
SANS ISC: Why do we Click? - Internet Security | DShield SANS ISC InfoSec Forums


Why do we Click?
I hope everyone had a great weekend, and a great holiday for those in the U.S. We had a relatively quiet weekend, so I thought I would follow up on a question from SANSFire. It's a little less computer techie.

Introduction

At SANSFIRE 2013 I gave a talk about understanding online news and decided to follow up on a question from it. There were many talking points in that discussion, but the question of “Why do we click?” came up. There is no complete “technical” answer, but I will cover some factors. First, it is well known and accepted that when you are tired you make mistakes. A meta-analysis of self-control research discusses other factors that might contribute to "the click factor": diet, stress, and the difficulty of the current task can all reduce self-control (Hagger, Wood, Stiff, Chatzisarantis, 2010).
 

Details

 
What came out of this was a simple idea that might help. So simple we will likely ignore it :) There is usually not a good reason to check email at midnight, let alone 2AM [depending upon your sleep schedule, of course].
 
To recap:
 
  • When you are tired you might make mistakes.
  • When you are stressed and tired you are even more likely to make mistakes.
  • When you are stressed, hungry, and tired, the risk keeps compounding.
 
 
Personally, I consider all of our readers cynical by nature and somewhat suspicious; it's what we do, right? What about your <Insert_non_techie_Here> person? In my experience Sales Account Managers are a great stereotype to pick on! I know one CIO that uses the sales staff as mobile honeypots/malware collection points. That said, how many of us have seen a huge deluge of email from Account Rep A that was sent between midnight and 1AM? Speculating on the scenario: perhaps a hotel room, end of quarter, chasing the deal, etc… We can somewhat safely assume that individual is both tired and stressed. Another relatively safe component of the scenario is diet, as the individual has probably been eating in hotels and restaurants for days. There is a limit to the amount of self-control a person has (Baumeister, Bratslavsky, Muraven, Tice, 1998).
 
All those people-related issues can directly contribute to something we consider a security-related problem. We often talk, mostly in jest, about OSI Layers 8+. Perhaps it is time to have some real discussions about the things we as security operators can be aware of.
 

Conclusion

 
In closing, why do we just click on things? I'm not sure, but I know that it is a people issue, and I am starting to understand some of the factors. In our industry it's about mitigating risk factors.
 
It would probably never fly, but here is an idea: based on time zone, suggest that professionals limit email to N working hours? 6AM to 10PM maybe?
 

References

 
Baumeister, R. F., Bratslavsky, E., Muraven, M., & Tice, D. M. (1998). Ego depletion: Is the active self a limited resource? Journal of Personality and Social Psychology, 74(5), 1252-1265. doi:10.1037/0022-3514.74.5.1252
 
Hagger, M. S., Wood, C., Stiff, C., & Chatzisarantis, N. L. D. (2010). Ego depletion and the strength model of self-control: A meta-analysis. Psychological Bulletin, 136(4), 495-525. doi:10.1037/a0019486
 
Richard

161 Posts
ISC Handler
Here's an idea: in order to open an email, the user must first solve a long-algebra problem. If the user's answer is correct, it's safe to assume the user is at least somewhat awake and alert. If not, the computer locks the email client for 6 hours.

Jokes aside, I've always thought that MS Outlook should be renamed to: MS Lookout.
da1212

69 Posts
I have users that would *NEVER EVER* be able to read emails if that algebra strategy were implemented.

Your statement, "I know one CIO that uses the sales staff as mobile honeypots/malware collection points." just made it into my quote-of-the-moment file! ;-)
Moriah

133 Posts
Yes tired, stressed and hungry will increase the risk, but what about the other side? They are doing everything they can to make sure that you click even when you are not tired, stressed or hungry.

Those three points also apply if you are in the middle of an implementation or recovery project.
KBR

63 Posts
Machines are more predictable than humans so I think a technical solution would still be best. To this point, I have seriously considered stripping all links from emails. Attachments are scanned by multiple security tools before they land in a user's inbox. However, links have always been more devious.

Has anyone considered simply removing links from emails as a corporate policy, and more importantly, did it work?

The solution might be to only allow and use plain text (no hyperlinks) emails while still allowing attachments.
da1212

69 Posts
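The "plain text, no hyperlinks, attachments still allowed" policy floated above can be prototyped at the mail gateway. The following is an added example written for this page, not code from SANS ISC or any commenter: it rewrites a message into a text/plain body with every URL and anchor target removed, records what was removed in an `X-Links-Removed` header and a returned list for the admin's audit log, and copies attachments through untouched so the existing attachment scanners still see them. The sample message, the `URL_RE` pattern and the header name are all constructed for the demo.

```python
"""Rewrite an email into a plain-text message with hyperlinks removed,
keeping attachments for the scanners that already cover them.

Added example, not code from SANS ISC or any commenter. The message built
in build_sample() and the X-Links-Removed header are constructed.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Bare URLs that survive into visible text (constructed, deliberately loose).
URL_RE = re.compile(r'(?:https?|ftp)://\S+|\bwww\.\S+', re.IGNORECASE)
PLACEHOLDER = '[link removed]'


class _LinkStripper(HTMLParser):
    """Collect the visible text of an HTML body; drop <script>/<style>
    content, keep anchor text but not its target, and remember every href."""

    def __init__(self):
        super().__init__()
        self.parts, self.hrefs, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            href = dict(attrs).get('href')
            if href:
                self.hrefs.append(href)
        elif tag in ('script', 'style'):
            self._skip += 1
        elif tag in ('br', 'p', 'div', 'li', 'tr'):
            self.parts.append('\n')

    def handle_endtag(self, tag):
        if tag in ('script', 'style') and self._skip:
            self._skip -= 1
        elif tag in ('p', 'div', 'li', 'tr'):
            self.parts.append('\n')

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)

    def text(self):
        return re.sub(r'\n{3,}', '\n\n', ''.join(self.parts)).strip()


def strip_links(raw):
    """Return (rewritten EmailMessage, list of removed URLs).

    The plain-text part is used when present; otherwise the HTML part is
    reduced to its visible text. Attachments are copied through unchanged."""
    msg = message_from_string(raw, policy=policy.default)
    removed = []
    body = msg.get_body(preferencelist=('plain', 'html'))
    if body is None:
        text = ''
    elif body.get_content_subtype() == 'html':
        parser = _LinkStripper()
        parser.feed(body.get_content())
        text = parser.text()
        removed.extend(parser.hrefs)
    else:
        text = body.get_content()

    def _record(match):
        removed.append(match.group(0).rstrip('.,;)'))
        return PLACEHOLDER

    text = URL_RE.sub(_record, text)

    out = EmailMessage()
    for header in ('From', 'To', 'Cc', 'Date', 'Subject', 'Message-ID'):
        if msg[header]:
            out[header] = msg[header]
    out['X-Links-Removed'] = str(len(removed))   # constructed header name
    out.set_content(text)
    for att in msg.iter_attachments():
        out.add_attachment(att.get_payload(decode=True),
                           maintype=att.get_content_maintype(),
                           subtype=att.get_content_subtype(),
                           filename=att.get_filename())
    return out, removed


def build_sample():
    """Constructed HTML-only message with a link and a zip attachment."""
    m = EmailMessage()
    m['From'] = 'rep@example.com'
    m['To'] = 'analyst@example.com'
    m['Subject'] = 'Q3 numbers - please review tonight'
    m.set_content('<p>Numbers attached; sign in at '
                  '<a href="http://portal.example/login">the portal</a> '
                  'or go to www.portal.example directly.</p>', subtype='html')
    m.add_attachment(b'PK\x03\x04 constructed, not a real zip',
                     maintype='application', subtype='zip', filename='q3.zip')
    return m.as_string()


if __name__ == '__main__':
    rewritten, urls = strip_links(build_sample())
    print(rewritten.get_body().get_content())
    print('removed:', urls)
```

The rewritten message keeps the anchor text ("the portal"), so the reader still knows a link was there and can ask for it through a sanctioned channel; the removed list is what you would feed to the URL reputation checks that the thread notes are harder for links than for attachments.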
Wholeheartedly agree having been a victim, despite normally verging on the paranoid and checking email properties (headers, message source in full) first.
Getting an email from 'Yulia' with a subject line, "I'm one in a million" means you don't need to be a rocket scientist to know to delete, but you never can tell!
As for our beloved Outlook users, WHY do they have to PREVIEW messages? You can train them not to, then they get lazy and open them anyway without much thought. You can suggest having 'text' only mail and then they complain they can't see all the images!
Perhaps tired admins need the help of the mining industry's Fatigue Detection Technology, so that as we doze off, emails are auto-displayed with header detail only, in flashing colours and a loud robotic voice: 'you've been p0wnd!'
No easy answers I guess, unless the detection tools become foolproof.
da1212
12 Posts
I bet if you have a corporate policy that charges users $100 for each cyber violation/malware infection then those "clicks" would all of a sudden drop significantly...

Just sayin'.
da1212

69 Posts
I don't think detection systems will become "foolproof" and @nic you are right; there is no easy answer to this. My Diary was an attempt to point out a common factor I have noticed based on some of the research I have been doing lately.

For me, it is understand that people are likely not going to change. We can make them more aware but things will happen. Understanding why it happens is my first step in understanding if there is a solution and how.

~Richard
Richard

161 Posts
ISC Handler
Time-of-day (local and/or UTC) might be a good spam confidence heuristic, if Bayesian filters don't already notice it.

On a slightly related subject, I've been tempted to schedule a re-scan or virus scan of mailboxes just before the start of the business day; you may be able to retroactively quarantine mails that were not known to blacklists or AV signatures at the time they were received, but maybe in time to stop people opening them. A batch job can also afford more extensive testing than would be viable for a real-time scanner during peak times.
Steven C.

171 Posts
I want to know more about this food angle. Like, if you eat Taco Bell burritos are you more likely to do something stupid than if you ate a chicken sandwich from Wendy's? What about those high calorie salads that fast food places sell? They are sort of like a salad. Would that trick your brain into being smarter?
Jasey

93 Posts
@JRD You have to be careful when discussing types of diet and foods that can contribute to stress. The research I have been reading indicates that poor dietary choices can be a stress factor. According to researchers it is a bit more complex than 'this fast food' or 'that fast food'... It is clear that a higher fat diet can cause acute stress (Ghalami, Zardooz, Rostamkhani, Farrokhi, Hedayati, 2013). I'm not a doctor and would defer to a general practitioner or dietitian, but I'm guessing that there would be no difference between Wendy's and Taco Bell. On the salad note, there is research that shows the human body does much better with higher veggie intake, including reduced hypertension (Shenoy, Kazaks, Holt, Chen, Winters, Khoo, Keen, 2010).

The CDC.gov (U.S.) site is packed with good information. cdc.gov/nutrition/everyone/fruitsvegetables/. I don't think if you eat a salad you are going to turn into a genius, but I do think that more vegetables can contribute to better cognitive function and reduced stress.

It may seem odd that we are discussing diet as a security topic, but I ask, is it so odd? The above diary was about a trend that I don't think will change.

@Steven Chamberlain, I like the idea of kicking off a pro-active mailbox scan just before working hours. I would say definitely prior to the start from a long weekend or holiday as well?

~Richard

== References ==
Ghalami, J., Zardooz, H., Rostamkhani, F., Farrokhi, B., & Hedayati, M. (2013). Glucose-stimulated insulin secretion: effects of high-fat diet and acute stress. Journal Of Endocrinological Investigation,

Shenoy, S., Kazaks, A., Holt, R., Chen, H., Winters, B., Khoo, C., & ... Keen, C. (2010). The use of a commercial vegetable juice as a practical means to increase vegetable intake: a randomized controlled trial. Nutrition Journal, 938. doi:10.1186/1475-2891-9-38
Richard

161 Posts
ISC Handler
The "last chance mailbox scan" -- I really like that idea! You could restrict it to items that had not yet been opened, and that were received since the previous "last chance" scan. Or maybe you do want to scan opened items too, to detect possible infections that might have already occurred but not yet become evident. Come on, clamav guys, put this one on the wish list!
Moriah

133 Posts
As part of the last chance mailbox scan perhaps find a way to pipe those unopened attachments to Razorback [1]? Have not played with the tool yet but the VRT guys put together a cool framework for stuff like this. They also have a VM up on Sourceforge [2].

[1] snort.org/snort-downloads/…
[2] sourceforge.net/projects/razorbacktm/files/VM/
Richard

161 Posts
ISC Handler
Moriah, I think you'd probably want to rescan EVERYTHING -- the idea being that you're looking for newly-identified exploit sites that might have already been making the rounds when earlier messages were received.

It might be sufficient to only scan unread items; presumably, already-read messages have already had a chance to do their damage, and you'd merely be closing the proverbial barn door by re-scanning them.
whurlitzer

13 Posts
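The "last chance mailbox scan" discussed over the last several comments (Steven C.'s pre-business-day batch re-scan, Moriah's question of unread-only versus everything, whurlitzer's point that older messages may already reference a site that was only listed later) and Steven C.'s time-of-day heuristic can be sketched in one small scheduler. This is an added example written for this page, not code from SANS ISC, any commenter, or ClamAV: a constructed four-message inbox is re-checked at 5:45AM against a hash blocklist and a domain blocklist that were both updated after delivery, once for unread-since-last-scan and once for everything, and messages sent outside the diary's 6AM-10PM window are reported separately as a weaker "tired sender" signal rather than a quarantine reason. `LOCAL_TZ`, `SCAN_TIME`, the blocklists and the mailbox contents are all constructed; a real scanner would use the Received timestamp rather than the Date header.

```python
"""Pre-business-day 'last chance' re-scan of a mailbox.

Added example, not code from SANS ISC, any commenter, or ClamAV. It
re-checks messages against blocklists updated after delivery and flags
off-hours senders (the diary's tired/stressed signal) as a separate,
lower-confidence indicator. Mailbox, hashes and domains are constructed.
"""
import hashlib
import re
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage
from email.utils import format_datetime, parsedate_to_datetime

LOCAL_TZ = timezone(timedelta(hours=-5))      # constructed: the site's local zone
WORK_START, WORK_END = 6, 22                  # the diary's suggested 6AM-10PM window
URL_RE = re.compile(r'https?://([^/\s]+)', re.IGNORECASE)

# Constructed: a signature and a domain published only after the mail arrived.
BLOCKED_HASHES = {hashlib.sha256(b'constructed malicious bytes').hexdigest()}
BLOCKED_DOMAINS = {'phish.example'}
SCAN_TIME = datetime(2013, 7, 9, 5, 45, tzinfo=LOCAL_TZ)   # constructed 5:45AM run


def build_mailbox(now):
    """Constructed inbox as (message, read_flag, received_at) triples."""
    def mk(subject, sent, read=False, attachment=None, link=None):
        m = EmailMessage()
        m['From'] = 'rep@example.com'
        m['To'] = 'analyst@example.com'
        m['Subject'] = subject
        m['Date'] = format_datetime(sent)
        m['Message-ID'] = '<%s@example.com>' % subject.replace(' ', '-')
        m.set_content('See %s' % link if link else 'Nothing to click here.')
        if attachment:
            m.add_attachment(attachment, maintype='application',
                             subtype='octet-stream', filename='invoice.bin')
        return m, read, sent      # a real scanner would use the Received time
    night = now.replace(hour=1, minute=12)
    return [
        # Read two days ago; links to a site that was listed only last night.
        mk('quarterly report', (now - timedelta(days=2)).replace(hour=14),
           read=True, link='http://phish.example/q3'),
        mk('urgent invoice', night, attachment=b'constructed malicious bytes'),
        mk('portal reset', night + timedelta(minutes=20),
           link='http://phish.example/reset'),
        mk('lunch menu', (now - timedelta(days=1)).replace(hour=9), read=True),
    ]


def attachment_hashes(msg):
    return {hashlib.sha256(a.get_payload(decode=True)).hexdigest()
            for a in msg.iter_attachments()}


def link_domains(msg):
    body = msg.get_body(preferencelist=('plain',))
    if body is None:
        return set()
    return {m.group(1).lower() for m in URL_RE.finditer(body.get_content())}


def sent_off_hours(msg):
    """True when the Date header falls outside working hours in local time."""
    hour = parsedate_to_datetime(msg['Date']).astimezone(LOCAL_TZ).hour
    return not (WORK_START <= hour < WORK_END)


def last_chance_scan(mailbox, last_scan, blocked_hashes, blocked_domains,
                     rescan_all=False):
    """Return ({message_id: [reasons]} to quarantine, [off-hours message ids]).

    rescan_all=False checks only unread items received after last_scan (the
    cheap form); rescan_all=True re-checks everything, which also catches
    older messages that referenced a site identified only later."""
    quarantine, off_hours = {}, []
    for msg, read, received in mailbox:
        if not rescan_all and (read or received <= last_scan):
            continue
        reasons = []
        hits = attachment_hashes(msg) & blocked_hashes
        if hits:
            reasons.append('attachment hash now on blocklist: %s...' % sorted(hits)[0][:12])
        doms = link_domains(msg) & blocked_domains
        if doms:
            reasons.append('link to newly listed domain: %s' % sorted(doms)[0])
        if reasons:
            quarantine[str(msg['Message-ID'])] = reasons
        if sent_off_hours(msg):
            off_hours.append(str(msg['Message-ID']))
    return quarantine, off_hours


def demo(rescan_all=False):
    """Run the scan over the constructed mailbox with a 24-hour-old last_scan."""
    return last_chance_scan(build_mailbox(SCAN_TIME), SCAN_TIME - timedelta(days=1),
                            BLOCKED_HASHES, BLOCKED_DOMAINS, rescan_all)


if __name__ == '__main__':
    for mode in (False, True):
        q, off = demo(mode)
        print('rescan_all=%s: quarantine %s; off-hours %s' % (mode, sorted(q), off))
```

With the cheap unread-only pass, the two overnight messages are quarantined; only the full pass also catches the already-read "quarterly report", which is whurlitzer's barn-door case: it cannot undo a click, but it tells the responder which mailboxes to look at first.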
Nowadays you really need host and network level malware protection. The network level detection will catch malware as soon as it attempts to communicate on the network providing defense in depth protection. I would be very nervous in an environment that only had host level protection... because the very existence of malware is proof that host level is not enough.
da1212

69 Posts
