
About
eMail: wishinet at gmail . com
PGP ID: 0xCCCA5E74

Jabber: wishi@jabber.ccc.de

How to get beyond mindless blindness - every-day social engineering


Is everybody being deceptive?

When we're not there, we aren't there to know that we're not there.

[Image: telepathie1.jpg]

I recently listened to the 7th episode of the Social Engineering podcast. - That made me take some notes, and I think I remember some quotes.
In short, it was simply about using familiar routines - or those routines which should be familiar - in order to successfully blind somebody else's mind into a routine workflow.

Certainty leads to mindlessness. To an illusion of stability. So manipulation through familiar pieces of information can blind people's minds. If you're looking for an example here, simply switch on the TV.
Advertisement frames pretty persons as people with good or healthy taste. - Behavioral pattern exploitation. Some patterns are culturally specific. Like ideals.

Another way to manipulate is to simulate choice: use choices that aren't real choices.

"Do you have an hour or two?"
-"No!"
"Okay ten minutes."

Sometimes this leads to NLP and to framing thoughts: half empty or half full?

  • 80% survive the surgery. Awesome. That sounds good. Well, that means 1 of 5 patients died. Good things get associated with the surgery. Reframed stats.
  • 3% less fat... well... how much fat is it?
  • 10% more this-and-that. How much is it again? And the price went up by 12%? And why do I want this-and-that extra?
  • 70% lean. That's food which is 30% fat, which is unhealthy.
  • 90% sugar-free - 10% sugar?! How am I supposed to cope with that amount of sugar?

Words make a difference. Rhetorical skills are crucial for efficient spam - or manipulation if you want.

Serve facts, not insights. Roughly two words:

  • Windows fails.
  • Apple can't.
  • Linux breaks.
  • Debian rocks.

Marius says Windows scales for business needs. Well... who is that? And who is that security professional who always wants policy? Why the hell? That guy again? Man, he sucks! Let's ignore him.

In order to successfully manipulate people it's not enough to have the right information with statistics. You need more than just that: you need to make them feel comfortable - in believing you and buying what you suggest. Similar to that ice-cream truck with the music. Did you ever ask where he gets the ice-cream and how often the truck is cleaned?

That leads to pretexting - if you can actually develop enough empathy to do that. You want the people listening to you to be able to project some of their weaknesses onto you:
Let's say you audited a mail server and it's a horrible setup. At your presentation in front of the responsible persons and management you simply point out at first: "My first mail server. I totally screwed it up. And mail servers are really hard to administrate."
- That makes the administrator in charge think:
"Ah, he doesn't know about mail-server security either. In his position he should know that stuff. If even he doesn't know it, well... I'm not that bad."
After some slides, destroy that illusion. If you begin with facts, people fall asleep. If you begin with pretexting elements, not too aggressive, they think you're awesome. At least until you let the cat out of the bag.

The problem with security patterns and patterns in security

A common security-related pattern for people is to search for security software. Like there's simply something to buy that'll solve the problem. It's similar to diets: people buy some food they don't really want in order to lose weight. Often this food is very promising: instant fat loss. Instant security. Instant magic.
If security companies didn't use advertisements with knight banners and the like, people wouldn't want to believe in the efficiency of the product. Which - at the end of the day - is something only a select few experts can test. People aren't uncertain when they buy these things. Sometimes people tend to read tests in modern computer magazines, which are some kind of reframed advertisement for people who want facts.
But neither do administrators in general know about the efficiency of the security product they have to choose, nor do people on a diet know whether it's going to work.

The user's problem with the pattern is that he rapidly learns to click the "Yes" button. Mindlessly. For example to access a site with a self-signed TLS certificate. Or to get rid of the popup ad in front of the sex page. Some of the ads are actively reframed to look like security warnings, and the okay button will lead to pwnage.

So how to get the password of somebody via social-engineering?

- That's trivial. What's the password worth?
One date with a cute girl? And what if she wants your password for something... Sounds strange. But it's simply about the illusion of what you might get... or not. Like: "Do you trust me?" Men do not think when they're men. It's easy to exploit people's primitive instincts.
- Another less invasive option is to put people under pressure and to make them follow a mindless workflow that blinds their minds. Ask at the right point. Ask a couple of questions that are easy to answer. You have to be in a position similar to an authority. Ask about the password policy and how the user is following it. Whether it has got brackets, whether it has got numbers in it. And at the right point simply ask for the password as if you're listing them all for security reasons.
Some people wake up and ask: "Why?" At that point many people have their password in mind. Which is good for you. Make up a good lie, and if he doesn't want to answer, let him. He'll develop some uncertainty soon if you manage to stay uninterested.

And how to get the hotties?

There are countless hints... from clean shoes to self-confidence. That's all wrong ;). Women are very good social engineers by instinct. You have to be very good in order to be able to manipulate them, or it'll backfire. Seriously.

So how to wake yourself up in order to mitigate every-day manipulation or targeted manipulations?

Self-manipulation. - That's a relatively complex topic. But that works. You can also pre-manipulate your users: "If you ever give your password to somebody, you'll pay 50 000 $ and be fired." That doesn't work if you allow people to forget their passwords. If they do: send them home. Which leads back to policy.

Details - There's no perfect actor. If you're "awake", fully, you'll realize that.
Watch ten minutes of a B-movie and look at the faces of the actors. And into the scene: how many people, which clothes, which socks, which shoes... Into the background: which posters, what slogans.
Try to remember as much as you can, write it down after the 10 minutes. Watch the movie again. You'll see that you got 1000 things wrong. Do it again.
- Play chatroulette - try to get tits. Well... may work if you're a girl. If that's too... invasive, get some guy dancing for you. That's really easy if you can't dance and show your inability. Inability creates sympathy with a similar-to-me effect. But that's just for fun. :)

An attacker's goal is access: the janitor has all the keys. The entrance people know everybody and have a lot of information.
But what if the janitor hasn't got all keys? Or if there's this one red key to the data, that simply says: "No". That's waking them up.

Expect social engineering. Via eMail, via spam, via IM, via voice calls, via people. Especially via women! :)

Have fun,
wishi

Person responsible for content according to § 10 paragraph 3 MDStV: Marius Ciepluch - postal address via eMail. The eMail address can be found in the imprint of this English-language site.
For data protection reasons I do not conduct official or governmental correspondence via eMail. For that, the postal address deposited with the hosting provider is to be used.

Data collection

No personal data is collected. Log data is anonymized.