
Mind-reading hackers are stealing your data

Mentalist Drew McAdam says that security experts are overlooking the human factor


IT security can often focus on patching software flaws and ensuring that network hardware is as fortified as possible, but is that the best solution?

We sat down with Drew McAdam, a keynote speaker at last week's RSA security summit in London, who says that one of the biggest security flaws could be right under our noses.


"It's all very well looking at the computer side of it," he says, "but an expression I heard once was PEBKAC", referring to the infamously snarky error code used by long-suffering IT departments. It is used to highlight issues caused by user incompetence, and stands for 'Problem Exists Between Keyboard and Chair'.

"It's the human side of things that I'm interested in. I know that it comes down to individuals, the psychology behind them." According to McAdam, that behaviour is the same worldwide: "That's where there's a weakness, which is probably often missed out."

His interest is perhaps not that surprising; McAdam is a mentalist, a quasi-magician who uses psychology, observation and behavioural analysis to deduce information about people. However, while the worlds of stage entertainment and infosecurity may seem quite different, they have more in common than they appear.

McAdam claims that the techniques he employs as part of his act can also be used by potential intruders to gain sensitive information, including passwords and other credentials. He demonstrated just how easy this was, deducing our writer's childhood house number in around a minute.


The reason he can do this so efficiently, he says, is that "only 27 per cent of all communication is verbal; the rest uses non-verbal cues." This includes things like body language and involuntary micro-expressions, and as a result, "you're giving out information all the time."

"The vulnerability is one that I use all the time on stage," McAdam says. This kind of 'cold reading' is one of the key components in a hacker's arsenal: the way you choose your passwords and PIN codes is based on your personal psychology, so "by getting inside your head I can work out the best way to attack."

Phishing is a good example of this phenomenon in action. Phishermen try to entice victims into clicking malicious links by examining targets and thinking "what is that person interested in, what's going to hit their hot button?"

On a basic and uninspired level, this is what the 419 scammers behind the 'Nigerian Prince' emails in your spam folder are trying to do, by using the broad appeal of money to lure in unsuspecting marks.


However, these attacks can often be highly sophisticated. The more information they have about you, the more convincingly these fraudsters can bait their hooks and, according to McAdam, getting this information has become frighteningly easy.

"Most of what mentalists do is based on what fake spiritualists and mediums and talkers to the dead were doing 150 years ago. They obviously didn't have a social network, but they could get information by other methods," McAdam says.

This used to be done through a combination of shrewd observation and guesswork. Now, however, McAdam suggests people are giving away pieces of the security jigsaw puzzle through social media - whether that be Facebook, Instagram, Twitter or another platform.

This willingness to publish reams of information has made fraudsters' jobs exponentially easier, and a great deal of detail can be gleaned from just a little research.


This often low-tech method of exploiting not the systems themselves, but the people operating them, is known as 'social engineering'. It's not a new technique by any means; in the late 1990s, Kevin Mitnick used it to become the world's 'most famous hacker', allegedly gaining access to dozens of systems.


However, what worries McAdam is the increasing prevalence and prowess of this form of attack. "As far as I can see, people are becoming more skilled at that now," he observes, stating that the best method of entry is to "get somebody to open the door for you. It's that simple."

The numerous security flaws caused by the 'squishy bit in the middle' aren't just low-level risks, either. According to Verizon's Data Breach Investigation Report 2015, 95 per cent of attacks on web applications involved intruders simply walking in with stolen credentials.

McAdam sees the logic of this approach. He elaborates on the reasoning behind taking this method as opposed to other options like brute-force attacks by quoting Houdini: "Why pick the lock, when you can get the key?"


The famous escapist is an apt comparison, as McAdam explains. "[When it comes to] the guys that are trying to get into these things, a lot of people would think it was ego... But what it really comes down to is people, very like myself, like solving puzzles."


Although links between hackers and organised crime are increasingly being found, McAdam believes that the principal drive behind their activities is not financial but psychological.

Rather than breaking into systems for greed, the mentalist thinks they are instead motivated by the challenge of thinking "Can I do this, how can I do this, is there a better way? Now they've put that in place, can I get round it, can I get under it, can I get over it?"


This theory is lent credence by the large number of legitimate hacker conferences such as Black Hat and GrrCon. At these events, security experts and hackers come together from all walks of life: not only those that exploit network vulnerabilities for profit, but also white hat hackers, who use their powers for good.

McAdam, however, thinks that these conventions represent a source of untapped potential. "I think you need to know your enemy. Forewarned is forearmed."


He suggests using such gatherings to identify potential troublemakers before they act. "I would be using social engineering," he says. "[It's about] watching these people, watching the body language to work out who the guys we want to be talking to on a personal level round the back of the building [are]."


He also brings up the fact that so much is carried out remotely, with threats treated as abstract concepts. "These are human beings, therefore they have human weaknesses. So we need to know who they are, what they're doing, what it is that motivates them," he says.

Although security breaches caused by these accidental leakages are an ongoing problem, McAdam believes that there are steps that can be taken to fix it. He suggests that simple training should be implemented, including just getting people to take a step back and think about the subject.

"Everybody's concentrating on, for example, emails coming in, phishing; should I click on that, what's the URL. That's fine, we've all been trained in that." But, he says, people need to be more aware of the malicious ways that the smallest scraps of data can be used.


He aims to change that via his appearances at events such as the RSA conference. "Hopefully," he says, "people will go away thinking 'it's much easier to get information than I thought it was.'"

Though he readily admits that he's no expert when it comes to the nuts and bolts of IT security, McAdam feels that too much importance is sometimes placed on fixing the software problems rather than the human errors that cause them. "That's the [real] weakness. It's people. It all comes down to people," he concludes.
