In the wonderful world of InfoSec we often talk about zombies, and the associated botnet zombie army. With our army of machines we can do our evil bidding, and wreak havoc upon the unexpected users of the Interwebs.

So what’s this got to do with social engineering? Well, I was talking to Jayson Street last week about some of the techniques I have used to get information and assistance from people on the inside of an organisation to help me with an engagement, and I kind of likened this to creating my own little army of zombies who are willing to do my bidding when asked.

So I will just talk you through a few scenarios, you can then use this information to help formulate your own approach on engagements, and use this information to enhance your training and awareness around social engineering.

One of the key things to realise when you’re looking to do anything that requires influencing and manipulating people is that we are all going about life playing our own game, or if you’re an NLP fan, operating in our own frame. So when we want someone to accommodate our requests, we need to get them to stop playing their game and start playing ours. We need to re-frame.

One of my most successful approaches to this in social engineering is the use of a fake, slightly altered get-out-of-jail-free letter. This letter starts off by congratulating the individual on challenging you, then goes on to explain a modified story of what the engagement is, and that they can now be brought into the circle of trust and help facilitate.

This does a few things. First of all we are starting with positive acknowledgement of success. We all like to be told when we have done well, and having this confirmed in written form as well as verbally is a double whammy. You may even want to take this opportunity to anchor the positive emotions for later use. Next, they are given formal written approval to help out on this engagement, so it must be official, and they now feel a bit more important. Lastly, and I think this is my favourite part, they are brought into the circle of trust. No one likes anything more than to be part of the secret squirrel brigade; it’s all hush hush and James Bond like.

I find this approach works especially well with security guards. So then you have your zombie, who has internal knowledge and access to most areas within the facility.

Another approach is that of rapport and conformity. This approach requires time invested outside of the targeted facility. The recon process is essential, so you will build up a good understanding of the company, the various departments, some key senior names, etc. You then identify a common location where employees gather. This could be a lunchtime or after-work cafe or pub, basically somewhere that over time you can have a high level of certainty you will see the same people appear repeatedly.

The next stage is then to build up some rapid friendships, familiarity and some form of common ground. Everyone’s approach here is different; however, as I have mentioned before, I use the mentalism and beer route, on the premise that most people like a drink, and magic.

So from here people will see you doing different demos in that environment; work your way around to the target whilst building up their interest. At the appropriate time you start interacting, showing the individuals something interesting, and getting people laughing and having a good time. We like people who make us laugh, and we like people who we consider to be similar to ourselves. Now is the opportunity to also ask for information about them, where they work, what department, etc. This achieves confirmation of your research and builds up rapport. You can then reciprocate with false information about you recently joining the company also, and that mentalism etc. is your hobby when you’re not working in such and such department.

Now we have a new friend. Friends look out for each other. We can use this friend to get a bit more information about the business, its strengths and weaknesses. Now when we look to get into the company we can utilise our friend, either entering at the same time as them, or having reception call them to verify you.

So those are just two examples of methods you can use to get people playing your game. You may look to use them directly as described, or more indirectly, using these techniques for misdirection to assist a colleague to gain entry.

Finally I will give you a hypnotic example of creating your own REAL Zombie utilising the power of the mind.

Those of you who are not familiar with hypnosis may be pooh-poohing this already, but please read on for enjoyment if nothing more.

So in this scenario I will use a similar approach to making a new friend, or at least building up a relationship that allows me to demonstrate mentalism and hypnotic phenomena.

So I will go through the motions, and assuming the subject is working well with me and what many would class as the more impressive phenomena, such as amnesia, are working, then I would look to make a post-hypnotic suggestion and give amnesia for the suggestion. As an example, you could give the suggestion that the next time you meet and say “let me in” they believe 100% unconditionally that you are authorised to be onsite, and to have access to any areas requested. You then remove conscious memory of this suggestion, in the knowledge that the subconscious will act as expected. If there is going to be a big time gap, it is important to include some time frames in the suggestion also.

The next step is of course to try it. Obviously you have tested other phenomena before giving this post-hypnotic suggestion, so you do have a level of confidence; however, the brain is a strange and mysterious thing, and many things can impact the work you have done beforehand. So, as with all social engineering engagements, have a plan B, C, D, etc.

The longest I have gone between giving a post-hypnotic suggestion and executing it is a week; however, in theory, with the correct instruction and intent it should work with a gap of weeks, months or a year. In my experience the less time you leave the suggestion, the more successful the results, but this is no doubt a skill issue with me: practice, practice.

As with all of this, look to practise with permission, and try things on a less elaborate scale. So try just making friends with people in pubs and cafes to test your rapport-building skills. Try and get people to help you out in different situations and environments; get them playing your game. If you are interested in the hypnosis side of things, of course the most important thing is to learn the foundations first and then build up; then, when you are at the right stage, try simple-to-understand post-hypnotic suggestions. Something like: when I tap you on the shoulder and ask you for a beer, you will believe I have just bought you one and it’s now your turn. The process for the suggestions is all the same; obviously some have more of an impact if they don’t work than others.

When I speak to people (non-InfoSec passionate types) about the work and research I do around the content I post on Head Hacker, I normally get a few responses: shock, disgust and intrigue. People are shocked because they are not aware of some of these skills and processes; they are disgusted because it’s not right, it’s not ethical, and a breach of human rights; and then we have the intrigue as I start to really explain what it’s all about, and what I am doing. People are curious about how this knowledge can help and protect them.

So this got me thinking: perhaps I should write a post on why I think people think social engineering is unethical, and why I consider the majority of it to be ethical, though I do think in some circumstances there is a grey area. I have asked quite a few people about their ethical standpoint when it comes to social engineering, as I have on a couple of occasions had semi-heated discussions with organisations about techniques that can and can’t be used on an engagement. I personally find most professionals ethical in their approach, but some comments from some do make me shudder. I am confident in the fact that I only operate in areas where I feel comfortable that I will be operating in an ethical manner; other areas I have not quite figured out continue to be researched and debated both internally and externally.

In the research I have done on the ethics of social engineering, I have really not found there to be anything about it; perhaps people don’t care? I think it is a real issue that all professionals should consider, and take time to reflect upon.

Why people think Social Engineering is unethical….

In my experience most people say social engineering is unethical because you are tricking or conning someone, stealing data about them, using the information to access sensitive information, get free stuff, gain entry and generally manipulate people to do things or disclose information. I totally understand this thought process, and in a way I think they are correct: there are people out there doing this, and they are both good and very effective with the skills they have; they have become lifetime criminals.

The key issue here is the perception, and it’s a negative one. Not everyone uses their knowledge and skills for breaking the law; they use their skills and knowledge to better the populace, to inform and educate to make people less likely to become a victim. The truth of the matter is, you don’t really stand a chance of beating the bad guys unless you are exposing yourself to the same skills, tools and environments.

To draw an example, medicine can be used to cure and relieve pain in the right hands. The same medicine in the wrong hands and with the wrong intent can be used to inflict pain, and even kill. Knowledge, process, tools, etc. can all be used for positive and negative; it’s the individual who is responsible for the actions and the result.

Why and how I think Social Engineering can be ethical….

The first reason I think social engineering is ethical is the intent. Now I am not saying that the outcome of the exercise could never enable someone to do something malicious, but I don’t think this is a justifiable reason not to gain knowledge, research, test and experiment. If we never did this, the human race wouldn’t evolve. So I feel that any social engineering engagement or activity I undertake or become involved in is for a positive outcome, and where appropriate I always seek permission at a high level, and understand any specific areas that are no-go, as well as using my own common sense and experience to guide me. People intentionally manipulate people every day; we have all been doing this since birth. We all have different reasons for manipulation; perhaps we feel it would be best for the person, or best for us. When we negotiate to get a reduction on an item we are buying, this is a form of manipulation, but as we feel we are not harming anyone, it’s considered ethically and morally OK.

So I feel that if you are researching, carrying out SE with permission, and using the information to benefit people, educate and bring awareness, it can be ethical, and this is certainly how I believe I go about things.

It’s a little grey….

So there are some grey areas. Can an organisation give you permission to manipulate and extract information from the staff they employ? Should people who are subject to social engineering activities be punished for being the weak link in the chain? If you gain generic permission, let’s say to hypnotise, then you use this permission to extract sensitive data, is that ok? I am sure we can all think of many more situations that are not so clear.

To be honest, when it comes to these grey areas I am not sure of all the answers. However, I try to limit these grey areas by defining up front, in an appropriate level of detail, what could happen as part of the assessment, the types of scenarios and ways to extract data, and that individuals will not be named in reports. Obviously the company may use other techniques to help identify how this information was gained, but that is outside my scope of responsibility. So to that end I would say that I am operating in an ethical manner, and so would anyone else who has considered the above issues. When in doubt, don’t do it; if your internal ethical and moral compass is unable to guide you, get additional information and input from others who are in an informed and experienced position.

I certainly don’t think the grey areas are reasons not to carry out social engineering engagements; the criminals are not concerned about ethics, and to test we need to adopt this mindset to a certain degree. It is also important to share our thoughts and research, and we have to let individuals dig further and use this information as they feel is most appropriate.

So to conclude, if you are interested in social engineering, and you want to work with, investigate and research the skills associated with it, do so in a professional and ethical manner. Be mindful of what you’re planning and put yourself in the subject’s position: how would you feel if someone did to you what you are planning on doing to them? If you’re happy, then it’s most likely a good sign you will be operating in an ethical manner.

No one has all the answers, but it’s a conversation worth having, and to continually question is a good thing. I hope people reading this will want to share their thoughts and experiences, so I welcome and look forward to reading your comments.

I know what you’re thinking! See what I did there :) Seriously though, this post is going to give you a little insight into cold reading: what it’s all about, a few facts and some ideas on how you might want to put this skill to good use.

Wikipedia Definition – Cold reading is a series of techniques used by mentalists, illusionists, fortune tellers, psychics, mediums and con artists to determine or express details about another person, often in order to convince them that the reader knows much more about a subject than they actually do. Without prior knowledge of a person, a practiced cold reader can still quickly obtain a great deal of information about the subject by analyzing the person’s body language, age, clothing or fashion, hairstyle, gender, sexual orientation, religion, race or ethnicity, level of education, manner of speech, place of origin, etc.

So what is cold reading all about? Essentially it’s the process of giving general statements (Barnum statements) that an individual will find and believe to be very specific and meaningful to them as an individual. This can be achieved with generic statements, or using information gleaned from other sources, body language and general observation.

You may have experienced this yourself if you have been to see a psychic, palm reader or similar. Now before anyone flames me, I am not saying that some people may not have a gift, or at least believe they do, but I have not seen for myself or seen anything documented that convinces me that some sort of cold reading is not at work. Depending on your scepticism you may find the experience interesting, revealing and worth the money; you probably also like to read about your star sign in the daily newspaper.

I don’t bother trying to convince people otherwise for two reasons. First of all, we are all entitled to our own opinions, and as long as you are entering into the experience with a sound head on your shoulders, and are happy to shell out the money, I guess there is no harm. The other reason is that I have tried to explain why, in my opinion, it’s all a load of crap, and I had the opposite outcome: the individuals involved believed that I had some sort of psychic abilities. I thought it was rather humorous, so I will quickly give an overview of the story.

So I was in a pub (common theme here) and a couple of friends were talking about how they had been to see a psychic, how accurate they were, and how it would help them make some difficult decisions they were facing. So I said I thought it was all a load of crap, etc. etc., and that I could prove it, as I could give them a reading using a system I had partially learnt at the time. So I went through the process with the first friend, getting them to visualise, etc. etc. Then I gave them what they called an amazing reading; they were amazed at the accuracy for things I couldn’t have known. The other friend was then also keen after this. Another reading, totally different and again spot on. I was sure I had proven my point. Sadly the result was that as well as being a hypnotist, I must also have some sort of psychic powers, I have the gift…… I give up :)

From a social engineering perspective I believe there are a few benefits. With my style of SE, where I look to use a mixture of performance, mentalism, hypnosis etc. to get information in a social environment, it obviously has benefits, as the example above shows. You can leverage a good cold reading to then have an intensive and revealing discussion, and during this time extract specific information you may be after for an engagement. It’s probably not a surprise that after this type of phenomenon people are either very curious and want to discuss more, or have totally bought into you; rapport is at an all-time high and they could be willing to share all sorts with you.

Obviously once you become more familiar with the process and the lingo, you can simply use the methods and statements in a non-psychic setup. Simply use the cold reading techniques to aid with getting buy-in and manipulating a subject. You can use these skills to make people more interested in you as well as to make people uncomfortable. This can be done in person, via the phone and even by mail, as the statements will appear to give you knowledge about the situation, the individual and the context of the discussion. I really do suggest people look into cold reading at some level with the mindset of applying it in a social engineering context.

If you are interested in reading about cold reading, and how it can be used for manipulation, I really do recommend The Full Facts of Cold Reading by Ian Rowland. Its contents will help you understand the techniques of cold reading; where you take and use these techniques is up to you.

Feel free to check out the Resources section regularly for my recommended readings and products.

Examples of Barnum Statements:

  • You’ve gone through a lot of ups and downs over the past few years, emotionally and financially, and that has caused some stress in your life.
  • You have a creative streak that you aren’t always able to indulge in.
  • You have a fear of rejection.
  • You feel guilty about and worry about things that are completely out of your control.
  • You are often too critical of yourself.
  • Some of your goals seem to be a little unrealistic.
  • You do not accept what others tell you to believe.

Last night I went to see Derren Brown’s Enigma show at the Alexandra Theatre in Birmingham. It’s no surprise that I am a huge fan of his work; he’s a great manipulator and performer. The show was excellent. I really enjoyed the control Derren has over his audience, and what I consider to be very subtle and highly effective linguistic skills. The show lasted almost 3 hours including a little break (I took the opportunity to do some card mentalism at the bar), and he really was on form throughout. Derren asked that no one speaks about the content of the show, so I will respect his wishes, but I really do recommend you go and see the show if you can; you will not be disappointed. The show has given me some other ideas and applications for my mentalism, as well as another possible SE approach, and I look forward to developing these.

I will say I only had one disappointment, and that was not getting to say hello to Derren after the show. Apparently he wasn’t feeling too well, which is fair enough; shame the guy on the door was a complete arse (not part of Derren’s entourage).

I am sure this will be released on DVD at some point, as I believe it was filmed, and he has a new book coming out soon, so if you’re a fan keep on the lookout.

Mentalism. I am sure you will have heard the term mentalism, or someone telling you they are a mentalist, and I am sure you probably agreed, thought they were a nut case, and should be put into a straitjacket and wheeled off to the funny farm. Mentalism in this context is not quite the same.

Wikipedia Definition – In psychology, mentalism refers to those branches of study that concentrate on mental perception and thought processes, like cognitive psychology. This is in opposition to disciplines, such as behaviorism, that see psychology as a structure of causal relationships to conditioned responses and seek to prove this hypothesis through scientific methods and experimentation.

Mentalism is a performing art in which its practitioners, known as mentalists, provide their audiences with a theatrical experience of witnessing or participating in demonstrations that appear to utilize highly developed mental or intuitive ability. These demonstrations may include telepathy, clairvoyance, divination, precognition, psychokinesis, mediumship, mind control, memorization, and rapid mathematics.

When I am thinking of mentalism I am thinking of a combination of perception, performance and direction. To categorise yourself as a mentalist is something I am sure many people would not consider doing, but many most likely fit the bill. If you are using skills to build rapport, influence behaviour, mimic and read body language, read facial expressions and other such skills, this is essentially what a mentalist performer is doing.

We will cover different levels of skills, and what forms them, in later posts, but skills such as cold reading, behavioural analysis and more can help us all day to day, and especially when we consider social engineering.

A quick example is facial expressions and eye movement, which we can use to our advantage. We can use these skills in general discussion, persuasion, questioning and more. Some of the following is also discussed in regard to NLP, but this is just a simple example to show some commonalities in people when monitoring eye movement.

The face below represents an individual we are looking at straight on. When you ask someone a question you will see eye movement towards a zone that represents their representational system. Remember everyone is different, so we need to build up rapport, and monitor, measure and test for accuracy.

Zone 1 represents visualistic, Zone 2 auditory, and Zone 3 kinaesthetic.

When you ask someone a question that requires them to access buried information in their memory, you will notice their eyes look towards their most dominant zone. Some people remember images better (Zone 1), some people remember how something sounded (Zone 2), and others with feeling and emotion (Zone 3).

To start off you need to ask a question that will trigger old memories, and that will get an honest response. A simple example here could be “what was your first pet?” or “who was your best friend at primary school?”. Someone who visualises this memory will look up, and picture an image. Those who work better from sounds will look to the side, and hear a person’s voice or an associated sound. An individual who feels and experiences will tend to look down, recalling the great times experienced and the emotions associated. So this demonstrates we are all different, and that the key is asking the right trigger questions to build up a baseline before probing further. It’s a bit like a visual lie detector.

If we look to get a better understanding we can go a bit deeper. We can look to identify if a memory is actually being recalled, or if someone is making something up.

So you have determined the predominant zone, and we now use this information to gain extra information. Most people are visualistic, so if you do struggle to identify it clearly, Zone 1 is often a safe bet; just be aware.

Looking at the diagram above, if someone is looking towards area 4 they are most likely accessing a memory; if area 1, they are making something up. Similarly, if they look to area 6, this may demonstrate a conflicting issue, perhaps touching on a difficult subject. However, area 3 would demonstrate a more emotional response. When we see eyes moving between areas 2 and 5, this will verify the auditory nature, and lingering in area 2 may signal a lie is being thought up.

The key here is to experiment: identify normal behaviour, measure it against normal questioning, and then under interrogation. Obviously there are many books on this, and this is just a brief overview.

So why did I discuss all this? Well, one, it’s interesting, but two, it is to demonstrate how this information can be utilised, and it is one of the tools a mentalist may use to convince someone of their psychic abilities.

We can use this information not only to spot who is cheating, but for other benefits too. So when we are explaining something, or trying to get someone to buy in, we can focus our language according to the visualistic, auditory and kinaesthetic representations to improve our chances of success.