When I speak to people (non-infosec-passionate types) about the work and research I do around the content I post on Head Hacker, I normally get a few responses: Shock, Disgust and Intrigue. People are shocked because they are not aware of some of these skills and processes; they are disgusted because it’s not right, it’s not ethical, and a breach of human rights; and then we have the intrigue as I start to really explain what it’s all about, and what I am doing. People are curious about how this knowledge can help and protect them.

So this got me thinking: perhaps I should write a post on why I think people think social engineering is unethical, and why I consider the majority to be ethical. I do think in some circumstances there is a grey area. I have asked quite a few people about their ethical standpoint when it comes to social engineering, as I have on a couple of occasions had semi-heated discussions with organisations about techniques that can and can’t be used on an engagement. I personally find most professionals ethical in their approach, but some comments from some do make me shudder. I am confident in the fact that I only operate in areas where I feel comfortable that I will be operating in an ethical manner; other areas I have not quite figured out continue to be researched and debated both internally and externally.

In the research I have done on the ethics of social engineering, I have really not found there to be anything about. Perhaps people don’t care? I think it is a real issue that all professionals should consider, and take time to reflect upon.

Why people think Social Engineering is unethical….

In my experience most people say social engineering is unethical because you are tricking or conning someone, stealing data about them, using the information to access sensitive information, get free stuff, gain entry and generally manipulate people to do things or disclose information. I totally understand this thought process, and in a way I think they are correct. There are people out there doing this, and they are both good and very effective with the skills they have; they have become lifetime criminals.

The key issue here is the perception, and it’s a negative one. Not everyone uses their knowledge and skills for breaking the law; they use their skills and knowledge to better the populace, inform and educate to make people less likely to become a victim. The truth of the matter is, you don’t really stand a chance of beating the bad guys unless you are exposing yourself to the same skills, tools and environments.

In an effort to draw an example, medicine can be used to cure and relieve pain in the right hands. The same medicine in the wrong hands and with the wrong intent can be used to inflict pain, and even kill. Knowledge, process, tools, etc. can all be used for positive and negative; it’s the individual who is responsible for the actions and result.

Why and how I think Social Engineering can be ethical….

The first reason I think social engineering is ethical is due to the intent. Now I am not saying that the outcome of the exercise may enable someone to do something malicious, but I don’t think this is a justifiable reason not to gain knowledge, research, test and experiment. If we never did this, the human race wouldn’t evolve. So I feel that any social engineering engagement or activity I undertake or become involved in is for a positive outcome and where appropriate I always seek permission at a high level, and understand any specific areas that are no go, as well as using my own common sense and experiences to guide me. People intentionally manipulate people every day; we have all been doing this since birth. We all have different reasons for manipulation; perhaps we feel it would be best for the person, or best for us. When we negotiate to get a reduction on an item we are buying, this is a form of manipulation, but as we feel we are not harming anyone, it’s considered ethically and morally ok.

So I feel that if you are researching, carrying out SE with permission, and using the information to benefit people, and educate and bring awareness it can be ethical, and this is certainly how I believe I go about things.

It’s a little grey….

So there are some grey areas. Can an organisation give you permission to manipulate and extract information from the staff they employ? Should people who are subject to social engineering activities be punished for being the weak link in the chain? If you gain generic permission, let’s say to hypnotise, then you use this permission to extract sensitive data, is that ok? I am sure we can all think of many more situations that are not so clear.

To be honest, when it comes to these grey areas I am not sure on all the answers. However, I try to limit these grey areas by defining up front in an appropriate level of detail what could happen as part of the assessment, types of scenarios and ways to extract data, and that individuals will not be named in reports. Obviously the company may use other techniques to help identify how this information was gained, but that is outside my scope of responsibility. So to that end I would say that I am operating in an ethical manner, and so would anyone else that has considered the above issues. When in doubt, don’t do it. If your internal ethical and moral compass is unable to guide you, get additional information and input from others who are in an informed and experienced position.

I certainly don’t think the grey areas are reasons not to carry out social engineering engagements; the criminals are not concerned about ethics, and to test we need to adopt this mindset to a certain degree. It is also important to share our thoughts and research, and we have to let the individuals dig further and use this information as they feel is most appropriate.

So to conclude, if you are interested in social engineering, and you want to work with, investigate and research the skills associated, do so in a professional and ethical manner. Be mindful of what you’re planning and put yourself in the subject’s position: how would you feel if someone did to you what you are planning on doing to them? If you’re happy, then it’s most likely a good sign you will be operating in an ethical manner.

No one has all the answers, but it’s a conversation worth having, and to continually question is a good thing. I hope people reading this will want to share their thoughts and experiences, so I welcome and look forward to reading your comments.

Hope everyone is off to a good week, what with Defcon, Blackhat etc I am sure many of you are travelling. I personally had a weekend break in Cardiff and enjoyed doing a little grey matter manipulation, as well as talking about social engineering, mentalism, body language and more.

So with body language on my mind, it’s time to get into it again; this time we are going to look at the arms. Before anyone asks, yes they are my biceps…… honest.

So why bother with the arms you might be thinking? Well they are a good transmitter when someone is expressing themselves, and they are a good area to observe to pick up on signs of both confidence and discomfort as well as other emotional experiences.

We also rely a great deal on our arms, not only for the obvious things, but for the subconscious actions that occur. Our arms automatically reach out to grab a dropping item, or raise to protect us from danger in swinging and blocking motions, even when it may not make sense. This is again the limbic system carrying out basic primitive survival actions.

So onto the observational stuff. Have you noticed how when we are happy and content our arms move more freely, moving around on the wave of enjoyment, sometimes raising over our heads in excitement, exchanging high fives and cheering? When people are having a good time, content and energised, you will really notice an increase in arm movement. When the opposite experiences and emotions are going on, there is a droopy, sulky nature to the arms: hanging down, more rigid and withdrawn. A key observation here is the arms forming very closely to our sides, or closing across our chest in a protective manner. These motions can be observed in relation to both physical and emotional pain or distress; it’s a guarded and protective reaction.

Another interesting observation is the statue / frozen type of stance in the arms. This is a common reaction that stems back to animalistic survival techniques: we freeze to attempt to remain unnoticed. If you observe someone become statue-like, with arms fixed to the side, in the presence or approach of an individual, this is usually a sign that there are bad feelings, or a history of discomfort in the relationship.

The arms also have a story to tell when you are approaching someone. If you are approached with arms stretched out, in a come-here type of look, it’s pretty clear they are happy to see you. If the upper arms remain rigid in a vertical manner and just the lower arms are extended from below the elbow, then this communicates that you are kinda welcome, but the greeting is more one of political correctness. Arms placed behind the back, locked out of sight, are a clear signal of not being interested, wanting to be left alone, and not to be interacted with. This is somewhat similar to when people have their hands in their pockets and are in a world of their own. If you see these latter signs when you approach someone, it is a clear signal that they do not want to interact with you or, depending on the situation, have something to hide. Another common display, and I am sure many of us are familiar with the saying, is “keeping you at arm’s length”. Well, this is true: we will extend an arm to keep people at a distance that we feel keeps them out of our personal space. You often see this in crowded places, and situations of conflict.

Finally we shall quickly look at the arms’ language regarding dominance. We have spoken about this a little before, in how humans spread their legs to take up more room, in a sign of territorial stance. The arms can also play a similar role. People spread out their elbows and place their hands on their hips to take up more space, and show they are dominant in that space. The more or less territory someone takes up is a good sign of how confident they are feeling at that time, in the situation they are in. Another sign of dominance with the arms is when people put their hands behind their head, with elbows pointing out. This is a very confident, laid-back approach, signifying authority and that you’re in charge and mean business. Similar to this is having arms spread out spanning multiple chairs, or a bench, as well as planting your hands with arms splayed out on a desk, in an authoritarian manner.

Hopefully you found this information interesting and insightful. As per usual be mindful, keep your eyes open and watch for what’s happening around you.

Many people say it’s the little things that count; depending on what you’re talking about, your partner may or may not agree with you :) However, when it comes to body language type stuff and reading people there is a little something worth paying attention to, and that’s micro expressions.

Wikipedia Definition – A microexpression is a brief, involuntary facial expression shown on the face of humans according to emotions experienced. They usually occur in high-stakes situations, where people have something to lose or gain. Unlike regular facial expressions, it is difficult to fake microexpressions. Microexpressions express the seven universal emotions: disgust, anger, fear, sadness, happiness, surprise, and contempt. They can occur as fast as 1/25 of a second.

Microexpressions were first discovered / documented back in the 60s, however I didn’t become aware of the studies and research until reading the work of Paul Ekman in the early 90s. Back then I didn’t look into it too much, and it’s only been the last 18 months or so that it’s really piqued my interest, again from a social engineering perspective. I will also say in the last year people have been made a lot more aware of microexpressions due to the TV show Lie To Me with Tim Roth.

There are supposedly 7 universal microexpressions, however like anything it is important to study people to define the baseline of an individual. Below are some examples (from the TV show) of what these 7 microexpressions look like.

So why should you bother looking into microexpressions? Well, it’s simple: it provides you with a guide (educated guess) as to whether someone is lying to you, as well as providing additional information as to how people are really feeling when responding to your questions and presence. I am sure you are aware of the tells and expressions of people close to you, and those who you interact with on a regular basis. No doubt it took you some time to become familiar with those expressions and the hidden meanings behind them.

So if you want to go about learning these skills there are a few things you can do. The easiest and cheapest is to study people in your everyday observations and interactions. You could even team up with friends and go through various Q&A sessions, then study and note the responses. Another option, which I recommend in conjunction with the previous suggestion, is to read various materials on the subject, but also look at videos, political speeches and training sessions to improve these skills. Personally I find I learn a great deal more from videos and images than text alone; especially with this sort of material it is essential.

The only tools I am familiar with myself are those of Paul Ekman, both the METT (Micro Expression) and SETT (Subtle Expression) training tools. These tools feature large collections of images, showing quick demonstrations of expressions to learn and test yourself. For more information on Paul’s tools check out his website. I think he used to have some free tools, however now there is a demo option, and then the charged options ranging from $20 – $70.

All the best with honing your human lie detector skills :)

Getting into character is an important part of being successful on a social engineering engagement. You may be physically impersonating a sales guy, engineer, employee, or you may be carrying out your fiendish work remotely, gathering data and setting up meetings. Either way you should be clear in your mind who you are, who you are engaging with, and what you want out of the activity; you need to be clear on your motivation.

When I think of this, my immature side (say nothing) hears a rather camp actor shouting at the director asking, “what’s my motivation darling”. OK so I am odd, let’s use the above imagery to demonstrate the motivation to run through the opposition to score :)

So with this in mind I wanted to quickly talk about something a little NLP-esque that I think you will find helpful, and if fully embraced will really help with your attitude, approach, body language, facial expression, tonality and more when carrying out an engagement. This little something is called Mind Scripts, and is something I first heard about when studying cold reading and hypnosis, but have also heard similar approaches from an NLP context, and in sales type books on engaging and building rapport with people. (I am not 100% sure who coined this term, I think it may have been Ian Rowland, but please don’t hold me to that).

So what is a Mind Script? Well, a mind script is just a simple, short, concise and positive statement about the activity or interaction you are about to engage in. This statement you repeat to yourself mentally before and during the engagement.

Don’t reject this concept just yet please, as some pointless simplistic activity. You will actually find that you make a huge difference as to how you come across to the person(s) you are interacting with when you run an appropriate mind script. If you think about it we are unconsciously running a mind script of some kind all of the time; simply waking up and telling yourself it’s going to be a crappy day then becomes a script you will be running. This then affects how you interact, your attitude and the effect you have on others unknowingly.

Here are a couple of examples of a mind script to give you an idea of how simple they are. I then encourage you to try running appropriate scripts before going into a meeting or interacting with people one to one, as a form of practice. If you think about it, it really does make sense, but I would like to hear from people with their thoughts, comments, successes and failures. Obviously remember there is NO FAIL :)

I know you, you know me, I belong here

I like you, you like me, this will go well

I respect you, you respect me, and we will have a good discussion

I am an expert, you know I am an expert, there will be confidence in my recommendations

Hopefully you get the general idea from these brief examples, think positive, be positive. A positive mental attitude, positive things happen to positive people, that’s what I tell myself anyway :)

This week we are going to look at body language again. In a previous post we looked at how the legs and feet have a lot to tell us; in this post we are going to uncover what the upper body can reveal to us.

The torso is made up of the shoulders, chest, abdomen and hips. The torso is capable of giving us some clear limbic responses: due to what is housed inside, we subconsciously look to protect what matters most. A perfect example of this is when an individual crosses their arms, or holds an object in front of them. This is a clear sign of protection and/or comfort, which will often signify discomfort with a topic of discussion, or the presence of someone who makes them uncomfortable. It’s also important to be aware of the subtle forms of this which may appear in the prolonged adjustment of a tie, cuff links, breast buttons, etc.

People pivoting, leaning and moving their torso away from an individual is also an interesting tell of disgust. This may be to the individual themselves, the opinions they share, or the activities they have done. This can sometimes be coupled with arm crossing for even more impact. On the other hand, someone who is leaning in and open shows interest, admiration and a strong focus of interest. A middle ground can often be people’s stiffness and a form of rigidity. This can be an opinionated position, standing tall and snooty, as well as possibly a freeze type of approach, trapped in the headlights. Another sign is when someone is bowing at the waist, leaning over a little with head looking at the floor; this is another gesture of shame.

We have spoken before about looking to acquire more territory. This can also be seen from how people are seated, all splayed out, torso laid back in an effort to take up more space, and be perceived as more dominant. This can also be a clear signal of lack of interest, and disregard for an authoritative figure. They are clearly playing their game; you need to make swift adjustments to get them playing your game. Another form of being territorial is the puffing out of the chest. This is done by all animals, including humans, and is an initial sign of trying to be more dominant, looking to be bigger and stronger than your opponent. This is a clear sign of a challenge.

On the flip side, shrugged shoulders with someone’s head lowering is a clear sign of heavy burden and shame. These tells give a good indication, when challenging in a group, of someone who is ashamed or disappointed, or in regret. Shoulders can tell you more also, especially in a shrugging situation under questioning. A clear high shrugging of the shoulders is a sign of a confident response; a lower half-level shrug, or perhaps only one shoulder moving, should be considered dubious, and demonstrates a lack of commitment in the response being given. Something in-between, where the shoulders rise and fall slowly, shows signs of discomfort; they are perhaps uncomfortable and are not feeling confident.

Some people say the torso is the billboard of the human body, and this is very true. We reveal and hide a lot of information in the torso area. This is where we have our badges, wear jewellery on show, may have shirts buttoned up or down. This is another example of really being what we wear, and this also sends a message in conjunction with the other tells we observe.

As before, this information should be a guide, and built from a person’s baseline of how they move and operate. I know you will have seen these body signals before, and perhaps have been unaware what’s going on. Have fun and watch people, and look for the other information people are dishing out in this area. Body language is relatively easy to understand as you look at it over time, and listen to the associated discussions to build up a frame, and remember to use this information to adjust what body signals you are giving off.

The human body is a wonderful thing, I admit some more wonderful than others, but I digress.

We all give off subtle signals, cues and tells. These are subconsciously taken in, but consciously we are not always aware of what is happening. We can make ourselves more aware of how our body is communicating by becoming masters of observation, and learning someone’s baseline, and then looking for movements outside of the norm.

Wikipedia Definition – Body language is a form of non-verbal communication, which consists of body posture, gestures, facial expressions, and eye movements. Humans send and interpret such signals subconsciously.

Of course most of our subconscious movements are generic to everyone, with only slight changes due to cultural changes. It was my initial plan to consolidate the whole body into a single post, however I think it would be better to do a series covering the different parts of the body. So this post focuses on possibly the most revealing part of the body, that is often not considered… The legs and feet. In the future we will look at the torso, hips, chest and shoulders, the arms, hands and fingers, and lastly the face.

The Feet and Legs

If you were to ask most people the question “what part of the body gives the most away, if you were looking for information from body language?” I think most would say the face. Although this is true, and we do give a lot away with facial expressions, eye movements, and touching of the face, the legs and feet have a lot to say also.

So why is this so? Most of our movements from a body language perspective happen subconsciously, so we are not really sure what is happening; it’s our limbic system doing what it does best, controlling emotions, behaviour and more. Our legs and feet in particular are often hidden out of sight, so out of sight, literally out of mind. This is why the lower part of our body can give a lot away, and ensuring we pay close attention can tell us a lot.

What to look for, and what does it mean

Wiggling and bouncing feet is something people would normally relate to a child, but it’s something we don’t forget as we get older; we just take it for granted. However, if you observe someone after they receive good news, you will see them demonstrate the high confidence tell that is wiggling of the feet. Obviously looking directly at the feet will make viewing very easy, but looking for bobbing shoulders is also a good sign of what is happening down below. It is important to realise there are subtle differences between this and moving legs and feet that signify impatience, such as a tapping foot when you are waiting for a late bus.

Feet can also non-verbally signify when we find a situation or individual agreeable. We turn towards things we like, and away from what we do not; the important thing here though is how much we turn. If we turn our whole body, we are showing 100% commitment to how we are feeling, however if we just turn our upper torso, then if we look at the feet, they are normally communicating the truth. When you greet someone, if they turn around to face you, they are welcoming you; if they just turn their upper body, they are probably not so keen, and their feet demonstrate they would like to continue as they were. You may also notice how the feet change during an interaction, moving from facing you, to one or both feet pointing in another direction. This is a signal that they would like to conclude the interaction and head in the direction their feet are heading. Another example is when someone is being questioned, or interviewed. They may be sat facing you, but as difficult questions occur, you may notice the feet pointing towards the door. This is a signal they would rather not be there; this may be doubled up with clutching or rubbing of the knees, giving the intention of wanting to get up and leave.

So how about the legs? Legs can tell us a lot about how someone is feeling. If someone is relaxed and standing or sitting cross-legged, they are comfortable with the situation. The reason for this is they are unbalanced, and not in a position to make a quick getaway. If this changes to both feet firmly on the floor, then this is more of an assertive stance, and a position from which you can make a prompt getaway.

The legs also can show you when someone is looking to be assertive. This is a territorial stance and you will see that people open their legs wider to take up more and more space. When two people are challenging each other you can see each other’s stance slowly widening. This is something you see even more commonly with military and law enforcement individuals.

Another example of where the legs and feet tell us what we are thinking is when we are sitting with our legs crossed. If we are sat with our legs crossed with our leg facing away, this is a form of protection and creating a barrier. Leg crossed facing towards removes the barrier, and shows comfort. Interestingly, in this position we can see that some people will also jiggle their leg naturally. This is not necessarily a sign of nerves; in fact it may be comfort. However, you may notice this jiggle change to more of a kicking motion when questioned and a topic of discomfort occurs.

I hope this was of some interest, and there is obviously a lot more to it, and it all seems very obvious once you become familiar. I recommend reading the papers and books of Joe Navarro if you want to learn and study more. So next time you are speaking with people, see what their feet and legs are doing, and next time you experience this yourself, adjust your body language. Can you send a mixed signal?