Fourth SHB Workshop

I’m at SHB 2011, the fourth Interdisciplinary Workshop on Security and Human Behavior, at Carnegie Mellon University. This is a two-day invitational gathering of computer security researchers, psychologists, behavioral economists, sociologists, political scientists, anthropologists, philosophers, and others—all of whom are studying the human side of security—organized by Alessandro Acquisti, Ross Anderson, and me. It’s not just an interdisciplinary conference; most of the people here are individually interdisciplinary. For the past four years, this has been the most intellectually stimulating conference I have attended.

Here is the program. The list of attendees contains links to readings from each of them—definitely a good place to browse for more information on this topic.

Ross Anderson is liveblogging this event. Matt Blaze is taping the sessions; I’ll link to them if he puts them up on the Internet.

Here are links to my posts on the first, second, and third SHB workshops. Follow those links to find summaries, papers, and audio recordings of the workshops.

Posted on June 18, 2011 at 1:06 PM9 Comments


Richard Steven Hack June 18, 2011 7:02 PM

The ultimate in airport security theater:

Airport Hijinks No Laughing Matter For Board Member


A new video making the rounds of the Internet shows two guys goofing around after hours at DFW International Airport.

What concerns some is that no one seems to do anything to stop them.”

And this bit of genius:

“Aviation security experts who have seen the video say it doesn’t show any major security concerns because the two guys were ticketed passengers who had already been screened by the TSA.”

Right. If that was me there, I could have destroyed the entire airport.

And this:

“DFW airport board member Betty Culbreath says while it may have been a prank, it sent the wrong message. ‘It’s not funny. It’s not going to happen again as far as I’m concerned. It should not have happened because it gives the perception the airport is sitting out there unguarded and that’s why I was concerned, and am still concerned.'”

Lady – your airport WAS “sitting out there unguarded”! It’s NOT a PERCEPTION!

Richard Steven Hack June 18, 2011 7:06 PM

RSA and Adobe talk about SecureID hack


Criminals used a zero-day vulnerability in Adobe Flash player to penetrate RSA defences through an embedded Flash file in an Excel email attachment. A spear phishing attack, it targeted regular employees of RSA Security disguised as a recruitment form. It breached the RSA systems, even though it first went to Microsoft Outlook’s spam folder.

Criminals then managed to install malware called ‘poison ivy’, which established a connection to the hackers’ command and control server and requested commands from the network.

“I talked to a major defence contractor. They said welcome to the club,” said Uri Rivner, head of new technologies at RSA Security.

“We have a lot of evidence about what happened to us and what happened to other folks, that the team that hacked us is very organised and had a lot of practice. I can compare them to the Navy Seals team six, which hit Osama Bin Laden.”

“Think about this sort of group, very organised and experienced, going after specific targets, with most of the activity you never know about.”

End Quote

I find it interesting that a recruitment form was all that was needed to beat RSA employees’ “security awareness training” – assuming they ever had any.

Richard Steven Hack June 18, 2011 7:16 PM

Analysis: Banks seek cybershelter with “ethical hackers”


Percoco says his group almost always manages to penetrate bank firewalls or find other ways to cause mischief, from viewing confidential checking account images online to physically strolling into unsecured data centers.

“We’ll call the CIO (chief information officer) and tell them, ‘We’re standing in the middle of your data center. Do you want to come get us?'” he said.

[My Note: Is Christian Slater with them? 🙂 ]

Many financial institutions are starting to bulk up security around their treasury services divisions, which can process trillions of dollars daily for large corporate clients, according to the American Bankers Association.

But now a new push toward mobile payments by big banks, from BofA to Wells Fargo, has some cyber experts worried.

On average, only 8 cents of every dollar that banks spend on IT infrastructure goes toward sustaining and securing that infrastructure, according to Tom Kellermann, chief technology officer at AirPatrol Corp in Maryland and a member of the Obama Administration’s Commission on Cyber Security.

Bank security chiefs “are always playing second fiddle to the folks that are saying, ‘Let’s create the wonderful wireless Web portals with access to financial services through our mobile phones,” he told Reuters Insider. “Most security wonks would say ‘That’s a really, really bad idea.'”

[My Note: Ya think?]

“I think there’s been an over-emphasis in security on perimeter defenses, on the walls and moats of castles, and not enough attention is being paid on remote access and website security,” he added.

[My Note: Ya think?]

None of the largest U.S. banks would discuss the latest attacks or make security executives available for interviews.

[My Note: Heh, heh.]

Woodbury Advisor payments consultant Steven Kietz, a former credit card executive for Citigroup and JPMorgan Chase, said he helped to implement federal guidelines for Internet security standards in 2006 while at Citigroup.

But he said those standards are now far out of date, and “five years later we’ve seen really no new efforts by any of the major banks to protect customers.”

End Quotes

Someone the other day proclaimed this the “Golden Age of hacking”. Now you see why.

Nick P June 19, 2011 1:27 PM

@ Richard Steven Hack

“A spear phishing attack, it targeted regular employees of RSA Security disguised as a recruitment form.”

“I can compare them to the Navy Seals team six, which hit Osama Bin Laden.”

Seal Team 6? Taking Osama down with recruitment forms? Yeah, they’re hardly even trying to disguise their incompetence these days.

Dirk Praet June 19, 2011 7:54 PM

I like the “Worst-Case Thinking Makes Us Nuts, Not Safe” essay at .

In essence, it conveys the same message my grandfather gave me at age 6 when I was being bullied at school. He told me that the only thing that comes out of fear is even more fear, until such a point that it takes over your entire life. Next day I went to school, sneaked up on the other kid and “accidentaly” hit him with a chair. The bullying stopped, and so did my fear of going to school.

Richard Steven Hack June 19, 2011 8:50 PM

Another game maker gets pwned:

Data for 1.3 Million Customers Stolen in Latest Game Maker Attack

Interesting quote:

Lulz, a group of hackers that has been behind the cyber attacks against other video game companies including Nintendo, unexpectedly offered to track down and punish the hackers who broke into Sega’s database.

In its offer to assist Sega, a Twitter post from Lulz hinted that its leaders might count themselves among a small but highly loyal group of game players who still play on the aging Dreamcast console.

“Sega — contact us,” Lulz said. “We want to help you destroy the hackers that attacked you. We love the Dreamcast, these people are going down.”

End Quote

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.