Social Engineering Blogs

An Aggregator for Blogs About Social Engineering and Related Fields

Subliminal Hacking Blog November 16, 2012

Now you see it, now you don’t … Change Blindness

Change blindness is an interesting natural phenomenon every human experiences on a pretty regular basis, but what is it exactly? Essentially it’s our inability to spot obvious changes that occur around us. There has been a fair bit of study done to understand this better; while I won’t claim to have all the answers, I do know that this research has shown that, surprisingly, we are not so good at spotting changes in colour, but are better at spotting when something is added or removed from a scene. I imagine carrying out these studies is pretty difficult, as by their nature the participants are being tested and are under controlled conditions, which is interesting as change blindness is most common when we are not looking for changes, when our mind isn’t focused and attentive to the finer details. This is an interesting area of study and one that I believe will continue for a while, as there can be legal complications when it comes to testimonies where images are concerned. I personally think some of this comes back to what we have discussed before: the human mind is processing so much information so quickly, it wants to help out and define an easy answer, so doesn’t pay attention to what it may consider minor details at that moment. If you find this sort of thing interesting, I recommend doing some further research on change blindness and what your mind really knows about what is occurring at this instant.

So why is change blindness of any interest to you from a social engineering perspective? Well, I feel there are a few reasons. The first one, and possibly the one most difficult to get your head around, is that attention to detail really isn’t that important sometimes. What do I mean? Well, Harvard did some interesting research (Derren Brown example below) called “The Person Swap”, where they had people approach a desk where a gentleman would have them sign a form; he would then duck down to file the form and another man would pop up, and a large percentage didn’t notice any change. When you think of a change this significant it puts a few things in perspective. The key thing here is that people were not looking for / expecting change. So if you are prepping for an onsite engagement, ask yourself: will my ID need to stand up to direct scrutiny, or will just having something similar do the job?

The same applies to things such as phishing campaigns. This may seem obvious, as many people already know that when we read something the letters of a word can be jumbled but it still makes sense to us. The same applies to domain names and other key pieces of information, so perhaps substitution isn’t always required; simply omitting it could still be successful, as it wouldn’t be expected for it not to be right.
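A defensive check for the two lookalike patterns described above (a dropped character and jumbled letters), as an added example that is not part of the original post. The protected domains and the observed values are constructed, and inputs are assumed to be registrable domains already extracted from mail or proxy logs.

```python
from collections import Counter

# Constructed list of domains the organisation really uses (assumption).
PROTECTED = ["examplebank.com", "example-payroll.co.uk"]

def is_omission(candidate, real):
    """True if candidate is real with exactly one character dropped."""
    if len(candidate) != len(real) - 1:
        return False
    return any(real[:i] + real[i + 1:] == candidate for i in range(len(real)))

def is_jumble(candidate, real):
    """True if candidate has real's characters in another order, with the
    first and last character unchanged (the form a reader skims past)."""
    return (candidate != real and len(candidate) == len(real)
            and candidate[0] == real[0] and candidate[-1] == real[-1]
            and Counter(candidate) == Counter(real))

def classify(domain):
    """Return (kind, protected_domain) or None for an unrelated domain."""
    d = domain.strip().lower().rstrip(".")
    if d in PROTECTED:
        return ("exact", d)
    for real in PROTECTED:
        if is_omission(d, real):
            return ("omission", real)
        if is_jumble(d, real):
            return ("jumble", real)
    return None

def suspicious(observed):
    """Keep only near-misses of a protected domain, for review or blocking."""
    hits = []
    for dom in observed:
        verdict = classify(dom)
        if verdict and verdict[0] != "exact":
            hits.append((dom, verdict[0], verdict[1]))
    return hits

# Constructed sample of sender/link domains pulled from a mail log.
OBSERVED = ["examplebank.com", "examplbank.com", "exmaplebank.com",
            "Example-Payrol.co.uk", "unrelated.org"]

if __name__ == "__main__":
    for dom, kind, real in suspicious(OBSERVED):
        print(f"{dom}: {kind} of {real}")
```

Because the comparison is mechanical, it catches exactly the changes a reader who is not expecting them will skim past.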

This is just a brief glimpse at what change blindness means to us; in reality it should tell us that a lot of what we do / don’t see is an illusion. If you think it wouldn’t happen to you, or that you spotted it, think again. Sure, you will spot the issues where you are suspicious and are looking, but this is not something many of us do for everything, unless we are very paranoid. Then we imagine things that are not there at all :D

Another good change blindness test :)

Filed Under: Influence, Misdirection, Social Engineering

Subliminal Hacking Blog January 19, 2011

Hiding in plain sight… Playing it loud and proud

Happy New Year. 2011 has already gotten off to a hectic start for me; as I type this I am still in California working, but looking forward to flying back at the end of the week.

In the last week I have tried out something a little different, and wanted to share my thoughts with you on the matter this month. We have discussed before the importance of rapport, building those relationships, and the fact that we like people who are like us, and we like people who like us. With this in mind we tend to try to fit in with our surroundings and look the part, so that we can blend in and go unnoticed.

However, what if we went for something almost completely the opposite? What if we didn’t look to sneak under the radar, and instead looked to stand out, stand out so much everyone would remember us? I am talking LOUD and PROUD.

Now I am not saying this is a situation that would suit every engagement, but in certain circumstances I think it can be an approach worth investigating.

In my scenario I found it worked very well in a shared building. I am sure many of you will be familiar with this setup: a large corporate-looking building, a central reception, and several floors all occupied by different organisations. On each floor there will then be local receptions, but very often no turnstiles etc. to bypass, just straight-on entry. True, possibly an easy target, but a great example to experiment with.

So let me get on with my point of loud and proud. If you were to see someone with their best Hawaiian holiday shirt, shorts, messenger bag, and iPod on full blast, what would you be thinking…… I am hoping you are thinking crazy courier type guy?? If you have X-Factor delusions you might want to sing along to your selected Kylie track :)

What I have observed in this scenario is that staff, especially reception staff, will allow you to go unnoticed. You are the commonly sighted crazy courier dude, who no one really wants to talk to, and they just want you to get in, deliver your package, and sod off :)

I think this approach may work best in the US where in my opinion (not to be Americanist) people are more colourful in their outfit selection, and the warmer weather is more tolerable of your best Magnum Hawaiian special.

Like all social engineering engagements, you need to be aware of what will work culturally, and what will play best to you as an individual and the pretext you are working from. The takeaway I really want people to take from this is the following: sometimes playing it safe isn’t the most obvious approach, and getting a little more creative and flamboyant, although making you more noticeable, may actually be the more stealthy approach you’re seeking.

Give it some thought, experiment, and share your opinions.

Filed Under: Misdirection, Social Engineering
