Social Engineering
... and something called “Poor usability”. Who needs usability anyway? Pffff! Group no.: 6
SIN 14: Poor usability
Usability: something that is “easy to use”, e.g. user interfaces.
Sources (slide images): http://www.fierysource.com/wp-content/uploads/2008/12/widows7-desktop.png http://cache.gawkerassets.com/assets/images/4/2011/09/medium_iphone-vs-winmo.jpg http://fc02.deviantart.net/fs22/f/2007/354/1/5/Ubuntu_8_04_GUI_Design_Idea_by_Mossblaser.png
Usability is a challenge
- Hard to get it right
- Designing a UI for security is even harder: safety is not the user's priority
- Users will not spend effort on learning security
- Your design: there are many ways to “frack” things up!
Usability vs. information
- Too little appropriate information
- Too much information
- Too many messages (users learn to dismiss them without reading)
- Inaccurate or generic information
- Errors that show only an error code
Source: 24 Deadly Sins of Software Security (2009), p. 220; slide image: http://images.sixrevisions.com/2009/12/14-01_factors_usability_leadimage.jpg
Example: your router's security settings
- Do normal users know how to configure them?
- What about admins?
- Do you understand what all those settings do?
Source: http://thecaptainslatest.blogspot.com/2011/02/computer-update-securing-home-network.html
What to do...
- Know your users: how do they like to be served?
- Usability test: watch your users in action
- Security is NOT an option: make the (secure) choice for the users
- Guide the users: help them make the right choice
- ...Read books about good UI design! Face it, you are a security “expert”, not a UI designer
Source: 24 Deadly Sins of Software Security (2009), pp. 224-229
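An added example for the two usability slides above (it is not from the slides or from the book they cite): take a router-style set of security settings, report each weak one in a sentence the user can act on rather than an error code, and apply the secure choice wherever the software can make it for the user, leaving only the admin password for the user to change. The setting names, values, severities and the sample configuration are all assumptions constructed for this example, not any vendor's real configuration format.

```python
"""Added example: usable security findings for router-style settings.
All setting names and the sample configuration are constructed for this
example and do not correspond to any vendor's real configuration."""

from dataclasses import dataclass

# Constructed sample of what a home router's admin page might expose.
SAMPLE_CONFIG = {
    "wifi_security": "WEP",
    "wps_enabled": True,
    "remote_admin_wan": True,
    "upnp_enabled": True,
    "firmware_auto_update": False,
    "admin_password": "admin",
}

# Settings the software can safely decide on the user's behalf.
SECURE_DEFAULTS = {
    "wifi_security": "WPA2",
    "wps_enabled": False,
    "remote_admin_wan": False,
    "upnp_enabled": False,
    "firmware_auto_update": True,
}

# Vendor-default style passwords that must never be kept (constructed list).
WEAK_PASSWORDS = {"", "admin", "password", "1234", "12345678"}


@dataclass
class Finding:
    setting: str
    current: object
    recommended: object
    severity: str   # "high" or "medium"
    why: str        # one sentence in the user's language, not an error code


def audit(config):
    """Return a Finding for every weak setting; an empty list means nothing to fix."""
    findings = []
    sec = config.get("wifi_security", "OPEN")
    if sec not in ("WPA2", "WPA3"):
        findings.append(Finding("wifi_security", sec, "WPA2", "high",
            "Anyone nearby can read your Wi-Fi traffic or join your network; "
            "switch to WPA2 (or WPA3 if all your devices support it)."))
    if config.get("wps_enabled", True):
        findings.append(Finding("wps_enabled", True, False, "high",
            "The WPS PIN can be guessed in a matter of hours; turn WPS off and "
            "connect devices with the Wi-Fi password instead."))
    if config.get("remote_admin_wan", False):
        findings.append(Finding("remote_admin_wan", True, False, "high",
            "The admin page is reachable from the Internet; turn this off "
            "unless you really need it."))
    if config.get("upnp_enabled", True):
        findings.append(Finding("upnp_enabled", True, False, "medium",
            "Devices on your network can open ports to the Internet without "
            "asking you; turn UPnP off unless a device needs it."))
    if not config.get("firmware_auto_update", False):
        findings.append(Finding("firmware_auto_update", False, True, "medium",
            "Security fixes are not installed automatically; turn automatic "
            "updates on."))
    if str(config.get("admin_password", "")).lower() in WEAK_PASSWORDS:
        findings.append(Finding("admin_password", "(default)", "(new password)", "high",
            "The admin password is a factory default or easy to guess; choose "
            "a new one (this is the one setting only you can fix)."))
    return findings


def apply_secure_defaults(config):
    """Make the safe choice for the user. Returns (fixed_config, settings_left_to_user)."""
    fixed = dict(config)
    fixed.update(SECURE_DEFAULTS)
    needs_user = []
    if str(fixed.get("admin_password", "")).lower() in WEAK_PASSWORDS:
        fixed["admin_password_must_change"] = True   # force the prompt at next login
        needs_user.append("admin_password")
    return fixed, needs_user


def render(findings):
    """Plain-language lines, most severe first; no bare error codes."""
    order = {"high": 0, "medium": 1}
    return [f"[{f.severity.upper()}] {f.setting}: {f.current!r} -> {f.recommended!r}. {f.why}"
            for f in sorted(findings, key=lambda f: order[f.severity])]


if __name__ == "__main__":
    for line in render(audit(SAMPLE_CONFIG)):
        print(line)
    fixed, left = apply_secure_defaults(SAMPLE_CONFIG)
    print("left for the user:", left)
```

The point of the split between `audit` and `apply_secure_defaults` is the slide's "security is not an option": everything the software can decide is decided, and the user is asked only about the one thing the software genuinely cannot do for them.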
Social What-the-****
Social Engineering!
- Trick people into doing something you want (without hacking!)
- E.g. trick people into revealing their secrets
- The most secure systems in the world are still vulnerable!
- It's easier than you think!
Many ways of doing it
- Pretexting: create a scenario and engage a victim, gain their trust and use it to obtain information. E.g. impersonate a co-worker and ask about...!
- Phishing: obtain private information by fraud, typically via e-mail requesting e.g. credit card information from the victim.
- Diversion theft: “con” a person into delivering their goods somewhere other than intended. E.g. their secret information, to you!
- Baiting: the “real-world Trojan horse”. Leave some “infected” media (USB stick, CD, DVD, microSD, ...) where others will find it. When the media is inserted into a PC, an “autorun” can execute malware. (Caveat: current Windows versions do not AutoRun removable USB storage by default, so the bait usually needs the finder to open a file on it, or a device that presents itself to the PC as a keyboard.)
- Quid pro quo (something for something): call random phone numbers pretending to be IT support; eventually you reach someone who actually needs help. Trick them into giving you access to their system so that you can “help” them.
- And many more!
Source: http://en.wikipedia.org/wiki/Social_engineering_%28security%29
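An added example for the phishing item above (it is not from the slides or from the Wikipedia article they cite): a checker that reads one e-mail and reports the usual phishing tells, namely a display name that claims a brand the sender's domain does not belong to, a Reply-To that differs from From, link text that shows one site while the href points to another, a credential page served over plain http, internationalized (xn--) host names that may be lookalikes, and urgency wording in the subject. The sample message, the brand allow-list, the urgency words and the credential-path words are all constructed for this example.

```python
"""Added example: phishing indicators for a single e-mail, stdlib only.
The sample message, brand list and word lists are constructed for this
example; the domains in it are made up."""

import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing e-mail (all names and domains are made up).
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@example-bank-verify.com>
Reply-To: collector@mail.example.net
To: victim@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer, your account has been locked.</p>
<p><a href="http://login.example-bank-verify.com/reset">https://www.example-bank.com/login</a></p>
<p><a href="http://xn--exmple-cua.com/">Example</a></p>
</body></html>
"""

# Brands the organisation cares about and the domain each really uses
# (constructed allow-list; a real deployment would load this from policy).
KNOWN_BRANDS = {"example bank": "example-bank.com"}
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "locked", "suspended")
CREDENTIAL_PATHS = ("login", "signin", "reset", "verify", "password")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def same_org(host, domain):
    return host == domain or host.endswith("." + domain)


def phishing_indicators(raw):
    """Return (code, detail) pairs; an empty list means no indicator fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    sender = msg["From"].addresses[0]
    sender_domain = sender.domain.lower()

    if msg["Reply-To"] is not None:
        reply_domain = msg["Reply-To"].addresses[0].domain.lower()
        if reply_domain != sender_domain:
            found.append(("reply-to-mismatch", f"replies go to {reply_domain}, not {sender_domain}"))

    name = sender.display_name.lower()
    for brand, real_domain in KNOWN_BRANDS.items():
        if brand in name and not same_org(sender_domain, real_domain):
            found.append(("brand-domain-mismatch", f"{sender.display_name!r} sent from {sender_domain}"))

    subject = str(msg["Subject"] or "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        found.append(("urgency", f"subject uses {hits}"))

    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            target = urlparse(href)
            host = (target.hostname or "").lower()
            if "://" in text or text.startswith("www."):   # the text itself looks like a URL
                shown = host_of(text if "://" in text else "http://" + text)
                if shown and shown != host:
                    found.append(("link-mismatch", f"text shows {shown}, href goes to {host}"))
            if target.scheme == "http" and any(p in target.path.lower() for p in CREDENTIAL_PATHS):
                found.append(("plain-http-credential-page", href))
            if any(label.startswith("xn--") for label in host.split(".")):
                found.append(("idn-host", host))
    return found


if __name__ == "__main__":
    for code, detail in phishing_indicators(SAMPLE_EMAIL):
        print(f"{code:28} {detail}")
```

Each indicator is a weak signal on its own (plenty of legitimate mail has a different Reply-To), so a filter would score them rather than block on any one; the link-text-versus-href mismatch and the brand-versus-domain mismatch are the two that most directly correspond to what the user is being tricked about.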
Example: Phishing
$2 billion lost per year to phishing scams (Fulks, 2011)
Source: http://www.brighthub.com/internet/security-privacy/articles/99607.aspx
Example: Baiting (...sort of)
- 2 March 2006: a new kind of payment card theft emerged in Denmark
- Thieves broke into several supermarkets and installed “spy gear” (card-skimming hardware) inside the card terminals
- They smashed some things to make it look like a regular break-in, and left
- When customers later paid with their cards, the card data was stolen; hard to spot, even for professionals
- Several incidents have been reported since then
Source: http://nyhederne-dyn.tv2.dk/article.php/id-3778906:nye-tilf%C3%A6lde-af-dankortsvindel.html (Danish article, sorry!); slide image: http://multimedia.pol.dk/archive/00403/Dankortterminal_403322a.jpg
Countermeasures
- IT policies
- User education
- Physical security
- Two-phase (or more) security: require a second factor, so that a phished or skimmed credential alone is not enough
Concluding remarks
Poor usability
- Know your target audience
- Security is not an option
- Make the choices for the user
Social engineering
- The weakest link is the user
- Technical security is irrelevant without physical security
...Some places to start
- 24 Deadly Sins of Software Security
- Quick & dirty info on social engineering: http://en.wikipedia.org/wiki/Social_engineering_%28security%29
- Defenses against malicious USB flash drives: http://blogs.computerworld.com/test_your_defenses_against_malicious_usb_flash_drives
- 404 error pages (some principles also apply to e.g. 500 error pages): http://www.smashingmagazine.com/2007/08/17/404-error-pages-reloaded/
- Form design cheat sheet: http://www.smashingmagazine.com/2008/04/17/web-form-design-modern-solutions-and-creative-ideas/
- Resources on user interface design patterns: http://www.smashingmagazine.com/2009/06/15/40-helpful-resources-on-user-interface-design-patterns/
- Other stuff: Top 25 Software Errors: http://cwe.mitre.org/top25/