Column 0: Human Exploitation 101

| September 10, 2008

telepathy.jpgSo, this is my first column for EthicalHacker.net.  I’m quite excited, as I have spent a whole lot of years exploring penetration testing, vulnerability research and exploit writing, and most of the past couple of years working on exploiting people.

When I use that term, I’m not talking about how to open a third-world sweat shop.  While "human exploitation" tends to fall under the traditional heading of "social engineering," that term has been beaten to death of late. For example, the top five articles in my "social engineering" Google News RSS feed as I write this refer to phishing, social network sites, and three different products claiming to protect against all manner of malware.

Unfortunately, this isn’t the type of social engineering I’m going to write about in most of these columns.  And I’m not going to talk about lock-picking, breaking into buildings, or any of the other "No Tech Hacking" type of stuff that Johnny Long and others have made famous over the past couple of years. Nope – this is going to be all about dealing face-to-face (or voice-to-voice or text-to-text) with real live people and exploiting the natural tendency to trust. 

Active Image
Active Image del.icio.us

Discuss in Forums {mos_smf_discuss:Murray}

Of course, this skill underpins everything else that we do when on a social-engineering engagement – in order to impersonate a UPS guy, talk someone out of their password, write a great targeted phishing email, or know exactly where to drop the USB keys - you have to have great skills at exploiting the natural tendencies of humans.

This means a deep understanding of the three fundamental skills (that I have mentioned often in introductory talks and articles on this topic) – the ability to communicate, the ability to be aware of your surroundings, and your ability to control the context (or "cognitive frame") of your interaction.

Each of these skills is complex and could take up an entire book (or books), but we’ll start out with a quick breakdown of each skill, and how it affects the interaction.

Communication

This one’s the obvious one – you have to be able to talk effectively to influence someone and get them to do what you want them to do.  However, this is far easier said than done.

I’m sure that you know that the art of being a great hacker is knowing the rules of a how a system works, and figuring out how to twist, bend and break those rules to your advantage.  Language works the same way… but, for language, there are actually two entirely different sets of rules – one for each action of language.  In fact, every act of communication can be distilled down to performing one of two purposes: the act of information transfer and the act of influence. 

Information transfer is what you probably spend most of your time doing when using language.  Most of the time, you are either telling someone something or requesting that they tell you something – pulling information from people or pushing information to them.  Nearly every statement in this article has been an act of information transfer (including this sentence). Most sentences are designed to provide a piece of information to you that you can assimilate and remember.

The rest of your time, you spend working to influence someone to change their opinions or positions on something.  In that case, you are not conveying nor requesting information, but attempting to change the thinking of another.  Unfortunately, most of us have been taught that this is a similar act to information transfer – this is why we try to "convince" someone using a better argument.  This is NOT the most effective way to influence someone, however.  (We’ll cover that one in a future column…)

Awareness

When on a social engineering engagement, your awareness of others is fundamentally like having a compass.  If your goal is to go to a destination that lies due north, it is incredibly helpful to know that you happen, at this moment, to be walking east.  The compass will tell you that a direction change is required.  That is exactly what your ability to read others will enable you to do. It gives you the ability to change, adapt and restructure communications on the fly and relies entirely upon the ability to see the effects that your communications are having. The awareness of others within the communication is the true skill that conveys the ability to know whether your language is having the intended effect.

In NeuroLinguistic Programming (NLP), this skill is referred to as "calibration."  Calibration is the ability to notice the emotional, physical and mental state of another and to accurately apply that state to oneself.  If the parent in the above example happens to be in a loving mood, the choice of temper tantrum may not be the most effective.  Whereas, if the parent is already stressed, it may be.  The point is not what the calibration is – the skill is to notice facial expressions and body language at an extremely precise level, and accurately represent them within oneself in order to structure communication more effectively.

Cognitive Frames

Frames are defined by Wikipedia as: "the inevitable process of selective influence over the individual’s perception of the meanings attributed to words or phrases. Framing defines the packaging of an element of rhetoric in such a way as to encourage certain interpretations and to discourage others."  In effect, the frame of a conversation is the context that allows us to shape the meaning that is given to the content. Most of the time, we spend our lives absorbed in content.  When having a conversation, we are mostly engrossed in what the person is saying and what we are saying in response. 

However, the frame around the communication has a great deal more impact on its effectiveness than does the content of the communication itself.  What strong social engineers are able to do is manipulate the perceptions of those around them in order to ensure that the content that they are using is interpreted in the way that makes them most able to get what they want.


This has been just an introduction to the skills of exploiting humans – I’ll go in to far greater detail in the coming months as we discuss each of the skills in more depth.  As well, I’ll be using this column to release some interesting research (including 0-day exploits against humans).  Until then, feel free to email (mike at ethicalhacker dot net) if you have questions – I’ll answer any questions you have in future columns.

Category: Murray

Comments are closed.