2 – People are lazy

• The best security specialists are not craftsmen

• they are artists

• but an artist will not work for a factory

• Even if he works, he will not do his best!

• Anyway, factories need some craftsmen and some artists – only together could they produce secure solutions!

I need to hypnotize you again

What could Freud say about it?

• Freud's theories are not scientific!

• He wrote a lot of books... And now how to convince people that it is only a piece of shit?

• His followers want to be right!

Bug #3: We want to be right!

• How do we react if somebody says that we were wrong?

• How long could we fight for our theories, even if we know that they could be wrong?

Is memory only storage?

• Working vs. short-term vs. long-term memory

• Memory as a problem-solving system (stored information could be changed even without our knowledge)

It's not a bug, but a feature

• We can forget something (for example: our failures)

• But our memory is buggy when we forget important things

Hypnosis and suggestibility

• Suggestibility is:

- A trait of a good speaker (or hypnotizer)

- The way I am talking to you (more or less suggestible)

- A trait of the victim (they are suggestible)

- A trait of our memory – new knowledge changes memories

Memory illusions – E. Loftus 2002

"Psychological studies have shown that it is virtually impossible to tell the difference between a real memory and one that is a product of imagination or some other process."

Small bug, big problem

Do you swear to tell the truth, the whole truth, or whatever it is you think you remember?

Bug #4: Seven sins of memory

• Transience

• Absent-mindedness

• Blocking

• Misattribution

• Suggestibility

• Bias

• Persistence

Scientists say: it's not a bug, it's a feature

Bug #5: Mistakes

• We do a lot

• We don't notice them

• We don't admit to them

• We try to forget them

• We don't learn from mistakes!

• We don't like people who point out our mistakes!

Psychology vs. Physics/math

Newton's const G

• F(Exercise) = g + error

• In physics – error < 1% * g

• In psychology – error < 200% * g

Woman's G-spot (G-point)

These bugs are well known

• But how often do you have to fight with their consequences?

• And what does your company (or you) do to prevent them?

Solution #1: how do we monitor security on servers?

- We run our IDS/IPS/system logs

- We look for alerts

So maybe the same way we should check ourselves?

- We tell our friend/coworker to watch us

- We listen to all the alerts he produces!

Why should it not be our boss?

Who wanna be fired?

Solution #2: watch yourself

• Check how you react to different views

• Accept that sometimes you could forget/make a mistake/your system could be vulnerable

• Write down some mistakes you made at work and analyze why they happened.

Solution #3: learn & train

• And take the right pill

Questions?

Gr3tz for #hackpl

See you at afterparty