London, UK – 31 October, 2012 – Digital Assurance, the independent security assessment and information assurance consultancy behind the monitoring and misinformation supplied to the participant in the ‘Derren Brown Apocalypse’ programme, today warned the same techniques could be used to hijack communications in targeted attacks. Aired on Channel Four on Friday 26 October and due to conclude this week, the programme aims to convince participant Steven that the world is ending by controlling his access to information over digital media. The techniques used for the show could equally be used to manipulate an individual or a group within a specific locality to misinform and control behaviour, warns Digital Assurance.
More than 250 people collaborated in the Derren Brown Apocalypse show to convince participant, Steven, that a cataclysmic meteor shower had devastated the UK. Digital Assurance provided Derren Brown with the technical expertise to hack into Steven’s phone, Internet, radio and TV communications before using a man-in-the-middle attack to intercept and inject news feeds to his mobile phone and Twitter account, with special TV and radio programmes relayed to his home and places he visited.
The attack used in the Derren Brown Apocalypse show is significant in that it used social engineering and a man-in-the-middle attack to provide misinformation in a coordinated, concerted effort over multiple media channels. Social engineering is a term used to describe the art of manipulating people into performing actions or divulging confidential information. Similar in nature to a confidence trick or fraud, it is usually carried out remotely over a single media channel with the aim of securing access to computer systems and information and of perpetrating fraud.
The inside information on Steven and the concerted attacks carried out against him could be replicated to target an individual or a particular group. In the show, a man-in-the-middle attack was carried out by compromising the laptop and phone, requiring physical access to Steven’s mobile phone and highlighting how potentially dangerous a lost or misplaced device can be. But man-in-the-middle attacks can equally be used over compromised fixed and wireless networks rather than end-points, enabling them to be used in localised attacks to influence a group of individuals.
“Entertainment aside, we felt the Derren Brown Apocalypse programme presented us with a real opportunity to show the reliance of modern society on digital media and demonstrate that knowledge – and the subversion of that knowledge – holds real power through the ability to manipulate perceptions and ultimately decision making. The man-in-the-middle technique used in the programme could just as readily be used to hijack communications and misinform a target group or individual,” said Greg Jones, Director, Digital Assurance. “Social engineering is an attack vector that cannot wholly be solved by technical controls; it can selectively utilise information that is readily available and freely given over the Internet, and it preys upon human gullibility. If a hacker were to choose to exploit multiple media sources then they stand to gain real power and influence over that audience. We believe it’s a security issue that will continue to cause problems in the future, particularly if a targeted attack is carried out systematically over multiple vectors for disruptive reasons or for financial gain. For instance, the global markets and the traders that drive them react in the short-term to news and events; if the integrity of that news or more significantly the integrity of pricing information is compromised then there is the potential for both significant disruption and even financial gains.”
About Digital Assurance
Digital Assurance delivers a range of security assessment, information assurance and security training services to public and private sector organisations. Clients range from large blue-chip multinationals through to smaller independent security consultancies, each of which has a business necessity to address information security assessment and reduce the cost and burden of new mandatory and regulatory compliance.
Digital Assurance has extensive experience performing Internet, internal and wireless penetration tests as well as security consultancy and best practice advice.