Day 1 – Tues June 11 2013:
9:50am – “The Honey Stick Project: Opportunistic threats and human vulnerabilities”, Scott Wright, @streetsec, security coach and consultant, Security Perspectives
Scott’s presentation was one of my favourites at SC Congress 2013. Here’s a summary of Scott’s presentation:
In 2011, an experiment was conducted where “lost” smartphones were allowed to be picked up by the public in order to gather data about human threats to data accessible on those devices. What were the results?
Some additional links:
- Symantec’s Honey Stick project introduction
- Scott Wright’s Honey Stick project overview
- Symantec’s Honey Stick project final report (pdf)
What a fantastic experiment! Scott shared some statistics from his experiment:
Of all of the people that “found” the phones:
- 50% of people offered to return the phone;
- 89% of people accessed personal data;
- 83% of people accessed business data;
I was interested to hear how Scott’s work was funded by Symantec. This is a great example of industry funding some great independent research.
Scott also talked about the need to limit the collection of personal data during his research. In a project like this, the potential to capture photos, location info and behavioural information from those that took the phones could lead to embarrassing or otherwise awkward disclosures of data. Scott did a good job of avoiding the collection of personal info by stating which info he would and would not collect during his research.
Scott left me with a parting thought that still resonates: “We still need more innovation in human studies. People pay attention to stories about other people.”
And, Scott also left me wondering, “what will Scott work on next?”! I look forward to hearing about future projects.
Todd H Dow 