Social Engineering Blogs

An Aggregator for Blogs About Social Engineering and Related Fields

The Humintell Blog April 12, 2012

Talking Helps Ease Emotional Distress

Americans are a diverse group of people interacting on a daily basis, oftentimes in stressful situations.

How different are our cultural stress coping mechanisms and are they working?

The American Psychological Association (APA) reports, citing UCLA psychologist Matthew Lieberman, Ph.D., on the idea that putting problems into words will ease the emotional impact of those problems, even across cultures.

Lieberman took this idea a step further, in 2003, by investigating it with the latest brain imaging technology (fMRIs).  “There’s this idea that putting bad feelings into words can help wash worries away,” he purported.

Lieberman and his colleagues found that social rejection activates a part of the brain that is also stimulated in response to physical pain.

Interestingly, they also found that people who had relatively less activity in that area, and who reported feeling relatively less distress, had more activity in the right ventral lateral prefrontal cortex, an area of the brain associated with verbalizing thoughts and language production.

Their study’s results, which were published in Science, suggest that “talking it out” can help ease a person’s emotional response to tough situations by suppressing the area of the brain that produces emotional distress.

I can almost hear the groans of guys across the world who fear the words “we need to talk” but who will no longer be able to say “nothing will come of it” or “talking never solves anything”.

On a more recent note, Lieberman and his colleagues conducted another study that will be published in Psychological Science that tests this hypothesis more directly.

They asked 30 participants to view pictures of angry, scared or happy-looking faces. Half of the time the participants tried to match the target face to another picture of a face with a similar expression. The other half of the time, they tried to match the face to a word that correctly labeled its emotion.

Using fMRI, the researchers discovered that when the participants labeled the faces’ emotions using words, they showed less activity in the amygdala, an area of the brain associated with emotional distress. At the same time, they showed more activity in the right ventral lateral prefrontal cortex, the same language-related area that showed up in their previous study.

This is further evidence that verbalizing an emotion may activate the right ventral lateral prefrontal cortex, which then suppresses the areas of the brain that produce emotional pain.

What are your thoughts on this study?  Does “talking it out” really help the emotional impact of a problem?

Filed Under: Nonverbal Behavior, Science

The Humintell Blog April 10, 2012

Efficacy of a Facial Affect Recognition Training Tool for Children with Autism Spectrum Disorders

Children with autism spectrum disorders (ASD) often struggle to recognize emotions from facial expressions (facial affect), hindering their social interactions.

By using Humintell’s emotion recognition training tool MiX, researchers out of Rush University Medical Center in Skokie, Illinois tested children ages 8-14 who are affected with autism spectrum disorder over a six-week period.

Russo et al.’s findings, Efficacy of a facial affect recognition training tool for children with autism spectrum disorders, were presented at the International Meeting for Autism Research in San Diego, CA this past May.

The results of their study suggest that coach-assisted computerized training with imitation exercises successfully alleviated facial affect recognition deficits in children with autism spectrum disorder.

Although future studies should investigate whether “boosters” are necessary to maintain the skill long-term, their results suggest that by using a computerized emotion recognition training program, children with autism could improve their facial expression recognition ability.

The result of this study correlates directly with another recent study that demonstrates the positive benefits of autistic children and adults using computers.

Filed Under: Nonverbal Behavior, Science

Subliminal Hacking Blog April 7, 2012

Human Phishing … Playing the Odds

Happy Easter everyone, I have some spare time so I thought I would put fingers to keyboard and put a blog post out I have had on my mind for the last month. Even though I plan to post every month, life with a little one and busy at work does get in the way, and I really don’t want to post something just for the sake of it. I always want to share information that is relevant and will be of value.

So with that in mind I wanted to talk about phishing, and how important it is to select the right bait.

So as a social engineer there are going to be many times when phishing is going to be the best approach to get your gig off to a good start. Phishing is a low risk approach, but the rewards can be very high.

The important thing to say at this point is I am talking about phishes that have a higher percentage chance of success, this might sound obvious but all phishes are not created equal. APT, Hacktivists and those just out to make a buck play the percentages, they send a large amount of email out, and the quality isn’t always that great (you have seen them, you can spot them a mile off). Of course this is different to spear phishing, where things are more targeted and frankly they do a better job when it comes to the content of the phish. The reason I mention this is, if this is what your customer wants (they probably know the answer, and it might not help them in reality, or you for that matter) simulate it appropriately, but depending on your targets it could be hit and miss.

So how do you do it right? Like most things in social engineering, do your homework. OSINT plays a big part here, what are your targets doing online, are there common interests, shared groups and themes around their activities. What types of language and communication is their employer using to communicate, what campaigns are running, what would be expected? When I talk about language I mean both the actual language (many people involved in SE have to deal with people outside of the English speaking world), this doesn’t mean that you can’t use English, your homework will tell you this, but regardless you are looking for the phrases, buzzwords, key names and meanings that will imply legitimacy.

Legitimacy is important, and will often force you to use languages and subjects that don’t shout spam and phishing email, but this is something important to consider also. What inbound controls are you facing, how will your email be graded, what tests can you do, how can you verify delivery of phish? These are all components you will need to be considering if you are truly simulating your customers external threat.

So let’s assume legitimacy has played its part, your phish has arrived in the target’s inbox, and they think it looks legit. So what is it that is going to make them open your attachment, or click that link? Influence, that’s what. You may remember some time ago I wrote about the 6 rules of influence, well this approach will help you in your phishing attack. Perhaps they will click your link as they will gain access to something difficult to get hold of (scarcity), perhaps it’s a direction from the top and must be followed (authority), or perhaps it’s as simple as the chance of winning something, I mean who doesn’t want to get their hands on a sexy iPad 3.

Right so your target is all about the clicky clicky, you have succeeded? Erm possibly not :) This is where playing the odds comes in handy. To get to this stage you have already had a few levels of phishing success, the mail made it past all the ingress checking and arrived in the inbox, the subject was appropriate enough that your target opened and read the email, now they are clicking the link or opening the attachment. This is success, but I imagine in most cases now you want shells :)

Of course you do, who doesn’t. Of course if this works you can do the happy dance, but if it doesn’t you will be pulling out your initialed hanky and weeping like a baby. Why didn’t it work? Perhaps your payload wasn’t built properly, perhaps you set the handler up wrong, perhaps your system crashed, who knows, but you had all your eggs in that one basket. This is why you should play the odds with your phish, have multiple out, this leads to success at some level.

Playing the odds in my mind means the following. First of all I always try and include some form of credential harvesting component (it’s a common winner in my experience), I also tend to employ the joys of a BeEF hook. I think BeEF has a lot to offer in the future so now is a good time to build it into your approach (you can grab systems info, launch iFrames, keylogging and all sorts). It’s also a good idea to consult your Apache logs to see what’s being given away. If you do a sample wave of phishing you can use this as recon (I tend to use what I consider low value targets here) and find out browser types, plugins running, Java versions etc, all important information for phishing. Include some browser exploits based on what your recon has informed you about, if you can do it transparently great, but if you need to pop up a window or dialog box (ala Java Exploit) then make sure it’s believable.

This isn’t an exclusive list by any means, and I appreciate I have not gone into huge detail (perhaps I will give a talk on it) but I really think you will see an increase in your success, and as a result increase the value of the service you provide to your customer. Oh and don’t forget, if it’s appropriate a little phone call could help in the legitimacy stakes and get that clicking going on :D

So as always I hope this was of some interest, and of some help. I welcome all questions and feedback, and if you liked it please feel free to share with others. Until next time, take care.

Filed Under: Influence, infosec, Metrics, OSINT, Phishing, Social Engineering
