Volume 02 Issue 14
In this issue
HumanHacker has been invited to numerous speeches at ISSA meetings as well as other cons on the topic of social engineering. If these are public events we will try to update and list the locations, dates and times for anyone who is interested.
The book is done and going through final editing stages. We are really excited how it all turned out and hope you will like it. The release is slated for Jan 2011.
The podcast this month, to be released next week, is taking a turn to the scientific. We hope you will enjoy it and please let us know your thoughts.
Finally, Spy Associates continues to send us cool devices to test. Please visit their page to check out some of the coolest devices around.
Check out the awesome music of Dual Core - IT geek, Rapper and all around awesome guy...
Want to say thank you to our sponsors this month
Spy Associates for continually giving us some awesome products to test out.
The EFF for supporting freedom of Speech
Offensive Security for their continual Support
Continuum WorldWide for their support and sponsorship
Paterva continually offers our favorite information gathering tool out there. If you haven't used Maltego - you should.
We just completed an amazing Offensive Security PWB Class in Columbia MD. Another one is already in the works. If you are interested in coming or getting more information contact me at:
Neuro-Linguistic Hacking In the Real World
For the last few months, I have been discussing the new study of the psychological principles behind social engineering that I am calling neuro-linguistic hacking or NLH. Many have written in expressing their thoughts and support about our research and asking for some examples of how this is used in real life and social engineering.
Before I delve deep into the real life examples, let me quickly
recap what it is that makes up NLH.
What is NLH?
NLH consists of understanding the neurological aspects of human psychology to manipulate the five senses using body language, verbal language and facial expressions. The attacker becomes an expert at controlling and reading these displays so they can create an environment conducive to their manipulation.
Many social engineers, scammers and identity thieves do these things without even realizing what it is they are doing or the science behind it. They just know it works.
The question is: ‘how can we tap into this knowledge and
practice how to use it as well as recognize it to be protected?’
Real Life Example #1
You went into your local cell phone store to make some changes to your plan. You found a rebate online and wanted to buy a new phone, up your minute plan and add a line. The last time you made changes, they screwed up your bill so bad that there was an additional $90 on your bill at the end of the month. You want to make these changes and get a new phone so you are willing to risk the possible mess up.
When you go into the store and you tell the rep what you want, you even express your concern from the last time. She promises you there will be no problem and proceeds to help you with all your wants for your cell plan. You leave there very happy and with a good sense of accomplishment.
That is… until the bill comes. You realize that the bill should be about $15 more for the new additional services, but right away you see the bill is about $115 more. You are so angry you are about to blow a fuse. You want to run back to the store and rip that sales rep a few new orifices. But here is the first example of how NLH can help you in your every day life.
Your goal is to call customer service and not only get the charges reversed, but to be compensated for your stress and aggravation.
Now let’s first analyze how your natural reaction would be at this point. According to Nancy Daniels, a voice specialist who studies and trains people on how to get the most out of their speaking voice, states that stress and anxiety will cause a person’s voice to sound tense and can actually change tone.
In addition, more physiological changes occur that can change our ability to control emotional displays. Doctors state that stress and anxiety can increase your heart rate and blood pressure, which can cause a lack of focus, headaches and inability to concentrate.
In 2009, a team of researchers from Japan wrote a paper called, “Facial expression spatial charts for representing of dynamic diversity of facial expressions”. In this paper, the researchers talked about the effect of stress on the facial expressions. The end result was that stress and anxiety caused a person’s facial expressions to display negative emotions.
All of these things can cause a physiological change in you that will make you react negatively, angry and all your goals will be thrown out the window. How do the principles of NLH help you here?
Kendra Cherry, a psychologist who specializes in psychology, child development and education, wrote an article based on Dr. Ekman’s work, crossed referenced with Charles Darwins 1872 work titled, “The Expression of the Emotions in Man and Animals”. In this paper, she states that facial expressions are responsible for a huge proportion of nonverbal communications. Not only do our facial expressions communicate massive amount of emotions, but they can affect our body language and vocal tones.
For instance, it is impossible to be on the phone with customer service and try to be ‘friendly’ while maintaining a very angry facial expression. By having a smile on our face, even if that means having a picture of our kids in front of us to make us smile, it can cause the rest of our NLH factors to fall into line.
If your body language is warm and open, along with your facial expression, it will affect your voice and your ability to manipulate your target.
With this being said, I want to say that this not easy. It is not as simple as putting on a fake smile and sitting in a nice posture hoping you sound good. Instead, the principles of NLH say you will put yourself in the mindset that you desire the target to be in. If you want the target to be happy, compliant and laid back then your approach must be the same.
Getting your mindset into this mode will require a lot of work and a set of goals. Especially as you encounter the frustration again and tell your story to the rep on the phone, these feelings will want to creep back up. This is the time you want to emphasize that focus.
Here are a couple tips that have helped me to accomplish this goal:
• Keep a picture of the facial expression you want to
display in your view. Whether it is a smile, happiness or laughter –
researchers have proven that our brains fire neurons to mimic the expressions
These pointers can help you to accomplish your goals. Do
these factors change much in a social engineering venue?
Real Life Example #2
During an audit, you determine that a good vector of opportunity involves a man in the financial department that is on vacation. You need to know where he is so that you can make a call to him to achieve your objective. To obtain the information of where he is on vacation, you decide the best method to get this information is to call his office.
Your pretext is going to be a neighbor to the target that is watching his cat while he is away. The cat needed some medication, but you lost the address to the vet that he gave you and you have to call him. The number he gave you to call seems to be written down wrong and it goes to some business in the South.
All the same principles apply. The stress and anxiety of blowing your cover can raise your heart rate, cause an anxious facial expression and tense body language. All of this can cause your cover to be completely blown; however, in this pretext, the right kind of stress will be useful.
During your audit, it is essential to get into the mindset of the neighbor. Put yourself in "the neighbor’s" shoes. What would they be thinking? How would they react? What would their concerns and anxieties be? The sense of urgency must sound real and the need to get a hold of the target must sound not only real, but also legitimate.
As in example one, I want to display happiness. In this example, I want to display the proper levels of anxiety and stress as the target’s “cat” might be deathly ill without the medicine it needs. Again, I would have a picture with the right facial expression in front of me with my goals and questions written out so I can speak clearly and intelligently.
The Power of NLH
Clearly, dissecting and understanding the psychological principles that make up a good social engineer can take our security practices to a whole new level, but it can also add value to how we deal with people in every day life. Understanding how to control our own emotions and the display of emotion can go a long way into creating an emotional atmosphere that allows us to ask and receive for what we want.
Thank you again for the support in this research and I look forward to your future questions.
Written by Christopher Hadnagy
How to lie: Three tips
We tend to go through great pains to make sure people understand that there is far more to social engineering then just lying, but at the same time, there is no denying the fact that deception is a critical part of many social engineering engagements and one that people tend to become very nervous over. So with that in mind, I wanted to address what I feel is the three biggest components of telling a lie.
Pick the right lie
Quick story, back in high school I decided to pull a stupid joke on people I knew. So I told everyone that when I was at the mall, I ran into Bill Murray and we went shopping together. I showed him around the mall and talked about his movies. Now this sounds really ridiculous…. and it was, but this is back during a lull in Bill Murray’s career and a lot of people just remembered him as that guy from Ghostbusters who used to be on SNL.
The idea was, if I was going to lie about hanging out with a famous person, I would have the story be about someone that mattered back then, like Jean Claude Van-Dam or Steven Segal (dates this story there, eh?).
To really confuse people, pick a lie that they wouldn't expect. They are likely to believe the most ridiculous story. Pick a lie that gets you close to your goal without seeming to have anything to do with what you are after.
Keep inmind the theory behind “the big lie”. This is the idea that you lie so big and so over the top that no one would believe that someone would try to pull the lie off. While this concept has a long and storied history, the concept is sound and has stayed around for the simple reason that it is effective.
There is a wonderful example of this technique in action from the novel “On Her Majesty's Secret Service”. In the book, Bond is confronted with a challenge by an air traffic controller as to who had authorized a flight. In response, Bond answers that the air traffic controller himself had authorized it.
Consider the audaciousness of this claim and the position it places the air traffic controller in. If he denies that he took such action, but he really just forgot, he would look foolish. In an attempt to save face, he is likely to “remember” the event.
Consider how this technique may be put into use in a real world social engineering situation. If you had done a little bit of information gathering before hand on a target company and found the name of the facilities manger, called her up with an air of familiarity, and said “Hi Sandy, I was calling to touch base with you real quick here. When we last spoke, I had mentioned I will be out this coming Tuesday to conduct the annual site inspection and as we are getting close to that date, I just wanted to make sure that nothing had come up to force us to reschedule.”
Would Sandy be likely to claim to not remember this conversation at all? This would risk her sounding very rude if in fact she had just “forgotten” the conversation, but even if she did claim to not remember the conversation at all, you are still positioned to direct the conversation in your favor.
“ It’s OK Sandy, I know how it is. You sounded pretty stressed and busy when we last spoke. Let me jog your memory, the building management company has me come out on a regular basis to do a site inspection to check for foundational issues in the building so they can be addressed before they become a real problem. You had mentioned that I could just drop by, that you will be in the office, and can direct me in the right direction.
I find a lot of inexperienced social engineers are extremely worried about “selling” a lie. They think they will get called out and they start to get nervous. This nervousness shows in their behavior and that is what puts the target on guard.
There is a SNL skit about people getting punched in the face right before eating . What makes this funny is these people never see the punch coming. In a lot of ways, this is what makes a good lie. It has to catch people off guard.
In most cases, people don’t expect to be lied too. This makes things easy for us as social engineers, as people won’t see it coming. There are a few limited exceptions, such as when talking to the police. They will often expect to be fed a line, but the average person expects most interactions to be on the up and up.
The best advice is to just take a few deep breathes and to just relax, don’t worry about getting called out. If you act normal when telling a lie, even if someone suspects that things might be out of place, they are not likely to call you out. That’s considered rude and society teaches us that being rude in any circumstance is not acceptable.
You really have to get yourself in a mental state where you feel
as if you are doing nothing wrong and frankly, that should not be hard to do
as you have permission to do an audit. (And if you don’t have permission, you
should not be engaging in this action anyhow.)
Keep it simple
Something that many people get wrong when lying is making the lie far to complex. There are two primary issues with this that we need to discuss.
First off, people are lazy with their memories and their language. Think about normal interaction with people and pay attention to how much detail there really is in discussions. Most of the time, there is a fair degree of vagueness to interactions as people don’t really want to go through the trouble of getting detailed; however, when lying, most people will get very detailed all of a sudden.
This is a red flag and one that investigators are trained to watch for when interviewing suspects. Consider the question of “what were you doing two nights ago?” How much detail can you remember? If you had to explain your activities, how complete of a picture could you paint for them? Now consider if you were doing something wrong that night and you made up a lie to tell to cover your actions, you are far more likely to tell a very detailed story.
Often times, people consider this detail to be reinforcement of the lie, but in reality, it’s not. It’s an outlier and something to note.
The second issue is that by supplying too much detail right away, you become far to committed to the current narrative. If any issue comes up, you have far less flexibility in thinking on your feet and changing things up. A lie should only be as detailed as it needs to be; as detailed as everything else you are discussing is, and no more.
The lie to tell should merge with the rest of the story you are telling and should be no more or less detailed. You need to leave yourself room to further develop it as the situation evolves; letting it be natural and the lie, itself, should be based in as much truth as possible. This makes it easier to sell as most of the time, when you are telling the story, you are not lying.
Nothing wrong with a lie
Society teaches us that lying is a horrible thing to do and that we should be honest at all times. It tries to beat the concept of how to lie out of us early in life by shaming us when lies are discovered and as such, many people feel this deep-rooted guilt when telling a lie for any reason.
Social engineering is composed of many concepts that you have to master. One item that we hear on a regular basis is “Social Engineering is just lying right?” The answer is NO; it’s far more than that; however, if we consider social engineering to be a ‘stonewall’; lying is one stone making up that wall. There are many other stones there as well, and without all off them filling their role, the wall would fall.
If you want to be good at SE, there are a number of things that
you need to become good at. How to lie is just one of the items that need to
be dealt with. Drop the guilt and get better at it. Hopefully, these three
tips will help you get a better at this core concept of social engineering.
Written by James O'Gorman