Hacker Halted 2009 - Owning People through Technology
Transcript of Hacker Halted 2009 - Owning People through Technology
2. Pwning People through Technology
Mike Murray
Hacker Halted USA 2009
9/24/09
3. Mike Murray
A decade of experience in penetration testing, vulnerability
research and social engineering
CISO of Foreground Security (ForegroundSecurity.com) - leads
penetration tests and security services engagements
Lead trainer and curriculum developer at Foreground's training
division, The Hacker Academy (TheHackerAcademy.com)
Managing partner of Michael Murray and Associates, where he directs
diverse stealth-mode security industry projects.
Security blogger (Episteme.ca), podcaster, and regular speaker on
social engineering, vulnerability management and the human side of
security.
Founder of Information Security Leaders, the leading resource on
information security careers (InfoSecLeaders.com)
Certified Hypnotherapist and Master NLP Practitioner
4.
Only two things are infinite: the universe and human
stupidity.
And I'm not sure about the former.
- Albert Einstein
5.
Social Engineering: The practice of obtaining confidential
information by manipulating users.
Source: Wikipedia
6. Human Vulnerability
Humans are social creatures
Human nature makes us vulnerable to each other
Social engineers exploit weaknesses in human nature to obtain
information or access
7. That Sounds Familiar
8.
Mesmer
Erickson
Elman
Brown
Ponzi
Angel
Irving
Abagnale
Weill
Houdini
Jermay
Con Men
Magicians
Hypnotists
9. Why Now?
10. 1985
1990
1993
11. Vulnerability Environment:
- SYN Flooding
- UDP Denial of Service
- Smurf attacks
- Teardrop
- Land
Timeline dates shown on the slide: October 13, 1994; 1994; August 24, 1995;
November 8, 1996; 1997
16. Major Vulnerabilities in:
- BIND
- Sendmail
- Sadmind
- Apache
- IIS
- Wu-FTPD
- Tooltalk
- IMAP
- POP
- SQL Server
- Statd, CDE
Major Worms:
- Code Red
- Nimda
- SQL Slammer
- MS Blaster
Timeline dates shown on the slide: 1998, 2000, 2003
30. 2003
2006
2009
31. The Vulnerability Cycle
- Human / Organization
- Network
- Service / Server
- Client Application
32. Penetration Test Success
We spend a huge amount of time on the exploit
Books written on XSS, XSRF and buffer overflows
Very little research on how to get people to exploit
themselves
Nearly all of our tests rely on that ability
Successful ethical hacking is successful SE
Far too little SE is discussed
33. The Critical Faculty
The hypnotist's term for the part of the mind that acts as the
rational alert system
Allows the human to act on largely unconscious processes
Things rise to conscious awareness based on CF activation
This suggests that all SE success is CF-related
Avoid activating the critical faculty
We want the person to execute a task that is inappropriate, yet
fail to raise the CF alert to conscious awareness
34. The Military Experiments
Would military officers disobey a direct order under
hypnosis?
35. Rule #1 Create a context that ensures that the behavior we want
is completely appropriate.
36.
The Three Skills
Critical Faculty is bypassed through three fundamental
skills:
Artful Communication and Use of Language
Awareness of the Target
Frame Control
The skills are the same when online
Language
You must structure your language to effect control of your
target
Awareness
You must know how your target will interpret your
communication
Frame Control
Your ability to control the context of your communication will be
the largest component of suppressing the CF
37. 2008 Foreground Security, Michael Murray & Associates, LLC.
All rights reserved
Communication
The art of communication
Language is the first skill of the social engineer
The ability to craft words is the first step in influence
Language is not real
Incomplete representation of reality
Incompleteness creates opportunity
Dual Purpose of Language
Information Transfer
Influence
38. Precision
Information Transfer is hindered by the incompleteness of
language
Deletion
Distortion
Generalization
Presupposition
39. Influence
Influence is about maintaining agreement
Avoiding CF activation
This is about the amygdala
The goal is to change representation without triggering
disagreement
Disagreement is the mind's defense against inappropriate
influence.
This is not about rhetorical/logical disagreement
Agreement allows
The artful inversion of precision
Use of deletion, distortion and generalization to maintain
agreement
Sometimes referred to as being artfully vague
The Basics
This is third grade English class:
Spelling
Grammar
Punctuation
Most CF-activation is here
Taught as the base of much security awareness training
42.
Awareness
Words are meaningless without awareness of what is working
Your awareness of others acts as a compass
You need to see and hear the effect of your words
Main components of awareness in face-to-face
Body language
Facial expressions
Language Tone
How do we do this in technological social engineering?
Tone Analysis of Writing
As native speakers of English, we infer auditory tone into the
written word.
Two main components:
Word choice
Punctuation
Simple example
44. Due to the mystery surrounding social engineering many people
are afraid of it, or they feel they will never be able to
accomplish a successful social engineering test. However, every
time you try to get someone to do something that is in your
interest, you are engaging in social engineering. From children
trying to get a toy from their parents to adults trying to land a
job or score the big promotion, all of it is a form of social
engineering.
Introduction to http://www.social-engineer.org
45. Many people are afraid of social engineering due to its
mystery. Perhaps they feel they will never be able to accomplish a
successful social engineering test. However, you are engaging in
social engineering whenever you try to influence someone to act in
your interest.
All of these are forms of social engineering:
- children trying to get a toy from their parents
- trying to land a job
- score the big promotion
Paraphrased from http://www.social-engineer.org
48. Many people are afraid of social engineering. They fear they
won't succeed at a social engineering test. But you are engaging in
social engineering whenever you try to influence someone to act in
your interest. Examples:
- children trying to get a toy from their parents
- trying to land a job
- score the big promotion
Paraphrased from http://www.social-engineer.org
Tone in SE
Back to the prime rule
Tone needs to be natural and appropriate.
Every situation has a tone and a feel for the writing that is
unlikely to activate the CF.
53. Actual Email from TD
Hello Michael Murray, I appreciate your interest in viewing
your TD Visa account information using EasyWeb. Thank you for taking
the time to write. If you currently have an active EasyWeb profile
but can not access your TD Visa, you may have 2 separate customer
profiles set up with TD Canada Trust. For immediate assistance with
correcting this situation, I encourage you to call EasyLine toll
free at 1-866-222-3456. A Banking Specialist can combine your
profiles if necessary, provided that the personal information on
both profiles match. Representatives are available 24 hours a day, 7
days a week. If you are not registered for EasyLine, kindly press 2
and then 0 to speak with a representative. The combining process
usually takes about two days to complete, and once it is
finished, you should be able to view your entire personal portfolio
via EasyWeb.
Frame Control
Cognitive Frames
Wikipedia: the inevitable process of selective influence over the
individual's perception of the meanings attributed to words or
phrases. Framing defines the packaging of an element of rhetoric in
such a way as to encourage certain interpretations and to
discourage others
The frame is the context in which the content of an interaction
occurs
Physical Frame control
Transformation
Extension / Contraction
Combination
Amplification / Compression
The Elements of Influence
Cialdini and others have found that creating a frame with certain
elements can enhance influence
Reciprocity
Authority
Social Proof
Confirmation
Scarcity / Urgency
Emotional / Amygdala hijack
Confusion
Inserting these elements within a frame can strengthen
influence
These are natural human responses
We use these responses to create a context for influence
56. Confirmation
Confirmation
Confirmation Bias
That which confirms what we already believe, we tend to
believe.
That which fails to confirm what we already believe, we tend to
ignore.
The brain LITERALLY turns off
No CF activation
58. During the run-up to the 2004 presidential election, while
undergoing an fMRI brain scan, 30 men--half self-described as
"strong" Republicans and half as "strong" Democrats--were tasked
with assessing statements by both George W. Bush and John Kerry in
which the candidates clearly contradicted themselves. Not
surprisingly, in their assessments Republican subjects were as
critical of Kerry as Democratic subjects were of Bush, yet both let
their own candidate off the hook.
The neuroimaging results, however, revealed that
"We did not see any increased activation of the parts of the brain
normally engaged during reasoning"
From:
http://resonancetechnologies.com/press/articles/ThePoliticalBrain.pdf
59. 2008 Foreground Security, Michael Murray & Associates, LLC.
All rights reserved
Confirmation in SE
Signal Theory
Branch of economics relating to the messages passed by
inference
E.g. A CEH is a signal that you have chosen the path of an EH
We need to give appropriate signals
Tone
Language
Appearance
60. Back to TD
Hello Michael Murray, I appreciate your interest in viewing
your TD Visa account information using EasyWeb. Thank you for taking
the time to write. If you currently have an active EasyWeb profile but
can not access your TD Visa, you may have 2 separate customer
profiles set up with TD Canada Trust. For immediate assistance with
correcting this situation, I encourage you to call EasyLine toll
free at 1-866-222-3456. A Banking Specialist can combine your
profiles if necessary, provided that the personal information on
both profiles match. Representatives are available 24 hours a day,
7 days a week. If you are not registered for EasyLine, kindly press
2 and then 0 to speak with a representative. The combining process
usually takes about two days to complete, and once it is finished,
you should be able to view your entire personal portfolio via
EasyWeb.
Best regards,
Debra Matsumoto
Internet Correspondence Representative
________________________________________
TD Canada Trust
1-866-222-3456
http://www.tdcanadatrust.com
Email: [email protected]
(Telephone Device for the Deaf) 1-800-361-1180
This email is directed to, and intended for the exclusive use of, the
addressee indicated above. TD Canada Trust endeavours to provide
accurate and up-to-date information relating to its products and
services. However, please note that rates, fees and information are
subject to change.
63. Reciprocity
64.
We create relationships through trading value.
Temporary inequality creates powerful bonds.
65. Reciprocity == Investment
The act of exchanging value
I can do something for you
You can do something for me.
Both acts strengthen our bond.
We become more invested in the relationship
The more invested a person feels, the more likely they are to be
influenced by the relationship
This is the Nigerian scam's overwhelming power
67. Scarcity
68. Scarcity
People will take almost any opportunity for their own gain
Especially if the opportunity seems scarce
If we have to hurry, the amygdala takes over
This is a marketing tactic
Infomercials
Scams
69. Ron Popeil
If you call in the next 15 minutes
72. So much more we could discuss. So little time.
Keep an eye on: ForegroundSecurity.com, Episteme.ca
Email me: [email protected]