Yeah, I'm happy that so many of you have come and fallen victim to this title. I've decided to call it Hacking Brains, but granted, as soon as you talk about hackers, there's this image of demigods in black, and nobody knows what's going on, but they somehow gain access and they're inside my technological devices. But it's actually quite different from what most people think. My thesis is that every practical problem in IT security has already been solved in theory. So we're not really lacking the knowledge of how to do IT security, we just somehow can't manage to do it. Practical IT security is a disaster. The reason for that is that we've built up interesting buildings, and this looks very secure, there are fences, but in reality this is what happens. That's a very small issue here, but we can imagine that with a bigger issue it would be quite different. We're reading a lot about Emotet right now: hackers compromise computers and they want money, and Heise had been writing about that a lot until they fell victim to it. When we look at research on IT security, and especially here too, that's why I'm doing this here: it has to be avant-garde and get a lot of applause and be big, and in reality it's more like "did I do it already? Am I in?" So as hackers we think it's interesting to live in the world on the left side, that academia thing, where in reality it's more like a gamble. One of the problem areas we have, which we can see everywhere basically, we're not really attending to. So I want to talk about simple scams, password security issues, all that kind of stuff. One scam that was known to the CCC quite well was a scam from the "Chaos Hacking Group".
They send around emails telling people that they've hacked their sites and know a lot of private information about them, and they give them their Bitcoin wallet and ask them to send money in order not to distribute that information. And people think: it can really be that they know that. How do they know? So prove it to us, otherwise we're not going to pay. But if someone tries to gain access to money from people, they get money their way. OK, so if people try to Google whether this is a real threat or not, they go to a website which tries to infect them with an additional trojan. So people go from the rain into the next problem: "Oh, I know you wanted to be scammed, so here's a little bit of snake oil for you to download." So for people who don't have the training, it's very dangerous. Let's look at people who have the training: the Linux kernel mailing list. Many of you may know it. An email arrived, "change your ...", it's from October 2018, so it mentions the password, and people are supposed to be very afraid because their password is mentioned, and they wanted to get Bitcoin from the Linux kernel developers. Bitcoin is quite nice: you can check the blockchain, there are 2.98 Bitcoins, that's about 19,000 euro as of a few days ago. So nobody can say that you can't make money using Linux. And the email obviously went to a lot more people not on the Linux kernel mailing list, but given that you can make money so easily, you ask yourself why we're doing what we're doing. There's also the classic CEO fraud, one of the scenarios companies are afraid of. You get an email that says: "Hey, we have to pay the invoice, we have to do it today."
One way to do it is a small amount which easily passes, and you can also do it at an advanced level: "Well, the big deal with the Chinese is impending, you're not supposed to talk to anyone, but you have to transfer 2.4 million to the sales," and people actually do it. They use authority and trust, and they ask people to do what they are not supposed to do. It looks kind of funny, but if you talk to someone who has had this happen to them, it's a big crisis, because it's obviously very bad for the company and it's not that funny anymore. So let's go back to something funny: authentication. It's something that's hard for a lot of people, their password, and they only have one password, which shows up in collections such as Collection #1 to #5, which we all carry with us, so we can just look up the passwords. The nice thing about these lists is that if you put my email address into Have I Been Pwned, we can check if the email address is contained in leaks, and you will also find my email address in there, and I may talk later about how I ended up in there. So computers haven't really ever solved the password problem.
We tell people: you're not supposed to be able to guess it, it should be as long as possible, not only a word, and it needs to be different for all the sites. And nobody does that. I went to the dentist recently and he said, "Well, you have to use dental floss three times a day," and I said, "Well, use different passwords everywhere and then we can talk again." And yes, I actually did that, and I'm now using a password manager. We know this is smart, but I've been trying to tell people about password managers for many years and the reaction is always the same, it's always "the fuck", and we never managed to go beyond "use password managers". They ask me which one, and I say I don't recommend any. The question is, how do people get these passwords? They either create a service, or they hack a service and then extract the passwords, or they just send you an email and ask for it. Here's a nice example that I got yesterday. I selected it yesterday because I actually fell victim to it. Yes, "PayPal important message": it wants to tell me that the system has seen unauthorized access to the account, "to guarantee your security please push this button". The nice thing about this is there's only one button, and that alone should make you feel weird, also the fact that the address wasn't PayPal. But I was kind of tired and I clicked on it, and here's what saved me: my password manager couldn't offer me a password for this page. I didn't show which password manager it was; don't think that I find this great, because this password manager got an update recently, and if I would do this: "But I don't know the site, but maybe you want to input your credit card number or your address?" Yeah, thank you very much, no, I don't like this password manager, I can do without it. If you look at phishing sites, well, it's not really magic: you take a website, copy it to another server and program a little back end that collects the requests. I found this for the Gmail webmail login, and a very nice one here,
and I really found quite elegant what they did: they took the domain from the email address and send it along as a GET request, and in their source code they have the favicon from that domain, looked up on Google, so if you use another domain it's always another logo, so it looks more convincing. Really, if you look at it, the probability of success for these mass emails is very, very low, it's really tiny, and all these mails are sent a million-fold to many recipients. But if you really send so many emails, even if you get stuck in many spam filters, you still find a victim who enters his password. And we have a nice story. This is really a mass mail thing, a bulk email thing; if you look into your spam folder you will find these emails. It's stupid; if they don't land in the spam folder, that's really bad. So now we've talked about bulk email attacks targeting the best of us, but if we really do it targeted, then we don't talk about phishing but about spear phishing, and you don't send millions of emails but you send exactly one to exactly that person whose password you want to have, and you create a story fitted exactly to that person. So for example, the way I like to do it is password reset mails. Many, many companies do that: every employee has to change the number at the end of the password and increment it by one, so you get an email about that, and the email login from most of the companies you don't really have to fake, I already have it. So if you do spear phishing you have a probability of maybe 30% that the targeted person goes to the site and enters the password. If you do it with three people, then I have a business case, and especially I have no spam filter that is in my way. I can set up a mail service with slightly different domain names, and they have a Let's Encrypt web certificate on the website, and everything works and it usually goes through. And I will come back to that problem,
because I would really like to solve that. But even if it's about distributing malware, it's a target that is really like not using zero-day exploits, but really offering the software to the people and seeing how they install it. THS talked about a tweet, and I looked it up and it's really true: sometimes as an IT guy you feel like a shepherd, but sometimes the sheep are drunk and they are burning and they click on everything. That's by "at silly lander". OK, recently, who listened to Thorsten's talk? Who knows that we did something with a torrent? And I was at it with that drive-by Paralympics here, and I went to a website that really urged me to install something, I had to do an update, some strange plugins, and people just do that. Yeah, really, normally people sit with me in my office and say, "Yeah, I have a virus." "Yeah, how do you know that?" "Yeah, well, it said so." And then they just installed something, and then they realized maybe what's probably not so smart, and now they have a dozen malwares that claim they remove malware. And that's exactly how FinSpy, the state Trojan, works: they made a nice website, "Come on, click on this, you can download something here," and the analysis they, Thorsten together with Ulf Buermeyer, did this morning. And now we are at a round of applause for Thorsten, please. Now I have arrived at the problem which since about 2016 has been troubling the world, and that is ransomware. It's relatively simple: you get an email, in the email is some attachment, in this example, we did that in 2016, it's Locky and it's an invoice, and if you open the attachment the following happens: you get this one, and the program Microsoft Word is opened, and Microsoft Word has two warnings for you, you can see them in yellow and in pink on the screen. The red warning says it's an unlicensed Word version, so either you haven't got it or you have it and got used to it, and the yellow warning is warning
you that you are about to shoot yourself in the foot very much, and this warning is very simple to understand: "Be careful, files from the internet can contain viruses. Unless you need to edit, it's safer to stay in Protected View." And so, consistent with the warning, there's a button, "Enable Editing". Everybody understands what it is, and the potential of danger is clear, and just like with the PayPal phishing email there's this huge button, and on the top right corner, very small, almost hidden, you almost didn't see it, there's a little gray cross, and that's really the way to security. But of course you are trained to press this button, because this warning pops up every time you open Microsoft Word, because there's always a macro in the Word document that's flying around your company. It's not that bad; Microsoft Word has another warning for you, and that's this security warning: "Macros have been disabled," and now you'd say "Enable Content", and in this Locky we sit in this empty page without content, and what we need is content, so we enable the content. On the desktop I put some files here which are lying around, and if I press the button, what happens? All the files are gone. The macro that was in this document loads, via a simple GET request, an exe file and executes Locky, and Locky erases the hard disk and encrypts the disk, and when it's done, then, by the way, it says all your files are encrypted. And if people hear "encrypted" they think, "Oh, can't you decrypt it?" And so that says no, you can't; it would be nonsense if you could decrypt things that I encrypted, and that's why we did it right. And there's a website and it explains where you can transfer how many Bitcoins, and they were quite generous, it was only 500 euros at that time. Locky was the first big ransomware wave, and everybody warned about it, warned not to open invoices,
and it didn't improve the balances of the attackers. And there were emails like this, they looked like this: "Hello, this is the Federal Police, and please be careful of Locky, because many people asked how to protect themselves, and we have a brochure about this and you find it as an attachment." And all the fun started from the beginning. Locky was 2016, and a short time ago we looked at how it looked with GandCrab. That was a ransomware from, I'll tell you in a minute where they came from, from a group who retired recently with the words: "We showed that you can make millions with criminal actions and then you can just retire, and we encourage you to lead the same wonderful life as we do, and we are retiring, and if you want to do the same thing, you learn it on this website." Very nice, with many psychological tricks, and at the top: if you don't pay within a week, then the price will double. They looked it up at booking.com, they copied it from there. And then they explain it's encrypted, you get it only back from us, and there's a nice service, free decrypt: you can send a single file there and they decrypt it and send it to you, to prove to you that they can decrypt it. So they're really good businessmen and show that you can do it, they're honest people, and they have a customer chat. And we were sitting together with our Windows VM that we had just gotten trapped and thought, come on, let's chat with them, and we played dumb a little bit: "Hello, we cannot buy the Bitcoin," and they sent us links where we can get Bitcoins. "Oh, it's too much effort, can't we just make a SEPA transfer and we'll pay the fees?" "That's fine." And then we couldn't think of anything else, so I said to my friend Vladimir, "Hello Vladimir, ask them if they speak Russian," and the answer was of course, yeah, of course, they answered in Cyrillic immediately, and we had the German keyboard there with the Cyrillic letters, and they were very
interested: "Hey, you are Russian? Very interesting, how have you been infected, how could that happen? This says you are in Germany," and then asked, "So you are in Germany?" and so on, and we said, "Oh yeah, I work for Gazprom," and they became more and more friendly, and they wrote the sentence, and I put it into Google Translate to translate it for you, and it's about this: "Take a photo of your passport in the background of this chat, you can cover important information with your fingers if you want, I just need confirmation that you're a citizen of the Russian Federation. If you are a citizen of the Russian Federation we will send you a free decryptor." Sometimes IT security is really just having the right passport. In reality, GandCrab had some routines which checked if the systems were set to Russian time zone or Russian letters by default, to prevent infecting Russian systems, because Russian IT security foreign policy is: dear hackers, you can hack the internet as much as you want and we will not extradite you, but if you hack in Russia, then you will go to Russian jail, and even Russian hackers don't want to go to Russian jail, so they make sure that they don't infect their fellow countrymen, real patriots. Brian Krebs has uncovered this group and wrote a very interesting article about it a few weeks after we did this little funny discovery. Of course you know the motto of each Congress is "no backup, no mercy", and you have to protect yourselves against these kinds of attacks by having backups and not having to pay. So what I think is very interesting is that these attacks with macros have been working ever since, basically since 1999, and it didn't really develop since then, it didn't change. Every other bug, every other problem we have, we find a solution for; that one we just sit through. So I thought about it and took a look at why these attacks work, and I found
two ways to explain this, both of them psychological: one is organizational psychology and the other one is individual psychology. Daniel Kahneman, who I think got a Nobel Prize, thought about how people think; "Thinking, Fast and Slow" is the book he wrote. So the first system is: people think fast and intuitively and kind of automatically; that happens when you're scared or bored. For example, when you leave your home you don't have to think about how you close the door or lock the door, you just do it, because it's so natural to you, it's boring. So this is the first system, which is primarily active when we're scared and have to act fast, or when we're bored and act like we always do, and most of these phishing scenarios go in either of these directions: either they try to scare us, or they try to act upon some movement or some procedure we do that we've done so often that it just gets us bored. And the other one is System 2, that's our analytical, slower thinking. So yeah, hackers act upon the first system, but what's the problem with that really? Whenever we try to explain to someone how to behave to protect themselves, we explain things with regard to System 2, but that's not the system we act upon. I think it's much more interesting when we look at organizational psychology: we're kind of OK to have that IT perimeter, and we built up our walls and we're protected, and the technical attack itself is actually pretty tough, and we're very well protected, everything's very well defined, it's measurable. But then there are people sitting in front of the computers and they work with it, and we don't really protect these people, we don't think about them, we don't train them, so we have attacks over social engineering, which is way easier. This is when risk management takes action: we perceive the risk, we analyze it, and we ignore it. So we've been sitting here for 20 years now,
and one macro after the other pops up, and universities like Gießen or Göttingen, now it happened there. So management means to take responsibility, and therefore do everything so that you don't have to actually take responsibility, but nothing else. So we don't know what to do when the user does a wrong click. So how can we actually solve the problem? What are effective countermeasures? What can we do to have people trained not to click on stuff like that? How can we design our UI and UX to be less vulnerable? It's always the same processes that are being used. The dimensions where we optimize: the resistance, see, don't click, and in an organizational context, inform the IT so they can start countermeasures. So I'll show you two examples from studies we've done in this area, and I hope I have sufficiently done anonymization here. The first one was in Asia, with 30,000 people, for phishing approaches, and there was a video where we explained it, and we checked how often this was reported to IT, and we have seen how often people fell victim to this phishing approach. So what we wanted to find out: how to train these people regularly. So we've created a plan: what kind of communication do we have? We can send them emails or spam from the own company, we can put posters up on the floors, we can do both, we can do nothing, we can offer an online course and then have a quiz afterwards, the quiz can be text or video, and I was assuming that video was probably better suited. And then we created all the permutations of that, so we can measure all these effects. And then we created a phishing, and in this phishing they were informed, "Hey, this was just bad, what you just did," or a video, or both, or just one of the others, and then we did a phishing again. And now I'm going to mark in green what actually did something: all the information, everything that addressed System 2, nothing had any effect. You can have them do quizzes, nothing is going to have any effect. What had an effect was if
they actually encountered a phishing, and it was slightly better if they had seen a video about it, because when they actually are in the phishing, they actually learn something, while System 2 is active. So for the first data collection we did, we had a success rate of 35%, 55% ignored the email, and 10% went to the phishing site but cancelled, so they may very well have realized that something was wrong. And one of my colleagues said, "Hey, that's not possible, we have to be able to get a much better success rate; let's check if they have even opened the email." We had a small invisible pixel inside the email so we could see if they had opened the email, so if we remove everyone who has never seen the email, the success rate was 55%. So we had another problem: 30,000 people had received an email from us, and we said, "Hey, we are the IT support," and there were different reactions to that. We got a lot of emails from people who said, "Hey, I want to change my email, but there's always this video showing up, I want to change my password but there's always this video coming up," and then we had people months later who, when they wanted to write an email, just searched for the last email and then replied to the thread, so we were busy the next half year doing IT support. So the result: all of these awareness things were without any practical effect, and having the experience themselves had a very strong learning effect. But these are very, very specific: so people learn, when there's a password reset email, don't click on it, but if you send an email, "Hey, can you enter your credit card information?" they say, "Yeah, sure, here's my credit card information." And also, if we've changed the social engineering tactics up, and phishing is what you trained them with, that doesn't mean they are more careful with USB sticks. And also these effects aren't stable, that means you have a learning effect for the first three months and then it's going down, so if you're doing this again after a year,
you're back to your 55%. So you can try to reduce the problem, but you can't remove it. That's what I thought, until I went to the second study. It was an international study, multi-language, English, German, Spanish and two others, two thousand persons. And the first result was: if people reported and IT had reacted, how many successful attacks could have been prevented? And about 75% of the attacks could have been prevented, so it's great to have people asked to report incidents. And the other result was: on the first try they had a success rate of 10%, and I was wondering how this is possible, because I was talking really big results, I said, "Well, 30% is easily possible," and we ended up with 10%. "So didn't you promise more?" So the difference here is this company had a note added to the subject for external mails, they just added a small note to the subject, and the other thing is they didn't have password changes in the company, so "here's a website, put your password in", they weren't used to that, so they ended up working with their System 2 and didn't make the wrong decision. The second and the fourth try was only with the people who were phished in the first and third try, so it was like a hard refresher course, and there are a few people who are very happy to click; we have ignored all the privacy rules, and the accounts were the functional accounts, those where it's part of the job that you put your password on a post-it on the screen. So if you look at the trend, you have a reduction of 33%, that's wrong, it's 66%, so 33% remaining, so it's two thirds. This is really good; nobody in psychology believes me if you have one intervention and you have a two-thirds change of what they're doing. But if you look at it from an organizational perspective it's a great disaster, because 33% are still affected. So when people come into a situation they're not used to, the chance dramatically goes down. So what have we learned? Theoretical learning is
without any effect. What's important is your own experience; abstract defense concepts are not helping, you need to show them firsthand. The learning effects are reduced over time, you need to repeat regularly. You don't generalize, so you have to vary your attack scenarios. And it's important that people report such incidents, so you need to be nice to them, that's important. But if you look at this, our goal should be that our IT systems are built in a way that they are not vulnerable to that, and they have to learn processes, and maybe the user interface should not be like this new installation of macOS Catalina, but different, because we cannot rely on System 2. But most protective measures do exactly that: Microsoft Word explains something to you, and it's your problem if you don't understand what they're saying, and the rest of what your computer does you don't understand, so here's the button, press it. We can't work like this for 20 years, and we can't get a grip on it. But there's a way to fix the problem with Microsoft Word: you just deactivate macros, and then the business just stops, or you sign macros. Code signing of macros is very simple, you can do that with a group policy. I talked to an IT guy at a big company, and it's one of the few companies who did that, that I know of, and he said, "Well, yeah, OK, it took a year and I have white hair and lost half my hair, but I'm really glad I solved this." And he's the only person who did that in his company, and he's hated in his company, but in reality he's a hero and you have to thank this guy. And what we have to do is secure our System 1; intuitive actions have to be anticipated, and we don't have to train the user to type passwords into browser windows, we can't do it in browser windows anyway, and maybe we should just stop the free choice of passwords, so not everyone uses one two three four as the password. And it's improving
slowly: you can sign macros or deactivate them, and you can restrict software to just have it installed from app stores. I know there are political problems with that, but from the security point of view it's good if people just don't install some extra download from the internet and execute macros. And with FIDO2 and hardware-based authentication it slowly improves; two-factor authentication is on the move, is increasing, and the world isn't quite as bad as we think. But I wish that our security measures would really rely on the intuitive actions. There's a browser warning, "there's something wrong with the certificate", and well, they vanished at one time because Let's Encrypt came, but nobody understood them. And exactly the same: we have wonderful SSL and it didn't work because of bad user interfaces, and now browsers just refuse making the connection, and that's a good thing. I am already over my time; please make backups, change your passwords, and I'll send you an email about that. Yes, thank you very much, thanks for listening.

For the English translation of "Hacking Brains" at the 36C3 your translators were pink dispatcher, Mary and tribute. We appreciate your feedback, please email hello at C3lingo.org and use hashtag C3T on your favorite social network.

If Linus's dentist now uses a password manager, Linus now uses dental floss three times daily. I just saw the C3T, did I really? Yes, I was actually just flossing my teeth, yes.
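As an added example (not from the talk or the studies it reports), here is a small inbound-mail check in Python that implements the two measures the second study credits for its 10% success rate: a subject tag for external mail, and flagging sender domains that imitate the organization's own (the "slightly different domain names" used for spear phishing). The organization domain and the three sample messages are constructed.

```python
"""Inbound-mail classifier: tag external mail and flag lookalike sender domains.
Added example, not code from the talk; all domains and messages are constructed."""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
import unicodedata

# Constructed: the defending organization's own mail domains.
INTERNAL_DOMAINS = {"example-corp.test"}
EXTERNAL_TAG = "[EXTERNAL]"
MAX_EDIT_DISTANCE = 2  # how close a domain must be to ours to count as a lookalike


def sender_domain(msg: Message) -> str:
    """Domain part of the From: header, lowercased; '' if there is none."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def ascii_fold(domain: str) -> str:
    """Collapse accented or confusable characters (e.g. 'exámple') to plain ASCII."""
    return unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_internal(domain: str) -> bool:
    """True for one of our own domains or a subdomain of it."""
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def is_lookalike(domain: str) -> bool:
    """External domain imitating ours: a few edits away, or embedding our name."""
    folded = ascii_fold(domain)
    for own in INTERNAL_DOMAINS:
        if levenshtein(folded, own) <= MAX_EDIT_DISTANCE:
            return True
        if own in folded:  # e.g. example-corp.test.attacker.test
            return True
    return False


def classify(raw_message: str) -> dict:
    """Routing decision for one message given as RFC 822 text."""
    msg = message_from_string(raw_message)
    domain = sender_domain(msg)
    internal = is_internal(domain)
    lookalike = not internal and is_lookalike(domain)
    subject = msg.get("Subject", "")
    if not internal and not subject.startswith(EXTERNAL_TAG):
        subject = f"{EXTERNAL_TAG} {subject}"  # the study's "small note in the subject"
    return {"domain": domain, "internal": internal,
            "lookalike": lookalike, "subject": subject}


# Constructed sample messages: a genuine internal notice, a password-reset
# lure from a lookalike domain (digit 1 for letter l), and ordinary vendor mail.
INTERNAL_MAIL = ("From: IT Support <it-support@example-corp.test>\n"
                 "Subject: Password reset reminder\n\nbody\n")
LOOKALIKE_MAIL = ("From: IT Support <it-support@examp1e-corp.test>\n"
                  "Subject: Password reset required\n\nbody\n")
VENDOR_MAIL = ("From: News <newsletter@vendor.test>\n"
               "Subject: October offers\n\nbody\n")


def demo() -> list:
    """Classify the three constructed messages in order."""
    return [classify(m) for m in (INTERNAL_MAIL, LOOKALIKE_MAIL, VENDOR_MAIL)]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A real gateway would also compare Reply-To and envelope sender, but the point here is that the tag and the lookalike flag are decided before the reader's fast, intuitive System 1 ever sees the message.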