usability social engineeringkursawe/sio2011/slides/humanasp.pdf · usability social engineering ....
TRANSCRIPT
Human aspects in Security
Usability
Social Engineering
Follow-on: EULA
8. Exclusion and Limitation of Liability TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL THE RIGHTHOLDER OR ITS PARTNERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, PUNITIVE, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS OR CONFIDENTIAL OR OTHER INFORMATION, FOR BUSINESS INTERRUPTION, FOR LOSS OF PRIVACY, FOR CORRUPTION, DAMAGE AND LOSS OF DATA OR PROGRAMS, FOR FAILURE TO MEET ANY DUTY INCLUDING ANY STATUTORY DUTY, DUTY OF GOOD FAITH OR DUTY OF REASONABLE CARE, FOR NEGLIGENCE, FOR ECONOMIC LOSS, AND FOR ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE SOFTWARE, THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT OR OTHER SERVICES, INFORMATON, SOFTWARE, AND RELATED CONTENT THROUGH THE SOFTWARE OR OTHERWISE ARISING OUT OF THE USE OF THE SOFTWARE, OR OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS AGREEMENT, OR ARISING OUT OF ANY BREACH OF CONTRACT OR ANY TORT (INCLUDING NEGLIGENCE, MISREPRESENTATION, ANY STRICT LIABILITY OBLIGATION OR DUTY), OR ANY BREACH OF STATUTORY DUTY, OR ANY BREACH OF WARRANTY OF THE RIGHTHOLDER OR ANY OF ITS PARTNERS, EVEN IF THE RIGHTHOLDER OR ANY PARTNER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. YOU AGREE THAT IN THE EVENT THE RIGHTHOLDER AND/OR ITS PARTNERS ARE FOUND LIABILE, THE LIABILITY OF THE RIGHTHOLDER AND/OR ITS PARTNERS SHALL BE LIMITED BY THE COSTS OF THE SOFTWARE. IN NO CASE SHALL THE LIABILITY OF THE RIGHTHOLDER AND/OR ITS PARTNERS EXCEED THE FEES PAID FOR THE SOFTWARE TO THE RIGHTHOLDER OR THE PARTNER (AS MAY BE APPLICABLE). NOTHING IN THIS AGREEMENT EXCLUDES OR LIMITS ANY CLAIM FOR DEATH AND PERSONAL INJURY. FURTHER IN THE EVENT ANY DISCLAIMER, EXCLUSION OR LIMITATION IN THIS AGREEMENT CANNOT BE EXLUDED OR LIMITED ACCORDING TO APPLICABLE LAW THEN ONLY SUCH DISCLAIMER, EXCLUSION OR LIMITATION SHALL NOT APPLY TO YOU AND YOU CONTINUE TO BE BOUND BY ALL THE REMAINING DISCLAIMERS, EXCLUSIONS AND LIMITATIONS.
Incident of the Week
“You could spend a fortune purchasing
technology and services...and your network infrastructure could still remain vulnerable to old-fashioned manipulation.” -Kevin Mitnick “Amateurs hack systems. Professionals
hack people.” -Bruce Schneier
What is Social Engineering?
• Uses Psychological Methods
• Exploits human tendency to trust
• Goals are the Same as Hacking
• Our Definition—Manipulation of human beings to obtain information or confidence pertaining to the security of networked computer systems (with malicious intent)
Social Engineering
• Use a plausible story, or just bully the target
– ‘What’s your PIN so I can cancel your card?’
– ‘You have a virus, you need to install our patch’
• Frank Abagnale ‘Catch me if you can’
• Kevin Mitnick ‘Art of Deception’
• Traditional responses:
– mandatory access control
– operational security
Social Engineering: Why it works
• Social psychology: – Solomon Asch, 1951: two-thirds of subjects would deny
obvious facts to conform to group • Line experiment
– Stanley Milgram, 1964: a similar number will administer torture if instructed by an authority figure • “Teaching by torture” experiment
– Philip Zimbardo, 1971: you don’t need authority: the subjects’ situation / context is enough • “Prison Guard Experiment”
– Simons,Chabris Selective Attention Test, 2010
The Mind of a Social Engineer
• More like actors than hackers
• Learn to know how people feel by observing their actions
• can alter these feelings by changing what they say and do
• make the victim want to give them the information they need
Approaches
• Carelessness
• Comfort Zone
• Helpfulness
• Fear
Careless Approach
• Victim is Careless
– Does not implement, use, or enforce proper countermeasures
– Does not understand value of assets they reveal
• Used for Reconnaissance
• Looking for what is laying around
• Especially easy since social media
– Facebook, Linkedin, Twitter, IMDB, …
Careless Examples
• Dumpster Diving/Trashing
– Huge amount of information in the trash
– Most of it does not seem to be a threat
– The who, what and where of an organization
– Knowledge of internal systems
– Materials for greater authenticity
– Intelligence Agencies have done this for years
Careless Examples (cont.)
• Building/Password Theft
– Requires physical access
– Looking for passwords or other information left out in the open
– Little more information than dumpster diving
Careless Examples (cont.)
• Password Harvesting
– Internet sweepstakes, simple services
– Based on the belief that people don’t change their passwords over different accounts
– Given the number of accounts normal users have, that’s a fairly good assumption
Careless Examples (cont.)
• Give out small goodies to get malware on
– Free USB sticks
– Games, Corrupted websites
Comfort Zone Approach
• Victim organization members are in a comfortable environment
– Lower threat perception
– Implicit trust
• People already in the building belong there
• Other members of my Rabbit-Breeding club can’t be bad
• Usually requires the use of another approach
Comfort Zone Examples
• Impersonation – Could be anyone
• Tech Support
• Co-Worker
• Boss
• CEO
• User
• Maintenance Staff
– Generally Two Goals • Asking for a password or other authentication information
• Building access - Careless Approach
Comfort Examples (cont.)
• Shoulder Surfing
• Direct Theft – Outside workplace
– Wallet, id badge, or purse stolen
• Smoking Zone – Attacker will sit out in the smoking area
– Piggy back into the office when users go back to work
Comfort Examples (cont)
• Insider Threats
– Legitimate employee
– Could sell or use data found by “accident”
– Result of poor access control
– Asking for favors from IT staff for information
• Usually spread out over a long period of time
Helpful Approach
• People generally try to help even if they do not know who they are helping
• Usually involves being in a position of obvious need
• Attacker generally does not even ask for the help they receive
Helpful Examples
• Piggybacking – Attacker will trail an employee entering the
building
– More Effective: • Carry something large so they hold the door open for
you
• Go in when a large group of employees are going in
– Pretend to be unable to find door key
Helpful Examples (cont.)
• Troubled user
– Calling organization numbers asking for help
– Getting a username and asking to have a password reset
Fear Approach
• Usually draws from the other approaches
• Puts the user in a state of fear and anxiety
• Very aggressive
Fear Examples
• Conformity
– The user is the only one who has not helped out the attacker with this request in the past
– Personal responsibility is diffused
– User is violating social norms by not helping
– User gets justification for granting an attack
Fear Examples (cont)
• Time Frame
– Fictitious deadline
– Impersonates payroll bookkeeper, proposal coordinator
– Account will be deactivated immediately if not fixed
– Asks for password change
Fear Examples (cont)
• Importance
– Classic boss or director needs routine password reset
– Showing up from a utility after a natural occurrence (thunderstorm, tornado, etc)
– User has already messed up (e.g., gotten a virus) and now needs to help fix it
• e.g., a new virus that is recognized by having the file /windows/system32/igfxsrvc.dll
Advanced Attacks
• Attacker takes a lot of time to gain confidence
– Gather information about target victims
– Understand processes in target organization
– Combination of social engineering with real hacking
– Patient attack (e.g., wait until key people are on vacation)
Human “Authentication”
• Sum of many pieces – Appearance
• Well dressed people don’t lie
– Language Style • Speak the lingo of the people you interact with
– Pieces of Knowledge • Birthday, Telephone number
– Context • E.g., Internal Telephone number
• All of these individually can be faked
Escalation of Authentication
• Slow escalation of access & information
– Use information about victims to get more information
• E.g., impersonate as a high school acquaintance to become facebook friend
• Use building access to get to elevator phone (internal phone number)
There is no innocent knowledge
• Every piece of knowledge can be used to “authenticate” to get more knowledge – E.g., knowing your name and birthday I can convince you
we’ve met before
– Most people will be too embarrassed to admit they have no clue who you are
• Information you consider harmless may be used to harm other people
• Who remembers what question they put into their security questions ? – The whole point is that it’s a question you can forget about
Yahoo Mail Security Questions
• Indirection: Other people may know that too
– Your siblings know your childhood questions
– Your classmates know your school teachers
• Prominent Cases
– Sarah Palin: Where did you meet your husband ?
– Mass attack on 3000 mail accounts
Abusing Complexity of Processes
• Most users have no idea how their organization/ services work exactly
• An attacker with that understanding can perform innocent looking actions whose consequences no one foresees
Abusing Complexity Of Processes
• Frank Abagnale: Advanced check fraud
Use priority of automated reading over human readable one Cause errors in the processing chain to win time
Combating Social Engineers
• User Education and Training
• Identifying Areas of Risk
– Tactics correspond to Area
• Strong, Enforced, and Tested Security Policy
User Education and Training
• Security Orientation for new employees
• Yearly security training for all employees
• Weekly newsletters, videos, brochures, games and booklets detailing incidents and how they could have been prevented
• Signs, posters, coffee mugs, pens, pencils, mouse pads, screen savers, etc with security slogans (I.e. “Loose lips sink ships”).
• This doesn’t help much for external, highly volatile personnel (e.g., cleaning personnel)
K. Salah 36
Warning Signs of an Attack
• Refusal to give callback number • Out-of-ordinary request • Claim of authority • Stresses urgency • Threatens negative consequences of noncompliance • Shows discomfort when questioned • Name dropping • Compliments or flattery • Flirting
Train users how to combine politeness with security
• Offer to call back on fishy requests
• Strong policies to give users an excuse to say No
• Ready-available list of phone numbers of qualified personnel to deal with a request
• Prepare verification questions
– “Isn’t John normally in charge of this ?”
Penetration Testing
• Have regular security tests involving social engineering
• Users should expect there are consequences if they fail such tests
• Assure every action leaves audit trails to detect attacks
• Embedded testing: Automatically send test mails to keep phishing awareness high
Paternalistic Security
• Protect users from themselves: The user is the enemy!
• If you assume users are all malicious, they also cannot involuntarily collaborate with an attacker
• Disadvantage – No user-buy in
– Users may be tempted to fight the security measure to get work done
Interaction between real-and IT world
• Personal information should not be used to identify to computer systems
• Give users a chance to set their own security
– “I need to change my mothers maiden name”
Attacker Interaction
Attacker Interaction
All security mechanism will influence the attacker
• Stop it all and become a good citizen (unlikely)
• Go attack someone else
• Shift attack patterns somewhere else
Bad Example: South African car theft
In the late 90’s, the amount of car thefts in South Africa increased dramatically Security Response: Car immobilizer make it impossible to hotwire a car
Bad Example: South African car theft
Response of the Thieves: Car Jacking, Armed assaults Security Response: Remote activated theft protection
Bad Example: South African car theft
Response of the Thieves: Car Jacking turned to kidnapping Security Response: Armed cars
Due to “enhanced” security, people now die when their cars are stolen
Xbox Attacks
The main attack on the Xbox was done by people trying to run Linux on it As a side effect, the copy protection got hacked
Why did the PS/2 never get hacked that way ?
Sony released Linux for the PS/2 The most talented hackers stayed away, as there was no glory to get here The PS/2 was hacked weeks after it was locked down
Training your attackers: Set Top Box
The first set-top boxes had rather poor security. Mildly trained and equipped hackers quickly hacked it for themselves, for friends, for friends of friends. Security increased slowly enough for the hackers to learn Now, they are well trained, well equipped, and have a stable distribution network
Lessons in Attacker Interaction
• Consider where the attackers may go to circumvent your measures. This may be worse than the initial attack
• Don’t motivate attackers to join forces. Also, sometimes one can sacrifice low value assets to protect high value ones
• Don’t train your attacker. Bad security can be worse than none.
Usability
Why Jonny can’t encrypt
• User study on Encryption/ Authentication program PGP 5.0
– 90% of users could not get it right given 90 minutes
– Private / public, encryption / signing keys, plus trust labels was too much – people would delete or publish their private keys
Why Jonny can’t encrypt
Usability Evaluation (12 users)
• 3 users accidentally sent the message in clear text
• 7 users used their public key to encrypt and only 2 of the 7 figured out how to correct the problem
• Only 2 users were able to decrypt without problems
• Only 1 user figured out how to deal with RSA keys correctly.
• A total of 3 users were able to successfully complete the basic process of sending and receiving encrypted emails.
• One user was not able to encrypt at all
Why Jonny can’t encrypt
What’s the difference between ‘validity’ and ‘trust’ ?
Different key types for compatibility, thus confusing symbols
Why Johnny Can’t Encrypt
Defining Usable Security Software (Whitten , Tygar)
Security software is usable if the people who are expected to use it:
1. are reliably made aware of the security tasks they need to perform.
2. are able to figure out how to successfully perform those tasks
3. don't make dangerous errors
4. are sufficiently comfortable with the interface to continue using it.
Psychological Acceptability
Saltzer & Schroeder : “The Protection of Information in Computer Systems”
• Psychological acceptability: It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly. Also, to the extent that the user's mental image of his protection goals matches the mechanisms he must use, mistakes will be minimized. If he must translate his image of his protection needs into a radically different specification language, he will make errors.
Psychological Acceptability Means
• Users won't jump through hoops if they don't understand why such measures are necessary
• Users will take advantage of security that doesn't impede their work, and will undermine it otherwise
Example Undermining
A hospital requires every personnel to password authenticate to access a computer.
Result: The first to come in the morning logged in, and never logged out
Typical password policies require a password change every month to a different password
Result: Most user passwords then end on a number indicating the version
Usability Design Principles
• Designing usable security is a new science
• This is not an excuse not to try
Security by default
• Provide basic installation and maintenance for all security critical services
• Perform compatibility tests to assure they are not in the way of the user
• Ideally, users are aware what is in place, but don’t need to operate it at all
Decisions
• Don’t push unnecessary decisions on the user.
– Designers are usually more competent to decide
– Users need to get work done, thus will usually say yes
Decisions
Understandable choices instead of dilemmas
User self-auditing
• Provide simple mechanisms for users to assist with security
• Users can audit their own activity:
– Your last login was at 12:29 PM on Dec 12, 2010 from yourmachine.cs.ru.nl; you logged in 17 times from there last month
• Users will audit their own activity a lot more aggressively than you will
Abandon pre-historic technologies
• Text-passwords are designed for mainframe operators
• Random text strings are about the worst thing for a human brain to remember
– Graphic passwords
– Key items
– Biometrics
Don’t undermine users that got it right
Your own sites shouldn’t require poor security behavior to be usable
• Don’t contradict your own messages
Indications that this is a phishing site
• No https for login/payment • wrong domain (not .mcafee.com) • link was send in email
Security Compromise
Password protection in an industrial control unit:
Send_Command
Password Required Password is “Topsecret”
Topsecret
Password accepted,
awaiting command
Security Compromise
Users are usually concerned with availability more than security
Sometimes, this is actually correct
System designers need to have deep understanding of the workflows to design security that is not in the way