![Page 1: A social engineering wargame - Deustopaginaspersonales.deusto.es › garaizar › papers › SCIP2012-PG... · 2013-04-25 · Wargames Security challenges in which players must exploit](https://reader036.vdocuments.site/reader036/viewer/2022081407/5f22afbba842ad15c85ec140/html5/thumbnails/1.jpg)
A social engineering wargame
42nd annual meeting of the Society for Computers in Psychology (SciP)
Minneapolis, MI, November 15th, 2012
Pablo Garaizar, University of Deusto
Ulf-Dietrich Reips, University of Deusto, Ikerbasque, Basque Foundation for Science
Social networking is the new
emailing
texting
IMing
blogging
photo sharing
...
(see Meeker, Devitt, & Wu, 2010)
Social networking seems to be easy...
CC-by-nc-sa joeshlabotnik, http://www.flickr.com/photos/joeshlabotnik/7405703154
...but plenty of unforeseen problems.
Learning about privacy is hard.
(see Fischer-Hübner & Lindskog, 2001; Cranor, Hong, & Reiter, 2007; Ovaska & Räihä, 2009; Edbrooke & Ambrose, 2012)
Privacy concerns are boring
CC-by-nc-nd jamelah, http://www.flickr.com/photos/jamelah/583341746
It's not easy to balance the trade-off between security and usability
© FOX Broadcasting Company
Social engineering
The art of manipulating people into performing actions or divulging confidential information.
© Universal Studios
Social Lab tackles some of these problems by providing a social engineering wargame
It works because there is no patch for human stupidity
CC-by batrace, http://www.flickr.com/photos/batrace/41672951
Purpose of the game
Learn some of the techniques used by social hackers
Prevent these kinds of attacks in real social networks
© Columbia Pictures
Wargames
Security challenges in which players must exploit a vulnerability in an application or gain access to a system.
www.overthewire.org, www.try2hack.nl, www.hackthissite.org, www.smashthestack.org, www.bright-shadows.net
Wargames: “hacker sandboxes”
CC-by-nc-sa trommetter, http://www.flickr.com/photos/trommetter/128400664
Social engineering wargame
A privacy challenge in which players must gain access to user profiles in a "social sandbox" (a fake social network)
http://en.sociallab.es
How to play Social Lab
3. Solve social challenges
http://en.sociallab.es/profile/messages
All the challenges are automated profiles with fake personal information...
(disclaimer: no privacy was harmed in the making of this site)
… but real interactions between players are also possible
(and can affect the results of the game)
Each time a friendship request is made, Social Lab checks whether it involves an automated profile and, if so, schedules a task.
http://en.sociallab.es/profile/request/id/2
Scheduled tasks are like scripts
Alice Johnson (level 1 bot):
● Step 0: Accept friendship.
● Step 1: System message (level 2).
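The friendship-request check and the scripted task described on the last two slides, as an added Python example; this is not Social Lab's own code (the project's code is at the GitHub link later in the deck). The class names, the `request_friendship`/`run_scheduled` methods and the one-script-per-level layout are assumptions. It shows that a request to a bot profile is answered by a queued script rather than a person, that a request to a human player simply stays pending, and that a request withdrawn before the worker runs is never accepted.

```python
# Added example (not Social Lab's own code): toy model of the mechanism on the
# slides. A friendship request to an automated profile schedules a task; a
# worker later runs its steps in order (accept, then the system message that
# unlocks the next level). Names and the script layout are assumptions.
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Profile:
    name: str
    is_bot: bool = False
    level: int = 0                       # bots only: the level they belong to
    friends: set = field(default_factory=set)
    inbox: list = field(default_factory=list)


@dataclass
class Task:
    bot: Profile
    player: Profile
    steps: list                          # [(action, argument), ...] run in order
    cursor: int = 0                      # index of the next step to execute


def bot_script(level):
    """Script for a bot of the given level, modelled on the 'Alice Johnson
    (level 1 bot)' slide: step 0 accepts, step 1 announces level + 1."""
    return [("accept_friendship", None), ("system_message", level + 1)]


class SocialLab:
    def __init__(self):
        self.profiles = {}
        self.pending = set()             # (requester, target) name pairs
        self.queue = deque()             # scheduled tasks, FIFO
        self.unlocked = {}               # player name -> highest level unlocked

    def add(self, profile):
        self.profiles[profile.name] = profile

    def request_friendship(self, requester, target):
        """Record the request; if the target is a bot, schedule its script."""
        self.pending.add((requester, target))
        t = self.profiles[target]
        if t.is_bot:
            self.queue.append(Task(t, self.profiles[requester], bot_script(t.level)))
            return "scheduled"
        return "pending"                 # a human has to answer this one

    def withdraw_request(self, requester, target):
        self.pending.discard((requester, target))

    def run_scheduled(self):
        """Drain the queue like a cron worker; returns the number of steps run."""
        executed = 0
        while self.queue:
            task = self.queue.popleft()
            while task.cursor < len(task.steps):
                action, arg = task.steps[task.cursor]
                getattr(self, "_" + action)(task, arg)
                task.cursor += 1
                executed += 1
        return executed

    # step implementations
    def _accept_friendship(self, task, _arg):
        pair = (task.player.name, task.bot.name)
        if pair not in self.pending:     # withdrawn before the worker ran
            return
        self.pending.discard(pair)
        task.player.friends.add(task.bot.name)
        task.bot.friends.add(task.player.name)

    def _system_message(self, task, next_level):
        if task.bot.name not in task.player.friends:   # not accepted: no unlock
            return
        task.player.inbox.append(f"System message: level {next_level} unlocked")
        name = task.player.name
        self.unlocked[name] = max(self.unlocked.get(name, 0), next_level)


def demo():
    """One player befriends a level-1 bot and a human; returns what is observable."""
    lab = SocialLab()
    lab.add(Profile("alice", is_bot=True, level=1))   # Alice Johnson, level 1 bot
    lab.add(Profile("bob"))                           # human player
    lab.add(Profile("carol"))                         # another human player
    r_bot = lab.request_friendship("bob", "alice")
    r_human = lab.request_friendship("bob", "carol")
    steps = lab.run_scheduled()
    bob = lab.profiles["bob"]
    return r_bot, r_human, steps, lab.unlocked.get("bob"), sorted(bob.friends), len(lab.pending)


def demo_withdrawn():
    """A request withdrawn before the worker runs is neither accepted nor rewarded."""
    lab = SocialLab()
    lab.add(Profile("alice", is_bot=True, level=1))
    lab.add(Profile("bob"))
    lab.request_friendship("bob", "alice")
    lab.withdraw_request("bob", "alice")
    lab.run_scheduled()
    bob = lab.profiles["bob"]
    return sorted(bob.friends), lab.unlocked.get("bob"), bob.inbox


if __name__ == "__main__":
    print(demo())
    print(demo_withdrawn())
```

Each step re-checks the current state instead of trusting the state at scheduling time, which is what keeps a withdrawn request from being accepted and a non-friend from receiving the unlock message.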
Currently, Social Lab provides a 10-level wargame of increasing difficulty
CC-by-nc-nd -lif-, http://www.flickr.com/photos/-lif-/3485405777
You can...
use it (in research, teaching)
download it
modify it
share your modifications
translate it
use it for other purposes (it's a social network)
Doing research in Social Lab is comfortable: HTTP logs and a backend application
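An added example of the kind of analysis the HTTP logs allow; it is not code from the Social Lab project. It parses constructed Apache-style log lines whose paths follow the URLs shown on the slides (`/profile/request/id/<n>` for a friendship request to profile `n`, `/profile/messages` for the message page); treating one POST to the request URL as one friendship request is an assumption. Client IPs are pseudonymized with a salted hash before aggregation so the research data set carries no raw addresses, and lines that do not parse are counted rather than crashing the run.

```python
# Added example (not Social Lab's own code): per-endpoint statistics from
# web-server logs. Log lines are constructed; the path layout follows the
# URLs on the slides and the POST-means-request rule is an assumption.
import hashlib
import re
from collections import Counter

# Constructed sample in Apache combined format, not real Social Lab traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Nov/2012:10:01:02 +0100] "GET /profile/request/id/2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Nov/2012:10:01:09 +0100] "POST /profile/request/id/2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Nov/2012:10:02:00 +0100] "POST /profile/request/id/2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Nov/2012:10:02:30 +0100] "POST /profile/request/id/5 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Nov/2012:10:03:00 +0100] "GET /profile/messages HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Nov/2012:10:04:00 +0100] "POST /profile/request/id/9 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
garbage line that does not parse
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
REQUEST_RE = re.compile(r"^/profile/request/id/(?P<target>\d+)$")


def pseudonymize(ip, salt):
    """Stable, salted pseudonym for a client address; the salt must stay
    out of the published data set or the mapping can be rebuilt."""
    return hashlib.sha256((salt + ip).encode()).hexdigest()[:12]


def analyse(log_text, salt="research-salt"):
    """Count friendship requests per target profile, message-page views,
    distinct (pseudonymous) clients, failed requests and unparsable lines."""
    stats = {
        "parsed": 0,
        "skipped": 0,
        "requests_by_target": Counter(),
        "message_views": 0,
        "failed": 0,
    }
    clients = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:                         # malformed line: count, do not crash
            stats["skipped"] += 1
            continue
        stats["parsed"] += 1
        clients.add(pseudonymize(m["ip"], salt))
        path, method, status = m["path"], m["method"], int(m["status"])
        r = REQUEST_RE.match(path)
        if r and method == "POST":        # assumed: one POST = one request
            if status >= 500:
                stats["failed"] += 1      # server error: request not recorded
            else:
                stats["requests_by_target"][int(r["target"])] += 1
        elif path == "/profile/messages":
            stats["message_views"] += 1
    stats["players"] = len(clients)
    return stats


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Counting distinct clients by address is only a rough proxy for players (shared NATs collapse several players into one); the backend application's own records are the authoritative source for figures such as accepted, rejected and pending requests.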
Last week: more than 100 new players
181 friendship requests between players (26 accepted, 7 rejected, 148 pending)
101 status updates
629 messages between players (13 public, 616 private)
Distribution of achieved challenges:
Currently we offer:
Info about the project: http://www.sociallab.es
Demo servers:
English version: http://en.sociallab.es
Spanish version: http://es.sociallab.es
Social Lab's code: https://github.com/txipi/Social-Lab
CC-by-sa mightyohm, http://www.flickr.com/photos/mightyohm/3986677172
References
● Cranor, L., Hong, J., & Reiter, M. (2007). Teaching Usable Privacy and Security: A guide for instructors. Retrieved from: http://cups.cs.cmu.edu/course-guide/
● Edbrooke, O. & Ambrose, M. L. (2012). Teaching Privacy in the Twenty-first Century. Social Education, 76(4):217–220.
● Fagerlund-Savisaari, A. (2010). Thanks for adding me!: The complexity of Facebook friendships and public privacy. Case: Finnish politicians. Tampereen ammattikorkeakoulu. Retrieved from: http://hdl.handle.net/10024/14558
● Fischer-Hübner, S. & Lindskog, H. (2001). Teaching Privacy-Enhancing Technologies. In Proceedings of the IFIP WG 11.8 2nd World Conference on Information Security Education. Perth, Australia, pp. 1–17.
● Johnson, M. (2011). Winning the Cyber Security Game. MediaSmarts, Media Awareness Network. Retrieved from: http://cira.ca/assets/Documents/Publications/WinningCyberSecurityGameLesson.pdf
● Johnson, M. (2011). Privacy Pirates: An Interactive Unit on Online Privacy. MediaSmarts, Media Awareness Network. Retrieved from: http://mediasmarts.ca/blog/privacy-pirates-interactive-unit-online-privacy
● Johnson, M. (2011). From Passport to MyWorld: Media Awareness Network extends digital literacy skills to secondary students. MediaSmarts, Media Awareness Network. Retrieved from: http://mediasmarts.ca/blog/passport-myworld-media-awareness-network-extends-digital-literacy-skills-secondary-students
● Media Awareness Network (2009). Privacy Playground: The First Adventure of the Three CyberPigs. MediaSmarts, Media Awareness Network. Retrieved from: http://mediasmarts.ca/game/privacy-playground-first-adventure-three-cyberpigs
● Meeker, M., Devitt, S., & Wu, L. (2010, June 7). Internet Trends. Morgan Stanley Research. Retrieved from: http://www.slideshare.net/CMSummit/ms-internet-trends060710final
● Ovaska, S. & Räihä, K.-J. (2009). Teaching Privacy with Ubicomp Scenarios in HCI Classes. In Proceedings of the 21st Annual Conference of the Australian Computer-Human Interaction Special Interest Group (OZCHI 2009), vol. 411, pp. 105–112. ACM, New York.
● Tuten, T. L. (2008). Advertising 2.0: Social Media Marketing in a Web 2.0 World. Westport, CT: Greenwood.
All rights of images are reserved by the original owners*; the rest of the content is licensed under a Creative Commons by-sa 3.0 license.
* see references in each slide