2. www.sisainfosec.com
About Me
• Consultant @ SISA Information Security Pvt. Ltd.
• PCI QSA, CISA, ISO 27001:2013
• Regular contributor to information security magazines such as
ClubHack Mag and Pentestmag.
• Interested in PCI DSS, Compliance and Penetration Testing
• Likes to learn and demonstrate the latest security attack vectors and
technologies.
Discussion Agenda
• What is Social Engineering (SE)?
• Why is Social Engineering SO successful?
• Achieving maximum efficiency: Social engineering tests
• Thwarting social engineering attacks
• Macroexpressions & Body Language
• Microexpressions
• Demo
Is Social Engineering always bad?
Good Social Engineers: Parents, Doctors, Criminal Psychologists, Negotiators, Salespersons, Diplomats, Whistle-blowers, Magicians
Bad Social Engineers: Fraudsters, Confidence tricksters, Malicious Insiders, Espionage Agents, Double-Agents, Blackmailers, Human Traffickers, Terrorists
Why is Social Engineering SO successful?
• Principle 1 - Reciprocation: We are hard-wired to respond to a favor, often not in direct
proportion to the size of the favor done to us.
• Principle 2 - Commitment and Consistency: Once we have made a choice or taken a stand, we will
encounter personal and inter-personal pressures to behave consistently with that commitment.
• Principle 3 - Social Proof: One means we use to determine what is correct is to find out what
other people think is correct. The principle applies especially to the way we decide what
constitutes correct behavior.
• Principle 4 - Liking: As a rule, we prefer to say yes to the requests of someone we know and like.
• Principle 5 - Authority: The real culprit is our inability to resist the psychological power
wielded by the person in authority.
• Principle 6 - Scarcity: Scarcity strongly influences how we judge the worth of an item.
Macro-expressions / Body language
Macro-expressions and body language are a form of human non-verbal communication,
consisting of body posture, gestures, facial expressions and eye movements. Humans send
and interpret such signals almost entirely subconsciously.
Communication consists of:
• 7% of what we say
• 38% vocal (tone, accent, dialect)
• 55% non-verbal
Non-verbal behavior is conveyed mainly by certain body parts and how they act, ranked here
from most to least accurate:
• Feet/Legs (Most Accurate)
• Torso
• Hands
• Neck
• Mouth
• Face (Least Accurate)
Characteristics of micro-expressions:
• They are very brief in duration, lasting only 1/25 to 1/15 of a second.
• Highly accurate in revealing the "actual" thought of the person.
• Almost involuntary reflexes, barely noticed by the subject.
• Express the seven universal emotions: disgust, anger, fear, sadness,
happiness, surprise, and contempt.
• Micro-expression reactions are difficult to hide.
Puppy Dog Eyes Expression
Animals, too, are able to social engineer us successfully!
With whom would you rather share your biscuit?
Captions on the three photos:
• "Can you give me a biscuit? Please..."
• "May I join in too? Please..."
• "Where is MY biscuit? GIVE IT TO ME NOW!! Or else..."
Achieving maximum efficiency: Social engineering tests
• On confronting an anti-social or angry person, frown slightly and tilt
your head while relaxing your shoulders. This signals that you are
interested in hearing him/her out and are not confronting directly.
• If you enter with a sad expression, the subject will involuntarily feel
sympathy for you and will offer to help in most cases.
• A friendly and warm approach always has a higher chance of retrieving
information than rash or unfriendly behavior, with which you know
you are trapped.
• Dress up nicely (as per the occasion) and walk in short, sure steps. It
gives an impression of authority, and people are much more likely to
yield to this charismatic effect.
Resources
Books:
• Social Engineering: The Art of Human Hacking by Christopher Hadnagy
• The Art of Deception: Controlling the Human Element of Security by
Kevin Mitnick
• Influence: The Psychology of Persuasion by Robert B. Cialdini
Links:
Body Language – Expressions on the Google Android App Store:
• https://play.google.com/store/apps/details?id=com.Mazuzu.ExpressionTraining&hl=en
Video: Nonverbal Human Hacking, Derbycon 2012:
• http://www.irongeek.com/i.php?page=videos/derbycon2/2-1-2-chris-hadnagy-nonverbal-human-hacking
THANK YOU !!!
- Manasdeep
http://reflect-infosec.blogspot.in/
https://twitter.com/manasdeep
https://in.linkedin.com/in/manasdeep