Solomon’s Strange Tales from Cyber Security
It’s fun to laugh at so-bad-they’re-good 90’s movies about hacking into the mainframe, but therein lies a more serious problem: people don’t understand the limits, processes, and possibilities of hacking. Sadly, it seems as though This misunderstanding is a breeding ground for scare and worry within the fringes of people’s paranoia.
During my five year career as a cyber security consultant and penetration tester, I’ve dealt with an alarming number of people with an extremely specific presentation of quite serious paranoia. These are people to whom all else seems logical and reasonable, yet believe wholeheartedly in the wide reaching fiction of shady hackers controlling their every movement, or eavesdropping on their conversations. Each time I communicate with someone about their issues (usually they request a cyber security check up or network forensic services), they describe a series of beliefs which I’m now so familiar with, I can predict with ease.
Tackling paranoia in clients
Any security professional working for long enough in the industry will happily regail you with bountiful stories of bizarre
requests, people asking for illegal services, and the classically insecure spouse looking for a leg up into their partner’s Facebook account. Obviously those requests are (often politely) declined, and we all move on with our lives after having a bit of a laugh about it.
There is, however, a slightly different kind of request that both myself and other industry professionals I’ve spoken to have come across. It takes a more sinister tone and should be dealt with seriously. I’m talking about a very particular kind of paranoia exhibited by some clients. This isn’t your standard run-of-the-mill paranoia either; we’re not talking about people who believe lizards run the world, or that 5G is out to get us. I’m also not talking about people who over-estimate their risk profile and take too many precautionary steps to avoid being identified online.
Instead I’m talking about very real, honest people who sincerely believe they’ve been hacked, or that they’re being persecuted by an agency of some kind. People who, by all accounts, have complete sound of mind in all other areasapplications. I’ve so far come across five different people who’ve contacted me with extremely specific but similar stories/requests. For obvious reasons I’m going to do my best to ensure none of these people can be identified, so please bear with my sometimes vague language.
My first encounter
My first exposure to this was as a referral from a forensics company. This person (~40F) contacted the company requesting their services, but they couldn’t provide to her as an individual, so the request was forwarded to me. On first contact with her, I asked the standard preliminary questions to understand her situation and quickly discovered that she believed her home network was taken over by a group of hackers. She was also under the impression that she was being listened to constantly through her phone, and that this group of malicious actors had also compromised her work environment. A lot of her description matched some general problems that are sometimes to be expected when computers malfunction – slow performance, network cut-outs etc.
I did my best to find out how, when, and why she initially suspected an attack. I thought that even though her interpretation of events was extreme, there still may have been legitimate malicious activity which had initially triggered this belief. I have no training in handling mental health conditions, but I was of the belief that I may at least be able to confirm/deny the existence of a malicious presence on her network.
She told me that she had kept logs of information she found. I asked her to send this over to me and she agreed. In the meantime, she was insistent on using certain lines of communication and talking in specific ways. I think I focused a lot of her attention, as she would be relatively frequent in asking for updates during the process of finding out this preliminary information. I would often get told of various proofs or activity happening within this person’s network. Her son also had a similar suspicion. Every time there was an outage or some bizarre behaviour, it seemed to have originated from this hacker group.
Finally, the information arrived to me through the post. A large number of SD cards followed by around 250 sheets of hand written notes. I informed her that the documents had arrived and that they weren’t in the expected format, but that I would take a look. At this point I was concerned for her well-being but hadn’t got a clue what to do. She had mentioned to me that she was planning on taking legal action against her ISP for allowing this attack to occur.
In therapy or other confidential advisory areas, the rule of thumb is that it’s confidential unless there is an immediate risk to yourself (the discloser) or someone else. I found myself in a position where I had significant concern for this person, but an obligation of confidentiality towards her and no ability to act as an authority of whether she was a risk or not. Even if she was at risk,, would disclosing this information be the right thing, or would it make things worse? Who would I even disclose it to?
Unfortunately she began acting erratically towards me, informing me that she suspected I was driven by this group of hackers. I’d receive a number of late night messages cursing at me. I don’t believe there was anything I could have done to persuade her to keep me on, but I also don’t think there was anything I could have done to prevent her from believing what she did. Thus, the client relationship ended. I was unable to return her documents to her, and still have them now; she felt uncomfortable releasing her address to me. From what I can make out in the documents she sent, it seems as though her network had a lot of active devices on it, and her computer was old and in need of replacement. I couldn’t see any evidence of malicious activity.
The second time I received a request for help, it was from a lady in her 60s. She worked in the more controversially legitimate fringes of medicine and contacted me directly, as she thought she was being surveilled by the regulatory board for her particular brand of healthcare. After exchanging a few emails (through protonmail) I decided to agree to meet her and try to establish what was going on. Before meeting, however, I asked some industry folks what they would do. The standard consensus was ‘meet and see what happens’.
So we met. On a pub bench in Bristol. She quietly insisted that I turn off my phone and that we speak out of earshot from other customers. She was polite, caring, and showed no urgency about herself. Conversation mainly centered around the same question I’ve asked a million times before; how did she know she was being hacked/surveilled. Similarly to before, I hear answers that are indicative of computer failure, old devices, incompatiability with new web-pages etc… All things that could be easily explained away individually solitude, but as a collective it became very hard to try to convince her of the coincidence.
We spoke some more and she told me that if I were to take a look at her devices, it would give her some peace of mind. I informed her that providing device forensics as she described them was a costly affair, but she was regardless happy to continue.
At this point I didn’t know how to proceed. I don’t think I could have morally charged for a service I didn’t believe to be required by her. I suggested that perhaps I check and update her home network security, but she was entirely insistent on seeing whether I was able to find any evidence of surveillance. Eventually I told her I’d consider it and that I’d be in touch should I agree to move forward. Sadly as she insisted on the use of protonmail, and would make the effort to only access that email through public library computers, it seems as though she lost the ability to log into her account and we subsequently lost touch.
Referred by a therapist
The third time I had someone come to ask me for advice, it was late at night and through their therapist. I was informed it was an emergency situation. The therapist contacted me and told me that a client (~60M) was worried that their computer was compromised. I told the therapist about the previous experiences I had come across and the similarity of the situation, and we had a conversation about whether it was appropriate to provide some general network analytic and forensic services to this client. As I didn’t have direct contact with the client in question, I was unable to ascertain some key answers and situational information. We decided it was worth doing though, and about 30 minutes later at around 21:30 I found myself driving to the client’s residence to perform some late night analytics. I asked the client to walk me through all the problems he was experiencing, and to tell me everything he was worried about. It was bizarre to me – as if I already knew his stance on how he felt. His descriptions were achingly similar to what I’ve already heard, except this time, it was in his house and I was expected to do something about it.
A lot of the problems were just cleaning up old areas of his computer and making sure his internet connection was running smoothly. He had described experiencing latency and lagging issues while screensharing, and I informed him that his internet connection wasn’t really built for it. I did perform some pretty extensive checks for malware, and I checked the network for any activity which could be perceived as malicious. Nothing was found, and I walked him through the entire process. It did seem as though he was looking at everything I said to find confirmation of his belief. Once I was done, I thanked him for his hospitality and drove to stay at my friend’s house locally (I was about 1h30m from home and it was ~01:00 by the time I finished).
This experience was different. I wasn’t having to bear the burden of responsibility for judging whether my expertise and involvement was appropriate. I wasn’t having to make any call as to whether the person was a danger to themselves or to others. It seemed to me as though this client was far far earlier in his belief of a malicious attack than the other two I had experienced. Chiefly, I wanted to know whether my running through the network and his devices with him and walking through the process was legitimately helpful or not. Would my involvement actually have given him the reassurance he needed? Sadly, it seemed not. I was asked approximately a week later to go out and do the same thing again. I obliged, and just ran through some additional concerns with him.
"I’m aware that to a tech savvy audience likely to be reading this, certain things might seem very obvious. But an example of some of his concerns were that when the internet opens up, google.com opens in two new tabs rather than one. He took this as evidence of malicious tampering, whereas of course I had mistakenly written google.com twice on his IE homepage settings last time I was there."
At this point, I informed the therapist that I didn’t believe there was anything I could do to further reassure the client, and that his worries just seemed to transfer to some other aspect of the computer issues, rather than give qualitative support. It seems as though I wasn’t providing peace of mind, but that in reality beliefs will be beliefs, and there’s nothing I could have done as a cyber security professional to stop him from just looking for confirmation of those beliefs elsewhere.
A close friend
The fourth time this happened, I was approached by a close friend of mine whom I love dearly (~20M). He was concerned as he had visited an adult website in which someone appeared to be under-age. Don’t worry – they weren’t; the website was just displaying videos from other popular adult sites and indexing them. Once this person visited the website, they became extremely worried that they would be discovered and pursued by the police. They asked me to check to see whether their devices had some kind of malware or tracking software on them.
I asked him to visit, and I had a very long talk with him about it and how he felt. I obliged by checkingto check his devices – with no results of malicious activity at all, and told him that I didn’t believe it would help him reassure himself. The descriptors of why he thought he was being monitored were extremely similar to that of the other experiences I’ve had. I chatted to him candidly about how similar I thought his worries were, and asked that he look into getting some help should he feel worse, or should it transpire that he’s still worried about being tracked. I promised him that he didn’t have anything on his device, and that there was nothing to fear.
Each time I’ve come across situations such as this, they’ve always been extremely similar. They’ve been similar to the point of being able to guess with precision accuracy the exact nature of the problem and the convictions the client believes without having to perform any formal assessment or ask any questions. It always seems to be someone who is convinced they’ve been hacked or surveilledsueveilled, and are finding themselves looking constantly for evidence to prove them right.
Confirmation bias is nothing new, but I think it is novel within the bounds of ‘hacking’. It is my opinion that the mystique and opacity within cyber security has become a magnet for those who don’t understand it to find explanations of malice. In a time where it’s possible for zero click RCEs to exist (looking at you WhatsApp), it’s hard for anybody to believe that they’re secure and private. I’m extremely lucky in that I know what is and isn’t possible on a network, yet I still sometimes feel that compulsive paranoia.
If I truly believed that someone was out to get me, and I wanted to find a way to prove it, I couldn’t think of a better way to get people to believe me than through claiming I was hacked. For the layman it’s almost impossible to prove wrong, and feels incredibly plausible as an explanation. In the first instance of my encounters, I wrote that the lady believed she had been compromised in her work environment. Every single one of her colleagues believed her, and were starting to believe that the hackers were spreading to their devices when they were in the vicinity of this person.
It seems as though the compulsion for some of us to keep industry secrets exactly that – secret, are causing legitimate suffering for other, more vulnerable parties who are looking for explanations to confirm things they don’t believe to be true.
I believe the best approach for this is to remember a few things:
1) You can’t help people who believe this. You can’t convince them otherwise.
2) Always try to stay compassionate and understanding.
3) Don’t see it as an opportunity to make money by preying on ignorance.
4) Whenever you can, encourage professional help.
I’m aware of a lot of cyber security companies taking advantage of this misinformation in order to profit (https://www.youtube.com/watch?v=WVDQEoe6ZWY), but it only causes harm. I hope that We Fight Fraud continues to demonstrate our ability to transparently approach communication in cyber security, and I will put out an open call to all those reading in order to keep us to account should it be mislayed.
Solomon Gilbert is head of cyber and penetration testing at We Fight Fraud.