«Abstract: Vulnerability to deception is part of human nature, owing to fundamental limitations of the human mind. This vulnerability is exploited by ...»
First, false expectations are created whenever someone misunderstands how something works [Hus97, San84]. For example, it is not uncommon for emerging computer technology to be grossly over-valued by consumers and investors. Historical examples include artificial intelligence, Java, and even the Internet. Consumers and investors who hold such false expectations are vulnerable to deception, and the vulnerability is invariably exploited by conmen who promise to deliver the emerging technology. Similarly, many hackers will also hold popular delusions about emerging technology, and these false expectations could be exploited to deceive them. For instance, firewalls and intrusion detection systems (IDSs) are security systems whose power and effectiveness have, historically, been widely over-estimated. It may be possible to deter hackers by using deception to exaggerate the effectiveness of a network’s computer-security systems. As an example, hacking instances that are detected by conventional means could be attributed to the “new generation of powerful IDSs.” Indeed, in the mid-80s, a hacker wrongly concluded that his subsequent attempts to access a computer system at SRI International failed because of an IDS. His expectations were based on reading a report about IDSs on the machine, and deducing that the concept had been implemented. In fact, the passwords on the system had been changed following his initial break-in.
Second, trust creates expectations that can make a person vulnerable to deception [San84]. If the deception target trusts something that is corrupt, or corruptible, then that trust can be used to deceive. For example, consumers tend to trust name brands, and a corporation can deceptively exploit that trust by selling substandard products under its brand. Deception occurs when the corporation allows buyers to assume the substandard product is of the same quality as its other products. Similarly, hackers rely on a variety of systems, tools and organizations, and their trust in these things can potentially be exploited. As an example, when hackers break into Unix computers, they often download and compile hacking tools. Their trust in the resident compilers can be exploited. For instance, the compilers can be rigged to create binaries that secretly trigger security alarms whenever the code is run.
4.3 A guilty conscience
King Solomon observed that “the wicked flee when no one pursues...” (Proverbs 28:1).
Apparently, criminals have a guilty conscience, and it tends to make them paranoid about getting caught and punished. They are hypersensitive to the possibility of detection and retribution.
Also, they respond fearfully. Such hypersensitivity can make them vulnerable to deceptive indicators of detection and retribution. For example, fake security cameras, and signs warning about nonexistent alarm systems, can be very effective.
DoD Cyber Crime Conference 2007 (c) 2007, by the authors
In computer security, most hackers are criminals, e.g., trespassing script-kiddies, cyber thieves, and state-sponsored hackers who are engaged in unjust warfare. Hackers’ guilty consciences can make them hypersensitive to deceptive indicators of detection and retribution.
For instance, well publicized hacking prosecutions can be used to exaggerate intrusion response capabilities. Also, fake displays of network intrusion-detection systems can be used to exaggerate detection capabilities, as commonly done in physical security. For example, if hackers suspect honeypots are being used, real computers can be given honeypot components that hackers look for, such as a keystroke logger.
4.4 Cravings and compulsions
One of con-men’s most well known techniques is to exploit greed [BW82, San84].
Greed powerfully lulls suspicion, impairs critical thinking, and thereby makes people vulnerable to deception. In general, there are a variety of cravings and compulsions that impair thinking and make humans vulnerable to deception. The causes of these cravings and compulsions include:
a) moral vices, such as greed, substance abuse, uncontrolled anger, and a lust for power and fame;
b) desperation, as seen by the perpetual sales of fraudulent remedies for terminal illnesses and excess weight; and
c) psychological disorders, such as obsessive-compulsive behavior.
Cravings and compulsions make humans vulnerable to deception in two ways. First, they impair the thinking abilities needed for counterdeception. Secondly, when a deception offers the target what he wants, the opportunity will often arouse his suspicions. In such cases, cravings and compulsions can cause the target to take foolish risks and thereby fall for suspected deceptions.
Hackers are often characterized by their vices and disorders. As described earlier, most hackers are criminals, and consequently, they are engaged in vice. For example, many script kiddies covet the technical abilities that will make them “elite” and famous among their peers.
Cyber thieves are driven by greed. Hacking itself can be highly intriguing, and hackers commonly display extreme obsessive-compulsive behavior in their hacking. A good example is the hacker Matt Singer, who was unemployed and hacked constantly [FM97].
Deception can exploit the target’s impaired critical thinking, caused by cravings and compulsions. For instance, Singer’s obsessive behavior seemed to impair sober-minded reflection about his vulnerabilities and risks. When his brother cautioned him about getting caught, he replied that he was telnetting through too many systems to be tracked. Apparently, it did not occur to Singer that his initial connection was often to the same university network, and its system administrator was stealthily monitoring his world-wide hacking adventures.
4.5 Limitations in critical thinking
Another vulnerability to fraud arises from deficient critical thinking. There are two types of such thinking that con-men often exploit, and they can be used for computer security deceptions. One deficiency is credulity, or the willingness to believe something based on slight or uncertain evidence [San94]. A common cause of credulity is naiveté, as superficial knowledge can limit critical thinking and make one vulnerable to deception. Hackers can be quite naive about the networks they hack, due to their unfamiliarity with the network topology and the operation it supports, e.g., banking or military. Script-kiddies will tend to be credulous due to youthful naiveté. Another deficiency in critical thinking is laziness [San84]. It may be possible for a hacker to discover a deception, but the deception will be safe if the hacker is not willing to invest the effort required for discovery. Hackers who do not fear being caught, or who act impetuously, may simply not make the effort needed for counterdeception. Many script-kiddies are likely to act in this manner.
5 Conclusion
Table 1 summarizes the eleven psychological vulnerabilities to deception presented in the paper. Exploitation of the vulnerabilities can increase a deception’s likelihood of success. An understanding of the vulnerabilities is a tool for the deception planner’s toolbox, and the vulnerabilities’ most significant uses are recapped here. In the military and intelligence deception literature, there is a resounding admonition to exploit the target’s expectations and desires. The work of fraud artists indicates that the target’s cravings and compulsions are desires that make him particularly vulnerable to deception. In general, deceptions that are contrary to the target’s expectations should be avoided, if possible.
From our analysis of deceptions that exploit psychological vulnerabilities, we make three observations regarding their application to computer security. First, deceptions that exaggerate security capabilities such as intrusion detection can potentially exploit a guilty conscience, false expectations and all of the cognitive biases. Second, things that the target expects to be hidden can often be deceptively portrayed just by showing their indicators or evidence. Such deceptions can potentially exploit biases toward causal explanations, oversensitivity to consistency, and difficulties in detecting missing evidence. Third, deceptions based on conditioning can exploit biases toward causal explanations and biases in estimating probabilities.
There are limitations to exploiting psychological vulnerabilities to deception owing to uncertainties in the target’s reaction. Fortunately, there are several ways the deception planner can manage or reduce the problems associated with this uncertainty. First, the uncertainty can be reduced by gaining a better understanding of the targets’ psychological vulnerabilities. Second, although some psychological vulnerabilities are capricious, others are more predictable, such as hackers’ expectations about network traffic. Third, when designing deception operations, the deception planner does not have to focus on exploiting the target’s psychological vulnerabilities, but rather, he can exploit the vulnerabilities when the opportunity presents itself. Lastly, for many deceptions, the exploitation of psychological vulnerabilities does not have to work all the time, just often enough to be useful.
The savvy deception target will be familiar with psychological vulnerabilities to deception. He will seek to minimize them and to detect attempts to exploit them. For instance, his counterdeception work will benefit from the knowledge that most deceptions will seek to exploit his expectations and desires. However, to a certain extent, psychological vulnerabilities to deception are unavoidable, due to the inherent weaknesses and limitations of humans. For example, although expectations are fallible, they are a necessary means for making sense of the overwhelming information received by the senses. The target must form expectations, and these expectations can often be used to advantage in deception.
WWII deception planner Lt Col Geoffrey Barkas provides an insight into the human vulnerability to deception [Bar52]. Barkas was responsible for many of the highly successful deceptions that contributed to Rommel's defeat in North Africa in 1942. After seeing the Germans capture a dummy oil port he had built, Barkas thought the Germans would never be fooled again, as they had now seen what British deceptions could accomplish. However, further successful deceptions led Barkas to conclude that, "as long as the enemy has a good intelligence service and pays attention to what it says, it will be possible to fool him again and again." The British used the German intelligence service to communicate deception stories to the German military leaders. The Germans could be deceived repeatedly because their human limitations left them ever vulnerable to deception. In general, deception is always a possibility, as the target's counter-deception efforts cannot fully overcome his inherent vulnerabilities to deception. This often provides the deceiver with an advantage over the target. However, the advantage is not unilateral—the deceiver is also flesh and blood, and inherently vulnerable to deception himself.
6 Bibliography
[Bar52] Barkas, G. The Camouflage Story, Cassell & Co. Ltd, 1952.
[BW82] Bell, J., B. Whaley. Cheating and Deception. Transaction Publishers, 1982.
[CIA80] Deception Maxims: Fact and Folklore, Deception Research Program, Office of Research and Development, Central Intelligence Agency, 1980.
[Dew89] Dewar, M. The Art of Deception in Warfare, David & Charles, 1989.
[DH82a] Daniel, D., K. Herbig, editors. Strategic Military Deception, Pergamon Press, 1982.
[DH82b] Daniel, D., K. Herbig. “Propositions on Military Deception”, in [DH82a].
[FM97] Freedman, D.H. and C.C. Mann. At Large: The Strange Case of the World's Biggest Internet Invasion, Simon & Schuster, 1997.
[Heu81] Heuer, R. “Cognitive Factors in Deception and Counterdeception”, in [DH82a].
[Hus97] Huston, P. Scams From The Great Beyond : How To Make Easy Money Off Of ESP, Astrology, UFOs, Crop Circles, Cattle Mutilations, Alien Abductions, Atlantis, Channeling, And Other New Age Nonsense, Paladin Press, 1997.
[ISV95] Icove, D., K. Seger, and W. VonStorch. Computer Crime : A Crimefighter’s Handbook, O’Reilly, 1995.
[JDD96] Joint Doctrine Division, Joint Doctrine for Military Deception, U.S. Joint Command, http://www.dtic.mil/doctrine, 1996.
[Jer68] Jervis, R. “Hypotheses on Misperception”, World Politics, 20(3):454-479, April 1968.
[San84] Santoro, V. The Rip Off Book : The Complete Guide to Frauds, Loompanics Unlimited, 1984.
[San94] Santoro, V. Economic Sodomy : How Modern Fraud Works and How to Protect Yourself, Loompanics Unlimited, 1994.
[Sch93] Schlossberg, H. Idols for Destruction : The Conflict of Christian Faith and American Culture, Crossway Books, 1993.
[Sto89] Stoll, C. The cuckoo's egg : tracking a spy through the maze of computer espionage, Doubleday, 1989.
[TK71] Tversky, A., Kahneman, D. “The Belief in the Law of Small Numbers”, Psychology Bulletin, 76:105-110, 1971.
[USA88] FM 90-2 Battlefield Deception, U.S. Army, 1988.
[USM89] FM 15-6 Strategic and Operational Military Deception: U.S. Marines and the Next Twenty Years, U.S. Marine Corps, 1989.
[Wha69] Whaley, B. Stratagem : Deception and Surprise in War, Center for International Studies, Cambridge, 1969.
7 Authors
Jim Yuill is a PhD candidate in the Computer Science Department at North Carolina State University. This paper is related to his dissertation. Jim previously worked at IBM in operating systems development. jimyuill-at-pobox.com
Fred Feer is retired from a career with the U.S. Army counterintelligence, CIA, RAND and independent consulting. Deception has been an interest and area of professional specialization for over 40 years. ffeer-at-comcast.net
Dr. Dorothy Denning is a Professor in the Department of Defense Analysis at the Naval Postgraduate School. She worked in the computer security field for 30 years and is author of Information Warfare and Security. dedennin-at-nps.edu