Volume 02 Issue 12
In this issue
Since Defcon 18 we have been in a non-stop whirlwind of media reports and meetings regarding our findings.
We have compiled some of the news stories that might be an interesting read. In addition, while out in Vegas I had the chance to get onto Fox News Live, thanks to Dave Kennedy.
So many people have been asking to see that clip that we finally uploaded it for your viewing pleasure.
We will be releasing the SE CTF report in the next week or two to the public. I am sure that will prove to be an interesting read to most people interested in this topic. We will keep you informed through the newsletter when this going to happen.
The podcast, released next week, is truly one of the best we have had. A brand new song done by Dual Core for the intro, the winner of the social engineer CTF came on to be part of the panel this podcast and our guest is an international TV star that just will blow your mind! Make sure you are ready when this one comes out.
Finally, Spy Associates sent us an amazing device this month. A real time live GPS tracker. This device has a 75 day battery and sends you 10 second update GPS location data to a map so you see the target traveling across the screen. You get speed, location, start and stop times. This is one of the slickest devices we have got from Spy Associates. Make sure to check it out.
Check out the awesome music of Dual Core - IT geek, Rapper and all around awesome guy...
Want to say thank you to our sponsors this month
Spy Associates for continually giving us some awesome products to test out.
The EFF for supporting freedom of Speech
Offensive Security for their continual Support
Continuum WorldWide for their support and sponsorship for the upcoming Defcon 18 Social Engineering CTF - How Strong is Your Schmooze
Neuro-Lingustic Hacking: The difference between NLP and NLH - part II
Last month I began a series that was focusing on the differences between NLH and NLP. I covered the basics on how NLP is all about you, it is personal, internal and meant to make some major break through or changes to your mental outlook. In many ways it is like social engineering yourself. You are using your own emotions and thoughts to manipulate yourself to take some action to make a change.
Then I shared with you the core of NLH and how it uses the same principles of NLP but its major difference is to use those skills to manipulate others. Last month I focused on body language and the power it has over manipulating others. This month we will talk about something that can truly change your life – the use of Microexpressions.
A Brief History
Dr. Paul Ekman took the research to a new level in the 60’s and 70’s by studying how microexpressions were not affected by gender, race or even cultural boundaries. His researched pioneered a new breed of research that allowed many scientists, including Ekman himself, to understand human emotions on a much deeper level that previously believed possible.
Ekman found that these microexpressions are involuntary displays of emotions that are controlled by muscular movements triggered by emotions. These muscular movements are not controllable as they are involuntary and caused by muscular movements due to emotion.
What does this mean for neuro-linguistic hacking?
Dr. Ekman identified and catagorized human emotions into basic categories:
A good social engineer needs to know how each emotion is shown on ones face, which muscles are used and how to produce these emotions.
As an example try this as you read this paragraph. Squeeze your eyebrows together as if you were trying to bring the corners together to touch together. Also bring your eyebrows down as if you are tensing your whole forehead. Tighten your lips together and now glare ahead. What emotion do you feel? Practice and try it a few times.
If you are doing it properly, you will start to feel anger. Now this is an important point to keep in mind. By making your muscles on your face move to a certain direction you can manipulate your feelings to feel an emotion. That is a very important point. I have tested this theory with many people and in over 98% of the people I have tried this with, they felt the emotion and were able to identify what they were feeling.
Applying to NLH
The basic gist of the study was that they took subjects and connected dozens of mini-ekg’s to muscle points on their face. The devices would register any muscular movements in their face and head. They then played videos for them that had 1/25th of second flashes of microexpressions in frames. They found that in almost every case the subject’s muscular movement would begin to mirror that which was embedded in the video. If it was fear or sadness, the subject’s facial muscles would register showing those emotions. When interviewed about the emotion the subject was feeling it was the emotion embedded in the video.
If this doesn’t make you stand up on your seat and scream go back and re-read that: Quick flashes of emotions altered the subject’s emotional state. As a social engineer this is mind-blowing research. Imagine how you can use this. If as a social engineer, you can learn to control your emotional displays and muscular movements and you want to alter your target to be in state of mind that is more pliable then you can create that environment using your microexpressions.
Let me paint a picture to help tie this in. Let’s say I found out that my target’s HR Manager, Mrs. Smith, is out for vacation. I schedule to come to the facility as if I had an interview. I have two vectors I want to try, USB Key in the receptionist computer and “secret” USB’s dropped in employee bathrooms. These vectors will require believable story lines.
First, my resume was ruined by spilled coffee and second, when I find out my interview is really not this week, dejected, I ask if I can use their bathroom to wash off my tie and then I will go to my next appointment.
Now in both instances when I am asking for her to insert my USB key into her computer and when I am asking to be allowed into an employee bathroom my facial expressions can hurt or help my cause. Most likely, nerves, fear of failure and fear of getting caught can easily cause my facial expression to emit fear. If I am emitting fear I will cause the target to feel fear, which will NOT be conducive to success. What emotion do you think will help you achieve your goal?
As in last month’s newsletter, compassion will really help you. Also a person in this situation would be showing more sadness than fear. How can you emit an emotion that will help her feel compassion? Sadness. Now this is something you need to be very careful about. You don’t want to show extreme grief, as that sends the wrong message. Too much sadness can be off-putting and too little will not trigger the emotion.
Sadness is shown by the corner of the lips pulling downward, the eyelids being partially closed and then other factors like the rate and speed of speech all being softer and lower. All of this emits sadness and that sadness can cause the target to feel sad, which is an open gate to compassion. When you make you two requests you are more likely to receive a positive outcome with compassion on your side.
As you can probably tell this is just touching a very deep topic that will take many more newsletters to cover. What aspect of NLH do you want to see next? Send me a note to logan -@- social-engineer.org and let me know.
Till next month.
Written by Christopher Hadnagy
As a special treat for those of you who subscribe to our newsletter we are including a small section of the report of the Social Engineering CTF that will be released in the next week or two. In the meantime enjoy the little tidbit below:
Unfortunately throughout the course of the contest, the number of times contestants encountered any degree of resistance was rather minimal. In tallying these results we took a very liberal approach on classification of resistance. According to our analysis, the results show that in the calls that were made, awareness training was not effective within the targeted organizations.
As disturbing as these results are, the full picture is even worse. For instance when some degree of resistance would be encountered, bypassing this was in every case simply a matter of calling back and reaching a different employee. In only one organization there were multiple instances of resistance in consecutive calls. However, after three calls the next employee encountered was willing and able to provide the flags the caller was requesting.
Indeed, more so than resistance to questions, the biggest obstacle once a contestant had an employee on the phone was simple ignorance of the answers to questions. It was far more likely for an employee to want to answer a question but simply not have the information that was being requested. At one point when calling a target and asking about browser type and Adobe software in use, the employee was so willing to help she said, "Let me just go to the manager’s computer and give you the answers to this question." To some extent, this does speak to segregation of information as being a more effective defense than most organizations’ security awareness programs.
In the instances that resistance was encountered, it was often driven not by suspicion on the part of the employee but rather by impatience at the time being taken out of the employee’s day by having to answer these questions. In part, this was driven by the prevalence of the survey pretext, due to the fact that as a society people do not have much tolerance for what they see as “annoyance calls”. The other primary driver was the employee having other, more pressing, duties in which to attend to.
In the cases that resistance was attributable to awareness, the
calls were ended very fast by the target. They would simply state,
"These questions sound fishy. Have a good day." Then hang up. In
one instance, the target questioned the contestant about his pretext, then
even went as far as to question him about his calling number and became very
combative. This was encouraging to us as it showed a glimmer of hope that
some employees are taking these matters seriously.