Murray

The Failure of Hypnosis in Social Engineering

May 9, 2011

Column by Mike Murray

I was recently at a conference with a friend of mine who was visiting Vegas for a hypnosis conference, and I was explaining to him the biggest problem with most social engineering "experts."  And, of course, because I had been talking to him about amnesia, I promptly forgot about it.

I was reminded of it when I was reading something that another social engineering expert wrote that linked hypnotic phenomena to the act of social engineering.  So, I’ll share the same caveat with all of you: if someone tells you that hypnosis has anything to do with social engineering, they’re a charlatan and you need to be VERY careful believing anything that they’re saying.

This is said, of course, as someone who is formally trained in hypnosis and has spent a lot of years studying it as part of my training to become good at social engineering.  But, in the same way that being a great coder doesn’t make you a great penetration tester (and vice versa), being a great hypnotist doesn’t make you a great social engineer (and vice versa).

Let me explain. 


The 5 Secrets to Phishing Success

March 2, 2011

Column by Mike Murray

These days, it’s hard to perform a penetration test without attempting some sort of online social engineering, and most often, this takes the format of some type of phishing attack (whether targeted or across a wide user base).

While we spend epic amounts of time getting our exploits and payloads perfect (even if we’re using SET), far too often we see testers using stock emails or variants of canned emails that they’ve been taught to use without thinking about the real keys to getting their emails read and acted upon.

These are my five most-often overlooked secrets to making sure that your email phishing works…


The Guide to Neuroscience for Social Engineers

July 1, 2010

As a social engineer, you spend all of your time manipulating people’s brains. Yet most of the social engineers I meet don’t know the difference between the amygdala and the cerebral cortex.

And you need to.

So this article is going to give you a quick trip through the human brain. 

The brain isn’t just a single organism – it’s truly a three-part entity known as the triune brain. The idea of the triune brain was first proposed by Paul MacLean. He proposed that the brain that you and your caveman ancestors shared is not a single brain but actually a three part structure. MacLean viewed our brains as similar to “three interconnected biological computers, [each] with its own special intelligence, its own subjectivity, its own sense of time and space and its own memory.” That is, while each of the three brains interacts, each one functions as a separate and somewhat independent unit.


Review: Pen Tester Sets Sights on the IronKey

June 11, 2009

After more than 10 years in the information security industry and a significant amount of time running a lab that tests products, I’m a pretty difficult guy to impress with technology. And I’m NEVER nice to vendors. They hate me. As an example, when running said test lab, we once had a vendor give a client six-figures worth of software when the client told them that we’d be testing it before they purchased. The client was happy, so we did our jobs even though we never tested a thing.

The only product I have ever had a net positive review of was the Safeboot disk encryption product, and even then, it was a case of being damned with faint praise.  I believe that the entire positive part of our assessment was: “the product works as advertised.”

So, when Don approached me to do a review of the IronKey Personal, I knew I was going to rip it apart.  I was going to write a scathing review of how terrible their product is and why these “gimmicky” pieces of hardware don’t work.  Because they usually don’t.


Me Talk Good: Language and Social Engineering

March 20, 2009

It’s a fact, Jack. Nearly 100% of social engineering engagements will involve the use of language.

Yes, that was trite and obvious. But it’s also true. Which means that if you want to engage an organization or individual as a target for a social engineering attack, your ability to use language will be a significant factor in the success or failure of your attack. Even more precisely, you have to know the different ways that language can be used, and the differences in the language patterns and formats for each of those uses. Only then will you be empowered to structure your language in such a way as to have maximum impact.

Before talking about how to use language, you have to be aware of language. While most of us are not aware of it, language has two (and only two) distinct actions: the movement of information and the act of influence on another person.


The Renaissance of Human Exploitation

February 26, 2009

Mike Murray was also at the last ChicagoCon in the fall of 2008. Since he is now going to be a regular columnist on The Ethical Hacker Network, this seems like an appropriate place to publish the slide deck and audio recordings from his talk. If you’ve never heard Mike speak on Social Engineering, then you’re in for a treat. Not only will you be entertained but also educated. The description of the talk is as follows:

"Information security has seen some major changes in the paradigms of attackers through the past 15 years. From the early days of social engineering, through the golden age of server hacking, and to the present times where the human is once again the target, we have seen significant changes in the way that attackers exploit targets. Mike Murray, Former Director of Neohapsis Labs and social engineering expert, will detail those changes and provide a detailed understanding of the types of skills that are being used to exploit human targets today, as well as examples of strategies that you can take to defend against skilled social engineers." 


Column 0: Human Exploitation 101

September 10, 2008

So, this is my first column for EthicalHacker.net. I’m quite excited, as I have spent a whole lot of years exploring penetration testing, vulnerability research and exploit writing, and most of the past couple of years working on exploiting people.

When I use that term, I’m not talking about how to open a third-world sweat shop.  While "human exploitation" tends to fall under the traditional heading of "social engineering," that term has been beaten to death of late. For example, the top five articles in my "social engineering" Google News RSS feed as I write this refer to phishing, social network sites, and three different products claiming to protect against all manner of malware.

Unfortunately, this isn’t the type of social engineering I’m going to write about in most of these columns.  And I’m not going to talk about lock-picking, breaking into buildings, or any of the other "No Tech Hacking" type of stuff that Johnny Long and others have made famous over the past couple of years. Nope – this is going to be all about dealing face-to-face (or voice-to-voice or text-to-text) with real live people and exploiting the natural tendency to trust. 
