In the wonderful world of InfoSec we often talk about zombies, and the associated botnet zombie army. With our army of machines we can do our evil bidding, and wreak havoc upon the unsuspecting users of the Interwebs.

So what’s this got to do with social engineering? Well, I was talking to Jayson Street last week about some of the techniques I have used to get information and assistance from people on the inside of an organisation to help me with an engagement, and I kind of likened this to creating my own little army of zombies who are willing to do my bidding when asked.

So I will just talk you through a few scenarios, you can then use this information to help formulate your own approach on engagements, and use this information to enhance your training and awareness around social engineering.

One of the key things to realise when you’re looking to do anything that requires influencing and manipulating people is that we are all going about life playing our own game, or if you’re an NLP fan, operating in our own frame. So when we want someone to accommodate our requests, we need to get them to stop playing their game, and start playing ours. We need to re-frame.

One of my most successful approaches to this in social engineering is the use of a fake, slightly altered get out of jail free letter. This letter will start off by congratulating the individual on challenging you, and then go on to explain a modified story of what the engagement is, and that they can now be brought into the circle of trust and help facilitate.

This does a few things. First of all we are starting with positive acknowledgement of success. We all like to be told when we have done well, and having this confirmed in written form as well as verbally is a double whammy. You may even want to take this opportunity to anchor the positive emotions for later use. Next we are given formal written approval to help out on this engagement, so it must be official, and we now feel a bit more important. Lastly, and I think this is my favourite part, they are brought into the circle of trust. No one likes anything more than to be part of the secret squirrel brigade, it’s all hush hush and James Bond like.

I find this approach works especially well with security guards. So then you have your zombie, who has internal knowledge and access to most areas within the facility.

Another approach is that of rapport and conformity. This approach requires time invested outside of the targeted facility. The recon process is essential, so you will build up a good understanding of the company, the various departments, and some key senior names etc. You then identify a common location where employees gather. This could be a lunch time or after work cafe or pub, basically somewhere that over time you can have a high level of certainty you will have the same people appear repeatedly.

The next stage is then to build up some rapid friendships, familiarity and some form of common ground. Everyone’s approach here is different, however as I have mentioned before I use the mentalism and beer route, on the premise that most people like a drink, and magic.

So from here people will see me doing different demos in that environment, work your way around to the target, whilst building up their interest. At the appropriate time you start interacting, showing the individuals something interesting, and getting people laughing and having a good time. We like people who make us laugh, and we like people who we consider to be similar to ourselves. Now is the opportunity to also ask information about them, where they work, what department etc. This is achieving confirmation of your research, and is building up rapport. You can then reciprocate with false information about you recently joining the company also, and mentalism etc. is your hobby when you’re not working in such and such department.

Now we have a new friend. Friends look out for each other. We can use this friend to get a bit more information about the business, strengths and weaknesses. Now when we look to get into the company we can utilise our friend, either entering at the same time as them, or having reception call them to verify you.

So there are just two examples of methods you can use to get people playing your game, you may look to use this directly as described or more indirectly and use these techniques for misdirection to assist a colleague to gain entry.

Finally I will give you a hypnotic example of creating your own REAL Zombie utilising the power of the mind.

Those of you who are not familiar with hypnosis may be poo pooing this already, but please read on for enjoyment if nothing more.

So in this scenario I will use a similar approach of making a new friend, or at least building up a relationship that allows me to demonstrate mentalism and hypnotic phenomena.

So I will go through the motion, and assuming the subject is working well with me and what many would class as the more impressive phenomena such as amnesia is working, then I would look to make a post hypnotic suggestion and give amnesia for the suggestion. As an example you could give the suggestion that the next time you meet and say “let me in” you believe 100% unconditionally that I am authorised to be onsite, and to have access to any areas requested. You then remove conscious memory of this suggestion, in the knowledge that the subconscious will act as expected. If there is going to be a big time gap, it is important to include some time frames in the suggestion also.

The next step is of course to try it. Obviously you have tested other phenomena before giving this post hypnotic suggestion, so you do have a level of confidence, however the brain is a strange and mysterious thing, and many things can impact the work you have done beforehand. So as with all social engineering engagements, have a plan B, C, D, etc.

The longest I have gone between giving a post hypnotic suggestion and executing it is a week, however in theory with the correct instruction and intent it should work with weeks, months or a year’s gap. In my experience the less time you leave the suggestion, the more successful the results, however this is no doubt a skill issue with me, practice practice.

As with all of this, look to practice with permission, and try things on a less elaborate scale. So try just making friends with people in pubs and cafes to test your rapport building skills. Try and get people to help you out in different situations and environments, get them playing your game. If you are interested in the hypnosis side of things, of course the most important thing is to learn the foundations first and then build up, then when you are at the right stage, try simple to understand post hypnotic suggestions. Something like when I tap you on the shoulder and ask you for a beer you will believe I have just bought you one and it’s now your turn. The process for the suggestions is all the same, obviously some have more of an impact if they don’t work than others.

I have had a few people mention to me in person, and via email and twitter about the social engineering competition that took place at DEFCON 18, and if I think it was right or not, as many people seem to have mixed feelings about what went on.

So I am going to take the opportunity this week to speak briefly about my thoughts, however I will make it clear that I was not at DEFCON, and I don’t have any insider knowledge on the event (although I do know the winner) and any information I mention about the event is just my understanding, so don’t take it as gospel.

If you are not familiar with the Social Engineering CTF – How Strong is Your Schmooze, then check out this link for the rules and guidelines that were published online.

So do I think social engineering competitions are good? YES, however I would caveat that answer with the following. I agree that social engineering competitions are a good idea if they are run responsibly, with the right intent, in an ethical and somewhat controlled environment. I think the DEFCON SE CTF was carried out in this manner.

Why do I think it’s a good idea? Well you have probably all seen it, and I even have the T-Shirt. There is no patch for human stupidity. I believe this isn’t the case, however the reality is people are lazy, lack understanding, and would rather stick their head in the sand than try and understand the problem and fix it. People are complicated.

Social engineering engagements of any type help to identify the gaps in the human element (wetware), and let’s face it there are a lot of crap social engineers around, who don’t really know what they are doing, but are still pretty successful, because the controls are non-existent, or ineffective. Don’t get me wrong, I think it’s a good thing, because let’s face it, if someone with not a lot of skill can get in, you’re more than just screwed, as someone who takes a proper interest, and knows what they are doing, is going to cause some real damage.

So what does a social engineering competition achieve? I think it does a few things, and if done properly everyone benefits. So first of all, anyone who participates as an SE gets to experience some elements of social engineering, can test their theories, see what happens and learn. People outside of the event learn something, perhaps the penny will drop that this stuff is real, and has been going on since humans walked the earth, and perhaps they will try and be more mindful as a result of what they hear, even if it’s not truly factual. Then the companies who have been selected also get something out of it, they get a free remote assessment. I am not sure what information the organisers share with the companies involved (perhaps legal implications, based on permission) but regardless they know they have been targeted and in all likelihood have had data extracted. This can then signal some internal movement to up the priority on awareness, and they have some real world example to draw on.

Criminals don’t care about the people or companies they are attacking, they just do what they need to do to succeed. As social engineers, we can replicate this attack in a controlled and ethical approach, this is a big benefit. Companies need to look at the bigger picture, the full scope. Get your head out of the sand, great you have got a firewall, it’s all locked down, bully for you, don’t think an attacker isn’t going to use another vector.

So just to conclude, I think everyone involved can benefit from a social engineering competition, I guess the only grey area and again I don’t know the details is if the companies that have been targeted have not given consent. However I think this is covered to some extent based on the rules of engagement, and what information is allowed to be extracted, and how it is handled after the event. I think anyone would be naive to think that people other than criminals are calling companies and extracting information to benefit themselves in one way or another, context is a crazy thing. Intent and responsibility is to me what really is the deciding factor when it comes to ethics.

It’s my understanding the SE CTF guys had various discussions with the EFF to ensure they were going about things in the right manner, and I believe there were also some discussions with the FBI, who may or may not have given the companies selected a heads up. Regardless the event was allowed to continue and was highly publicised in the media.

I can understand why some people may be a bit dubious about these events, and I think that’s only natural as good people will often consider possible ramifications, but I hope that over time we can see more events similar to this, and educate everyone in the process. Together we can make people more informed, and help them to operate in a more mindful manner.

There is no silver bullet, but we can apply a patch to human stupidity to reduce the risks and exposure.

One of the best things about the InfoSec community is the people. Sure, like everywhere there are the idiots, big headed know-it-alls, and the leechers, but in general we are a supportive bunch, and happy to share.

So this brings me to this blog post. Many of you will know that one of my other interests is Lock Picking, and there is this guy called Schuyler Towne (@shoebox), and he likes lock picking… just a little bit :)

So why am I sharing this information? Well, he has set up a Kickstarter project to help get some funding to release his own custom made picks. Now you may be thinking you have got picks, and that’s great. However custom made picks can improve your picking, they look funky, and hey you’re supporting the community.

I think the pledging opportunity is over at the end of September, so get in now and play your part. Oh and there is also something in it for you.

Click the image below and check out the video for the full story…

Language and communication is of great importance when it comes to manipulation as part of social engineering, or any situation where you want to try and get your way.

So it would be interesting to learn that you double your chances of getting your desired outcome, simply by making your request to the right ear.

Well it’s totally true. I have tried this myself, of course I haven’t been carrying out documented studies, but there does seem to be some factor of increase when making requests, and having someone be compliant and receptive when you ask via the right ear.

I heard about these studies that focused on the natural expression of the hemispheric asymmetries. This is all about how your brain operates and processes requests, based on studies around the left side of the brain controlling the right and vice versa. Psychologists in Italy carried out studies that showed that sounds are processed differently based on the ear they are received into. The study showed that verbal input into the right ear had an increased level of precedence in the brain, and it is the left hand side of the brain that then carries out the linguistic processing.

The research they carried out, seemed to show that the different sides of the brain are tuned for positive and negative emotions, and speaking into the right ear is then processed by the more positive side of the brain.

So next time you’re trying to influence and manipulate, I recommend you make your requests into the right ear. What have you got to lose?

When I speak to people (non Infosec passionate types) about the work and research I do around the content I post on Head Hacker, I normally get a few responses. Shock, Disgust and Intrigue. People are shocked because they are not aware of some of these skills and processes, they are disgusted because it’s not right, it’s not ethical, and a breach of human rights, and then we have the intrigue as I start to really explain what it’s all about, and what I am doing. People are curious about how this knowledge can help and protect them.

So this got me thinking, perhaps I should write a post on why I think people think social engineering is unethical, and why I consider the majority to be ethical, I do think in some circumstances there is a grey area. I have asked quite a few people about their ethical standpoint when it comes to social engineering, as I have on a couple of occasions had semi heated discussions with organisations about techniques that can and can’t be used on an engagement. I personally find most professionals ethical in their approach, but some comments from some do make me shudder. I am confident in the fact that I only operate in areas where I feel comfortable that I will be operating in an ethical manner, other areas I have not quite figured out continue to be researched and debated both internally and externally.

In the research I have done on ethics of social engineering, I have really not found there to be anything about, perhaps people don’t care? I think it is a real issue that all professionals should consider, and take time to reflect upon.

Why people think Social Engineering is unethical….

In my experience most people say social engineering is unethical because you are tricking, or conning someone, stealing data about them, using the information to access sensitive information, get free stuff, gain entry and generally manipulate people to do things, or disclose information. I totally understand this thought process, and in a way I think they are correct, there are people out there doing this, and they are both good and very effective with the skills they have, they have become lifetime criminals.

The key issue here is the perception and it’s a negative one. Not everyone uses their knowledge and skills for breaking the law, they use their skills and knowledge to better the populace, inform and educate to make people less likely to become a victim. The truth of the matter is, you don’t really stand a chance of beating the bad guys unless you are exposing yourself to the same skills, tools and environments.

In an effort to draw an example, medicine can be used to cure and relieve pain in the right hands. The same medicine in the wrong hands and with the wrong intent can be used to inflict pain, and even kill. Knowledge, process, tools, etc can all be used for positive and negative, it’s the individual who is responsible for the actions and result.

Why and how I think Social Engineering can be ethical….

The first reason I think social engineering is ethical is due to the intent. Now I am not saying that the outcome of the exercise may enable someone to do something malicious, but I don’t think this is a justifiable reason not to gain knowledge, research, test and experiment. If we never did this, the human race wouldn’t evolve. So I feel that any social engineering engagement or activity I undertake or become involved in is for a positive outcome and where appropriate I always seek permission at a high level, and understand any specific areas that are no go, as well as using my own common sense and experiences to guide me. People intentionally manipulate people every day; we have all been doing this since birth. We all have different reasons for manipulation; perhaps we feel it would be best for the person, or best for us. When we negotiate to get a reduction on an item we are buying, this is a form of manipulation, but as we feel we are not harming anyone, it’s considered ethically and morally ok.

So I feel that if you are researching, carrying out SE with permission, and using the information to benefit people, and educate and bring awareness it can be ethical, and this is certainly how I believe I go about things.

It’s a little grey….

So there are some grey areas. Can an organisation give you permission to manipulate and extract information from the staff they employ? Should people who are subject to social engineering activities be punished for being the weak link in the chain? If you gain generic permission, let’s say to hypnotise, then you use this permission to extract sensitive data, is that ok? I am sure we can all think of many more situations that are not so clear.

To be honest, when it comes to these grey areas I am not sure on all the answers. However I try to limit these grey areas by defining up front in an appropriate level of detail what could happen as part of the assessment, types of scenarios and ways to extract data, and that individuals will not be named in reports. Obviously the company may use other techniques to help identify how this information was gained, but that is outside my scope of responsibility. So to that end I would say that I am operating in an ethical manner, and so would anyone else that has considered the above issues. When in doubt don’t do it, if your internal ethical and moral compass is unable to guide you, get additional information and input from others who are in an informed and experienced position.

I certainly don’t think the grey areas are reasons not to carry out social engineering engagements, the criminals are not concerned about ethics, and to test we need to adopt this mindset to a certain degree. It is also important to share our thoughts and research, and we have to let the individuals dig further and use this information as they feel is most appropriate.

So to conclude, if you are interested in social engineering, and you want to work with, investigate and research the skills associated, do so in a professional and ethical manner, be mindful of what you’re planning, put yourself in the subject’s position, how would you feel if someone did to you what you are planning on doing to them. If you’re happy, then it’s most likely a good sign you will be operating in an ethical manner.

No one has all the answers, but it’s a conversation worth having, and to continually question is a good thing. I hope people reading this will want to share their thoughts and experiences, so I welcome and look forward to reading your comments.

In Vegas this year (July 2010) there was an interesting contest going on, it was a social engineering capture the flag set up by the great guys at www.social-engineer.org.

This was a great event, and it has attracted some media coverage. The contest and the stories in the press demonstrate the fact that issues do exist, it’s a real problem, not something made up by people in the business in an attempt to generate work. The contest was run in an ethical and legal manner, but even with these constraints it’s clear people are willing to give out a lot of information, and still need to be educated.

Companies and individuals can learn a lot from these contests and their findings. I encourage businesses and people in the appropriate roles to start properly educating about these real risks, and provide the patches for human stupidity. This needs to be a living, evolving process, not a once a year check list.

Many people say it’s the little things that count, depending on what you’re talking about your partner may or may not agree with you :) However when it comes to body language type stuff and reading people there is a little something worth paying attention to, and that’s micro expressions.

Wikipedia Definition – A microexpression is a brief, involuntary facial expression shown on the face of humans according to emotions experienced. They usually occur in high-stakes situations, where people have something to lose or gain. Unlike regular facial expressions, it is difficult to fake microexpressions. Microexpressions express the seven universal emotions: disgust, anger, fear, sadness, happiness, surprise, and contempt. They can occur as fast as 1/25 of a second.

Microexpressions were first discovered / documented back in the 60s, however I didn’t become aware of the studies and research until reading the work of Paul Ekman in the early 90s. Back then I didn’t look into it too much, and it’s only been the last 18 months or so that it’s really piqued my interest, again from a social engineering perspective. I will also say in the last year people have been made a lot more aware of microexpressions due to the TV show Lie To Me with Tim Roth.

There are supposedly 7 universal microexpressions, however like anything it is important to study people to define the baseline of an individual. Below are some examples (from the TV show) of what these 7 microexpressions look like.

So why should you bother looking into microexpressions? Well it’s simple, it provides you with a guide (educated guess) as to if someone is lying to you, as well as providing additional information as to how people are really feeling when responding to your questions and presence. I am sure you are aware of the tells and expressions of people close to you, and those who you interact with on a regular basis. No doubt it took you some time to become familiar with those expressions and the hidden meanings behind them.

So if you want to go about learning these skills there are a few things you can do. The easiest and cheapest is to study people in your everyday observations and interactions. You could even team up with friends and go through various Q&A sessions, study and note the responses. Another option, which I recommend in conjunction with the previous suggestion, is to read various materials on the subject, but also look at videos, political speeches and training sessions to improve these skills. Personally I find I learn a great deal more from videos and images than text alone, especially with this sort of material it is essential.

The only tools I am familiar with myself are those of Paul Ekman, both the METT (Micro Expression) and SETT (Subtle Expression) training tools. These tools feature large collections of images, showing quick demonstrations of expressions to learn and test yourself. For more information on Paul’s tools check out his website, I think he used to have some free tools, however now there is a demo option, and then the charged options ranging from $20 – $70.

All the best with honing your human lie detector skills :)

So I am sat here thinking what to write about this week, and I kept going over things, but for one reason or another my mind is elsewhere. I kept thinking, no, that will be a rubbish post. Then it hit me…. dumpster diving :)

If you’re not sure what dumpster diving is, then it’s just what it says really. You’re digging around in the rubbish / trash looking for that nugget of information that can help you in your information gathering stage.

So what are you going to find in the rubbish, not a lot surely? Wrong. Individuals and companies put a lot of seemingly unimportant information in the bin. This rubbish can help us in many ways. We can find thrown out junk mail, that would be targeted around what an individual does, this can help build a profile. We may also find pre-approved credit card applications and the like, these of course can be used for identity theft. This is nothing new, and criminals have been doing it for years, and even though people shred a lot of their bank statements and the like, this supposed junk is often overlooked.

Organisations, you may think, do a better job. They have confidential waste bins, that get sent off site to be shredded, to stop someone getting access to what the company considers juicy information. This is often the case, but in a few instances I have found these confidential waste bins sat unlocked near loading bays awaiting collection, perhaps a case of out of sight out of mind.

Then we have the general waste. Now this has become somewhat easier in recent years as companies have become more environmentally aware, because we now often see multiple bins for paper, waste, and recycling etc. This is obviously helpful to us, so we can hopefully ignore the bag of apple cores, moldy sandwiches and other untold horrors, but don’t forget that humans make mistakes, so there is still sometimes gold to be found among the banana skins.

So what are we looking for when we are doing our stig of the dump impression? All sorts of valuable pretties can be found. We can find internal memos that will give us contact names, phone numbers and internal gossip. We can find business cards, and correspondence from the company’s 3rd parties, this helps us to identify viable 3rd parties to impersonate. You can often come across various sensitive reports, network diagrams, IP lists, customer details, alarm codes, passwords. All the things you think would be shredded can turn up when dumpster diving. In addition, organisation charts, company phone directories, policy and governance information, print offs of people’s calendars, letter headed documents, CDs, DVDs and even old hardware. It really can be an Aladdin’s cave.

Things to remember when you go dumpster diving, dress appropriately, wear gloves, and take a bin bag to dump stuff in. Be aware that you may be trespassing as part of this exercise, so you may come across a disgruntled security guard, or his pooch.

Dumpster diving is often a dirty, filthy, smelly job, but the rewards can often be significant. Another approach is to simply take refuse bags and go through them at a more remote location.

One man’s rubbish is another man’s treasure :)

Just a simple post this week, but you know what they say the best things come in the simplest of packages. :)

Like any good boy scout, you should always be prepared. So let’s have a quick look at what we should have in our pockets and social engineering kit bag. The aim of this list is to provide a growing resource that can provide a reference point to many (in no particular order). If you feel something is missing, please feel free to drop me a mail with the details of the item, and the reason behind it.

  • Your Brain – It’s the most powerful tool you have. Planning and manoeuvrability.
  • Lock Picks – You never know when you need to get past a lock.
  • Pick Gun – When time is an issue.
  • Super Mica Cards – When you don’t have a starbucks reward card handy.
  • Cigarettes & Lighter – A smoker can be your best friend.
  • Business Cards – Fake and Legit cards, they can be a real convincer.
  • Metal coat hanger – Always handy to have some metal wire you can bend into handy shapes.
  • Camera – Always handy to record video and take some photos.
  • Pack of Cards – Everyone loves magic.
  • Get out of Jail Letter – Real and Fake, for when things get tight.
  • Mobile Phones – It’s good to call, even better to drop and record.
  • Access Point – Always handy to make a network drop for easy external access.
  • Network Cables – Connecting to the network, and other creative things.
  • Chewing Gum – For when you have to wait a while, and for sticking stuff.
  • Gaffa Tape – Erm for sticking stuff.
  • Computer – Handy to have your laptop, netbook, tablet handy for hacking and looking stuff up.
  • String – You never know when you might need some string.
  • ID Cards – An ID card helps you look official.
  • Outfits – It’s always a good idea to look the part and fit in.
  • Condoms – You might need something inflatable, and who knows what else :)
  • Mobile Jammer – Blocking phones, alarms, and anything else using mobile tech.
  • Tools – Screwdrivers, spanners, grips, pliers etc. Oh and security torx bits.
  • Dictaphone – Something for discreet recordings.
  • Rubber Gloves – You never know when you need to put your hands somewhere nasty.
  • Bags – For collecting and putting stuff in. Dumpster diving, etc.
  • RFID Cloner – Cloning access badges and alike.
  • USB Storage – Leave behinds, OS on a stick, Payloads, etc.
  • Live CDs – Never know when you need to use a client machine and no USB support.
  • Torch – It’s dark sometimes.
  • Pocket Knife – Handy for cutting stuff.
  • Tripod – Mounting Cameras, antennas, lasers, etc.
  • Paper and Pen – Making notes, leaving messages, paper aeroplanes.
  • Sweets – Sweets are good if you’re bored, but also make a good bribe and rapport builder.
  • Watch – Always handy to keep track of time on an engagement.
  • Laser Pointer – Handy for pointing out something to a colleague, also for CCTV bypassing.
  • Money – Buying stuff, bribes, etc.
  • Elastic Bands – Hold stuff together.
  • Velcro – Stick stuff together.
  • Earphones – Discreet listening.
  • Scope / Binoculars – Remote viewing.
  • Keylogger – USB and PS2 variety for logging those key strokes.
  • Jasager (Hak5 Pineapple) – For getting all those clients talking to you.

Some of you may have gathered by now, as well as infosec, social engineering, and hypnosis, I am also interested in a bit of trickery pokery, magic.

In recent months I was asked to carry out an impromptu social engineering exercise as a favour to someone. Of course I obliged, almost bit their hand off in fact, but we will keep that a secret. Anyway, I had discussed the generic process and results of this test with a few people, and they also found it amusing and suggested I made a post. So here we go.

You know the recon, give the building a little tour, and you are not surprised to see access controlled doors, locked windows and turnstiles on the main entrance to stop tail gating. However as we continue on our little wander we find a rear entrance, however it is also access controlled. No big surprise. However we see from the corner of our eye, something beautiful, that’s right, it’s smokers’ corner. The smoker is a common helper to the social engineer, and normally we could fake having a cigarette. Two problems, I have no smokes, and I don’t smoke. However I do have a set of cards on me, as I have been taking every opportunity to practice some of my tricks whenever a spare 5 minutes arises. So I sit down on the bench just up from smokers’ corner, and start shuffling the cards and having a little mess about.

Almost 45 mins later, a few people have been and gone, but one guy just can’t resist any more. He approaches me, and in a joking tone asks “What do you think you are, a magician or something?” There is my cue. I show him a simple trick, card prediction. He’s impressed and laughing, rapport is building. He asks me if I know any others. So I get him to pick a card, and then remember it, and then go through the deck and reveal his card. He is loving it, and let’s face it, who doesn’t like magic :) However it’s getting cold, and I have got work to do. So I suggest we best go in, as I am cold, and my work won’t do itself. He kindly walks with me to the rear entrance, and without asking swipes his card and lets me in. Access Gained.

I am still not sure if what happened next was a good or bad thing, but he asks me if I know any more tricks and if I would show his work mates. I explained I need to get on, but I can do something quickly. So he takes me to the first floor, and to where he sits with his two work mates. I do a quick triple card routine, which involves a bit of mind reading. They are amazed and loved it. Now I really need to go.

I head down a corridor and locate a small empty meeting room. Locate a network point, and plug in my La Fonera. Lights are on, we have lift off. I head back down to the rear entrance, a few people are off out for a cigarette. I tail gate and head back to the car.

In the comfort of the car, I load up BT4, connect to my La Fonera, that’s connected to the corporate network and do what needs to be done. With that little smirk on my face, of what a great few hours I have had.

So basically the magic was just another method to build rapport, and a point to build upon. I don’t think it could be used everywhere, but in general people like magic, and are fascinated by it. The best bit was the debrief the next day with the company, they couldn’t believe the chain of events, and of course again I have to show them one of the tricks.

So I have posted the basics of this due to requests, but also to demonstrate a key thing when social engineering. Use what you know, and what you have available to you and think out of the box.