As part of National Cybersecurity Month, I am traveling the country giving my talk on Hacking Your Mind – How you are being exploited by hackers of all sorts! pro bono to public and private organizations alike. Here are the slides, the notes and so forth! As always, I am better in person.
Below is each slide (and the videos) with my speaker notes. Enjoy!
Hi and thanks for attending this presentation on how you are being exploited by hackers of all sorts!
Welcome to Hacking Your Mind!
My name is Kai Roer, and this presentation is all about me. So let me start:
I have been working with leadership, computers and information security since 1994, a ride that has enabled me to write several books, travel to more than 30 countries, and appear on radio, TV and printed media more times than I can remember.
Simply put, as you can see on this slide, I am an awesome guy!
But don't take just my word for it:
Rather, take a look at what some of the people I have worked with over the years say about me. Obviously, so many people saying so much great stuff means something, right?
Not only am I an awesome guy, I know what I'm doing too!
And there is more! People from all over the world go nuts when I'm around.
That is what I do. I hack their minds. Into doing what I want.
Today, I am sharing some of the secrets about how the human mind helps social engineers and hackers make you do what they want.
I will be talking about how your mind is being exploited by hackers of all kinds – from sales people to your boss, from the social engineer who tries to gain access to your offices, to the phishing attempt you are receiving at this very moment.
Broken down, I will look at three mental mechanisms that play together to turn you into a victim.
- I will look at how our social abilities and our need to be accepted and liked make it easy for someone to ask a favor of us.
- I will show how our brains have evolved into a dangerous tool that prefers to take shortcuts – shortcuts that make you click that phishing link.
- Finally, I will explain how social structures are being exploited to make us follow those who lead us into temptation.
But first, let us establish a fact.
That fact is: You like me. Yes you do! I made you laugh, and I have established myself as an authority on hacking your mind. You are curious, and even if you don't like the fact that you do like me, the fact remains. You like me. Enough to make you vulnerable.
As you saw in the #HolaKai video, requests can be small, and non-intrusive, making it easier to comply.
This trick is being used by hackers of all sorts to convince you that it is perfectly safe for you to spend your time and money with this person. It works like this:
As social creatures, we form groups of our friends (and colleagues, family and others), groups of which we are members. We call these groups in-groups. Everyone who is not a member of a particular in-group of ours is automatically considered to be in an out-group – i.e. a group that may be competing for our resources, interests, politics and whatnot. Think of your favorite sports team. Your team is the best, other teams are…well, not relevant, right?
Think of a fellow fan of your sports team, let us call him John. John approaches you and asks you for a favor. You have never really spoken to John before, but because you are both fans of the same team, you agree to help him out.
Had John not been a supporter of your sports team, the chances of you helping him out would be slim.
So how do hackers exploit this vulnerability? Easy! They do as I did: they make you laugh, they make you enjoy their company, and they quickly build an in-group of which you are both members. An example:
These are musicians. Or pleasure-hackers, if you like. They are making you feel good, because they want you to give them money. Take a close look at how they flirt with the participants (the camera in this case), and how they interact with the audience. All of it is done to make you give up your hard-earned cash so they can go and buy some beers (and there is nothing wrong with that, especially when they are also great musicians!)
A hacker would use similar tactics (possibly without the instruments!) to have you open a door to your office space, to ask you for information or to have you visit a website where they will automatically compromise your computer.
Now, let's take a look at how your brain is handling those requests!
Your brain is an amazing computing unit. It handles a large amount of different information at any time – even when you sleep. It is also amazingly fast at arriving at conclusions, and there are bound to be false positives and negatives. In other words – amazing as your brain is – it is not without flaws.
According to Daniel Kahneman, your brain consists of two kinds of circuits: Lightning Fast Shortcuts; and Process Intensive Hard Work. Shortcuts or Hard Work – what do you think your brain prefers?
Just like me, your brain is lazy, and tries to avoid hard work as best it can! So if you leave the choice to your brain, it chooses shortcuts every time. Plain, simple and fast.
So how does your brain's laziness make you vulnerable to hackers?
Let's take a look!
(Recommended reading: «Thinking, Fast and Slow» by Daniel Kahneman)
The best trick you can play on anyone's brain is to tell it that something is urgent. Somehow, when your brain thinks that we are running out of time, it just accepts anything at face value.
This shortcut has been used by marketers since forever to make you buy stuff you never needed in the first place. A bad manager also uses this shortcut to make you do things he believes should be done (while good managers have learned a lesson or two from Dr. Stephen Covey's Time/Importance Matrix).
A hacker may use urgency in any number of ways. In a spear phishing attack, a hacker may send you an e-mail that resonates well with you, perhaps referring to a current and important project you are managing. The email may even be sent to you at a time when you are heading into an important meeting, and the email may use a title that relates to the current project to catch your attention.
Because you are in a hurry, and the project is important to you, you are more likely to open the email and any attachments, effectively opening your computer and your workplace to malicious code execution.
Stress and urgency make you vulnerable to attack. Hackers know that. Hackers exploit that. Your job is to slow your brain down and review the information requests you receive – every time, all the time.
Suggested reading: «The 7 Habits of Highly Effective People» by Dr. Stephen Covey
Humans are social creatures, we live in groups, we form complex societies. To make such complex societies work, we need rules and policies, and we need to be able to tell friend from foe – preferably before said foe kills us. More importantly, we need to be able to recognize who is in charge – what is the pecking order, and where do we fit in?
Some studies suggest that humans are able to decipher the pecking order automatically, just like Kahneman's shortcuts from earlier. What is more, it seems this is so ingrained in our organism that even small babies are able to recognize the power structure of a group of people.
And there are, of course, tricks to use to make other people perceive you as an authority – tricks used by hackers all the time. You have already witnessed one such trick today:
By showing off what I have done, what I do, and what people say about me, I have effectively shown that I am someone who matters on this topic. I have established myself as an authority on the subject.
Of course, since I am here as a speaker, and you are here to listen to me, we have established that authority relationship even without the need for me to show off. However, by reinforcing the message, and giving you even more reason to build that awe, you are less likely to challenge me, and more likely to accept my claims at face value.
Just like the hacker wants you to.
There are many kinds of authorities out there, this is just one example. The important thing about the power of authorities is the perceived value of their requests and orders, which makes them harder to refuse. In this picture, the command structure is clear and not disputed, and the soldier to the left follows the orders without question.
When you encounter people who you perceive as an authority, you are less likely to question their instructions and requests. You are more likely to accept their arguments, and to do their bidding. You are, after all, accepting them as more knowledgeable, smarter, better or just more worthy than yourself, effectively stripping yourself of the power to say No!
Hackers use this strong urge to comply with authorities to force their way with you. One example is the so-called Windows Support phone call scam, where the support person on the call tells you to open your browser and visit a particular link. As a support person, (s)he is perceived by you as more knowledgeable, an authority, and because of that, you do not question the perhaps strange request to have you visit a website, a website that will have you download malware.
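The urgency lever from the spear phishing passage above and the authority lever from the support-scam example can be turned into a simple triage aid for the "slow your brain down and review every request" advice. The scorer below is an added illustration, not material from the talk or from Kai Roer; the cue lists, the weighting, the threshold and the two sample messages are all constructed assumptions for demonstration, not a vetted detection rule set. It flags a message when several of the three levers (liking, urgency, authority) stack on top of a request for action, which is exactly the pattern the talk describes.

```python
"""
Phishing-lure cue scorer (added illustration; not the talk's own material).

Scores a message for the three manipulation levers described in the talk:
in-group/liking language, manufactured urgency, and claimed authority.
Every cue list, weight, threshold and sample message here is a constructed
assumption for demonstration, not a vetted detection rule set.
"""
import re
from dataclasses import dataclass, field

# Cue phrases grouped by the lever they pull. Constructed lists; a real
# deployment would tune these against its own mail corpus.
CUES = {
    "urgency": [
        r"\burgent(ly)?\b", r"\bimmediately\b", r"\bright away\b",
        r"\bwithin \d+ (hours?|minutes?)\b", r"\bbefore (the )?(meeting|deadline)\b",
        r"\blimited time\b", r"\bact now\b", r"\btoday\b",
    ],
    "authority": [
        r"\b(ceo|cfo|director|it support|help ?desk|support team)\b",
        r"\bon behalf of\b", r"\bper (my|our) instructions\b",
        r"\bthis is (an )?official\b", r"\bmandatory\b",
    ],
    "liking": [
        r"\bfellow\b", r"\bas a (friend|colleague)\b", r"\bwe both\b",
        r"\blike you\b", r"\bour team\b", r"\bgreat (talk|game) (last|yesterday)\b",
    ],
}

# Requests that, combined with the cues above, make a message worth a second look.
REQUEST_PATTERNS = [
    r"\bopen (the )?attach(ed|ment)\b", r"\bclick (the |this )?link\b",
    r"\bvisit\b", r"\breset your password\b", r"\bwire\b", r"\bgift cards?\b",
]


@dataclass
class CueReport:
    hits: dict = field(default_factory=dict)   # lever -> matched phrases
    has_request: bool = False

    @property
    def score(self) -> int:
        # One point per lever that fired, plus one if an action is requested.
        # Two or more means stacked pressure: slow down and verify out of band.
        return sum(1 for v in self.hits.values() if v) + int(self.has_request)


def score_message(subject: str, body: str) -> CueReport:
    """Match every cue pattern against subject + body and collect hits per lever."""
    text = f"{subject}\n{body}".lower()
    report = CueReport()
    for lever, patterns in CUES.items():
        matched = [m.group(0) for p in patterns for m in re.finditer(p, text)]
        if matched:
            report.hits[lever] = matched
    report.has_request = any(re.search(p, text) for p in REQUEST_PATTERNS)
    return report


def triage(subject: str, body: str, threshold: int = 2) -> str:
    """Return 'verify' when enough levers stack up, else 'normal'."""
    return "verify" if score_message(subject, body).score >= threshold else "normal"


# Constructed sample messages (not real mail).
SAMPLES = {
    "spear": (
        "Project Atlas budget - needs sign-off before the meeting",
        "Hi, per my instructions from the CFO this is urgent. "
        "Open the attached sheet right away so we both look good in the review.",
    ),
    "benign": (
        "Lunch next week?",
        "Hi, are you free for lunch on Thursday? No rush, just let me know.",
    ),
}

if __name__ == "__main__":
    for name, (subj, body) in SAMPLES.items():
        r = score_message(subj, body)
        print(f"{name}: {triage(subj, body)} (score {r.score}) hits={r.hits}")
```

The point of the scorer is not that keyword matching catches phishing (it does not; attackers rephrase), but that it makes the stacking of levers visible: the constructed "spear" sample trips urgency, authority and liking and asks for an attachment to be opened, which is the combination the talk says should make you stop and verify through a channel the sender does not control.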
I have just told you about how your mind is being exploited by hackers of all kinds. Salespeople, managers, social engineers – and your kids too!
The fact that you like someone makes you more likely to do what they request of you. So as a social engineer, I will use this to befriend you, and then make a request you would otherwise decline.
Next, I looked at how our heuristics, the shortcuts in our brains, make us vulnerable to urgency. Remember that, next time you see a Limited Time Offer!
Finally, I shared some of the ways authorities may be using us, and how hackers use the pecking order to have you stop questioning their actions.
What questions do you have?
I may be hanging around in the shadows if you have any questions and comments you'd like to share with me.
Thank you for being here! I hope you had as great a joy as I did!