He was one of the star guests at the SecHuman Summer School at the Ruhr-Uni Bochum: Linus Neumann, speaker of the Chaos Computer Club. In our interview, he talks about his views on IT-Security and digitalisation.
Mr. Neumann, in your lecture you said: Every cyber attack also has a human component. Is the human being the biggest weak point of IT security?
Linus Neumann: The impression is obvious - but it would be wrong to complete the research at this point and not to look for possibilities to change something about it. It's too easy to say: "Our technical systems are safe, people are just too stupid to understand or use them." That cannot be the solution.
Thanks to extensive research, we know very well the sequences of actions and situations that are susceptible to attacks by the so-called human factors. But the interesting question is: Which courses of action - especially in the security-relevant area - are less susceptible than others?
It makes sense to implement this knowledge and to design user interfaces, sequences of actions and processes that are easier to understand and because of that less susceptible. A simple example: no longer mapping the process for changing passwords onto e-mail and web logins would dramatically reduce the susceptibility to phishing - simply because other habits can be established. These habits can be triggered by phishing attempts, but are inherently less vulnerable.
Do people behave more carelessly in the Internet than in real life? If so, why is that?
How carefully people behave depends on whether they have understood how potential dangers work. When it comes to a danger I haven't understood, I can take a lot of subjectively meaningful, but practically completely misguided protective measures. But often my precautions have nothing to do with my real threats.
In connection with the internet, this is easily illustrated by two phenomena:
First: Many people spend good money on different software that promises security - without understanding what the software can and cannot protect and how it works.
Second: The same people use the same password for all their accounts - an enormously risky behavior that multiplies the target. That will certainly lead to a disaster in the medium term, because probably one of the providers will be hacked and the attackers will get the password for all the other providers.
Up till now, we have been satisfied with describing such misguided security behavior as stupid, prohibiting it or reducing it with more or less successful training. But what would be an approach to create login processes that solve this problem? So what if we develop security mechanisms that people understand intuitively and therefore operate correctly and thus benefit more from them? There exist promising approaches that we should pursue.
In which traps do users fall most often?
In fact, there are only a few standard situations of computer use that are used over and over again in social engineering attacks: What these situations have in common is that they suggest familiar, security-relevant actions via nudging and expose us to situations in which - out of boredom or panic - we no longer think about our actions.
Let's take cryptic warning messages for users, whose default response, clicking them away, is suggested and trained. An example: For many years, embedded macros in Microsoft Office documents have been used as so-called droppers (infection paths) for malware. Although the program warns users not to activate the macros, it presents a huge button to dangerously ignore the warning and hides the safer option from users as best it can. This small design decision - not meaningfully revised for many years - causes considerable damage to the economy and to private individuals worldwide every day.
It would be fatal not to finally critically question the user interface of the program instead of blaming users.
Have you ever been a victim of social engineering yourself?
Almost! And this despite the fact that I am very closely involved with the topic, know all the tricks of the attackers and regularly carry out test attacks and training sessions myself on behalf of customers.
And that's exactly the problem: Since the attacks rely on automated processes that we can carry out without high cognitive effort and without thinking - experts speak of the heuristic and resource-conserving System 1 - there is little chance of training oneself to recognize social engineering attacks through the analytical System 2: It is highly probable that System 2 is not active at all during the attack and therefore cannot intervene.
This is precisely why I plead that the everyday login and security processes should be designed in such a way that System 1 can simply complete them without becoming susceptible to deception.
In your opinion, what is more effective: to develop sophisticated technical protection mechanisms to repel cyber attacks or to sensitize users to digital dangers?
What is important is the third way: to design technical protective measures in such a way that they are intuitively understandable for users and users can make as few mistakes as possible in handling them. User interfaces that people cannot master without regular training should finally be a thing of the past. The motto is: IT-Security for users, not against them.
According to your own statements, you have been enthusiastic about IT topics since your childhood. So why did you decide to study psychology and not technology?
At that time in my life I thought I knew enough about computers and should rather learn something about people. Today, as a consultant, I learn new things about both worlds every day.
As the speaker of the Chaos Computer Club you have a good overview of the developments within IT-Security. From your point of view, what are the biggest digital threats to our society in the coming years?
The greatest danger for our society lies in the fact that we are setting social and political courses without a) a technical understanding of the consequences and b) a social vision for digitization.
We chase after digitization and try to reverse facts that were created long ago instead of actively steering them towards a positive vision. As a result, we here in Germany profit only slowly from digitization, but the disadvantages hit the economy and citizens hard every day. The lack of IT security is only one aspect - the loss of our digital autonomy is more serious.
General note: In case of using gender-assigning attributes we include all those who consider themselves in this gender regardless of their own biological sex.