Humans are complex beings with consciousness, emotions, and the capacity to act based on thoughts. In the ever-evolving realm of cybersecurity, humans consistently remain primary targets for attackers. Over the years, these attackers have developed their expertise in exploiting various human qualities, sharpening their skills to manipulate biases and emotional triggers with the objective of

_Humans are complex beings with consciousness, emotions, and the capacity to act based on thoughts. In the ever-evolving realm of cybersecurity, humans consistently remain primary targets for attackers. Over the years, these attackers have developed their expertise in exploiting various human qualities, sharpening their skills to manipulate biases and emotional triggers with the objective of influencing human behaviour to compromise security whether it be personal and organisational security._

**More than just a 'human factor'**

Understanding what defines our humanity, recognizing how our qualities can be perceived as vulnerabilities, and comprehending how our minds can be targeted provide the foundation for identifying and responding when we inevitably become the target.

The human mind is a complex landscape that evolved over years of exposure to the natural environment, interactions with others, and lessons drawn from past experiences.

As humans, our minds set us apart, marked by a multitude of traits and emotions, often too complicated to articulate precisely.

****Human behaviour is complex****

Some of our fundamental traits can be outlined as follows:

*   **Trust** – Humans place their trust in others, assuming inherent goodness.
*   **Empathy** – Humans exhibit care for others and their feelings.
*   **Ego** – Humans harbour a competitive spirit, aspiring to outshine their peers.
*   **Guilt** – Humans experience remorse for their actions, especially when they harm others.
*   **Greed** – Humans desire possessions and may succumb to impulsivity.
*   **Urgency** – Humans respond promptly to situations demanding immediate attention.
*   **Vulnerability** – Humans often grapple with fear and are candid about their emotions.

While this list is not exhaustive, it summarises common and understandable aspects that drive human behaviour. Human interactions hold essential value, instilling life with significance and advancing cultural norms. However, for attackers seeking to exploit us, the social construct of human-to-human interactions provides a pathway for manipulation.

Our naturally social nature forces us to revert to these traits. Emotions serve as a safety net for communication, problem-solving, and connections in our everyday life and we have come to trust our emotional responses to further guide and protect us in a variety of situations.

****I think, therefore I can be manipulated****

Attackers exploit this safety net (emotions and fundamental traits) when targeting humans, as it can be manipulated to fulfil their objectives. This safety net weakens even more when we venture into the "online" realm, as certain safeguards fail due to a lack of insight. The abstraction of communication through a name on screen often misleads our minds in interpreting situations in a way that our emotions cannot accurately navigate.

In the realm of manipulation, various models and methods have been employed over centuries to influence human behaviour. In today's context, attackers exploit these models to identify human vulnerabilities, characterised as weaknesses within the system that can be exploited.

In addition to directly manipulating fundamental traits through carefully targeted attacks, attackers tend to target humans through forms of influence and persuasion. These can be summarised as follows, and humans tend to operate mentally in these realms:

*   Reciprocation – Humans feel compelled to reciprocate what they have received.
*   Authority – Humans are inclined to comply with authoritative/known figures.
*   Scarcity – Humans desire items that are less attainable.
*   Commitment & Consistency – Humans favour routine and structure.
*   Liking – Humans form emotional connections.
*   Social Proof – Humans seek validation and fame.

These aspects can be viewed as potential vulnerabilities in the human mind when combined with emotions and fundamental traits. Attackers leverage these aspects to gain direct control over our actions, an occurrence now recognised as social engineering. Social engineering encompasses various techniques and tactics, yet at its core, it exploits one or more of the areas mentioned above through accurately crafted interactions.

****Formula for attack****

To describe the modus operandi for attackers targeting humans, we can formulate simple formulas.

A standard attacker formula will be as follows:

(Target) + (Vulnerability) + (Exploit) = Compromise

But when applied to the human it could be as follows:

(Human Mind) + (Emotional Trigger/Trait) + (Social Engineering Technique) = Intended Objective through Resultant Reaction

**_The attack chain is apparent by looking at how these formulas relate to triggers and techniques in combination with vulnerabilities._**

Exploitation techniques, often seen in digital channels like email, phone calls, or text messages, are frequently used for phishing. These tactics manipulate established interactions to achieve various objectives, such as deceiving individuals into parting with funds, opening malicious files, submitting credentials, or revealing sensitive data. The consequences of these attacks can vary from individual losses to organizational breaches.

****Defending ourselves****

To safeguard against these attacks against our minds, we should align our cognitive standards with emotional triggers by asking questions like; what is the purpose, expectation, and legitimacy of the interaction. These questions could prevent impulsive reactions and allow introspection.

Establishing a "stop and assess" mentality acts as a mental firewall, strengthened by vigilance, to enhance personal and organisational security. By considering potential attacks, we heighten our awareness of vulnerabilities and work on resilience. This awareness, coupled with a proactive approach, helps mitigate threats to our minds and humanity, promoting collaboration to disarm attackers and weaken their operations.

Stay vigilant, stay informed, and continue to question everything.

This is just one of the stories found in the Security Navigator. Other exciting research like a study of Hacktivism and an analysis of the surge in Cyber Extortion (as well as a ton of other interesting research topics) can be found there as well. It's free of charge, so have a look. It's worth it!

_**Note:** This article was expertly written by Ulrich Swart, Training Manager & Technical Team Leader at Orange Cyberdefense._

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hacking the Human Mind: Exploiting Vulnerabilities in the 'First Line of Cyber Defense'

Unspecified governments have demanded mobile push notification records from Apple and Google users to pursue people of interest, according to U.S. Senator Ron Wyden.
"Push notifications are alerts sent by phone apps to users' smartphones," Wyden said.
"These alerts pass through a digital post office run by the phone operating system provider -- overwhelmingly Apple or Google. Because of

Unspecified governments have demanded mobile push notification records from Apple and Google users to pursue people of interest, according to U.S. Senator Ron Wyden.

"Push notifications are alerts sent by phone apps to users' smartphones," Wyden said.

"These alerts pass through a digital post office run by the phone operating system provider -- overwhelmingly Apple or Google. Because of that structure, the two companies have visibility into how their customers use apps and could be compelled to provide this information to U.S. or foreign governments."

Wyden, in a letter to U.S. Attorney General Merrick Garland, said both Apple and Google confirmed receiving such requests but noted that information about the practice was restricted from public release by the U.S. government, raising questions about the transparency of legal demands they receive from governments.

When mobile apps for Android and iOS send push notifications to users' devices, they are routed through Apple and Google's own infrastructure known as the Apple Push Notification (APN) service and Firebase Cloud Messaging, respectively. Microsoft and Amazon have similar systems in place called Windows Push Notification Service (WNS) and Amazon Device Messaging (ADM).

UPCOMING WEBINAR

Cracking the Code: Learn How Cyber Attackers Exploit Human Psychology

Ever wondered why social engineering is so effective? Dive deep into the psychology of cyber attackers in our upcoming webinar.

Join Now

As a result, the letter alleges that both companies can be compelled by governments to hand over the information. It's currently not clear which governments have sought notification data from Apple and Google.

That said, the U.S. is one among them, according to the Washington Post, which found more than two dozen search warrant applications related to federal requests for push notification data.

"The data these two companies receive includes metadata, detailing which app received a notification and when, as well as the phone and associated Apple or Google account to which that notification was intended to be delivered," the letter read.

"In certain instances, they also might also receive unencrypted content, which could range from backend directives for the app to the actual text displayed to a user in an app notification."

It also urged that Apple and Google should be permitted to disclose whether they have facilitated this practice, and if so, publish aggregate statistics about the number of demands they receive, and notify specific customers about demands for their data.

In a statement shared with Reuters, which first reported the development, Apple said the letter gave them the "opening" they needed to share more details about how governments monitored push notifications.

"When users allow an application they have installed to receive push notifications, an Apple Push Notification Service (APNs) token is generated and registered to that developer and device," Apple now notes in its updated Legal Process Guidelines document \[PDF\].

"Some apps may have multiple APNs tokens for one account on one device to differentiate between messages and multi-media. The Apple ID associated with a registered APNs token may be obtained with a subpoena or greater legal process."

Google, meanwhile, noted that it already publishes this information in its transparency reports although it's not specifically broken down by government requests for push notification records.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Governments May Spy on You by Requesting Push Notifications from Apple and Google

An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.
Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.


**Apache Struts vulnerable to path traversal**

Moderate severity GitHub Reviewed Published Dec 7, 2023 to the GitHub Advisory Database • Updated Dec 7, 2023

GHSA-2j39-qcjm-428w: Apache Struts vulnerable to path traversal

TOTOLINK N300RT version 3.2.4-B20180730.0906 has a post-authentication RCE due to incorrect access control, allows attackers can bypass front-end security restrictions and execute arbitrary code.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-48860: security_research/TOTOLINK-N300RT-RCE.md at main · xieqiang11/security_research

DLL hijacking vulnerability in TTplayer version 7.0.2, allows local attackers to escalate privileges and execute arbitrary code via urlmon.dll.

CVE-2023-48861: POC4/README.md at main · xieqiang11/POC4

An issue in SCOL Members Card mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

CVE-2023-43298: CVE-reports/CVE-2023-43298.md at main · syz913/CVE-reports

An issue in DA BUTCHERS mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

CVE-2023-43299: CVE-reports/CVE-2023-43299.md at main · syz913/CVE-reports

An issue in urban_project mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

CVE-2023-43300: CVE-reports/CVE-2023-43300.md at main · syz913/CVE-reports

A cross-site-scripting vulnerability exists in Ruckus Access Point products (ZoneDirector, SmartZone, and AP Solo). If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is logging in the product. As for the affected products/models/versions, see the information provided by the vendor listed under [References] section or the list under [Product Status] section.

CVE-2023-49225: 20231128 | Security Bulletins | Ruckus Wireless Support

Availability Booking Calendar 5.0 is vulnerable to Multiple HTML Injection issues via SMS API Key or Default Country Code.

    # Exploit Title: PHPJabbers Availability Booking Calendar v5.0 - HTML Injection# Date: 13/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link:https://www.phpjabbers.com/availability-booking-calendar/#sectionDemo# Version: v5.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-48825Descriptions:HTML injection, also known as HTML code injection or cross-sitescripting (XSS), is a web security vulnerability that allows anattacker to inject malicious code into a web page that is then viewedby other users. This can lead to various attacks, such as stealingsensitive information, session hijacking, defacement of websites, ordelivering malware to users.Steps to Reproduce:1. Login your panel2. Go to System Menu then click SMS Settings.3. Then use any HTML Tag in "SMS API Key", "Default Country Code"input field and Save.4. You will see HTML code working here.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48825)

Tag

#git