Exploiting Curiosity and Context
-
Upload
mark-smith -
Category
Technology
-
view
754 -
download
0
Transcript of Exploiting Curiosity and Context
![Page 1: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/1.jpg)
1
![Page 2: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/2.jpg)
• Jointworkwith─ FreyaGassmann,UniversityofSaarland,Germany
─ RobertLandwirth,FAUofErlangen-Nuremberg,Germany
• Acknowledgmentsfordatagatheringandanalysis─ NadinaHintz,AndreasLuder,AnnaGirard,GastonPugliese
2
![Page 3: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/3.jpg)
• Studiedmath(Russia)&computerscience(Germany)• PhDincomputerscience(2008),Germany
─ Accesscontrolprotocolsforwirelesssensornetworks• ResearcheratFAU,Germany
─ Friedrich-Alexander-UniversitätErlangen-Nürnberg• HumanFactorsinSecurity&PrivacyGroup
─ Groupleader
3
IntroducRon
![Page 4: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/4.jpg)
Agenda
• Spearphishingstudies─ Designðics─ Study1!piTalls&lessonslearnt
─ Study2!recommendaRons
• Roleofsecurityawareness• ChallengesinpatchinghumanvulnerabiliRes
4
![Page 5: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/5.jpg)
Technicalvs.HumanVulnerabiliRes• TechnicalvulnerabiliRes
─ Found!patch/redesign/acceptrisk
• HumanvulnerabiliRes─ Knowhowtoexploit─ Doweknowhowtopatch?• IssecurityawarenessTHEsoluRon?
5
![Page 6: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/6.jpg)
SpearPhishing
• Academicresearch:>1000paperssince2004
• Phishingasaservice(PhaaS)─ KnowBe4,PhishMe,WombatSecurity,manyothers
─ PentesRngthehumans
6
![Page 7: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/7.jpg)
Whatdon’tweknowyet?
7
![Page 8: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/8.jpg)
ResearchQuesRons
• Emailvs.Facebook
─ Differenceinclickingrates?• Reasonsforclickingandnotclicking?
─ Whycansomepeopleprotectthemselvesbeeerthantheirpeers?
─ WouldknowingthisprovideusefulinformaRonfordefenders?
8
![Page 9: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/9.jpg)
StudyIdea
• Simulatedaeack
─ Sendspearphishingmessageswithalink
─ Senders:non-exisRngpersons─ RecruituniversitystudentsforparRcipaRnginthestudy• Email/Facebook
• Measureclickingbehavior
• Asktheminafollow-upsurveywhytheyclicked/didnotclick9
![Page 10: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/10.jpg)
MessageHey<receiver’sfirstname>,herearethepicturesfromthelastweek:hep://<IPaddress>/photocloud/page.php?h=<USERID>
Pleasedonotsharethemwithpeoplewhohavenotbeenthere:-)SeeyounextRme!<firstnameofthesender>
10
accessdenied
![Page 11: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/11.jpg)
Ethics:Recruitment
─ Don’texperimentwithpeoplewithouttheirconsent!
─ ParRcipantsrecruitedforasurveyabout“onlinebehavior”• Notinformedbeforehandabouttherealpurposeofthestudy
─ IncenRve:win10x10EURonlineshoppingvoucher─ Time:August/September2013
11
![Page 12: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/12.jpg)
Ethics:ConnecRngBehaviorwithSurvey
12
sendmessagewithindividuallink
waitRll“enough”peopleclickedsendsurvey
withindividuallink
Surveyshouldbeanonymous!validityoftheanswers
![Page 13: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/13.jpg)
13
sendmessagewithindividuallink
wait3weeks sendanonymoussurveyask:clickedornot?
FinalDesign
![Page 14: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/14.jpg)
Study1:Clicked
14
0%
50%
100%
email Facebook
56%
38%
89/158 90/240
StaRsRcallysignificantdifference
![Page 15: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/15.jpg)
Study1:SurveyAnsweredsurvey:85%(339outof398)
15
0%
50%
100%
reallyclicked reportedthatclicked
68/339179/398
45%
20%
![Page 16: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/16.jpg)
Study2:DesignChanges
16
OnJanuary7th,2014:Hey,theNewYearpartywasgreat!herearethepictures:hep://<IPaddress>/photocloud/page.php?h=<USERID>
sendmessagewith
individuallink
ifclicked!wait24h senddifferentsurveylinksviaemailandonFacebook
ask:clickedornot?ifdidnotclick!wait7days
![Page 17: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/17.jpg)
Study2:Clicked
17
0%
50%
100%
email Facebook
119/280194/975
20%
42.5%
StaRsRcallysignificantdifference
![Page 18: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/18.jpg)
AddressingbyNameImportantviaemail,butnotonFacebook?
Disclaimer:Study1≠Study2!!!!Differentmessages
18
0%
50%
100%
Study1:email Study2:email Study1:Facebook Study2:Facebook
20%
42.5%56%
38%
StaRsRcallysignificantNotsignificant
![Page 19: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/19.jpg)
BothStudies:FactorsNotStaRsRcallyCorrelatedtoClicking
• Genderofsender• Genderofreceiver• FriendrequestonFacebook• AmountofinformaRononsender’sFacebookprofile
19
![Page 20: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/20.jpg)
20
![Page 21: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/21.jpg)
Study1vs.Study2:SurveyReliability
21
0%
50%
100%
Study1:actuallyclicked
Study1:reportedthatclicked
Study2:actuallyclicked
Study2:reportedthatclicked
25%16%
45%
20%
![Page 22: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/22.jpg)
Study1vs.Study2:SurveyReliability
22
0%
50%
100%
Study1:actuallyclicked
Study1:reportedthatclicked
Study2:actuallyclicked
Study2:reportedthatclicked
25%16%
45%
20%
![Page 23: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/23.jpg)
0%
50%
100%
Email:actuallyclicked
Email:reportedthatclicked
Facebook:actuallyclicked
Facebook:reportedthatclicked
Study2:Emailvs.FacebookSurveyReliability
• Email:ok• Facebook:???
23
15.5%20% 18%
42.5%
![Page 24: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/24.jpg)
ReasonsforClicking:Results• Curiosity:34%
24
![Page 25: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/25.jpg)
“Curiosity”
• “Iwascurious”• “Iwantedtoseewhatisthere”• “Outofinterest”• “Iwantedtofindoutmoreaboutthepictures”
• “Ididnotknowthesender,butwantedtoseewhoisonthepictures”
25
![Page 26: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/26.jpg)
ReasonsforClicking:Results(somepeoplereportedmulRplereasons)
• Curiosity:34%• FitsmyNewYearparty:27%
• InvesRgaRon:17%• Knownsender:16%
• Trustintotechnicalcontext:11%
26
![Page 27: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/27.jpg)
“TrustIntoTechnicalContext”• “Mycomputerblocksaccessifthereisavirusproblem”
• “Iknew,ifthiswassomethingdangerous,myKasperskywouldprotectme”
• “IuseFirefoxandMacOS,soI’mnotafraidoftheviruses”
• “IusedTorBundle”
• “AOerIgoogled,photocloudseemedtobeacleanwebsite”
• “Igoogledtheemailaddress[…]Ifoundnothing”
• “IPcamefromtheuniversity”
• “Iconsiderthewebmailoftheuniversitytobesafe”27
![Page 28: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/28.jpg)
ReasonsforClicking:Results(somepeoplereportedmulRplereasons)
• Curiosity:34%• FitsmyNewYearparty:27%
• InvesRgaRon:17%• Knownsender:16%
• Trustintosystem:11%
• Reallypicturesofme?7%
28
![Page 29: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/29.jpg)
ReasonsforNon-Clicking(somepeoplereportedmulRplereasons)
• Unknownsender:51%• Virus/Spam/Phishing/Scam/Fake:44%
• DoesnotfitmyNewYearcelebraRon:36%
• Doesnotfitmywayoflife:12%
• InvesRgaRon:6%─ FBprofile:2%
29
![Page 30: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/30.jpg)
DidNotClickBecauseOfPrivacy(6%)
• “It(themessage)seemedtobeprivate”
• “Ithoughthemessagewasgenuineandwantedprotectprivacy”
• “Itsaid:pleasedon’tclickifyoudon’tknowme”
• “Themessagewasnotforme”
• “Ididnotseeanyreasontolookupprivatepicturesofastrangerwhoobviouslymadeamistake”
30
![Page 31: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/31.jpg)
FactorsNotStaRsRcallyCorrelatedwithReportedClicking
• ITsecurityknowledge(self-assessed)
• Knowledgethatemailsendercanbespoofed
• Knowledgethatlinkscanbedangerous
31
![Page 32: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/32.jpg)
AvtudetowardsParRcipaRonintheStudy(-3=verynegaRve,3=veryposiRve)
32
0
10
20
30
-3 -2 -1 0 1 2 3
non-clickersclickers
%
%
%
%
![Page 33: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/33.jpg)
ShouldSuchStudiesbeConductedinTheFuture?
33
yesnonotsure
2%
85%
13%
![Page 34: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/34.jpg)
LimitaRons
• Study1≠Study2─ OnlytentaRvecomparisonsacrosstwostudies!
• Validityofthereasons─ Cannotlookintopeople’sheadsatthemomentofclicking
• “reportedclickers”≠“realclickers”
34
![Page 35: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/35.jpg)
Lesson1:TargeRng• Curiosity/Interest
─ 78%knewthatlinkscanbedangerous• Context
─ Knownsender• 82%knewthatsendercanbespoofed
─ Plausibility:situaRon&expectaRons• Facebook:dopeoplenoRcethattheyclicked?
35
![Page 36: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/36.jpg)
Lesson2:RequirementsonUsers• Besuspicious:
─ Evenifyouknowthesender─ EvenifthemessagefitsyourcurrentsituaRon
─ EvenifthemessagefitsyourworkandlifepracRces
• Besuspiciousofeverything!
36
![Page 37: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/37.jpg)
DecepRonMode
37
![Page 38: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/38.jpg)
Letmeintroduce…• Highlytrainedspecialagent• Alotofpeoplewanttokillhim
• (Almost)anypersoninhislifecanbeatraitor
• HastobeindecepRonmodeineverylifesituaRon
• Doeshisjobexcellently• Doesnotexist"
38
![Page 39: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/39.jpg)
WantYourEmployeesBeAwareofSpearPhishing?• WantthemtobeinJamesBondmodeeveryRmetheyreadamessage?
39
• AddthistojobdescripRons• Makesuretopaythemadequately
accounRngsales
humanresources customersupport
publicrelaRons
![Page 40: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/40.jpg)
BeingSecurityAware:PersonalAdventures
40
![Page 41: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/41.jpg)
PersonalExample1:Curiosity/Interest(anonymized)
41
![Page 42: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/42.jpg)
From:[email protected]
Subject:CNNrequest--aboutyourupcomingBlackHattalk
Zinaida,
JohnatCNNhere.I’mthenewsnetwork’scybersecurityreporter.Here’salinktomywork,incaseyou’renotfamiliarwithit.
IsawthedescripRonofyourupcomingBlackHattalk.YourtopiclooksfantasRc!
Canwegetanexclusivelookatyourresearchandwritethefirstnewsstoryaboutit?
Cheers,
JohnSmith
![Page 43: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/43.jpg)
PersonalExample2:Context(anonymized)
43
![Page 44: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/44.jpg)
From:JournalofExperiments(EXPE)[email protected]:[email protected]:InvitaRontoPeerReviewEXPE-M-35-00737DearDr.Benenson,InviewofyourexperRse[…][…]Ifyouwouldliketoreviewthispaper,pleaseclickthislink:hep://expe.editorial-expe.com/l.asp?i=35189&l=GKXKMQKIfyoudonotwishtoreviewthispaper,pleaseclickthislink:hep://expe.editorial-expe.com/l.asp?i=87665&l=6HN7KKBestregards,Editor<nameI’veneverheardof>
44
![Page 45: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/45.jpg)
From:JournalofExperiments(EXPE)[email protected]:[email protected]:InvitaRontoPeerReviewEXPE-M-35-00737DearDr.Benenson,InviewofyourexperRse[…][…]Ifyouwouldliketoreviewthispaper,pleaseclickthislink:hep://expe.editorial-expe.com/l.asp?i=35189&l=GKXKMQ
Ifyoudonotwishtoreviewthispaper,pleaseclickthislink:hep://expe.editorial-expe.com/l.asp?i=87665&l=6HN7KKBestregards,Editor<nameI’veneverheardof>
45
![Page 46: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/46.jpg)
FirstClick,ThenNoRce:MessagestoHelpdeskD.Caputoetal."Goingspearphishing:Exploringembeddedtrainingandawareness.“
IEEESecurity&PrivacyMagazine,2014
• “IclickedonitinadvertentlywithoutthinkingandexitedExplorerwithoutreadingthelink.”
• “Ijustopenedthis.Thenfollowedlinklikeanidiot.ThenkilledtheprocessusingTaskManager.Pleaseadviseaswhattodo.”
• “Ican’tbelieveIactuallyclickedonthelink!Letmeknowifthere’ssomethingIneedtodotoensuremylaptopisn’tinfected,orifthisisjustaprank.”
46
![Page 47: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/47.jpg)
PersonalExample3:AnAeachment(anonymized)
47
![Page 48: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/48.jpg)
From:setup@company-I’m-dealing-with.comTo:[email protected]
Subject:MessageID:23519-0297:FRT-92362.WorkitemNumber:CMPVDM24062016157789020297
Aeachment:aeach/15072016/29375.docx
48
![Page 49: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/49.jpg)
Hi,Pleaseseerequestdetailsbelow.PleaseprovidetherequiredinformaRonbyreplyingtothisemail.QueryReason:Bankingdetails
WorkitemNumber:CMPVDM24062016157789020297
CreatedDate:15-Jul-2016
Name:ZinaidaBenenson
Comments:DearSir/MadamInorderforustocompletethesetupofyouraccountwithin
oursystem,weneedyourbankaccountdetailstowhichseelementofyourinvoicesshouldbemade.Pleasecompletetheaeachedforminfullandreturntous,ensuringithasbeensignedbyanauthorizedsignatory.
49
![Page 50: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/50.jpg)
Lesson3:PentesRng&PatchingHumans
• WhatarethereasonsforineffecRvenessofanawarenesstraining?─ Curiosity/interest!natural&creaRvehumantraits
─ “ThismessagefitsmycurrentsituaRon”/“Iknowthesender”!usefuldecisionalheurisRcs
• WhatpriceuserspayforaneffecRveawarenesstraining?─ JamesBondmode
─ FalseposiRves?Workslowdown?
─ BreakdownofsocialrelaRonships?Atmosphereofdistrust?
─ Embarrassment?Shame?Anger?
50
![Page 51: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/51.jpg)
FeasibleUserInvolvement?• Reportsuspiciousmessages?
─ Bepreparedtoget“amateursecurity”!(BruceSchneierabout“Ifyouseesomething,saysomething”)
• Reliableindicatorsforswitchinginto“JamesBondmode”─ FalseposiRvesdestroytrustintotheindicator─ Digitallysignmessages• Non-expertsmisinterpretmeaning/don’tnoRce• CanbesocialengineeredintoaccepRnganinvalidsignature
• Stopsending“phishy”legiRmatemessages
• Expectmistakes 51
![Page 52: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/52.jpg)
KeyTakeaways• Spearphishing:whatdefenseisfeasibleandbeneficialforhumans?
─ Peoplewon’tandcan’tabstainfromdecisionalheurisRcs─ Don’trequirepermanentJamesBondmode
• PentesRngandpatchinghumansistricky─ Whatdoyouwantpeopletodo?─ Thinkaboutconsequencesforpeople&forcompany─ Alwaysaskconsent
• Talktotheusers─ AutomatedobservaRonandmeasurementarenotenough─ Askdirectlyabouttheirexperiences,opinions,workpracRces
52
![Page 53: Exploiting Curiosity and Context](https://reader031.fdocuments.us/reader031/viewer/2022030312/58ee232d1a28ab1c3e8b472f/html5/thumbnails/53.jpg)
Thankyou!QuesRons?
PleasecompletetheSpeakerFeedbackSurveys
ZinaidaBenenson
53
Research&evidenceneeded!Ifyourcompanyisinterested,pleasetalktome