And, for the past few months, I’ve been pondering the idea of doing a free education series for the industry on what NLP is and how to use it as a social engineer. But, as anybody who knows me knows, I’ve been a bit busy. Foreground is taking off, having made the INC 5000 due to the phenomenal amount of growth (and corresponding amount of work for each of us). And my own projects (Connected Career, Information Security Leaders, and the projects we do through Michael Murray and Associates) have added an even bigger load.

But I got really riled up when I read the NLP section of the new Social Engineering framework. Because, while true, it doesn’t teach the reader anything useful about how to use NLP in SE. (That shouldn’t be taken as a criticism – I believe strongly in the project and will be helping to edit and correct deficiencies and gaps over the coming months… the guys over there are doing the community a phenomenal service).

So, I sat down and started recording the material I had been putting together over the previous months. It’s going to come out to about 10 hours of audio, video and a whole pile of exercises. I even did a video to explain what you’re going to get.

Check out the video and sign up here.

Technorati Tags: Hypnosis, NLP, social engineering, social-engineer.org

Well, I’m sure that it would have been, had it actually finished. Because I didn’t read the program nearly closely enough, and I prepared a normal 80 minute talk, only to realize that my speaking slot was 45 minutes.

So, I only got about 1/2 way through my slides, and much of the meat was lost. A couple of audience members talked to me afterwards and seemed a bit disappointed, so I promised I’d provide the talk another way.

I do like to keep promises. So I sat down at my computer this morning and recorded the slides and the audio. The entirety of the talk that the audience would have seen is below.

Let me know your thoughts and opinions and ask questions if you have them (since I didn’t get to take audience questions at the conference, either).

Technorati Tags: hacker halted, social engineering

“When asked how he had managed to fool them, one of the airline execs in Jersey stated:

“If they were real then there would have been opportunities for us to expand our business and that’s not the sort of thing we are going to ignore.””

That quote is the key to it all – we can all learn something from this executive. The problem is that the higher ups in this company were willing to throw caution to the wind when granted a potential for monetary gain. Of course they’d love to expand their company, but at the cost of ignoring security and inviting the con-artist into their inner sanctum?

The question is would this executive also be answering a phishing email like the one I got from Jassay Goran in the Solomon Islands that promised me I’d get $8.5 million if I followed a few simple steps? People involved in social engineering are often extremely bright, inventive and ingratiating – as I have said repeatedly in talks, social engineering is primarily a crime of the imagination. Note that in his explanation and defense of his actions, the executive used the phrase, “if they were real,” as the pretext for his action. Anytime someone does that, they’re taking a big chance with that little word “if.”

I’ll comment more on this article and overall story in a later blog. I think there’s something to be learned from a fact that’s recently been reported about this 17-year old—he has Autism. Also, this story really makes me reconsider the whole topic of user education. More thoughts after the pre-Blackhat rush settles a tad.

Technorati Tags: con artist, con man, security awareness, social engineering

In preparation, and to give people a brief taste, Chris and I did a webinar last week. Check out the video for the webinar over at EH.net

Also, since Chris leaked it already (when someone SE’d him on EH.net), I’ll post a small snippet of one afternoon of course outline here:

Determining Tests
• Types of testing
o Direction of attacks
o External
? Electronic
• Phishing
• Client-side / browser side exploitation
• Metasploit
• Core
• By hand

• Malicious attachments
? Person to Person
• Phone
• Written
• Social Networks/IM
• Public Manipulation
o Internal
? Person to Person
• Gaining access to physical credentials
• Solicitation
• Direct interaction
• Creating spies / information leak sources
o Methods (al mamalik,qulaam, kgb,cia,others)
o Trading information
• Becoming an employee
? Electronic
• CD/Key drops
• Authentication bypass
• Key /perimeter bypass
• Falsification of credentials
• RFID/ HID copying

Check out the webinar, and hopefully you sign up for the class.

Technorati Tags: chicagocon, Chris Nickerson, influence, SE Master Class, Security, social engineering

“Happy Honesty Day!”

My first thought was that it was some strange Indian euphemism. And then I looked it up – turns out that there actually is an Honesty Day. From this press releasepress release:

“M. Hirsh Goldberg, former press secretary to a governor of Maryland and author of five books, established National Honesty Day in the early 1990s after spending four years researching and writing The Book of Lies (Morrow), which has been translated into Japanese, Korean and Chinese. National Honesty Day is now listed in Chase’s Calendar of Events, a repository of special occasions found in most public libraries. April 30 was selected, said Goldberg, because April begins with a day dedicated to lying and should end on a higher moral note.”

When I ponder social engineering, I realize that the most important skill of a social engineer is a balance between lying and honesty. Kenton Knepper talks about this in Wonder Words – that the ability to maintain congruity when performing requires a level of unconscious commitment and belief in your own honesty that is hard to maintain if you’re not actually being honest.

Something to think about on National Honesty Day…

Technorati Tags: honesty day, kenton knepper, social engineering

“MRI scans of their brains under hypnosis showed reduced activity in some brain regions during memory suppression, and increased activity in others.

When their recall was tested later, the suppressed regions were reactivated when the cue was given to bring back the memory.”

This is interesting to me not as it relates strictly to hypnosis, but to the power of the mind itself. As I said recently, hypnosis is not a distinct state (i.e. having physiological markers unique to it) but indicative of a particular condition that can occur in many different situations. So, knowing that the mind has the power to suppress memories given a receptive state and a willingness to go along is an important marker.

Imagine if there was a situation where it might be good to be able to get someone to repress the memory of, oh, say, obtaining information from someone… I’m sure you can, can’t you?

Technorati Tags: Hypnosis, memory, memory repression, social engineering

This one is about the 3 main skills of an advanced social engineer – please check it out.

Technorati Tags: human exploitation, Hypnosis, insecure, insecure magazine, language, social engineering

Well, we went through the rest of the day yesterday learning and spending most of the day in and out of trance. Boy, was I fractionated. A wonderful day, all around.

We missed out on walkabout hypnosis – unfortunately, it turned out that their view of walkabout hypnosis and mine wasn’t exactly the same. I keep forgetting about the two major frames for the formal use of hypnosis: therapy and entertainment. The walkabout exercise was far more about entertainment than I had thought coming in. We were doing “table approaches” – think of a magician walking up to you in a mall to show you a card trick.

So, Melina and I went off to grab some lunch and plot our next moves with our video camera. We came up with a wonderful list – I’m sure that it’ll start being on YouTube sometime soon.

The afternoon was more of the same as the morning – not nearly as advanced as I had hoped it would be, but some wonderful trances and some good practice. The highlight of the afternoon was having Brian David Phillips drop me in to the Esdaile state. Always a wonderful feeling.

The evening was fantastic – as with any good conference, the networking is ALWAYS better than the conference itself.

Technorati Tags: brian david phillips, Hypnosis, hypnoticon, social engineering

I’ve been pondering the debate all morning as I’ve watched the work of Brian David Phillips in the advanced class at Hypnoticon. The beauty of watching hypnotists performing hypnosis demonstrations for others is that their goal (much like magicians teaching magic tricks) is to precisely and exquisitely demonstrate the phenomenon in ways that allow others to replicate the behavior.

More and more, I am falling on the “agreement” side of the argument. I find myself agreeing with Derren Brown that hypnosis is simply the use of a set of tools (in this case, tools of influence) in a particular way that comes together as a phenomenon called “hypnosis”.

In this case, the tool set is largely based upon compliance. I’m looking forward to testing this theory later in “walkabout hypnosis” – if I have compliance, can I create the state/agreement known as “hypnotic trance” using any action/induction?

Technorati Tags: brian david phillips, compliance, Hypnosis, hypnotic trance, hypnoticon, social engineering, walkabout hypnosis

The schedule is pretty cool. We’re looking forward to checking out Wendi, Brian David Phillips, and Kim & Tom.

Not to mention tomorrow’s “Walkabout Hypnosis” – it’s social engineering at it’s true finest. This is a group of people who can really do all of the things that I’ve been talking about.

I plan on continuing to post entries throughout the weekend, as well as keeping up on twitter. If you’re at the conference, send me an email or a twitter DM and we’ll sync up.

Technorati Tags: brian david phillips, Hypnosis, hypnoticon, social engineering, walkabout hypnosis, wendi friesen

“Social engineering at its finest.”

Okay, so let me get this straight. A guy in the right uniform walks in to the bank and says: “I’m here for the regular guy“.

This takes skill?

To me, this is very much the equivalent of saying that website defacements of IIS in 2001 using RFP’s MSADC script was “hacking at its finest”. Seriously, just because the guy got a uniform and a badge doesn’t make him anything more than a script kiddie in the realm of pulling off the attack.

This is the kind of attack that Mitnick talks about all the time when he says that social engineering usually doesn’t take much more than the guts to ask for what you want.

Let’s consider a better example of what really skilled social engineers look like: this story where two guys robbed a store by talking to the clerk. If you read the article, you’ll get a pretty good idea of what the attackers did. It’s the ultimate example of a “compliance set” (or “yes set” for those hypnotists out there), and it required some knowledge of the target’s adherence to his culture and the cultural cues that would set the appropriate context for the exploitation.

Really, I want to say that I expected better of Bruce, but that wouldn’t be fair. As I said before, our community as a whole has yet to take notice of what really good social engineering is.

In my writing and this blog (which I’ve promised Hoff and Martin that I’ll continue), I’ll probably be talking about this a lot as I do more writing on the book and in other venues.

Technorati Tags: bruce schneier, human exploitation, schneier, social engineering

“The important thing is that we make our users aware of social engineering threats and at the very least teach them to not just blindly give out information. If they are unsure then they need to refer the person to management. Teach them to stop and think before acting.”

This is an incredibly normal line of thinking, and it is the traditional way of dealing with social engineering. The main issue with it is two-fold: first, an even half-way prepared social engineer will have prepared a strong enough frame to verify most of the simple checks that a normal user is going to have.

But the bigger issue is that, when we talk about things like “not blindly giving out information”, what we’re really saying is that we need to teach our users not to trust each other.

The problem with this is simple: an agile, responsive and successful business is built on a lack of boundaries and a healthy set of organizational trust. The kind of mistrust that most infosec people would engender intentionally in their users would cause significant inefficiencies within most organizations.

So, if we’re not teaching our users to not blindly give out information, or to verify everything, what do I think we should be teaching them?

Instinct. Most who are in infosec have developed an instinct for when things “don’t smell right”. When an email just seems a little bit “phishy” (pun intended).

I believe that can be taught (well, indoctrinated) into our users, with about the same effort as it takes to teach them not to trust each other.

Technorati Tags: human factor security, security awareness, social engineering

mediaphyter: “Advanced social engineering” — I am starting to think we use that term way too loosely.

alexhutton @mmurray: Most parents know *exactly* what advanced social engineering looks like – they just don’t think adults do it too

Alex went on to say that “advanced social engineering” is what kids do with “Lying, Manipulation, False Pretenses, illicit access or gaining of privileges”.

Here’s where I disagree. You see, kids don’t have to do anything particularly advanced as social engineers because they’re trading on relationships. While the parent might FEEL as though they’re being social engineered, they’re not… the fact that they’re feeling it suggests to me that it’s not advanced at all.

Using an analogy to hacking: if you notice that you’re being attacked, the attacker isn’t particularly sophisticated.

This is what I meant when I said that most people don’t know what it is… a truly advanced exploit of a human will leave the attacker richer because of the information/access gained, and the target without any knowledge or awareness of it happening.

The best example of this: This Derren Brown video.

I suppose that this is as good a time as any to announce that I’m writing a book on this subject… on truly advanced human exploitation. Not the typical “pretend to be the help desk guy” stuff, but how to really use language, awareness and context to manipulate a situation and get in and out completely undetected.

That’s what real “advanced social engineering” looks like. And I stand by my original assertion: very few know what it really looks like yet.

Technorati Tags: alex hutton, human exploitation, jennifer leggio, social engineering, twitter