16 May 2014

Becoming the MindNinja

Real-­‐world  social  engineering  for  the  geek/introvert  (or  anyone)  

3

Agenda

– Upfront stuff – The simple social engineering equation – Tour of some psychology to explain motivation – Understanding the attack vectors – Survey of SE Technologies – Outline 5 functional strategies – Jedi Mind Tricks – Questions

4

Goals

–  Primary: •  Explore the non-anonymous social engineering psychology,

technologies, and strategies. •  Demonstrate 5 easy techniques that can be used “today” to

improve non-anonymous social engineering (not to mention amplify anonymous SE).

•  Show it does not take charisma to be a good non-anonymous social engineer – this is technology too!

–  Secondary: •  Understand some basic but functional psychology behind why

social engineering is hard to stop/defend. •  Demonstrate through the offensive scope how social engineering

can be minimized. •  Classify better the social engineering “technology” domain.

5

Why Me?

– Lifelong observer of really difficult people and behavior.

– Nearly 20 years intelligence, spec ops, leo work – Certified hypnotist and skilled in NLP, Hypnotic

Language, Body Language… – Actual Ninja (go figure)

Note: Just because I am, doesn’t mean I always am!!

6

Disclaimer/Warning/Moral Clause

–  This IS powerful stuff. Yes you can manipulate very covertly! –  “With great power comes great responsibility” (not used with

permission of Marvel Comics). –  Use at your own risk

•  Personally •  Professionally •  Daily

–  You have to do/try these things to learn them. Find some willing participants for your screw ups!

–  Remember an old demolition man saying… Always hold the blasting cap with your pinkie finger… You will loose it one day!

–  Finally don’t expect “magic” today… You are the worst audience!! J

7

Extrovert/Introvert

– Technical Definitions: •  Extroverts get energy from social discourse •  Introverts lose energy to social discourse

– My take: •  Introverts are actually more socially in tune with even

minutia, extroverts are far less so. •  As a result, introverts senses are in overdrive and it is taxing. •  Actually a gift •  Introverts actually may have the basis for being far better

social engineers given this, once trained.

8

Social Engineering Equation

(Motivation + Attack Vectors + Technologies)Strategy = Successful & Lethal Social Engineering

Acronym MATS

9

Background Psych – Motivations

– Lots of reasons: •  Freud – Id & Ego •  Jung - Archtypes •  Maslow – Hierarchy of needs •  Pavlov – Behavioral

– Motivation is the thread which the fabric of a good social engineering attack is woven.

– Must learn to identify and recognize motivations quickly and effectively.

10

Psychology – Freud & Jung

– Main principles of Freud: Id, Ego, Super ego •  Id – immediate gratification •  Ego – command and control, values •  Super ego – “meta”… spiritual, beliefs, dreams

Freud is the “who am I” of psychology

– Main contribution of Jung: Archetypes •  Originated the concept of groupings of personalities and

archetypes •  Introvert and extrovert definitions •  Ultimately lead to Myers/Briggs differentiations

Jung is the “what am I” of psychology

11

Psychology - Maslow

– Hierarchy of needs

Maslow is the “what state am I in” of psychology

12

Psychology - Pavlov

– Classical Conditioning •  Big one for Social Engineering •  Association of stimulus to effect(s) (anchoring) •  Does not have to be a direct association (chained anchors)

– Will explore pragmatic concepts more in the technologies discussion. Pavlov just scratched the tip of the iceberg.

PTSD is the most dramatic example of Classical Conditioning.

Pavlov is the “how do I become” of psychology

13

Why?

– So why all this psycho-babble? Consider these the Nmap and Metasploit of your Social Engineering ToolKit •  Freud/Jung/Maslow are your nmap (Reconnaissance/

Motivation) –  Tell you what operating system you are dealing with (id/ego/super) –  Tell you what ports are open (Maslow) –  Tell you want services are available on those states (Jung)

•  Pavlov your Metasploit (Exploitation) –  All exploitation is some form of or includes some form of Classical

Conditioning.

14

Attack Vectors

– What is often overlooked are the basic attack vectors. There are really only 3. Most social engineers only see and work with 1 (human).

– 3 P’s: •  People – The human(s) in the equation. •  Processes – Can be laws, regulations, standards,

organizational processes. •  Perspectives – Hating the boss. Disregard for societal norms.

Attraction.

15

People Attack Vectors “FLAGS”

–  Fear •  Meta fears: failure, being loved… •  Real fears: exposed, bankrupcy…

–  Lust •  Sex, sex and more sex •  Envy (grass is greener)

–  Anger •  Anger felt •  Anger received

–  Greed •  $$ •  $$

–  Sympathy •  Affiliation to cause •  Love, empathy, etc •  Moral virtues

16

Process Attack Vectors “FIRE”

–  Flow •  Steps •  Chain of command/custody

–  Identity •  Ownership of process •  Leadership of execution •  Role of person involved

–  Rules & law •  Locale & jurisdictional regulations •  Internal complimentary processes

–  Environment •  Time of day •  Organization character •  Situation

17

Perspective Attack Vectors “FRAC”

–  Feelings •  Emotional context •  Persuasion

–  Rationalization •  PC (political correctness for you geeks) •  Logic

– Authority •  Real or perceived limits of authority •  Real or perceived sense of responsibility

– Character •  Moral background •  Negativity/positivity of environment •  Sense of “community”

18

Social Engineering Technologies

– Most of these technologies are multi-functional (recon & exploitation)

– Best Set: •  Observation & Intuition •  Body Language •  Language •  Hypnosis •  Neuro-linguistic programming •  Con-estry •  Cold Reading

19

SE Tech: Observation & Intuition

–  Observation •  Observe, observe, observe •  Learn to observe nuances, but not react to them… This enables intuition

to evolve •  What to observe:

–  Macro body positions –  Micro body positions –  Language –  Eye movement –  Breathing

–  Intuition •  Too many people repress true intuition •  Listen to all intuition, avoid reacting to it •  Intuition IS the “quiet thunder” of social engineering

Observation and intuition are the core of all other SE technologies

20

SE Tech: Body Language

–  Most people learn body language as an interpreting (or defensive) technique… Totally Wrong

–  Body language is a offensive and defensive technique –  Defensive:

•  Learn what body language MIGHT be saying… •  Don’t depend on body language interpretations •  Culture/Region/Situation/Locale play a huge role •  Body language major clues…

–  Offensive: •  Way more powerful •  Doesn’t have to “speak”, can:

–  Position –  Anchor –  Generate rapport…

Remember you can’t determine the intent of their body language (defensive), but you fully control the intent of yours (offensive).

21

SE Tech: Language

–  Language is an art unto itself – Modalities of language:

•  Competence •  VKA(D) dominance/predominance •  Tone/Intention •  Content

–  Each of these produces clues to what is going on in the person’s psychology (archetype, id/ego/super)

– Hypnotic language Language is the underpinning to most of the technologies, learn

to become more aware of language used and that you use.

22

SE Tech: Hypnosis & NLP

– Hypnosis: •  Basics – Focus, Rhythm, Relaxation, Visualization/Metaphor •  Traditional falling asleep hypnosis is very rare, people can

be hypnotized and not even change their “state” •  Can use any of these basics to achieve partial states that

are still effective.

– Neuro-linguistic Programming: •  A set of technologies based on… Rapport, Hypnosis,

Classical Conditioning, State Language •  Waking hypnosis on steroids •  The stuff legends are made of…

23

SE Tech: Con & Cold Reading

– Meta Tech –  The art of the con

•  A language and set of scenarios used for meta-scripting social engineering in solo or teams. –  Basic “project plan” for all Social Engineering: 1) putting the mark up 2)

playing the con 3) roping the mark 4) telling the tale 5) creating the confidence 6) giving the breakdown 7) putting the send 8) taking off the touch 9) Blowing him off (or not) 10) putting in the fix

– Cold Reading •  A organized way to interact with someone to create an ability to

“read” that person. •  “Reading” elicits information, engenders rapport, creates

assimilation, and covertly programs the context of the dialog towards goals.

24

Strategy “PAD-IT”

–  5 basic strategies (to achieve end-goals) •  People (asset identification, recruitment and management)

–  Con’estry (knowing the plan and recruiting) –  Cold Reading (how to talk to reveal) –  NLP (rapport & anchoring)

•  Actions (get anything you want) –  NLP (rapport and anchoring) –  Cold Reading –  Con’estry

•  Defense (MindNinja Fu) –  Language/Body Language –  NLP (disassociation and anchoring)

•  Information (overt and covert interrogation) –  Cold Reading –  NLP (eye reading & anchoring) –  Hypnotic Language

•  Truth (human lie detection) or discerning validity –  NLP (rapport and eye reading)

25

5 Jedi Mind Tricks

– Basics: Un-biasing, Tense, Silence, DuChenne Smile – Rapport: Breath, Body (subtle), Language – Eye Reading: VKAd – Disassociation: Kinesthetic, Emotional, Language – Anchoring: Covert/Overt

26

JMT - Basics

–  Social engineers must learn the gestalt technique of “un-biasing”. Best way is to visualize and take in all scenarios from an unbiased observer context.

–  Using language context and tense to match the situation •  VKAd context •  Use abstract “you would want” vs “will you” or “you will”. (e.g., “You

would want to have that bigger room if you had travelled 15 hours straight, wouldn’t you?” vs. “Will you give me that bigger room?”)

–  Ask for what you want –  Silence is the Ginzu knife of conversation.

•  Use it versus negatives. •  Use it to cause the other party to be uncertain •  Use it… A lot

–  Learn to detect and deliver the DuChenne Smile.

27

DuChenne Smile

Photo  compliments  of:    sciencebuddies.org  (h@p://www.sciencebuddies.org/science-­‐fair-­‐projects/project_ideas/HumBeh_p043.shtml#background)  

28

JMT - Rapport

–  Breath •  Fast (Visual/digital), Medium (Auditory), Slow (Kinesthetic) •  Match closely but do NOT parrot. If you are a fast talker talking slowly

will both seem “fake”, as well as mess up your “spitting your game”. •  If you are on opposite ends (Fast/Slow) – move to medium and enhance

your opposite (V/K) language. •  DO NOT overdo the trying to breath at the same pace – but get some

synch –  Body position matching

•  Roughly mirror… I stress roughly… •  Direct your body with theirs identically (mirror wise) •  Don’t try to parrot, move subtly and smoothly

–  Language •  Fill in the gaps with language and language transitions of their Modality

–  Pace vs. Transition vs. Integrate

29

JMT – Eye Reading

– This and anchoring are the secret sauce!! Learn well – A lie detector, mind reader, and behavior measure all

rolled up into one. – Basics: •  Eyes give you the way and modes the mind thinks and is

thinking in. •  Position and transition are important •  Remember for a RH person (looking them)

Check out this link: http://www.nlp-practitioners.com/interactive/nlp-eye-access-cues-game.php

30

Eye Accessing Cues

Photo  compliments  of:    nlp-­‐pracIIoners.com  (h@p://www.nlp-­‐pracIIoners.com/interacIve/nlp-­‐eye-­‐access-­‐cues-­‐game.php)  

31

JMT – Disassociation

–  I had a pizza with my shoe last November when I was born.

– Remember when you can’t beat em, grab the brush and put silly putty on it.

– Never stomp on a bird in a branch of a tree when you can’t eat drama well with broccoli.

– 3 Types: •  Kinesthetic – touch their buttocks as you swipe their badge

from their jacket •  Emotional – sob like a loved one died when you are about

to get what you want. •  Language – see above

32

JMT – Anchoring

– Magic… Pure conditioning. –  Just like you train a dog. – Match anchors to dominant modalities –  Start simple, migrate to complex – Can chain A-> B-> C-> D, so if you want a person to

cough every time you tap your fork you may not start with tap fork -> cough

– Can be done entirely covertly, person doesn’t (and most often shouldn’t know).

– Collapsing anchors – to produce 2nd order (chains) or reduce existing (dissolution)

–  Takes A LOT of practice and work. Start simple.

33

Questions?

There are lots of them I know. This is JUST to get you started.

Lots to learn. Pick one and learn through application

If you want to know more: themindninja@gmail.com

or lstephens@tangiblesecurity.com

Thank you!