Skip to 0 minutes and 12 seconds My name’s Dylan Clarke and I’d like to give you an insight into the motivations of people who attack computer systems. Now, when a lot of people think about personal security, they often just think about how they’re going to make themself secure. They don’t tend to think so much about the people who might want to attack them. And when you do this, it’s easy to fall into the trap of thinking that adversaries simply want to defeat your security system. Whereas in reality, adversaries have a goal, and they’re happy to achieve that goal by following the path of least resistance, by doing whatever’s easiest for them. Now, this could involve exploiting technology, which is what we typically think of.
Skip to 0 minutes and 56 seconds But it could also involve exploiting psychology or even making use of third parties. For example, if somebody wants access to a particular computer, they could steal the encrypted password file and use a dictionary attack to attempt to find a user’s username and password combination. This is what we typically think of. But they could more easily impersonate an engineer and just ask a user for access. Or even call the help desk, pretend to be a user, and ask for a password reset. So with this in mind, it’s important to look at what the actual goals that adversaries may have. These can include financial gain, for example, somebody trying to steal money from your bank account or stealing your credit number.
Skip to 1 minute and 46 seconds It could involve access to resources, such as somebody wanting hosting space for a website, your online game account, or somewhere to store pirated software. It could be revenge, either against you or against an organisation you’re part of. It could be a political agenda. It could be the attacker wants to harm you because of your politics or that they want to use you as an example while trying to achieve a political end. It could just be bullying, somebody who wants to lash out. It could also be curiosity, somebody who just wants to see what’s on your computer. Now some goals have a specific target, whereas some are general.
Skip to 2 minutes and 29 seconds If the goal has a general target, then the adversary will be looking for an easy victim and if you don’t look like an easy victim, they may just pass you by. On the other hand, if the goal has a specific target, then the adversary will be evaluating whether it’s worth the cost, both in terms of the effort that they’d have to put in to achieve it and the risk that they’re going to take. So now I’ll give you some examples of real world attacks. The first of these is what’s known as the verification scam. Here, you’re using social media or maybe a dating site.
Skip to 3 minutes and 6 seconds Somebody contacts you, you have a quick exchange with them, after which they suggest that you meet up. You agree. At which point, the other party tells you that they’ve had problems in the past with people not being who they said they were. And asks you to use a verification site. Now, this verification site will ask you for credit card details. And either you’ll have to pay a small fee or it’ll claim that no fee will be taken. Once you’ve done this, the attacker then just disappears. The attack here is financial. And the goal is either to get you to pay the small fee or to sell your credit card to a third party.
Skip to 3 minutes and 48 seconds This attack’s very low risk for the attacker. It can be launched from anywhere in the world and doesn’t open up any of their real world details to you. And it’s very low effort as well as it can just be a simple script that you’re interacting with. And as long as you say the most likely things, you’re unlikely to realise that it’s not a person. The second attack I’ll talk about is the romance scam. Here, again, you’re using a dating site or a social media site and somebody starts talking to you. This time, though, it’s a real person.
Skip to 4 minutes and 22 seconds And you have a much more in-depth interaction, which could in the extreme cases involve somebody talking to you for half an hour a day for months or years. And the goal here is to get a much larger sum of money, anywhere typically from $500 up to millions if they think that you can afford that. The third attack that I’m going to talk about is one that some of you may be familiar with from the newspapers and television. This is the case of Edward Snowden. Snowden leaked details about the NSA’s global surveillance programme. Now to do this, he had to leave a job and take a different job.
Skip to 5 minutes and 2 seconds He had to put in months of planning, months of information gathering, and to think very hard about how he was going to release this information and how he was going to get away. This took a lot of effort. He also took on a lot of risk. In fact, in Snowden’s case, you could almost look at it as not being a risk, but more he knew that certain negative consequences were going to happen. There was a fair chance he could end up in prison for the rest of his life. And if not, he would have to flee certain countries in the world, and potentially never go back to them.
Skip to 5 minutes and 35 seconds However, because of what Snowden believed, he was prepared to put in that effort and tolerate that risk. So when you think about your personal security, you need to consider what type of attackers you might attract, what their goals will be, and how much efforts they’re prepared to put in and how much risk they’re prepared to tolerate.
Why would anyone want your data?
It is easy to fall into the trap of thinking that adversaries simply wish to defeat our security systems. In reality they have a goal and are happy to achieve it by following the path of least resistance.
In this video Dr Dylan Clarke presents some examples of attacks and explores the motivations behind these.
How does being aware of these motivations help us protect ourselves?
© Newcastle University