Volume 02 Issue 10
In this issue
• Social Engineering and Poker
Have an open mind: See SE Everywhere.
Now say that theme five times really fast. Yet this is one of the ongoing themes here at social-engineer.org.
From the very beginning till now, we have always thought that you can find SE everywhere you look.
We cover this every month on our podcast where we interview guests that just don't seem to be related to social engineering in the least bit at first. But, after speaking with them for a little bit, it becomes clear.
Some of the newsletter articles we have done also hit this topic, for instance looking at children and how they manipulate situations for self-gain. This is the only way they have to get what they want, and so kids have it refined far better than the rest of us. What can we learn about social engineering from these topics that don't seem related to social engineering at all?
The answer is simple...Everything.
Which brings us to the tip for this month: Have an open mind, and find social engineering in everyday situations.
These situations are some of the most refined social engineering situations you will ever find. They are real, they matter, and they can be one of the best learning lessons for a social engineering enthusiast.
Let's look at some simple examples.
You walk into a shopping center and you see the security guard standing by the entryway. It's an off-duty police officer in uniform who is earning a little bit of extra money for summer vacation. His job is to act as a visible deterrent for any problem more than anything else.
You are just there to shop; you smile at him, perhaps say hello, and walk on about your business with the quiet authority of someone who has done this a hundred times. You don't act guilty, you don't look suspicious. You are on a mission, to go shopping, and have no reason to interact or alert. You may nod, give a small glance or walk past. The security guard nods back, and goes back to spacing out thinking about his upcoming trip.
What does this have to teach you about gaining entry to a guarded facility? Everything.
The guard at a business may be a security guard, or may just be a receptionist. If your plan is to just walk on by the guard without being molested, what is the best way to do it?
Let's look at the previous example and consider. The same way you acted walking into the mall is the way you act here. You don't act suspicious, you don't act guilty, you are on a mission and don't need his authority to do it. You don't want to engage more than necessary and perhaps expose some problems in your ruse.
Just like the example before, you acknowledge the guard, perhaps exchange a quick pleasantry, and go about your business as if you have every bit of confidence in taking this mundane action. You put yourself in the same mental situation as if you were walking into the shopping center.
If the guard stopped you walking into the shopping center to ask why you are there, how would you act?
You would be a little upset, taken aback, maybe even mad that he stopped you from your goal for no reason.
Apply that to this scenario. A rational person wouldn't flip out, but what would be the body language, vocal tone and facial expressions of a person who is stopped for no reason? Mimic that.
Another quick example.
You are walking down the street in a large city and a homeless man approaches you. He smells and has a far different sense of personal space than you. He is asking you for five dollars; you don't want to give it to him, so you walk on.
He follows you, speaking in a loud voice, standing way too close, smelling of urine, telling you about his hard-luck story, drawing attention to you, and everyone is looking to see what this is all about. You just want to get to your destination, and the cost of giving the man the two one-dollar bills in your pocket is well worth it just to get rid of him.
Did the homeless man really want the five dollars? Or was he really just going to be happy with getting anything? By asking for more than he really desired and creating a situation that made his target uncomfortable, and later compounding that by applying social pressure, the homeless man achieved his objective in pretty short order.
This is what social engineering is. It's real, and it's something we do all the time. Complex approaches and situations are really nice and a real part of social engineering, and we will be studying these as they are part of our new NLH study. Yet in the long run, we can learn a lot by just analyzing and studying the everyday scenarios that surround us.
There is so much to learn out there if you just keep an open mind, realize no matter how much you have done or how educated you are there is always something more to learn from the most mundane and simple of situations.
Keep this month's tip in mind as you go through your day, see what you can learn, and how it can be used to inform your work.
Written by Jim O'Gorman & Chris Hadnagy
This month we have been given some AWESOME devices by our sponsor at SpyAssociates.com, but instead of ruining the surprises here we will be bringing them to Vegas to show off.
If you want to listen to our past podcasts, hit up our Podcasts Page and download the past episodes.
We want to say thank you to our sponsors this month:
Spy Associates for continually giving us some awesome products to test out.
The EFF for supporting freedom of speech
Offensive Security for their continual support
Continuum WorldWide for their support and sponsorship for the upcoming Defcon 18 Social Engineering CTF - How Strong is Your Schmooze
Neuro-Linguistic Hacking: The New Age of Social Engineering
Social engineering is nothing new. From some of the oldest stories recorded in mankind's history till today, social engineering has been used. The interesting part about social engineering is that the methods used have not changed much. Sure, there is new technology and a deeper understanding of humans and psychology, but the underlying principles of social engineering are the same as they were 6000 years ago.
In the last 70-100 years there have been massive leaps in understanding the human psyche. What makes a person tick? Bandler and Grinder took understanding neuro-linguistic programming to a whole new plane. Dr. Paul Ekman took understanding microexpressions to a new science. Then many experts who spent decades studying influence, persuasion and manipulation began to work hard to understand what makes a person act a certain way.
As an ardent student of the sciences and arts that make up social engineering, I am always trying to learn how to adapt certain studies from other professionals into social engineering as a whole. We have interviewed radio hosts, psychologists, law enforcement, NLP gurus, dating experts and others to try and understand what each of those fields has to offer a social engineer.
After studying a lot of the practices and what makes them successful, we have blended a few together and are going to start a new study called Neuro-Linguistic Hacking (NLH).
What is NLH
Neuro-Linguistic Programming (NLP): NLP is a controversial approach to psychotherapy and organizational change based on "a model of interpersonal communication chiefly concerned with the relationship between successful patterns of behavior and the subjective experiences underlying them" and "a system of alternative therapy based on this which seeks to educate people in self-awareness and effective communication, and to change their patterns of mental and emotional behavior".
Neuro: This points to our nervous system which we process our
Linguistic: This points to how we use language and other nonverbal communication systems through which our neural representations are coded, ordered and given meaning. This can include things like:
Programming: This is our ability to discover and utilize the programs that we run in our neurological systems to achieve our specific and desired outcomes.
In short, NLP is how to use the language of the mind to consistently achieve, modify and alter our specific and desired outcomes (or that of a target).
Microexpressions are the involuntary muscular reactions to emotions we feel. As the brain processes emotions it causes nerves to constrict certain muscle groups in the face. Those reactions can last from 1/25th of a second to 1 second and reveal a person’s true emotions.
Combine this with the reading of body language, gestures and posture and what you are left with is a human reading machine. That is the core of neuro-linguistic hacking.
The New Age Of Social Engineering
The team at Social-Engineer.org has been developing and working on training. I don't want to reveal too much, because much more will be coming. What I can tell you is that there is no training on the market today that is like this. Let me give you an example.
Social engineering is largely about influencing a target to take an action. Many actions are taken due to an emotion that is felt. Instead of talking just about how to manipulate, I suggest we talk about how to cause a target to feel the emotion. Once we can trigger that emotion, we can trigger an action to follow it up.
Here is a scenario a normal social engineer might encounter. The social engineer needs to gain access to the server room, and to do it he needs to get past the secretary. Of course, he can "lie" his way past and that may work. But to give a better chance at success, he knows that if he can engage his target's emotions she may do what she is asked more easily.
To really sell it though, the social engineer should understand anxiety and how to display it in proper degrees. Psychologist World states that anxiety is fear + vanity. Along with that it talks about the effects of anxiety and how it is displayed.
Medical News Today printed some research that can literally change the way we understand how to use microexpressions in social engineering. Much of the talk about using microexpressions is about reading them on our targets to give us a clue how the target is feeling. That is a very powerful use for microexpressions. Yet what about using microexpressions to influence our targets and manipulate them? The study done by some top researchers proved that even though we might not consciously pick up on a microexpression, our subconscious minds do, and not only do we pick them up but they alter our perceptions and the way we treat others or are treated by others.
That is a powerful statement. Notice what Ken Paller, professor of psychology in the Weinberg College of Arts and Science at Northwestern has to say on this, “Even though our study subjects were not aware that they were viewing subliminal emotional expressions, their brain activity was altered within 200 milliseconds. As a result, the ratings of facial expressions they did see were biased."
This means they were able to see that feeding a subject images of certain microexpressions at 200 milliseconds they can alter the way the subject reacted. The study went on to say that our brains are designed to pick up on subtle hints that can warn us of danger, help us detect truth and even help us to determine true intentions.
With this in mind and reflecting to our previous scenario, it would be powerful to be able to display true anxiety, even in such small ways that it would affect the emotions of the target and manipulate them to feel what we wanted, would it not?
Dave Matthews is showing a very broad fear expression. Notice the eyebrows raised and drawn in, the lips pulled back and his eyes wide. Of course, if the social engineer walked into the office looking like this, it would probably not have the effect he would want.
Yet in the above picture we can see a very subtle fear expression. Notice the wide open eyes, the brows being pulled up and together and the lips slightly pulled back. This is fear.
Can you mimic this expression? Get a mirror and try. When you do, notice the feelings it pulls up in you, notice how it will cause you to feel...fear.
This is a small sample of what NLH is and how this new method of analyzing, dissecting and training social engineers will be approached. Neuro-linguistic hacking will help social engineers develop the skills they need to combat malicious attacks, learn how to educate their customers and continue to bring awareness to the threats of malicious social engineering.
Stay tuned as we will be releasing more information on our training and more tips into the world of neuro-linguistic hacking.
Written by: Chris "loganWHD" Hadnagy