I have had a few people mention to me in person, and via email and Twitter, the social engineering competition that took place at DEFCON 18, and ask whether I think it was right or not, as many people seem to have mixed feelings about what went on.

So I am going to take the opportunity this week to speak briefly about my thoughts. However, I will make it clear that I was not at DEFCON, and I don’t have any insider knowledge of the event (although I do know the winner); any information I mention about the event is just my understanding, so don’t take it as gospel.

If you are not familiar with the Social Engineering CTF – How Strong is Your Schmooze, then check out this link for the rules and guidelines that were published online.

So do I think social engineering competitions are good? YES, however I would caveat that answer with the following: I agree that social engineering competitions are a good idea if they are run responsibly, with the right intent, in an ethical and somewhat controlled environment. I think the DEFCON SE CTF was carried out in this manner.

Why do I think it's a good idea? Well, you have probably all seen it, and I even have the T-shirt: “There is no patch for human stupidity.” I believe this isn't the case; however, the reality is people are lazy, lack understanding, and would rather stick their head in the sand than try to understand the problem and fix it. People are complicated.

Social engineering engagements of any type help to identify the gaps in the human element (wetware), and let's face it, there are a lot of crap social engineers around who don't really know what they are doing but are still pretty successful, because the controls are non-existent or ineffective. Don’t get me wrong, I think it's a good thing, because let's face it, if someone with not a lot of skill can get it, you're more than just screwed, as someone who takes a proper interest and knows what they are doing is going to cause some real damage.

So what does a social engineering competition achieve? I think it does a few things, and if done properly everyone benefits. First of all, anyone who participates as an SE gets to experience some elements of social engineering, can test their theories, see what happens and learn. People outside of the event learn something; perhaps the penny will drop that this stuff is real and has been going on since humans walked the earth, and perhaps they will try to be more mindful as a result of what they hear, even if it's not truly factual. Then the companies who have been selected also get something out of it: they get a free remote assessment. I am not sure what information the organisers share with the companies involved (perhaps there are legal implications, based on permission), but regardless they know they have been targeted and in all likelihood have had data extracted. This can then signal some internal movement to up the priority on awareness, and they have a real world example to draw on.

Criminals don't care about the people or companies they are attacking; they just do what they need to do to succeed. As social engineers, we can replicate this attack in a controlled and ethical approach, which is a big benefit. Companies need to look at the bigger picture, the full scope. Get your head out of the sand: great, you have got a firewall, it's all locked down, bully for you, but don't think an attacker isn't going to use another vector.

So just to conclude, I think everyone involved can benefit from a social engineering competition. I guess the only grey area (and again, I don’t know the details) is if the companies that have been targeted have not given consent. However, I think this is covered to some extent by the rules of engagement, what information is allowed to be extracted, and how it is handled after the event. I think anyone would be naive to think that people other than criminals are calling companies and extracting information to benefit themselves in one way or another; context is a crazy thing. Intent and responsibility are, to me, what really is the deciding factor when it comes to ethics.

It's my understanding the SE CTF guys had various discussions with the EFF to ensure they were going about things in the right manner, and I believe there were also some discussions with the FBI, who may or may not have given the companies selected a heads up. Regardless, the event was allowed to continue and was highly publicised in the media.

I can understand why some people may be a bit dubious about these events, and I think that’s only natural as good people will often consider possible ramifications, but I hope that over time we can see more events similar to this, and educate everyone in the process. Together we can make people more informed, and operate in a more mindful manner.

There is no silver bullet, but we can apply a patch to human stupidity to reduce the risks and exposure.

One of the best things about the InfoSec community is the people. Sure, like everywhere there are the idiots, big-headed know-it-alls, and the leeches, but in general we are a supportive bunch, and happy to share.

So this brings me to this blog post. Many of you will know that one of my other interests is Lock Picking, and there is this guy called Schuyler Towne (@shoebox), and he likes lock picking… just a little bit :)

So why am I sharing this information? Well, he has set up a Kickstarter project to help get some funding to release his own custom made picks. Now you may be thinking you have got picks, and that's great. However, custom made picks can improve your picking, they look funky, and hey, you're supporting the community.

I think the pledging opportunity is over at the end of September, so get in now and play your part. Oh and there is also something in it for you.

Click the image below and check out the video for the full story…

Language and communication are of great importance when it comes to manipulation as part of social engineering, or any situation where you want to try and get your way.

So it would be interesting to learn that you can double your chances of getting your desired outcome, simply by making your request to the right ear.

Well, it's totally true. I have tried this myself; of course I haven’t been carrying out documented studies, but there does seem to be some factor of increase in having someone be compliant and receptive when you make requests via the right ear.

I heard about these studies that focused on the natural expression of hemispheric asymmetries. This is all about how your brain operates and processes requests, based on studies around the left side of the brain controlling the right and vice versa. Psychologists in Italy carried out studies that showed that sounds are processed differently based on the ear they are received into. The study showed that verbal input into the right ear had an increased level of precedence in the brain, and it is the left hand side of the brain that then carries out the linguistic processing.

The research they carried out seemed to show that the different sides of the brain are tuned for positive and negative emotions, and speech into the right ear is then processed by the more positive side of the brain.

So next time you're trying to influence and manipulate, I recommend you make your requests into the right ear. What have you got to lose?

In the autumn of 2009, Excalibur Conference 1.0 was a great success in Wuxi. The conference invited some of the most respected experts in the world, who delivered terrific speeches, breakouts, demos and competitions. We are honoured to present such a new approach, which strengthens the relationship between the Chinese information security industry and the global industry.

In the coming winter of 2010, Excalibur Conference 2010 will be back as promised. Lots of experts, geniuses and related professionals will be invited to the conference again and deliver new speeches. The conference covers the security of the internet of things, social engineering, wireless security, hardware security, computer forensics and related emerging fields. The genius from the UK will present satellite hack technology.
If you have any new idea, innovation or experience in these fields, please come and share it with us in Beijing.

If you want to learn about the latest developments in the information security industry, master professional skills and extend your social network, welcome to Excalibur Conference 2010.

I am delighted to confirm I will be giving my talk at ExcaliburCon 2010. As expected, I will be talking about how we can improve our skills as a Social Engineer by mastering the art and tech of manipulation. I will talk about my journey of understanding how our powerful mind, and the knowledge of NLP, Hypnosis, and Mentalism, can help you become a master manipulator.

Hashdays – the premier technical security conference in the center of Switzerland organized by DEFCON Switzerland.

During 4 days the center of Switzerland will also become the center of IT security knowledge transfer. On November 3rd and 4th you will be able to learn a lot in the workshops. The following 2 days (November 5th and 6th) will be full of highly technical IT security talks.

Be sure to reserve your seat early – the space is limited.

I am delighted to confirm that I will be speaking at the Hashdays Security Conference in November. As expected, I will be talking about Social Engineering, and my work and research on exploiting the ways humans act and behave, and how we can use the most powerful tool available to us… our minds. The talk will cover my journey of discovery of the skills we can utilise to improve our SE manipulation with the use of NLP, Hypnosis, and Mentalism.

I hope to see you there :)

So this post is a bit late in the week, but I have been busy with work, as well as continually tweaking the presentation I am working on, and helping people to experience hypnosis.

So due to the time constraints I have opted to point you in the direction of the Video section of the site, where you can see 7 new videos of me hypnotising Olly.

Olly works at one of the customer sites I visit on a regular basis. I have hypnotised him before in a pub when we went out for someone’s birthday. He was happy to be hypnotised again, and gave me permission to make the recordings and put them online. The videos give a mixture of what I refer to as conventional (sleep) hypnosis and non-trance (eyes open) hypnosis, and various hypnotic phenomena.

There is no fancy filming or flashy effects. As I was on my own, I used a tripod with my mini Kodak HD camera to capture the footage. Filming also helps me (I still need to be a lot more confident on camera) spot where I make mistakes and tune my approach.

The sample below shows Olly forgetting his name and the number 4 using conventional hypnosis methods. For more check out the videos section.

I would be interested to hear if you find these videos interesting and worth sharing with you. I always look to get some footage when out and about. However, for obvious reasons permission is required, and not everyone wants to be a YouTube sensation :)

Feel free to subscribe to the YouTube Channel by clicking on the logo on the right hand side of the site.

When I speak to people (non-InfoSec passionate types) about the work and research I do around the content I post on Head Hacker, I normally get a few responses: shock, disgust and intrigue. People are shocked because they are not aware of some of these skills and processes; they are disgusted because it’s not right, it’s not ethical, and a breach of human rights; and then we have the intrigue as I start to really explain what it’s all about and what I am doing. People are curious about how this knowledge can help and protect them.

So this got me thinking: perhaps I should write a post on why I think people think social engineering is unethical, and why I consider the majority of it to be ethical, though I do think in some circumstances there is a grey area. I have asked quite a few people about their ethical standpoint when it comes to social engineering, as I have on a couple of occasions had semi-heated discussions with organisations about techniques that can and can’t be used on an engagement. I personally find most professionals ethical in their approach, but some comments from some do make me shudder. I am confident in the fact that I only operate in areas where I feel comfortable that I will be operating in an ethical manner; other areas I have not quite figured out continue to be researched and debated both internally and externally.

In the research I have done on the ethics of social engineering, I have really not found there to be anything about; perhaps people don’t care? I think it is a real issue that all professionals should consider and take time to reflect upon.

Why people think Social Engineering is unethical….

In my experience most people say social engineering is unethical because you are tricking or conning someone, stealing data about them, using the information to access sensitive information, get free stuff, gain entry, and generally manipulating people to do things or disclose information. I totally understand this thought process, and in a way I think they are correct: there are people out there doing this, and they are both good and very effective with the skills they have; they have become lifetime criminals.

The key issue here is the perception, and it’s a negative one. Not everyone uses their knowledge and skills for breaking the law; they use their skills and knowledge to better the populace, inform and educate to make people less likely to become a victim. The truth of the matter is, you don’t really stand a chance of beating the bad guys unless you are exposing yourself to the same skills, tools and environments.

To draw an example, medicine can be used to cure and relieve pain in the right hands. The same medicine in the wrong hands and with the wrong intent can be used to inflict pain, and even kill. Knowledge, process, tools, etc. can all be used for positive and negative; it’s the individual who is responsible for the actions and result.

Why and how I think Social Engineering can be ethical….

The first reason I think social engineering is ethical is due to the intent. Now I am not saying that the outcome of the exercise may enable someone to do something malicious, but I don’t think this is a justifiable reason not to gain knowledge, research, test and experiment. If we never did this, the human race wouldn’t evolve. So I feel that any social engineering engagement or activity I undertake or become involved in is for a positive outcome, and where appropriate I always seek permission at a high level and understand any specific areas that are no-go, as well as using my own common sense and experience to guide me. People intentionally manipulate people every day; we have all been doing this since birth. We all have different reasons for manipulation; perhaps we feel it would be best for the person, or best for us. When we negotiate to get a reduction on an item we are buying, this is a form of manipulation, but as we feel we are not harming anyone, it’s considered ethically and morally OK.

So I feel that if you are researching, carrying out SE with permission, and using the information to benefit people, educate and bring awareness, it can be ethical, and this is certainly how I believe I go about things.

It’s a little grey….

So there are some grey areas. Can an organisation give you permission to manipulate and extract information from the staff they employ? Should people who are subject to social engineering activities be punished for being the weak link in the chain? If you gain generic permission, let’s say to hypnotise, and then use this permission to extract sensitive data, is that OK? I am sure we can all think of many more situations that are not so clear.

To be honest, when it comes to these grey areas I am not sure of all the answers. However, I try to limit these grey areas by defining up front, in an appropriate level of detail, what could happen as part of the assessment, the types of scenarios and ways to extract data, and that individuals will not be named in reports. Obviously the company may use other techniques to help identify how this information was gained, but that is outside my scope of responsibility. So to that end I would say that I am operating in an ethical manner, and so would anyone else who has considered the above issues. When in doubt, don’t do it; if your internal ethical and moral compass is unable to guide you, get additional information and input from others who are in an informed and experienced position.

I certainly don’t think the grey areas are reasons not to carry out social engineering engagements; the criminals are not concerned about ethics, and to test we need to adopt this mindset to a certain degree. It is also important to share our thoughts and research, and we have to let individuals dig further and use this information as they feel is most appropriate.

So to conclude, if you are interested in social engineering, and you want to work with, investigate and research the skills associated with it, do so in a professional and ethical manner. Be mindful of what you’re planning; put yourself in the subject’s position: how would you feel if someone did to you what you are planning on doing to them? If you’re happy, then it's most likely a good sign you will be operating in an ethical manner.

No one has all the answers, but it’s a conversation worth having, and to continually question is a good thing. I hope people reading this will want to share their thoughts and experiences, so I welcome and look forward to reading your comments.

In Vegas this year (July 2010) there was an interesting contest going on: a social engineering capture the flag set up by the great guys at www.social-engineer.org.

This was a great event, and it has attracted some media coverage. The contest and the stories in the press demonstrate the fact that issues do exist; it's a real problem, not something made up by people in the business in an attempt to generate work. The contest was run in an ethical and legal manner, but even with these constraints it's clear people are willing to give out a lot of information, and still need to be educated.

Companies and individuals can learn a lot from these contests and their findings. I encourage businesses and people in the appropriate roles to start properly educating about these real risks, and provide the patches for human stupidity. This needs to be a living, evolving process, not a once-a-year checklist.

Hope everyone is off to a good week; what with Defcon, Blackhat etc. I am sure many of you are travelling. I personally had a weekend break in Cardiff and enjoyed doing a little grey matter manipulation, as well as talking about social engineering, mentalism, body language and more.

So with body language on my mind, it's time to get into it again; this time we are going to look at the arms. Before anyone asks, yes they are my biceps…… honest.

So why bother with the arms, you might be thinking? Well, they are a good transmitter when someone is expressing themselves, and they are a good area to observe to pick up on signs of both confidence and discomfort, as well as other emotional experiences.

We also rely a great deal on our arms, not only for the obvious things but for the subconscious actions that occur. Our arms automatically reach out to grab a dropping item, and raise to protect us from danger in swinging and blocking motions, even when it may not make sense. This is again the limbic system carrying out basic primitive survival actions.

So on to the observational stuff. Have you noticed how when we are happy and content our arms move more freely, moving around on the wave of enjoyment, sometimes raising over our heads in excitement, exchanging high fives and cheering? When people are having a good time, content and energised, you will really notice an increase in arm movement. When the opposite experiences and emotions are going on, there is a droopy, sulky nature to the arms: hanging down, more rigid and withdrawn. A key observation here is the arms forming very closely to our sides, or closing across our chest in a protective manner. These motions can be observed in relation to both physical and emotional pain or distress; it's a guarded and protective reaction.

Another interesting observation is the statue / frozen type of stance in the arms. This is a common reaction that stems back to animalistic survival techniques: we freeze to attempt to remain unnoticed. If you observe someone become statue-like, arms fixed to the side, in the presence or approach of an individual, this is usually a sign that there are bad feelings, or a history of discomfort in the relationship.

The arms also have a story to tell when you are approaching someone. If you are approached with arms stretched out, in a “come here” type of look, it's pretty clear they are happy to see you. If the upper arms remain rigid in a vertical manner and just the lower arms are extended from below the elbow, then this communicates that you are kind of welcome, but the greeting is more one of political correctness. Arms placed behind the back, locked out of sight, is a clear signal of not being interested, wanting to be left alone, and not wanting to be interacted with. This is somewhat similar to when people have their hands in their pockets, in a world of their own. If you see these latter signs when you approach someone, it is a clear signal that they do not want to interact with you, or, depending on the situation, have something to hide. Another common display, and I am sure many of us are familiar with the saying, is “keeping you at arm's length”. Well, this is true: we will extend an arm to keep people at a distance that we feel keeps them out of our personal space. You often see this in crowded places, and in situations of conflict.

Finally we shall quickly look at arm language regarding dominance. We have spoken about this a little before, in how humans spread their legs to take up more room, in a sign of territorial stance. The arms can also play a similar role. People spread out their elbows and place them on their hips to take up more space, and show they are dominant in that space. The more or less territory someone takes up is a good sign of how confident they are feeling at that time, in the situation they are in. Another sign of dominance with the arms is when people put their hands behind their head, with elbows pointing out. This is a very confident, laid back posture, signifying authority and that you're in charge and mean business. Similar to this is having arms spread out spanning multiple chairs, or a bench, as well as planting your hands with arms splayed out on a desk, in an authoritarian manner.

Hopefully you found this information interesting and insightful. As per usual be mindful, keep your eyes open and watch for what’s happening around you.

Many people say it's the little things that count; depending on what you're talking about, your partner may or may not agree with you :) However, when it comes to body language type stuff and reading people, there is a little something worth paying attention to, and that’s micro expressions.

Wikipedia Definition – A microexpression is a brief, involuntary facial expression shown on the face of humans according to emotions experienced. They usually occur in high-stakes situations, where people have something to lose or gain. Unlike regular facial expressions, it is difficult to fake microexpressions. Microexpressions express the seven universal emotions: disgust, anger, fear, sadness, happiness, surprise, and contempt. They can occur as fast as 1/25 of a second.

Microexpressions were first discovered / documented back in the 60s; however, I didn’t become aware of the studies and research until reading the work of Paul Ekman in the early 90s. Back then I didn’t look into it too much, and it's only been the last 18 months or so that it's really piqued my interest, again from a social engineering perspective. I will also say in the last year people have been made a lot more aware of microexpressions due to the TV show Lie To Me with Tim Roth.

There are supposedly 7 universal microexpressions; however, like anything, it is important to study people to define the baseline of an individual. Below are some examples (from the TV show) of what these 7 microexpressions look like.

So why should you bother looking into microexpressions? Well, it's simple: it provides you with a guide (educated guess) as to whether someone is lying to you, as well as providing additional information as to how people are really feeling when responding to your questions and presence. I am sure you are aware of the tells and expressions of people close to you, and those who you interact with on a regular basis. No doubt it took you some time to become familiar with those expressions and the hidden meanings behind them.

So if you want to go about learning these skills, there are a few things you can do. The easiest and cheapest is to study people in your everyday observations and interactions. You could even team up with friends and go through various Q&A sessions, studying and noting the responses. Another option, which I recommend in conjunction with the previous suggestion, is to read various materials on the subject, but also look at videos, political speeches and training sessions to improve these skills. Personally I find I learn a great deal more from videos and images than text alone; with this sort of material it is essential.

The only tools I am familiar with myself are those of Paul Ekman's, both the METT (Micro Expression) and SETT (Subtle Expression) training tools. These tools feature large collections of images, showing quick demonstrations of expressions to learn and test yourself. For more information on Paul’s tools check out his website; I think he used to have some free tools, however now there is a demo option, and then the charged options ranging from $20 – $70.

All the best with honing your human lie detector skills :)
