Security Tool Tricks Workers Into Spilling Company Secrets

"Some people have said I should go to prison for releasing this."
Photo: a dark office full of computers, one screen lit. Dimitri Otis/Getty Images

Tricking people into bypassing security measures, revealing passwords, and disclosing confidential information is called "social engineering" in the computer security business. It's a huge problem, and it's one Laura Bell, founder of the New Zealand security consultancy SafeStack, was contemplating while home on maternity leave two years ago. Although many companies have mandatory security trainings, she realized there's no real way of knowing whether such training is effective until it's too late.

What her clients really needed, she decided, was a way of identifying the employees most vulnerable to social engineering attacks. There wasn't anything like that available at the time, so working in half-hour increments as her daughter slept, she created AVA, a free open-source tool for what Bell calls human vulnerability scanning. But not everyone is happy with the results.

"Some people have said I should go to prison for releasing this," Bell says.

First, a hypothetical example of social engineering at work. Imagine you're a junior help desk technician at a large company. You're low on the corporate ladder, and constantly worried about keeping your job. One night you get a text from a number you don't recognize. "It's Ted," the message reads. "I need my password reset immediately. Lots of money riding on this deal."

This isn't how password reset requests are handled, but Ted is a senior executive, and ticking him off could cost you your job. So you reset the password. But it turns out that message was from a hacker, and you've just given him access to Ted's email account.

AVA works in three "phases" to prevent this sort of thing. First, it integrates with corporate directories such as Active Directory and social media sites like LinkedIn to map the connections between employees, as well as important outside contacts. Bell calls this the "real org chart." Hackers can use such information to choose people they ought to impersonate while trying to scam employees.

From there, AVA users can craft custom phishing campaigns, delivered over both email and Twitter, to see how employees respond. Finally, and most importantly, it helps organizations track the results of these campaigns. You could use AVA to evaluate the effectiveness of two different security training programs, see which employees need more training, or find places where additional security is needed.
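To make the three phases concrete, here is a small worked example of the same idea: build the "real org chart" from a directory export, rank which identities an attacker would most want to impersonate, and then score the results of simulated campaigns per training group and per employee. This is an added illustration written for this page, not AVA's own code; the directory records, the campaign event tuples and their field names (`manager`, `training_group`, the outcome labels) are all constructed here and do not reflect AVA's real data model.

```python
"""Toy human-vulnerability pipeline: org graph -> impersonation targets -> campaign scoring.

Added example for this article; not part of AVA. All data below is constructed.
"""
from collections import Counter, defaultdict

# Constructed sample directory export (hypothetical fields loosely modelled on an AD query).
DIRECTORY = [
    {"id": "ted", "title": "VP Sales", "manager": None, "dept": "Sales"},
    {"id": "ann", "title": "Sales Manager", "manager": "ted", "dept": "Sales"},
    {"id": "bob", "title": "Account Exec", "manager": "ann", "dept": "Sales"},
    {"id": "cat", "title": "Account Exec", "manager": "ann", "dept": "Sales"},
    {"id": "dan", "title": "IT Director", "manager": None, "dept": "IT"},
    {"id": "eve", "title": "Help Desk Tech", "manager": "dan", "dept": "IT"},
]


def build_org_graph(records):
    """Phase 1: return (reports, manager) maps built from the directory records."""
    reports = defaultdict(list)
    manager = {}
    for rec in records:
        manager[rec["id"]] = rec["manager"]
        if rec["manager"]:
            reports[rec["manager"]].append(rec["id"])
    return reports, manager


def chain_of_command(manager, employee):
    """Everyone above `employee`, nearest manager first. Guards against cycles in bad data."""
    chain, seen = [], set()
    boss = manager.get(employee)
    while boss and boss not in seen:
        chain.append(boss)
        seen.add(boss)
        boss = manager.get(boss)
    return chain


def impersonation_candidates(records):
    """Rank identities by how many staff they outrank.

    A pretext like "It's Ted, reset my password" works on everyone below Ted,
    so the widest span of authority is the most attractive identity to borrow.
    """
    _, manager = build_org_graph(records)
    span = Counter()
    for rec in records:
        for boss in chain_of_command(manager, rec["id"]):
            span[boss] += 1
    return span.most_common()


# Constructed results of two simulated campaigns (hypothetical log format):
# (campaign, employee, training_group, outcome)
# outcome is one of: "ignored", "reported", "clicked", "credentials".
CAMPAIGN_EVENTS = [
    ("c1", "bob", "A", "clicked"),
    ("c1", "cat", "B", "reported"),
    ("c1", "eve", "A", "credentials"),
    ("c1", "ann", "B", "ignored"),
    ("c2", "bob", "A", "clicked"),
    ("c2", "cat", "B", "ignored"),
    ("c2", "eve", "A", "reported"),
    ("c2", "ann", "B", "reported"),
]

FAILED = {"clicked", "credentials"}  # outcomes that would have handed an attacker something


def failure_rate_by_group(events):
    """Phase 3: compare training programs by the fraction of simulations their people failed."""
    totals, fails = Counter(), Counter()
    for _, _, group, outcome in events:
        totals[group] += 1
        if outcome in FAILED:
            fails[group] += 1
    return {group: fails[group] / totals[group] for group in totals}


def needs_training(events, threshold=2):
    """Employees who failed at least `threshold` simulations, sorted by name."""
    fails = Counter(emp for _, emp, _, outcome in events if outcome in FAILED)
    return sorted(emp for emp, count in fails.items() if count >= threshold)


if __name__ == "__main__":
    print("Impersonation targets by span of authority:", impersonation_candidates(DIRECTORY))
    print("Failure rate per training group:", failure_rate_by_group(CAMPAIGN_EVENTS))
    print("Employees needing more training:", needs_training(CAMPAIGN_EVENTS))
```

On the constructed data, "ted" outranks three people and so tops the impersonation list, training group A fails 75% of simulations against 0% for group B, and only "bob" crosses the two-failure threshold. Tracking "reported" as a distinct outcome matters as much as counting clicks: the goal of a campaign is to grow the share of people who report, not just to shame the ones who click.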

The reason some people aren't happy about this is that AVA could be used by the very criminals it's meant to stop. Bell knew that from the beginning, of course. But she's been surprised by just how negative some of the responses were. There are many, many security tools out there already that can be misused, but Bell says AVA gets under people's skin in a way programs like Metasploit don't. "The difference is people," she says. "If you attack a computer, there's no empathy involved."

AVA also raises significant privacy questions, since it can gather information about employees outside of work and send them messages to their personal accounts on social networks. Bell argues that this is an important part of corporate security today.

"What we're finding more and more is that the boundaries between business and personal use are blurry at best," she says. "It's not about tricking people or doing harm to people, it's about getting them to understand that risk comes from everywhere and that people might be attacked at a personal account to get at business information."

Although AVA has already been tested by companies in New Zealand, Bell says it is in the early stages of development and would be difficult for hackers to use at this point. "It wouldn't be worth their while," Bell says.

But as Bell and her colleagues flesh out the project, the possibility for abuse will only grow. That's why they've created an ethics and privacy board for AVA. There will always be ways to misuse it, she concedes, but the team will do its best to add safeguards, such as built-in notifications that will alert someone when their information has been added to an AVA installation. Sure, a committed hacker will be able to disable these safeguards, but Bell hopes the extra effort involved will deter most malicious uses. The team also hopes to work with companies like Google and LinkedIn to help identify normal AVA behavior and behavior that might be malicious.

Although Bell's work has met with criticism, she says most responses have been positive. There's a real need to protect employees, volunteers and activists from social engineering attacks, after all. Over the past several months, as she's traveled to Australia and North America to give talks about AVA, so many companies and government organizations have approached her that she's thinking about founding a company dedicated to the project.

"Not because we want to make a lot of profit, that's not what I'm about," she says. "But so we can achieve what we set out to do."