Volume 02 Issue 17
In this issue
A main topic lately has been the new release of the book, Social Engineering: The Art of Human Hacking. The positive reviews and feedback have been overwhelming, thank you.
The January SE Poll is almost ended, get your vote in now!
Offensive Security is filling up their April class fast. There are a few seats left and we are offering our readers a chance to save their seat at the early bird price. if you want some of the most hands on, real world security training around shoot an email to email@example.com to save your spot.
Finally, Spy Associates continues to send us cool devices to test. Please visit their page to check out some of the coolest devices around.
This month they sent us a Motion Activated SPY AC Adaptor Hidden Color Camera and Video Recorder.
This awesome little device looks just like an AC adaptor making it very easy to hide in plain site. With a motion activated camera you don't waste space recording useless video, but what you catch is all very useful.
Drop this in an SE Audit and you can catch every moment of the targets movements, in color, with audio! This device is worth every penny.
Check out the awesome music of Dual Core - IT geek, Rapper and all around awesome guy...
Want to say thank you to our sponsors this month
Spy Associates for continually giving us some awesome products to test out.
The EFF for supporting freedom of Speech
Offensive Security for their continual Support. Are you looking for world class security training? Offensive Security has live classes scheudled now. Sign up before they fill up!
A special thanks to our Editor: John 'J' Trinckes, Jr
Offensive Security Live classes constantly sell out - register early to make sure you don't miss out of the next class.
Email Chris anytime at firstname.lastname@example.org
Lightning Social Engineering: When there is No time To Prep
Recently, I was discussing how social engineering skills are used in everyday life. Yet, one of the most widely asked questions is: "how one can practice these skills?" We have written about this very topic a number of times, most recently, Jim wrote about it in newsletter #15.
This month, the focus is on how you can develop "lightning
social engineering" skills. That is the ability to turn these skills on
with lightning speed and obtain your desired results without fear or
Many times in social engineering engagements, there are circumstances that cause us to need some skills to get out of sticky situations with no time to prep for a response. How we respond to these scenarios can determine the level of success or failure we achieve.
Let's analyze this topic in more depth so we can see clearly how these skills might mean success or failure in many situations.
Lightning SE in the Wild
Or maybe this scenario: All your intel has told you that Mrs. Smith is at the receptionist desk Monday-Wednesday. Your information gathering has given you some juicy details to quickly build rapport and you know this will work. But, as you walk up to the front desk, she is not the one there. In fact, she has been called away for a family emergency and the person replacing her is completely unknown to you.
The list can go on and on, but the point is, most of these scenarios are examples of unsuspected situations. Many times, failure can occur in these situations for no other reason then lack of confidence. Fear of failure and fear of being caught both stem from this lack of confidence, but there is a way to "practice" for these unknowns. This is something I like to call "Lightning SE".
Prepare and Practice for the Unknown Factor
The reason for using legit situations is that if you had to back
out, there is no fear of getting caught, mainly because there are no
repercussions. When the fear of being caught is reduced or removed, then we
can allow ourselves the freedom both physically and mentally to test the
To pove that when fear is reduced (or removed) humans can
achieve great things, I refer to a study created by psychologists E.J. Gibson
and R.D. Walk. They developed the visual cliff test to use with human infants
and animals. Gibson and Walk created their visual cliff apparatus by having a
table with glass on it. The glass had material pasted right under the glass
on half of it and on the other half, the material was placed inches or feet
under the glass. This gave the impression of a cliff.
So he stepped up the method by having an adult on the other side of the cliff. This is where things got interesting. If the adult showed a facial expression of fear the baby would not go anywhere near the cliff, but if the adult showed nonverbal communication that indicated happiness the baby felt comfortable and took the risk.
To me, this is groundbreaking research that can help us better
understand the importance of non-verbals. A video of this research can be
Now, what does this have to do with Lightning SE? To me, everything. The same thing that made the baby cross the visual cliff can work for us... Remove the fear of being caught! Remove the fear of doing something illegal! and you can practice your SE skills and perfect them. Doing so in a natural environment can also help you to recognize and then duplicate your non-verbals that you portray when you are comfortable, relaxed, and not in fear mode. The only way you will know is to try and take notice. But, if the first time is during the actual engagement ,you will not know what is normal. Setting up that baseline is essential so you know what it feels like and looks like when you are under pressure.
The best way to do this is to pick out a few things you might ask for that would be normally rejected and see if you can get the person you are asking to give in. For example, here are a few you can try:
- Try to get your hotel room key rekeyed without giving ID.
This is by no means a comprehensive list, but it can help you to spark a few thoughts or avenues you can try. This should not be long and drawn out, but something you can do quickly. Maybe 30, 60 or 90 seconds worth of SE.
The questions you want to ask yourself are:
Give this some quick thought then pick out a scenario and giveit a try. I wanted to try this in the real world and capture it on video so I had something to show you. I chose to try the scenario of getting a security guard to unlock my hotel room with no proof of ID. My quick pretext was that I was running late on my check out and in my already full hands was a key that didn't work. With non-verbal expressions that would show open and warmth, I would simply ask the security guard for his help and allow him to fill in the blanks as to my problem. Doing this, I would hope that he would make an assumption and allow me access.
Of course, the fear was removed because it was my room and if I was "caught", I could prove it, but still, it - all happened under 30 seconds. The set up was easy,now all I had to do was remove any nervousness and openly talk to the security guard asking for his help. I thought I would throw a pause in there that would allow him to fill in my blank and within 35 seconds, I was given access to my room with no proof of ID.
Want to see it in action? Well, the video is shaky, but I captured the events. I made a small video with explanation for your viewing pleasure:
Hopefully, this will be one of a few in a series that will demonstrate Lightning SE skills. Learning to adapt, change, and move quickly when it comes to social engineering skills can make you more comfortable. It can also you master the skills to make you a great social engineer. How do you practice lightning SE skills?
Send us how, where, and when you perform Lightning SE to email@example.com.
The World's Most Important Social Engineering Tip - REVEALED!
After much toil, we at social-engineer.org, are proud and happy to announce that we have discovered, and are now in possession of, the world's most powerful social engineering technique ever! We came into possession of this time tested and proven technique after much personal risk, but let me tell you, it was worth it. With this technique, even the most unskilled social engineer will find that previously insurmountable obstacles will drop with such ease, you will soon question if you, yourself, have become the world's #1 social engineer.
What are we going to do with this technique? Are we going to write it in blood on the scrolls of SE that are stored at a secret location at that top of the Himalayan Mountains? Are we going to encode it in backward-speak in the next podcast? Are we going to sell it to the highest bidder on a black market website that Krebs will just find anyhow? No, dear reader, no. As for the low, low price of free, we will be placing this secret here, in this very newsletter. All we ask of you is to read to the very end and meditate on the deep meaning that this secret will hold for you until the end of your days.
But wait! Don't read too fast. Before you consume this secret of the ages, take a moment to prepare yourself. Take stock of your life as it currently is, as after the next few moments, it will never be the same again. Steady your nerves by consuming some cool refreshing water. Prepare yourself...
THE SECRET of SE!
After much study, effort, and simple common sense, we have revealed that the secret to SE is: Be Polite to People!
Yes, it is as simple as that. The power of endearment put to your use. This simple, yet devastatingly effective tactic, will do more than anything else to put your target at ease, lower their guard, and get you what you need, when you need it!
Let's make this as simple as possible: 1+ nx/1!+(n(n-1) x^2)/2!+P/R=SE!
Clear enough? Let's explain it another way. From childhood, we are taught that it is important to be polite to others. That this is what separates civilized society from beast. It is ingrained in us to respond to this basic stimulus of polite behavior. For instance, consider the example of reciprocation:
There are two sets of doors. You open the first set and stand to the side to let someone else through before you. What are the odds that they will hold open the 2nd set of doors for you?
Is that magic? No, that's SE!
Etiquette of SE
What ever you do, do not come on too strong. You don't have to tell someone you are polite, show them.
For instance, don't let someone know what a polite person you are all at once, lead up to it. When you first engage in a conversation, ask for something small that there is no way they will reject. When they give you what you requested be sure to be very grateful, but not too grateful.
Study this example closely. The underlying principal is simply you reward someone for the basic help that they provided you. This positive reinforcement is something we call, "a doggie treat", and encourages them to continue to help you. You are taking advantage of a social exchange that has been engrained in all of us since birth – being polite leads to rewards.
A Powerful "Please"
The magic word is not abracadabra, but more simply: "Please". But, it's not just the single word, 'please', it's the attitude that surrounds it.
Ensure that when you first engage a target using this secret technique, you present yourself correctly. For instance, a bashful smile and the line "I am really sorry to bother you, but can you please help me out?" or "I really need your help, I don't want to take up a lot of your time, but ..." instantly puts the target into a mode where they are pre-disposed to assist you.
Seem too simple? But that is the trick of security all along. Complex systems are more likely to break than simple ones. Is this social engineering at all? Or is it simply doing as your grandmother insisted? Does it really matter either way if it gets the results you are looking for?
Yes. I know. Your life is changed. As always, feel free to submit your praise to us at social-engineer.org. Please.
Oh yeah, and "Thank you".
Written by James O'Gorman