Social Engineering

From Project PM

Note: Just as with attribution, except far more ironically, I will allow Aaron Barr to do the work on this particular subject. Barr, of course, was both a perpetrator and victim of social engineering, a topic which he touched on in what would appear to be rough chapters of a book manuscript he was in the process of writing. Some of the tactics and history here would presumably be useful to those seeking to launch social engineering operations against, say, executives of corporations that develop surveillance tools for use on the enemies of their clients.

Note that the text below includes notes added by a third party with an awkward command of English phrasing - probably HBGary CEO Gregg Hoglund, except that the term "dude" is not employed so probably not.

OK, overall comments: It reads well but also reads very traditional. You cover social media, but only cursorily. Maybe that is the better feel for the book. SM allows you to find people specific to your objectives and at the same time exploit their personal connections, etc. But you might not want to make this chapter too social-media heavy.

Psychological Weapons

  • Social Engineering Explained
  • How the military approaches Social Engineering
  • How the military defends against Social Engineering

We have talked about technical attacks; now it is time to talk about using the target's behavior to gain access to their information. Psychological weapons, or psychological operations (PSYOP), are planned operations to convey selected information and indicators to foreign audiences to influence their emotions, motives, objective reasoning, and ultimately the behavior of foreign governments, organizations, groups, and individuals. (1) Militaries have been conducting PSYOP, or influence operations, for centuries. The United States stood up Army Special Forces (the Green Berets) to win hearts and minds rather than relying on force alone to achieve victory. The same techniques have been used in civilian society by con artists, whose ability to gain someone's trust lets them take advantage of that person. They are used by the intelligence community to get enemy personnel to betray their countries by becoming spies. They are used by salespeople to influence buyers to purchase the most expensive car. Today these techniques are used by hackers to get users to violate policies and common sense, thus allowing the attacker access to critical data; this is commonly referred to as social engineering.

Social Engineering Explained

Social engineering (SE) is the act of influencing someone's behavior by manipulating their emotions, or by gaining and then betraying their trust, in order to gain access to their system. This can be done in person, over the phone, via email, through social media or in a variety of other ways. The difference between social engineering and other attacks is that the vector runs through the person, or as hackers say, the 'wetware'.

The goal of an SE attack is to create a relationship, gain the target's trust, and get them to take an action or provide information that violates their organization's policies or their own basic security practices. Some people have the gift of gab and can do it with a cold call, but most attackers will take time to prepare a story based on what is known about the target. This attack vector has grown rapidly in the past few years and for some target sets is the dominant technique.

Is Social Engineering science?

How is this a science? There have been many recent publications on kinesics (the study of body and facial expressions), such as Paul Ekman's books on micro facial expressions and 'What Every Body Is Saying: An Ex-FBI Agent's Guide to Speed-Reading People' by Marvin Karlins and Joe Navarro. Combined with books such as 'Emotional Intelligence: Why It Can Matter More Than IQ' by Daniel Goleman and 'Blink' by Malcolm Gladwell, which argues that intuition is based on insights the person may not be consciously aware of, these start to form a body of knowledge that can be applied as a science rather than an art. These formal studies are developing the baseline needed to take the discipline from an art to a science.

This leads to the question of whether SE can be taught or is a natural ability. There is some debate on whether SE skills can be taught, but it is essentially the same debate that exists for leadership, salesmanship or any other ability. Though the arguments are often passionate, most will agree in the end that some people have natural tendencies that make them great when they study and train in the discipline they want to master, while others can go through the same process and only become average. So while some individuals will naturally become very proficient at technical hacking, they may struggle with social engineering techniques like the 'cold call'; everyone, however, can learn the basics and find where their talents lie. Many of the tactics, techniques and procedures we will discuss are a blend of technical and SE attacks.

Types of SE targets

A typical SE exploit depends on the target. There are two general scenarios: general access and specific targeted access. To use a metaphor (understanding that most metaphors applied to cyberspace are dangerous, as they don't reflect the complexity of the environment): if we were ordered to steal a car in the next week, that would be easy. We could sit outside a convenience store waiting for someone to leave their car running, then jump in and drive away (remember to check for a baby seat); we could use a gun and carjack someone at a light; we could go old school and learn to hotwire a car; or we could use any number of other techniques. If we were told to steal our town's mayor's car, that is a different story. In the first scenario we didn't need to do any reconnaissance; now we need to put a lot of effort into recon. We have to learn what they drive and figure out the best attack. We need to understand which attack has the least chance of getting caught, as the mayor controls the police force. Depending on our motivations, we may want the theft to go unnoticed for a period of time, or we may want it to be dramatic so it gets on the evening news. The same rule holds for cyber attacks, but because there is an element of personal interaction in SE, understanding the target is even more relevant.

First let's look at general attacks. These are attacks where the goal is to gain entry to any system or network; the attacker is indifferent to who owns the system. A general phishing attack would be a good example (see the note below for definitions of the types). The cost of sending out the emails is low, so a return rate of 3-5% is acceptable. The compromised systems can be attacked further or used to attack other systems (making them 'zombies'). Harvesting large numbers of systems is useful for building layers of systems between the attacker and the targets. There is NO need for reconnaissance, as the attacker doesn't care where the system is or what it does; they can move directly to the attack phase and, because of the low cost, accept the lower number of compromised systems.

The next example of a general attack is to release a virus. A virus is a malcode program that the user needs to run for it to work. Attackers can load a virus into a Word document, PDF, PowerPoint, picture or even a game. These infected files open and run normally (someone can open the PowerPoint and go through the slides) while the virus infects the system at the same time. The downside to an attack like this is that it can go viral and end up infecting systems it was not intended to attack. This kind of attack can also be done with a worm, a malcode program that doesn't need user interaction: it infects a system and uses it to infect others. That, however, would not be an SE attack; it would be categorized as a technical attack. The proliferation of translation sites on the web and access to interesting news from the target's homeland have made it much easier to develop believable scenarios for this type of attack that will get potential victims to take the bait.
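A triage check for the document-borne case described above, added here as an example (it is not part of Barr's manuscript or any HBGary tool): it inspects an attachment by its file magic rather than by the extension the sender chose, and reports the features that let an Office or PDF file run code or fetch a payload when opened. The sample files are constructed inside the block; the part names and URL prefixes it looks for are assumptions for the example.

```python
import io
import re
import zipfile

# Part name inside an Office Open XML (.docx/.pptx/.xlsm) package that holds
# VBA macro code. Its presence means the file can run code if the recipient
# enables macros; it says nothing yet about what that code does.
MACRO_PARTS = {"vbaProject.bin"}
# PDF name objects that make a viewer run code or reach out when the file opens.
PDF_ACTIVE_KEYS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile")


def _decode_pdf_names(data: bytes) -> bytes:
    # PDF name objects may be written with #xx hex escapes (/J#61vaScript);
    # decode them so a trivially obfuscated key still matches.
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> list:
    """Return the active-content keys present in a PDF byte string, in key order."""
    norm = _decode_pdf_names(data)
    return [k.decode() for k in PDF_ACTIVE_KEYS
            if re.search(re.escape(k) + rb"(?![A-Za-z])", norm)]


def triage_ooxml(data: bytes) -> list:
    """Return macro and external-relationship indicators found in an OOXML zip."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid OOXML package"]
    with zf:
        for name in zf.namelist():
            if name.rsplit("/", 1)[-1] in MACRO_PARTS:
                findings.append(f"macro container: {name}")
            if name.endswith(".rels"):
                # A relationship with TargetMode="External" that points off-host
                # is how remote-template and OLE-link tricks pull a payload.
                for tag in re.findall(rb"<Relationship\b[^>]*>", zf.read(name)):
                    if b'TargetMode="External"' not in tag:
                        continue
                    m = re.search(rb'Target="([^"]+)"', tag)
                    target = m.group(1).decode(errors="replace") if m else "?"
                    if target.lower().startswith(("http://", "https://", "file://", "\\\\")):
                        findings.append(f"external link in {name}: {target}")
    return findings


def triage_attachment(data: bytes) -> list:
    """Dispatch on file magic, not on the extension the sender chose."""
    if data.startswith(b"%PDF"):
        return triage_pdf(data)
    if data.startswith(b"PK\x03\x04"):
        return triage_ooxml(data)
    return ["unrecognised format"]


# --- constructed samples for the example (not real malware) ---------------
def _make_docx(with_macro: bool, external: str = "") -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        rels = "<Relationships>"
        if external:
            rels += (f'<Relationship Id="rId1" Type="attachedTemplate" '
                     f'Target="{external}" TargetMode="External"/>')
        zf.writestr("word/_rels/settings.xml.rels", rels + "</Relationships>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder OLE blob")
    return buf.getvalue()


BENIGN_DOCX = _make_docx(False)
MACRO_DOCX = _make_docx(True)
TEMPLATE_DOCX = _make_docx(False, "http://203.0.113.5/t.dotm")   # TEST-NET address
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
ACTIVE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /S /J#61vaScript /JS (app.launchURL('http://203.0.113.5/')) >> endobj\n%%EOF\n")

if __name__ == "__main__":
    for label, blob in [("benign.docx", BENIGN_DOCX), ("macro.docx", MACRO_DOCX),
                        ("template.docx", TEMPLATE_DOCX), ("benign.pdf", BENIGN_PDF),
                        ("active.pdf", ACTIVE_PDF)]:
        print(label, triage_attachment(blob) or "clean")
```

The check is deliberately structural: a macro container or an /OpenAction is a capability, not a verdict, so a hit should route the file to sandbox detonation or a human rather than block outright. Extension renaming (a .docm delivered as .doc, a PDF named .txt) does not bypass it because dispatch is on magic bytes.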

Standard types of attacks generally designed to steal identities:

  • Phishing: A mass email is sent to a large group of addresses (potentially millions). The email tries to lead the user to open an attachment or go to a web page; either action would lead to the computer system being compromised (assuming the system in question was vulnerable).
  • Pharming: Misdirecting users to a fraudulent website, typically by tampering with name resolution (poisoned DNS or hosts-file entries) so that even a correctly typed address lands on the attacker's site.
  • Spear Phishing: A specific individual is targeted and a tailored email is sent that they will open and react to. Examples would be the sys admin for a network or the program manager of a targeted project.
  • Whaling: A spear-phishing attack against the senior leadership of the organization being targeted.
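The header checks a mail gateway or analyst would run against the phishing variants listed above, added as an example that is not part of Barr's manuscript: it parses one raw message and reports the usual signs of a spoofed or lookalike sender (envelope/From mismatch, a Reply-To pointing elsewhere, a display name posing as an address, a homoglyph or embedded trusted domain, failed SPF/DKIM/DMARC, and pressure language). The trusted-domain list and the two sample messages are constructed for the example.

```python
import re
import unicodedata
from email import message_from_bytes
from email.utils import parseaddr

# Domains the organisation itself sends from (assumed for the example).
TRUSTED_DOMAINS = {"example.com"}
# Words that pressure the reader to act before thinking; two or more in a
# subject line count as one signal, not proof.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify", "password", "invoice")


def skeleton(domain: str) -> str:
    """Collapse a domain so that common lookalike tricks compare equal."""
    s = unicodedata.normalize("NFKD", domain.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))   # drop accents
    s = s.translate(str.maketrans("01357", "olest"))            # digits for letters
    return s.replace("rn", "m").replace("vv", "w")


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def domain_findings(d: str) -> list:
    """Flag domains that impersonate a trusted one without being it or a subdomain of it."""
    out = []
    if not d or d in TRUSTED_DOMAINS:
        return out
    labels = d.split(".")
    for t in TRUSTED_DOMAINS:
        if d.endswith("." + t):
            continue                      # genuine subdomain, e.g. mail.example.com
        tl = t.split(".")
        # trusted name used as a leading label run: example.com.evil.test
        if any(labels[i:i + len(tl)] == tl for i in range(len(labels) - len(tl))):
            out.append(("embedded-trusted-name", f"{t} appears inside foreign domain {d}"))
        elif skeleton(d) == skeleton(t):
            out.append(("lookalike-domain", f"{d} is a lookalike of {t}"))
    return out


def analyze(raw: bytes) -> list:
    """Return (tag, detail) findings for one RFC 5322 message."""
    msg = message_from_bytes(raw)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    _, ret_addr = parseaddr(msg.get("Return-Path", ""))
    ret_dom = domain_of(ret_addr)
    if ret_addr and ret_dom != from_dom and not ret_dom.endswith("." + from_dom):
        findings.append(("envelope-mismatch", f"Return-Path {ret_dom} vs From {from_dom}"))

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(("replyto-mismatch", f"replies go to {reply_addr}"))

    # A display name that is itself an address at a different domain.
    m = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if m and m.group(1).lower() != from_dom:
        findings.append(("display-name-spoof", f"shows {m.group(0)}, really {from_addr}"))

    findings += domain_findings(from_dom)

    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=(fail|softfail|permerror)\b", auth, re.I):
            findings.append((f"{mech}-fail", auth.strip()))

    subject = msg.get("Subject", "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if len(hits) >= 2:
        findings.append(("pressure-language", ", ".join(hits)))
    return findings


def tags(raw: bytes) -> set:
    return {tag for tag, _ in analyze(raw)}


# --- constructed messages for the example (not real mail) -----------------
PHISH = b"""Return-Path: <bounce@mail-delivery.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-delivery.example.net; dmarc=fail header.from=examp1e.com
From: "it-support@example.com" <helpdesk@examp1e.com>
Reply-To: helpdesk@secure-reset.example.net
To: alice@example.com
Subject: URGENT: your account will be suspended, verify your password

Click the link within 24 hours to keep your access.
"""

LEGIT = b"""Return-Path: <helpdesk@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: IT Helpdesk <helpdesk@example.com>
To: alice@example.com
Subject: Scheduled maintenance on Saturday

The ticket system will be offline 02:00-04:00.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, sorted(tags(raw)) or "no findings")
```

Two caveats a practitioner should keep in mind: the Authentication-Results check only means something if the header was stamped by your own gateway (strip any copy arriving from outside), and the skeleton comparison is a cheap approximation of Unicode confusable matching, so a registered domain such as mail.examp1e.com slips past it and belongs in a proper lookalike feed.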

This only talks about email-based social engineering attacks. What about social engineering to acquire information? What about using SM? What about targeting a group that works for an organization? It's not quite phishing or spear-phishing?

Now we will analyze target-specific attacks. The attacker will approach the target after learning as much about them as they can via what the military calls open source intelligence (OSINT). Civilians call this Googling someone. The attacker wants to understand the victim's interests, fears, motivations, attitudes and desires. This allows the attacker to tailor the attack and increase the chances of success. Key information includes significant dates (birth, marriage...), addresses, phone numbers, family members, interests, relationships, photographs, and work and education histories. If the target is active on social networking sites, this is a great place to start. The greater their electronic footprint, the better. There are many places to learn about the target:

  • Personal info can be found on networking sites like Facebook or Myspace (this includes relationships, activities like sports, volunteering, religious practices, political beliefs...)
  • Professional info is on networking sites like LinkedIn or job sites like Monster
  • Geolocation info on sites like Google Earth or Twitter tracking (LBS like Foursquare)
  • Financial info like tax records and home ownership records
  • What they are thinking can be read in their tweets or blogs
  • Involvement in virtual worlds like Second Life or gaming sites (where people can meet as any avatar they create)
  • Membership info from organizations like academic alumni associations, clubs, professional organizations, or hobby groups


Types of SE approaches

Once the attacker has gathered enough background information to understand some options for approaching the target, they must decide how aggressive they want to be. From least to most aggressive, the approaches are observation, conversation, interview, interrogation, and torture. They can start with digital or physical observation. Next comes a conversation (electronic, telephonic or in person). This is often the phase where the attacker decides who they want to recruit or attack. Typically this is known as elicitation, which is the extraction of information through what seems to be casual conversation. To put it another way, this is where the con rests on the SE's ability to spin a lie. That ability comes from pretexting: developing a scenario in which the SE gains the trust of the person who owns or has access to the information in order to get them to break their policies or violate common sense and hand the information to the attacker. One method that is used in every type of attack, but is especially useful here, is mirroring. For example, by adopting the target's speech mannerisms (or email style) it will be much easier to get them to engage in a conversation.

The next technique is to conduct an interview or an outright interrogation. Both require that the victim submit to the attacker's authority. This can be done by posing as a customer who needs the information to make a decision, by pretending to be someone from the government who has a right to the information, or through intimidation. These attacks can be done cold or after a relationship has been developed. The attacker can do them in person using props like badges, or over the phone or email using spoofing to make the contact appear to come from a legitimate source. An example would be to call someone claiming to be from the tech department or help desk and tell them their account has to be reset because of a mistake made during a recent update. Most people want to be helpful and automatically trust their computer; that desire to help, or trust in their system, is the key to compromising them. (The standard defense is to act on no inbound request of this kind and instead call the help desk back on its published number.) Neither of these techniques is by nature antagonistic. Often the most effective techniques are based on establishing common bonds, and all of them require building a relationship based on trust. Finally comes torture, which is beyond SE.


The Financial Modernization Act of 1999, more commonly known as the Gramm-Leach-Bliley Act, makes pretexting a crime. Under federal law it is illegal for anyone to (2):

  • Use false, fictitious or fraudulent statements or documents to get customer information from a financial institution or directly from a customer of a financial institution.
  • Use forged, counterfeit, lost, or stolen documents to get customer information from a financial institution or directly from a customer of a financial institution.
  • Ask another person to get someone else's customer information using false, fictitious or fraudulent statements or documents, or forged, counterfeit, lost, or stolen documents.

The Federal Trade Commission Act also generally prohibits pretexting for sensitive consumer information.
[Insert Figure 7.1 Here] [Caption] Approach techniques from most to least aggressive. 


How the military approaches Social Engineering

The military has been in the spy/counterspy business from the beginning, and they are also experts at interrogation. Spying is the long con, whereas interrogation is generally the method used to get access to information in an immediate situation. This section will focus on the near-term gathering of data (the short con). We will look at the techniques used to extract information and discuss how they apply to SE.

First we must understand that these techniques have been developed to work in both peacetime operations and combat situations. They are normally carried out in a controlled environment and are very similar to the techniques used by law enforcement agencies. The foundational principles and many of the techniques apply well to SE attacks. The military trains interrogators, who stay in that discipline for their entire careers and become proficient in the languages and culture of their assigned region. Human Intelligence (HUMINT) collectors, or interrogators, are trained to screen refugees, debrief US and allied forces, interrogate prisoners of war, interview collaborators, exploit captured material, liaise with the host nation, act as interpreters if needed, and interact with the local population.

Army Doctrine

We will discuss how the Army deals with interrogation, as they are the ones on the ground dealing with these issues. The basic techniques we will cover are from "FM 2-22.3 Human Intelligence Collector Operations, September 2006". (4)

Goal - the collector's objective during this phase is to establish a relationship with the source that results in the source providing accurate and reliable information in response to the HUMINT collector's questions.

Key principles - from a psychological standpoint, the HUMINT collector must be cognizant that people tend to:

  • Want to talk when they are under stress and respond to kindness and understanding during trying circumstances.
  • Show deference when confronted by superior authority.
  • Operate within a framework of personal and culturally derived values.
  • Respond to physical and, more importantly, emotional self-interest.
  • Fail to apply or remember lessons they may have been taught regarding security if confronted with a disorganized or strange situation.
  • Be more willing to discuss a topic about which the HUMINT collector demonstrates identical or related experience or knowledge.
  • Appreciate flattery and exoneration from guilt.
  • Attach less importance to a topic if it is treated routinely by the HUMINT collector.
  • Resent having someone or something they respect belittled, especially by someone they dislike.

These principles are used to develop an approach, build rapport and establish a relationship in which the HUMINT collector presents a realistic persona designed to evoke cooperation from the source. In the military, things are usually done in accordance with established procedures, and a mission (like an interrogation) should have a documented plan. This is not to say they are inflexible or resist innovation, but rather that they want to increase the chances of mission accomplishment and have found that these practices lead to greater success. The HUMINT collector must ensure their body language and personal presentation match their approach.

Some standard approach techniques are: direct; incentive; emotional (love, hate, fear, pride, futility, anger); "we know all" or "file/dossier"; rapid-fire (don't let them talk); Mutt and Jeff, or good cop/bad cop; and false flag (misrepresentation of oneself). The direct approach is simple and straightforward: it is simply telling the person what you want and using interview/interrogation skills to convince them to cooperate and share the information. This technique is useful in a conventional war but not very useful in counterinsurgencies or for social engineering. Statistics from interrogation operations in World War II show that the direct approach was effective 90 percent of the time. In Vietnam and in Operations URGENT FURY (Grenada, 1983), JUST CAUSE (Panama, 1989), and DESERT STORM (Kuwait and Iraq, 1991), the direct approach was 95 percent effective. The effectiveness of the direct approach in Operations ENDURING FREEDOM (Afghanistan, 2001-2002) and IRAQI FREEDOM (Iraq, 2003) is still being studied; however, unofficial studies indicate that in these operations the direct approach has been dramatically less successful. (4) The military is still analyzing the reasons, but one assumption is that the motivations of religious fanaticism are harder to compromise than traditional nationalism.

There are some general types of direct questions that are useful: initial (get the discussion going), topical (establish how much they will communicate and what their level of knowledge is), follow-up (make sure we have gained all the primary and peripheral information), non-pertinent (establish rapport and keep the discussion going), repeat (see if they are consistent), control (establish a baseline), and prepared (for areas the interviewer is unfamiliar with or highly technical topics). One of the key question types is the control or baseline question. It establishes how someone behaves when they are telling the truth. Much as a polygraph test starts with questions like your name and address and then gradually builds to questions related to guilty actions, an SE must understand how the target behaves when not under stress.

[Insert Figure 7.2 Here] [Caption] The various approaches must be integrated. 

The indirect approach, or elicitation, is more useful, as it combines information gathering with normal conversation with targets of interest. Elicitation is a sophisticated technique used when conventional collection techniques cannot be used effectively. Of all the collection methods, this one is the least obvious. However, it is important to note that elicitation is a planned, systematic process that requires careful preparation. (4) This is where the more the interviewer knows about the target the better, so that the conversation flows naturally. For example, they may start by sharing information they already have so the target assumes they know all about it and will openly discuss the details.

Next comes incentive: offering the target something they want or need. The first thing that comes to mind is bribing them, but it can be as simple as an email offering to increase their internet speed or access. This approach can be very effective when tied to the right emotions. The emotional approach brings the target's emotions into the interaction to get them to take an action they would not normally take. A recent example is what is known as scareware: a pop-up box announces there is a problem on the system that can be fixed by installing a free update. The update is a Trojan horse and does nothing but compromise the system. This approach is based on fear; other emotions that can be used are love (in its many forms), hate or anger (us against them), pride (in themselves or their organization) and futility (there is no other option). Picking the right emotion is easier in person, where we can read body language, or on the phone, where we can judge tone of voice and modify the approach based on the situation. The goal of this method is to manipulate the target's emotions so they override their natural cognitive reactions.

Other well-known techniques are "we know all" or "file/dossier", where the interrogator comes in and lays a folder labeled 'witness statements' or a DVD labeled 'surveillance footage' on the desk. They contain no actual information but allow the interrogator to open with something like "we have the evidence we need but want to get your side of the story before we submit our final report". For an SE, the equivalent is presenting material that supports the belief that we already know the basics and just need the target to provide the details. If they are still not talking freely, it may be time to try the rapid-fire method, where we keep interrupting them so they get frustrated and jump in with key facts to make us listen. It is also used when the target is about to say something the interrogator doesn't want them to say, like "I never went to that site", because once they tell a lie it is harder to get to the truth: first we must make them admit they lied.

The last two methods we will discuss are Mutt and Jeff, or good cop/bad cop, and false flag. We have all seen the aggressive and compassionate interview team in movies. The target identifies with the compassionate person and tells their story so that person will shield them from the aggressive one. Typically the good cop helps the target rationalize their actions so they can talk about them openly. One way an SE can use this is to convince someone that their organization has mistreated them and deserves to be attacked. Another way SEs can use this method is on social networking sites, where we could present one fake Facebook persona created for the attack as a cyber bully and a second as someone defending the target. Finally there is the false flag; for the military this might be having a new interrogator come in and pretend to be from a friendly country or a non-governmental organization like the Red Cross. This is very useful for SE as it is simply misrepresentation, which is a bedrock of social engineering.

We can see that most of the techniques used by the military are directly applicable to the civilian sector and can be applied to both physical and cyber environments. The most important things the military brings are proven tactics, techniques and procedures (TTPs) and careful mission preparation and planning. Applied to social engineering, these give the attacker a strong capability to succeed in their mission.
