© 2010 – MAD Security, LLC. All rights reserved
Bite The Wax Tadpole
BSides Rhode Island
Katrina Rodzon / Mike Murray
MAD Security / The Hacker Academy
Culture / Why it influences us
The Human Vulnerability
The Grog Problem (or: Why Users Aren’t Stupid)
We Shouldn’t Be Here.
But We Are.
There’s a pattern there somewhere…
The fundamental human advantage:
Our ability to work together
Trust is a feature of our hardware
What influences us
Social Engineering:
The practice of obtaining confidential information by manipulating users.
Source: Wikipedia
Success in Social Engineering
Create a context that ensures that the behavior we want is completely appropriate and ensure congruency with that context
http://lboeckl.net/model/figures/triune%20details.jpg
The Six Universal Expressions
Understanding Social Penetration: Email / Phishing
Wilson Baka’s Mistakes
• The “A 4O6 Expressway” - The road is called “A406” (note that it’s a zero and not an “O”). The UK calls them highways or “roads”.
• (Q.C.) – British Barristers don’t usually enclose their credentials in parentheses (and often don’t use periods, writing their names as “Wilson Baka QC”)
• Nine Million Eight Hundred Thousand British Dollars – The British currency is the Pound, and 9,800,000 British Pounds is approximately $15,000,000 USD, not $2.6 million.
• The “abandoned property decree of 1996” – There is no such law in Britain
• “Barr” as a formal signature – British Barristers don’t sign their name as including “Barr” at the beginning to indicate their job title. This is the equivalent of an American lawyer named “John Smith” signing their name as “Lawy John Smith”.
Smart Attackers
Wilson’s Email Host
Why is a British Lawyer using an Indian Free Email Service?
Domain Names
$19.98 is a small investment
Understanding Tone
Salutation and Signature
Rewriting It
Actually sounds like a lawyer
But it’s still not likely to work.
Example: The Evil Twin Attack
My Real Facebook Account
Set up A Fake Facebook Account
Steal the Picture
Take the info directly from the original
Add the Right Info
Stolen from the Public Facebook Profile
The Fake Profile
Questions?
Get a free demo to learn more:
http://www.hackeracademy.com
Get in touch with Mike
Email: [email protected]
Twitter: @mmurray
Get in touch with Kati
Email: [email protected]
Twitter: @krodzon
Exploiting Language
Me Speak Good
Review: 3 Skills of a Social Engineer
1. Ability to Use Language Artfully
2. Awareness of the Target and their Responses
3. Awareness and Control of the Context
Language Processing
A Hardware Perspective
Processing the Written Word
http://www.e-speec.com/model.jpg
Language and Reality
• Language is not reality
  – This seems obvious
  – Except that we treat it as somewhat real.
  – Language acts as a model of reality.
• Characteristics of models
  – Most models have the following characteristics
    • Incomplete
    • Distorted
    • Purposeful
  – Example: maps
  – Each of these characteristics applies to language.
Linguistic Incompleteness
• All Linguistic Acts are Incomplete
  – We should be glad.
  – If we had to be complete about every linguistic act...
  – Imagine the description of:
    • Eating a strawberry.
    • Walking down the stairs.
  – But it causes issues.
  – We have all been in the situation of misunderstanding because we didn’t understand what someone meant.
  – Even the most simple situations have confusion built in:
    • “The cat walked across the room.”
    • “John gave Mary a ring.”
• The key is to know HOW it is incomplete...
Deep vs. Surface Structure
• Deep Structure
  – A full representation of the speaker’s model of the world
  – Contains full sensory representations
  – Too detailed for practical use
• Surface Structure
  – What we hear/read in a sentence
  – The key in language is that surface structure somehow communicates deep structure
    • That correspondence is what makes language effective
    • It’s the failure of correspondence that is the incompletion of language
The Usual Suspects
• There are a few common classes of incompleteness that arise when dealing with language:
  • Deletion
  • Distortion
  • Generalization
• Why do we care?
  – Understanding what isn’t present allows you to understand what is being said (and what isn’t).
  – As in hacking, knowing the rules allows you to bend them.
Deletion
• We leave out parts of any linguistic act
  – We filter out that which we believe is unimportant
  – This creates a partial representation
• Acts of Deletion
  – Unspecified Verbs
  – Loss of reference
    • Lacking Referential Indices
    • Comparative Superlatives
    • The “Ly” Verbs
Distortion
• We choose a distorted representation
  – Purposeful representation - we have “selective memory”
  – Language that relies on incomplete shared representations
• Acts of Distortion
  – Nominalization
  – Mind Reading
  – Universal Quantifiers
Generalization
• Abstraction for the purpose of extension
  – A form of deletion - we leave out or “roll up” information
  – Language that relies on incomplete shared representations
• Acts of Generalization
  – Modal Operators
  – Symmetrical/Asymmetrical Predicates
    • Symmetrical - “I slept next to him.”
    • Asymmetrical - “I talked to him.”
  – Complex Equivalence
    • “He was excited, so he’s going to give me the information.”
Language and Its Impact
• Language impacts each of the brains
  – Creates vivid representations to be processed by the brain’s systems
• Two main purposes of language
  – Information Transfer
    • Representations that are (mostly) relevant to the NeoCortex
  – Influence
    • Representations processed across all three “brains”.
    • The focus of the rest of this section.
Information Transfer
Outline
• Information Transfer
  – While social eng. is primarily about influence, we need to talk about transferring information....
  – The first purpose of language
  – The key is precision
  – Gathering information
    • Similar to meta-model exercises
    • Asking questions
    • Eliciting information without being invasive - Reflecting Back.
  – Providing information to others
    • Ensuring your own completeness
    • Creating Feedback loops
Why does this matter?
• Imagine an engagement
  – I call you up and get you to give me your password. That’s all just influence, right?
  – Not really - first, I have to set a contextual frame
  – There will always be some form of information transfer in setting the frame.
  – There will often be information transfer elsewhere, as well.
  – Additionally (and this will make more sense later) - information transfer and influence are largely inverse operations. Learning one will allow you to invert more easily to the others.
Precision
• Example of imprecise language:
  – When we’re talking, we need to do things that ensure that make our language understandable to other people and that convey some ability to arrive at meaning.
  – WTF?!?!?! What information did I just convey?
• In language, precision is the art of overcoming incompleteness
  • Remember the earlier descriptions of how language is incomplete
  • We say that a description was precise when a listener arrives at the same mental representations as the speaker (with whatever precision is required to use the information appropriately)
  • That was precisely vague. (Explain why appropriateness constraint)
  • Uhh... problem. How do we know? (We’ll get there...)
  • Put simply, in information transfer, the goal is to synchronize representations between two minds.
This is Bi-Directional
• There are two types of information transfer
  • The first is conveying information.
  • What is the second?
• Conveying information
  – Being precise
• Requesting information
  – Learning to convince others to be precise.
• We’ll start with requesting information first – as it’s easier to learn
Asking Questions
• The primary skill - asking questions
  – The ability to form a good question is of paramount importance
  – Most people are never taught what constitutes a “good question”
• A Good Question:
  – One dimensional (only requests one piece of information)
    • BAD - “Do you like music, fine wine, and the color blue?”
  – Mutually exclusive choices
    • (hint: the answer to “or” should never be “yes”)
    • BAD - “Did you have fun today or stay home from work?”
  – Does not violate the “7+/-2” principle - Offers limited choice
    • BAD - “When you grew up, were you in school at a small school while growing up in a big town, a big town when in a small school, a small town with a small school or a big town while in a big school, or were you home-schooled and how many students were at your school?”
Overcoming Incompleteness
• People are going to leave information out.
  – Remember the incompleteness exercises from chapter 2
  – Your goal is to recover the information
  – We’re going to go through each of the types of incompleteness and look at how to recover what’s not present.
• Remember the usual suspects
  – Deletion
  – Distortion
  – Generalization
  – Presupposition
Deletion
• We leave out parts of any linguistic act
  – We filter out that which we believe is unimportant
  – This creates a partial representation
• Acts of Deletion
  – Unspecified Verbs - Recover the referent of the verb: “about what/whom?”
    • “I’m happy.” - Happy about what?
    • “I stole from him.” - Stole what?
    • “He talked to me for an hour.” - About what?
  – Loss of reference - Recover the reference point.
    • Lacking Referential Indices
      – “People are gullible” - Which people specifically?
    • Comparative Superlatives
      – “He’s the best.” - Compared to what/whom?
      – “More aggressive social engineers always get what they want.” - More aggressive than what?
    • The “Ly” Verbs
      – “Obviously, he believes that I’m the best for the job.” - How is it obvious?
      – “Clearly, we were ready to start the engagement.” - What makes it clear?
      – “Unfortunately, you forgot to write the password down.” - Why is it unfortunate?
Distortion
• We choose a distorted representation
  – Purposeful representation - we have “selective memory”
  – Language that relies on incomplete shared representations
• Acts of Distortion
  – Nominalization -> Turn nominalization back into a verb, recover information.
    • “We made a great decision.” - What did you decide?
    • “Our fear keeps us from making change”. - What are you afraid of? What would you change?
  – Mind Reading -> Recover actual data that allowed realization
    • “I knew he wanted to give me his password, but he didn’t.” - How did you know?
  – Universal Quantifiers - Challenge the relationship
    • “All balls dropped from a height will fall.” - All of them?
Generalization
• Abstraction for the purpose of extension
  – A form of deletion - we leave out or “roll up” information
  – Language that relies on incomplete shared representations
• Acts of Generalization
  – Modal Operators - Challenge the moral.
    • What would happen if you did/didn’t?
  – Symmetrical/Asymmetrical Predicates
    • “I slept next to him.” - Requires that he slept next to you.
    • “I talked to him.” - Does not require him talking. Did he talk to you?
  – Complex Equivalence
    • “He was excited, so he’s going to give me the information.” - How does his excitement == his giving you the information?
Challenging Presupposition
• Presuppositions are the things that must be true in order for the sentence to be true.
  – Example: “Bob went to the store down the street.”
  – Presuppositions:
    • Bob exists and is able to travel.
    • Bob is on a street. A store is on the street.
• We elicit presuppositions with the concept of “does that mean...”
  – “Does that mean there’s a store on the street?”
Confirming Model Equivalence
• So, this could get annoying really quickly.
• Remember, the goal is model equivalence (to the level of specificity required)
• We don’t have to question for every piece of incompleteness
• Because of this, we need to confirm that what is in our head is in the speaker’s head, as well.
• Reflecting back
  – Old skill from what was known as “active listening”.
  – Simple restatement of the speaker’s statements:
    • “What I hear you saying is...”
    • Or, more simply (and less obviously), just a restatement of their statement with a questioning tone?
• Secondary benefit of establishing rapport (more on that later).
Providing Information
• Unless someone else is trained in this, you’re going to have to do it yourself.
• Feedback loops in your own head.
• Using the same questions that you were asking
• This is the editing process for writing.
  – Write a sentence
  – Read it and determine what it is missing.
  – Fill in information with next sentence(s).
  – Repeat.
• In this case, the editor is your audience.
Checking Your Work
• Requesting feedback on information you have given
  – The goal of model equivalence is only achieved in the head of the listener
  – You need to check in with the listener to determine your success
• We can do this without being annoying
  – Simple checkins request a request for clarification
  – My use of “Make sense?”
  – We’ll talk more about audience awareness in section 2, but we can check in specifically.
  – Also: “say that back to me”
Learning to Do it In Real Time
• Unfortunately, you can’t learn this by reading or listening to me talk. You have to do it.
• Next time you talk
  – Allowing yourself to become aware, now, of the next time you tell someone something what information you have deleted.
  – Notice the questions that those around you ask - what information are the people talking to you asking for?
• Intentional vagueness
  – Intentionally start a conversation or two with a completely vague statement
  – Observe the information elicited from you and take note of how you could have added that information at the beginning.
Language for Influence
Types of Influence
• Defined all the way back in ancient Greece.
  – Aristotle, “On Rhetoric”
• 3 types of rhetorical persuasion
  – Logos: Appeal to reason
  – Pathos: Appeal to emotion
  – Ethos: Appeal to authority/ethics
• Logos:
  – relies on having the right information - precision
• Ethos - leave for later
• Pathos - focus for now.
Agreement
• The goal of information transfer is precision
  – Different than the goal of influence
  – This is about the amygdala
• The goal is to change representation without triggering disagreement
  • Disagreement is the mind’s defense against inappropriate influence.
  • This is not about rhetorical/logical disagreement
  • Agreement allows
• The artful inversion of precision
  – Use of deletion, distortion and generalization to maintain agreement
  – Sometimes referred to as being “artfully vague”
A brief word on hypnosis...
• Hypnosis is portrayed as a magical state
  – It can be, but so is meditation
  – Hypnosis is actually accurately depicted by the idea of the relaxation of the critical faculty
• Critical faculty
  – barrier between conscious and unconscious mind
  – actually part of the conscious mind
  – Part of the memetic immune system
• Consistent agreement depotentiates the critical faculty
  – This state is what is known as hypnosis
  – Also seen in cult behavior in a different context
Compliance Set
• Agreement patterns
  – Consistent agreement creates an altered state
  – This consistent agreement is important for the purposes of influence
• As long as someone remains in agreement, it is possible to feed suggestion
  – This is the basis of hypnosis
  – In fact, disagreement ends trance
• Tell story of Melina from the weekend.
Using what’s not there
• So, how do we create consistent agreement?
• Maintaining agreement requires allowing shared representations
  – Which is easier to agree with?
    • I feel a sensation in my hand.
    • I feel a stabbing pain in my left index finger?
• The artful inversion of precision
  – Use of deletion, distortion and generalization to maintain implicit agreement in all contexts
  – Sometimes referred to as being “artfully vague”
Deletion
– Unspecified Verbs
  • You can wonder exactly what it is to know.
– Loss of reference - Recover the reference point.
  • Lacking Referential Indices
    – “People can know that things are as they should be.”
  • Comparative Superlatives
    – “You can find that being successful is always best.”
  • The “Ly” Verbs
    – “Obviously, you can give me the password because you can trust me.”
Distortion
• Acts of Distortion
  – Nominalization -> Turn nominalization back into a verb, recover information.
    • “You can have the knowledge that it’s the right decision.”
    • “Our fear keeps us from making change”.
  – Mind Reading -> Recover actual data that allowed realization
    • “I knew he wanted to give me his password, but he didn’t.” - How did you know?
  – Universal Quantifiers - Challenge the relationship
    • “All of the things that you can do are the right ones...”
  – Lost performative:
    • “It’s good that people are honest.”
    • “One can wonder exactly when you are going to move your right arm now.”
Generalization
• Acts of Generalization
  – Modal Operators - Generalize the modal operator
    • One should find themselves working out each day.
  – Complex Equivalence - making causal connections
    • Transitional words -
      – Using “and”, “as”, “because”, “will”, etc.
      – “The more x, the more y”
Presuppositions
• The artful use of presuppositions is the true method of influence
  – Once you have agreement, presuppositions are used to create and alter shared meaning
• Example: the Hypnotist’s use of “try”
  – “Try” presupposes failure.
  – “Try” to open your eyes. Really, really try.
• Other words with useful presuppositions
  – -er at the end of the word (“you can get sleepier now..”)
  – More/less/fewer
• Getting closer to putting you in a bind...
Binds
• Binds are situations that reduce the number of choices that we have
  – Simple binds create an “illusion of choice” (e.g. “Magician’s choice”)
  – Double binds create no choice at all.
• Simple binds
  – Would you like to go to bed now or in five minutes?
  – Would you like to brush your teeth before or after your bath?
• Double binds
  – “Damned if you do...”
Questions
• The question cannot be avoided by the unconscious mind
  – If you ask a question, it will be answered
  – This doesn’t have to be conscious
• Knowing how to use questions is the key to making change
  – Questions can ensure that your content gets processed, can’t they?
Negation
• Negation is not understood by the human mind
  – We understand only positively framed statements
  – “Don’t think of a pink elephant”
• The pattern is unavoidable
Process / Content Confusion
• Linguistic Ambiguity
  – Hypnotic language patterns often turn on the ability to substitute process for content
  – The conscious mind need not understand the content
• Ambiguous Content
  – Syntactic Ambiguity
  – Phonetic Ambiguity