Hacking the Mind

For those living under a rock, the 2020 Presidential Elections are in the news.  Therefore, you will undoubtedly begin to hear more of the standard talking points: “we must protect the elections from being hacked” or some variation of that.  Let’s be clear: the only way you can “hack an election” is by actually changing the tabulated results through some form of computer intrusion.  (Paper ballots anybody?)

Let’s also take information warfare/operations and psychological campaigns off the table for the purposes of this discussion.  These are not “hacks” in the cybersecurity world, even though some hacks try to convince you otherwise (reference: psychological campaigns).

When trying to break into some computer system, nefarious actors have identified a very attractive vulnerability that is part of the system: the ability to hack your mind.  No, we’re not talking about going full cyborg.  We’re talking about the fact that you are an “end point” in the system and, gosh darn it, the actual “hackers” have made the decision that you’re just too easy of a target to pass up.

If you’ve been following my work for a while, you’ll know where I think the big cybersecurity problem is: people.  Cited here, on page 44, by the US Air Force Institute of Technology Center for Cyberspace Research in 2015, I said: “No level of technology will be able to stop an attack if the user is uneducated and constantly circumvents (unknowingly) the security protocols in place designed to protect the network.”  (You can find the full article from 2012 here.)

You know what has changed in the seven years since I wrote that?  A whole bunch of nada.

You see, attackers are coming to the realization that it’s just easier to do the easy stuff.  Look at the Top 10 most common types of attacks (the link has good, easy-to-understand descriptions of each type of attack):

  • Denial-of-service (DoS) and distributed denial-of-service (DDoS) attack
  • Man-in-the-middle (MitM) attack
  • Phishing and spear phishing attacks
  • Drive-by attack
  • Password attack
  • SQL injection attack
  • Cross-site scripting (XSS) attack
  • Eavesdropping attack
  • Birthday attack
  • Malware attack

Let’s just focus on the Top 5 for a moment.  DDoS attack?  Giving your network the firehose treatment.  Nothing sophisticated here.  MitM (or MiM) attack?  Okay, you need some technical knowledge here.  Phishing and spear-phishing?  Take advantage of the person.  Drive-by attack?  Take advantage of the person because another person did something dumb.  Password attack?  Well, if you’re not using a strong password, you’re just making life easy for the bad guys (for the love of all things fuzzy and cute, use passphrases if you can’t remember complex passwords).

Notice something?  The most common attacks are generally unsophisticated and seek to take advantage of the user.  You see, the bad guys operate in this wonderful space of no rules, so they, in essence, get to set the table.

What was the trend?  Malware through email, meaning that email security solutions began to focus on detecting malware.  Was that the right defensive move?  At the time, probably yes, but attackers saw what was going on, so they adapted, moving to malware-less emails that focus on fraud and phishing.  And with more of our personal information being scooped up (and then making it out into the wild), we’re seeing huge increases in spear-phishing attacks.  As I said in this article, if you want your entire day ruined, check out what an “OSINT creeper” does.

I’ll tell you from personal experience, the spear-phish campaigns are becoming REAL good.  Not too long ago, I received one from a major online retailer.  I did make an order from that retailer, and the delivery time was about when I expected.  It wasn’t one of these “dear user” emails.  It had my full name, the email format looked about right, and the fonts seemed appropriate.  Sidebar: learn to distinguish fonts; it’s always a good tell.

At first glance, the email looked all right.  And please keep in mind that everybody has different display settings on their devices.  Different operating systems and email clients display things differently in the preview pane.  My preference is to display as much information as possible (yes, that could create a cluttered view, but it’s a great way to keep an eye out for things).

Yet something felt off, even though first glance was okay.  There were two things that raised my eyebrows.  One was the subject header.  It seemed different from what the retailer normally sends out, but still within the realm of the possible (perhaps the retailer changed their practices).  And the other was the amount.  It seemed wrong.  So I logged on to my account – not through the email, I went directly to the site in a browser – and lo and behold, I did not have an order that matched that price in the email.

Next, I previewed the email on a different device (easier for hover-overs to check links, look at the full email address, headers, and so on) and I was thoroughly impressed.  The email was pulling graphics and links from the legitimate retailer.  There was only one bad link in the email: the one to the order.  And in the different view, there was another major tell: the full sender email address was displayed.
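The two tells described above (one off-brand link hiding among legitimate ones, and a sender address whose domain does not belong to the retailer) can be checked mechanically. The following is an added example, not code from the original post or from any email security product: it parses a constructed sample message with Python's standard `email` and `html.parser` modules, pulls out the sender address and every anchor in the HTML body, and flags anything whose domain does not match the retailer's expected domain. The retailer domain `example-retailer.test`, the sender and link hosts, and the order number are all placeholders made up for the example; the "registrable domain" helper is a deliberate approximation (last two labels) rather than a public-suffix-list lookup.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for the example. The branding links point at the
# legitimate-looking retailer domain, while the "view order" link and the From
# address use different hosts. All hosts here are reserved placeholder TLDs.
SAMPLE_EMAIL = """\
From: "Example Retailer Orders" <orders@example-retailer-support.invalid>
To: customer@example.test
Subject: Your order #48211 has shipped
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="https://www.example-retailer.test/img/logo.png">
<p>Hi Pat Customer, your order totalling $487.20 is on its way.</p>
<p><a href="https://www.example-retailer.test/help">Help</a> |
<a href="https://www.example-retailer.test/account">Account</a></p>
<p><a href="http://example-retailer.test.order-check.invalid/o/48211">View your order</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def registered_domain(host):
    """Approximate the registrable domain as the last two DNS labels.

    Assumption for this example: no public-suffix list is consulted, so
    multi-label suffixes such as co.uk are not handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse(raw_message, expected_domain):
    """Return a list of human-readable findings for the given raw RFC 5322 message.

    A finding is raised when the sender's address domain, or any link in the
    HTML body, does not resolve to the same registrable domain as
    expected_domain. The display name is reported alongside the address so
    the reader sees what the message claimed versus where it actually came from.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    expected = registered_domain(expected_domain)
    findings = []

    # With policy.default the From header is parsed into Address objects.
    sender = msg["From"].addresses[0]
    if registered_domain(sender.domain) != expected:
        findings.append(
            f"sender address domain {sender.domain!r} (display name "
            f"{sender.display_name!r}) does not match {expected_domain!r}"
        )

    # Pull every anchor out of the HTML part and compare its host to the brand.
    body = msg.get_body(preferencelist=("html",))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if registered_domain(host) != expected:
            findings.append(f"link {text!r} goes to {host}, not {expected_domain}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL, "example-retailer.test"):
        print(finding)
```

Run against the sample, the checker reports exactly the two tells from the story: the sender domain and the single "View your order" link, while the help, account and logo references pass because they really do point at the retailer. The same mismatch logic is what an email gateway applies at scale; doing it by hand on a second device, as described above, is the manual version.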

What was the intent of the attacker here?  To make me think, “Hmm, what’s that order?”  The attacker did get me to think that (because the rest of the email was so incredible) but my countermeasure – knowing what to look out for and how to verify – stopped this spear-phish attempt.  And all you need is that one successful attempt to create some SNAFU that has incalculable consequences (I said here that I think the spear-phish is one of the best ways to unleash calamity and my opinion hasn’t changed).

Listen, I get it.  I’ve been using computers since the time CGA graphics cards were the thing, so I have a slightly more developed cyber-nose.  But that doesn’t stop you from upping your own personal cyber health and hygiene, like I outline here.  These are easy things to do, because, as you know, more expensive shoes don’t make you run faster.  You need to train.  Same goes for email security products.  You need them.  But without heavy lifting on your end, the email security product can only go so far.

To bring this conversation full circle, when you hear about “hacking” and how it affects people, think about it like this: you are the ultimate end point of any system.  If an attacker thinks the easiest way in is through hacking your mind, they will.  Don’t let them be right.

So learn to keep an eye out for the nasty stuff that can sneak through, because you may find yourself repeating the words of the eminent philosopher, Homer Simpson, should you click the wrong link: kablamo.

By George Platsis, SDI Cyber Risk Practice

February 5, 2019