Curiosity Killed the Cat and Other Cybersecurity Horror Stories

By Selena Templeton

In a recent Black Hat survey (note: opens a PDF in a new window), respondents described the weakest link in a business’ IT security as "end users who violate security policy and are too easily fooled by social engineering attacks.” If you’re shaking your head and thinking that people aren’t really that foolish, read about these two Black Hat sessions that prove otherwise.

Does Dropping USB Drives in Parking Lots and Other Places Really Work?

Let’s cut right to the chase. Yes. Dropping a USB drive in hopes that someone will pick it up, put it in their computer, and upload a virus or allow a cybercriminal to take over their computer WORKS. Why? It comes down to curiosity – the inherently human quality that no amount of security can prevent.

Elie Bursztein, who leads Google’s anti-abuse research (which invents ways to protect users against cybercriminal activities and Internet threats), and his team conducted a social engineering study in which they dropped 297 USB drives all across the University of Illinois campus – in parking lots, classrooms, hallways, etc. Some USB drives had labels saying such things as “Final Exam Answers” and others were nondescript, but it turns out that what the USB drive looked like was statistically insignificant. People just like picking up shiny objects off the ground.

Here’s what happened:

·       297 USB drives were dropped
·       290 were picked up - nearly all of them
·       135 were plugged into a computer - nearly half

USB Activity

This means that 45% of these random, unknown USB drives were voluntarily inserted into a person’s personal computer. Folders labeled “pictures” were opened the most, followed by documents labeled “resume.”

Because these USB drives were traceable, users were later asked why they put these devices into their computers.

·       68% said “to return USB”
·       18% said “curious”
·       14% said “other”

Reason for plugging in USB

So while their motives may have been pure (wanting to return the lost USB to its rightful owner), most people simply didn’t give a thought to security. Once again, this Black Hat session only confirmed that cybersecrity’s strongest adversary is human nature. Social engineering is defined as “the art of manipulating people so they give up confidential information,” but apparently there’s not much art to manipulating people, despite the constant warnings they’ve heard.

Exploiting Curiosity and Context: How to Make People Click on a Dangerous Link Despite Their Security Awareness

Zinaida Benenson, who leads the Human Factors in Security and Privacy Group at the IT Security Infrastructures Lab of the University of Erlangen-Nuremberg, Germany, went into detail about a study she had conducted about why so many people still click on unknown links despite the fact that we all know better – or ought to, anyway.

After sending an email to a group of people with a vague message that mentioned “the photos from the event,” she found that 20% of the recipients clicked on the link.

That’s bad enough, but after posting the same message on people’s Facebook page, 42.5% of them clicked on the link. In this case, Benenson’s team sent everyone a Friend request from a made-up profile with no info whatsoever on their page – which people accepted. The top two reasons stated for clicking on a link from an unknown source were “curiosity” and “I did not know the sender but wanted to see the pictures.”

According to PhishMe, over 90% of breaches are caused by successful phishing campaigns, which means that at the end of the day, no matter how secure your systems are, we still need to contend with the human factor. We teach our children not to get into cars with strangers, we teach our young adults not to have sex without protection, we teach people not to drive without buckling up – and yet for some reason, we blatantly disregard safety when it comes to cybersecurity.

With another Black Hat session so aptly titled 91% of Attacks Start with Email: Fix Your Human Firewall Flaws, it’s safe to say the theme of this year’s conference was humans versus security. I hear James Cameron is trying to option this for his next action/sci-fi movie….