Misdirection.. Now you see it, now you dont

Misdirection, is the hand quicker than the eye? I am sure we are all familiar with misdirection, I focus your attention on my left hand, whilst I do the old switcheroo with my right hand, and what do you know I made a coin disappear.

Wikipedia Definition – Misdirection takes advantage of the limits of the human mind in order to give the wrong picture and memory. The mind can concentrate on only one thing at a time. The magician uses this to manipulate the “victim’s” idea of how the world is supposed to be.

The art of misdirection is a useful skill to have and master as a social engineer, and can be used in a variety of situations. Misdirection is all about focusing the attention in a defined area, to allow something else to happen outside of that area, and proceed unnoticed.

A simple example of misdirection when working in a pair could be both that of a physical or verbal nature. You could get you colleague to call ahead to the location you are looking to penetrate and impersonate either an employee or a made up one all together. The conversation will focus on the employee running late, and expecting a visitor, so could reception just see him through, and they can find their own way. We have now set-up misdirection. The focus is on the would be employee who is running late, so when our other social engineer enters the building they will be let through, as all thoughts are elsewhere. (This may sound simple, but I have done this many times with success, remember people want to be helpful, and influence is a key factor also).

From a physical perspective, I am sure this is a scenario you could all have some familiarity with. A colleague creates something attention grabbing at one side of the building, focusing all the attention and resources on them. Your colleague then slips past, or goes in via another entrance undetected. Something as simple as setting of a fire alarm, is ideal misdirection. You may look suspicious entering a building with everyone leaving, so you simply return inside with the hordes of people re-entering.

As an individual when social engineering, you may use misdirection to gain access to confidential paper work, access to a terminal. You may simply ask someone for a drink, as they go off to get the drink as requested the focus on you is off, and you are left to your own devices. We all use misdirection unknowingly day to day, and this is the key. When carrying out an assessment you have to be natural, fit in, be confident and sure of your skills on the outside, even if on the inside your crapping yourself.

I encourage you to think about examples day to day where we see or hear misdirection, and consider how you may use this to your advantage as a social engineer. We use misdirection in sports, we use it in war, we use it as child and an adult to hide things we do that perhaps we shouldn’t.

Like all of these skills we look to understand and master, the more we realise the concepts, the better chance we have at being successful, and also having the awareness for when these tactics are being applied to us.

As a closing comment, I thought an American Football strategy is a good example of misdirection that we can see drawn. Have fun and enjoy learning.

March 30, 2010 | Dale | Tags: , , , , | 1 Comment »

NLP for Social Engineers – Mike Murray

Not long after kicking off Head Hacker, I got speaking to Mike Murray. I am sure many of you will be familiar with his thoughts and work in the SE space. Well he made me aware of a recent project he has also kicked of which is NLP for Social Engineers.

As Mike rightly pointed out, we share some common thoughts, and there is some overlap. I have now listened to his first two episodes, and have enjoyed the content.

So I recommend you take some time, subscribe and see what you think. Please feel free to share your thoughts with both Mike and myself.

March 26, 2010 | Dale | Tags: , , , | 2 Comments »

Influence.. Decision and Deception

Influence, this is a term we are all familiar with, and influencing skills are something many of us use everyday. This post is going to look at the benefit and utilisation skills that can be used day to day, and in the context of social engineering and the other skills we have already discussed, and will continue to touch on moving forward.

Wikipedia Definition – Social influence occurs when an individuals thoughts or actions are affected by other people. Social influence takes many forms and can be seen in conformity, socialization, peer pressure, obedience, leadership, persuasion, sales, and marketing. Harvard psychologist, Herbert Kelman identified three broad varieties of social influence.

  1. Compliance is when people appear to agree with others, but actually keep their dissenting opinions private.
  2. Identification is when people are influenced by someone who is liked and respected, such as a famous celebrity or a favorite uncle.
  3. Internalization is when people accept a belief or behavior and agree both publicly and privately.

Morton Deutsch and Harold Gerard described two psychological needs that lead humans to conform to the expectations of others. These include our need to be right (informational social influence), and our need to be liked (normative social influence). Informational influence is an influence to accept information from another as evidence about reality. Informational influence comes into play when people are uncertain, either because stimuli are intrinsically ambiguous or because there is social disagreement. Normative influence is an influence to conform to the positive expectations of others. In terms of Kelman’s typology, normative influence leads to public compliance, whereas informational influence leads to private acceptance.

Influence can take many forms. Someone can be considered influential based on their position, their perception of knowledge, people they know and are associated with, how they behave, what they say and do, as well as how they present themselves.

I will start with presentation. This is probably obvious, but we immediately judge people by their appearance. First impressions are important, so we need to be mindful of wearing appropriate clothing for the environment we are in, or looking to infiltrate. If a company has people casually dressed, and you turn up in a suit, you will stand out like a sore thumb, and will attract attention. There is a balance to be had here, as someone smartly dressed can also represent a position of authority, so it is key to do your homework. There are subtleties when dressing that can also contribute influence. Interesting research has shown that smartness and colour of shoes, as well as tie colour can make a large difference in the perception of influence. We are are familiar with the joke of power suit, power tie, but it really is true. On the opposite side, a female could wear smart clothing, but is slightly revealing, or particularly flattering. This may attract attention (which has its place in certain circumstances), however the focus will be on attractiveness of the individual, not on the quality and value of the information being communicated, and essentially the patterns being used to facilitate influence will be ignored and go unoticed.

Communicating influence is something that is very common as it can be done on the phone and in person. Being familiar with a companies lingo, and key industry terms will resonate with the individual you are communicating with. They will believe / assume you are a person with knowledge and know how, this will lead to a position of influence. NLP patterns can be utilised when communicating to create focus on a sentence, ensure notice is taken of positives and not negatives, and bring someone around to your way of speaking. We will look at NLP patterns in the future. A hypnotist also uses influence both in body language and communication to facilitate buy in, and bring someone around to facilitate hypnotic experiences. Research has shown positioning can also have an impact on having what you say accepted and actioned upon. The left side of the brain is used for making decisions, and research has shown that speaking on the right side of an individual (so audio is received via the right ear) can lead to an increased chance in your communication being fully received and processed, and a decision being made in your favour.

Influence by association is something that can be of great use when a social engineer. When communicating dropping a name in can result in people not wanting to question your activities, as they do not want to trouble or disturb the individual of importance, and perhaps you are important and influential also as there is some association. This can also be achieved just by tail gating people of importance. I am sure if you give this some thought, you can think of the obvious scenarios where this will work, perhaps you would introduce yourself and create rapport outside of the office your looking to infiltrate, perhaps you can do it rapidly on the bus, train or elevator.

I have tried not to ramble to much in this post, but hopefully you get the idea. Having influential skills can obviously help influence people, but also build rapport, meet more people, and more valuable friends and associates. These are skills essential to a social engineer, as fitting in, getting people to do things for you, and help and facilitate are essential, and can make your life easier, and increase chances of success.

In my experience successful social engineers, come across as friendly, and confident people. This may or not be the reality, but its what is communicated that is essential for building a perception, and elevating from there. Consider what the individual you are looking to influence are interested in, dangle the appropriate worm to meet your objective. The point here is, to influence others we need to focus on their desires, to meet / get ours. Its all about perception.

Take note of peoples behaviour you consider to be influential. Examine how they carry themselves, mannerisms, vocabulary used, and the general presence. Different things work for different people, so you need to try things out for yourself. We will look at patterns, and mirroring in the future that can assist with getting people onside, and leading to influence.

Bullying, pushing, sarcastic complimanty comments may facilitate results, however I dont believe they will give long term results, this is something to be mindful of.

As ever I welcome feedback, and suggestions for content you would like to see, and information you would like to share.

March 25, 2010 | Dale | Tags: , , , , , , , , , , , , , | 2 Comments »

Mentalism…. Psychic or Straight Jacket

Mentalism. I am sure you will have heard the term mentalism, or someone telling you they are a mentalist, and I am sure you probably agreed. Thought they are a nut case, and should be put into a straight jacket and wheeled off to the funny farm. Mentalism in this context is not quite the same.

Wikipedia Definition – In psychology, mentalism refers to those branches of study that concentrate on mental perception and thought processes, like cognitive psychology. This is in opposition to disciplines, such as behaviorism, that see psychology as a structure of causal relationships to conditioned responses and seek to prove this hypothesis through scientific methods and experimentation.

Mentalism is a performing art in which its practitioners, known as mentalists, provide their audiences with a theatrical experience of witnessing or participating in demonstrations that appear to utilize highly developed mental or intuitive ability. These demonstrations may include telepathy, clairvoyance, divination, precognition, psychokinesis, mediumship, mind control, memorization, and rapid mathematics.

When I am thinking of mentalism I am thinking of a combination of perception, performance, and direction. To categorise yourself as a mentalist is something I am sure many people would not consider doing, but many most likely fit the bill. If you are using skills to build rapport, influence behaviour, mimic and read body language, read facial expressions and other such skills, this is essentially what a mentalist performer is doing.

We will cover different levels of skills, and what forms them in later posts, but skills such as cold reading, behavioural analysis and more, can help us all day to day, and especially when we consider social engineering.

A quick example is facial expressions, eye movement that we can use to our advantage. We can use these skills when in general discussion, persuasion, questioning and more. Some of the following is also discussed in regards to NLP, but this is just a simple example to show some commonalities in people when monitoring eye movement.

The face below represents that of an individual we are looking at them straight on. When you ask someone a question you will see eye movement towards a zone that represents their representational system. Remember everyone is different so we need to build up rapport, and monitor, measure and test for accuracy.

Zone 1 represents Visualistic, Zone 2 Auditory, and Zone 3 Kinaesthetic.

When you ask someone a question that requires them to access buried information in their memory, you will notice their eyes look towards their most dominant zone. Some people remember images better (Zone 1), some people remember how something sounded (Zone 2), and others with feeling and emotion (Zone 3).

To start of you need to ask a question that will trigger old memories, and that will get an honest response. A simple example here could be what was your first pet, or who was your best friend at primary school. Someone who visualises this memory will look up, and picture an image. Those who word better off sounds will look to the side, and hear a persons voice, or associated sound. An individual who feels and experience will tend to look down, recalling the great times experienced and the emotions associated. So this demonstrates we are all different, and that the key is asking the right trigger questions to build up a baseline, before probing further. Its abit like a visual lie detector.

If we look to get a better understanding we can go abit deeper. We can look to identify if a memory is actually being recalled, or if someone is making something up.

So you have determined the predominant zone, and we now use this information to gain extra information. Most people are visualistic people, so if you do struggle to identify it clearly, zone 1 is often a safe bet, just be aware.

If we look at the diagram above, if someone is looking towards area 4 they are most likely accessing a memory, if area 1 they are making something up. Similarly if they look to area 6, this may demonstrate a conflicting issue, perhaps touching on a difficult subject. However area 3 would demonstrate a more emotional response. When we see eyes moving between areas 2 and 5, this will verify the auditory nature, and lingering in area 2 it may signal a lie is being thought up.

The key here is to experiment, identify normal behaviour, measure it against normal questioning, and then under interrogation. Obviously there are many books on this, and this is just a brief overview.

So why did I discuss all this. Well one its interesting, but two it is to demonstrate how this information can be utilised, and one of the tools a mentalist may use to convince someone of their psychic abilities.

With this information we can not only use it to spot who is cheating, we can use this information for other benefits. So when we are explaining something, trying to get someone to buy in. We can focus our language according to the visualisitic, auditory and kinaesthetic representations to improve our chances of success.

March 20, 2010 | Dale | Tags: , , , , , , , , , , , , , | 1 Comment »

Neuro Linguistic Programing…. Art or Science

Next we shall talk about Neuro Linguistic Programming (NLP). NLP has become more well known over the years now, but there is still some controversy and taboo on the subject.

Wikipedia Definition – Neuro-linguistic programming (NLP) is a controversial approach to psychotherapy and organizational change based on “a model of interpersonal communication chiefly concerned with the relationship between successful patterns of behaviour and the subjective experiences (esp. patterns of thought) underlying them” and “a system of alternative therapy based on this which seeks to educate people in self-awareness and effective communication, and to change their patterns of mental and emotional behaviour”

In the 1970′s Richard Bandler (Maths Student) and John Grinder (Linguistics Professor) came up with a process called “Neuro Linguistic Programming”. This process was derived from studying, and duplicating the work they observed of great communicators and therapists (Erickson, Perls, and Satir). Essentially what this means is they looked and listened, and they replicated what they observed, and tweaked and modified neuro and linguistic components to amazing results in many cases.

Notice I didn’t mention the word science. The reason for this is, the work done to establish NLP wasn’t a science, its a process or art. There is lots of debate on this subject, and if NLP is or isn’t effective. I am not an NLP Practitioner, I just utilise the techniques both in my work and with myself, and find it interesting. If it makes sense and works for you, fantastic,  if not acknowledge what it is and form your own opinion and move on.

So what happens with NLP, what is the art / process involved.

NLP came out of viewing what a therapist is doing, the stance, the words, the process. Then essentially just replication, and testing in a similar way. Then when a process worked, it was documented as to how it was believed to have occurred, and then a pattern was derived. These patterns could then be retested, and tweaked etc etc. These patterns grew overtime, and were improved and expanded based on further observation, experience and testing.

So how do these patterns work. Personally I see alot of similarities here with hypnosis. The patterns, are a structure of words, its how they are delivered, the rapport that is built up, the confidence of the practitioner, and belief of the subject. It important also to understand NLP can be used on yourself or on someone else. So in its simplest form, NLP is about using a structure and language that makes sense and builds credibility, and from this creating a frame to work and build upon. I see it as associating positive thoughts and feelings, and creating association, replace / removing the negative frame.

This may sound confusing, or it may sound strangely simple. Let me put this to you. If someone was to constantly tell you multiple times a day you are bad at something, your terrible, you cant do anything right, etc etc. It wont take long for this association to stick. You will feel bad about yourself, you will fail, as you believe this to be true. If the opposite where to happen, you would feel good about yourself, confident, look to succeed and expect nothing else. Pop Idol and X-Factor shows are a perfect example, some of these people really do suck, but someone has been telling they can sing all their life, and regardless of the facts, they believe they can. :)

The important thing is not to stop questioning. Curiosity has its own reason for existing. One cannot help but be in awe when he contemplates the mysteries of eternity, of life, of the marvellous structure of reality. It is enough if one tries merely to comprehend a little o f this mystery every day. Never lose a holy curiosity.”
-    Albert Einstein

As with the other topics discussed so far, there is alot of material available to read and view. These posts are just aimed as a brief introduction, to give a basic understanding of the theme and principles. They are of course my thoughts and opinions, I encourage people to question, comment, and give them view to make the information available here even more valuable.

March 16, 2010 | Dale | Tags: , , , , , , | 2 Comments »

Hypnosis… Mumbo Jumbo or the Real Thing

Next lets look at Hypnosis. I am sure everyone is familiar with the term hypnosis, and we all have our own conception of what hypnosis is. Of course we are all entitled to our own opinions and views, and many will simply dismiss hypnosis as mumbo jumbo, and that’s fine, in fact that was also my opinion before I learnt more about hypnosis and became a hypnotist myself.

Wikipedia Definition – Hypnosis is a mental state (state theory) or set of attitudes and beliefs (non-state theory) usually induced by a procedure known as a hypnotic induction, which is commonly composed of a series of preliminary instructions and suggestions.

I find it interesting when I speak to people about hypnosis, but that believe it to be a load of nonsense and those who believe. The interesting this is, even if you don’t believe, most people don’t want to try it, even though they are sure nothing will happen. Like myself in the past, its cant be real, but what if……

When you do speak to someone who has not been hypnotised but wants to be, and you ask them most people believe they will experience something like the following:

I will fall asleep, into a blank state of nothingness, I wont be able to feel anything, hear anything, see anything. I will no longer be in control.

Its an interesting view, and I think its due to what we see on TV and in movies. Everyone’s hypnotic experience is different, but you can be assured of a few things. You will feel completely normal, everything is the same, you can hear everything, you can feel, see, talk. This may sound odd to some, but lets really understand what’s happening.

Everyone in my opinion has experienced hypnosis in a way. If you have had a day dream, found yourself staring out of the window, concentrating and thinking about something, and then suddenly becoming aware of what’s going on. This in my experience is just like a typical hypnotic experience. You are fully aware, you know what’s happening, reality is still constant, but if suggested, altered for a period of time.

Hypnosis is often considered to be a form of trance, and I guess in a way that is true, but then you would assume that you would need to be put into this trance, however many skilled hypnotist work through conversational hypnosis that does not involve any closing of the eyes and sleep commands. Everyone has an opinion, and I don’t believe there is any right or wrong. Hypnosis to me is a state where you are highly concentrated, using the power of your unconscious mind (like when you dream), and imagining and experiencing real or imagined suggestions.

Many believe that even when someone is hypnotised, that they are actually just playing along. I am sure this is true, and I think this is because especially in a group setting, there is a desire to be compliant, and this can be advantageous. However those who have been hypnotised, and those who are a hypnotist know that the suggestions are very real, and if you test your work, you can verify this to be true.

Scientists and those in the medical profession have also carried out testings on various levels and have confirmed hypnosis to be true. Below is a simple image that represents a brain scan, that showed the reactions of someone hypnotised, and someone playing along. The scans clearly show they hypnotised subject to be using different parts of the brain. Its a simple, but interesting image.

Many people will ask can everyone be hypnotised. I think yes to some extent. I am not sure how accurately the figure of 90% is, but apparently 90% of the worlds population can be hypnotised. Being hypnotised does require skill of being a subject, as well as the skill of the hypnotist. If someone is unable to concentrate, use their imagination, or grasp the concepts will have great difficulty. Now the 90% of people may not experience a deep state of hypnosis, that would allow for amnesia, hallucinations, analgesia, but most will experience a relaxed therapeutic state, and experience sensations and catalepsy. Some people are considered to be a somnambulist (sleep walker), and these make for people who are very receptive to hypnosis, and make great subjects. Something linked with this is permanosis. This is where an individual can be receptive to the hypnotist without re-induction, I can only attempt to define it as a subconscious bonding, that may last for a variable length of time.

Like all things, hypnosis takes practice, and requires various skills, and we will go into these in later posts. I will close of with a few comments for thought and consideration.

If you are a hypnotist, remember to test your work, remember both ethical and moral boundaries for the subject, and remember to bring your subject out of hypnosis fully, reassure and verify before moving on.

If you have not been hypnotised, and believe it to be real or not, do your homework, and make an informed education decision. We are all entitled to our own opinions and believes, just challenge them from time to time.

* I should point out the hypnosis I carry out is impromptu (rapid induction) hypnosis. I am not a hypnotherapist, or a stage hypnotist.

March 14, 2010 | Dale | Tags: , , , , , , , , , , , | No Comments »

Social Engineering, What , When, Why and How

In the first series of posts I want to cover the basics of each topic. A good place to start is Social Engineering, so lets kick off with what its all about, when its used, as well as the why and how’s involved.

Wikipedia Definition – Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical hacking techniques (essentially a fancier, more technical way of lying)

Everyone is born a social engineering expert, but over the years we adjust the way we behave, act and interact with people based on our understandings or right and wrong, and our cultural environment, along with our ethic and moral stand point.

As a child we are the masters of manipulation. We make our parents and other adults around us give in to our wants and desires. We achieve this due to a humans desire to be accepted, build relationships, friendships, and to be considered thoughtful and accepted. We want our children to be happy and to think we are great parents, and it is for this reason we give in to their pestering and persuasion. Children often play one parent of against another, which also results in building a perception of acceptance or rejection, that is then utilised for their benefit.

As we become adults, most of us don’t feel this sort of manipulation is accepted behaviour, and as a result we adjust overtime as to how we interact and communicate with our peers. A social engineer utilises these adjustments and expectations we have evolved to, and the human desire to please and accommodate each other. It is through this vulnerability that a social engineer creates a scenario of acceptance (types will be discussed in other posts), and as a result becomes accepted in the situation they find themselves present. This acceptance can take multiple forms, it could be someone of authority on the end of a phone asking for information, someone inside a building and accepted as authorised to be there, essentially someone communicating via any medium as trusted, expected and belonging.

The limits of social engineering are down to the imagination, creativity and confidence of the social engineer and the acceptance of the target / victim.

Here is a quick example of when and why you would want to use social engineering techniques. Lets imagine a competitor of your organisation has developed an amazing new technology. Everyone is sworn to secrecy, but you have been tasked with getting this information (we wont discuss the legalities here).

The organisation in question is quite tech savy, and they have adequately secured their network perimeter, and it is determined there is not alot to be gained from external network and vulnerability scanning. We need to get inside the organisation to stand a chance of success.

Getting inside will require the social engineering skills. We will use open source information from social networking sites, information collected from the trash, hang out at local known hang outs, make friends with co-workers, what ever it takes. We will understand who regularly visits the company sites, vendors, service suppliers and more.

Now we have information we can paint a picture, and create a feasible, workable, and realistic scenario. Now we could use this information to establish ourselves as an employee, this may take some time, and due to the nature of work may mean you easily stand out to those working on the project. You may identify a key person on the team and get the information out of them in a social setting. People are often proud, and want to blab about something, especially when they know they are not supposed to. Most likely in this scenario we may pose as a service provider of some sort to gain access to the building, or tail gate. From here we could install a network tap to log traffic on the network and sniff all the content to steal the data, or perhaps if appropriate steal the physical hardware. The point is, social engineering can be used to get us in and out of the building, ensure people want to help us and share information and more.

Social engineering may seem like Jedi mind power, and super complicated. However, once you understand the principles its simple stuff, all you need to do is research and be confident. You will find its amazing what’s really socially accepted and you can get away with, but consciously and subconsciously.

They say there is no patch for human stupidity, I say there is. Make people aware, and have them experience first hand. Most people when experiencing a few times will not suffer the same so lightly in the future. Individuals and organisation spend a lot of money, time and focus on technology and policies, but time and time again there is little to any focus on the people elements.

The guys over at Social Engineer have come up with a great framework that is continually being developed, its certainly worth a look.

March 10, 2010 | Dale | Tags: , | No Comments »

Welcome to Head Hacker

Welcome and thanks for visiting the Head Hacker website.

The goal of this site is to discuss the benefits, process, theories and qualities associated with social engineering, and what I consider to be linked skills, products and theories.

So obviously we are going are going to discuss social engineer and the spy and tech tools that we can use once we are in, but we are also going to discuss other skills that you should be aware of, and you can add to your brain toolkit to increase chances of success and take tests further. We will look at Neuro Linguistic Programming, Hypnosis, Influencing and Manipulation skills, methods of Misdirection, Mentalism, Cold Reading and more. I will also mention some possible Magic that may come in handy as part of recon, and relationship building.

The content is going to be based on my experiances, research, thoughts, theories and discussions with other practioners in the various industries.

Feel free to add comments to topics, ask questions and make requests.

I hope you enjoy the content as it develops and grows over time.

Thanks

Dale

March 8, 2010 | Dale | Tags: , , , , , , , , , , , , , , | No Comments »