In this paper, we define a category of computer security exploits called "cognitive hacking." Loosely speaking, cognitive hacking refers to a computer or information system attack that relies on changing human users' perceptions and corresponding behaviors in order to be successful. This is in contrast to denial of service (DOS) and other kinds of well-known attacks that operate solely within the computer and network infrastructure. Several cognitive hacking techniques are illustrated by example and a taxonomy for these types of attacks is developed. Technologies for preventing and mitigating the effects of cognitive hacking attacks are proposed as well.
Table of Contents
I. Introduction and Background
II. Legal Issues in Cognitive Hacking
III. Examples of Cognitive Hacking
IV. Possible Countermeasures
Introduction and Background
Computer and network security present great challenges to our evolving information society and economy. The variety and complexity of cybersecurity attacks that have been developed parallel the variety and complexity of the information technologies that have been deployed, with no end in sight for either. In this paper, we delineate between two classes of information systems attacks: autonomous attacks and cognitive attacks.
Autonomous attacks operate totally within the fabric of the computing and networking infrastructures. For example, the well-known Unicode attack against older, unpatched versions of Microsoft's Internet Information Server (IIS) can lead to root/administrator access. Once such access is obtained, any number of undesired activities by the attacker is possible. For example, files containing private information such as credit card numbers can be downloaded and used by an attacker. Such an attack does not require any intervention by users of the attacked system, hence we call it an "autonomous" attack.
By contrast, a cognitive attack requires some change in users' behavior, effected by manipulating their perception of reality. The attack's desired outcome cannot be achieved unless human users change their behaviors in some way. Users' modified actions are a critical link in a cognitive attack's sequencing. To illustrate what we mean by a cognitive attack, consider the following news report:
"Friday morning, just as the trading day began, a shocking company press release from Emulex (Nasdaq: EMLX) hit the media waves. The release claimed that Emulex was suffering the corporate version of a nuclear holocaust. It stated that the most recent quarter's earnings would be revised from a $0.25 per share gain to a $0.15 loss in order to comply with Generally Accepted Accounting Principles (GAAP), and that net earnings from 1998 and 1999 would also be revised. It also said Emulex's CEO, Paul Folino, had resigned and that the company was under investigation by the Securities and Exchange Commission.
Trouble is, none of it was true.
The real trouble was that Emulex shares plummeted from their Thursday close of $113 per share to $43 -- a rapid 61% haircut that took more than $2.5 billion off of the company's hide -- before the shares were halted an hour later. The damage had been done: More than 3 million shares had traded hands at the artificially low rates. Emulex vociferously refuted the authenticity of the press release, and by the end of the day the company's shares closed within a few percentage points of where they had opened."
Mark Jacob, 23 years old, fraudulently posted the bogus release on Internet Wire, a Los Angeles press-release distribution firm. The release was picked up by several business news services and widely redistributed without independent verification. The speed, scale and subtlety with which networked information propagates have created a new challenge for society, outside the domain of classical computer security which has traditionally been concerned...