In 2008, an overwhelming majority of Londoners said they would give up their passwords for a candy bar. Time and again, employees happily use (infected) USB drives they found on the ground. And advanced-fee scam emails (also known as 419 or Nigerian scams) and other forms of phishing attacks still make the rounds.
You’d think that after all these years, people would be sophisticated enough to recognize elementary social-engineering attacks. [Editor’s note: Shortly after filing this Q&A, author Derek Slater opened a suspicious email attachment and entered his log-in credentials. He is filled with shame, shame, shame, and remorse.]
Chris Nickerson, founder of Lares Consulting, has made a career out of breaking into businesses that have paid him to test their security via both technical and social attacks. He says simple methods often still work, though persistent attackers may move on to more sophisticated and customized techniques, when they’re aiming at a specific, high-value victim.
We spoke with Nickerson—a U.S. Navy veteran, former corporate-security architect, and frequent speaker at information security conferences—about what it takes to dupe a more paranoid target. Here’s an edited transcript of our conversation.
Candy bars, USB drives, phishing—do those kinds of simplistic scams work on reasonably paranoid people?
I have a kind of psycho story about that candy bar study. It sounds totally ridiculous. I read it and said, “This has to be B.S.” Then I said, “OK, if this is real, I’m going to do it at a real client that really has some super hard-core security.”
We set up a fold-up table inside the courtyard of the client’s building, with a bunch of generic marketing collateral, and we set up a password-scoring mechanism. If you had the highest score, you’d win the first prize, which was a bottle of Veuve and some tickets, like a date night package. The lowest prize—just for participating—was a candy bar.
We ended up with 40 to 50 people waiting in line at lunch time to do this exercise, where the whole time we were stealing their passwords. It was just crazy.
And that’s at a company with good security controls. How should companies toughen them?
People are people; they’re going to talk to other people, and they’re going to do risky stuff. They can make choices. The key is that the more informed they are, the safer those choices will be.
When talking to strangers, there are indicators of manipulation: urgency, authority, submission, overpowering, bullying aggression. You teach people that when you see or sense those indicators, you should put your guards up and provide less information. The best step is to shut the conversation down altogether.
Let’s say a company teaches what you’re suggesting. What would it then take to compromise it?
The most fun thing you can do on a computer is click something. If you click on something, and it doesn’t work, what do you do next? You click on it 15 more times, because you really want to see what’s behind Door No. 1.
As long as there’s bait of some interest—a promise of time savings or free money or whatever—some people are going to say, “I want to see what that is.” Humans are humans. But that does not mean that all is lost, and everyone has to turn their computer off and go back to working on paper.
You don’t need to understand every bit and byte, but it’s important to take some basic safety precautions. They should know why to be wary of email attachments, why to give only as much personal information as is necessary, and why to keep their software updated.
How would I successfully attack a very sophisticated security expert?
Very often, you’ll find individuals communicating in a specific or predictable way. Let’s say there are corporate communications around an upcoming holiday party. If you know that updates about that party will be coming out in a certain time frame, you could interject phishing messages around it, along with the natural flow of communications.
Or let’s say you’re attacking an information security expert who wants to speak at big conferences. You may be able to use the conference organizer as a middleman. Maybe there’s some sort of video release form he has to sign—so you compromise the organizer and put a zero-day exploit in one of those documents. The speaker is expecting that document, so he’s going to download it or sign it without hesitation.
How can people become more secure without unreasonably hampering their lives?
My first piece of advice to anyone is to practice password hygiene. Guidance around passwords has been very poor. Some people advise: “Has to have uppercase and lowercase letters, can’t be a word, has to be 20-characters long.”
Because people don’t have a good method to deal with unreasonable requirements, they cheat and get around it and use the same password for everything.
My own system is to use a phrase that’s easy for me to remember, then tweak it a little bit for each site. I then surround that phrase with some numbers at the beginning and some more at the end. Now I have a very long, complex password that’s different for every site, and I have a system to remember it.
Another solution is using password managers such as LastPass. It’s super easy. You only have to remember one password.
Second, every time your computer pops up a window that says Windows or OS X needs to install updates—every time you click to defer that message rather than going through with the update, you are accepting getting hacked. Many of those updates include important vulnerability patches.
And third, practice safe computing. If some stranger sends you an email saying he’s going to give you money, that’s obviously not real. In no way, shape, or form has anyone, at any point in your life, walked up to give you $20,000.
It’s not different just because you’re online.