Some of you may have gathered by now that, as well as infosec, social engineering, and hypnosis, I am also interested in a bit of trickery pokery: magic.

In recent months I was asked to carry out an impromptu social engineering exercise as a favour to someone. Of course I obliged, almost bit their hand off in fact, but we will keep that a secret. Anyway, I had discussed the generic process and results of this test with a few people, and they also found it amusing and suggested I make a post. So here we go.

You know the recon: give the building a little tour, and you are not surprised to see access controlled doors, locked windows and turnstiles on the main entrance to stop tailgating. However, as we continue on our little wander we find a rear entrance, however it is also access controlled. No big surprise. However, we see from the corner of our eye something beautiful, that’s right, it’s smokers’ corner. The smoker is a common helper to the social engineer, and normally we could fake having a cigarette. Two problems: I have no smokes, and I don’t smoke. However, I do have a set of cards on me, as I have been taking every opportunity to practice some of my tricks whenever a spare 5 minutes arises. So I sit down on the bench just up from smokers’ corner, and start shuffling the cards and having a little mess about.

Almost 45 mins later, a few people have been and gone, but one guy just can’t resist any more. He approaches me, and in a joking tone asks “What do you think you are, a magician or something?” There is my cue. I show him a simple trick, card prediction. He’s impressed and laughing, rapport is building. He asks me if I know any others. So I get him to pick a card, and then remember it, and then go through the deck and reveal his card. He is loving it, and let’s face it, who doesn’t like magic :) However, it’s getting cold, and I have got work to do. So I suggest we best go in, as I am cold, and my work won’t do itself. He kindly walks with me to the rear entrance, and without asking swipes his card and lets me in. Access Gained.

I am still not sure if what happened next was a good or bad thing, but he asks me if I know any more tricks and if I would show his work mates. I explain I need to get on, but I can do something quickly. So he takes me to the first floor, and to where he sits with his two work mates. I do a quick triple card routine, which involves a bit of mind reading. They are amazed and love it. Now I really need to go.

I head down a corridor and locate a small empty meeting room. I locate a network point, and plug in my La Fonera. Lights are on, we have lift off. I head back down to the rear entrance, where a few people are off out for a cigarette. I tailgate and head back to the car.

In the comfort of the car, I load up BT4, connect to my La Fonera, that’s connected to the corporate network and do what needs to be done. With that little smirk on my face, of what a great few hours I have had.

So basically the magic was just another method to build rapport, and a point to build upon. I don’t think it could be used everywhere, but in general people like magic, and are fascinated by it. The best bit was the debrief the next day with the company, they couldn’t believe the chain of events, and of course again I had to show them one of the tricks.

So I have posted the basics of this due to requests, but also to demonstrate a key thing when social engineering. Use what you know, and what you have available to you and think out of the box.

Once again I am going to be jabbering on about hypnosis. So if you have not noticed by now, hypnosis is something that is of great interest to me, and I think having at minimum an understanding of hypnotic language is a valuable addition to your social engineering toolset.

So just a quick history to bring us up to date. I had read a couple of books on hypnosis pre 2009, but things had never really hit home. Then I think it was March 2009 I stumbled across Anthony Jacquin’s “Reality is Plastic” on a magic forum, and read about the success this guy was having with hypnosis since following the concepts discussed. Well it had me sold so I bought it, and thanks to this book I became The Hypnotist. I also studied other writings, online information and DVDs from Anthony, and speaking with him and his business partner Kev Sheldrake helped me develop my skills. I call the method of hypnosis I learnt from Anthony “conventional” hypnosis, in the sense that it involves the concept of trance, inducing sleep and deepening. I have had, and continue to get, great success with this approach, and I love it to bits. The only negatives I have found are that if you don’t set up the context right, success issues occur, but that’s a hypnotist issue, and that when using it from a social engineering perspective you have to be more creative, and that’s no good if you’re lazy.

So as mentioned before, when I was at the Blackpool Magic Convention with Anthony and Kev, I was introduced to James Tripp, and he told me about his Hypnosis Without Trance method of hypnosis. We spoke about what I do, and the social engineering aspects, and we agreed that there are some possible clear benefits. Since Blackpool I have had various online interactions with James, and studied some of his online material, and then began utilising his approach in combination with “conventional” hypnosis with great results. I didn’t feel as confident with the non trance approach to some extent, I think in a way because I had not officially read or studied the approach, and as a result there was some internal doubt. This was part of the reason for attending the No Fail Protocol Special, and looking to attend James’s Hypnosis Without Trance Workshop.

So fast forward to the 15th May 2010 and I am sat in Regents College in London on the Hypnosis Without Trance Workshop, ready for a weekend of educating my grey matter as well as hacking some :)

What can I say, it was an excellent two days. I really enjoy James’s teaching approach, it’s very casual, he gives lots of background and explanation, and has no issues with interruption and questioning or challenging. Obviously, as you would hope, there is also the actual doing of hypnosis and learning as you go with your fellow classmates. The class had a great selection of people, and everyone got on well. I would say about 50% had the ability to hypnotise to some degree already using “conventional” methods, so this made for good discussion and education for everyone involved.

The main objectives of the course for me were to take steps to mastering this approach and building on what I had observed and practised to date, and I would say I achieved this as I had great successes all weekend. I wanted to discuss and examine possible limitations for my work from a social engineering perspective, and how I could utilise the conventional skills I have already, and as always to meet new people, and willing subjects to practice some head hacking with, and share my thoughts and opinions. I met, and possibly exceeded, these objectives. So where from here for me? Well, my approach to education and developing my skills is to expose myself to information and knowledgeable people on topics I think will be of benefit to me, I then take all the various information and form my own opinions and approach. So moving forward I can see myself really utilising the Hypnosis Without Trance approach, and replacing a lot of the “conventional” hypnosis methods I use, as I think the non trance is more covert for the lack of a better word. It will also make me become a better hypnotist, and utilise both skill sets I have at my disposal. I would certainly like to work with James again, as I have got to know him even better over the weekend, he’s not only a great guy, he has lots of good insight, and NLP knowledge (in a good way, I have NLP hang ups), and I enjoy the discussions we have.

So if you want more information on Hypnosis Without Trance visit James’s website, you can sign up for his free paper on his approach, and no need to worry, he isn’t a spam king. Also check out James’s blog for more titbits of information and videos. If you can’t make a training, it’s worth considering the study at home Hypnosis Mastery Programme. I have not looked at all the material myself at this stage as I attended the workshop, but the content I have seen looks excellent.

Finally I will just share a final experience from the weekend, that for me showed the benefit. I know someone who in the past I have tried to hypnotise with “conventional” hypnosis and I never had any success. In his own words, his brain is just too powerful. First time I tried it with the Hypnosis Without Trance approach, I had multiple phenomena. Hand stuck, feet stuck, arms locked, and name amnesia. It’s a powerful approach, and it works. Just imagine what can be achieved with the knowledge of both. The mind is a power tool, make sure you keep it with you, and don’t walk around in a mindless state.

After the last class on Sunday, one of the attendees was kind enough to be videoed as I carried out some grey matter hacking. This was my first time being recorded, and it wasn’t really planned, so the nerves kicked in a little, and my cold didn’t help. However, great successes, and just gives an example of what this looks like. I was unsure if I would share this, but I think it shows me where I need to develop further, and will force me to get some decent planned non amateur footage, and help measure progression.

These three video clips are all using the Hypnosis Without Trance method, no sleep, no deepening, just direct, powerful hypnosis.

If you are also interested in the courses and DVDs offered by Anthony Jacquin in addition to the RIP book I mentioned already, please check out his Head Hacking site for more information on his Manchurian Approach and Trilby Connection. Please let Anthony know how you found out about his products.

The human body is a wonderful thing, I admit some more wonderful than others, but I digress.

We all give off subtle signals, cues and tells. These are subconsciously taken in, but consciously we are not always aware of what is happening. We can make ourselves more aware of how our body is communicating by becoming masters of observation, and learning someone’s baseline, and then looking for movements outside of the norm.

Wikipedia Definition – Body language is a form of non-verbal communication, which consists of body posture, gestures, facial expressions, and eye movements. Humans send and interpret such signals subconsciously.

Of course most of our subconscious movements are generic to everyone, with only slight changes due to cultural changes. It was my initial plan to consolidate the whole body into a single post, however I think it would be better to do a series covering the different parts of the body. So this post focuses on possibly the most revealing part of the body, that is often not considered… The legs and feet. In the future we will look at the torso, hips, chest and shoulders, the arms, hands and fingers, and lastly the face.

The Feet and Legs

If you were to ask most people the question “what part of the body gives the most away, if you were looking for information from body language?” I think most would say the face. Although this is true, and we do give a lot away with facial expressions, eye movements, and touching of the face, the legs and feet have a lot to say also.

So why is this so? Most of our movements from a body language perspective happen subconsciously, so we are not really sure what is happening, it’s our limbic system doing what it does best, controlling emotions, behaviour and more. Our legs and feet in particular are often hidden out of sight, so out of sight, literally out of mind. This is why the lower part of our body can give a lot away, and ensuring we pay close attention can tell us a lot.

What to look for, and what does it mean

Wiggling and bouncing feet is something people would normally relate to a child, but it’s something we don’t forget as we get older, we just take it for granted. However, if you observe someone after they receive good news, you will see them demonstrate the high confidence tell that is wiggling of the feet. Obviously looking directly at the feet will make viewing very easy, but looking for bobbing shoulders is also a good sign of what is happening down below. It is important to realise there are subtle differences between this and moving legs and feet that signify impatience, such as a tapping foot when you are waiting for a late bus.

Feet can also non-verbally signify when we find a situation, or individual, agreeable. We turn to things we like, and away from what we do not, the important thing here though is how much we turn. If we turn our whole body, we are showing 100% commitment to how we are feeling, however if we just turn our upper torso, then if we look at the feet, they are normally communicating the truth. When you greet someone, if they turn around to face you, they are welcoming you, if they just turn their upper body, they are probably not so keen, and their feet demonstrate they would like to continue as they were. You may also notice how the feet change during an interaction, moving from facing you, to one or both feet pointing in another direction. This is a signal that they would like to conclude the interaction and head in the direction their feet are heading. Another example is when someone is being questioned, or interviewed. They may be sat facing you, but as difficult questions occur, you may notice the feet pointing towards the door. This is a signal they would rather not be there, and this may be doubled up with clutching or rubbing of the knees, giving the intention of wanting to get up and leave.

So how about the legs? Legs can tell us a lot about how someone is feeling. If someone is relaxed and standing or sitting cross legged, they are comfortable with the situation. The reason for this is they are unbalanced, and not in a position to make a quick getaway. If this changes to both feet firmly on the floor, then this is more of an assertive stance, and a position from which you can make a prompt getaway.

The legs also can show you when someone is looking to be assertive, this is a territorial stance and you will see that people open their legs wider to take up more and more space. When two people are challenging each other you can see each other’s stance slowly widening. This is something you see even more commonly with military and law enforcement individuals.

Another example of where the legs and feet tell us what we are thinking is when we are sitting with our legs crossed. If we are sat with our legs crossed with our leg facing away, this is a form of protection and creating a barrier. Leg crossed facing towards removes the barrier, and shows comfort. Interestingly in this position we can see that some people will also jiggle their leg naturally. This is not necessarily a sign of nerves, in fact it may be comfort. However you may notice this jiggle change to more of a kicking motion when questioned and a topic of discomfort occurs.

I hope this was of some interest, and there is obviously a lot more to it, and it all seems very obvious once you become familiar. I recommend reading the papers and books of Joe Navarro if you want to learn and study more. So next time you are speaking with people, see what their feet and legs are doing, and next time you experience this yourself, adjust your body language, can you send a mixed signal?

BruCON is an annual security and hacker(*) conference providing two days of an interesting atmosphere for open discussions of critical infosec issues, privacy, information technology and its cultural/technical implications on society. Organized in Brussels, BruCON offers a high quality line up of speakers, security challenges and interesting workshops. BruCON is a conference by and for the security and hacker(*) community.

The conference tries to create bridges between the various actors active in the computer security world, including but not limited to hackers(*), security professionals, security communities, non-profit organizations, CERTs, students, law enforcement agencies, etc.

I have had confirmation that my talk has been accepted (Head Hacking – The Magic of Suggestion and Perception), and I will be speaking at BruCON 2010 in September. The focus of my talk is going to be about social engineering, and how better understanding of how the human brain works, and how it can be manipulated, can both make you a better social engineer, but also create awareness to help patch human stupidity. I will talk about how mentalism, hypnosis and NLP can be put to good use, as well as how I went about learning these skills and using them in my engagements.

Earlier on in the year I attended the Blackpool Magic Convention, it was a great event and I met some great hypnotists and magicians. Whilst I was there I was introduced to a guy called James Tripp. James came across as a nice approachable guy, and it turned out he was a hypnotist as well, but he had a slightly different approach to hypnosis. James was all about hypnosis without trance, and this was interesting, so we got talking, and it’s really very interesting, but I will tell you more about this next month after I attend his official course.

So why have I told you a little about James? Well, he asks an interesting question. What would you do with hypnosis if you knew you couldn’t fail? It’s an interesting, thought-provoking question. Well, James looked to answer this question with a one off exclusive course, called the No Fail Protocol, and I was lucky enough to attend. The day was recorded, and it’s my understanding that even though this day will not be repeated, the DVD of the day will be available from James’s website at a reasonable price in the future (I will keep you posted).

So what is the no fail protocol? James defines it as the following:
A code of ‘correct’ conduct that when followed allows the hypnotist to operate to his / her fullest extent 100% free from any perceivable failure!! It’s an insurance against failure.

This is exactly what we achieved on the course, working examples and demonstrations to give an approach / strategy that gets you thinking out of the box and planning ahead. What this gives you is opportunity and manoeuvres, and I guess what they call in the magic world, to some extent, multiple outs. It really does then get you thinking about what you could achieve via hypnotic methods if you knew you couldn’t fail. When you approach hypnosis looking to learn from failure, as opposed to looking for success, you may also find your results are not quite as you expect, give it a try.

So from a social engineering perspective, it can really get you thinking and challenging yourself. What information can you really extract from an individual using hypnotic suggestion? Why go to all of the trouble of brute force cracking a password, when you can simply ask and be told? What are the boundaries, practically and also ethically?

If you are interested in the No Fail Protocol, and the Hypnosis Without Trance (HWT) methods, I encourage you to head over to James’s site for more information. If you decide to contact James, or attend one of his courses, please let him know where you found out about it. I think the HWT really can be of benefit over conventional hypnosis for the social engineer, but I will discuss this more after I attend the official course, and put it to use in the field. James also has a blog, where he posts his thoughts, and some videos, it’s worth a look also.

When conducting hypnosis there are various critical moments. These critical moments are formed from within the frame you are setting up. When a critical moment occurs the normal experience is success or fail. However if we ensure we have manoeuvrability we have both the option to jump over to the next critical moment, or execute an exit strategy.