<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Head Hacker</title>
	<atom:link href="http://www.headhacker.net/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.headhacker.net</link>
	<description>Tell me what you&#039;re NOT thinking about - Social Engineering, Mentalism, Hypnosis, Misdirection and Influence</description>
	<lastBuildDate>Tue, 07 Sep 2010 12:36:46 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Social Engineering Zombies&#8230; Getting people playing your game</title>
		<link>http://www.headhacker.net/2010/09/07/social-engineering-zombies-getting-people-playing-your-game/</link>
		<comments>http://www.headhacker.net/2010/09/07/social-engineering-zombies-getting-people-playing-your-game/#comments</comments>
		<pubDate>Tue, 07 Sep 2010 12:36:46 +0000</pubDate>
		<dc:creator>Dale</dc:creator>
				<category><![CDATA[Hypnosis]]></category>
		<category><![CDATA[Influence]]></category>
		<category><![CDATA[Mentalism]]></category>
		<category><![CDATA[Misdirection]]></category>
		<category><![CDATA[SE]]></category>
		<category><![CDATA[Army]]></category>
		<category><![CDATA[Friendship]]></category>
		<category><![CDATA[Phenomena]]></category>
		<category><![CDATA[Play My Game]]></category>
		<category><![CDATA[Post Hypnotic Suggestion]]></category>
		<category><![CDATA[Rapport]]></category>
		<category><![CDATA[Security Guards]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[Zomies]]></category>

		<guid isPermaLink="false">http://www.headhacker.net/?p=445</guid>
		<description><![CDATA[In the wonderful world of InfoSec we often talk about zombies, and the associated botnet zombie army. With our army of machines we can do our evil bidding, and wreak havoc upon the unexpected users of the Interwebs. So what’s this got to do with social engineering? Well I was talking to Jayson Street last [...]]]></description>
			<content:encoded><![CDATA[<p>In the wonderful world of InfoSec we often talk about zombies, and the associated botnet zombie army. With our army of machines we can do our evil bidding, and wreak havoc upon the unexpected users of the Interwebs.</p>
<p>So what’s this got to do with social engineering? Well I was talking to Jayson Street last week about some of the techniques I have used to get information and assistance from people on the inside of an organisation to help me with an engagement, and I kind of likened this to creating my own little army of zombies who are willing to do my bidding when asked.</p>
<p>So I will just talk you through a few scenarios, you can then use this information to help formulate your own approach on engagements, and use this information to enhance your training and awareness around social engineering.</p>
<p style="text-align: center;"><a href="http://www.headhacker.net/wp-content/uploads/2010/08/zombie.png"><img class="size-full wp-image-457 aligncenter" title="zombie" src="http://www.headhacker.net/wp-content/uploads/2010/08/zombie.png" alt="" width="429" height="268" /></a></p>
<p>One of the key things to realise when you’re looking to do anything that requires influencing and manipulating people, is that we are all going about life playing our own game, or if you’re an NLP fan, operating in your own frame. So when we want someone to accommodate our requests, we need to get them to stop playing their game, and start playing ours. We need to re-frame.</p>
<p>One of my most successful approaches to this in social engineering is the use of the fake, and slightly altered, get out of jail free letter. This letter will start off by congratulating the individual on challenging you, and then further explain a modified story of what the engagement is, and that they can now be brought into the circle of trust and help facilitate.</p>
<p>This does a few things. First of all we are starting with positive acknowledgement of success. We all like to be told when we have done well, and having this confirmed in written form as well as verbally is a double whammy. You may even want to take this opportunity to anchor the positive emotions for later use. Next they are given formal written approval to help out on this engagement, so it must be official, and they now feel a bit more important. Lastly, and I think this is my favourite part, they are brought into the circle of trust. No one likes anything more than to be part of the secret squirrel brigade, it’s all hush hush and James Bond like.</p>
<p>I find this approach works especially well with security guards. So then you have your zombie, who has internal knowledge and access to most areas within the facility.</p>
<p>Another approach is that of rapport and conformity. This approach requires time invested outside of the targeted facility. The recon process is essential, so you will build up a good understanding of the company, the various departments, and some key senior names etc. You then identify a common location where employees gather. This could be a lunch time or after work cafe or pub, basically somewhere that over time you can have a high level of certainty you will have the same people appear repeatedly.</p>
<p>The next stage is then to build up some rapid friendships, familiarity and some form of common ground. Everyone’s approach here is different, however as I have mentioned before I use the mentalism and beer route, on the premise that most people like a drink, and magic.</p>
<p>So from here people will see me doing different demos in that environment, work your way around to the target, whilst building up their interest. At the appropriate time you start interacting, showing the individuals something interesting, and getting people laughing and having a good time. We like people who make us laugh, and we like people who we consider to be similar to ourselves. Now is the opportunity to also ask information about them, where they work, what department etc, this is achieving confirmation of your research, and is building up rapport. You can then reciprocate with false information about you recently joining the company also, and mentalism etc is your hobby when you’re not working in such and such department.</p>
<p>Now we have a new friend. Friends look out for each other. We can use this friend to get a bit more information about the business, strengths and weaknesses. Now when we look to get into the company we can utilise our friend, either entering at the same time as them, or having reception call them to verify you.</p>
<p>So there are just two examples of methods you can use to get people playing your game, you may look to use this directly as described or more indirectly and use these techniques for misdirection to assist a colleague to gain entry.</p>
<p>Finally I will give you a hypnotic example of creating your own REAL Zombie utilising the power of the mind.</p>
<p>Those of you who are not familiar with hypnosis may be poo pooing this already, but please read on for enjoyment if nothing more.</p>
<p>So in this scenario I will use the similar approach with making a new friend, or at least building up a relationship that allows me to demonstrate mentalism and hypnotic phenomena.</p>
<p>So I will go through the motion, and assuming the subject is working well with me and what many would class as the more impressive phenomena such as amnesia is working, then I would look to make a post hypnotic suggestion and give amnesia for the suggestion. As an example you could give the suggestion that the next time you meet and say “let me in” you believe 100% unconditionally that I am authorised to be onsite, and to have access to any areas requested. You then remove conscious memory of this suggestion, in the knowledge that the subconscious will act as expected. If there is going to be a big time gap, it is important to include some time frames in the suggestion also.</p>
<p>The next step is of course to try it. Obviously you have tested other phenomena before giving this post hypnotic suggestion, so you do have a level of confidence, however the brain is a strange and mysterious thing, and many things can impact the work you have done beforehand. So as with all social engineering engagements, have a plan B, C, D, etc.</p>
<p>The longest I have gone between giving a post hypnotic suggestion, and executing it is a week, however in theory with the correct instruction and intent it should work weeks, months or a year’s gap. In my experience the less time you leave the suggestion, the more successful the results, however this is no doubt a skill issue with me, practice practice.</p>
<p>As with all of this, look to practice with permission, and try things on a less elaborate scale. So try just making friends with people in pubs and cafes to test your rapport building skills. Try and get people to help you out in different situations and environments, get them playing your game. If you are interested in the hypnosis side of things, of course most important is to learn the foundations first and then build up, then when you are at the right stage, try simple to understand post hypnotic suggestions. Something like when I tap you on the shoulder and ask you for a beer you will believe I have just bought you one and it’s now your turn. The process for the suggestions is all the same, obviously some have more of an impact if they don’t work than others.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.headhacker.net/2010/09/07/social-engineering-zombies-getting-people-playing-your-game/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Social Engineering Competitions&#8230; Good or Bad?</title>
		<link>http://www.headhacker.net/2010/09/01/social-engineering-competitions-good-or-bad/</link>
		<comments>http://www.headhacker.net/2010/09/01/social-engineering-competitions-good-or-bad/#comments</comments>
		<pubDate>Wed, 01 Sep 2010 13:55:57 +0000</pubDate>
		<dc:creator>Dale</dc:creator>
				<category><![CDATA[SE]]></category>
		<category><![CDATA[CTF]]></category>
		<category><![CDATA[Defcon 18]]></category>
		<category><![CDATA[Ethical]]></category>
		<category><![CDATA[Intent]]></category>
		<category><![CDATA[Patching Human Stupidity]]></category>
		<category><![CDATA[Responsibility]]></category>
		<category><![CDATA[Social Engineering Competitions]]></category>

		<guid isPermaLink="false">http://www.headhacker.net/?p=443</guid>
		<description><![CDATA[I have had a few people mention to me in person, and via email and twitter about the social engineering competition that took place at DEFCON 18, and if I think it was right or not, as many people seem to have mixed feelings about what went on. So I am going to take the [...]]]></description>
			<content:encoded><![CDATA[<p>I have had a few people mention to me in person, and via email and twitter about the social engineering competition that took place at DEFCON 18, and if I think it was right or not, as many people seem to have mixed feelings about what went on.</p>
<p>So I am going to take the opportunity this week to speak briefly about my thoughts, however I will make it clear that I was not at DEFCON, and I don&#8217;t have any insider knowledge on the event (although I do know the winner) and any information I mention about the event is just my understanding, so don&#8217;t take it as gospel.</p>
<p>If you are not familiar with the Social Engineering CTF &#8211; How Strong is Your Schmooze, then check out <a href="http://www.social-engineer.org/defcon-social-engineering-contest/" target="_blank">this link</a> for the rules and guidelines that were published online.</p>
<p>So do I think social engineering competitions are good? <strong>YES</strong>, however I would caveat that answer with the following. I agree that social engineering competitions are a good idea if they are run responsibly, with the right intent, in an ethical and somewhat controlled environment. I think the DEFCON SE CTF was carried out in this manner.</p>
<p style="text-align: center;"><a href="http://www.headhacker.net/wp-content/uploads/2010/09/SEpatch.jpg"><img class="alignnone size-full wp-image-455" title="SEpatch" src="http://www.headhacker.net/wp-content/uploads/2010/09/SEpatch.jpg" alt="" width="371" height="116" /></a></p>
<p>Why do I think it&#8217;s a good idea? Well you have probably all seen it, and I even have the T-Shirt. There is no patch for human stupidity. I believe this isn&#8217;t the case, however the reality is people are lazy, lack understanding, and would rather stick their head in the sand than try and understand the problem and to fix it. People are complicated.</p>
<p>Social engineering engagements of any type help to identify the gaps in the human element (wetware), and let&#8217;s face it there are a lot of crap social engineers around, who don&#8217;t really know what they are doing, but are still pretty successful, because the controls are non existent, or ineffective. Don&#8217;t get me wrong, I think it&#8217;s a good thing, because let&#8217;s face it, if someone with not a lot of skill can get it, you&#8217;re more than just screwed, as someone who takes a proper interest, and knows what they are doing is going to cause some real damage.</p>
<p>So what does a social engineering competition achieve? I think it does a few things, and if done properly everyone benefits. So first of all, anyone who participates as an SE gets to experience some elements of social engineering, can test their theories, see what happens and learn. People outside of the event learn something, perhaps the penny will drop and this stuff is real, and has been going on since humans walked the earth, and perhaps will try and be more mindful as a result of what they hear, even if it&#8217;s not truly factual. Then the companies who have been selected also get something out of it, they get a free remote assessment. I am not sure what information the organisers share with the companies involved (perhaps legal implications, based on permission) but regardless they know they have been targeted and in all likelihood have had data extracted. This can then signal some internal movement to up the priority on awareness, and they have some real world example to draw on.</p>
<p>Criminals don&#8217;t care about the people or companies they are attacking, they just do what they need to do to succeed. As social engineers, we can replicate this attack in a controlled and ethical approach, this is a big benefit. Companies need to look at the bigger picture, the full scope. Get your head out of the sand, great you have got a firewall, it&#8217;s all locked down, bully for you, don&#8217;t think an attacker isn&#8217;t going to use another vector.</p>
<p>So just to conclude, I think everyone involved can benefit from a social engineering competition, I guess the only grey area and again I don&#8217;t know the details is if the companies that have been targeted have not given consent. However I think this is covered to some extent based on the rules of engagement, and what information is allowed to be extracted, and how it is handled after the event. I think anyone would be naive to think that people other than criminals are calling companies and extracting information to benefit themselves in one way or another, context is a crazy thing. Intent and responsibility is to me what really is the deciding factor when it comes to ethics.</p>
<p>It&#8217;s my understanding the SE CTF guys had various discussions with the <a href="http://www.eff.org/" target="_blank">EFF</a> to ensure they were going about things in the right manner, and I believe there were also some discussions with the FBI, who may or may not have given the companies selected a heads up. Regardless the event was allowed to continue and was highly publicised in the media.</p>
<p>I can understand why some people may be a bit dubious about these events, and I think that&#8217;s only natural as good people will often consider possible ramifications, but I hope that over time we can see more events similar to this, and educate everyone in the process. Together we can make people more informed, and to operate in a more mindful manner.</p>
<p>There is no silver bullet, but we can apply a patch to human stupidity to reduce the risks and exposure.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.headhacker.net/2010/09/01/social-engineering-competitions-good-or-bad/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Invest in the Community… Schuyler Towne and Open Locksport</title>
		<link>http://www.headhacker.net/2010/09/01/invest-in-the-community%e2%80%a6-schuyler-towne-and-open-locksport/</link>
		<comments>http://www.headhacker.net/2010/09/01/invest-in-the-community%e2%80%a6-schuyler-towne-and-open-locksport/#comments</comments>
		<pubDate>Wed, 01 Sep 2010 10:37:47 +0000</pubDate>
		<dc:creator>Dale</dc:creator>
				<category><![CDATA[SE]]></category>
		<category><![CDATA[Tools]]></category>
		<category><![CDATA[InfoSec Community]]></category>
		<category><![CDATA[Kick Starter Project]]></category>
		<category><![CDATA[Lock Picking]]></category>
		<category><![CDATA[Open Locksport]]></category>
		<category><![CDATA[Paying it Back]]></category>
		<category><![CDATA[Schuyler Towne]]></category>

		<guid isPermaLink="false">http://www.headhacker.net/?p=447</guid>
		<description><![CDATA[One of the best things about the InfoSec community is the people. Sure like everywhere there are the idiots, big headed know it alls, and the leechers, but in general we are a supportive bunch, and happy to share. So this brings me to this blog post. Many of you will know that one of [...]]]></description>
			<content:encoded><![CDATA[<p>One of the best things about the InfoSec community is the people. Sure like everywhere there are the idiots, big headed know it alls, and the leechers, but in general we are a supportive bunch, and happy to share.</p>
<p>So this brings me to this blog post. Many of you will know that one of my other interests is Lock Picking, and there is this guy called <a href="http://schuylertowne.com/aboutme.php" target="_blank">Schuyler Towne</a> (<a href="http://twitter.com/shoebox" target="_blank">@shoebox</a>), and he likes lock picking&#8230; just a little bit <img src='http://www.headhacker.net/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<p>So why am I sharing this information? Well he has set up a <a href="http://www.kickstarter.com/projects/schuyler/lockpicks-by-open-locksport" target="_blank">Kick Starter project</a> to help get some funding to release his own custom made picks. Now you may be thinking you have got picks, and that&#8217;s great. However custom made picks can improve your picking, they look funky, and hey you&#8217;re supporting the community.</p>
<p>I think the pledging opportunity is over at the end of September, so get in now and play your part. Oh and there is also something in it for you.</p>
<p>Click the image below and check out the video for the full story&#8230;</p>
<p><a href="http://kck.st/bjNcQf"><img src="http://www.kickstarter.com/projects/schuyler/lockpicks-by-open-locksport/widget/card.jpg" border="0" alt="" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.headhacker.net/2010/09/01/invest-in-the-community%e2%80%a6-schuyler-towne-and-open-locksport/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Subjects lend me your ears&#8230; Especially the right one!</title>
		<link>http://www.headhacker.net/2010/08/25/subjects-lend-me-your-ears-especially-the-right-one/</link>
		<comments>http://www.headhacker.net/2010/08/25/subjects-lend-me-your-ears-especially-the-right-one/#comments</comments>
		<pubDate>Wed, 25 Aug 2010 13:08:33 +0000</pubDate>
		<dc:creator>Dale</dc:creator>
				<category><![CDATA[Influence]]></category>
		<category><![CDATA[SE]]></category>
		<category><![CDATA[hemispheric asymmetries]]></category>
		<category><![CDATA[lingustic processing by the left side of the brain]]></category>
		<category><![CDATA[Speak into the right ear]]></category>

		<guid isPermaLink="false">http://www.headhacker.net/?p=427</guid>
		<description><![CDATA[Language and communication is of great importance when it comes to manipulation as part of social engineering, or any situation where you want to try and get your way. So it would be interesting to learn that you double your chances of getting your desired outcome, simply by making your request to the right ear. [...]]]></description>
			<content:encoded><![CDATA[<p>Language and communication is of great importance when it comes to manipulation as part of social engineering, or any situation where you want to try and get your way.</p>
<p>So it would be interesting to learn that you double your chances of getting your desired outcome, simply by making your request to the right ear.</p>
<p style="text-align: left;"><a href="http://www.headhacker.net/wp-content/uploads/2010/08/deaf.jpg"><img class="size-full wp-image-428 aligncenter" title="deaf" src="http://www.headhacker.net/wp-content/uploads/2010/08/deaf.jpg" alt="" width="203" height="196" /></a>Well it&#8217;s totally true. I have tried this myself, of course I haven&#8217;t been carrying out documented studies, but there does seem to be some factor of increase when making requests, and having someone be compliant and receptive when you ask via the right ear.</p>
<p style="text-align: left;">I heard about these studies that focused on the natural expression of the hemispheric asymmetries. This is all about how your brain operates and processes requests, based on studies around the left side of the brain controlling the right and vice versa. Psychologists in Italy carried out studies that showed that sounds are processed differently based on the ear they are received into. The study showed that verbal input into the right ear had an increased level of precedence in the brain, and it is the left hand side of the brain that then carries out the linguistic processing.</p>
<p style="text-align: left;">The research they carried out, seemed to show that the different sides of the brain are tuned for positive and negative emotions, and speaking into the right ear is then processed by the more positive side of the brain.</p>
<p style="text-align: left;">So next time you&#8217;re trying to influence and manipulate, I recommend you make your requests into the right ear. What have you got to lose?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.headhacker.net/2010/08/25/subjects-lend-me-your-ears-especially-the-right-one/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Head Hacker Speaking at Excaliburcon 2010&#8230; China Security Conference</title>
		<link>http://www.headhacker.net/2010/08/14/head-hacker-speaking-at-excaliburcon-2010-china-security-conference/</link>
		<comments>http://www.headhacker.net/2010/08/14/head-hacker-speaking-at-excaliburcon-2010-china-security-conference/#comments</comments>
		<pubDate>Sat, 14 Aug 2010 15:25:35 +0000</pubDate>
		<dc:creator>Dale</dc:creator>
				<category><![CDATA[Head Hacker]]></category>
		<category><![CDATA[Beijing]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[ExcaliburCon 2010]]></category>
		<category><![CDATA[Security Conference]]></category>
		<category><![CDATA[The Magic of Suggestion and Perception]]></category>

		<guid isPermaLink="false">http://www.headhacker.net/?p=398</guid>
		<description><![CDATA[In the autumn of 2009, Excalibur Conference 1.0 won great success in Wuxi. The conference invited some of the most respected experts in the world and delivered terrific speeches, breakouts, demos and competitions. We are honored to present such a new approach which strengthens the relationship between the Chinese information security industry and the global [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: center;"><a href="http://www.headhacker.net/wp-content/uploads/2010/08/黏贴纸效果1.jpg"><img class="alignnone size-full wp-image-416" title="黏贴纸效果1" src="http://www.headhacker.net/wp-content/uploads/2010/08/黏贴纸效果1.jpg" alt="" width="340" height="172" /></a></p>
<blockquote>
<p style="text-align: left;">In the autumn of 2009, <a href="http://www.newcamelotcouncil.com/" target="_blank">Excalibur Conference</a> 1.0 won great success in  Wuxi. The conference invited some of the most respected experts in the  world and delivered terrific speeches, breakouts, demos and  competitions. We are honored to present such a new approach which  strengthens the relationship between the Chinese information security  industry and the global industry.</p>
<p>In the coming winter of  2010, <a href="http://www.newcamelotcouncil.com/" target="_blank">Excalibur Conference</a> 2010 will be back as promised. Lots of  experts, genius and related professionals will be invited to the  conference again and address new speeches then. The conference involves  the security of the internet of things, social engineering, wireless  security, hardware security, computer forensics and related emerging  fields. The genius from UK will present satellite hack technology then.<br />
If you have any new idea, innovation or experience in these fields, please come and share with us in Beijing.</p>
<p>If you want to learn the latest development in the information security  industry, master professional skills and extend social network, welcome  to <a href="http://www.newcamelotcouncil.com/" target="_self">Excalibur Conference</a> 2010.</p></blockquote>
<p style="text-align: left;">I am delighted to confirm I will be giving my talk at ExcaliburCon 2010. As expected I will be talking about how we can improve our skills as a Social Engineer, by mastering the art and tech of manipulation. I will talk about my journey of understanding how our powerful mind, and the knowledge of NLP, Hypnosis, and Mentalism can help you become a master manipulator.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.headhacker.net/2010/08/14/head-hacker-speaking-at-excaliburcon-2010-china-security-conference/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Head Hacker Speaking at Hash Days 2010&#8230; Switzerland Security Conference</title>
		<link>http://www.headhacker.net/2010/08/14/head-hacker-speaking-at-hash-days-2010-switzerland-security-conference/</link>
		<comments>http://www.headhacker.net/2010/08/14/head-hacker-speaking-at-hash-days-2010-switzerland-security-conference/#comments</comments>
		<pubDate>Sat, 14 Aug 2010 15:05:58 +0000</pubDate>
		<dc:creator>Dale</dc:creator>
				<category><![CDATA[Head Hacker]]></category>
		<category><![CDATA[#Days]]></category>
		<category><![CDATA[Hash Days]]></category>
		<category><![CDATA[Lucerne]]></category>
		<category><![CDATA[Security Conference]]></category>
		<category><![CDATA[Switzerland]]></category>
		<category><![CDATA[The Magic of Suggestion and Perception]]></category>

		<guid isPermaLink="false">http://www.headhacker.net/?p=401</guid>
		<description><![CDATA[Hashdays &#8211; the premier technical security conference in the center of Switzerland organized by DEFCON Switzerland. During 4 days the center of Switzerland will become also the center of IT security knowledge transfer. On November 3rd and 4th you will be able to learn a lot in the workshops. The following 2 days (November 5th [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: left;"><a href="http://www.headhacker.net/wp-content/uploads/2010/08/hashdayslogo.png"><img class="size-full wp-image-403 aligncenter" title="hashdayslogo" src="http://www.headhacker.net/wp-content/uploads/2010/08/hashdayslogo.png" alt="" width="194" height="76" /></a></p>
<blockquote><p><a href="https://www.hashdays.ch/conference.html" target="_blank">Hashdays</a> &#8211; the premier technical security conference in the center of Switzerland organized by <a href="http://www.defcon-switzerland.org/">DEFCON Switzerland</a>.</p>
<p>During 4 days the center of Switzerland will become also the center  of IT security knowledge transfer. On November 3rd and 4th you will be  able to learn a lot in the <a href="https://www.hashdays.ch/workshop.html">workshops</a>. The following 2 days (November 5th and 6th) will be <a href="https://www.hashdays.ch/conference.html">full of highly technical IT security talks</a>.</p>
<p>Be sure to <a href="https://www.hashdays.ch/registration.html">reserve</a> your seat early &#8211; the space is limited.</p></blockquote>
<p>I am delighted to confirm that I will be speaking at the <a href="https://www.hashdays.ch/conference.html" target="_blank">Hash Days</a> Security Conference in November. As expected I will be talking about Social Engineering, and my work and research on exploiting the ways humans act and behave, and how we can use the most powerful tool available to us&#8230;. Our Minds. The talk will cover my journey of discovery of the skills we can utilise to improve our SE Manipulation with the use of NLP, Hypnosis, and Mentalism.</p>
<p>I hope to see you there <img src='http://www.headhacker.net/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
]]></content:encoded>
			<wfw:commentRss>http://www.headhacker.net/2010/08/14/head-hacker-speaking-at-hash-days-2010-switzerland-security-conference/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Phenomena Activity&#8230; Hypno on Camera</title>
		<link>http://www.headhacker.net/2010/08/12/phenomena-activity-hypno-on-camera/</link>
		<comments>http://www.headhacker.net/2010/08/12/phenomena-activity-hypno-on-camera/#comments</comments>
		<pubDate>Thu, 12 Aug 2010 13:18:33 +0000</pubDate>
		<dc:creator>Dale</dc:creator>
				<category><![CDATA[Head Hacker]]></category>
		<category><![CDATA[Hypnosis]]></category>
		<category><![CDATA[Amnesia]]></category>
		<category><![CDATA[Catalepsy]]></category>
		<category><![CDATA[Conventional]]></category>
		<category><![CDATA[Ideomotor]]></category>
		<category><![CDATA[Non Trance]]></category>
		<category><![CDATA[Sleep]]></category>

		<guid isPermaLink="false">http://www.headhacker.net/?p=391</guid>
		<description><![CDATA[So this post is a bit late in the week, but I have been busy with work, as well as continual tweaking of the presentation I am working on, and helping people to experience hypnosis. So due to the time constraints I have opted to point you in the direction of the Video section of the site, [...]]]></description>
			<content:encoded><![CDATA[<p>So this post is a bit late in the week, but I have been busy with work, as well as continual tweaking of the presentation I am working on, and helping people to experience hypnosis.</p>
<p>So due to the time constraints I have opted to point you in the direction of the <a href="http://www.headhacker.net/videos/" target="_blank">Video</a> section of the site, where you can see 7 new videos of me hypnotising Olly.</p>
<p>Olly works at one of the customer sites I visit on a regular basis. I have hypnotised him before in a pub when we went out for someone&#8217;s birthday. He was happy to be hypnotised again, and gave me permission to make the recordings and put them online. The videos give a mixture of what I refer to as conventional (sleep) hypnosis and non trance (eyes open) hypnosis, and various hypnotic phenomena.</p>
<p>There is no fancy filming or flashy effects. As I was on my own I used a tripod with my mini Kodak HD camera to capture the footage. Filming also helps me (still need to be a lot more confident on camera) spot where I make mistakes, and tune my approach.</p>
<p>The sample below shows Olly forgetting his name and the number 4 using conventional hypnosis methods. For more check out the <a href="http://www.headhacker.net/videos/" target="_blank">videos</a> section.</p>
<p><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="640" height="385" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowFullScreen" value="true" /><param name="allowScriptAccess" value="always" /><param name="src" value="http://www.youtube.com/v/_2WsR7YbONo&amp;color1=0xb1b1b1&amp;color2=0xd0d0d0&amp;hl=en_US&amp;feature=player_embedded&amp;fs=1" /><param name="allowfullscreen" value="true" /><embed type="application/x-shockwave-flash" width="640" height="385" src="http://www.youtube.com/v/_2WsR7YbONo&amp;color1=0xb1b1b1&amp;color2=0xd0d0d0&amp;hl=en_US&amp;feature=player_embedded&amp;fs=1" allowscriptaccess="always" allowfullscreen="true"></embed></object></p>
<p>I would be interested to hear if you find these videos interesting and worth sharing with you? I always look to get some footage when out and about. However for obvious reasons permission is required, and not everyone wants to be a YouTube sensation <img src='http://www.headhacker.net/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<p><em>Feel free to subscribe to the YouTube Channel by clicking on the logo on the right hand side of the site.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.headhacker.net/2010/08/12/phenomena-activity-hypno-on-camera/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Social Engineering&#8230; Is It Ethical??</title>
		<link>http://www.headhacker.net/2010/08/05/social-engineering-is-it-ethical/</link>
		<comments>http://www.headhacker.net/2010/08/05/social-engineering-is-it-ethical/#comments</comments>
		<pubDate>Thu, 05 Aug 2010 14:57:31 +0000</pubDate>
		<dc:creator>Dale</dc:creator>
				<category><![CDATA[Body Language]]></category>
		<category><![CDATA[Head Hacker]]></category>
		<category><![CDATA[Hypnosis]]></category>
		<category><![CDATA[Influence]]></category>
		<category><![CDATA[Magic]]></category>
		<category><![CDATA[Mentalism]]></category>
		<category><![CDATA[Misdirection]]></category>
		<category><![CDATA[NLP]]></category>
		<category><![CDATA[SE]]></category>
		<category><![CDATA[Do the right thing]]></category>
		<category><![CDATA[Ethical]]></category>
		<category><![CDATA[Ethical and Moral Compass]]></category>
		<category><![CDATA[Ethics]]></category>
		<category><![CDATA[grey area]]></category>
		<category><![CDATA[Manipulation]]></category>
		<category><![CDATA[Social Engineering]]></category>

		<guid isPermaLink="false">http://www.headhacker.net/?p=374</guid>
		<description><![CDATA[When I speak to people (non Infosec passionate types) about the work and research I do around the content I post on Head Hacker, I normally get a few responses. Shock, Disgust and Intrigue. People are shocked because they are not aware of some of these skills and processes, they are disgusted because it’s not [...]]]></description>
			<content:encoded><![CDATA[<p>When I speak to people (non Infosec passionate types) about the work and research I do around the content I post on Head Hacker, I normally get a few responses. Shock, Disgust and Intrigue. People are shocked because they are not aware of some of these skills and processes, they are disgusted because it’s not right, it’s not ethical, and a breach of human rights, and then we have the intrigue as I start to really explain what it’s all about, and what I am doing. People are curious about how this knowledge can help and protect them.</p>
<p>So this got me thinking, perhaps I should write a post on why I think people think social engineering is unethical, and why I consider the majority to be ethical, I do think in some circumstances there is a grey area. I have asked quite a few people about their ethical standpoint when it comes to social engineering, as I have on a couple of occasions had semi heated discussions with organisations about techniques that can and can’t be used on an engagement. I personally find most professionals ethical in their approach, but some comments from some do make me shudder. I am confident in the fact that I only operate in areas where I feel comfortable that I will be operating in an ethical manner, other areas I have not quite figured out continue to be researched and debated both internally and externally.</p>
<p>In the research I have done on ethics of social engineering, I have really not found there to be anything about, perhaps people don’t care? I think it is a real issue that all professionals should consider, and take time to reflect upon.</p>
<p style="text-align: center;"><a href="http://www.headhacker.net/wp-content/uploads/2010/08/Got-ethics.jpg"><img class="size-full wp-image-381 aligncenter" title="Got ethics ?" src="http://www.headhacker.net/wp-content/uploads/2010/08/Got-ethics.jpg" alt="" width="300" height="199" /></a></p>
<p><strong>Why people think Social Engineering is unethical&#8230;.</strong></p>
<p>In my experience most people say social engineering is unethical because you are tricking, or conning someone, stealing data about them, using the information to access sensitive information, get free stuff, gain entry and generally manipulate people to do things, or disclose information. I totally understand this thought process, and in a way I think they are correct, there are people out there doing this, and they are both good and very effective with the skills they have, they have become lifetime criminals.</p>
<p>The key issue here is the perception and it’s a negative one. Not everyone uses their knowledge and skills for breaking the law, they use their skills and knowledge to better the populace, inform and educate to make people less likely to become a victim. The truth of the matter is, you don&#8217;t really stand a chance of beating the bad guys unless you are exposing yourself to the same skills, tools and environments.</p>
<p>In an effort to draw an example, medicine can be used to cure and relieve pain in the right hands. The same medicine in the wrong hands and with the wrong intent can be used to inflict pain, and even kill. Knowledge, process, tools, etc can all be used for positive and negative, it’s the individual who is responsible for the actions and result.</p>
<p><strong>Why and how I think Social Engineering can be ethical&#8230;.</strong></p>
<p>The first reason I think social engineering is ethical is due to the intent. Now I am not saying that the outcome of the exercise may enable someone to do something malicious, but I don&#8217;t think this is a justifiable reason not to gain knowledge, research, test and experiment. If we never did this, the human race wouldn&#8217;t evolve. So I feel that any social engineering engagement or activity I undertake or become involved in is for a positive outcome and where appropriate I always seek permission at a high level, and understand any specific areas that are no go, as well as using my own common sense and experiences to guide me. People intentionally manipulate people every day; we have all been doing this since birth. We all have different reasons for manipulation; perhaps we feel it would be best for the person, or best for us. When we negotiate to get a reduction on an item we are buying, this is a form of manipulation, but as we feel we are not harming anyone, it’s considered ethically and morally ok.</p>
<p>So I feel that if you are researching, carrying out SE with permission, and using the information to benefit people, and educate and bring awareness it can be ethical, and this is certainly how I believe I go about things.</p>
<p><strong>It’s a little grey&#8230;.</strong></p>
<p>So there are some grey areas. Can an organisation give you permission to manipulate and extract information from the staff they employ? Should people who are subject to social engineering activities be punished for being the weak link in the chain? If you gain generic permission, let’s say to hypnotise, then you use this permission to extract sensitive data, is that ok? I am sure we can all think of many more situations that are not so clear.</p>
<p>To be honest, when it comes to these grey areas I am not sure on all the answers. However I try to limit these grey areas by defining up front in an appropriate level of detail what could happen as part of the assessment, types of scenarios and ways to extract data, and that individuals will not be named in reports. Obviously the company may use other techniques to help identify how this information was gained, but that is outside my scope of responsibility. So to that end I would say that I am operating in an ethical manner, and so would anyone else that has considered the above issues. When in doubt don’t do it, if your internal ethical and moral compass is unable to guide you, get additional information and input from others who are in an informed and experienced position.</p>
<p>I certainly don&#8217;t think the grey areas are reasons not to carry out social engineering engagements, the criminals are not concerned about ethics, and to test we need to adopt this mindset to a certain degree. It is also important to share our thoughts and research, and we have to let the individuals dig further and use this information as they feel is most appropriate.</p>
<p>So to conclude, if you are interested in social engineering, and you want to work with, investigate and research the skills associated, do so in a professional and ethical manner, be mindful of what you’re planning, put yourself in the subject’s position, how would you feel if someone did to you what you are planning on doing to them. If you’re happy, then it’s most likely a good sign you will be operating in an ethical manner.</p>
<p>No one has all the answers, but it’s a conversation worth having, and to continually question is a good thing. I hope people reading this will want to share their thoughts and experiences, so I welcome and look forward to reading your comments.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.headhacker.net/2010/08/05/social-engineering-is-it-ethical/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Social Engineering CTF&#8230; Showing the value of testing the human element</title>
		<link>http://www.headhacker.net/2010/08/02/social-engineering-ctf-showing-the-value-of-testing-the-human-element/</link>
		<comments>http://www.headhacker.net/2010/08/02/social-engineering-ctf-showing-the-value-of-testing-the-human-element/#comments</comments>
		<pubDate>Mon, 02 Aug 2010 10:40:42 +0000</pubDate>
		<dc:creator>Dale</dc:creator>
				<category><![CDATA[SE]]></category>
		<category><![CDATA[How Strong Is Your Schmooze]]></category>
		<category><![CDATA[Social Engineer CTF]]></category>
		<category><![CDATA[social-engineer.org]]></category>

		<guid isPermaLink="false">http://www.headhacker.net/?p=371</guid>
		<description><![CDATA[In Vegas this year (July 2010) there was an interesting contest going on, it was a social engineering capture the flag set up by the great guys at www.social-engineer.org. This was a great event, and it has attracted some media coverage. The contest and the stories in the press demonstrate the fact issues do exist, it’s [...]]]></description>
			<content:encoded><![CDATA[<p>In Vegas this year (July 2010) there was an interesting contest going on, it was a social engineering capture the flag set up by the great guys at <a href="http://www.social-engineer.org/blog/se-ctf-scoreboard/" target="_blank">www.social-engineer.org</a>.</p>
<p style="text-align: center;"><a href="http://www.headhacker.net/wp-content/uploads/2010/08/SECTF.png"><img class="size-full wp-image-372 aligncenter" title="SECTF" src="http://www.headhacker.net/wp-content/uploads/2010/08/SECTF.png" alt="" width="477" height="251" /></a></p>
<p style="text-align: left;">This was a great event, and it has attracted some <a href="http://www.theregister.co.uk/2010/07/31/hacking_human_gullibility/" target="_blank">media coverage</a>. The contest and the stories in the press demonstrate the fact issues do exist, it&#8217;s a real problem, not something made up by people in the business in an attempt to generate work. The contest was run in an ethical and legal manner, but even with these constraints it&#8217;s clear people are willing to give out a lot of information, and still need to be educated.</p>
<p style="text-align: left;">Companies and individuals can learn a lot from these contests and their findings. I encourage businesses and people in the appropriate roles to start properly educating about these real risks, and provide the patches for human stupidity. This needs to be a living, evolving process, not a once a year checklist.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.headhacker.net/2010/08/02/social-engineering-ctf-showing-the-value-of-testing-the-human-element/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Body Talk&#8230; Arms out rah rah rah</title>
		<link>http://www.headhacker.net/2010/07/28/body-talk-arms-out-rah-rah-rah/</link>
		<comments>http://www.headhacker.net/2010/07/28/body-talk-arms-out-rah-rah-rah/#comments</comments>
		<pubDate>Wed, 28 Jul 2010 13:40:22 +0000</pubDate>
		<dc:creator>Dale</dc:creator>
				<category><![CDATA[Body Language]]></category>
		<category><![CDATA[Arms]]></category>
		<category><![CDATA[Confidence]]></category>
		<category><![CDATA[Dominance]]></category>
		<category><![CDATA[Keeping you at arms length]]></category>

		<guid isPermaLink="false">http://www.headhacker.net/?p=356</guid>
		<description><![CDATA[Hope everyone is off to a good week, what with Defcon, Blackhat etc I am sure many of you are travelling. I personally had a weekend break in Cardiff and enjoyed doing a little grey matter manipulation, as well as talking about social engineering, mentalism, body language and more. So with body language on my [...]]]></description>
			<content:encoded><![CDATA[<p>Hope everyone is off to a good week, what with Defcon, Blackhat etc I am sure many of you are travelling. I personally had a weekend break in Cardiff and enjoyed doing a little grey matter manipulation, as well as talking about social engineering, mentalism, body language and more.</p>
<p>So with body language on my mind, it&#8217;s time to get into it again, this time we are going to look at the arms. Before anyone asks, yes they are my biceps&#8230;&#8230; honest.</p>
<p style="text-align: center;"><a href="http://www.headhacker.net/wp-content/uploads/2010/07/arm.jpg"><img class="size-full wp-image-357 aligncenter" title="arm" src="http://www.headhacker.net/wp-content/uploads/2010/07/arm.jpg" alt="" width="207" height="251" /></a></p>
<p style="text-align: left;">So why bother with the arms you might be thinking? Well they are a good transmitter when someone is expressing themselves, and they are a good area to observe to pick up on signs of both confidence and discomfort as well as other emotional experiences.</p>
<p style="text-align: left;">We also rely a great deal on our arms, not only for the obvious things, but for the subconscious actions that occur. Our arms automatically reach out to grab a dropping item, raise to protect us from danger in swinging and blocking motions, even when it may not make sense. This is again the limbic system carrying out basic primitive survival actions.</p>
<p style="text-align: left;">So onto the observational stuff. Have you noticed how when we are happy and content our arms move more freely, moving around on the wave of enjoyment, sometimes raising over our heads in excitement, exchanging high fives and cheering? When people are having a good time, content and energised you will really notice an increase in arm movement. When the opposite experiences and emotions are going on, there is a droopy sulky nature to the arms. Hanging down, more rigid and withdrawn. A key observation here is the arms forming very closely to our sides, or closing across our chest in a protective manner. These motions can be observed in relation to both physical and emotional pain or distress, it&#8217;s a guarded and protective reaction.</p>
<p style="text-align: left;">Another interesting observation is the statue / frozen type of stance in the arms. This is a common reaction that stems back to animalistic survival techniques, we freeze to attempt to remain unnoticed. If you observe someone become statue like / arms fixed to the side in the presence or approach of an individual this is usually a sign that there are bad feelings, or a history of discomfort in the relationship.</p>
<p style="text-align: left;">The arms also have a story to tell when you are approaching them. If you are approached with arms stretched out, in a come here type of look, it&#8217;s pretty clear they are happy to see you. If the upper arms remain rigid in a vertical manner and just the lower arms are extended from below the elbow, then this communicates that you are kinda welcome, but the greeting is more one of political correctness. Arms placed behind the back locked out of sight is a clear signal of not being interested, wanting to be left alone, and not to be interacted with. This is somewhat similar to when people have their hands in their pockets, and are in a world of their own. If you see these latter signs when you approach someone, it is a clear signal that they do not want to interact with you, or depending on the situation have something to hide. Another common display, and I am sure many of us are familiar with the saying &#8220;keeping you at arm&#8217;s length&#8221;. Well this is true, we will extend an arm to keep people at a distance that we feel keeps them out of our personal space. You often see this in crowded places, and situations of conflict.</p>
<p style="text-align: left;">Finally we shall quickly look at the arms language regarding dominance. We have spoken about this a little before, in how humans spread their legs to take up more room, in a sign of territorial stance. The arms can also play a similar role. People spread out their elbows, place them on their hips to take up more space, and show they are dominant in that space. The more or less territory someone takes up is a good sign of how confident they are feeling at that time, in the situation they are in. Another sign of dominance with the arms is when people put their hands behind their head, with elbows pointing out. This is a very confident, laid back approach, signifying authority and that you&#8217;re in charge and mean business. Similar to this is having arms spread out spanning multiple chairs, or a bench. As well as planting your hands with arms splayed out on a desk, in an authoritarian manner.</p>
<p style="text-align: left;">Hopefully you found this information interesting and insightful. As per usual be mindful, keep your eyes open and watch for what&#8217;s happening around you.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.headhacker.net/2010/07/28/body-talk-arms-out-rah-rah-rah/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
