2. Pwning People through Technology Mike Murray Hacker Halted USA 2009 9/24/09

3. Mike Murray A decade of experience in penetration testing, vulnerability research and social engineering CISO of Foreground Security (ForegroundSecurity.com) - leads penetration tests and security services engagements Lead trainer and curriculum developer at Foreground’s training division The Hacker Academy (TheHackerAcademy.com) Managing partner of Michael Murray and Associates, where he directs diverse stealth-mode security industry projects. Security blogger (Episteme.ca), podcaster, and regular speaker on social engineering, vulnerability management and the human side of security. Founder of Information Security Leaders, the leading resource on information security careers (InfoSecLeaders.com) Certified Hypnotherapist and Master NLP Practitioner 3 3

4. 4 Only two things are infinite: the universe and human stupidity. And I'm not sure about the former. - Albert Einsten

5. 5 Social Engineering:The practice of obtaining confidential information by manipulating users. Source: Wikipedia

6. Human Vulnerability Humans are social creatures Human nature makes us vulnerable to each other Social engineers exploit weaknesses in human nature to obtain information or access 6

7. 7 That Sounds Familiar

8. 8 Mesmer Erickson Elman Brown Ponzi Angel Irving Abagnale Weill Houdini Jermay Con Men Magicians Hypnotists

9. Why Now? 9

10. 1985 1990 1993 10

12. UDP Denial of Service

13. Smurf attacks

14. Teardrop

15. LandAugust 24, 1995 November 8, 1996 October 13, 1994 1997 1994 11

17. Sendmail

18. Sadmind

19. Apache

20. IIS

21. Wu-FTPD

22. Tooltalk

23. IMAP

24. POP

25. SQL Server

27. Nimda

28. SQL Slammer

29. MS Blaster1998 2000 2003 12

30. 2003 2006 2009 13

31. 14 Human / Organization Network Service / Server Client Application The Vulnerability Cycle

32. Penetration Test Success We spend a huge amount of time on the exploit Books written on XSS, XSRF and buffer overflows Very little research on how to get people to exploit themselves Nearly all of our tests rely on that ability Successful ethical hacking is successful SE Far too little SE is discussed 15

33. The Critical Faculty The hypnotist’s term for the part of the mind that acts as the rational alert system Allows the human to act on largely unconscious process Things raise to conscious awareness based on CF activation This suggests that all SE success is CF-related Avoid activating critical-faculty We want the person to execute a task that is inappropriate, yet fail to raise the CF alert to conscious awareness 16

34. The Military Experiments Would Military officers disobey a direct order under hypnosis? 17

35. Rule #1 Create a context that ensures that the behavior we want is completely appropriate. 18

36. 19 The Three Skills Critical Faculty is bypassed through three fundamental skills: Artful Communication and Use of Language Awareness of the Target Frame Control The skills are the same when online Language You must have structure your language to effect control of your target Awareness You must know how your target will interpret your communication Frame Control Your ability to control the context of your communication will be the largest component of suppressing the CF

37. © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved Communication The art of communication Language is the first skill of the social engineer Ability to craft words is first step in influence Language is not real Incomplete representation of reality Incompleteness creates opportunity Dual Purpose of Language Information Transfer Influence

38. Precision Information Transfer is hindered by the incompleteness of language Deletion Distortion Generalization Presupposition

39. Influence Influence is about maintaining agreement Avoiding CF activation This is about the amygdala The goal is to change representation without triggering disagreement Disagreement is the mind’s defense against inappropriate influence. This is not about rhetorical/logical disagreement Agreement allows The artful inversion of precision Use of deletion, distortion and generalization to maintain agreement Sometimes referred to as being “artfully vague”

40. © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved The Basics This is third grade English class: Spelling Grammar Punctuation Most CF-activation is here Taught as base of much Sec Awareness Training

42. © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved Awareness Words are meaningless without awareness of what is working Your awareness of others acts as a compass You need to see and hear the effect of your words Main components of awareness in face-to-face Body language Facial expressions Language Tone How do we do this in technological social engineering?

43. © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved Tone Analysis of Writing As native speakers of English, we infer auditory tone into written word. Two main components: Word choice Punctuation Simple example

44. Due to the mystery surrounding social engineering many people are afraid of it, or they feel they will never be able to accomplish a successful social engineering test. However, every time you try to get someone to do something that is in your interest, you are engaging in social engineering. From children trying to get a toy from their parents to adults trying to land a job or score the big promotion, all of it is a form of social engineering. Introduction tohttp://www.social-engineer.org

46. trying to land a job

47. score the big promotionParaphrased fromhttp://www.social-engineer.org

49. trying to land a job

50. score the big promotionParaphrased fromhttp://www.social-engineer.org

51. © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved Tone in SE Back to the prime rule Tone needs to be natural and appropriate. Every situation has a tone and a fel for the writing that is unlikely to activate the CF.

53. Actual Email from TD Hello Michael Murray,I appreciate your interest in viewing your TD Visa account informationusing EasyWeb. Thank you for taking the time to write.If you currently have an active EasyWeb profile but can not access your TDVisa, you may have 2 separate customer profiles set up with TD CanadaTrust. For immediate assistance with correcting this situation, Iencourage you to call EasyLine toll free at 1-866-222-3456. A BankingSpecialist can combine your profiles if necessary, provided that thepersonal information on both profiles match. Representatives are available24 hours a day, 7 days a week. If you are not registered for EasyLine,kindly press 2 and then 0 to speak with a representative. The combiningprocess usually takes about two days to complete, and once it is finished,you should be able to view your entire personal portfolio via EasyWeb.

54. © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved Frame Control Cognitive Frames Wikipedia: ”the inevitable process of selective influence over the individual's perception of the meanings attributed to words or phrases. Framing defines the packaging of an element of rhetoric in such a way as to encourage certain interpretations and to discourage others” The frame is the context in which the content of an interaction occurs Physical Frame control Transformation Extension / Contraction Combination Amplification / Compression

55. © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved The Elements of Influence Cialdini and others have found that creating a frame with certain elements can enhance influence Reciprocity Authority Social Proof Confirmation Scarcity / Urgency Emotional / Amygdala hijack Confusion Inserting these elements within a frame can strengthen influence These are natural human responses We use these responses to create a context for influence

56. Confirmation 35

57. © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved Confirmation Confirmation Bias That which confirms what we already believe, we tend to believe. That which fails to confirm what we already believe, we tend to ignore. The brain LITERALLY turns off No CF activation

58. During the run-up to the 2004 presidential election, while undergoing an fMRI bran scan, 30 men--half self-described as "strong" Republicans and half as "strong“ Democrats--were tasked with assessing statements by both George W. Bush and John Kerry in which the candidates clearly contradicted themselves. . Not surprisingly, in their assessments Republican subjects were as critical of Kerry as Democratic subjects were of Bush, yet both let their own candidate off the hook…. The neuroimaging results, however, revealed that… "We did not see any increased activation of the parts of the brain normally engaged during reasoning" From: http://resonancetechnologies.com/press/articles/ThePoliticalBrain.pdf

59. © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved Confirmation in SE Signal Theory Branch of economics relating to the messages passed by inference E.g. A CEH is a signal that you have chosen the path of an EH We need to give appropriate signals Tone Language Appearance

60. Back to TD Hello Michael Murray,I appreciate your interest in viewing your TD Visa account information using EasyWeb. Thank you for taking the time to write.If you currently have an activeEasyWebprofile but can not access your TD Visa, you may have 2 separate customer profiles set up with TD Canada Trust. For immediate assistance with correcting this situation, I encourage you to call EasyLine toll free at 1-866-222-3456. A Banking Specialist can combine your profiles if necessary, provided that the personal information on both profiles match. Representatives are available 24 hours a day, 7 days a week. If you are not registered for EasyLine, kindly press 2 and then 0 to speak with a representative. The combining process usually takes about two days to complete, and once it is finished, you should be able to view your entire personal portfolio via EasyWeb. Best regards,Debra MatsumotoInternet Correspondence Representative________________________________________TD Canada Trust 1-866-222-3456http://www.tdcanadatrust.comEmail: customer.service@td.comTDD (Telephone Device for the Deaf) 1-800-361-1180This email is directed to, and intended for the exclusive use of, the addressee indicated above. TD Canada Trust endeavours to provide accurate and up-to-date information relating to its products and services. However, please note that rates, fees and information are subject to change.

63. Reciprocity 42

64. 43 We create relationships through trading value. Temporary inequality creates powerful bonds.

65. Reciprocity == Investment The act of exchanging value I can do something for you You can do something for me. Both acts strengthen our bond. We become more invested in the relationship The more invested a person feels, the more likely they are to be influenced by the relationship This is the Nigerian scam’s overwhelming power 44

67. Scarcity 46

68. Scarcity People will take almost any opportunity for their own gain Especially if the opportunity seems scarce If we have to hurry, the amygdala takes over This is a marketing tactic Infomercials Scams 47

69. Ron Popeil “If you call in the next 15 minutes…”

72. So much more we could discuss…So little time.Keep an eye on:ForegroundSecurity.comEpisteme.caEmail me: mmurray@episteme.ca