Social Engineering
How the bad guys really get what they want
25 October 2013

Agenda
- Who am I
- Summary
- What is Social Engineering
- The problem
- How Social Engineering is performed
- Who is at risk
- Preventive measures

Who am I
- Dad, husband, son & brother
- Studied medicine & computer science
- Computer security for 12 or so years (Secunia, CSIS, nsense)
- FX trading
- Hypno therapist (Milton E.)
- NLP
- Psychology
- Study fear & greed based decision making via FX trading

Summary
- The purpose of this talk is to present some of the techniques well-organised criminal groups employ in an attempt to exploit human nature, to get what they want
- The psychology behind Social Engineering

What is Social Engineering
- Psychological manipulation
- Encouraging your target to do something they probably should not
- Techniques typically have their roots in social sciences
- Helping your target to help you
So what's the problem?
- People are configuring all of these super secure devices
- People are answering the telephones
- People are greeting new visitors at the reception
- People are reading and responding to the email they receive
- People are opening the envelope and deciding what to do with the contents
- People are the front line of defense
- Don't necessarily need to know e.g. C++, PHP, ASM
- This is a people problem

How is this relevant?
- IT is no longer the only target
- Thinking this way turns people into doors
- But we use state-of-the-art security technology!
- Here is a little human

The subconscious mind is the super computer
The conscious mind is the firewall, the ruleset: our belief system (generalisation, distortion, deletion)

How can the firewall be bypassed?
- E.g. linguistics, physiology & psychology

Know thy self
- What are they doing and how? A quick look
How Social Engineering is performed: Target Interaction
- Physical (in person)
- Auditory (on the phone)
- Written (via email)

How Social Engineering is performed: Target Interaction - Physical (1/2)
- Face-to-face: the ultimate test of your coolness
- Confidence is absolutely everything
- Rapport: make them feel comfortable
- Initial impressions (non-verbal communication)
- Look confident but not cocky
- Hands

How Social Engineering is performed: Target Interaction - Physical (2/2)
- Grooming
- Frames (pre-, re-, de-framing)
- Prepping (e.g. keyboard story)
- Laws of persuasion (discussed later)
- Actual words spoken: 7%
- How they're spoken: 38%
- Expressions when spoken: 55%
- E.g. 20 second theory

How Social Engineering is performed: Target Interaction - Auditory
- Phone calls
- What is said *
- Physiology = state (how) **
- Tonality (how) **
- Speed (how) **
* 7%   ** 38%

How Social Engineering is performed: Target Interaction - Written
- Spear-phishing emails
- Physical media
- Written word *
- Our words must resonate with the reader; it helps to know who you are communicating with
- You aren't there to cheer them on
* 7%
How Social Engineering is performed: Representational Systems
- Visual
- Auditory
- Kinesthetic
- Auditory Digital

How Social Engineering is performed: Representational Systems - visual
- Speak quickly
- Move their hands whilst communicating
- Use visual language (e.g. see, appear, get the picture)
- Hobbies (e.g. photography, films)
- Value aesthetics

How Social Engineering is performed: Representational Systems - auditory
- Speak with a medium pace
- Use auditory language (e.g. hear, speak, listen)
- Hobbies (e.g. music, singing)
- Remember things they have spoken about ("you said x")

How Social Engineering is performed: Representational Systems - kinesthetic
- Speak slowly
- Remember things how they experienced them
- Slow learners but good retention
- Language (e.g. feel, gut feeling)
- Hobbies (e.g. sports)
- Emotional

How Social Engineering is performed: Representational Systems - auditory digital
- Want to understand ideas
- Language (e.g. this makes sense, is logical)
- Want things to make sense
- Tend to be spontaneous
- Memorize by steps, procedures

How Social Engineering is performed: Representational Systems - statistics
- Visual 60%
- Kinesthetic 25%
- Auditory 10%
- Auditory digital 5%
How Social Engineering is performed: Motivational Factors
People are typically motivated in the following two ways:
- To get pleasure (toward)
- To avoid pain (away from)

How Social Engineering is performed: Motivational Factors - toward
- Enjoy the prospect of possibility
- Act out of desire
- They like having the choice
- "If I do this then (x)"

How Social Engineering is performed: Motivational Factors - away from
- Often fear driven
- Act out of necessity
- Often forced to make decisions due to unfavourable circumstances
- "If I don't do this then (x)"

How Social Engineering is performed: What other methods exist?
- Let's have a look at some very powerful techniques, typically used for e.g. hypno-therapy

How Social Engineering is performed: Embedded Commands
- Truisms
- Assumptions
- Double binds
How Social Engineering is performed: Embedded Commands - truism
- Make a statement your subject can only agree with, and then deliver your suggestion
- "As you (truism), you (suggestion)"
- "Every time you (truism), you (suggestion)"
- "(Truism) means (suggestion)"
- "Because (truism) you can (suggestion)"

How Social Engineering is performed: Embedded Commands - assumptions
- Make an assumption that will get your subject to follow your lead
- "You may be wondering (suggestion)"
- "You may notice yourself (suggestion)"
- "I don't know when (suggestion)" (negations)

How Social Engineering is performed: Embedded Commands - double binds
- Force your subject into making a decision by giving them options via an either/or clause and let them choose
- "Would you like to (suggestion) before or after my meeting?"
- "Does A or B suit you better?" (can be combined with the law of contrast)

How Social Engineering is performed: Resolving conflicts - Interrupting automatic responses
- If you get stopped and are questioned
- Destroy the road from suspicion to confirmation
- Asking questions keeps you in control
- "What were you going to say?"

How Social Engineering is performed: Encourage them to help you
- "Imagine", "consider"
- Involve their senses with your language
- Yes sets
- Anchoring
Example

Dear Mr. Harper,

I am very pleased to inform you that you, and some carefully selected colleagues in your department, have been chosen by Wouter De Boer, to participate in an exclusive communication workshop.

Imagine what it would be like if you could learn new methods, which would enable you to literally increase the effectiveness of your communication skills exponentially. In today's world, one simply can't afford to leave prospects second guessing what you're trying to say. Can you see how useful this would be for you?

Please view the attached PDF file for more information about the workshop. As there are a limited number of seats, please confirm your desire to participate by completing the attendee confirmation form below:
http://all-good.net/workshop.php

We look forward to receiving your confirmation.

On behalf of Mr. De Boer,
Martin Garland
Example (annotated)
The same email, with the influence techniques the slide calls out:
- Social Proof
- Scarcity
- Embedded Commands
- Leading Authority
- Away from
- Towards
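The annotated email above can be turned into a small awareness-training aid: a heuristic that scans a message for the same persuasion cues the slide labels (authority, social proof, scarcity, embedded commands, toward/away-from motivation, call to action) and reports which principles stack up. This is an added example, not code from the talk; the phrase patterns are my own assumptions chosen to match this one email and would need a far larger, tuned list before being used as any kind of filter.

```python
"""Flag social-engineering persuasion cues in an email body (added example).

The principle names follow the annotated slide; the regex patterns under each
principle are assumptions for illustration, not a vetted phishing signature set.
"""
from __future__ import annotations

import re

# Each principle maps to phrase patterns (assumed, illustrative).
CUE_PATTERNS: dict[str, list[str]] = {
    "authority":        [r"\bchosen by\b", r"\bon behalf of\b"],
    "social_proof":     [r"\bcarefully selected colleagues\b"],
    "scarcity":         [r"\blimited number of\b", r"\bexclusive\b"],
    "embedded_command": [r"\bimagine what it would be like\b",
                         r"\bcan you see how\b"],
    "toward":           [r"\bincrease the effectiveness\b",
                         r"\blearn new methods\b"],
    # Tolerates "can't", "cant" and the "can t" seen in extracted text.
    "away_from":        [r"\bcan(?:'|\s)?t afford\b", r"\bsecond guessing\b"],
    "call_to_action":   [r"https?://\S+", r"\battached\b", r"\bplease confirm\b"],
}


def find_cues(text: str) -> dict[str, list[str]]:
    """Return {principle: [matched phrases]} for every principle with a hit."""
    hits: dict[str, list[str]] = {}
    for principle, patterns in CUE_PATTERNS.items():
        for pattern in patterns:
            for match in re.finditer(pattern, text, flags=re.IGNORECASE):
                hits.setdefault(principle, []).append(match.group(0))
    return hits


def pressure_score(text: str) -> int:
    """Number of distinct influence principles present (0..len(CUE_PATTERNS))."""
    return len(find_cues(text))


def triage(text: str, threshold: int = 4) -> str:
    """Coarse verdict: 'review' when several principles stack up, else 'ok'."""
    return "review" if pressure_score(text) >= threshold else "ok"


# The email from the slide, reproduced here as the sample input.
WORKSHOP_EMAIL = """Dear Mr. Harper,

I am very pleased to inform you that you, and some carefully selected colleagues
in your department, have been chosen by Wouter De Boer, to participate in an
exclusive communication workshop.

Imagine what it would be like if you could learn new methods, which would enable
you to literally increase the effectiveness of your communication skills
exponentially. In today's world, one simply can't afford to leave prospects
second guessing what you're trying to say. Can you see how useful this would be
for you?

Please view the attached PDF file for more information about the workshop. As
there are a limited number of seats, please confirm your desire to participate
by completing the attendee confirmation form below:
http://all-good.net/workshop.php

We look forward to receiving your confirmation.

On behalf of Mr. De Boer,
Martin Garland
"""

# A constructed, benign control message for comparison.
BENIGN_EMAIL = """Hi team, the Thursday stand-up moves to 10:00 this week
because the room is booked. Same agenda as usual. Thanks, Dana
"""

if __name__ == "__main__":
    for label, body in (("workshop", WORKSHOP_EMAIL), ("benign", BENIGN_EMAIL)):
        cues = find_cues(body)
        print(f"{label}: score={pressure_score(body)} verdict={triage(body)}")
        for principle, phrases in cues.items():
            print(f"  {principle}: {phrases}")
```

Run it as a script to see the workshop email light up every principle while the control message scores zero. The point is the stacking: any single cue ("attached", a URL) is normal business mail, whereas authority plus scarcity plus an embedded command plus an away-from motivator in one short message is the pattern the slide is teaching people to notice.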
Who is at Risk
- Some are more susceptible than others
- Understand who is most at risk (e.g. personality profiles, DISC)
- Some people aren't gate-keeper material; don't force them to be
- The first line of defense should receive training so they understand the risks and know what to do
- The C-Guy

Preventive Measures
Be careful with your rubbish:
- Hard disks
- Computers
- Notes
- Source code
- Documentation

Preventive Measures
- Be careful with your personal information

Preventive Measures
Never provide personal information over the phone:
- Do you know who you're speaking with?
- Can you be certain that it is them?
- Is the line secure? Are people listening?

Preventive Measures
Never respond to requests of unknown origin:
- This can initiate a dialog with someone you may not know
- Tells the sender that there is a potential fish
Preventive Measures
Be careful when handling sensitive information in public spaces:
- Usernames
- Passwords
- PIN codes
- Documentation
- Etc.

Preventive Measures
Social media:
- Be careful with what you choose to share about yourself
- Facebook, LinkedIn, Pinterest can be used for profiling
- Ensure that access to your social profiles is limited to those who you trust

Preventive Measures
Begin developing your critical sense:
- Question situations & people you are uncertain of
- Keep asking until you get a quality answer
- Don't allow their charm to sway you
- A lesson in assertiveness
- Be friendly about it

Thank you for listening
Your donations are welcome

Gear