Cognitive Hacking

In this paper, we define a category of computer security exploits called "cognitive hacking." Loosely speaking, cognitive hacking refers to a computer or information system attack that relies on changing human users' perceptions and corresponding behaviors in order to be successful. This is in contrast to denial of service (DOS) and other kinds of well-known attacks that operate solely within the computer and network infrastructure. Several cognitive hacking techniques are illustrated by example and a taxonomy for these types of attacks is developed. Technologies for preventing and mitigating the effects of cognitive hacking attacks are proposed as well.

Table of Contents

Page

I. Introduction and Background 1

II. Legal Issues in Cognitive Hacking 5

III. Examples of Cognitive Hacking 7

IV. Possible Countermeasures 14

V. Bibliography 20

I. Introduction and Background

Computer and network security present great challenges to our evolving information society and economy. The variety and complexity of cybersecurity attacks that have been developed parallel the variety and complexity of the information technologies that have been deployed, with no end in sight for either. In this paper, we delineate between two classes of information systems attacks: autonomous attacks and cognitive attacks.

Autonomous attacks operate totally within the fabric of the computing and networking infrastructures. For example, the well-know unicode attack against older, unpatched versions of Microsoft's Internet Information Server (IIS) can lead to root/administrator access. Once such access is obtained, any number of undesired activities by the attacker is possible. For example, files containing private information such as credit card numbers can be downloaded and used by an attacker. Such an attack does not require any intervention by users of the attacked system, hence we call it an "autonomous" attack.

By contrast, a cognitive attack requires some change in users' behavior, effected by manipulating their perception of reality. The attack's desired outcome cannot be achieved unless human users change their behaviors in some way. Users' modified actions are a critical link in a cognitive attack's sequencing. To illustrate what we mean by a cognitive attack, consider the following news report:

"Friday morning, just as the trading day began, a shocking company press release from Emulex (Nasdaq: EMLX) hit the media waves. The release claimed that Emulex was suffering the corporate version of a nuclear holocaust. It stated that the most recent quarter's earnings would be revised from a $0.25 per share gain to a $0.15 loss in order to comply with Generally Accepted Accounting Principles (GAAP), and that net earnings from 1998 and 1999 would also be revised. It also said Emulex's CEO, Paul Folino, had resigned and that the company was under investigation by the Securities and Exchange Commission.

Trouble is, none of it was true.

The real trouble was that Emulex shares plummeted from their Thursday close of $113 per share to $43 -- a rapid 61% haircut that took more than $2.5 billion off of the company's hide -- before the shares were halted an hour later. The damage had been done: More than 3 million shares had traded hands at the artificially low rates. Emulex vociferously refuted the authenticity of the press release, and by the end of the day the company's shares closed within a few percentage points of where they had opened."

Mark Jacob, 23 years old, fraudulently posted the bogus release on Internet Wire, a Los Angeles press-release distribution firm. The release was picked up by several business news services and widely redistributed scale without independent verification. The speed, scale and subtlety with which networked information propagates have created a new challenge for society, outside the domain of classical computer security which has traditionally been concerned with ensuring that all use of a computer and network system is authorized.

The use of information to affect the behavior of humans is not new. Language, or more generally communication, is used by one person to influence another. Propaganda has long been used by governments, or by other groups, particularly in time of war, to influence populations [7, 11, 12, 28]. Although the message conveyed by propaganda, or other communication intended to influence, may be believed to be true by the propagator, it usually is presented in a distorted manner, so as to have maximum persuasive power, and, often, is deliberately misleading, or untrue. Propaganda is a form of perception management. Other types of perception management include psychological operations in warfare [17], consumer fraud, and advertising [7].

Perception Management

As noted by many authors, e.g. [7, 9, 12], perception management is pervasive in contemporary society. Its manifestation on the internet is one aspect of the broader phenomenon. Not all perception management is negative, e.g., education can be considered a form of perception management, nor is all use of perception management on the Internet cognitive hacking (see definition below). Clearly the line between commercial uses of the internet such as advertising, which would not be considered as cognitive hacking, and manipulation of stock prices by the posting of misinformation in news groups, which would be so considered, is a difficult one to distinguish.

Computer Security Taxonomies

In 1981 Landwehr provided a discussion of computer system security which has framed subsequent discussion of computer security [19]. His model arose from a consideration of the requirements of military security as automated systems replaced paper based systems. He postulated that:

Information contained in an automated system must be protected from three kinds of threats: (1) the unauthorized disclosure of information, (2) the unauthorized modification of information, and (3) the unauthorized withholding of information (usually called denial of service).

He concludes his discussion by stating that "Without a precise definition of what security means and how a computer can behave, it is meaningless to ask whether a particular computer system is secure" [19]. If certain uses and