Cognitive Hacking

In this paper, we define a category of computer security exploits called "cognitive hacking." Loosely speaking, cognitive hacking refers to a computer or information system attack that relies on changing human users ' perceptions and corresponding behaviors in order to be successful. This is in contrast to denial of service (DOS) and other kinds of well-known attacks that operate solely within the computer and network infrastructure. Several cognitive hacking techniques are illustrated by example and a taxonomy for these types of attacks is developed. Technologies for preventing and mitigating the effects of cognitive hacking attacks are proposed as well.

Table of Contents Page I. Introduction and Background 1 II. Legal Issues in Cognitive Hacking 5 III. Examples of Cognitive Hacking 7 IV. Possible Countermeasures 14 V. Bibliography 20
I. Introduction and Background

Computer and network security present great challenges to our evolving information society and economy. The variety and complexity of cybersecurity attacks that have been developed parallel the variety and complexity of the information technologies that have been deployed, with no end in sight for either. In this paper, we delineate between two classes of information systems attacks: autonomous attacks and cognitive attacks.

Autonomous attacks operate totally within the fabric of the computing and networking infrastructures. For example, the well-know unicode attack against older, unpatched versions of Microsoft 's Internet Information Server (IIS) can lead to root/administrator access. Once such access is obtained, any number of undesired activities by the attacker is possible. For example, files containing private information such as credit card numbers can be downloaded and used by an attacker. Such an attack does not require any intervention by users of the attacked system, hence we call it an "autonomous" attack.

By contrast, a cognitive