In January 2020, we gave another lecture on social engineering and awareness at the University of Regensburg, Germany. During our interactive session, Master students had to invade the privacy of our fictional character Jessika. Each student became a social engineer for this course, and some of them managed to “hack” into Jessika’s GMX mailbox without using “hacking tools”.
This article is about becoming aware of the human factor that is crucial for information security.
Humans can be hacked, but there is no patch
Oftentimes, we see blogs and websites that are completely focused on technology when it comes to information security. They don’t talk about management of information security, or the human factor at all (read “How some ‘security’ blogs and websites actually cause insecurity”).
However, the human factor is crucial when it comes to information security. A skilled social engineer is able to remotely control other humans without getting caught. Victims of social engineering attacks either never realize that they helped the social engineer, or they realize it only when it is already too late. Actually, most of today’s attacks on information security heavily rely on social engineering.
The main reason for the success of social engineering is the “social” part of it: Humans are social beings with certain character traits. And character traits can be exploited. For instance, curiosity, anxiety, and boredom can be exploited. Look at a bunch of emojis to get an idea of exploitable characteristics.
Humans need workarounds since they can’t be patched. You can’t remove the character traits of a human with an update. However, you can frequently make people aware of the dangers of social engineering. In the following, that is the mission of Jessika.
I’m Jessika, and you don’t know me (so far)
I’m Jessika. I’m using some social network to post my thoughts, and to connect with other interesting people. Recently, I switched from Twitter to Mastodon. I don’t have that many followers there, but it looks interesting.
Here the students started with a single link to Jessika’s account on mastodon.social. Their task was to invade Jessika’s privacy. What’s her full name? Where does she live? When is her birthday? What are the names of her current and former employers? Does she have any pets? If yes, what are the names of her pets?
This is actually the first step of a social engineer: finding targets of interest (= exploitable humans), and collecting information about them. Nowadays, there are hundreds of social networks for different purposes. Most social networks expose information about you to the public internet. Some communities call this OSINT, open-source intelligence.
Jessika’s public activity on mastodon.social
After getting the link, the students opened mastodon.social. This is one of many Mastodon instances on the internet that are used by people to share short posts. Of course, most posts are publicly accessible.
By scrolling up and down, students found different pieces of Jessika’s life. For instance, she was on vacation in Innsbruck, Austria, and traveled by train. Obviously, she wasn’t alone, because she wrote “Hopefully, we will reach the connecting train to Regensburg”. This likely exposes her current place of residence, which could be Regensburg:
Later that day, Jessika posted about eating pizza. After this, she took a picture of an artificial owl (just a decorative item), and of her cat. While many students found the name of the cat (Xarina), some students even realized that the owl photo shows a GMX account in the background. GMX is an e-mail provider:
Jessika likes traewelling (pronounced like traveling)
In Jessika’s Mastodon feed, there were several cross posts from traewelling.de. traewelling is a German website that can be used to record all of your movements using public transport (trains, buses, trams, subways).
In Jessika’s case, students quickly realized the privacy implications of a public feed of all of Jessika’s movements: you can guess her place of work, you can guess the area where she lives, you can predict her daily movements, etc. Actually, this data is also very valuable for the average burglar, since everybody can see that Jessika isn’t at home:
Jessika’s professional profile on XING
Another link from mastodon.social pointed to XING, a social network for work-related activities (similar to LinkedIn). There, students found Jessika’s full name (Jessika Vogel), and the current and previous employers:
Then, the students looked at her courses of studies:
Finally, they found Jessika’s hobbies, interests, and the date of birth:
Putting everything together
After the students collected public information about Jessika, we put everything together:
Jessika Vogel is 28 years old. She lives in Regensburg. Last weekend, she traveled back from Innsbruck via Munich. She wasn’t alone on the train. She has a cat (Xarina), and she loves animals as well as hiking.
Jessika has worked as an IT project manager for two years. Previously, she did an internship in IT project management. She holds Master of Science and Bachelor of Science degrees in business informatics (University of Regensburg). She speaks German, English, and a little Portuguese and French. Today, she commuted to work using bus number 31, shortly after 7 am. She misses her two-week long vacation in Austria.
Some students used this information to access Jessika’s mailbox on GMX. This was possible, because she used a very weak and easy-to-guess password (“Xarina1992”). Of course, accessing somebody’s mailbox exposes another load of extremely useful information:
This was only the first step of a likely successful social engineering attack. Attackers can use this information to connect with Jessika, exploiting her interests and characteristics, or they can collect more information about Jessika’s family, friends, colleagues, and other important people in Jessika’s life. It is also easy to impersonate Jessika due to the full access to her mailbox.
Of course, Jessika doesn’t exist. We crafted everything so that the Master students could conduct social engineering. However, real-world attacks show that there are actually many such social media profiles exposing information about people. Attackers can use this information to exploit you and other people around you. For instance, look for “Robin Sage”, a fictional American cyber threat analyst, on the internet.
Keep the following in mind:
- Just migrating from social network A to social network B doesn’t protect your data. Be aware that publicly posted information is public, and can be found with automated tools.
- Online archives may keep your publicly posted information on the internet forever. So think twice before posting anything.
- Even single pieces of useless information can become valuable when combined with other pieces of information.
- Using the same username for many different accounts makes it easier for social engineers to find you.
Addressing the human factor is absolutely important for information security. In terms of the story of Jessika, you should keep in mind that every public activity on the internet can be misused for social engineering attacks. Social networks that claim to value your privacy still won’t protect your publicly posted information. Frequently check your social media profiles, delete unused accounts, and use strong credentials for authentication.
Some photos used for “Jessika’s” awareness campaign are from unsplash.com (CC0 license).