NLP for Social Engineers

October 5, 2009

Anybody in the industry who has talked to me about NLP has understood my utter frustration about the state of NLP learning and its application to social engineering. It got me riled up enough to do a post on NLP and science a few months ago.

And, for the past few months, I’ve been pondering the idea of doing a free education series for the industry on what NLP is and how to use it as a social engineer. But, as anybody who knows me knows, I’ve been a bit busy. Foreground is taking off, having made the INC 5000 due to the phenomenal amount of growth (and corresponding amount of work for each of us). And my own projects (Connected Career, Information Security Leaders, and the projects we do through Michael Murray and Associates) have added an even bigger load.

But I got really riled up when I read the NLP section of the new Social Engineering framework. Because, while true, it doesn’t teach the reader anything useful about how to use NLP in SE. (That shouldn’t be taken as a criticism – I believe strongly in the project and will be helping to edit and correct deficiencies and gaps over the coming months… the guys over there are doing the community a phenomenal service).

So, I sat down and started recording the material I had been putting together over the previous months. It’s going to come out to about 10 hours of audio, video and a whole pile of exercises. I even did a video to explain what you’re going to get.

Check out the video and sign up here.


Hacker Halted Redux

September 28, 2009

I had a blast at Hacker Halted last week, and I did a talk that I was incredibly excited about. It was the first time I was going to talk about some of the new research I’ve done and, while I didn’t plan to give out a huge number of details on the methods, I hoped that the talk was going to be well received.

Well, I’m sure that it would have been, had it actually finished. Because I didn’t read the program nearly closely enough, and I prepared a normal 80 minute talk, only to realize that my speaking slot was 45 minutes.

So, I only got about 1/2 way through my slides, and much of the meat was lost. A couple of audience members talked to me afterwards and seemed a bit disappointed, so I promised I’d provide the talk another way.

I do like to keep promises. So I sat down at my computer this morning and recorded the slides and the audio. The entirety of the talk that the audience would have seen is below.

[Video: Hacker Halted Redux @ Yahoo! Video]

Let me know your thoughts and opinions and ask questions if you have them (since I didn’t get to take audience questions at the conference, either).


Greed as a prime motivator

July 22, 2009

I found this article the other day about the teen in Great Britain who managed to completely dupe a bunch of airline executives into believing that he was a millionaire looking to buy into their company and expand it. The key to the attack is that greed was its prime motivator. From the article:

When asked how he had managed to fool them, one of the airline execs in Jersey stated:

“If they were real then there would have been opportunities for us to expand our business and that’s not the sort of thing we are going to ignore.”

That quote is the key to it all – we can all learn something from this executive. The problem is that the higher ups in this company were willing to throw caution to the wind when granted a potential for monetary gain. Of course they’d love to expand their company, but at the cost of ignoring security and inviting the con-artist into their inner sanctum?

The question is would this executive also be answering a phishing email like the one I got from Jassay Goran in the Solomon Islands that promised me I’d get $8.5 million if I followed a few simple steps? People involved in social engineering are often extremely bright, inventive and ingratiating – as I have said repeatedly in talks, social engineering is primarily a crime of the imagination. Note that in his explanation and defense of his actions, the executive used the phrase, “if they were real,” as the pretext for his action. Anytime someone does that, they’re taking a big chance with that little word “if.”

I’ll comment more on this article and overall story in a later blog. I think there’s something to be learned from a fact that’s recently been reported about this 17-year-old: he has autism. Also, this story really makes me reconsider the whole topic of user education. More thoughts after the pre-Blackhat rush settles a tad.


Modern Social Engineering

March 17, 2009

I’ve spent a lot of my time lately working on projects related to social engineering. Writing articles, prepping class material, and just generally having conversations and brushing up on my skills. For those that don’t already know, Chris Nickerson and I are doing a full five-day class on Social Engineering at ChicagoCon in May, and there’s much to prep for.

In preparation, and to give people a brief taste, Chris and I did a webinar last week. Check out the video for the webinar over at EH.net.

Also, since Chris leaked it already (when someone SE’d him on EH.net), I’ll post a small snippet of one afternoon of course outline here:

Determining Tests
• Types of testing
  o Direction of attacks
  o External
    ▪ Electronic
      • Phishing
      • Client-side / browser-side exploitation
        • Metasploit
        • Core
        • By hand
      • Malicious attachments
    ▪ Person to Person
      • Phone
      • Written
      • Social Networks/IM
      • Public Manipulation
  o Internal
    ▪ Person to Person
      • Gaining access to physical credentials
      • Solicitation
      • Direct interaction
      • Creating spies / information leak sources
        o Methods (al mamalik, qulaam, kgb, cia, others)
        o Trading information
      • Becoming an employee
    ▪ Electronic
      • CD/Key drops
      • Authentication bypass
      • Key / perimeter bypass
      • Falsification of credentials
      • RFID / HID copying

Check out the webinar, and hopefully you sign up for the class.


National Honesty Day

April 30, 2008

My VA from Get Friday, Sona, said something to me that I thought was weird until I looked it up:

Happy Honesty Day!

My first thought was that it was some strange Indian euphemism. And then I looked it up – turns out that there actually is an Honesty Day. From this press release:

M. Hirsh Goldberg, former press secretary to a governor of Maryland and author of five books, established National Honesty Day in the early 1990s after spending four years researching and writing The Book of Lies (Morrow), which has been translated into Japanese, Korean and Chinese. National Honesty Day is now listed in Chase’s Calendar of Events, a repository of special occasions found in most public libraries. April 30 was selected, said Goldberg, because April begins with a day dedicated to lying and should end on a higher moral note.

When I ponder social engineering, I realize that the most important skill of a social engineer is a balance between lying and honesty. Kenton Knepper talks about this in Wonder Words – that the ability to maintain congruity when performing requires a level of unconscious commitment and belief in your own honesty that is hard to maintain if you’re not actually being honest.

Something to think about on National Honesty Day…


Hypnosis and Memory

February 7, 2008

Anyone who has studied hypnosis formally won’t be particularly surprised by this, but a study has shown that hypnosis can actually allow the brain to suppress memories. From the article:

MRI scans of their brains under hypnosis showed reduced activity in some brain regions during memory suppression, and increased activity in others.

When their recall was tested later, the suppressed regions were reactivated when the cue was given to bring back the memory.

This is interesting to me not as it relates strictly to hypnosis, but to the power of the mind itself. As I said recently, hypnosis is not a distinct state (i.e. having physiological markers unique to it) but indicative of a particular condition that can occur in many different situations. So, knowing that the mind has the power to suppress memories given a receptive state and a willingness to go along is an important marker.

Imagine if there was a situation where it might be good to be able to get someone to repress the memory of, oh, say, obtaining information from someone… I’m sure you can, can’t you?


InSecure Magazine

February 4, 2008

Had to post on this – I’ve been writing a two-part series for (In)Secure Magazine. The first part posted today in (In)Secure #15.

This one is about the 3 main skills of an advanced social engineer – please check it out.


Hypnoticon – Day 1 (PM)

February 2, 2008

Finally posting this late on Day 2 while watching a great talk on “Instant Inductions” (more on that one later).

Well, we went through the rest of the day yesterday learning and spending most of the day in and out of trance. Boy, was I fractionated. A wonderful day, all around.

We missed out on walkabout hypnosis – unfortunately, it turned out that their view of walkabout hypnosis and mine wasn’t exactly the same. I keep forgetting about the two major frames for the formal use of hypnosis: therapy and entertainment. The walkabout exercise was far more about entertainment than I had thought coming in. We were doing “table approaches” – think of a magician walking up to you in a mall to show you a card trick.

So, Melina and I went off to grab some lunch and plot our next moves with our video camera. We came up with a wonderful list – I’m sure that it’ll start being on YouTube sometime soon.

The afternoon was more of the same as the morning – not nearly as advanced as I had hoped it would be, but some wonderful trances and some good practice. The highlight of the afternoon was having Brian David Phillips drop me in to the Esdaile state. Always a wonderful feeling.

The evening was fantastic – as with any good conference, the networking is ALWAYS better than the conference itself.


The State/Agreement Distinction

February 1, 2008

Anyone who has read the Wikipedia article on hypnosis is aware of the debate between whether hypnosis is a distinct state or whether it’s simply a set of agreements between the hypnotist and the subject.

I’ve been pondering the debate all morning as I’ve watched the work of Brian David Phillips in the advanced class at Hypnoticon. The beauty of watching hypnotists performing hypnosis demonstrations for others is that their goal (much like magicians teaching magic tricks) is to precisely and exquisitely demonstrate the phenomenon in ways that allow others to replicate the behavior.

More and more, I am falling on the “agreement” side of the argument. I find myself agreeing with Derren Brown that hypnosis is simply the use of a set of tools (in this case, tools of influence) in a particular way that comes together as a phenomenon called “hypnosis”.

In this case, the tool set is largely based upon compliance. I’m looking forward to testing this theory later in “walkabout hypnosis” – if I have compliance, can I create the state/agreement known as “hypnotic trance” using any action/induction?


At Hypnoticon

January 31, 2008

Well, here we are at Hypnoticon. Melina and I flew in from Chicago today and were, of course, delayed. We missed the majority of tonight’s networking reception, but managed to pick up our badges and are looking forward to getting an early start tomorrow.

The schedule is pretty cool. We’re looking forward to checking out Wendi, Brian David Phillips, and Kim & Tom.

Not to mention tomorrow’s “Walkabout Hypnosis” – it’s social engineering at its true finest. This is a group of people who can really do all of the things that I’ve been talking about.

I plan on continuing to post entries throughout the weekend, as well as keeping up on twitter. If you’re at the conference, send me an email or a twitter DM and we’ll sync up.

