In this issue
- Defeat Priming
- Social-Engineer News
- Upcoming Classes
- What's coming...
- Social Engineering Penetration Tests
The team at Social-Engineer is really excited to announce our brand new service - The Social-Engineer Mastermind Group. For more info click below:
As a member of the newsletter you have the option to OPT-IN for special offers. You can click here to do that.
Check out the schedule of upcoming training on Social-Engineer.com
Ireland, April 2013
Detroit MI - June, 2013
We are limiting the number of attendees in each class to 22 and under, so first come first serve.
- 5 days of ground breaking training
- The Social Engineering Penetration Testing Course guide
- Special tools to enhance your SE practice
- A Chance to take the first ever Social Engineering Pentesting Certification
- Lots more
If you want to ensure your spot on the list register now - Classes are filling up fast and early!
Do you like FREE Stuff?
How about the first chapter of Chris Hadnagy's Best Selling Book: Social Engineering: The Art of Human Hacking?
If you do, you can register to get the first chapter completely free just go over to http://www.social-engineer.com to download now!
UNSUBSCRIBE by sending an email to firstname.lastname@example.org
Check out the awesome music of Dual Core - IT geek, Rapper and all around awesome guy...
To contribute your ideas or writing send an email to email@example.com
What's coming up..
If you want to listen to our past podcasts hit up our Podcasts Page and download the latest episodes.
Want to say thank you to our sponsors this month
- Spy Associates for continually giving us some awesome products to test out.
- The EFF for supporting freedom of Speech
- Want a very cool website? Check out Social-Engineer.Org's graphic and web dev at Tick Tock Computers.
A special thanks to our Editor:
John 'J' Trinckes, Jr
Check out Robin Dreeke's amazing book called "Its Not All About Me" packed with the top 10 techniques to building rapport fast. It is an awesome book!
Can Priming Be Defeated?
Those of you that have been following our work at Social-Engineer.org know we’ve been doing research into priming and how priming applies to social engineering. Priming is exposing your target to specific stimulus in order to predictably influence their behavior when exposed to future stimulus. If you are not familiar with priming, we recommend you read A Primer on Priming which provides an excellent introduction to the topic. In Priming: For Better or Worse, we show how simply priming the ‘professor’ stereotype will lead to increased performance in general knowledge testing. In Stereotype Priming, we show that individuals primed with words relating to the elderly actually walked slower than the control group. We also looked at how hostility and rudeness can be brought out in people without their conscious knowledge.
The fascinating thing about priming is that unless you’re purposely priming yourself to improve your mood (or chances of success), you won’t know when you’re being primed or who is priming you. This brings up an interesting problem. How can we protect ourselves from being primed, if we’re not aware that we’re being primed? How do we intercept signals designed to influence our unconscious mind? Peter Gollwitzer, Professor of Psychology at NYU, has answered this question for us. The trick lies not in our ability to identify the priming as it’s happening, but in what Gollwitzer calls ‘if-then plans’, or implementation intention.
An if-then plan is developing contingency plans for when certain events arise. It’s basically building a predetermined course of action in response to anticipated stimulus. Clearly defining and spelling out to yourself how you will react if xyz happens is the key to defeating priming and avoiding unconscious action that may not be in your best interest. Specifically defining the how, when, and where as it relates to how we’re going to react in the future is the key to success. Gollwitzer, in a series of experiments published under the title “Self-Regulation of Priming Effects on Behavior”, proves that using ‘if-then plans’ defeats priming by taking control of behavior away from the self and giving control to anticipated situational cues.
He proved this through a series of experiments. Let’s take a closer look to see what we can learn from his work.
Experiment One: Fast vs Slow
The first one started out like many other priming experiments. Volunteers were divided into two groups, an A group and B group. Both groups were told to perform two unrelated tasks. Task 1 was to read a fictitious scientific article titled “The Genetic Comparability of Humans and Animals” which emphasized the similarities between humans and animals with respect to genetics. The prime was applied by referencing five animals that either exemplified slowness (slug, tortoise, hedgehog, caterpillar, and turtle) or quickness (cheetah, puma, hare, horse, and greyhound). Group A was given the slow animal prime and Group B the fast animal prime. The idea was that these primes would influence the speed at which the participants would work through the next portion of the experiment.
After the prime had been applied, the groups were given Task 2 which was a word classification task. Participants were presented with letter characters and asked if the presented stimulus was a word or not by pressing buttons labeled “Yes” or “No”. For instance, the participant would be presented with the stimulus “ocean” and then would, in this case, hit “Yes” because “ocean” is a word. Two seconds later, another stimulus would appear on the screen and the participant would again be asked to categorize the stimulus as a word by hitting “Yes” or a non-word by hitting “No”.
Now, here’s where the implementation intention, or ‘if-then plan’, comes into play. Participants were given the ‘if-then plan’ of “If the non-word ‘avenda’ appears, then I respond especially quickly!”. The participants were given 100 words total, 50 words and 50 non-words. The critical stimulus non-word of ‘avenda’ was given six times. The time it took participants to classify the stimulus as either a word or a non-word was measured in milliseconds.
The results are fascinating!
|Concept Prime ||Regular Words ||'avenda' |
|Slow ||1,171 ms ||680 ms |
|Fast ||951 ms ||689 ms |
As you can see, for the regular words (or the noncritical stimulus), the participants responded exactly how we would expect. Those primed with words of slow animals responded more slowly than those primed with fast animals. Pretty standard priming research so far, right? Now, let’s look at the far right column. Regardless of the prime (slow vs. fast), all participants, when encountering the critical stimulus non-word of ‘avenda’ responded “especially quickly”. By creating an ‘if-then plan’, participants defeated the prime of the “slow animals”!
Experiment Two: Social vs Non-Social
Gollwitzer’s next experiment used two groups of individuals again: Group A and Group B. The groups were given a set of tedious math problems to complete. Before the arithmetic test, Group A (the control group) read a biography about Margaret Thatcher and Group B (the pro-social group) was given a biography about Mother Teresa detailing her many pro-social activities. The idea was to prime altruism to Group B. Both groups were instructed to write “I will try to find as many correct solutions as possible!”. Half the participants were also instructed to write down an implementation intention, or an ‘if-then’ plan of “If I get distracted then I will concentrate even more!”. The groups were led into the arithmetic concentration portion of the experiment.
During the concentration portion, the participants were interrupted by a research assistant posing as another participant. The time the participant spent entertaining the interruption was measured in seconds. As expected, Group B, primed with altruism, spent more time entertaining the interruption than the control group, Group A.
|Goal Prime ||No if-then plan ||If-then plan |
|Control (Group A) ||18.26 sec ||12.84 sec |
|Pro Social (Group B) ||24.77 sec ||13.31 sec |
What we see here is that the sub-group that laid out an ‘if-then plan’, regardless of prosocial, altruistic priming, all spent significantly less time entertaining the interruption. The prime, once again, was defeated!!
Experiment Three: Speed vs Caution
Experiment three, for our purposes, was almost identical to experiment two. This experiment dealt with speed (fast vs. slow) in driving and errors made during the driving process. Individuals primed with speed actually drove faster and were more prone to errors during the driving simulation. Those primed with speed were then given an ‘if-then plan’ of “If I enter a curve, then I will slow down and if I enter a straight road, I will accelerate!” The primed group were resistant to the prime and drove safer.
So, what does all this mean? How can we apply this information and knowledge into our everyday lives?
Using Priming Defense as a Social Engineer
As a social engineer, it is extremely advantageous to always be a few steps ahead of the game, like in chess. When we enter into an engagement, whether it be a physical on-site break-in attempt or a phone elicitation, planning is imperative. Analyzing the situation, predicting what may happen, and then formulating ‘if-then plans’ based on those possible actions can greatly increase your chances of a successful penetration test. Also, as a social engineer, you must be prepared for your target actually having an ‘if-then contingency plan’. Recently, in our 5-Day Social Engineering for Penetration Testers class, Chris Hadnagy told a story from the trenches about the importance of sticking to your story, regardless of the opposition and even if you get caught. During one engagement, he was actually called out as not being part of the company. The instant human response is to throw in the towel admitting you are caught, but by Chris sticking to his story and priming himself ahead of time that he was from the company’s tech team, he was able to overcome this obstacle and gain successful entry. Consistency in your story can help you get out of tricky situations.
Where this information really becomes valuable is from the perspective of a company or an organization trying to protect itself from nefarious social engineers. We see time and time again social engineering techniques are used with great success to attack a company. Over the last three years, we have sat in awe during the Social Engineering Capture the Flag contest as amateur social engineers sweet talk phone representatives into revealing all sorts of information. This happens for a variety of reasons, but often, it can be linked back to one simple thing: the employee is caught off guard.
In Chris Hadnagy’s book, Social Engineering: The Art of Human Hacking and in Social-Engineer, Inc’s security awareness talks, Chris stresses the importance of critical thinking on the part of employees. Critical thinking is paramount to stopping these types of attacks. As an employee, you must stop and analyze your interactions with customers. Why is the customer asking for specific information? Does the line of questioning seem out of place or out of context? We understand that good customer service, especially in our current economic state, is extremely important, but there is a fine line between providing good customer service and spewing information not necessary for the interaction. A good technique is to simply play ignorant to the questions.
Attacker: “What type of anti-virus do you guys use there?”
Employee: “Gosh, I really don’t know, IT doesn’t bother us with that type of information.”
Another great technique to diffuse and confuse a potential attacker is to simply escalate the call to a manager. Often this will scare the attacker or even throw off the attacker’s ‘if-then plans’. We saw this technique used successfully at this year’s Capture the Flag contest. By diverting the phone call to a manager, the contestant panicked and disconnected the call.
With ‘if-then contingency plans’ in place, even when under attack by the most experienced and suave manipulator of social psychology, the company or organization remains protected and the employees stay impervious to penetration.
Source: “Self-Regulation of Priming Effects on Behavior” http://www.psych.nyu.edu/gollwitzer/
written by: Eric "urbal" Maxwell
As part of the newsletter group, you will be the first to receive special offers to services and products by Social-Engineer.Com.
Also check out our website sponsor: