In the wonderful world of InfoSec we often talk about zombies, and the associated botnet zombie army. With our army of machines we can do our evil bidding, and wreak havoc upon the unexpected users of the Interwebs.

So what’s this got to do with social engineering? Well I was talking to Jayson Street last week about some of the techniques I have used to get information and assistance from people on the inside of an organisation to help me with an engagement, and I kind of likened this to creating my own little army of zombies who are willing to do my bidding when asked.

So I will just talk you through a few scenarios, you can then use this information to help formulate your own approach on engagements, and use this information to enhance your training and awareness around social engineering.

One of the key things to realise when you’re looking to do anything that requires influencing and manipulating people, is that we are all going about life playing our own game, or if you’re an NLP fan, operating in your own frame. So when we want someone to accommodate our requests, we need to get them to stop playing their game, and start playing ours. We need to re-frame.

One of my most successful approaches to this in social engineering is the use of the fake, and slightly altered, get out of jail free letter. This letter will start off by congratulating the individual on challenging you, and then further explain a modified story of what the engagement is, and that they can now be brought into the circle of trust and help facilitate.

This does a few things. First of all we are starting with positive acknowledgement of success. We all like to be told when we have done well, and having this confirmed in written form as well as verbally is a double whammy. You may even want to take this opportunity to anchor the positive emotions for later use. Next we are given formal written approval to help out on this engagement, so it must be official, and we now feel a bit more important. Lastly, and I think this is my favourite part; they are brought into the circle of trust. No one likes anything more than to be part of the secret squirrel brigade, it’s all hush hush and James Bond like.

I find this approach works especially well with security guards. So then you have your zombie, who has internal knowledge and access to most areas within the facility.

Another approach is that of rapport and conformity. This approach requires time invested outside of the targeted facility. The recon process is essential, so you will build up a good understanding of the company, the various departments, and some key senior names etc. You then identify a common location where employees gather. This could be a lunch time or after work cafe or pub, basically somewhere that over time you can have a high level of certainty you will have the same people appear repeatedly.

The next stage is then to build up some rapid friendships, familiarity and some form of common ground. Everyone’s approach here is different, however as I have mentioned before I use the mentalism and beer route, on the premise that most people like a drink, and magic.

So from here people will see me doing different demos in that environment, work your way around to the target, whilst building up their interest. At the appropriate time you start interacting, showing the individuals something interesting, and getting people laughing and having a good time. We like people who make us laugh, and we like people who we consider to be similar to ourselves. Now is the opportunity to also ask information about them, where they work, what department etc, this is achieving confirmation of your research, and is building up rapport. You can then reciprocate with false information about you recently joining the company also, and mentalism etc is your hobby when you’re not working in such and such department.

Now we have a new friend. Friends look out for each other. We can use this friend to get a bit more information about the business, strengths and weaknesses. Now when we look to get into the company we can utilise our friend, either entering at the same time as them, or having reception call them to verify you.

So there are just two examples of methods you can use to get people playing your game, you may look to use this directly as described or more indirectly and use these techniques for misdirection to assist a colleague to gain entry.

Finally I will give you a hypnotic example of creating your own REAL Zombie utilising the power of the mind.

Those of you who are not familiar with hypnosis may be poo pooing this already, but please read on for enjoyment if nothing more.

So in this scenario I will use the similar approach with making a new friend, or at least building up a relationship that allows me to demonstrate mentalism and hypnotic phenomena.

So I will go through the motion, and assuming the subject is working well with me and what many would class as the more impressive phenomena such as amnesia is working, then I would look to make a post hypnotic suggestion and give amnesia for the suggestion. As an example you could give the suggestion that the next time you meet and say “let me in” you believe 100% unconditionally that I am authorised to be onsite, and to have access to any areas requested. You then remove conscious memory of this suggestion, in the knowledge that the subconscious will act as expected. If there is going to be a big time gap, it is important to include some time frames in the suggestion also.

The next step is of course to try it. Obviously you have tested other phenomena before giving this post hypnotic suggestion, so you do have a level of confidence, however the brain is a strange and mysterious thing, and many things can impact the work you have done beforehand. So as with all social engineering engagements, have a plan B, C, D, etc.

The longest I have gone between giving a post hypnotic suggestion, and executing it is a week, however in theory with the correct instruction and intent it should work weeks, months or a year’s gap. In my experience the less time you leave the suggestion, the more successful the results, however this is no doubt a skill issue with me, practice practice.

As with all of this, look to practice with permission, and try things on a less elaborate scale. So try just making friends with people in pubs and cafes to test your rapport building skills. Try and get people to help you out in different situations and environments, get them playing your game. If you are interested in the hypnosis side of things, of course most importantly is to learn the foundations first and then build up, then when you are at the right stage, try simple to understand post hypnotic suggestions. Something like when I tap you on the shoulder and ask you for a beer you will believe I have just bought you one and it’s now your turn. The process for the suggestions is all the same, obviously some have more of an impact if they don’t work than others.

When I speak to people (non Infosec passionate types) about the work and research I do around the content I post on Head Hacker, I normally get a few responses. Shock, Disgust and Intrigue. People are shocked because they are not aware of some of these skills and process, they are disgusted because it’s not right, it’s not ethical, and a breach of human rights, and then we have the intrigue as I start to really explain what it’s all about, and what I am doing. People are curious of how this knowledge can help and protect them.

So this got me thinking, perhaps I should write a post on why I think people think social engineering is unethical, and why I consider the majority to be ethical, I do think in some circumstances there is a grey area. I have asked quite a few people about their ethical standpoint when it comes to social engineering, as I have on a couple of occasions had semi heated discussions with organisations about techniques that can and can’t be used on an engagement. I personally find most professionals ethical in their approach, but some comments from some do make me shudder. I am confident in the fact that I only operate in areas where I feel comfortable that I will be operating in an ethical manner, other areas I have not quite figured out continue to be researched and debated both internally and externally.

In the research I have done on ethics of social engineering, I have really not found there to be anything about, perhaps people don’t care? I think it is a real issue that all professionals should consider, and take time to reflect upon.

Why people think Social Engineering is unethical….

In my experience most people say social engineering is unethical because you are tricking, or conning someone, stealing data about them, using the information to access sensitive information, get free stuff, gain entry and generally manipulate people to do things, or disclose information. I totally understand this thought process, and in a way I think they are correct, there are people out there doing this, and they are both good and very effective with the skills they have, they have become life time criminals.

The key issue here is the perception and it’s a negative one. Not everyone uses their knowledge and skills for breaking the law, they use their skills and knowledge to better the populace, inform and educate to make people less likely to become a victim. The truth of the matter is, you don’t really stand a chance of beating the bad guys unless you are exposing yourself to the same skills, tools and environments.

In an effort to draw an example, medicine can be used to cure and relieve pain in the right hands. The same medicine in the wrong hands and with the wrong intent can be used to inflict pain, and even kill. Knowledge, process, tools, etc can all be used for positive and negative, it’s the individual who is responsible for the actions and result.

Why and how I think Social Engineering can be ethical….

The first reason I think social engineering is ethical is due to the intent. Now I am not saying that the outcome of the exercise may enable someone to do something malicious, but I don’t think this is a justifiable reason not to gain knowledge, research, test and experiment. If we never did this, the human race wouldn’t evolve. So I feel that any social engineering engagement or activity I undertake or become involved in is for a positive outcome and where appropriate I always seek permission at a high level, and understand any specific areas that are no go, as well as using my own common sense and experiences to guide me. People intentionally manipulate people every day; we have all been doing this since birth. We all have different reasons for manipulation; perhaps we feel it would be best for the person, or best for us. When we negotiate to get a reduction on an item we are buying, this is a form of manipulation, but as we feel we are not harming anyone, it’s considered ethically and morally ok.

So I feel that if you are researching, carrying out SE with permission, and using the information to benefit people, and educate and bring awareness it can be ethical, and this is certainly how I believe I go about things.

It’s a little grey….

So there are some grey areas. Can an organisation give you permission to manipulate and extract information from the staff they employ? Should people who are subject to social engineering activities be punished for being the weak link in the chain? If you gain generic permission, let’s say to hypnotise, then you use this permission to extract sensitive data, is that ok? I am sure we can all think of many more situations that are not so clear.

To be honest, when it comes to these grey areas I am not sure on all the answers. However I try to limit these grey areas by defining up front in an appropriate level of detail what could happen as part of the assessment, types of scenarios and ways to extract data, and that individuals will not be named in reports. Obviously the company may use other techniques to help identify how this information was gained, but that is outside my scope of responsibility. So to that end I would say that I am operating in an ethical manner, and so would anyone else that has considered the above issues. When in doubt don’t do it, if your internal ethical and moral compass is unable to guide you, get additional information and input from others who are in an informed and experienced position.

I certainly don’t think the grey areas are reasons not to carry out social engineering engagements, the criminals are not concerned about ethics, and to test we need to adopt this mindset to a certain degree. It is also important to share our thoughts and research, and we have to let the individuals dig further and use this information as they feel is most appropriate.

So to conclude, if you are interested in social engineering, and you want to work with, investigate and research the skills associated, do so in a professional and ethical manner, be mindful of what you’re planning, put yourself in the subject’s position, how would you feel if someone did to you, what you are planning on doing to them. If you’re happy, then it’s most likely a good sign you will be operating in an ethical manner.

No one has all the answers, but it’s a conversation worth having, and to continually question is a good thing. I hope people reading this will want to share their thoughts and experiences, so I welcome and look forward to reading your comments.

So I am sat here thinking what to write about this week, and I kept going over things, but for one reason or another my mind is elsewhere. I kept thinking, no, that will be a rubbish post. Then it hit me…. dumpster diving :)

If you’re not sure what dumpster diving is, then it’s just what it says really. You’re digging around in the rubbish / trash looking for that nugget of information that can help you in your information gathering stage.

So what are you going to find in the rubbish, not a lot surely? Wrong. Individuals and companies put a lot of seemingly unimportant information in the bin. This rubbish can help us in many ways. We can find thrown out junk mail, that would be targeted around what an individual does, this can help build a profile. We may also find pre-approved credit card applications and the like, these of course can be used for identity theft. This is nothing new, and criminals have been doing it for years, and even though people shred a lot of their bank statements and the like, this supposed junk is often overlooked.

Organisations, you may think, do a better job. They have confidential waste bins, that get sent off site to be shredded, to stop someone getting access to what the company considers juicy information. This is often the case, but in a few instances I have found these confidential waste bins sat unlocked near loading bays awaiting collection, perhaps a case of out of sight out of mind.

Then we have the general waste. Now this has become somewhat easier in recent years as companies have become more environmentally aware, because we now often see multiple bins for paper, waste, and recycling etc. This is obviously helpful to us, so we can hopefully ignore the bag of apple cores, moldy sandwiches and other untold horrors, but don’t forget that humans make mistakes, so there is still sometimes gold to be found among the banana skins.

So what are we looking for when we are doing our stig of the dump impression? All sorts of valuable pretties can be found. We can find internal memos that will give us contact names, phone numbers and internal gossip. We can find business cards, and correspondence from the company’s 3rd parties, this helps us to identify viable 3rd parties to impersonate. You can often come across various sensitive reports, network diagrams, IP lists, customer details, alarm codes, passwords. All the things you think would be shredded, can turn up when dumpster diving. In addition, organisation charts, company phone directories, policy and governance information, print offs of people’s calendars, letter headed documents, CDs, DVDs and even old hardware. It really can be an Aladdin’s cave.

Things to remember when you go dumpster diving, dress appropriately, wear gloves, and take a bin bag to dump stuff in. Be aware that you may be trespassing as part of this exercise, so you may come across a disgruntled security guard, or his pooch.

Dumpster diving is often a dirty, filthy, smelly job, but the rewards can often be significant. Another approach is to simply take refuse bags and go through them at a more remote location.

One man’s rubbish is another man’s treasure :)

In the first series of posts I want to cover the basics of each topic. A good place to start is Social Engineering, so let’s kick off with what it’s all about, when it’s used, as well as the why and how’s involved.

Wikipedia Definition – Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical hacking techniques (essentially a fancier, more technical way of lying)

Everyone is born a social engineering expert, but over the years we adjust the way we behave, act and interact with people based on our understandings of right and wrong, and our cultural environment, along with our ethical and moral standpoint.

As a child we are the masters of manipulation. We make our parents and other adults around us give in to our wants and desires. We achieve this due to a human’s desire to be accepted, build relationships, friendships, and to be considered thoughtful and accepted. We want our children to be happy and to think we are great parents, and it is for this reason we give in to their pestering and persuasion. Children often play one parent off against another, which also results in building a perception of acceptance or rejection, that is then utilised for their benefit.

As we become adults, most of us don’t feel this sort of manipulation is accepted behaviour, and as a result we adjust over time as to how we interact and communicate with our peers. A social engineer utilises these adjustments and expectations we have evolved to, and the human desire to please and accommodate each other. It is through this vulnerability that a social engineer creates a scenario of acceptance (types will be discussed in other posts), and as a result becomes accepted in the situation they find themselves present. This acceptance can take multiple forms, it could be someone of authority on the end of a phone asking for information, someone inside a building and accepted as authorised to be there, essentially someone communicating via any medium as trusted, expected and belonging.

The limits of social engineering are down to the imagination, creativity and confidence of the social engineer and the acceptance of the target / victim.

Here is a quick example of when and why you would want to use social engineering techniques. Let’s imagine a competitor of your organisation has developed an amazing new technology. Everyone is sworn to secrecy, but you have been tasked with getting this information (we won’t discuss the legalities here).

The organisation in question is quite tech savvy, and they have adequately secured their network perimeter, and it is determined there is not a lot to be gained from external network and vulnerability scanning. We need to get inside the organisation to stand a chance of success.

Getting inside will require the social engineering skills. We will use open source information from social networking sites, information collected from the trash, hang out at local known hang outs, make friends with co-workers, whatever it takes. We will understand who regularly visits the company sites, vendors, service suppliers and more.

Now we have information we can paint a picture, and create a feasible, workable, and realistic scenario. Now we could use this information to establish ourselves as an employee, this may take some time, and due to the nature of work may mean you easily stand out to those working on the project. You may identify a key person on the team and get the information out of them in a social setting. People are often proud, and want to blab about something, especially when they know they are not supposed to. Most likely in this scenario we may pose as a service provider of some sort to gain access to the building, or tailgate. From here we could install a network tap to log traffic on the network and sniff all the content to steal the data, or perhaps if appropriate steal the physical hardware. The point is, social engineering can be used to get us in and out of the building, ensure people want to help us and share information and more.

Social engineering may seem like Jedi mind power, and super complicated. However, once you understand the principles it’s simple stuff, all you need to do is research and be confident. You will find it’s amazing what’s really socially accepted and you can get away with, both consciously and subconsciously.

They say there is no patch for human stupidity, I say there is. Make people aware, and have them experience first hand. Most people when experiencing a few times will not suffer the same so lightly in the future. Individuals and organisations spend a lot of money, time and focus on technology and policies, but time and time again there is little to no focus on the people elements.

The guys over at Social Engineer have come up with a great framework that is continually being developed, it’s certainly worth a look.

Welcome and thanks for visiting the Head Hacker website.

The goal of this site is to discuss the benefits, process, theories and qualities associated with social engineering, and what I consider to be linked skills, products and theories.

So obviously we are going to discuss social engineering and the spy and tech tools that we can use once we are in, but we are also going to discuss other skills that you should be aware of, and you can add to your brain toolkit to increase chances of success and take tests further. We will look at Neuro Linguistic Programming, Hypnosis, Influencing and Manipulation skills, methods of Misdirection, Mentalism, Cold Reading and more. I will also mention some possible Magic that may come in handy as part of recon, and relationship building.

The content is going to be based on my experiences, research, thoughts, theories and discussions with other practitioners in the various industries.

Feel free to add comments to topics, ask questions and make requests.

I hope you enjoy the content as it develops and grows over time.

Thanks

Dale