Mind-reading hackers are stealing your data

Hacking

IT security can often focus on patching software flaws and ensuring that network hardware is as fortified as possible, but is that the best solution?

We sat down with Drew McAdam, a keynote speaker at last week's RSA security summit in London, who says that one of the biggest security flaws could be right under our noses.

"It's all very well looking at the computer side of it," he says, "but an expression I heard once was PEBKAC", referring to the infamously snarky error code used by long-suffering IT departments. It is used to highlight issues caused by user incompetence, and stands for Problem Exists Between Keyboard and Chair'.

"It's the human side of things that I'm interested in I know that it comes down to individuals the psychology behind them". According to McAdam, that behaviour is the same worldwide: "That's where there's a weakness, which is probably often missed out".

His interest is perhaps not that surprising; McAdam is a mentalist, a quasi-magician who uses psychology, observation and behavioural analysis to deduce information about people. However, while the worlds of stage entertainment and infosecurity may seem quite different, they have more in common than they appear.

McAdam claims that the techniques he employs as part of his act can also be used by potential intruders to gain sensitive information, including passwords and other credentials. He demonstrated just how easy this was, deducing our writer's childhood house number in around a minute.

The reason he can do this so efficiently, he says, is that "only 27 per cent of all communication is verbal; the rest uses non-verbal cues." This includes things like body language and involuntary micro-expressions, and as a result, "you're giving out information all the time."

"The vulnerability is one that I use all the time on stage," McAdam says. This kind of cold reading' is one of the key components in a hacker's arsenal: the way you choose your passwords and PIN codes is based on your personal psychology, so "by getting inside your head I can work out the best way to attack."

Phishing is a good example of this phenomenon in action. Phishermen try to entice victims into clicking malicious links by examining targets and thinking "what is that person interested in, what's going to hit their hot button?"

On a basic and uninspired level, this is what the 419 scammers behind the Nigerian Prince' emails in your spam folder are trying to do, by using the broad appeal of money to lure in unsuspecting marks.

However, these attacks can often be highly sophisticated. The more information they have about you, the more convincingly these fraudsters can bait their hooks and, according to McAdam, getting this information has become frighteningly easy.

"Most of what mentalists do is based on what fake spiritualists and mediums and talkers to the dead were doing 150 years ago. They obviously didn't have a social network, but they could get information by other methods," McAdam says.

cartoon graphic of social media

This used to be done through a combination of shrewd observation and guesswork. Now, however, McAdam suggests people are giving away pieces of the security jigsaw puzzle through social media - whether that be Facebook, Instagram, Twitter or another platform.

This willingness to publish reams of information has made fraudsters jobs exponentially easier. And much detail can be gleaned as a result of just a little research.

This often lo-tech method of exploiting not the systems themselves, but the people operating them is known as social engineering'. It's not a new technique by any means in the late 1990s, Kevin Mitnick used it to become the world's most famous hacker,' allegedly gaining access to dozens of systems.

However, what worries McAdam is the increasing prevalence and prowess of this form of attack. "As far as I can see, people are becoming more skilled at that now," he observes, stating that the best method of entry is to "get somebody to open the door for you. It's that simple."

The numerous security flaws caused by the squishy bit in the middle' aren't just low-level risks, either. According to Verizon's Data Breach Investigation Report 2015, 95 per cent of attacks on web applications involved intruders simply walking in with stolen credentials.

McAdam sees the logic of this approach. He elaborates on the reasoning behind taking this method as opposed to other options like brute-force attacks by quoting Houdini: "Why pick the lock, when you can get the key?"

security on computer

The famous escapist is an apt comparison, as McAdam explains. "[When it comes to] the guys that are trying to get into these things, a lot of people would think it was ego... But what it really comes down to is people, very like myself, like solving puzzles."

Although increasing links have been found between hackers and organised crime, McAdam believes that the principal drive behind their activities is not financial but psychological.

Rather than breaking into systems for greed, the mentalist thinks they are instead motivated by the challenge of thinking "Can I do this, how can I do this, is there a better way? Now they've put that in place, can I get round it, can I get under it, can I get over it?"

This theory is lent credence by the large amount of legitimate hacker conferences such as Black Hat and GrrCon. At these events, security experts and hackers come together from all walks of life; not only those that exploit network vulnerabilities for profit, but also white hat hackers, who use their powers for good.

McAdam, however, thinks that these conventions represent a source of untapped potential. "I think you need to know your enemy. Forewarned is forearmed."

He suggests using such gatherings t to identify potential troublemakers before they act. "I would be using social engineering," he says. "[It's about] watching these people, watching the body language to work out who the guys we want to be talking to on a personal level round the back of the building [are]."

Hacker

He also brings up the fact that so much is carried out remotely, with threats treated as abstract concepts. "These are human beings, therefore they have human weaknesses. So we need to know who they are, what they're doing, what it is that motivates them," he says.

Although security breaches caused by these accidental leakages are an ongoing problem, McAdam believes that there are steps that can be taken to fix it. He suggests that simple training should be implemented, including just getting people to take a step back and think about the subject.

"Everybody's concentrating on, for example, emails coming in, phishing; should I click on that, what's the URL. That's fine, we've all been trained in that." But, he says, people need to be more aware of the malicious ways that the smallest scraps of data can be used.

He aims to change that via his appearances at events such as the RSA conference "Hopefully," he says, "people will go away thinking 'it's much easier to get information than I thought it was.'"

Though he readily admits that he's no expert when it comes to the nuts and bolts of IT security, McAdam feels that too much importance is sometimes placed on fixing the software problems rather than the human errors that cause them. "That's the [real] weakness. It's people. It all comes down to people," he concludes.

Adam Shepherd

Adam Shepherd has been a technology journalist since 2015, covering everything from cloud storage and security, to smartphones and servers. Over the course of his career, he’s seen the spread of 5G, the growing ubiquity of wireless devices, and the start of the connected revolution. He’s also been to more trade shows and technology conferences than he cares to count.

Adam is an avid follower of the latest hardware innovations, and he is never happier than when tinkering with complex network configurations, or exploring a new Linux distro. He was also previously a co-host on the ITPro Podcast, where he was often found ranting about his love of strange gadgets, his disdain for Windows Mobile, and everything in between.

You can find Adam tweeting about enterprise technology (or more often bad jokes) @AdamShepherUK.