Understanding the hacker psyche

Steve Gold (freelance journalist)

http://dx.doi.org/10.1016/S1353-4858(11)70130-1, How to Cite or Link Using DOI
Permissions & Reprints

Analysing the psychology of the modern cyber-criminal is not as difficult as many IT security
experts have opined in the media of the last few years. We've had a long time to study hackers
and other online renegades, as their origins date back to the days of phone phreaking in the
1970s and 1980s.
What drives the cyber-criminal mind? Hackers, cyber-criminals and other online renegades now
have a long history and we can determine a number of types, ranging from unskilled n00bs
through technologically curious old-school hackers right up to hardened cyber-criminals and
cyber-terrorists.
What many have in common is a particular form of psychopathology. Steve Gold looks at how
hackers think and, in particular, their exploitation of neuro-linguistic programming.
Steve Gold
Figure options
Phone phreaking as exemplified by John Draper, aka Captain Crunch is the dark art of
making non-standard phone calls on the regular phone network. Calls are typically made using
non-standard, touch-tone codes and calling routes to exotic destinations without the caller
paying and/or being billed. Draper was an electronics expert who discovered that a free penny
whistle, given away in a box of Capt'n Crunch breakfast cereal, generated a steady 2600Hz
tone the kind used by phone systems.1 Draper in those days has been characterised as a
smart but lonely deviant an adult male who was long on technology but short on social skills.
But whereas the phone phreakers of the 1970s and 1980s were technical mavericks who
delighted in beating the system, the early hackers of the 1980s and 1990s were more
destructive. They were responsible for the release of what we now call malware that caused
technical problems on users' computers. In many ways, the psychology of the early hackers
was textbook teenage angst material, with disgruntled teens remotely vandalising computers at
a distance, rather than spray-painting the walls of their local shopping arcade.

John Draper, aka Captain Crunch.

Figure options

New psychology
Fast-forward to the second decade of the 21st Century and we have a new criminal psychology
in our midst: the suit-wearing professionals who steal data to assist in the completion of
electronic frauds. Behind these cyber-criminals, who are motivated by the usual greed and
avarice that drives most petty criminals, are the hackers who develop the programs and social
engineering methodologies that assist the cyber-criminals in their frauds.
Generally speaking, there are six types of cyber-criminal profile, ranging from n00bs (newbies)
with a limited grasp of technology and reliant on scripts to perform their electronic crimes, all the
way up to cyber-terrorists, who are ideologically driven, technically savvy and have access to
state-of-the-art hardware.
Just above the n00bs are cyber-punks, who have a basic understanding of the systems they
defrauding. They are likely to be extroverts and will brag about their exploits. Then we have the
coders, who are either driven by financial reward or, more dangerously, by social psychopathic
tendencies.
The fourth category of cyber-criminals are the old-style hackers, who are often evolved phone
phreakers and show an alarming disregard for the social norms most adults take for granted.
They are also more focused on intellectual prowess, with scant regard for morality or personal
property.
Then we have professional criminals who operate as electronic mercenaries, offering their
electronic skills on a guns-for-hire basis. They are highly motivated and highly trained, and have
access to state-of-the-art technology.
Finally we have the sixth grade, the true cyber-terrorists, who are ideologically or politically
motivated people of shifting morality, operating wholly outside social norms and with little or no
moral compass to guide their actions.
Kevin Mitnick.
Figure options

Ira Winkler, ISAG.

Figure options

Kevin Mitnick
One of the most fascinating examples of an old-style hacker is Kevin Mitnick, a retired hacker
with a total of 25 counts of alleged federal computer and wire fraud violations still pending
against him.3 He is an arch-exponent of the art of social deception and, arguably, is the most
perfect example of a social psychopath you will find in the world of hackers and ex-hackers.
Almost certainly one of the most famous of reformed hackers, Mitnick is highly intelligent. After
being hunted down by the FBI in the 1990s, he was sentenced to several years in prison for
computer fraud. One of the courts that sentenced Mitnick ruled that he was dangerous when
armed with a keyboard a term that he uses to the present day to illustrate his abilities.
Back in 2004, Mitnick gave a speech at the University of Arlington, Texas entitled The Art of
Deception as part of his bid to relaunch himself as a security consultant. According to Mitnick,
the weakest link in security is always the human factor: humans, he says, are easy to
manipulate in industrial sabotage and theft.
In technical hacking attacks, the attacker's goal is to execute what they call arbitrary code,
arbitrary instructions, on the targets computer system, he told his audience in 2004. Social
engineering actually deceives the person that has control over the computer, [in order] to
execute those instructions. When an industrial spy or a hacker combines technical exploits,
being able to find technical vulnerabilities, and being adept at using influence to manipulate
people, makes for a very volatile mix.

Basic stupidity
One security expert who has analysed Mitnick's profile and many other security threats to the
world of corporate IT is Ira Winkler, president of the Internet Security Advisory Group (ISAG).
He argues that social engineering covers a lot of areas and, as a result, the term is bandied
around as a new science, with the added frisson that the hacking science is unstoppable.
That's not correct. Basic stupidity is unstoppable, he says, adding that social engineering has
one primary aim a short-term hit. This compares with the art of spying, which typically has a

longer agenda, he explained during a Q&A session at the RSA Europe event in October 2011.
Social engineering, he went on to say, is actually espionage carried out at a lower level, with
psychological drivers that include money, ideology, coercion and ego. As such, he claims, social
engineering is a science, in that the actions are repeatable. Once you understand this, he says,
it can be defeated using logical security processes and technology, though he cautions that
stupidity is quite different from manipulation in this regard.
A classic case of this involves phoning the helpdesk of a major corporate and posing as a senior
manager calling from a foreign hotel, asking that the helpdesk ship him a new laptop as his old
one has gone missing. The hapless help desk staffer then tries to work around the fact he or
she does not have the seniority to ship a new laptop to the Big Cheese and, through a sense of
inferiority will often circumvent the organisation's security rules in order to save face
Is there a solution to social engineering? Possibly, says Winkler, but while you might expect
people to have some common sense when dealing with the issue in real life, he argues that, in
order for this to happen, there has to be common knowledge. Against this backdrop, he says
that human weaknesses can be exploited, but his number one advice is to stop saying don't do
that, as this a psychological invite to do the exact opposite.
The other way to solve this psychological conundrum, he went on to say, is to use penalties as
an incentive, with IT security technology as a failsafe. If you give people common knowledge,
then they can use this to generate common sense, he explained.

Microcosm of society
Winkler's analysis of the current state of hacker play with regard to social engineering and
psychology is backed up by research from data security specialist Imperva, whose researchers
analysed the activities of a large hacker forum for a year and found that members operate as a
microcosm of society. According to Imperva, hackers are often perceived as isolated, alienated
individuals working alone or in small groups. In reality, however, the firm says, hackers are quite
social, frequenting online forums and chat rooms to brag about their exploits, exchange tips and
share knowledge.
Online forums are critical to the hacking community and are used by hackers and criminals to
learn, communicate and collaborate with other like-minded individuals, says Imperva's State of
Hacker Forums report that was published in October 2011.2 The forums, says the report, are

generally not easily discoverable or accessible to all comers, but interested n00bs will find
plenty of resources and support to get started.
Amichai Shulman, Imperva's CTO, says that the underground forums provide ways for the
community to communicate and collaborate with each other, recruit new talent as well as buy
and sell stolen data and tools. Imperva's research found that, although the exact number of
forums devoted to hacker activity is unknown, some are quite large. Others are smaller and
quite exclusive, requiring permission from an existing member to join.
Shulman says that his team used content-analysis tools to search and analyse chats by topic,
using keywords as part of their year-long observations. Studying hacker forums is essential to
providing critical insights into hacker psychology and technical strategies, he says. He looked
at the content and activities of a forum that has around 250,000 members. Members spent
about 25% of their time in forums offering others beginner tips, as members rely on forums to
share the latest techniques and learn new tricks; about 22% of the tutorial-style discussions
were related to hacking tools and programs; while 21% focused on how to hack websites and
forums.
Hackers devote most of their time 25% towards discussing beginning hacking,
says the report. The strongest category with nearly 25% of discussions was on
hacking tutorials. This means there's a strong, steady interest in content to learn
hacking, ensuring a steady supply of new talent.

Hacker reprogramming and NLP

Regardless of what motivation drives a hacker, one psychology that they constantly use is the
science of NLP neuro-linguistic programming.
Neuro relates to your neurological system and how you use your five senses, both to
experience the external world and to create your own internal world by remembering and
imagining. Your conscious and unconscious thought processes activate your nervous systems,
which then influence your physiology, how you feel and what you do and say.
Linguistic refers to the way in which people use language to make sense of their experiences
to talk to themselves and to communicate with others. Every adult has distinct patterns in which
they use language, and these patterns provide an incredible insight into the way a person
thinks.

Programming defines the way to achieve the results you want and the impact you have on
yourself and others.
Hackers use NLP on a regular basis, both on the conscious and sub-conscious levels, often
mirroring the actions of police officers. They manipulate using the spoken word and
sometimes threats or coercion to achieve their short-term or longer-term aims. The art of
using effective NLP is rather like a mild form of hypnotism, but with the key proviso that as
with hypnosis you cannot persuade someone to do something that is against his or her moral
compass.
Hackers typically use the same baby steps approach that professionals use when conducting
psychoanalysis on an unwilling subject (senior police officers once again spring to mind).
Through a series of smaller steps, they talk through the various stages using positive language,
the interviewer verbally steps the other person through to the required result without the subject
being aware that he or she is being manipulated.
The hackers' use of NLP allows them to build models of others' capabilities that enhances their
interpersonal effectiveness. At its most basic, NLP is the process of developing an awareness of
yourself and others, building a rapport and influencing language plus handling emotions.
The archetypal social manipulator, Kevin Mitnick whether consciously, or unconsciously
used the four main manipulators when practising his art: leading, influencing, achieving and
negotiation. Using these manipulators allows a competent social hacker to change his own
emotional state and in doing so, change the emotional state of the person he is
communicating with. This paves the way to achieving the aim of the hack, thanks to the
assistance of the other person.

References

John Markoff

The Odyssey of a Hacker: From Outlaw to Consultant. New York Times, 29 Jan
2001. Accessed Nov 2011

<http://www.nytimes.com/2001/01/29/technology/29CAP.html>

Hacker Intelligence Summary Report Monitoring Hacker Forums. Imperva,

Hacker Intelligence Initiative, Monthly Trend Report #5, Oct 2011. Accessed Nov 2011

<http://www.imperva.com/download.asp?id=327>

Goodell, Jeff. The Cyberthief and the Samurai: The True Story of Kevin Mitnick

And the Man Who Hunted Him Down. 1996. ISBN 978-0440222057.
2.

Resources

Hafner, Katie; Markoff, John. Cyber Punk Outlaws and Hackers On The
Computer Frontier. 1995. ISBN 1-872180-94-9.

2600 Interview with Kevin Mitnick. Google videos, Jan 2003. Accessed Nov
2011

<http://video.google.com/videoplay?docid=8690427088949208642&q=mitnick>

John Leyden

Social net sites do wonders for crooks, spooks and bosses. The Register, 13
Oct 2011. Accessed Nov 2011

<http://www.theregister.co.uk/2011/10/13/social_networking_spy_risk/>

Vitae
About the author
Steve Gold has been a business journalist and technology writer for 26 years. A qualified
accountant and former auditor, he has specialised in IT security, business matters, the Internet
and communications for most of that time. He is technical editor of Infosecurity and lectures
regularly on criminal psychology and cybercrime.
Copyright 2011 Elsevier Ltd. All rights reserved.