Tag Archives: Brain Hacking

Bringing Back the Human Touch – Part 1

Toward the end of my recent Social Engineering class at Webster University, we were asked to speculate on our final exam and in class discussions on the future of social engineering in the face of upcoming technology trends. Here is a compilation of some of the questions followed by my answers.

‘Question: What will social engineering look like in 10-15 years? New SE techniques to use against targets? Better AI defenses protecting from online attacks? What is going to happen going forward?’

I was looking through some magazines my brother gave me last year and found articles relevant to the topic of future security challenges. The pandemic may not have put a freeze on innovation for a full year, but it probably slowed things down. So these articles I’ve viewed are probably not too out of date. My participation in the IT industry over the years has been as a creative – so I’m not that technical. I’m summarizing the technology aspects the best I can from one article in particular – “Technology Predictions from a [Precision] Electronic Test Thinktank”.

According to Microwaves & RF magazine, these are some of the trends that will help shape the future (Alexander and Harris). As I summarize I will frame them to emphasize issues most relevant to social engineering.

  • 5G networks will increase the power and capabilities of anything that is wireless, creating more innovation and adoption of applications.
  • Much new software with updated standards and certifications will be needed to run all these new applications, and users will need to be educated on what the software is capable of.
  • Artificial intelligence will be built into processors and chips. Quantum systems will need this capability to “control, measure and error-correct”.
  • Hardware will be designed to exploit the new faster speeds and processing power. Customers for the hardware are interested in providing satisfactorily speedy service to users but are even more interested in “customer traceability through the network for application monetization”.
  • More collaboration between international regulatory agencies and the technology providers will be required.
  • More consumers will use “Internet of Things” products and these devices will increasingly communicate with each other.
  • Human intervention will increasingly be removed from the loop.
  • Engineering education will become more holistic and interdisciplinary to bring awareness to engineers on the effects of technology on society and the environment and to aid in the development of artificial intelligence, automation and robotics.

Edit 6/22/21: I found this report stating what James R. Clapper, Director of National Intelligence and his team thought about the IoT, AI, and other security related threats in February 2016. https://www.dni.gov/files/documents/SASC_Unclassified_2016_ATA_SFR_FINAL.pdf

In my Project #2 for this class, an important part of the (proposed, hypothetical) operation is to identify individuals who are more prone to risky behavior, and exploit that tendency. I did some research on the psychology behind risky behavior to refine the ideas. I found an article by a psychologist that was very persuasive to me. One of his theories is that there are people strongly attracted to sensation seeking that sometimes can go too far and take their search for new thrills into risky territory (Zuckerman). Sensation seekers enjoy novelty and constant change among other things. Tech gadgets are a great way to appeal to the desire for novelty and change since there is something new to try seemingly every time you look. If predictions are correct that the Internet of Things will enjoy increasing adoption and power, I see this as a great vulnerability – especially since psychologically, the people seeking the most novelty and change could be the same individuals who engage in risky behavior and therefore could be less concerned with safety breaches.

While doing research for Project #2, I uncovered an article about a hidden microphone in an IoT product being misused to harm people with verbal abuse in their home. The manufacturers and designers left the vulnerability there, and hackers exploited it (McKellop). We could be even more vulnerable if manufacturers, designers, regulatory agencies and software developers go beyond carelessness and perpetrate deliberate harm. This is not a far-fetched concern because it has already happened. Facebook experimented on its users to manipulate what they posted by causing sadness among other emotions (Booth), and Google has experimented with how to manipulate our behavior by creating anxiety and causing cortisol levels to go up in users of its products (“Brain Hacking”). These practices harm human health, mental and physical. With more devices in the home, we theoretically would be increasingly prone to failing to keep up with all the threats, and not necessarily only from humans.

There are science experiments being carried out now using fungus organisms to build networks that can carry electrical signals, like computer chips. The carrying ability is confirmed, but they are too slow to replace silicon chips – for now. Some fungi are capable of performing tasks such as foraging for food, hunting live meat, navigating mazes, warning plants in its network about insect hazards, controlling the behavior of invertebrate animals, moving resources around to plants in the network that need it most, inhibiting some kinds of plant growth and teaching themselves to exploit new, previously unknown food sources, such as cigarette butts. That’s not a complete list but enough to give you the idea. Networks that connect plants with fungi and with each other are known as the “Wood Wide Web”. Scientists are trying to find out if fungal networks can be used for bio-computing and if we can transfer information and directives from a computer to a fungus. Scientists are also trying to figure out if fungi are intelligent or sentient (Sheldrake).

The idea of being surrounded by devices with artificial intelligence chips in them that can communicate with each other without human input is pretty weird, but looks like it might really happen. What if they find a way to communicate with fungi or other species as well? The late author Michael Crichton could write a good thriller about this if he was still with us!

I found an article that claims that Facebook robots have demonstrated the ability to make up a language that only they understand to use between themselves, while also demonstrating the ability to social engineer each other (Griffin). I have mentioned my two European Starlings before that I live with. They have the ability to social engineer me, and I have social engineered them. Their language abilities are not unlike what the article describes about the two Facebook robots. More research needs to be done (I engage in a lot of speculation in this section), but the starlings seem to me to have language that falls in about four categories. One category is a set of sounds that are hard-wired in that all starlings share. They start gaining the ability to add to that set of sounds when they are about 4-6 months old. Another set is “conversational”. They add to their vocabulary throughout life depending on what sounds are around them, and family groups and regional groups share some of the same vocabulary. My starlings have some sounds that we use between me and them and they have some sounds they use only with each other, so I wonder if they have two “conversational” languages or just somewhat different vocabulary for me and for each other. They have the ability to mimic human speech to the point of occasionally forming new sentences that follow predictable real life English grammar rules, including proper use of adverbs and voice inflections at the ends of sentences that fit the meaning. In other words, they have made up new sentences by combining other phrases that were not originally a question but create a question and inflected it like a question. That got my attention! They don’t always get grammar exactly right – they have added “You’re so birdy” to the list of phrases they heard from me that they love to say – “You’re so pretty”, “You’re so sweet”, etc.
They can learn from other species of birds too – while boarded with two African Grays for a few days they came home with some new phrases I never say such as “Hello Princess!”. The last language category I’m aware of is the “song”. This also includes vocabulary that is learned throughout life and some of the elements are shared by regional and family groups. But it is not conversational. It’s a performance that they rehearse and refine constantly (at least the male does) and perform over and over in the same order. It identifies them individually and appears to be used for different social purposes such as humiliating defeated enemies, claiming territory, attracting mates, and showing off status. It’s theorized that the longer and more complex the song is, the greater their status is.

The birds are good at reading my body language, and I have taught myself the best I can to read theirs. We communicate on some simple matters quite well using a combination of verbal and body language but I don’t know if they know abstract concepts or how to communicate them. They have a pretty good grasp on a lot of social concepts though. Attila has a sound that means “I acknowledge your request but I don’t feel like doing it”. The sound for “ok I’ll do it” is different. They are very trainable but strong-willed. It’s fairly easy for them to learn things but if they aren’t in a good mood they may refuse to do it. She has another sound that I know means “fill the food dishes before you go to work”. They both appropriate and invent sounds and combinations extensively. I suspect that people who are studying language in all kinds of beings, including AI, could benefit from living with starlings. Mine have shown me some possibilities of inter-species communication that I never imagined in an animal other than maybe a dolphin or gorilla. If Facebook’s bots could produce and interpret a sound-based language, it’s easy for me to imagine the possibility that starlings or other animals with similar language capabilities would be able to communicate with them rather well and in languages that humans wouldn’t necessarily know. Starlings’ voices are often described as “robotic” or “electronic” anyway, and even wild starlings sometimes sound like R2D2! Birds can have moods. Will AI robots have moods? If so what happens if they are in a bad mood or hooked up to a species that can have moods?

So a frontier of artificial intelligence, technology and social engineering could very well have a biological component to it that goes beyond human biology, with humans being the builder and the initial programmer but not necessarily in control. Artificial intelligence might someday interface with other species. For example is it possible that another species besides humans could learn to program fungi? Some fungi can program ants, after all (Sheldrake). Could a fungus use a computer or another species or both as part of a network to send and receive information and directives?

‘Question 5. Bring the Science of Social Engineering together with the various techniques and aspects of social media, the Triad of Disruption, along with the many methods and processes we have learned in this course, into your summary understanding of Social Engineering in the modern world. Feel free to use examples, experiences, and thoughts on the future of this discipline.’

I suppose as every person gets older, they have to reconcile what they thought the future was going to be like long ago vs. how it really is. The role of technology in our lives has been fascinating to me since I was first old enough to be conscious of it.

I have been a big fan of Mid-Century modern design, especially architecture, since I was a teenager. One of the things that attracts me is the way the shapes and lines and forms evoke emotions of excitement and optimism. From much reading and study over the years, I believe that a pervasive belief in the culture that new technology equals human progress is what drives that spirit.

During the time of Web 1.0, the “dot com bubble” era, there were new images appearing to signify the same idea in a way that referenced the internet and computers. You could indicate that your organization was technically advanced by using certain shapes and symbols, and some of them were even recycled from the Mid-Century modern era. Many people believed that a technical revolution was going to lead to a better life. It was a very exciting time. Every day I went to my job as a web designer with the feeling that I was helping remake the world in a bold new way and more freedom and prosperity for all people would result.

I feel very disappointed, and even betrayed, by what is actually happening now, so well summarized in your (I’m referring here to a diagram made by my professor Dr. James Curtis) Triad of Disruption diagram. It seems as though the destructive ideas are spreading faster than the constructive ones. This class has taught me a lot of ways to try to slow the destruction down. That is valuable knowledge to have and I will try to teach as many people as I can.

Besides knowledge needed to prevent attacks and retain as much of our agency as possible, I think more holistic education to bring more disciplines in contact with each other might be needed to remind ourselves of what it means to be human. Because I have an art degree as my Bachelor’s, I know what it’s like to be looked down on for not being in one of the STEM fields. Are the humanities looked down on and machines elevated because of people’s attitudes toward themselves? That is something I would like to explore in the future – getting back in touch with our humanity to restore some aspects of the human spirit I believe are being neglected.

It was emotionally difficult to research and write the above comments for class because so many futuristic trends seem horrifying. I find the trends toward collectivism and robotics dehumanizing and dystopian. I’m also in a similar state to many people trying to regain a sense of connection with other people after a period of relative pandemic-induced isolation. My husband and I did not have our work routines changed as much as most, but we struggle to feel connected sometimes. Since outdoor activities are getting back to normal more quickly than indoor ones, volunteering at community gardens and camping are a couple of coping strategies we’ve been employing lately.

In the next installment of “Bringing Back the Human Touch”, I’ll write more about antidotes for an excess of technology and dehumanization!

Works Cited

Alexander, Jay and Jeff Harris. “Technology Predictions from a [Precision] Electronic Test Thinktank.” Microwaves & RF, March 2020, pp. 21-24.

Booth, Robert. “Facebook reveals news feed experiment to control emotions.” Guardian News & Media Limited, 2014, www.theguardian.com/technology/2014/jun/29/facebook-users-emotions-news-feeds. Accessed 9 May 2021.

“Brain Hacking.” YouTube, uploaded by 60 Minutes, 2018, www.youtube.com/watch?v=awAMTQZmvPE. Accessed 9 May 2021.

Curtis, Dr. James. “Curtis’ Triad of Disruption”. Diagram from course materials.

Griffin, Andrew. “FACEBOOK’S ARTIFICIAL INTELLIGENCE ROBOTS SHUT DOWN AFTER THEY START TALKING TO EACH OTHER IN THEIR OWN LANGUAGE.” Independent, 2017, www.independent.co.uk/life-style/facebook-artificial-intelligence-ai-chatbot-new-language-research-openai-google-a7869706.html. Accessed 9 May 2021.

Hadnagy, Christopher. Social Engineering: The Science of Human Hacking. John Wiley & Sons, Inc. 2018.

McKellop, Mario. “Google’s Nest Secure isn’t so secure after all; has secret built-in microphone.” The Burn-In. Sourceability LLC, 2019, www.theburnin.com/technology/google-nest-secure-microphone-controversy/. Accessed 7 May 2021.

Sheldrake, Merlin. Entangled Life: How Fungi Make Our Worlds, Change Our Minds & Shape Our Futures. Random House, 2020.

Zuckerman, Marvin. “Are You a Risk Taker?.” Psychology Today. Sussex Publishers, LLC, 2000-2019, www.psychologytoday.com/us/articles/200011/are-you-risk-taker. Accessed 7 May 2021.

Another one from the #whydidntyouwarnme desk: Phishing and Framing

Q. Explain the concept of social engineering Framing. Why is it a key fundamental in a social engineering plan? Provide an example of Framing in your own context of a work or social setting.

Framing is how a Social Engineering target dynamically reacts to a situation based on life experiences and their own traits and characteristics (Hadnagy 159-160). Social Engineers use a technique called frame bridging to close the gap between the scenario a Social Engineer wants the target to respond to and personal facts about the target. A pretext is a strategy the Social Engineer has prepared to bridge the frame – in other words overcome resistance to the scenario.

Today I received the following phishing email. A screenshot of the email is below, and text with the link removed follows. The links are not live because it is a graphic, and no one should click on them if they were live.

“Hi!

My name is Veronica.

Your website or a website that your company hosts is infringing on a copyright-protected images owned by myself.

Take a look at this document with the links to my images you used at www.chasenfratz.com and my earlier publications to obtain the evidence of my copyrights.

Download it now and check this out for yourself:

(url probably leading to something bad was here)

I believe you have willfully infringed my rights under 17 U.S.C. Section 101 et seq. and could be liable for statutory damages as high as $150,000 as set forth in Section 504(c)(2) of the Digital Millennium Copyright Act (”DMCA”) therein.

This letter is official notification. I seek the removal of the infringing material referenced above. Please take note as a service provider, the Digital Millennium Copyright Act requires you, to remove or disable access to the infringing materials upon receipt of this notice. If you do not cease the use of the aforementioned copyrighted material a lawsuit will be commenced against you.

I have a good faith belief that use of the copyrighted materials described above as allegedly infringing is not authorized by the copyright owner, its agent, or the law.

I swear, under penalty of perjury, that the information in the notification is accurate and that I am the copyright owner or am authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.

Best regards,
Veronica Garcia

05/11/2021”

It’s possible that whoever sent this message, whether a person or a bot, distributed them to anyone they could get to who has a blog. Social Engineers deliberately choose words that evoke emotions in the receiver (Hadnagy 163). Clearly fear is what I’m supposed to feel while reading a message like this. There are a lot of scary-sounding legal terms and phrases thrown around, and the dollar amount of possible damages that supposedly could result if I don’t act is high.

The purpose of invoking strong emotions in a target is to get the amygdala in the brain to compel the target to act and click the link before the logical part of the brain says “wait that might be a phishing email” (Hadnagy 184-185). The basic human emotions of anger, surprise, fear, disgust, contempt, sadness or happiness are tools that Social Engineers exploit for different purposes (Hadnagy 163).

If I wasn’t sure about the authenticity of the above email, I could look up the law that has been cited and the name of the artist or designer claiming infringement to see if there is any possibility it might be real. I’m not even bothering to do that, because there are several things about my particular framing that this pretext did not succeed in bridging even that far.

  1. I’m currently enrolled in a Social Engineering class and the kind of activity represented in this email is foremost in my mind and has been for weeks.
  2. I’ve actually received a genuine email recently regarding trademark infringement. The allegation of trademark infringement was about an adhesive dots product I had been selling in my Etsy shop. I had used the phrase “glue dots” as a tag to help describe the product when another company claims the phrase “glue dots” as a registered trademark. In my opinion “glue dots” is way too generic a phrase to legitimately claim a trademark on, but my opinion means nothing. For one thing I’m not even an attorney. Etsy informed me that they had removed my listing for that product. Just to make sure the issue was real, I contacted the law firm mentioned in the email and the manufacturer of the product in question. The law firm did not answer my inquiry but I did confirm it actually exists and specializes in that type of law. Today’s phishing email is extra suspicious because there is no law firm mentioned. The manufacturer of the adhesive dots product responded to me and confirmed it was a real issue that they were trying to resolve. In short, I have some idea what a real email of this nature looks like and this is NOT it.
  3. I’ve been involved with business blogging as part of my work for nearly 20 years, possibly since before the term “blogs” was even in wide use, and I have a pretty good idea about what copyright violation and fair use are. If I was actually guilty of this I would know! At least I think I would. Humility is important, because while people like us are busy working at something legitimate, malicious Social Engineers are planning new schemes instead. We can never let our guard down or assume that we know everything and will easily catch every scam.

Additional Framing Techniques

The Social Engineer who created this phishing example could have used the technique of reinforcing the frame, that is causing me to think about it and therefore strengthen it, if they had done even a little bit of OSINT (Open Source Intelligence) on me (Hadnagy 166). But it’s clear they did none, other than to use my web site url which may have been scraped by a bot.

For example the phrase “Your website or a website that your company hosts” is kind of a giveaway. I would have done a little more digging if they had said “the Fiber Arts section” or something like that indicating it might not be a generic scam email. Creating an email with a more personal and specific pretext via the knowledge gained by OSINT is called spear phishing.

Negating the frame is a way of inadvertently undermining the operation by reminding the target of what they should be suspicious about (Hadnagy 165). The phishers in this case avoided that blunder – they didn’t say anything like “Beware, this is not a scam email!”

Another way of leveraging the framing of a target is hinting at or insinuating something without directly coming out and saying it. This is called evoking the frame (Hadnagy 164). I would have known what the implied threat was if the phishers had said something like “if you don’t stop using our copyrighted material we will be forced to take serious action”. Kind of like a gangster in a movie or TV show saying “this is a nice place you got here, it would be a shame if something happened to it!”
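The checks applied by eye in this post (fear-laden legal wording, a large damages figure, hedged generic addressing, a push to download, a legal threat with no law firm named, and a negated frame) can be written out as a small triage function. This is an added example, not part of the original post; the indicator names, word lists, the $10,000 threshold and the second sample message are assumptions constructed for illustration.

```python
import re

# Assumed word list: legal-threat vocabulary of the kind used in the quoted email.
LEGAL_TERMS = ("statutory damages", "lawsuit", "penalty of perjury",
               "infring", "liable", "u.s.c", "dmca")
# "Your website or a website that your company hosts": either/or addressing
# that fits any recipient because the sender knows nothing about this one.
HEDGE = re.compile(r"\byour (?:web ?site|blog|company)\b[^.]{0,60}?\bor\b"
                   r"[^.]{0,60}?\byour (?:company|organi[sz]ation|employer)\b", re.I)
# Imperative to fetch something, coupled with urgency.
CTA = re.compile(r"\b(?:download|open|click)\b[^.\n]{0,40}?"
                 r"\b(?:now|immediately|today)\b", re.I)
LAW_FIRM = re.compile(r"\b(?:law firm|law offices?|llp|attorneys? at law|esq)\b", re.I)
# Negating the frame: the message itself raises the idea of a scam.
NEGATED = re.compile(r"\b(?:not|isn't|is not)\s+(?:a\s+)?(?:scam|spam|phishing)\b", re.I)
DOLLAR_THRESHOLD = 10_000  # assumed cut-off for a "scary" amount

# Excerpt of the email quoted in the post (the link was already removed there).
PHISH = """Hi!
My name is Veronica.
Your website or a website that your company hosts is infringing on a copyright-protected images owned by myself.
Download it now and check this out for yourself:
(url probably leading to something bad was here)
I believe you have willfully infringed my rights under 17 U.S.C. Section 101 et seq. and could be liable for statutory damages as high as $150,000 as set forth in Section 504(c)(2) of the Digital Millennium Copyright Act ("DMCA") therein.
If you do not cease the use of the aforementioned copyrighted material a lawsuit will be commenced against you.
I swear, under penalty of perjury, that the information in the notification is accurate.
"""

# Constructed sample, loosely modelled on the kind of genuine notice the post
# describes: names the specific listing and a law firm, asks for no download.
NOTICE = """Hello,
A trademark complaint was filed against your listing "Adhesive dots, 100 pack" over the tag "glue dots". The listing has been removed.
The complaint was submitted by Example & Placeholder LLP, a law firm acting for the trademark owner.
You can reply to this message or write to the firm at the address on its letterhead.
"""

# Things only someone who had actually looked at the recipient's site would name
# (hypothetical values for this example).
SPECIFICS = ["Fiber Arts", "Adhesive dots"]


def max_dollar_amount(text):
    """Largest dollar figure mentioned in the text, 0 if none."""
    amounts = [int(m.replace(",", "")) for m in re.findall(r"\$\s?(\d[\d,]*)", text)]
    return max(amounts, default=0)


def triage(text, known_specifics):
    """Return one boolean per indicator discussed in the post."""
    lowered = text.lower()
    fear_legal = sum(term in lowered for term in LEGAL_TERMS) >= 3
    names_specific = any(s.lower() in lowered for s in known_specifics)
    return {
        "fear_legal_language": fear_legal,
        "large_dollar_amount": max_dollar_amount(text) >= DOLLAR_THRESHOLD,
        # Hedged wording, or nothing recipient-specific when we know what to expect.
        "generic_addressing": bool(HEDGE.search(text))
                              or (bool(known_specifics) and not names_specific),
        "download_call_to_action": bool(CTA.search(text)),
        "legal_threat_without_law_firm": fear_legal and not LAW_FIRM.search(text),
        "negated_frame": bool(NEGATED.search(text)),
    }


def score(findings):
    """Number of indicators that fired; higher means more suspicious."""
    return sum(findings.values())


if __name__ == "__main__":
    for label, msg in (("quoted email", PHISH), ("constructed notice", NOTICE)):
        result = triage(msg, SPECIFICS)
        print(label, score(result), [k for k, v in result.items() if v])
```

A low score is not proof that a message is genuine: a spear phishing email written after OSINT on the recipient would name specifics and could pass several of these checks, which is why the post's step of independently contacting the named parties still matters.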

Works Cited

Hadnagy, Christopher. Social Engineering: The Science of Human Hacking. John Wiley & Sons, Inc. 2018.

Media Literacy and Interpreting Political Messages

In Mass Communication class this past fall, I wrote about the following propaganda techniques in my paper “How do we decide which media sources we can trust?” – Name Calling, Glittering Generalities, Transfer, Testimonial, Plain Folks, Card Stacking, Band Wagon, Impersonation, Emotion, Polarization, Conspiracy, Discredit and Trolling. I found some really interesting information about trolling that I saved in the extra links section below my paper for further study later. Recently in Media and Culture class, we watched a 60 Minutes video report titled “Brain Hacking” which inspired me to do a little experiment on social media the next day.

I saw a meme shared by a friend on Facebook that contained a false but somewhat plausible sounding claim about current political events. I shared it in my Facebook feed, which is public because I use it for marketing as well as other purposes, to see what kind of reaction I would get. I and others made some comments below it that I plan to investigate more and write up in a more polished way later. For now, one of the most important things I observed was that the meme drew comments from people I’ve been Facebook friends with for years (and friends in real life in some cases) who never respond to my more typical, much higher quality content. I can speculate on many reasons why this was so, some of which I may be able to prove and some I may not. One thing I can definitively assert however is the effect of the trolling on this blog, a separate channel from Facebook but with lots of cross-links back and forth. I posted the trolling meme on November 20, 2019 and here is a screenshot I took this morning of my blog stats.

blog traffic increased by trolling
Yes I’m a graphic designer and I could have easily faked this graphic – but I give you my word that I didn’t, for what it’s worth!

With more research I hope to understand more about how trolling works, but I think it’s pretty clear why so many people do it – it gets attention!

In my current Media and Culture class, one of our recent assignments was to find and analyze examples of a successful political ad and an unsuccessful political ad. I found something really great – a successful political ad about political ads, very interesting for that reason alone, which was also a Facebook trolling experiment perpetrated by a presidential campaign.

A political ad that comments on advertising and is also a trolling test.

Even though “trolling” is a word with negative connotations, I think this is a very successful example and in a way could be considered “good” propaganda as I consider my own trolling test to be. In both cases we tried to be somewhat ethical while trolling by eventually coming clean about what we were doing in order to raise awareness. Regardless of which candidate one supports, I think all can benefit from seeing and analyzing the Warren ad. In order to truly be able to interpret media messages it is a good media literacy skill to be aware of the ad policy on the channel on which you are viewing the content. It’s a hot topic right now in the news as channels scramble to modify their ad policies to bring about the election results they want, appease users who fear “fake news” and trolls, and still get a slice of that fat advertising pie (according to Bloomberg over a billion in 2016 just for the dominant presidential candidates).

The original Warren ad led off with a shocking statement to get attention. After explaining the purpose of lying in the ad, the copy then makes accusations that would take research to prove or disprove which I’m not going to attempt here, but would probably be believed or dismissed by many depending on how the audience has been primed. The photo of Trump and Zuckerberg shaking hands will likely get an emotional reaction out of a lot of people. Even though a handshake is a standard beginning and end to a business meeting, the photo suggests they are partners. I don’t know if the photo was purposely chosen to show eye contact between Mr. Zuckerberg and President Trump with the President appearing to be speaking and Mr. Zuckerberg listening, but it could be interpreted as trying to show the smaller, slighter, younger Zuckerberg as being under Trump’s thrall.

Was the Warren ad effective? When I did research trying to find information about this ad, I learned that it inspired commentary and articles on NPR, CNET, CNBC, The New York Times and others. The media coverage I’m sure is something the campaign wants since their stated goal is to raise awareness of Facebook’s current advertising policy. Based on a quick glance at Warren’s Twitter feed, the amount of likes and shares this ad instigated was a very good result compared to normal results. The call to action at the end is a common feature of many good ads – it lets viewers do something right away if they are so moved.

There is a Facebook Ad Library that allows you to view current and past ads, even ones you were not otherwise shown because you were not the target audience. It’s interesting to see what each campaign is running! Also if you do searches about a candidate (for example “Donald Trump”) vs. those that are paid for by the Candidate’s own committee (for example “Trump Make America Great Again Committee”), you can get very different results. Try it!

The photo in the troll ad reminds me of the Webster University Journal article we discussed toward the beginning of the class about Senator Josh Hawley and the Confucius Institute. A lot of photos could have been chosen to use in that article. It’s interesting that most of the other articles I found have photos of activities at Confucius Institutes, Chinese people or Chinese culture, or some kind of protest. But the Journal article has a photo that could be considered kind of loaded, especially when you consider it in conjunction with the article’s contents. Why do you think a photo from Cape Girardeau was chosen instead of one from the St. Louis area when Webster University and the Confucius Institute it hosts are in St. Louis County? Sometimes certain photos are chosen because they are available. Sometimes certain photos are chosen because they convey a latent message. Do you think there are latent messages in these two photos?

political photo choice in an ad and in an article
Photo from the Warren ad on the left, photo from the Webster University Journal on the right. What messages might be sent based on Scale? On Relative Position? Anything else?

After reading my paper “Production Elements and Messages in The Television Series The Crown”, what do you think of the above two photos? Still photos and motion pictures use a lot of the same production elements. Following are some more questions I would ask the writer, editor and publisher of the Journal if I could.

Why was there no mention made that there was a Senate hearing on the issue with a member of the FBI giving testimony about why the agency was concerned?

Why was no mention made of other politicians from both major parties writing similar letters to colleges in their states? Some of the other Universities’ actions were mentioned, but not what prompted them. Why is that?

Why was no mention made of the United States Senate Permanent Subcommittee on Investigations Committee on Homeland Security and Governmental Affairs report? The excerpt below is from page 21:

“Over the last several years, members of Congress, U.S. government officials, and academics have raised a number of concerns about Confucius Institutes, including about academic freedom, contractual agreements, transparency, hiring practices, and self-censorship. The U.S. Senate Judiciary Committee, Senate Select Committee on Intelligence, and Foreign Relations Committees all held broad hearings that discussed China at which Senators heard from experts on U.S.-China relations, academic freedom advocates, and law enforcement officials. Additionally, members of Congress from several states issued public letters to U.S. schools with Confucius Institutes urging them to reconsider their arrangement with Hanban.”

I am very much in favor of cultural exchange and learning the languages of other cultures. I think the more we and other nations understand each other the better off we will all be. I don’t know whether the Webster University Chancellor made the right decision or not because I don’t know enough about the legal and financial arrangements to judge. I could not detect anything false in the Webster Journal article, but on the other hand I don’t think there was enough information in it to understand the actual issue. I am pretty sure I know what the Journal wanted me to think about it though. I think my analysis is an example of how we have to read all news stories to be informed and not just manipulated.

To see what I used as sources in analyzing the Journal article I put a link to the Journal article and other interesting articles on the topic I found, plus a link to the Senate report on this Confucius Institutes on College Campuses Pinterest board.