Social Engineering for the Rest of Us: Protection for Humans

Social Engineering attacks can be devastating. They are so effective, that they make up the  basis of many modern attacks, and according to McAfee, 46% of browser attacks were directed toward PDFs. This is of course a combination of weak security in Adobe’s Code, as demonstrated by Logan’s video, but it also carries with it the implicit notion that the target has to open the pdf. This means SE tactics will be required.

Phishing attacks are another example of widespread social engineering attacks that we have seen for years yet are still hitting hard and heavy. The fact they are still happening so much just means that people still fall for them regardless of numerous warnings.

Take these traditional attack vectors and combine them with the widespread adoption of “social media” sites by the mainstream public, and times are great for attackers. More and more the general public is entering into areas that increase their exposure to social engineering attacks, and they are just not ready for it. Traditional advice for these users, while well intentioned, is just not resonating with them. This has been explained quite well in the paper “So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users” from Microsoft Research. The question becomes: What advice can we give non-technical people that will help protect them from Social Engineering based attacks?

Last week I was given the opportunity to speak with a community group about this topic. This was a great chance for me to interact with a segment of this user base and see what problems they are facing, what concerns they have. By no means do I think that they are representative of users everywhere, but it was a start.

After working with them, I walked away with a few concepts I tried to boil down to ten of the most basic, foundational, items that everyone needs to know The following list is written to help non-technical people, but really all in the community can benefit from the information it contains.

1. Common sense you use in day-to-day life applies online as well.
Stop thinking about Online and Offline as separate “places” with a different set of rules. People will still try to take advantage of you, make fun of you, cliques will develop, and reputations matter. There are so many areas that people are “online” with as well, that the omnipresence of it has made it as such that it is here all the time. Cell phones alone have put is there, not to mention video game systems and even televisions that are going online.

The primary difference between the two is that the online world makes it easier for a single person to pretend to be multiple people. The base concept still applies even in that situation: don’t just assume people are who they say they are. Its true in real life as it is online.

2. The Internet is not evil.
Despite all the negative things you hear on the news, the Internet is not a bad place. More people pay attention to negative stories, which sells more advertising. Just like real life, there are very bad places, real sewers, off the Internet that all the waste and refuse go. If you don’t like that sort of thing, don’t go there.

More than anything else, the Internet is a tool that provides amplification. The same actions, interactions, and content can be found online or offline. However in all cases these actions, interactions and content become louder if it is online. There are a multitude of reasons for this that include the one to many contacts which can be made to the permanence of any action taken online. The reasons don’t matter; just know that something that happens on the Internet is going to be “louder”.

3. You can’t buy your way to safety.
There is no product that can be bought which will do everything that needs to be done to protect you. This just is not possible. Many people I interact with think that because they run antivirus, or use a Mac, or they run Linux, that they are safe. Nothing is a better defender than an educated target.

In fact there is a strong argument some make that states too much reliance on software such as anti-virus encourages people to engage in unsafe behavior. When people think that they are protected from malicious code by a quality anti-virus product they are more likely to download and run unknown software. We all know how effective that is. This aspect of human behavior where a consistent risk level is maintained in the face of imposed safeguards is the basis of risk compensation theory.

4. Don’t be scared.
Too many people that are new to technology are scared of it. It does not help that “computers” have obtained such a reputation over the years of being problematic to operate and fall apart at a moment’s notice. When an inexperienced person first starts using a computer they are scared that they will “break” it if they make one wrong move. However, those that always have technology around find it mundane and there is nothing scary about it. I learned years ago when I used to work for a non-profit whose mission was teaching senior citizens how to use computers and the Internet, that age is not a factor. Its fear, and a preconceived notion of “I can’t do it.”

This fear drives much decision-making, putting many in situations where they “spend” on the wrong problems. Everyone has a limited amount of time and energy to put into online safety issues, so it is important that what effort that will be put out gets put where it matters most. Deciding where it matters most is not something that can be done without being familiar with the problem set. Give up the fear, and jump in. Where possible, deal with root causes of issues and not symptoms. Spend energy on the highest impact locations, and accept the fact you will never be 100% protected.

5. Be aware of behavior modeling.
Behavior modeling is extremely important. In any given situation, people will look to those around them to see how they should be dealing with a situation. A great example of this is Twitter. When you initially sign up for an account the first thing that Twitter presents to you is other users they suggest you follow. They don’t do this because they love the people they are suggesting, but rather they want you to look at these accounts to see how people use Twitter. Another example of this is Apple with the release of the iPad. Upon release of this new class of computing device, Apple presented users with a large number of videos for users to watch and see how to use this device.

It’s important to also ask yourself, who models their behavior off of you? If you are a parent with kids using Twitter or Facebook, are they modeling their behavior on those networks off of you? Or is that not possible because you are not using those services? If they don’t model their behavior off of you, then whom are they modeling it off of? And are you comfortable with that selection?

6. Assume everything you do on a social network is public.
Accounts will be compromised, privacy settings will be used incorrectly or changed, and friends will pass along what is supposed to be private communications. This is all going to happen. So regardless of what social network you are using and how you have configured the settings, assume everything you place up there can be seen by everyone. If you are not comfortable with the creepy guy at the bus stop looking at it, that’s a good indicator it should not be online.

7. If you don’t respect your privacy, no one else will either.
Privacy is a funny thing as some people guard it tightly, while others see no value in it at all. Many people will post up a multitude of information without realizing how it can all be accumulated to become the foundation of a very solid social engineering attack. There is a reason that so many companies will spend so much money organizing and storing data about you. Information has value, so understand what can happen when you just give it away.

Much emphasis in recent years has been put on credit ratings. Your online reputation is just as important. Personally, I have Googled everyone that I have ever interviewed before the interview. For right and for wrong, what I have found has either made me more excited to speak to the applicant or decide not to bring them in at all. You have to understand that this is happening all the time, for many different reasons. If you have no respect for your privacy and online reputation, it will affect you. This is one reason why some behaviors such as sexting can be so devastating. Content that is placed online can not be removed, so any sort of embarrassing content will stay around for far longer then was ever intended

8. You can lie.
Nothing is forcing you to tell the truth online. And this can be used both for and against you. Expect that much of what you receive is false. E-mails will lie about where they are from and where they are sending you when you click on links. Sites will lie about what they are for, or about how secure they will keep your information. People will lie to you about who they really are. Don’t accept something as fact without verification. For instance, if you get a friend request don’t just accept it without talking face to face or on the phone with the requestor and verifying that they actually sent it.

On the flip side, you can lie as well. If a site is asking for information from you, and there is no reason for them to have it, either leave it blank or make something up.  Does a site really need your birthday? Do they really need to know your relationship status? Your annual income? Your address? Take a moment to think critically about what sites are requesting of you and if there is any good reason to provide it. If there is not and they insist on some value being entered, make something up

9. There is no such thing as free.
No website is online just to provide you value. I think this was summed up in a post by  Joey Tyson which I will quote:
As Bruce Schneier notes in an excellent video presentation, however, you and I are not Facebook and Google’s customers. We are their products. They sell information about us, and hence they have a business interest in us sharing more information with more people.” 
This is very true, and a point that many people don’t see. In many respects, most of us live in a state of symbiosis with many services such as Google. They provide a service for us which we find very useful, and in return we provide them with information about ourselves which they can then profit off of. This is not inherently negative, but it is something to keep in mind before using any service or software. Always ask yourself: What are they getting out of this?

10. Expect problems.
If you live in a city, eventually you will have a neighbor that gives you problems. When you do, it can be upsetting and put a strain on your life, but it’s not that surprising.  That’s because we know and are expecting problems at some point. This same expectation is not as wide spread when it comes to problems online. But they will happen, you will have problems, and you have to know how to deal with them.

You will be harassed online at some point, and just like in real life there are appropriate ways to deal with the situations when it occurs.  Never think you are the first and only person to encounter an issue. If you look around, you will find resources that specifically address your problem.

In recommending protective measures, we have to be respectful of people’s time and knowledge. We can’t expect them to become experts in order to be safe online, that’s just not reasonable. This list is a starting point in trying to answer the questions of: What rules does everyone need to know when he or she goes online? What defenses do we need to ensure that everyone has? We would love your input on this, so we can continue to improve and validate this list.

Feel free to put this in front of those you think might need it. In your business, at your school, or perhaps even in your family. If you have anything of value, someone is going to want to take it from you. Everyone could use some additional defense.

 Jim O'Gorman - A chief contributor for and consultant for Continuum Worldwide

Oxytocin the "Trust" Hormone

 Most modern social-engineering (SE) techniques are used to analyze observable facets of human behavior and social interactions, but when it comes to bio-chemistry the field is wide open.  While various crude pharmaceutical means can be used to provide a leg up in applied social-engineering efforts few if any appear to offer the promise of a simple hormone naturally produced by the human body.

    Enter Oxytocin. Oxytocin is a hormone that acts as a neuropeptide (Neuropeptides are small protein-like molecules used by neurons to communicate with each other) in mammalian species which holds promise for a multitude of uses including treatments for diseases, behavioral disorders and of course, soft target manipulation - aka social engineering.

First synthesized in 1953 by Nobel Prize winner Vincent du Vigneaud, Oxytocin was initially developed and later marketed as a medication to treat postpartum hemorrhages and to reduce the occurrence of premature birth in human and veterinary subjects.  The drugs that contain the hormone are typically delivered via injection or by use of a nasal spray rather than via ingestion as they are broken down without significant absorption into the blood stream by the digestive system.  Other direct applications include studies for the treatments of social bonding in autistic children and treatments of postpartum depression.  The neuropeptide is theorized to be produced by neurons for uptake into receptors.  It is released in large doses by cert illicit drugs including 3,4-Methylenedi! oxymethamphetamine (ecstasy) which is believed to be the cause of the drug's feelings of empathy and closeness to others. In addition to uses in maternity studies concerning its efficacy in the formation of trust relationships between peers has also been raised.

Beginning with studies in rats in the late 1980s and leading ultimately to a study in 2005 concerning the effects of Oxytocin on new trust relationships and reduction of apprehension towards peers provides evidence that it has a profound influence in this arena.  The primary human study on this subject utilized an "investor dilemma" trust experiment in a double-blind study with 128 participants as well as a risk experiment consisting of 66 participants used as a control group.  The study showed that in the group given a dose via nasal spray of Oxytocin in the trust experiment had a mean average of 15.6% greater chance of investing in a trust relationship where those without potential gain in the risk group showed no statistically significant increase in their willingness to grant trust to another.  What this study indicates is that when an opportunity for monetary gain was presented to a person under the influe! nce of the hormone as opposed to the placebo they had a greater chance of investing that trust in the other party, but in the cases where no gain could be garnered from giving away their money they did not wish to do so.  An additional study designed to measure the duration of oxyticin levels in the bloodstream after being administered showed that the drug has a relatively short half-life of 1-6 minutes, which as the 2005 study on trust also noted points to the fact the effect of the synthetic drug is very short-lived.

Knowing the results of these studies may not on the surface provide for any significant effect on the social-engineering techniques that you employ, but there is but more to this hormone other than simple trust experiments using nasal sprays and illicit drugs.   The naturally occurring formation of Oxycontin varies in the adult human brain due to established factors that are related to the levels of regular sleep a person experiences and the duration of sustained stress levels that they experience.  In a 2009 study it was shown that individuals that were under raised psychological stress levels for periods of several days or more had reduced levels of of Oxytocin in their systems and showed signs of increased distrust and hopelessness as compared to those that had not been under these circumstances.  Additionally the study showed that people that had been in reduced stress situations that involved increase! d levels of natural sleep had increased levels from the median average.  When this information is taken into account some interesting attack vectors become relevant if some additional research is performed.

Using some basic information gathering techniques, such as including checking social media updates for activity times when sleep would otherwise be occurring, notices of vacation or extended work-hours or personal relationship conflicts can all be indicators as to which parties might be more apt for forming the kind of trust relationship a social-engineer is looking for.  Otherwise it could point out parties that you may want to avoid or that you might otherwise approach as an attack vector when other opportunities present themselves.  These guidelines may give a social engineer the edge they need to succeed where they might otherwise fail in an engagement or at least give them greater confidence that their target is susceptible to trust based manipulation.

There are certain websites that offer the sales of "Liquid Trust", which is a spray on version of Oxytocin.  The claim is that by using this as a perfume you can instantly build trust with those around you. Whether this works or not, we are unsure, but for $50 it might be worth checking out the claims.

Until a better delivery mechanism arrives for artificially produced oxytocin it is likely not a reliable tool for use in SE attacks, but knowing how it is produced naturally and using the queues about its production may be just as important to a talented social-engineer.  In order to best apply this knowledge towards this end a social engineer must work hard to build a trust relationship using techniques that could allow for disclosure of sensitive information. Additionally the person could have a greater willingness to preform minor tasks for the social engineer including plugging in a usb key to retrieve some information from it or to allow them access to sensitive areas when posing as service personnel requiring such access to complete a task.  Trust relationships in these situations prove crucial to an effective compromise to the human barriers that would otherwise complicate an engagement.
Reference Sources:
Inspiration for this

Articles used for reference:

Written by Nicholas "aricon" Berthaume & Chris "logan" Hadnagy