[Intro Music]
Engel: Good morning, Linus!
Linus: Good morning, Sebastian!
[Applause]
I'm glad you showed up in such numbers and fell for this baiting title! I want to talk about human factors in IT security and chose "hacking brains" for the title. The background to this is the fact that when you talk about "hackers", most people think of demigods in black. Nobody really knows what they are doing, but those hackers get into my device somehow, and I don't know what they want from me or how they did it.
And the reality out there is typically pretty different from what most people imagine. I stand firm in the belief that basically all relevant problems in IT security have been solved in theory. So we don't have like... we don't lack the knowledge of solutions for particular problems, but we still can't make it work. Even though we've solved everything theoretically, the actual IT security is a disaster. And that's most likely because we build some fascinating IT mechanisms and we test them. As we can see, this pole encloses some animal now, but if we observe it in reality, it looks more like that...
[audience laughing]
[someone singing to "Einzug der Gladiatoren"]
That's only a small threat, and somehow we imagine that it will be different with bigger threats.
Let's have a look: we read about Emotet everywhere. Hackers compromise PCs, encrypt all the data, demand a lot of ransom, and Heise covered it a lot, until they got hit by it themselves.
[laughter]
That means even those who really should have known better are still affected by it, and I think that's pretty interesting. And if we have a look at what happens in IT security research, even here at this congress, which is why I handed in this talk, the research has to be avant-garde. It's like big applause and voodoo, and another exploit there and whatever, and remote code execution, while the reality on the other hand, what actually happens out there, is actually more like this. Am I in already? This means we basically live, because we as hackers and nerds find it interesting, we live in this world, while the real crime that happens outside looks more like this! Sleight of hand. And these sleights of hand are not addressed or solved! And I think that's kind of counterproductive or bad, that we don't care about those problem fields, which prevail and are seen everywhere, even in the Heise publishing company, that we don't address them. And we haven't made any progress on that front for years.
I want to talk a bit about easy scams, a bit about password issues, a little about malware. A scam that amused even us in the CCC is the scam by the Chaos-Hacking-Group. They sent e-mails that said: "Yeah, I have compromised your system with a trojan and we are aware of your adventures on the internet. We know that you love adult sites and know about your sex addiction." And they try to blackmail those people. Provide a Bitcoin wallet and, yeah, try to blackmail people. Interestingly, there are people that are really concerned. They deny everything! Obviously this isn't true at all, and there's just no truth to any of it. When you're practiced in blackmailing, you know: don't pay anything until proof is provided. When people then try to inform themselves and google it, they land here immediately. When you google "Chaos-CC group", then some random websites explain that it's a trojan and you should download the next malware. Basically how to remove this damage. That means people are getting out of the frying pan into the fire. "Haha, you want to get fooled? There, I've got another one for you." That means the world outside is relatively dangerous for our unknowing users.
Let's have a look at how this looks when done by experienced folks. The Linux kernel mailing list is known to a bunch of you. There recently was an e-mail on the 31st of October, so a while ago. They even provided the password; yeah, that's the next-level scam: you just write some password leak with it and folks will get their pumps racing, because their password is written in the mail, and as before they wanted Bitcoins, amongst other things, from the kernel devs themselves. Bitcoin is pretty nice: you can have a look in the blockchain and see how much the devs paid. In this wallet are 2.98 Bitcoin, which was about 19000€ some days ago. There are still people out there claiming you can't make a profit on Linux.
[laughter]
[applause]
This e-mail was sent to many, many more people outside the kernel list, but I think you get my point, and ask yourself: why do we even do all that stuff we do, when we could easily get people to send us their money with some spam mails? But there's more: transfer money, the classic! The CEO fraud, big topic. This is one of the big scenarios that medium-sized and big companies are exposed to. You get a mail where it states "Hey, we need to pay those bills! It has to happen TODAY." Most of the time it's small amounts that get overlooked, but it can also be a lot worse. It actually happened pretty often already, with a story like: "Yeah, the big deal with the Chinese is almost through and you mustn't talk to anybody about it, but you have to transfer 2 million to the Seychelles", and then folks do that, and those mails work a little with authority, trust, haste and pressure and guide people to do what they shouldn't. This might sound funny at first, but when you talk to someone that fell for it, they are really rattled, because they know that it wasn't smart and was damaging for the company. And that's not that entertaining anymore. :(
Let's get back to entertaining stuff: authentication. A thing that many folks have problems with is their password, and the problem is that they only have one, and it lingers in such a collection. You and everyone has them, and you can look up your passwords, i.e. 23bonobo42, Tim Pritlove, and so on. The beauty of these lists: even WE, who should know better, are in those lists. When you enter my e-mail address in "haveibeenpwned" - a website where you can check if you've been included in a leak - you can also find ME. So, I will explain how that might have happened. The thing that makes me furious about this is that since there have been computers we have never really done anything against this password problem. We tell people: OK, your password shouldn't be guessable, best case random, without any system. It should be as long as possible, best case not a word, and it should be different everywhere. And NOBODY does that. Recently I went to the dentist, and when you talk with him, he's always like: yeah, floss morning, lunch, evening and every time and so on. "Yeah, yeah, first you change all your passwords and then we can talk about that."
[laughter]
[applause]
And yeah, I've done that.