Social Engineering Blogs

An Aggregator for Blogs About Social Engineering and Related Fields

Confirmation Bias … The Manipulation Assistant

I think most people would accept, that when it comes to building rapport and getting to a stage of some form of manipulation is normally always possible with anyone give a decent amount of time. This is great for making REAL friends, but in the social engineering context we normally don’t have or want this lucky, we like it quick and dirty so to speak. We have discussed many ways to have this happen, but I think we have a little discussed manipulation assistant that we can utilise. This is something known as confirmation bias, also known as Tolstoy Syndrome.

So what is confirmation bias? Essentially this is something that we all suffer from to some degree, and depending on your opinion more than others. Confirmation bias is the human tendency to favour information that is associated with their beliefs or preconceptions, regardless of if this information is true or factual. So when we communicate people will be selective in their memory selections and interpret what we say in a biased way.  Some consider this bias as being the internal yes man, also willing to agree even in an ambiguous context if what they hear matches their beliefs, and filters out the unwelcome information.

Probably all sounds obvious right, and why do we care about this. Well I have to be careful how I describe this as to not get your backs up regarding your confirmation bias.

Lets consider this scenario. As part of your intelligence gathering exercises on your mark / victim you identify that they support Man United Football club, they love dogs, recently got a new car, seen on forums they are not to happy with their job, and a recent tarot reading said good fortune is coming their way soon.
Now in my experience using any of the obvious stuff, like animals, football clubs will yeild good rapport building results, as we like people who like us, and are like us, it sets up a common ground. However I think the stronger and faster rapport builder, that will lead to a quicker manipulation frame would be the tarot route. The reason for this (in my opinion) is that this sort of thing is treated with a large amount of scepticism, and myself personally don’t believe it to be valid and have not seen any solid research to prove it. However many people have a confirmation bias to this, and I would imagine feel a minority in that aspect and would really feel a close bond to someone who shared this same interests.

The reason I raise this point is that when we are acting out our pre-text as a social engineer, we should no longer be ourselves. We should leave behind our personal baggage and be 100% committed and open to the situation we find ourselves. If we fail to do this we may end up in a situation that builds distance not rapport. So for example when not working and if someone started speaking to me about tarot readings I would quickly lose interest and be looking for an exit plan, this could present a missed opportunity. Since my transition from hypnosis sceptic to hypnotist I have a large appreciation for this sort of thing.

Now you might be thinking, OK sounds great in principle, but there is no way I could just blurt out I was into tarot reading as it would be just so odd. My first point is your thinking out of context. Blurting that sort of thing out to a random person could be considered crazy, but we know this is a person of interest.

Lets go through a super quick conversation example.

Victim : Hello Acme Systems, how can I help?
Me : Good morning. I hope you can help me as I am on a tight deadline to gather some information for my project.
Victim : Sure I can certainly try, what do you need?
Me : I work for the local government security council and we are carrying out a study of how companies securely dispose of their confidential waste.
Victim : Oh, I am not really to sure if we can give out that information.
Me : I totally understand your concerns, and I dont want to get anyone in any trouble, but this is for a government report. We sent out official requests in the post but so many companies didnt response, I guess everyone is just so busy.
Me : Could you possibly find out who could confirm if you can give this email. Perhaps there is some information on your Intranet, or someone you can call.
Victim : OK I will have a look, please bare with me.
Me : No problem
Few seconds pause….
Me : Whilst your looking, did you have a good weekend? The weather was pretty bad again wasnt it.
Victim : My weekend was to bad thank you, how about yourself?
Me : It actually turned out really well. I went to see a tarot reader, and I had a really good reading. I know some people think its  all phooey but it was just amazing.
Victim : Really. I have had a few tarot readings myself, and your so right about other people, but I really rate my tarot reader.
Now we go through the process of talking tarot for abit, so make sure you have done some research on terms etc.
Me : Its great to meet someone who shares my same interest, it really is rare. By the way how are you getting on with the information on the confidential waste information.
Victim : I cant seem to find anything, but I think it would be ok to share the information anyway. Its Acme disposals.
Me : Brilliant, thanks you really helped me out. Thanks for everything and take care.

This hopefully kinda gives an idea, utilising that dead time when they are searching for stuff, get the hook and exploit it to manipulate your way to getting the desired information.

Hope this was of interest, and you can try this in many scenarios. Those that know me will know that I used similar techniques to this on the phone to get discounts and freebies when I am buying stuff, same principles apply. Essentially regardless of your beliefs you are going to go with the grain, not against it.

Social Compliance and Manipulation… The Art of Confidence

As human beings we are very good at making excuses, and always believing that some how we have it worse than the other guy. There is often that mentality that, its not we don’t want to do this or that, its just that ………. add any excuse you want. When you speak to people about where these excuses stem from, it often comes down to an apparent lacking in confidence, and the other guy has so much confidence, and that is why they are successful. To some extent this may be true, perhaps the other guys does have so much confidence, or at least that is the perception.

So when it comes to getting your social engineering foo on, I am sure you would expect that confidence plays a pretty essential part in getting people to comply with your requests and manipulate people in such a way to reach your desired outcome. In many ways you are correct, confidence is a key component. However I would prefer you think of it as the Art of Confidence is essential to success.

Confidence is many things to many people, when I talk to people about what confidence feels like to them in a hypnosis context you hear some very strange definitions. However these strange definitions did help me realise something, confidence is something that is very personal, and might not actually make sense at a concious level. The dictionary says confidence is freedom from doubt; belief in yourself and your abilities, a state of confident hopefulness that events will be favourable.

I think confidence is really not something you can clearly label. Confidence is a result of many different attributes, so when someone says they don’t feel confident, its not really as simple as one thing (its not a simple flick of a switch), however you can get realisation after taking certain steps to realise confidence is some what of a placebo.

So what is the Art of Confidence? The Art of Confidence is a lacking of fear. If you ask someone why they are not confident of something, the end result is normally a fear. Why wont you speak to the woman at the other end of the bar? Fear of rejection or looking stupid. Why wont you call a company and ask for information, or a discount? Fear of intimidation, or failure. Why wont you attempt to SE your way into this building? What if I get caught, or I forget my cover story, etc etc. These are all valid, but they don’t need to be.

So if to be confident we need to lose our fear, what do we need to do. We can achieve this in a few ways, first of all knowledge is power. If we study body language we can understand what fear looks like, the subconscious signs our body gives away to alert others to the fact we nervous etc. Knowing our subject matter, if we are pretending that are an engineer we should have a good level of knowledge of what that looks like, the dialogue that is used, the basic knowledge that should be known during your interactions, and having done the appropriate reconnaissance of what your target is doing, backgrounds, specialities etc. Having a plan and process is also very important. The plan should cover all angles with multiple steps to achieve your goal, what to do when confronted, how to handle awkward situations, and how to bail out gracefully. Finally self belief, just believe and act like what ever you are doing you have done a million times before, both with success and failure, you are the oracle, your are Mr / Mrs Informed, look, feel and act confident. This is very important, a large majority of subconscious tells are removed when you really believe in yourself and what your trying to do, just seeing the talent shows on TV is more than a good example of this.

Its important to note that demonstrating the Art of Confidence does not alleviate all fear (fear is important to success to), clearly there are going to be times that you are crapping yourself, but its how you handle it, and ensuring you still project yourself as confident. Appearing confident is a very attractive trait, and it puts you in a kind of Alpha state. When in this position people are less likely to question you, they are more likely to assume you are in a position of authority, and we all know even if something doesn’t feel right, or we should really do it, we may turn a blind eye when those in authority request it.

Some final thoughts for what may also make you feel confident are the following. Reciprocation, you may feel more confident when asking someone to do something if you have previously given or done them a favour. Perhaps you bought them a drink, picked up some paper work when they dropped it, open a door for them etc. Humour, we all feel more at ease around someone with a good sense of humour and appropriate jokes. So if you have a quick wit, and think fast on your feet, and know some half decent jokes you may also use this in your favour. Reasoning, we know from other posts and studies that we respond more favourably when we have justification for a request. So as part of your planning and process work, define some reasons for why you are requesting what you ask for, or the actions that you take as these will be accepted more favourably.

Remember the BIG BECAUSE. Everything in life happens for a reason, the things we say, the way we act, everything. So give time and thought to why you are confident, why you belong, why your are successful. We can often easily remember and think of negative, but focusing on the positive is a more productive approach of our time, and will lead to a happier more successful outcome.

FAKE IT TILL YOU MAKE IT!

Byron (and influence through the media)

If you’re following the Toronto news today, one of the main stories out there is about a former team member of mine, Byron Sonne. The news coverage (CNN, Yahoo) paints Byron to be one step this side of Timothy McVeigh… explosives, threatening police, etc.

And that doesn’t even mention that the picture that they’re using makes him look that way.  (As an aside: in my 11th grade journalism class, we spent a lot of time talking about how pictures frame the news story that you’re reading.  Before you ever even start the Globe and Mail coverage of this story, you’re greeted with a blurry, grainy picture of Byron looking like he’s about to blow up a building.   Regardless of whether the facts  support the charge, our minds are primed with all of the times that we’ve seen a terrifying looking psychopath looking very similarly to this picture… and we read the story with that bent.)

Unfortunately, the reality seems a little less glamorous. If you read Byron’s Twitter account, you’ll find that Byron was being little more than the opinionated activist that he is. “An agent provocateur”, as someone told The Star. He talked about investigating the fences and posted video of the fences. He talked about how the cameras were being set up in locations that were likely to be used by activists. And he was pointing out that the amount of money spent on “security” for this conference was a little out of range.

One of the things that Byron has been most pilloried for in the news was the talk he gave a few months back on radio surveillance (a decent account can be found here).

Amazingly, Byron even posted the slides to that supposedly “provocative” talk on his Twitter feed. (I’ve put the same slides here for the BitTorrent challenged). Read them… there’s nothing in there that suggests anything but a security professional talking about insecure radio transmission.

Let’s give a different picture of the guy that used to work for me. Byron’s a very smart and well-rounded engineer. While he wasn’t the top producer on the team, he was someone who I valued a great deal from a management perspective. He was vocal and would push others to come to the table with their best (even when he wasn’t up to their level). He was the member of the team most willing to call out others in a meeting. It wasn’t just internal… he was even willing to call out a vendor in a blog post. (Note that since I wrote this, nCircle took