Executive Summary
Vectors of attack on individuals and organisations have increased greatly since the digitisation of human existence. Now that most activity is mediated through the internet, all individuals and all organisations in ‘modern’ digital societies are open to attack. In the analogue era, snail mail intercept was one of the only ways to engage in a man in the middle (MITM) attack; with the telegraph, and then telephony, came wire taps. Software as a Service (SaaS) and other XaaS offerings multiply the vectors of attack many times over. Most private sector and public sector service offerings are now delivered via digital channels, and some services are only available via digital channels.
“There are many reasons an insider can be or become malicious including revenge, coercion, ideology, ego or seeking financial gain through intellectual property theft or espionage.” - ASD
Use Case 01
Title: compromise service integrity to individual
Scenario: man in the middle attack
- Social media algorithms force people down dangerous content rabbit holes, leading to reputational harm, legal harm, financial harm, radicalisation harm, and so on.
- Groups, and individuals, with the appropriate knowledge and skills can deliberately put content liable to harm an individual into the ‘recommendations’ stream, so that it appears as if the content was suggested by the social media algorithm.
  2.1 By people at a social media org. This might be directed by the social media org’s management hierarchy, or by external groups who control social media employees.
  2.2 By people external to the social media org who inject content into the HTTP stream.
Threat actor (perpetrator): Malicious insider, Insider threat
User actor (target): Anybody
Use Case 02
Title: Release / publish private or sensitive information
Scenario: Doxing
Threat actor (perpetrator): Malicious insider, Insider threat
User actor (target): Anybody
Use Case 03
Title: Radicalise someone
Scenario:
Threat actor (perpetrator): Malicious insider, Insider threat
User actor (target): Anybody
Use Case 04
Title: Discredit / malign someone
Scenario:
Threat actor (perpetrator): Malicious insider, Insider threat
User actor (target): Anybody
Use Case 05
Title: Impersonate someone
Scenario:
Threat actor (perpetrator): Malicious insider, Insider threat
User actor (target): Anybody
Use Case 06
Title: Induce anxiety/fear in someone
Scenario: man in the middle attack, very similar to the social media MITM
- Use multiple channels to psychologically harm the individual
- Use digital channels: social media, SMS, email, …
- Use analogue channels: local advertising, local services MITM actors, …
- …
Threat actor (perpetrator): Malicious insider, Insider threat
User actor (target): Anybody
Extension points: Intrude by click bait, Intrude by Email, Intrude by SMS, Intrude by phone call, Intrude track by phone, …
Use Case 07
Title: Intrude by click bait
Scenario: MITM attack, Click bait, induce anxiety/fear in someone
- Click bait news sites manipulate the news story feeds, headlines and images to psychologically manipulate someone.
- To purposely lead someone to content which might harm them.
- Induce negative emotion to manipulate them.
- Cause them to go into a negative emotional spiral.
- Cause them to go down specific internet rabbit holes, into human spider traps of endless harmful content.
- Cause them to go and ‘find’ other content which would lead to negative outcomes: reputational harm, legal harm, occupational harm, worst case radicalisation harm, and so on.
- Sow fear, paranoia and distrust. Present images of, or headlines about, third parties who might be known to the target, even if only tangentially, implying some negative or harmful action by the third party against the target.
- Sow fear, paranoia and distrust. We know you know we are doing this to you. But who are we? We’re coming to get you? But at a time of our choosing.
Threat actor (perpetrator): Malicious insider, Insider threat
User actor (target): Anybody
Use Case 08
Title: Intrude by Email
Scenario: MITM attack, similar to click bait news, social media, induce anxiety/fear in someone
- Email subscriptions, manipulate content and links
- Unsolicited emails, job advertisement phishing
- Unsolicited emails, click bait, multiple links to other sources
- …
Threat actor (perpetrator): Malicious insider, Insider threat
User actor (target): Anybody
Use Case 09
Title: Intrude by SMS
Scenario: MITM attack, SMS, mobile phone, induce anxiety/fear in someone
- Send unsolicited phone messages
- Include malicious links in message body
- Request call backs
- …
Threat actor (perpetrator): Malicious insider, Insider threat
User actor (target): Anybody
Use Case 10
Title: Intrude by phone call
Scenario:
- Unsolicited calls
- Phishing calls
- Nuisance calls
- Intrusive calls
- …
Threat actor (perpetrator): Malicious insider, Insider threat
User actor (target): Anybody
Use Case 11
Title: Intrude track by phone
Scenario: triangulation
- Use triangulation to track the target
- Map the routes taken by the target
- Intrude into the target’s life by placing third parties along the tracked paths of the target
- Have third parties harass, intimidate, threaten or abuse the target
- …
Threat actor (perpetrator): Malicious insider, Insider threat
User actor (target): Anybody
Use Case 12
Title: falsification of records
Scenario:
- Medical records
- Financial records
- Utility records
- Postal records
- Local gov services records
- National gov services records
- …
Threat actor (perpetrator): Malicious insider, Insider threat
User actor (target): Anybody
Use Case 13
Title:
Scenario:
Threat actor (perpetrator): Malicious insider, Insider threat
User actor (target): Anybody
BOSCARD
Background
Might be carried out by any individual lone actor. Might be carried out by a group with similar ideological views: criminal networks, political networks, ideological networks, and so on, and lone actors of the same inclination.
A non-comprehensive list of some vectors of attack:
- Telco cable infrastructure
- Internet provider
- Data centre
- XaaS provider (cloud)
- Network infrastructure (Bluetooth, Wi-Fi, 3G, 4G, … )
- Personal computing (desktop, laptop, tablet, PDA, mobile, smartphone, smart device, IIoT, IoT, … )
- Operating system (Windows, iOS, Android, Unix, Linux, …)
- Browser / App
- Domain TLD ([.]gov, [.]com, [.]org, [.]net, [.]ac, [.]edu, …) or by country (ac[.]be, ac[.]in, ac[.]fj, ac[.]uk, ac[.]zm, …)
- Digital service (financial services, shopping, games, social media, email, blogs, … )
Some of these involve the conceptual abstractions described by the OSI seven layer model for system interconnection; the mapping of four of the OSI abstraction layers onto the four abstraction layers of the internet protocol suite serves as a concrete example of a vulnerability vector.
Objective
Protect individual users from harm arising from the use of now ubiquitous and unavoidable digital services which are interfered or tampered with, compromising the integrity of the service to the user.
Man in the middle attacks on any digital service, including email applications. This also applies to all social media and most other internet hosted applications and services.
< todo: refactor this bit. too specific. not clear enough. not DRY enough. >
- Digital service integrity (gov, com, org, net, ac, …)
- Email privacy
- Email subscriptions
- Email links
- Email attachments
- Text messages
- Single ring
- Digital Security
- Account hijacking, email, social media
- Account impersonation, social media
- Man in the middle attacks, email
  - Inserting false information into emails or email threads, so as to mislead the recipient into believing the content or message was from the sender
  - Malign messages to discredit the sender
  - Malign messages to disrupt relationships and sow distrust between sender and recipient
- Man in the middle attacks, social media
  - Insert content into the social media stream liable to cause harm to the receiver if engaged with
Scope
The entire post digital age digital ecosystem: unregulated, red in tooth and claw, caveat emptor.
For example, Brave search results brought back for ‘whatsapp disinformation riots’:
- Indian WhatsApp Lynchings: Between 2018 and 2019
- Wakeley Riot (Australia): In April 2024
- Palghar Lynching (India): On April 16, 2020
- Bristol Riots (UK): During the 2024 Bristol riots
Brave search results brought back for ‘social media January 6th 2021’. Key findings from investigative reports and whistleblower testimony included:
- Failure to moderate content: Facebook, Twitter, and YouTube
- Lack of action on extremist rhetoric: despite warnings from staff and internal documents
- “Stop the Steal” groups: Facebook groups dedicated to the “Stop the Steal” movement
- Twitter’s delayed response: Twitter employees warned management about likely violence on January 5, 2021
- Inadequate policies: Social media companies’ policies and guidelines not enforced
- Profit-driven business model: prioritises engagement and advertising revenue over user safety and well-being
- Missed opportunity for accountability: Role of social media was not fully explored in the Jan 6th Committee’s final report
Constraints
In the face of exponential change and vast complexity there is no renaissance man solution. If there is no renaissance man solution, what hope for mere mortals?
Capability skill poverty.
Epistemic poverty.
Human interaction poverty.
Time poverty.
Jurisdiction poverty.
The jurisdictional limitations are a critical issue: jurisdictional boundaries, and adherence in practice to the letter and spirit of multilateral jurisdictional agreements.
Assumptions
If someone can be radicalised accidentally by falling down a harmful internet rabbit hole, then someone who has been profiled can be radicalised by purposely leading/channelling/directing them to content that will engage a negative emotional spiral: fear, anger, hatred, and so on.
Specifically, engaging base primal instinct (fight or flight) and human weaknesses and vulnerabilities: companionship/romance/sex, resource insecurity/finance/money/employment/housing, hunger/food, health/mental/physical/emotional, and so on.
The more immersive and the more senses utilised, the more effective: games, videos, 3D, …
Gaming the internet to manipulate, exploit and control.
Gamification of applications and services to maintain addictive levels of engagement: building brand loyalty (points mean prizes) and political loyalty, including extremism and radicalisation; behavioural modification; incentivisation of copycat behaviour.
In the digital era anyone with the skills, or who controls relevant malicious insiders, can reach into the lives of anyone else in the world from anywhere else in the world. In the analogue era, for the most part, a perpetrator would have to travel to, or hire someone at or near, the location of the target for MITM attacks, for example.
Risks
Risks to recipient/receiver/user: reputational, social, financial, legal, occupational, behavioural, …
Risks to sender: reputational, social, financial, …
Behavioural: radicalisation in extreme cases, self harm in other cases.
Deliverables
Regulation, oversight, enforcement
Compliance, detection, deterrence
Conclusion
Integrity of digital service provision must be protected by law. Non interference in service provision must be guaranteed. Individuals and organisations are at more risk now than at any other time due to digitalisation.
There is a related issue of the digital divide and digital poverty.
There is a related issue in the corporate externalisation of capability and service provision onto users, so that users must now become subject matter experts on the topic of the service provision concern, instead of this being provided by the organisation.
There is a related issue here with externalisation, outsourcing, offshoring, IVR with DTMF, cloud and the like.
The digitalisation of human existence has brought some remarkably positive changes to humanity. It has also brought some remarkably negative ones, which we are battling to address as individuals and as a society, and look likely to be for some time to come.
Humanity is maladapted to a life mediated through the digital realm, yet more and more of human existence is funnelled toward it.
Postscript
The big tech companies are dealers in applied digital addiction. Attention as income. Attention channelled through AI algorithmic negative emotion filters, and anti reality filters of other sorts.
CrackTube, MethX, SmackGram, FentFace, and so on and so forth. The entire online planet is warped and disrupted by it. It is akin to digital slavery: slavishly inflating Big Tech’s bottom line with our lives’ time stock.
The digital domain does not represent reality; it distorts it. It saps the online planet’s attention: attention that should be focused on the functioning of society and its people, attention that is no longer paid to family and friends.
The online planet’s inhabitants are casualties of digital vampirism, enslaved to attention financialization as servi in human battery pods. Servi aut nascuntur aut fiunt: slaves are born or they are made. Children born into this world are made attention deficit financialization battery drone servi.
See related posts
Block Internet Search Query Terms - HTTP Request intercept, Brave Community
Security - DNS Blacklists and Whitelists, Brave Community
Browser Ontology - terminology and term relations, Brave Community
References
Attacks
Attacks (social engineering)
Gaming the system, Wikipedia
Gamification, Wikipedia
One ring phone scam, Federal Communications Commission
Caller ID Spoofing, Federal Communications Commission
Attacks (software), OWASP
Browser session recorders
Cross site request forgery (CSRF, XSRF), Wikipedia
Cross site scripting XSS,
Keyloggers
boy-in-the-browser (BitB, BITB), MITM type attack
Man-in-the-middle attack, (MITM), Wikipedia
Man-in-the-browser, OWASP
Man-in-the-browser (MITB, MitB, MIB, MiB), Wikipedia
man-in-the-mobile (MitMo)
Manipulator-in-the-middle, OWASP
< more to list … >
Attacks (Operating System)
Smart Multi-Homed Name Resolution (MS Windows), Brave, Brave VPN can help to block it
Internet protocols
Second level domain, Wikipedia
Personal computing devices
personal computing device definition, Law Insider
Personal computing definition, Law Insider
Personal computer, Wikipedia
Personal Computing Devices Market Insights, 11 June 2024, IDC
Personal computer technology, Britannica
< more defs to list … >
Terms of reference
BOSCARD, 21 Oct 2021, Duncan Haughey, Project smart
Threat Actor
What is a threat actor?, IBM
Malicious insiders, 23 Jun 2020, ASD
Vulnerabilities, attack vectors
Vulnerabilities (software), OWASP
Glossaries security
Security vocabulary, NICCS, US
Standards/Specifications/Models
Protocols
OSI Model (the seven layer model), Wikipedia
Layer 8 +, Wikipedia
Internet Protocol Suite, Wikipedia
Comparison of software and protocols for distributed social networking, Wikipedia
Modelling
UML Use Case Include, UML Diagrams org
UML Use Case Extend, UML Diagrams org
Newspapers
Gamification
The El Paso Shooting and the Gamification of Terror, 4 August 2019, Robert Evans, Bellingcat, Retrieved 8 September 2024
Complexity
Pensioner accidentally pays £2,700 for Oasis tickets, 7 September 2024, Tony Fisher & Louise Parry, BBC News, Retrieved 9 Sept 2024
The Good and the Bad, 2024-06-21, Tim Berners-Lee, W3C, Retrieved 15 September 2024
The Dysfunction of Social Networks, 2024-02-28, Tim Berners-Lee, W3C, Retrieved 15 September 2024
Papers
Fernandes, D.A.B., Soares, L.F.B., Gomes, J.V. et al. Security issues in cloud environments: a survey. Int. J. Inf. Secur. 13, 113–170 (2014). https://doi.org/10.1007/s10207-013-0208-7
Andy Jones, The changing nature of malicious attacks, Computer Fraud & Security, Volume 2008, Issue 6, 2008, Pages 15-17, ISSN 1361-3723, https://doi.org/10.1016/S1361-3723(08)70100-3
Law/regulation/directives
Data protection in the EU, EU Commission
Regulation (EU) 2022/2554 (DORA), Official Journal of the European Union
Digital Operational Resilience Act (DORA), European Insurance and Occupational Pensions Authority (EIOPA)
Digital Operational Resilience Act (DORA), European Securities and Markets Authority (ESMA)
The Digital Services Act, European Commission
< todo: source digital services integrity law, right not to have services interfered with by hostile actors, right not to have services compromised by hostile actors, right to security and integrity of service, >
< todo: source digital services access law, right not to be denied service, right not to have services denied by hostile actors, >
< todo: source digital services good faith law, not to be an unwitting experimental subject, convenience services and lazy click and agree T&C’s because there is little alternative or the barriers to access without doing so too high or convenience exploitation, , >
Resources
pushsecurity / saas-attacks, < Private company, no due diligence done, link in relation to a Linked in artic