Psychology is useful in understanding the security dilemma regarding the hacker in two ways. One is to use it to understand why the hacker hacks, what motivates them. The other is to understand how hackers use psychology to accomplish their exploits, a practice known as social engineering. First let's look at why the hacker hacks and the motivation that drives them. Jeremy Quittner examines this, by interviewing a behavioral sciences researcher and a psychiatrist, in his article "Who Are Hackers, and What Makes Them Tick?" Quittner writes: "Two experts in the field of cyber forensics and psychology have some answers to that question. One is Marc Rogers, a behavioral sciences researcher at the University of Manitoba in Winnipeg, Canada, and a former cyber detective. The other is Jerrold M. Post, a psychiatrist at George Washington University in Washington, D.C.

Rogers and Post have identified some basic behavioral trends for hackers who commit crimes. Rogers says one characteristic is that they tend to minimize or misconstrue the consequences of their activities, rationalizing that their behavior is really performing a service to society. (Some researchers call this the Robin Hood Syndrome). They may also tend to dehumanize and blame the victim sites they attack. Post says the same hackers share a sense of "ethical flexibility," which means that since human contact is minimized over the computer, hacking becomes like a game where the serious consequences can be easily ignored.

 

But Rogers is careful to point out that not all hackers are criminals. He's identified four categories as follows:

1. Old School Hackers: These are your 1960s style computer programmers from Stanford or MIT for whom the term hacking is a badge of honor. They're interested in lines of code and analyzing systems, but what they do is not related to criminal activity. They don't have a malicious intent, though they may have a lack of concern for privacy and proprietary information because they believe the Internet was designed to be an open system.

2. Script Kiddies, or Cyber-Punks: Most commonly what the media calls "hackers." These are the kids, like Mafia Boy, who most frequently get caught by authorities because they brag online about their exploits. As an age group, they can be between 12 and 30 years old, they're predominantly white and male, and on average have a grade 12 education. Bored in school, very adept with computers and technology, they download scripts or hack into systems with the intent to vandalize or disrupt systems.

3. Professional Criminals, or Crackers: These guys make a living breaking into systems and selling the information. They might get hired for corporate or government espionage. They may also have ties to organized criminal groups.

4. Coders and Virus Writers: Not a lot of research has been done on these guys. They like to see themselves as elite. They have a lot of programming background and write code but won't use it themselves. They have their own networks to experiment with, which they call "Zoos." They leave it to others to introduce their codes into "The Wild," or the Internet.

Underlying the psyche of the criminal hacker may be a deep sense of inferiority. Consequently, the mastery of computer technology, or the shut down of a major site, might give them a sense of power. "It's a population that takes refuge in computers because of their problems sustaining real world relationships," says Post. "Causing millions of dollars of damage is a real power trip."(Quittner)[1]

 

Quittner's article does well to sort hackers into groups with different motivations, and I agree with him on that point: different groups hack for different reasons. Sarah Gordon details a further psychological principle concerning hackers in her Frontline article "Studying the Psychology of Virus Writers and Hackers."

Gordon writes: "There is a certain degree of supposed (and sometimes real) anonymity in virtual environments. This anonymity breeds feelings of "invincibility" in many cases. Time and risk also have different values in virtual environments. Whereas breaking into a bank might require two hours of planning, procurement of a getaway car, acquisition of weaponry, risk of being shot by guards, etc., breaking into a database to move some money around can take a minute or less, with none of the immediate physical risks." (Gordon)[2]

J.A.N. Lee, in an article prepared for the Macmillan Encyclopedia of Computers, says this about the psychology of hacking: "There is a certain allure to computing which is difficult to replicate in other environments. In many respects computing is always "real" rather than merely an example or model, though there is equally always the hope for more power and greater facilities to do bigger and better hacks. Whereas in other endeavors the development of a project such as a hot-rod car or a trip to Hawaii costs real dollars, computing costs nothing - it is a utility. Driving a hot-rod on a dirt strip is also fraught with real physical danger, while hot-rodding a computer is safe. The computer does not hit back even when the worst of effects are programmed." (Lee)[3]

 

So perhaps the thrill of the hack, and the fact that it costs almost nothing, are contributing factors in why hackers hack, along with the feelings of superiority and power.

Understanding the hacker is by no means an easy task for the psychologist, because hackers are very elusive. There may be a way around this, though. Hackers of a certain type use social engineering to accomplish their exploits, and people who are very similar to them are addicts. My sister-in-law became addicted to crack a few years ago, and she became a master social engineer. Her manipulation of people became an art form. She could look into someone's eyes and lie, and most would not see it. She used her talent to acquire people's driver's license numbers, Social Security numbers, and other information, and to open bank accounts in their names, stealing their identities. Eventually the F.B.I. caught up with her, but in the meantime she became a master of deception. Social engineering seemed to come to her naturally. Perhaps if psychologists and criminal investigators studied the addict, they could get a better view of the social engineer, because the two have many similarities.

 

 

Many people act differently online than they do face to face, and this may be a contributing factor. One thing I am quickly becoming more certain of is this: hackers use psychology, and probably know more about psychology than psychologists know about hackers. Hackers are masters at social engineering and know much about human behavior. Psychologists know little about hackers because hackers are elusive and mysterious. In Appendix A at the end of this document I have added an interview with Kevin Mitnick, who is a reformed hacker. Kevin is an expert at social engineering. Kevin Mitnick's exploits cost companies over 300 million dollars at the time, which isn't much compared to the billions that worms cost companies today. What is important is that Kevin Mitnick changed his ways, and by listening to him we can get a good look at how social engineers use their skills along with technology to accomplish their exploits, and perhaps take measures to secure ourselves.

Worms pose a major threat all at once when one is released. Worms make the headlines because of their enormous impact on the Internet community and the almost instantaneous devastation they cause. Other forms of hacking, I believe, may do a similar amount of damage in terms of cost and devastation, but it accumulates as small hits on their marks over time and does not grab the media's attention as readily. When we consider what Kevin Mitnick cost companies as just one hacker, it isn't hard to understand that many hackers like him could inflict as much devastation as the worms do. The way the end user poses a threat, by being the resource the technical worm writer exploits, is obvious by now. Yet the end user is also a threat where hackers of Kevin Mitnick's persuasion are concerned, because users are not aware of the social engineering threats this type of hacker poses. This is why it is imperative to understand how the social engineer operates and how they use psychological principles to take advantage of the unsuspecting end user.

 

The social engineer takes advantage of human instincts and emotions, using them to cleverly devise schemes and plots that get end users to reveal data and information that should be kept secret. The social engineer will use the human attributes of fear, pride, greed, anger, curiosity, guilt, lust, and trust to manipulate people into giving up the information they desire. All people possess these attributes in some form or another, and at one time or another everyone takes actions and makes decisions based on these emotions rather than on intelligence.

 

Trust is one of these attributes of humanity that the social engineer will use to his or her advantage. The natural tendency of individuals to trust one another gives the social engineer an opening. This may be especially true in western culture, where even today individuals seem to naturally trust others. Familiarity seems to breed this trust. Consider this example: I want to get the current invoices from a plumbing company for a client who has hired me to obtain them. First I walk into their office and ask the secretary where the human resources department is. Her name is Dianne, and she tells me that the company does not have one; the supervisors at the job sites hire the workers. I ask Dianne where a job site might be and who I can talk to, as I am looking for employment. She refers me to a job site 20 miles away and gives me the name of a supervisor named Bill. She has no reason to distrust me; to her I am just another plumber looking for a job. I arrive at the job site, meet Bill, tell him that Dianne referred me from the office, and inquire about work. By this time I have studied up a bit on plumbing and have the basic pat answers down to convince Bill I am a potential employee. I have also looked up other plumbing companies and gotten the names of their owners from a chamber of commerce directory at the local library. I tell Bill I was working for another company and was laid off due to a lack of new jobs and just want to work. I drop names that Bill is familiar with from his many years in the trade, and he believes that I actually worked for these companies and have at least 30 years of experience. Bill is really comfortable with me now. It's lunchtime and he has a little time to chat. As I sit eating a sandwich with him in the construction trailer, I notice that he has a stack of invoices on his desk.
I explain to Bill that I was also a supervisor at another company, one I make up so that he will not be familiar with its practices and will have no way to check up on me. I tell him that in March of 2002 I worked out of state for a short period as a supervisor at this fictional company. I go into detail about what a pain it was to fill out the invoices there and how strict they were about the way it was done. Bill can relate; he hates filling them out too, and says Mark in the accounting department is a jerk. We talk a little longer, and Bill tells me I have the job as soon as he gets the OK from the president, who is currently out of town.

He gives me an application to fill out and tells me to return it to the office; when Dan, the president, gets back in town, he will be sure to hire me. Bill feels he knows me like a brother now, as we have so much in common and know many of the same people. I shake Bill's hand, say thanks, and ask him if he needs me to drop off anything at the office while I am there, to save him some time. Bill says, "Why yes, it would be great if you could drop these invoices off to Mark while you are there, because I am busy and don't want to listen to Mark complain today." Bill hands me the stack of invoices and I am off to the company to drop them off to Mark. On my way there I stop by Kinko's and make copies of them all for myself. I now have all the tracking numbers and other information I need to take the next step. I soon arrive at the company, go directly to Mark's office, hand him the invoices, and make short conversation with him, asking some questions about the company. I ask Mark what kind of man Dan the company president is and how he likes working for him. Mark tells me he has never met Dan personally or even talked to him on the phone; the only communication he has with Dan is when Dan sends a request for copies of documents from the accounting department, and he usually does that by fax. After a brief discussion with Mark I return to Dianne the secretary. I tell her I need to get some more information for my employment application for Mark in the accounting department, so they can decide on my wage, and that I will fax it to him as soon as I am finished. She says, "Great, I hope you get the job," and I start to walk out the door. Suddenly I stop, turn around, look back at her and say, "Hey, wait, I forgot something." She says, "What?" I say, "I forgot to get Mark's fax number. Would you possibly have it?" She says yes, writes it down on a business card, and hands it to me. I thank her and leave the scene.
I return to my hotel room, make a copy of the company's letterhead, type up a request to Mark asking for current copies of all the invoices so that the company can get bonded for a new job, and forge Dan's signature. I fax this to Mark and ask him to fax the information back to a fax number I have prearranged to receive the documents. Within two hours I receive copies of all the company's invoices, drop them off to my client, and collect my fee.

 

I didn't even have to use a computer to accomplish this exploit; all I used was social engineering. At times I may also use a computer to get information I need, but most of my technique involves social engineering and is quite effective. Familiarity and trust were my main tools. Note that the final step depended on Mark accepting a faxed signature from a president he had never spoken to; a callback to a number already on file for Dan would have ended the exploit right there.

 

These exploits produce results because of human nature. Humans operate on three levels: emotions, logic, and conscience. Emotions almost always produce a victim if people act on them. Logic lessens the chance, but it is not foolproof either; it is sometimes faulty. Mark, Dianne, and Bill may all have had a "gut feeling" that something was awry but probably dismissed it, because the logic of familiarity overrode it. If any one of them had just followed their gut instinct or conscience, the whole exploit might have failed. The adept social engineer realizes this and follows his own instincts, yet he also knows that, given the speed of business and the faulty logic most people embrace, conscience will probably not be much of a deterrent, because most people suppress it. They suppress it because they are hurried by the demands of their work and rely on faulty logic.

 

Greed also works: the prospect of getting something for nothing will prompt people to give out personal information that they normally would not. This is why the Nigerian email scam and ones like it are so successful. These types of scams are described at the United States Secret Service's website at http://www.secretservice.gov/alert419.shtml. The reason people fall for them is greed. The social engineer will also use the pressure salesmen use, saying that the only way to take advantage of an offer is to act now. The pressure to act now can be a sure sign that one has encountered a social engineer, and red flags should go up whenever one is pushed to act hastily. Social engineers also use guilt. Many times this tactic is used in reverse social engineering: the social engineer creates a problem for you, fixes the problem, then asks you for information and uses guilt to prod you for it. The social engineer makes you feel you owe them something. This is where technology may come in handy alongside the social engineering tactics. Consider this scenario: I go into a chat room using a chat program that is insecure (many are today) and engage in a conversation with a young woman named Ginny. Because this program is insecure, I can obtain Ginny's IP address from it. After talking with her a while I find that she is using a dial-up connection, which means she has little bandwidth. I add her to my buddy list so I know when she is online. I choose not to appear online myself, though, so she cannot see me, although I can tell when she is online. Over the next week, whenever I see her online, I run a denial of service attack against her, sending her far more traffic than her dial-up link can handle, which causes her problems. A week later I appear online again. Ginny thinks that I am a computer technician, because that's what I told her. She sends me an instant message asking me for help.
I say sure, no problem, anything for you, Ginny, you're my best friend online, you almost seem like a sister to me. I promise her that I'll have it fixed that day. She thanks me and I go offline. A few days later I appear back online and send Ginny a private message asking her if I fixed her problem. She is overjoyed and says I am a genius; she has had no more problems since our last conversation (of course not; I stopped the attack). She is very grateful and says if she can ever do anything to help me out, just let her know. I say, "Ginny, I appreciate the offer, because I am testing some new software I wrote and could use your help, if you don't mind; it will only take about 10 minutes." She asks what she can do, and I tell her all I need is to send her a small program that will send me a message when she gets it. I tell her it's just a test to check computer connectivity and it's harmless. She believes my intentions are good because I just helped her fix her computer. She happily agrees to help me and downloads the program. Ten minutes later I thank her and express my appreciation for her help. What Ginny does not know is that I just sent her a Trojan horse. Now everything Ginny types will be saved to a log and emailed to me. Now I move on to my next trick. I stay offline a day or two and then come back online. Meanwhile I have made a web page that offers free software to anyone who simply fills out a form. Ginny sends me a private message and asks how I am doing. I tell her great, and tell her about a great deal I found online for free software, saying that since I filled out a simple form I have gotten free movies and things like that. Ginny wants to get in on this deal, so I give her a hyperlink to the page I made up, telling her that it is safe and the personal information is just so the company can do surveys. She thanks me for passing on the information. An hour later I get an email from the Trojan on her machine.
In the email is everything she typed on that form. I now have her name, address, phone number, credit card number, Social Security number, and much other information. This is just one example of how reverse social engineering works.
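The emotional levers listed earlier (fear, greed, guilt, curiosity, trust) and the "act now" red flag can be turned into a mechanical check. The following Python scorer is an added example and is not code from the original article; the cue phrases and the three sample messages (a 419-style pitch, the guilt-based request from the Ginny scenario, and a benign note) are constructed for illustration, and the thresholds are an assumption, not a measured model.

```python
"""Heuristic scorer for social engineering pressure cues in a message.

Added example, not from the original article. The cue vocabulary, the
sample messages and the verdict thresholds are constructed assumptions;
the lever categories follow the emotions the article lists.
"""
import re
from dataclasses import dataclass, field

# Constructed cue phrases per emotional lever (illustrative, not exhaustive).
LEVERS = {
    "urgency": [r"\bact now\b", r"\bimmediately\b", r"\burgent\b",
                r"\bwithin \d+ hours\b", r"\blast chance\b",
                r"\bexpires? (today|soon)\b"],
    "greed": [r"\bfree\b", r"\bmillion\b", r"\bprize\b", r"\binheritance\b",
              r"\bpercent\b", r"\bunclaimed\b"],
    "fear": [r"\bsuspended\b", r"\bterminated\b", r"\blocked\b",
             r"\blegal action\b", r"\bunauthori[sz]ed\b"],
    "trust": [r"\bi am (the|a) (president|director|manager|technician)\b",
              r"\bon behalf of\b", r"\breferred me\b"],
    "guilt": [r"\byou owe\b", r"\bafter (all|everything) i\b",
              r"\breturn the favou?r\b", r"\bi (just )?helped you\b"],
    "curiosity": [r"\bsee attached\b", r"\byou won'?t believe\b",
                  r"\bclick (here|below)\b"],
}

# Requests that should never be satisfied on the strength of a message alone.
SENSITIVE_REQUESTS = [
    r"\bpassword\b", r"\bsocial security\b", r"\bcredit card\b",
    r"\bbank (account|details)\b", r"\bdate of birth\b",
    r"\bfax (me|back|copies|the)\b",
    r"\b(download|install|run) (this|the|my)\b",
]


@dataclass
class Assessment:
    levers: dict = field(default_factory=dict)     # lever -> matched cue phrases
    sensitive: list = field(default_factory=list)  # matched request phrases
    score: int = 0
    verdict: str = "no indicators"


def assess(text: str) -> Assessment:
    """Score a message by the emotional levers it pulls and whether it asks
    for something sensitive. One lever plus a sensitive request is enough to
    flag it: the pressure, not the content, is the tell."""
    lowered = text.lower()
    result = Assessment()
    for lever, patterns in LEVERS.items():
        hits = [m.group(0) for p in patterns for m in [re.search(p, lowered)] if m]
        if hits:
            result.levers[lever] = hits
    result.sensitive = [m.group(0) for p in SENSITIVE_REQUESTS
                        for m in [re.search(p, lowered)] if m]
    result.score = len(result.levers) + (2 if result.sensitive else 0)
    if result.levers and result.sensitive:
        result.verdict = "likely social engineering"
    elif len(result.levers) >= 2 or result.sensitive:
        result.verdict = "suspicious"
    return result


# Constructed sample messages (not real correspondence).
SAMPLE_419 = ("Dear friend, I am the director of audit at a national bank. A deceased "
              "client left 25 million dollars unclaimed and I need a foreign partner. "
              "You will keep 30 percent. This is urgent: send your bank account details "
              "within 24 hours, before the funds revert to the government.")
SAMPLE_REVERSE = ("Ginny, after everything I did to fix your machine you owe me ten "
                  "minutes. Just download this small test program, it is harmless and "
                  "only checks connectivity.")
SAMPLE_BENIGN = ("Hi Bill, are we still on for lunch at noon Thursday? Let me know if "
                 "the site is busy.")

if __name__ == "__main__":
    for name, msg in [("419", SAMPLE_419), ("reverse", SAMPLE_REVERSE),
                      ("benign", SAMPLE_BENIGN)]:
        a = assess(msg)
        print(f"{name:8s} score={a.score} verdict={a.verdict} "
              f"levers={sorted(a.levers)} sensitive={a.sensitive}")
```

The scorer deliberately weights the request more than the wording: a message that pulls a single lever and asks for a credential, a download, or a faxed document is flagged outright, because that combination is exactly what the invoice and Ginny scenarios rely on. Anything it flags should be verified out of band, by calling a number already on file rather than one the message supplies.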

 

Does this behavior really go on? I can assure you, after spending years online talking to white hats, black hats, and end users, it does. I have at times myself used such tactics to show individuals their vulnerabilities, in the hope that they would take my advice and secure themselves. I figured it would be better for me to attack them and show them they were vulnerable than to have a black hat attack them and use the information to rob them.

So far all have been thankful, but I have stopped using this approach for a while after watching the peril of Adrian Lamo and others who also used such tactics and got arrested.

Perhaps writing articles like this is a better way to make people aware of this than actually performing the exploits upon them.

 
