
Volume 02 Issue 10

In this issue • Social Engineering and Poker

Have an open mind: See SE Everywhere.

Now say that theme five times really fast. Yet this is
one of the ongoing themes here at social-engineer.org. From the very beginning till now, we have also thought that
you can find SE everywhere you look. We cover this every month on our podcast
where we interview guests that just don't seem to be related to social
engineering in the least bit at first. But, after speaking with them for a
little bit, it becomes clear. Some of the newsletter
articles we have done hit this topic as well, for instance looking at children
and how they manipulate situations for self gain. This is the only
way they have to get what they want, and so kids have it refined far better
than the rest of us. What can we learn about social engineering from these
topics that don't seem related to social engineering at all? The answer is simple...Everything. Which brings us to the tip for this month: Have an open mind,
and find social engineering in everyday situations. These situations are some of the most refined social engineering
situations you will ever find. They are real, they matter, and they can be
one of the best learning lessons for a social engineering enthusiast. Let's look at some simple examples. You walk into a shopping center and you see the security guard
standing by the entryway. It's an off-duty police officer in uniform who is earning
a little bit of extra money for summer vacation. His job is to act as a
visible deterrent for any problem more than anything else. You are just there to shop, you smile to him, perhaps say hello
and walk on about your business with the quiet authority of someone that has
done this a hundred times. You don't act guilty, you don't look
suspicious. You are on a mission, to go shopping and have no reason to
interact or alert. You may nod, give a small glance or walk past. The
security guard nods back, and goes back to spacing out thinking about his
upcoming trip. What does this have to teach you about gaining entry to a guarded
facility? Everything. The guard at a business may be a security guard, or may just be
a receptionist. If your plan is to just walk on by the guard without being
molested, what is the best way to do it? Let's look at the previous example and consider. The same way you
acted walking into the mall is the way you act here. You don't act
suspicious, you don't act guilty, you are on a mission and don't need his
authority to do it. You don't want to engage more than necessary and perhaps
expose some problems in your ruse. Just like the example before, you acknowledge the guard, perhaps
exchange a quick pleasantry, and go about your business as if you have every
bit of confidence in taking this mundane action. You put yourself in the same
mental situation as if you were walking into the shopping center. If the guard stopped you walking into the shopping center to ask
why you are there, how would you act? You would be a little upset, taken aback, maybe even mad that he
stopped you from your goal for no reason. Apply that to this scenario. A rational person wouldn't
flip out, but what would be the body language, vocal tone and facial
expressions of a person who is stopped for no reason? Mimic that. Another quick example. You are walking down the street in a large city and a homeless
man approaches you. He smells and has a far different sense of personal space
than you. He is asking you for five dollars. You don't want to give it to him,
so you walk on. He follows you, speaking in a loud voice, standing way too close,
smelling of urine, telling you about his hard luck story and drawing attention to
you, and everyone is looking to see what this is all about. You just want to
get to your destination, and the cost of giving the man the two one-dollar
bills in your pocket is well worth it just to get rid of him. Did the homeless man really want the five dollars? Or was he
really just going to be happy with getting anything? By asking for more than
he really desired and creating a situation that made his target uncomfortable
and later compounding that by applying social pressure, the homeless man
achieved his objective in pretty short order. This is what social engineering is. It's real, and it's something
we do all the time. Complex approaches and situations are really nice and a
real part of social engineering, and we will be studying these as they are
part of our new NLH study. Yet in the long run, we can learn a lot by
just analyzing and studying the everyday scenarios that surround us. There is so much to learn out there if you just keep an open
mind, realize no matter how much you have done or how educated you are there
is always something more to learn from the most mundane and simple of
situations. Keep this month's tip in mind as you go through your day, see
what you can learn, and how it can be used to inform your work.

Written by Jim O'Gorman & Chris Hadnagy
This month we have been given some AWESOME devices by our sponsor
at SpyAssociates.com, but
instead of ruining the surprises here we will be bringing them to Vegas to
show off.
If you want to listen to our past podcasts hit up our Podcasts Page and
download the past episodes.

Want to say thank you to our sponsors this month:
Spy Associates for continually giving us some awesome products to test out.
The EFF for supporting freedom of speech.
Offensive Security for their continual support.
Continuum WorldWide for their support and sponsorship for the upcoming Defcon
18 Social Engineering CTF - How Strong is Your Schmooze.

Neuro-Linguistic Hacking: The New Age of Social Engineering

Social engineering is nothing new. From some of the oldest
stories recorded in mankind’s history till today, social engineering has been
used. The interesting part about social engineering is that the methods
used have not changed much. Sure there is new technology and a deeper
understanding of humans and psychology, but the underlying principles of
social engineering are the same as they were 6000 years ago. In the last 70-100 years there have been massive leaps in
understanding the human psyche. What makes a person tick? Bandler and
Grinder took understanding neuro-linguistic programming to a whole new
plane. Dr. Paul Ekman took understanding microexpressions to a new
science. Then many experts who spent decades studying influence, persuasion
and manipulation began to work hard to understand what makes a person act a
certain way. As an ardent student of the sciences and arts that make up
social engineering, I am always trying to learn how to adapt certain studies
from other professionals into social engineering as a whole. We have
interviewed radio hosts, psychologists, law enforcement, NLP gurus, dating
experts and others to try and understand what each of those fields has to
offer a social engineer. After studying a lot of the practices and what makes them
successful we have blended a few together and are going to start a new study
called Neuro-Linguistic Hacking (NLH).

What is NLH

Neuro-Linguistic Programming (NLP):
NLP is a controversial approach to psychotherapy and organizational change
based on "a model of interpersonal communication chiefly concerned with
the relationship between successful patterns of behavior and the subjective
experiences underlying them" and "a system of alternative therapy
based on this which seeks to educate people in self-awareness and effective
communication, and to change their patterns of mental and emotional
behavior"

Neuro: This points to our nervous system, through which we process our
five senses:

Linguistic: This points to how we use language and other
nonverbal communication systems through which our neural representations are
coded, ordered and given meaning. This can include things like:

Programming: This is our ability to discover and utilize
the programs that we run in our neurological systems to achieve our specific
and desired outcomes. In short, NLP is how to use the language of the mind to
consistently achieve, modify and alter our specific and desired outcomes (or
that of a target).

Microexpressions are the involuntary muscular
reactions to emotions we feel. As the brain processes emotions it
causes nerves to constrict certain muscle groups in the face. Those
reactions can last from 1/25th of a second to 1 second and reveal a person’s
true emotions. Combine this with the reading of body language, gestures and
posture and what you are left with is a human reading machine. That is
the core of neuro-linguistic hacking.

The New Age Of Social Engineering

The Team at Social-Engineer.org has been developing and working
on training. I don’t want to reveal too much, because much more will be
coming. What I can tell you is that there is no training in the market
today that is like this. Let me give you an example. Social engineering is very much about influencing a target to take an
action. Many actions are taken due to an emotion that is felt.
Instead of talking just about how to manipulate, I suggest we talk about how
to cause a target to feel the emotion. Once we can trigger that emotion
we can trigger an action to follow it up. Here is a scenario a normal social engineer might
encounter. The social engineer needs to gain access to the server room
and to do it he needs to get past the secretary. Of course, he can
“lie” his way past and that may work. But to give a better chance
at success he knows that if he can engage his target's emotions she may do
what she is asked more easily. To really sell it though, the social engineer should understand
anxiety and how to display it in proper degrees. Psychologist World
states that anxiety is fear +
vanity. Along with that it talks about the effects of anxiety and how
it is displayed. Medical News Today had printed some research that can literally
change the way we understand how to use microexpressions in social
engineering. Much of the talk about using microexpressions is reading
them on our targets to give us a clue how the target is feeling. That
is a very powerful use for microexpressions. Yet what about using
microexpressions to influence our targets and manipulate them? The study done
by some top researchers proved that even though we might not consciously pick
up on a microexpression, our subconscious minds do, and not only do we pick
them up but they alter our perceptions and the way we treat others or are
treated by others. That is a powerful statement. Notice what Ken Paller, professor
of psychology in the Weinberg College of Arts and Science at Northwestern has
to say on this, “Even though our study subjects were not aware that they were
viewing subliminal emotional expressions, their brain activity was altered
within 200 milliseconds. As a result, the ratings of facial expressions they
did see were biased.” This means they were able to see that by feeding a subject images
of certain microexpressions at 200 milliseconds they could alter the way the
subject reacted. The study went on to say that our brains are designed to
pick up on subtle hints that can warn us of danger, help us detect truth and
even help us to determine true intentions. With this in mind and reflecting on our previous scenario, it
would be powerful to be able to display true anxiety, even in such small ways
that it would affect the emotions of the target and manipulate them to feel
what we wanted, would it not?

Displaying Fear

Dave Matthews is showing a very broad fear expression.
Notice the eyebrows raised and drawn in, the lips pulled back and his eyes
wide. Of course if the social engineer walked into the office looking
like this it would probably not have the effect he would want.
Yet in the above picture we can see a very subtle fear
expression. Notice the wide open eyes, the brows being pulled up and
together and the lips slightly pulled back. This is fear. Can you mimic this expression? Get a mirror and try.
When you do, notice the feelings it pulls up in you, notice how it will cause
you to feel...fear. This is a small sample of what NLH is and how this new method of
analyzing, dissecting and training social engineers will be approached.
Neuro-linguistic hacking will help social engineers develop the skills they
need to combat the malicious attacks, learn how to educate their customers
and continue to bring awareness to the threats of malicious social
engineering. Stay tuned as we will be releasing more information on our
training and more tips into the world of neuro-linguistic hacking.

Written by: Chris "loganWHD" Hadnagy

5 SE Poker tips to make $$$ in Vegas

I really enjoy the SE aspect of poker. Here are 5 tells
that can make you money while you're in Vegas or at any poker table.
Don’t play poker? Just watch and see if you can pick the table winner
before the hands are shown.

Tip 1: Disheveled Chips. Good hacks take planning, so
recon all the tables looking for players who are not concerned about their
chip stack. The chips are strewn unstacked and unaccounted. This
player is here to gamble and doesn’t see the chips as real money. This
player doesn’t care if they lose all their money. The best table has
several of these players who just want to give their money to you.

Watch for the opposite of this player who waves money for chips
and wants immediate action. This is the player who wants to be sure
everybody knows they have money to burn. Feel free to take it.
Watch for flamboyant bids, exaggerated raises and large pots. Don’t push this player because they believe the hand is a
winner. Enter the pot cautiously and don’t waste your time bluffing.

Tip 3: Instant Reactions. Most players need a few
minutes to evaluate their hands. When someone has an instant reaction
to a flop, that’s a real emotion not a fake for show. Anger can mean
the person didn’t get the card they wanted. Both joy and anger can be
shown instantly without the player even knowing it. Practice recognizing
SE micro facial muscle movements at this site: www.cio.com/article/facial-expressions-test.

Tip 4: Looking Away. Players watch the dealer spread
the flop; watch for the player who looks away quickly. They may not even look
at the pot or their cards. They may also feign disinterest. New
players tend to mask how they feel with the opposite emotion. Are they
looking disinterested? They’re really interested!

Tip 5: The PokerClack. This is the sound made when
you put your tongue behind your top teeth, then create and release
suction. That’s the sound. It’s usually made during sad
times. Try these phrases followed by the pokerclack. “That’s
great” and “That’s terrible”. Which one fits? How does this work in poker? Most weak to intermediate
players try and act the opposite of what their hand is. So a person
making sad comments, deep sighs and a PokerClack could be holding a great hand.
Don’t raise someone who clacks.

Finale: While I don’t play much anymore, I know these tips
will help keep you profitable at the poker tables. Let me know how they
work for you and if you see me watching tables in Vegas, please feel free to
chat. We’ll both pick the winners. These tips are all from Mike Caro’s book “Caro’s Book of Poker
Tells: The Psychology and Body Language of Poker”. Not just tells, but
ranking on how effective each tell is against different levels of players,
how much you can earn with these tells and lots of pictures to illustrate the
concepts. Even a quiz at the end to see if you really understand the
tells. Good luck and let us know how these tells work for you!

Written by Brad "theNURSE" Smith
