Social Engineering Blogs

An Aggregator for Blogs About Social Engineering and Related Fields

Subliminal Hacking Blog November 16, 2012

Now you see it, now you don’t … Change Blindness

Change blindness is an interesting natural phenomenon every human experiences on a pretty regular basis, but what is it exactly? Essentially it’s our inability to spot obvious changes that occur around us. There has been a fair bit of study done to understand this better. While I won’t claim to have all the answers, I do know that this research has shown that, surprisingly, we are not so good at spotting changes in colour, but are better at spotting when something is added or removed from a scene. I imagine carrying out these studies is pretty difficult, as by their nature the participants are being tested and are under controlled conditions, which is interesting as change blindness is most common when we are not looking for changes, when our mind isn’t focused and attentive to the finer details. This is an interesting area of study and one that I believe will continue for a while, as there can be legal complications when it comes to testimonies where images are concerned. I personally think some of this comes back to what we have discussed before: the human mind is processing so much information so quickly, it wants to help out and define an easy answer, so it doesn’t pay attention to what it may consider minor details at that moment. If you find this sort of thing interesting, I recommend you do some further research on change blindness and what your mind really knows about what is occurring at this instant.

So why is change blindness of any interest to you from a social engineering perspective? Well, I feel there are a few reasons. The first one, and possibly the one most difficult to get your head around, is that attention to detail really isn’t that important sometimes. What do I mean? Well, Harvard did some interesting research (Derren Brown example below) called “The Person Swap” where they had people approach a desk where a gentleman would have them sign a form. He would then duck down to file the form and another man would pop up, and a large percentage didn’t notice any change. When you think of a change this significant it puts a few things in perspective; the key thing here is that people were not looking for / expecting change. So if you are prepping for an onsite engagement, ask yourself: will my ID need to stand up to direct scrutiny, or will just having something similar do the job?

The same applies in things such as phishing campaigns. It may seem obvious, as many people already know that when we read something the letters of a word can be jumbled but it still makes sense to us. The same applies to domain names and other key pieces of information, so perhaps substitution isn’t always required; simply omitting it could still be successful, as it wouldn’t be expected for it not to be right.

This is just a brief glimpse at what change blindness means to us; in reality it should tell us that a lot of what we do / don’t see is an illusion. If you think it wouldn’t happen to you, or you spotted thing again. Sure, you will spot the issues where you are suspicious and are looking, but this is not something many of us do for everything, unless we are very paranoid. Then we imagine things that are not there at all :D

Another good change blindness test :)

Filed Under: Influence, Misdirection, Social Engineering

Subliminal Hacking Blog October 12, 2012

Proxemics … Have you heard of personal space??

Proxemics is all about that little bubble we like to call personal space; how people position themselves in that bubble affects how we feel. Below is a generalisation on acceptable distances based on interaction, but it’s important to be aware that we are all individuals, so all of our bubbles are different, and also that different countries and cultures (you will know this if you have ever been to Hungary) have totally different concepts of what is acceptable in the personal space intrusion stakes.

So why is proxemics of any interest to you as a social engineer? Well, when it comes to gaining physical access, or looking to influence and / or manipulate someone, this is really important. This is very much linked to your body language and other non verbal cues, but where you position yourself has an impact on how you are perceived, the position or structure you are trying to portray, as well as territorial aspects you may be trying to convey with your physical positioning.

The social boundaries are what you would consider acceptable in a public / exhibition environment (not the local social club / pub). If you were waiting to meet someone, or speaking to a stranger to ask directions, these are the typical personal space requirements that would be considered normal in most parts of the western world. Distances greater than the social boundary are more public spaces, like visiting a park, or museum, etc.

The personal boundary is the area I would imagine most people feel is invaded on a more regular basis. This area tends to be where we are happy for friends and close colleagues to venture into, and what we could consider a more ideal spacing if we are waiting for the bus. When people breach this boundary we can often feel threatened and look to withdraw, or consider the option of standing our ground even though it may be an uncomfortable and stressful experience.

The intimate boundary is reserved for those we are closest to and most trusting of. This is because at such a close range we are very vulnerable, so trust is of paramount importance. A slight exception to this is when we are happy for someone to whisper something we value to us, and for this we are happy to grant a temporary reprieve and allow that person in to share information, before getting the hell out.

As mentioned before, ethnicity and culture will result in variances in this, but a quick bit of people watching will help establish a quick baseline of the cultural norm. You will of course experience the odd one out, who for various reasons will keep a distance from you, or be all up in your face as part of their natural way of communicating, so even though it will feel awkward, judge other non verbal cues to establish any possible intent before reacting. During our interactions people can possibly move through various boundaries depending on the social situation, intent of the interaction, the topic of discussion and even their gender.

So when you are next involved in an onsite engagement, and you are attempting to build rapport and influence individuals or groups, be sure to give some thought to your proximity along with the other verbal and non verbal cues we have discussed before.

Thanks for reading, and until next time happy hacking.

Filed Under: Communication, Influence, Nonverbal Behavior, Proxemics, rapport, Security Awareness, Social Engineering

Subliminal Hacking Blog August 20, 2012

Tweaking your Critical Factor … Understanding RAS

In previous posts (probably over a year ago now) I have spoken about this thing called the critical factor. In the hypnosis world this is the gatekeeper or firewall between your conscious and subconscious mind, helping to keep out all the junk and irrelevant information and focus on what is most important. I have also spoken about how the subconscious mind is gathering and processing all this information external to us and then feeding the conscious mind with just a small subset of this information to help us form our reality. When we are looking to manipulate or influence people we use language in various forms to either bypass the critical factor by making it lazy (Yes Sets, etc.), or by finding agreement in beliefs and opinions to build rapid rapport to increase chances of success, or possibly give the impression of authority (in a positional or knowledgeable sense) to utilise social compliance to get to our desired outcome.

So if you read my blog already this is old news, but something I have been looking into is how the human mind pre-determines what is critical information, and, if we understand this, whether it helps us bypass it more easily, but more importantly whether learning about these techniques (as I have said before) helps us be less susceptible to manipulation that may result in a negative experience.

What I found as part of some neuropsychology reading I was doing is that part of how the mind works and organises / filters this critical information is with the use of a RAS. RAS stands for Reticular Activating System; the system is considered by some as the Command and Control center for all brain and body activities.

I won’t try and talk science about how the RAS works with the rest of the brain, as I am sure to make a dog’s dinner of it, but essentially what the RAS is doing is taking onboard all subconscious stimuli and checking this against a priority list. If the information matches with something on the priority list you will be consciously alerted; if not, it’s stored in the subconscious for a later date. What the priority list does is make us aware of things around us that are important to our health (a fire alarm, for example), things we are interested in (a type of car, perhaps) and things that are personal to us (our name, for example). This is why, when going about our daily duties and in a crowded room, we can distinguish our name being called, and why, when we have decided on our next car purchase, every damn car we see is the car we thought was unique and that you don’t see many of on the roads. In my Googling, I also found a lot of references by life coaches to programming your RAS to reach your goals. Now this really isn’t my bag, but at the same time I can see how it would work.

So how do you get additional items on your RAS priority list and tweak your critical factor? Well, I don’t have any scientific proof, but when I think about the items that are commonplace in most people’s RAS it seems that they are there either because of large forced repetition or because of freely chosen repetition because you are interested in something. Now I know this to be true, because when I am interested in something, or thinking of making a purchase, I research the hell out of it, and then when out and about I either see or hear many things in relation to that something I am thinking of buying.

In short, engrossing yourself on a regular basis allows you to tweak your filters to be more aware of specific happenings in your world. If you have studied body language and find it interesting, and look for things daily, all of a sudden you realise you are seeing and reading gestures effortlessly. When learning the types of language used to influence, you hear more readily when a sales person is spouting the BS. So this stuff really is simple and obvious, but I think it’s interesting to understand and appreciate what part of your mind is working, and for some people this is key to realising you can make tweaks and improvements.

Appreciating this, in my opinion, will make you a better social engineer. As you continue to discover and understand both the art and science of SE, it makes you more effective. It provides you with a better ability to be consciously aware of the various situations you find yourself in, meaning you can make quicker, better and more informed decisions. This results not only in a better threat simulation in the activities you will be carrying out, but it also makes you more informed to educate people on what can be done to identify when they are being socially engineered in real time, to reduce the risk of wrongful manipulation.

Filed Under: Influence, Social Engineering
