Happy Easter everyone, I have some spare time so I thought I would put fingers to keyboard and put a blog post out I have had on my mind for the last month. Even though I plan to post every month, life with a little one and busy at work does get in the way, and I really don’t want to post something just for the sake of it. I always want to share information that is relevant and will be of value.

So with that in mind I wanted to talk about phishing, and how important it is to select the right bait.

So as a social engineer there are going to be many times when phishing is going to be the best approach to get your gig off to a good start. Phishing is a low risk approach, but the rewards can be very high.

The important thing to say at this point is I am talking about phishes that have a higher percentage chance of success, this might sound obvious but all phishes are not created equal. APT, Hacktivists and those just out to make a buck play the percentages, they send a large amount of email out, and the quality isnt always that great (You have seen them, you can spot them a mile off). Of course this is different to spear phishing, where things are more targeted and frankly they do a better job when it comes to the content of the phish. The reason I mention this is, if this is what your customer wants (they probably know the answer, and it might not help them in reality, or you for that matter) simulate it appropriately, but depending on your targets it could be hit and miss.

So how do you do it right? Like most things in social engineering do your homework. OSINT plays a big part here, what are your targets doing online, are there common interests, shared groups and themes around their activities. What types of language and communication is their employer using to communicate, what campaigns are running, what would be expected?? When I talk about language I mean both the actual language (many people involved in SE have to deal with people outside of the English speaking world), this doesn’t mean that you cant use English, your homework will tell you this, but regardless you are looking for the phrases, buzzwords, key names and meanings that will imply legitimacy.

Legitimacy is important, and will often force you to use languages and subjects that don’t shout spam and phishing email, but this is something important to consider also. What inbound controls are you facing, how will your email be graded, what tests can you do, how can you verify delivery of phish? These are all components you will need to be considering if you are truly simulating your customers external threat.

So lets assume legitimacy has played its part, your phish has arrived in the targets inbox, and they think it looks legit. So what is it that is going to make them open your attachment, or click that link? Influence that’s what. You may remember some time ago I wrote about the 6 rules of influence, well this approach will help you in your phishing attack. Perhaps they will click your link as they will gain access to something difficult to get hold of (scarcity), perhaps its a direction from the top and must be followed (authority), or perhaps its as simple as the chance of winning something, I mean who doesn’t want to get there hands on a sexy iPad 3.

Right so your target is all about the clicky clicky, you have succeed? Erm possibly not This is where playing the odds comes in handy. To get to this stage you have already had a few levels of phishing success, the mail made it pass all the ingress checking and arrived in the inbox, the subject was appropriate enough that your target opened and read the email, now they are clicking the link or opening the attachment. This is success, but I imagine in most cases now you want shells

Of course you do, who doesn’t. Of course if this works you can do the happy dance, but if it doesn’t you will be pulling out your initialed hanky and weeping like a baby. Why didn’t it work? Perhaps your payload wasn’t built properly, perhaps you set the handler up wrong, perhaps your system crashed, who knows, but you had all your eggs in that one basket. This is why you should play the odds with your phish, have multiple out, this leads to success at some level.

Playing the odds in my mind means the following. First of all I always try and include some form of credential harvesting component (Its a common winner in my experience), I also tend to employ the joys of a BeEF hook. I think BeEF has alot to offer in the future so now is a good time to build it into your approach (you can grab systems info, launch iFrames, keylogging and all sorts). Its also a good idea to consult your Apache logs to see whats being give away. If you do a sample wave of phishing you can use this as recon (I tend to use what I consider low value targets here) and find out browser types, plugins running, java versions etc, all important information for phishing. Include some browser exploits based on what your recon has informed you about, if you can do it transparently great, but if you need to pop up a windows or dialog box (ala Java Exploit) then make sure its believable.

This isnt an exclusive list by any means, and I appreciate I have not gone into huge detail (perhaps I will give a talk on it) but I really think you will see an increase if your success, and as a result increase the value of the service you provide to your customer. Oh and don’t forget, if its appropriate a little phone call could help in the legitimacy stakes and get that clicking going on

So as always I hope this was of some interest, and of some help. I welcome all questions and feedback, and if you liked it please feel free to share with others. Until next time, take care.

Happy New Year Everybody. Sorry I have been slack with blog posts this year, family and work are keeping me busy at the moment.

So less about the excuses and more about the doing When I speak to people about Social Engineering there are many common themes, most common being how to handle failure and how to go about being the person / group you are impersonating. The other one is how you make that initial introduction, and start getting your manipulation fu on. Its a good question, and one I used to struggle with when I first got started.

I would say its pretty common to be nervous when approaching someone, especially when you have some form of manipulation planned. I don’t want to offend anyone, but this is what dating is initially right? You want that person of interest to be spell bound by you, so how do you make that first step without totally destroying any chance of success? Well my clue is in the aspect of dating.

When I was researching Hypnosis, NLP and the wonderful world of Mentalism I came across the work of PUA (Pick Up Artist) Ross Jeffries. Now I am no huge fan, and I think some of this stuff from the PUA community is border line on the ethical and moral front for me, but I am sure it works and gets the results if thats your thing. Anyway, one of the things they talk about is how to introduce yourself to that person of interest. This technique applies for the dating game, if your looking to try out some magic and mentalism, as well as engaging in some social engineering. Obviously its important to have context, and timing and the place is crucial, but the approach is to Compliment, Introduce, Question (CIQ).

A simple example could be as follows: You look like a helpful set of guys, my name is Dale and I started here today. I left my badge inside, would you help me get back in please?

Its simple, concise and does the job. It is also useful to use language that implies compliance. Phrases that include, could you, would you, can you etc have a form that implies of course we all know you can meet our request, but its not very often you get a smart Alec that doesn’t want to comply.

Short but sweet post, but something for you to try out in any situation where you need to introduce yourself, remember never miss an opportunity to use the power of persuasion.

I think most people would accept, that when it comes to building rapport and getting to a stage of some form of manipulation is normally always possible with anyone give a decent amount of time. This is great for making REAL friends, but in the social engineering context we normally don’t have or want this lucky, we like it quick and dirty so to speak. We have discussed many ways to have this happen, but I think we have a little discussed manipulation assistant that we can utilise. This is something known as confirmation bias, also known as Tolstoy Syndrome.

So what is confirmation bias? Essentially this is something that we all suffer from to some degree, and depending on your opinion more than others. Confirmation bias is the human tendency to favour information that is associated with their beliefs or preconceptions, regardless of if this information is true or factual. So when we communicate people will be selective in their memory selections and interpret what we say in a biased way.  Some consider this bias as being the internal yes man, also willing to agree even in an ambiguous context if what they hear matches their beliefs, and filters out the unwelcome information.

Probably all sounds obvious right, and why do we care about this. Well I have to be careful how I describe this as to not get your backs up regarding your confirmation bias.

Lets consider this scenario. As part of your intelligence gathering exercises on your mark / victim you identify that they support Man United Football club, they love dogs, recently got a new car, seen on forums they are not to happy with their job, and a recent tarot reading said good fortune is coming their way soon.
Now in my experience using any of the obvious stuff, like animals, football clubs will yeild good rapport building results, as we like people who like us, and are like us, it sets up a common ground. However I think the stronger and faster rapport builder, that will lead to a quicker manipulation frame would be the tarot route. The reason for this (in my opinion) is that this sort of thing is treated with a large amount of scepticism, and myself personally don’t believe it to be valid and have not seen any solid research to prove it. However many people have a confirmation bias to this, and I would imagine feel a minority in that aspect and would really feel a close bond to someone who shared this same interests.

The reason I raise this point is that when we are acting out our pre-text as a social engineer, we should no longer be ourselves. We should leave behind our personal baggage and be 100% committed and open to the situation we find ourselves. If we fail to do this we may end up in a situation that builds distance not rapport. So for example when not working and if someone started speaking to me about tarot readings I would quickly lose interest and be looking for an exit plan, this could present a missed opportunity. Since my transition from hypnosis sceptic to hypnotist I have a large appreciation for this sort of thing.

Now you might be thinking, OK sounds great in principle, but there is no way I could just blurt out I was into tarot reading as it would be just so odd. My first point is your thinking out of context. Blurting that sort of thing out to a random person could be considered crazy, but we know this is a person of interest.

Lets go through a super quick conversation example.

Victim : Hello Acme Systems, how can I help?
Me : Good morning. I hope you can help me as I am on a tight deadline to gather some information for my project.
Victim : Sure I can certainly try, what do you need?
Me : I work for the local government security council and we are carrying out a study of how companies securely dispose of their confidential waste.
Victim : Oh, I am not really to sure if we can give out that information.
Me : I totally understand your concerns, and I dont want to get anyone in any trouble, but this is for a government report. We sent out official requests in the post but so many companies didnt response, I guess everyone is just so busy.
Me : Could you possibly find out who could confirm if you can give this email. Perhaps there is some information on your Intranet, or someone you can call.
Victim : OK I will have a look, please bare with me.
Me : No problem
Few seconds pause….
Me : Whilst your looking, did you have a good weekend? The weather was pretty bad again wasnt it.
Victim : My weekend was to bad thank you, how about yourself?
Me : It actually turned out really well. I went to see a tarot reader, and I had a really good reading. I know some people think its  all phooey but it was just amazing.
Victim : Really. I have had a few tarot readings myself, and your so right about other people, but I really rate my tarot reader.
Now we go through the process of talking tarot for abit, so make sure you have done some research on terms etc.
Me : Its great to meet someone who shares my same interest, it really is rare. By the way how are you getting on with the information on the confidential waste information.
Victim : I cant seem to find anything, but I think it would be ok to share the information anyway. Its Acme disposals.
Me : Brilliant, thanks you really helped me out. Thanks for everything and take care.

This hopefully kinda gives an idea, utilising that dead time when they are searching for stuff, get the hook and exploit it to manipulate your way to getting the desired information.

Hope this was of interest, and you can try this in many scenarios. Those that know me will know that I used similar techniques to this on the phone to get discounts and freebies when I am buying stuff, same principles apply. Essentially regardless of your beliefs you are going to go with the grain, not against it.

In my recent talk Social Engineering Like In the Movies – The Reality of Awareness and Manipulation I talk about how important it is to understand body language, especially in the right context. I also mention how even though generally once you have a baseline alot of body language is global, but some gestures can catch you out.

With this in mind I thought I would share something with you that I stumbled across this week. Its a book about global gestures and a guide to what they mean. Now dont get to excited, I have not yet bought the book, and now sure I will has the feedback isnt great, however I did find out the writers have released an iPhone App, and its only 0.69 pence, so gotta be worth a punt

So is it any good? Well I think its not to bad actually, and for the price its very good. If nothing else its interesting to look and the different meanings, and you can tell it what country your in and it will bring up some common gestures.

I would like to see alot more gestures to be honest, as it is some what limited (perhaps if the book is the same its why people have not given it a high rating) but perhaps they will build upon this. The main thing is I dont think there are many other resources with this info, so why not check it out.

Check out some screen grabs from the application to see what your buying.

I have the great pleasure of speaking at the 2011 IRISSCERT Cyber Crime Conference in Ireland this November.

IRISSCERT Cyber Crime Conference

The IRISSCERT Cyber Crime Conference will be held this year on Wednesday the 23rd of November 2011 in the D4Berkley Court Hotel, in Ballsbridge Dublin.  This is an all day conference which focuses on providing attendees with an overview of the current cyber threats facing businesses in Ireland and throughout the world and what they can do to help deal with those threats.

Experts on various aspects of cyber crime and cyber security share their thoughts and experiences with attendees, while a number of panel sessions will provide the opportunity to discuss the issues that matter most.

The conference will be open to anyone with the responsibility for securing their business information assets. There is no charge for those who wish to attend.

The IRISSCERT Annual Conference is an opportunity to not only increase your knowledge but also to meet and network with your peers in a relaxed environment.

In parallel to the conference, IRISS also hosts Ireland’s premier Cyber Security Challenge, HackEire, to identify Ireland’s top cyber security experts who compete against each other in a controlled environment to see who will be the first to exploit weaknesses in a number of systems and declare victory. The purpose of the HackEire competition is to demonstrate how attackers could gain access to your systems and allow you to learn from the event on how to prevent such attacks from impacting your network.

If you are interested in attending please register here.

The title of my talk is “Slipping In – You Wont Feel a Thing” and the abstract is as follows:

People are becoming more familiar with the term social engineering, but do people really understand the process a social engineer would take to gain access to their corporate assets?

Social Engineering can often form the catalyst of a sophisticated hack, the recent HBGary and RSA hacks being the most recent to make the headlines, and costing the companies millions of dollars.

In this talk we shall go through the high level steps and information used by a social engineer to gain entry and steal those corporate assets from right under your nose. We will discuss the reconnaissance and information gathering process, how to build important relationships, creating the right level of influence, gaining access, identifying the assets and finding the nearest exit.

The dictionary defines Elicitation as bringing or drawing out information, or to call forth and provoke a desired reaction. Elicitation is a powerful tool to anyone looking to influence and gather information in a relatively low risk and covert manner. The reason for me remembering I should write a post on this topic is due to an experience that happened this weekend at a local beer festival, as well as lots of drinking I entertained with abit of pseudo mind reading. You might wonder what the hell this has to do with elicitation?? Well I am sure it is apparent to most people its not currently possible to simply read peoples minds. You can create the illusion by subliminally suggesting things to cause a thought, you can prime with questions that research shows will typically respond in a certain way (psychological subtleties), or you can gather information about someone to completely freak them out when you apparently make that connection, and I mean specific information, not generic cold reading style used by clairvoyants.

When it comes to elicitation I find that building rapport is essential, a pretext is also useful as it can get you out of a tricky situation of the questions get awkward. Most importantly though is what you say, and how you say it (the presentation). Before going into more detail, I will entertain you with the musings of Saturday evening.So I am at a beer festival (you already know its going to get messy), well technically its a beer, cider and perry festival, which is great as these days I prefer a nice strong cider. So I am stood inline with my cider tokens waiting to try another 1/2 pint of something new when I realise I have a 6ft male Smurf stood next to me, and a 5ft female Super Ted. I should point out that I am not yet drunk and seeing things, its common for groups to attend these sorts of do’s in costume, and it is often very amusing. Now someone who is dressed up isnt shy, and they obviously want to draw some attention (more on this later). Turns out Super Ted is with another group of people and after a quick chat gets her drink and wanders off with Optimus Prime, the Smurf however wants the same cider as me, so we get chatting about why he is dressed as a Smurf, how many people with him, what are they dressed as, where they live, where they are going next, etc etc. All information that was freely given, but if I was malicious can you see how this information might start to be useful. So I get my drink and on my way I go, I guess I should also note I am wearing my “I am reading your Mind” T-Shirt with Subliminal Hacking, Social Engineering, etc plastered all over the back.

So later on in the evening (few more drinks demolished) I have done a couple of illusions, and read a few minds and I stumble upon a Surgeon and Princess Leia. Now I know from my earlier encounter with the Smurf these guys are part of the same crew, along with a Vicar. So I took the opportunity to have a chat with them, and seeing as we were in the music tent I used this as my topic of mutual interest, and the fact the woman who just finished singing sounded like a cat in pain, it went down well   So I got chatting to these lovely guys, and used the basic information I had gathered earlier to quickly establish a platform to build from, as well as developing quick rapport. Remember we like people who like us, and we like people that are like us. During this conversation I got the ages of the people in the group, their full names, where they lived, along with the fact that the Smurf and the Vicar worked for a big well known global company, what their positions where, the offices they were based in, the fact one worked mostly from home, had recently married, the other had a new baby 3 weeks ago, and that someone of them where off work, and other to a convention next week, as well as how often they all meet up and more. Juicy information for a social engineer to build an effective pretext from, as well as some excellent no fail options to call upon in the event of being challenged. I still think information gathering and target exploitation is very effective outside of the work place, however in this case I just located the Smurf and the Vicar and totally freaked them out when I offered to perform some mind reading mastery. Its probably worth noting, that most people are a little more giving after a drink or two, so its certainly a scenario to leverage.

Why Elicitation?

So you might be reading this wondering what is the point, all he did was speak to some drunks and get some information? Well as Bob Hoskins said in the 90′ BT adverts “It’s Good To Talk” and he is certainly right.

To be successful at Elicitation in a Social Engineering context you don’t need to have the gift of the gab, but you do have to be confident in speaking to complete strangers, coming across as informed in the subject your are supposed to have knowledge (if not go the other way and show an interest), you also have to be a great listener (even if you find it totally bored). Elicitation can be done in written form, but it does take longer, and a written message can often be taken out of context and you may adjust inappropriately. Where possible I would always for go for it in person or over the phone. Body language is also important (even on the phone, remember you hear a smile), keeping an open posture, palms up in a non threatening manner, remembering to be considerate of personal space, and not being to territorial with your stance. Remember we are looking to extract information in a low risk, stealthy manner, not a mental mugging.

When you research your target (be that an individual or company) make sure you gather important bits of information to help form an appropriate pretext. Are you an expert, someone with interest, completely separated from the topic or other. This is important, dont pretend to be a rocket scientist if you can barely put the chain back on your push bike. For me I just be a different type of me (I have lots of interests), by this I mean I will disclose information about myself, however it may not be 100% accurate. This way its pretty easy for me to remember the pretext in great accuracy, opposed to a completely new ID, just like an actor will bring some of themselves to the role.

So why are people going to share information with you, why are they going to give your these snippets of verbal gold that you can then piece together to form a strong chain to launch your attack from. Simple really, people love to be the Oracle. We all have egos, and if you can touch on a topic that someone has knowledge of, and simulate the belief you know very little, most people will be more than happy to tell you everything I also consider myself a good people person, and I believe one of my strengths is to look at a situation from multiple perspectives. For one reason or another this can result in complete strangers telling me all their life stories, problems, issues, concerns and all.

If your not dealing with a look at me and my ego type of person it wont take long to find a subject of mutual interest to spring board from. Perhaps you both like dogs, the same drink, the same establishment you are visiting, maybe its a type of car or political view. What ever it is, it doesn’t really matter, this is just an in, just a way of kicking off that rapport building exercise, gaining trust, and getting the information exchange flowing. Now where a good social engineer comes in with the elicitation techniques is steering these seemingly random and unimportant conversations around to the nuggets your looking for. To do this I again draw on personal experience. Should I have been talking about dogs to someone, I might talk about a company I did some consulting for many years ago in Essex. This particular company allowed their staff to take their dogs to work, which is very rare in my experience. I would assume the individual I was speaking to would also think this is a rare occurrence and wouldn’t be tolerated at their work. I might then describe what I would imagine to be the total nightmare of taking my dog through the turnstiles at my office, whilst holding the lead, carrying my bag and swiping my ID badge. I would then use this scenario and the principle of reciprocation to ask my new friend about the process of getting into there company, then we could moan about when the card doesn’t swipe properly, perhaps I could even take a look at said card. Its really up to you where you take it.

Asking the right questions is also important, open and closed questions can help you route your way to the information you are trying to gain. If you keep asking questions that result in a yes or no answer your going to soon get both frustrated and no where fast. So don’t hope if you ask 100 questions someone will give in, reality is you have probably blown your cover some time ago. Remember the key to excellent elicitation is conversation, so it shouldn’t feel like an episode of mastermind. Its also a reciprocal experience, give out information (doesn’t have to be true, but should be valid) to build up trust, and this will also elicit more information flow, but don’t go to crazy otherwise the conversation could go off track and take you further from your goal.

Tonality and modality are also important. There is no point asking a question, and looking interested, but you sound like a monotone robot who couldn’t care less about the awaited response. Again this comes back to what I have said about pretexting and really BEING what you say, so when eliciting information its important to be interested, or passionate or curious about the conversation you are having, as this will help its acceptance and allow trust to grow and information to flow.

One final approach that springs to mind is to take an approach that provide a positive form of confrontation. By this I mean providing information, or giving a statement that you know to be false, or against the opinion of believe of your target. Managed correctly this will spark a conversation where you can be informed on what they consider accurate information. You may get the information you wanted out of this discussion alone, or you may decide to milk it and play to their ego regarding their knowledge and wonder if they know anything about another topic, perhaps how their company handles confidential waste??

This has been a long post, but I hope it gives some introduction at least into the power of elicitation and give rise to thoughts of what can be achieved should you develop and master this skill. I think its important to remember you don’t have to get the complete picture in one hit from one person, think of elicitation as collecting pieces of a puzzle. They should seem insignificant on their own to the victim, and in the order collected, however when you put them together they give you a clear picture from which to define your attack. This for me is an important part of the engagement process, and can be getting information as simple as when the building is manned, or complete details on the forms of physical security deployed.

When it comes to protecting yourself from elicitation, the main thing is to be mindful. Don’t decide your never going to open up and talk to anyone (life is to short and you will miss out on lots), instead practice a little paranoia and ask yourself if there is a pattern of information you are giving away that may be suspicious. Ideally an awareness program would give examples like above of situations where you may give out information, however this is a vulnerability in human kindness. We don’t want the world to be less polite and kind, we just need to be more aware of some of the pitfalls of the information we give away both verbally and online.

Thanks for reading….

This year I have the honour of giving a workshop at Hash Days 2011 in Lucerne Switzerland. The course will run on the 26th and 27th October 2011, coffee breaks, snacks and lunch will be provided, all located at the Radisson Blu in Lucerne. All attendees will receive full copies of the workshop slides including notes, and will have the opportunity to have 1 to 1 discussions with myself to discuss other related workshop topics that they would like more information on.

Registration is now open, so CLICK HERE TO REGISTER

Course Details :

Overview :
All  organizations  have  one  vulnerability  in  common  and  that’s  the  staff.  People  are  valuable  in
making  an  organization  function  but  sadly  the  wetware  is  vulnerable  to  attack.  In  this  course  we
will  look  at  how  to  exploit  those  vulnerabilities.  Attendees  will  cover  the  fundamentals  required
on  a  social  engineering  engagement,  such  as  the  approval  and  planning  stages,  information
gathering  and  execution.  However,  the  main  focus  of  the  course  will  be  the  subliminal  hacking
skills.    In  this  course,  we  understanding  how  the  mind  works  and  why  it’s  vulnerable,  and  how  to
exploit  it  as  well  as  how  language  is  a  powerful  influencer.  Body  language  will  also  be  discussed,
how  to  read  it  and  use  to  our  advantage,  as  well  as  how  to  build  and  operate  a  successful  pretext.
The  subject  of  ethics  is  often  raised  in  connection  with  many  manipulation  techniques,  so  we
shall  also  touch  upon  this,  as  well  as  how  you  can  reduce  the  risk  of  being  social  engineered
yourself  or  your  company.  We  will  also  cover  useful  tools  for  information  gathering,  as  well  as
handy  equipment  whilst  on  the  job,  this  course  is  not  intended  to  teach  you  how  to  run  ports
scans,  exploit  application  vulnerabilities  and  drop  shell,  its  about  how  to  hack  the  mind  and
influence  the  situation  to  your  meet  your  goal.
You  do  NOT  need  any  previous  experience  to  Social  Engineering  or  Penetration  Testing.  If  you
have  thirst  for  knowledge  and  an  open  mind  to  new  possibilities  this  course  is  for  you.
Learning  Objectives:

• What  is  social  engineering
• Authorization  and  Scoping  Documents
• Information  Gathering  Techniques
• Engagement  Methodology
• Reporting
• Mind  /  Brain  Vulnerabilities
• Psychological  Approach
• Linguistics  /  NLP  /  Hypnosis
• Body  Language  /  Micro  Expressions
• Elicitation  /  Rapport
• Persuasion  /  Influence  /  Manipulation
• Pretexting  –  Being  THE  social  engineer
• Engagement  mediums  –  Phone  /  Email  /  Face  2  Face
• Ethical  and  Moral  Concerns
• Handling  Failure
• Social  Engineering  Risk  Reduction
• Defense  Strategies  for  your  Business
• Tooling  for  the  job

Who  Should  Attend: 

• Pen-­-testers  who  want  to  get  into  Social  Engineering
• Anyone  who  is  responsible  for  Information  Security
• Anyone  who  is  curious  in  learning  techniques  to  influence
• Company  personnel  responsible  for  security  awareness

Hardware  Requirements:  

• Laptop  (Netbooks  not  preferred)
• Windows  OS  (Physical  or  VM)
• Ability  to  run  VM’s  (VM  Player,  etc)

Bio: Dale Pearson is a passionate Information Security Professional with over 8 year’s experience in IT security, and over 12 years in the IT Industry. He has been exposed to and works in a wide range of security areas, such as security and risk consulting, policy and compliance, penetration testing, social engineering, forensics, incident response, and awareness training. Dale is the founder of subliminalhacking.net where he blogs about social engineering, hypnosis, and other skills to improve success as a social engineer. He is also one of the hosts of the Eurotrash Security Podcast

Register here for this workshop.

Albert Einstein was once quoted as saying “Imagination is more important than knowledge. For knowledge is limited to all we now know and understand, while imagination embraces the entire world, and all there ever will be to know and understand”.

I believe this is very appropriate to social engineering today, and could be what separates someone being successful or not in their abilities to persuade and influence. Remember as a child how you could imagine anything, invisible friends, a scribble on some paper could tell a life’s story, you could make anything and everything from a cardboard box and a toilet roll. To top it all off, you had every adult wrapped right around your finger. As we grow and develop into adulthood we learn new expectations on behaviour and interaction, and we struggle to observe anything that isn’t blindly obvious and poo poo the impossible.

What got me thinking about all this was some new research that has been going on around influence and hypnosis, and imagination is a key attribute to some of the success. I have been doing a small amount of research on this myself (hoping to get some video together for future talks) and I have found imagination can be a powerful frame. Those of you who have done any reading on NLP will know that imagination is a key word in language, and if you have looked into neuroscience you will know that some studies with MRI scanners have shown that when we imagine a situation, the same parts of the brain are stimulated, we can feel the associated emotions and our senses are stimulated.

So why do I think this is going to help you on your social engineering engagement, well I have three things based on the way I do things.

1. We all know how important the pretext is, you have done your recon and research, and you know how you are planning to approach your target. So now you have to BE your character. Imagination is an awesome way to achieve this. Imagination what it would be like for you to go about your day as this character, what would your mannerisms be, how would you handle conflict, whats your opinion on yourself and your job? This might sound obvious, but if this is the first time using this character it would be well worth sitting in a chair for 15 minutes or so and just carrying out this exercise. Then when it comes to actually doing this for real, you have been there before in your imagination, so there will be some sense of familiarisation. Its basically Déjà vu.
2. Utilise the imagination language. Factual information is important, however it can also be restrictive. When we include key words in conversation such as imagine, experience and feel we are requesting the mind run that scenario, asking them to mentally go on the journey we describe, or recall a similar situation of their own experience. You need to take somewhat of a gamble at times that you are going to invoke the emotions you want for your influencing desires are. If you have set yourself up as an engineer, and gaining entry is reaching some challenge, you could talk about not believing you forgot your badge, how you feel embarrassed and cant imagine the trouble your going to be in for not repairing / replacing the device. This will help to build the rapport you need to get the person on your side, to then execute other stages of your planned attack (Don’t forget your multiple outs).
3. If you are magically inclined like myself you may want to try out some imagination research. I have discussed before about my opinions on Hypnosis, what it is or isn’t, but I still think really its all just language. So whats my point. Well, there are constantly all sorts of Psychology studies and research going on, so I thought I would use this to my advantage. So I become the annoying research person with the clipboard, researching how good peoples imagination is, based on age, sex, industry they work in etc. This is all kinda irrelevant, but facilitates the pretext of whats coming. From here I go into the Non Trance approach of a hand stick or similar, then the name amnesia, and its during this interval before bringing the name back information of value is extracted. This information could be passwords, pin numbers, ID badge, all sorts. Everyone has different imaginations and different barriers internally so results will be varied. I am still trying to get consent for video footage to show this approach in a non targeted approach, so you can just get an idea of how it works.

So this is why I think imagination is very powerful. You may not know all the answers, you may not know what someone who actually does that role would do, but you can take a stab at it and imagine it based on your research and observations. All of which will leave you better prepared than someone who hasn’t done this. At this point I think there is value in pointing out some research on airplane crash survivors. Many survivors of plane crashes who managed to escape the wreck said the reason for the miracle escape was that they had played the scenario out in their mind many times. What would it be like, how would I get out, what would the likely route be, what obstacles would I face. So when it became reality they had better preparation, and where able to remain calmer and tackle the challenge of escape more successfully that their fellow passenger.

* Disclaimer – I share this information based on my own research and experiences. Should you decide to try out any of these techniques I am not responsible for the outcome, I say this as not everyone reacts well to being duped, and I have had people be a little peeved when they realise they have given or disclosed information, and even after explaining (and rightly so perhaps) are not the best of sports.

Hashdays – the premier technical security conference in the center of Switzerland organized by DEFCON Switzerland.

During 4 days the center of Switzerland will become also the center of IT security knowledge transfer. On October 26th and 27h you will be able to learn a lot in the workshops. The following 2 days (October 28th and 29th) will be full of highly technical IT security talks.

Be sure to reserve your seat early – the space is limited.

I have the pleasure of once again speaking at the awesome Hash Days Security Conference held in Lucerne Switzerland. The conference had its first outing last year and it really was a brilliant event, with great talks, workshops and attendees, it really was a good time, I even went to jail there

So this years talk is called “Social Engineering Like In The Movies – The Reality of Awareness and Manipulation”. On the TV and on the Big Screen we see all sorts of strange and amazing things, and when it comes to reading peoples minds, telling if they are telling a lie, or influencing someone to carry out our desires even the far out can seem possible. With the growing exposure of body language, micro expressions, and lingustic techniques sometimes we forget about actual reality. In this talk I will talk about what you can really gain when you understand body language tells, can the eyes really reveal hidden messages, and can we really get people to hand over their possesions with the right language and framing.