Unmasking the Social Engineer: The Human Element of Security (2014)

Part I. Building the Foundation

Chapter 2. What Is Social Engineering?

Enlightenment is not imagining figures of light but making the darkness conscious.

—Carl Gustav

I define social engineering as any act that influences someone to take an action that may or may not be in his or her best interest. As mentioned briefly in Chapter 1, I once was hired to infiltrate warehouses without breaking and entering. To do so, I used the social engineering methods of pretexting, role playing, and three or four different aspects of influence. My intent was to test the company's defenses to see if the employees followed policy. I also tried to take pictures of the exits, camera locations, and other aspects that a real criminal would use to come back later and break in. A typical scenario went something like this:

I drove to the warehouse and pressed the intercom button at the front door. I said, “Hi, this is Paul from your waste company. I need to check the serial number on your trash compactor.”

The door buzzed, and I was let into the inner area of the warehouse. I faced a wall-to-wall, floor-to-ceiling metal mantrap. A security guard looked in and said, “Hold on a minute. The floor manager is coming to escort you.”

A few minutes later, Roy, the floor manager, came out to greet me. I was buzzed through the ominous-looking mantrap and was sent to the security guard desk. The security guard asked for my ID. I looked at him and then at the mantrap and said, “I left my wallet in my car. But I do have my company ID. Is that okay?” The security guard photocopied my company ID and gave me a badge. Roy then took me to the compactor.

After a few seconds, I said, “You're in luck. This number is not on the list.”

“What does that mean?” Roy asked.

“You don't have a bad motor, so this compactor should be in top shape.”

On the walk back, I suddenly exclaimed, “Dang it! I left my phone on top of the compactor. I need to run back and get it.”

A few minutes later, I met Roy in the office, shook his hand, returned the visitor ID, and left the building.

In addition to showing that corporate policy might need better enforcement, I left the building with a phone full of pictures of security camera locations, exits, and where the “goods” are stored.

Social engineering doesn't always involve trickery or deceit. Instead, it is more about how we conduct our social interactions on a daily basis. It is about how we communicate, talk, and get our point across to people with whom we interact.

In my first book, Social Engineering: The Art of Human Hacking (Wiley, 2011), I broke down all the physical, psychological, and personal tools someone needs to become a master social engineer. Rather than recap the whole book here, this chapter gives a brief overview of the techniques and methods a social engineer uses.

Keep in mind that it is vital for the social engineer to become part of the same “tribe” as the target. A tribe can involve a workplace, beliefs, clothing, music—anything that causes people to join a group. If you can utilize the skills outlined in the following sections, you can become part of the target's tribe. Once that occurs, gathering information or gaining access is much simpler.

Information Gathering

Information is the lifeblood of the social engineer. The more information the social engineer has, the more vectors (methods of infiltration) he can develop, the better he understands the target, and the better he understands the target's weaknesses and strengths.

Information gathering can be web-based, using tools such as Google dorking and Maltego. It also can involve in-person gathering, such as taking pictures, location scoping, and elicitation.

The power of the internet makes gathering information much easier nowadays, and it means that a social engineer can obtain a very large quantity of data. Learning how to categorize and store this information is very important. I have a practice of developing DAPs (detailed action plans) on my targets that involve information found, attitudes or actions observed, and how this info was gathered. I then correlate that with vectors I want to use and that becomes a plan of action for each target.

Social engineer and ethical-hacker-turned-philanthropist Johnny Long developed the initial Google Hacking Database, which is a list of searches that one can run in Google to find all sorts of juicy information. In the last few years, the folks at Offensive Security have taken over this project and it now lives at www.exploit-db.com.

In addition to tools like this, there are others like Maltego, which allows you to gather data on people, websites, or companies and categorizes it in a graphical format that is easy to read and use. More information can be found at www.paterva.com.

Recently, two other tools I have found very useful are Google Maps and Bing Maps. When you zoom in close enough, each of these websites will show you a “street view” of the location. If you approach a building or location and already know the layout, the fencing, the camera locations, and more, it saves you the time of having to figure this all out on the spot.

However a social engineer gathers information, the rule of thumb should be “no information is useless.” Even the smallest pieces of information can go a long way toward the success of an engagement.

Pretexting

Your pretext is the person you will portray—the act you will put on. It is somewhat like Method acting—you become the person you are pretending to be. Clothing, ID, body language, and knowledge all play a role in making a pretext believable.

In the example at the beginning of this chapter, my pretext was “Paul the waste company employee.” To successfully carry out my pretext, I needed to do some planning. I had to make sure my clothing convinced my targets I was who I said I was. Just as I mentioned in Chapter 1 when I spoke about “enclothed cognition,” I had to make sure my clothing made me feel the part and portrayed the right message too.

My ID had to be realistic. My body language had to suggest that I was a blue-collar worker and not upper management. I also needed knowledge of the artifacts I was using to prove my pretext. I had to know about trash compactors, where the serial numbers were located, what I would be looking for, and any tools needed to do my “job.”

A pretext is not always delivered in person, however. In a five-day class I teach, I send the students out each night to gather small pieces of information from members of the public, to show them how using these skills can develop rapport, generate trust, and result in information sharing very quickly. During one particular class I had a group of students get together in their hotel room and gather information by pretending to be a call center.

To complete the pretext they downloaded an app called “Thriving Office” that played office sounds in the background. One of their cell phones played these sounds while the others made calls. For the person on the other end of the phone the pretext was complete as they heard a “call center.”

Whether in person, over the phone, or through email, a social engineer's pretext needs to encompass clothing, language and word choice, sounds, and every other aspect of the method of communication to prove to the target that the social engineer is who he says he is.

Elicitation

Elicitation is the art of getting information without asking direct questions—just carrying on normal conversation. Elicitation is talking to your target about his or her life, family, and job. You build rapport with your target (see the next section) and get him or her to like you, open up, and offer details you can use. Such a simple explanation, but one of the most important aspects of social engineering.

At the end of this book, I will spend some considerable time discussing how nonverbal communication affects elicitation and can enhance your ability to be a master elicitor.

Rapport

My good friend and author Robin Dreeke defines and discusses rapport-building skills in his book It's Not All About Me. He can quickly teach anyone the best techniques for making people feel liked, which creates an atmosphere of trust. That trust then causes them to talk and give away information that may be valuable. That trust also can cause someone to take action, such as clicking a bad link or letting a social engineer through a door.

Rapport is the feeling of closeness or trust that is developed when psychologically someone opens up and is now willing to trust you with information about their lives.

Robin breaks building rapport down into 10 different methods. Quickly they are:

· Artificial time constraints: Letting people know you will only “bother” them for a very brief period of time

· Accommodating nonverbals: Making sure your nonverbals match your words or there will be red flags raised

· Slower rate of speech: Speaking slow enough not to appear nervous

· Sympathy themes: Using the powerful words, “Can you help me?”

· Ego suspension: This powerful aspect is merely suspending your own ego to let others be right, even if they aren't.

· Validation: Using warm and genuine accommodation of a person's knowledge, skills or person

· Asking how, when, or why questions: Open-ended questions that elicit longer responses

· Quid pro quo: Giving a little info out to make the person feel comfortable sharing their info

· Reciprocal altruism: Giving a gift to get a gift

· Manage expectations: To not become greedy and to realize when something isn't working and make a change

Each of these 10 aspects is powerful and can be part of an effective social engineer's arsenal.

Influence/Manipulation

I define “influence” as “getting someone to want to do what you want them to do.” In essence, your target goes along willingly, as if it was their idea and something they wanted to be a part of all along.

One of the greatest minds in regards to this topic is Dr. Robert Cialdini. He spent his life studying influence and how it works.

Dr. Robert Cialdini defines eight aspects of influence:

· Reciprocity is creating a feeling of indebtedness by being the first to give something away.

· Obligation influences someone to take action based on a feeling, whether this is the social norm of showing gratitude or the feeling that we owe someone something.

· Concession is getting someone to give you smaller answers. Giving in and answering basic questions leads the target down the path to answering bigger ones.

· Scarcity: When people are convinced that the item or information in question is hard to come by, running out, or may be gone forever, it becomes scarce and therefore more valuable.

· Authority plays on our innate desire to obey and follow direction, especially from those in a higher position.

· Consistency and commitment are involved when a target starts down a path. She wants to remain consistent in her responses. This creates a feeling of commitment to continue giving consistent answers.

· Liking means that people like those who like them. If our targets feel liked, they will like us in return and give us the information we need.

· Social proof means that if everyone else is doing it, it must be okay. This principle plays on the feeling that being part of the group is important.

Learning to master, understand, and use these eight principles can make you a master social engineer. Manipulation is not much different from influence. As a matter of fact, when you analyze the principles of manipulation, they are very similar to those of influence. Telling the two apart is critically important, though. Whereas influence is getting a person to want to do what you want them to do, manipulation is getting a person to do something they don't want to do.

In essence, the goal when you influence someone is to always try to make him or her feel better for having met you. When you manipulate someone, there is no goal that is focused on their feelings; the goal is to get what you want, regardless of how the subject feels.

As a social engineer, I try never to employ manipulation as it leaves my clients feeling bad, ruins our relationship and does not open up the employees to training. Instead I always try to employ influence because it opens the client up to advice, training, and change.

A great illustration that a good friend told me once is that manipulation is like getting your child to accept the shot they need. The medicine will make them feel better but the shot may sting a bit. As a professional social engineer, regardless of how I get you to give up information, I am sure it will sting a bit, but the goal is to try to use the method of least sting so you accept it and can improve your security posture.

Framing

Just as a house's frame is its basic structure, a person's frame is her emotional, psychological, and personal and family history. What causes her to think, act, and talk the way she does? These motivations are a person's frame.

What someone has experienced throughout her life alters how she perceives the world around her and how she reacts to events. If a social engineer can begin to understand a person's frame, he can begin building a bridge between his frame and the target's frame.

The easiest way to do this is to find common ground and then build rapport. Doing so makes bridging the two frames much easier. As soon as the frames are bridged, the target and the social engineer become part of the same “tribe,” and it is easier to gather intel from that target.

Nonverbal Communications

Chapter 1 described nonverbal communication (also called nonverbals) in detail. As I discussed in my first book, this topic really changed how we view social engineering. Combining nonverbals with the other aspects just described can make anyone an amazing social engineer.

Nonverbals make up a large portion of how we communicate. What we say is either confirmed or contradicted by how we say it and how we look when we say it. Gaining the ability to detect, analyze, and read microexpressions, macroexpressions, subtle microexpressions, conversational signals, and body language can help you as a social engineer understand the emotional makeup of your target.

Understanding your target's emotional state before you engage with him or her can help you alter your approach, your opening, and the types of questions you ask and conversations you have.

My first book barely scratched the surface of this topic. I covered only the basics of facial expressions. This book, with the help of Dr. Paul Ekman, delves deeply into the face, hands, body, legs, and torso. I explain how each of these areas gives us insights into our targets' emotions.

First we need to discuss how nonverbal communications play into the different types of social engineering.

The Three Basic Forms of Social Engineering

Social engineering in its malicious form is usually categorized into three different areas. It is important for you to understand the differences among the three, because nonverbals play a role in each. Let's take a look at each: phishing, phone elicitation, and impersonation.

Become Phishers of Men

The most widely used form of social engineering is phishing—the sending of either mass or targeted emails that contain malicious files, links, or instructions. If clicked, opened, or followed, those aspects of a phish cause breaches, data loss, and many other problems.

One example of phishing was in the news when I wrote this chapter. An executive at Coca-Cola received an email instructing him to open a file from the CEO regarding energy conservation, an initiative that this company was pushing. That email and its attachment were not legitimate. By opening the file, the executive allowed a program to be run on his computer, giving the hackers remote access to his machine. This led to a full network compromise that was not discovered for many months.

Phishing emails are so prevalent that one group claims that one out of every 300 emails is a phish. This doesn't even begin to cover when the phish are targeted attacks. When a social engineer targets a particular person, he uses spear phishing—very personalized emails that contain details about the person's likes or dislikes. Or he may use what is called whaling, in which a spear phish is sent to a high-profile target, such as the CEO of a large bank.

Whatever method is used, the social engineer writes emails that use fear, curiosity, or authority to get the reader to perform an action that is not in his or her best interest.

Let's look at a phish and analyze why phishing is such an effective tactic. Currently one of the most widely used phish is geared toward Facebook. With over a billion users, Facebook is an attractive target. Take a look at Figure 2-1.

Figure 2-1 Faking Facebook is one of the most popular types of phishes. [Figure: a fake Facebook notification email]

There are a few key things to notice with this type of phish. First, it works because it looks like a real Facebook email. It has the same layout and colors. It is simple and not overdone. In addition, the subject line is ripped from actual Facebook emails.

A few clues give away this email as false:

· The “from” address is not Facebook. Sometimes a social engineer will use facbook.com or faceboook.com or facebook.co—little changes that may go widely unnoticed.

· The greeting is generic; it just says “Hi.” Usually it would have your name or username.

· The big clue that often goes unnoticed is the link. When you hover the mouse pointer over the link, you see that it is not going to Facebook at all. Instead, it is going to the social engineer's website.

· This particular email is quite smart because the link, the buttons, and even the unsubscribe link all lead to a malicious site.
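The clues just listed (a lookalike sender domain, a generic greeting, and links whose real destination is not the brand being imitated) are mechanical enough to check automatically before a human ever hovers over a link. The following is an added example, not code from the book or from any mail product: a small Python checker that parses a raw email, compares the sender domain to the brand it claims to be using edit distance, looks for a nameless salutation, and lists every link whose host is off-brand. The two sample messages, the `evil-example.test` host, and the brand domain used for comparison are constructed placeholders.

```python
"""Phishing-clue checker for the written-word tells listed in the chapter.
Added example, not the book's own code. Scores a raw email on three clues:
lookalike sender domain, generic greeting, and off-brand link destinations.
All sample messages and hostnames below are constructed placeholders."""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED_DOMAIN = "facebook.com"  # brand the notification claims to come from

# Constructed phish: lookalike sender, bare "Hi," greeting, and every link
# (including "Unsubscribe") pointing at a placeholder attacker host.
SAMPLE_PHISH = """\
From: Facebook <notification@faceboook.com>
To: victim@example.org
Subject: You have 3 new notifications
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi,</p>
<p>You have notifications pending.</p>
<p><a href="http://login.evil-example.test/fb">See notifications</a></p>
<p><a href="http://login.evil-example.test/unsub">Unsubscribe</a></p>
</body></html>
"""

# Constructed legitimate-looking notice for comparison: real domain,
# personalised greeting, link that stays on the brand's own host.
SAMPLE_LEGIT = """\
From: Facebook <notification@facebook.com>
Subject: You have 3 new notifications
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi Alice,</p>
<p><a href="https://www.facebook.com/notifications">See notifications</a></p>
</body></html>
"""

def edit_distance(a, b):
    """Levenshtein distance; 1 or 2 against the real domain marks a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, expected=EXPECTED_DOMAIN):
    """True for near misses such as facbook.com, faceboook.com or facebook.co."""
    return domain != expected and edit_distance(domain, expected) <= 2

class LinkCollector(HTMLParser):
    """Gather every href in the HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

def off_brand_links(html, expected=EXPECTED_DOMAIN):
    """Hrefs whose host is neither the brand domain nor one of its subdomains."""
    collector = LinkCollector()
    collector.feed(html)
    bad = []
    for href in collector.hrefs:
        host = (urlparse(href).hostname or "").lower()
        if host != expected and not host.endswith("." + expected):
            bad.append(href)
    return bad

GENERIC_GREETING = re.compile(
    r"^(hi|hello|dear\s+(customer|user|member|friend))\s*[,!.:]*$", re.I)

def has_generic_greeting(html):
    """True when the first visible line is a salutation with no name in it."""
    text = re.sub(r"<[^>]+>", "\n", html)
    first = next((ln.strip() for ln in text.splitlines() if ln.strip()), "")
    return bool(GENERIC_GREETING.match(first))

def analyze(raw_message, expected=EXPECTED_DOMAIN):
    """Return the clues found in one raw RFC 822 message plus a simple score."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = email.utils.parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    clues = {
        "sender_domain": sender,
        "lookalike_sender": is_lookalike(sender, expected),
        "generic_greeting": has_generic_greeting(html),
        "off_brand_links": off_brand_links(html, expected),
    }
    clues["score"] = (int(clues["lookalike_sender"]) + int(clues["generic_greeting"])
                      + int(bool(clues["off_brand_links"])))
    return clues
```

Calling `analyze(SAMPLE_PHISH)` reports the lookalike `faceboook.com` sender, the bare “Hi,” greeting, and both off-brand links (note that the unsubscribe link is caught too, the point made in the last bullet above), for a score of 3; `analyze(SAMPLE_LEGIT)` scores 0. The link check deliberately inspects the `href` rather than the visible anchor text, because that is exactly the mismatch a hovering mouse pointer reveals and a reader skimming the email does not see.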

Another example of the seriousness of malicious phishing is a fake PayPal email, as shown in Figure 2-2.

Figure 2-2 PayPal is widely used in phishing attacks. [Figure: a fake PayPal email]

These emails affect us because they hit us in the wallet—or so we are led to believe. The fear that someone may have accessed and stolen our funds is enough to make us click a link and quickly log into our account to verify. And this is just what the attacker wants us to do. Often a fake website, a fake login, and little scripts harvest the credentials you enter. When the attacker has these credentials, he logs in and then does the very thing that created fear in you: steals your money.

Using Nonverbal Communication in Phishing

At first it may seem next to impossible to understand how nonverbal communication is used when it comes to the written word. Yet consider the concept of framing, which is the structure upon which a person's mental and psychological house is built. The social engineer wants to alter that frame and cause the target to think, feel, and react in the frame of the social engineer. This is called frame bridging. One person builds a “bridge” between his frame and the frame of the other person, making it easier for the second person to meet him in the middle or find that common ground.

One of the main rules of framing is that any words we use evoke the frame. Our mind thinks in pictures, so the words we use create picture scenarios in our minds. Those pictures create emotional reactions, and those reactions are what cause the target to take the action that may or may not be in his or her best interest.

A malicious social engineer wants to create a set of emotional triggers in, for example, an email that will make the target perform that action. In many cases the malicious social engineer uses the emotions of fear (of loss, theft, and so on) or sadness (as it is linked with empathy and the “help me” plea) to elicit the responses he wants.

Statements such as “This must be completed in 24 hours or your account will be suspended” elicit a fear response. Combine that with the possibility that your account may have been used without your knowledge, and you have a perfect recipe for fear-based response. It is based on words, and those words paint a picture in your mind, and that picture causes the emotional reaction.

Another aspect is the use of emoticons, which are used more and more in texts, emails, and instant messages. Audrey Nelson, PhD, author of The Gender Communication Handbook: Conquering Conversational Collisions Between Men and Women, talks about emoticons as used in written communications. She defines emoticons as “nonverbal written indicators of emotions.”

Which of the following softens the reader?

· Wow! You really didn't think that through!

· Wow! You really didn't think that through! [emoticon image]

· Wow! You really didn't think that through! [smiley-face emoticon]

The use of the smiley face in the third example means that the statement is meant not as a criticism but as a joke. The emotion aimed at the target can affect how that person reacts to the message. Emoticons are used not so much in fear-based emails but in phishing emails that pretend to be from friends (such as Facebook friend emails) or potential romantic partners (such as emails from popular dating websites). In these scenarios, emoticons are used to make the sender appear to be happy, friendly, and open.

When The Phone Is More Dangerous Than Malware

The second most commonly used form of social engineering is phone elicitation. In the last 18 to 24 months, hacktivist attacks on large companies have used an increasing amount of phone elicitation. In one such case, the hacker group UG-NAZI launched an attack against a web-based invoicing company. UG-NAZI did extensive information gathering on the database administrator of this company and then placed one phone call to their tech support company requesting a password reset. Because this group had all sorts of information on the DB admin, they were able to answer the security questions and reset the password.

The result? UG-NAZI downloaded gigabytes of customer credit card numbers and then erased their servers for fun. This is just one of a dozen such stories in the recent news.

Why has the number of phone-based attacks increased? First, caller-ID spoofing, as it is often called, is cheap and easy. Spoofing the number from which a call appears to originate means that the social engineer can fake any number he wants. He can place a call that the recipient will think is coming from tech support, a vendor, or even the president of the United States. Caller-ID spoofing creates an atmosphere of trust quickly because the number “proves” the caller is trustworthy.

Second, it's easy. The social engineer doesn't need to be present or even be in the same country to use the phone to elicit information. With a bit of practice, he can create a believable storyline and establish a decent level of trust with the target.

In one engagement I did, we used a three-layered attack. The first stage was a phish we sent to employees of the target company, offering a free iPhone 5 (the newest phone at the time); to be entered in the drawing, they had to fill out a form with their domain login credentials. Hundreds of employees filled out the form.

Stage two was to call these people and tell them they had been victims of a phish. As my pretext, I became “Paul,” the tech support guy from their company. I told them we had placed a tracker on their machine and we needed them to run an executable file to remove it. The executable was not a cleaning tool but a malicious file that would give us remote access to their computers. Out of all the calls I made that day, about 98 percent of the people contacted complied with the request without questioning me. For those who did question me, I simply told them I was from tech support and we must continue.

In the 1960s, psychologist Stanley Milgram conducted an experiment to test people's susceptibility to obey authority even when it went against their moral judgment. As volunteers were told to shock another person for wrong answers, their discomfort visibly increased as the other person's pain increased. The “researcher” was instructed to say, “The experiment must continue. Please go on.”

Much like that famous obedience experiment, my only statements were along the lines of “We must clean the system” and “If we don't do this, it may cause more problems on the network.” I was to state this with confidence and authority.

At this point in the penetration test, the point was proven, but the team and I wanted to try one more test, now that malicious software was loaded on the computers. I called tech support, posing as the employee I had just spoken to about running the executable file. I told tech support that my VPN credentials had been deleted, so I needed them again. Having this information would allow me into the most secure parts of the network.

The phone call went like this:

“Tech support. Sylvia speaking. How can I help you?”

I had spoofed my number so that the call appeared to come from the office of the person I was pretexting as. “Hi. This is James. I just loaded something on my machine that I shouldn't have. When I ran the virus scan to clean it off, it also erased my VPN credentials. Can you please give me the credentials again?”

“Sure, I can help you. Please tell me your full name.”

“James Smith. You can call me Jim.”

“Jim? Smith?”

“Yes.”

“Don't you recognize my voice? This is Sylvia.”

I had to think fast. I didn't know what relationship these two had, and one wrong word might blow my cover. “Sylvia, I'm sorry. I'm so stressed. I clicked on this phish and then loaded some bad software. When I tried to clean it, it messed up my machine. My head is spinning. I think I'm getting a cold; that's why my voice sounds different. And, on top of everything else, I lost my VPN creds. Forgive me and can you please help me?”

“Sure. No problem, Jim. Let me pull up your credentials.”

A few seconds later, I was handed the keys to the kingdom. Why did this work so well? I didn't have to prove who I was because I was on a phone with the right number, used the right name, and had the right excuse. It was all too believable.

Using Nonverbal Communication in Phone Elicitation

Smiling creates happiness in your voice. According to Scharlemann, Eckel, Kacelnik, and Wilson (2001), we give and receive more trust by smiling. Indeed, even if the smile can't be seen, it can be felt. In their study “The Value of a Smile: Game Theory with a Human Face,” they state: “Smiling increases trust among strangers. Subjects were more likely to trust photographs of smiling persons than unsmiling photographs of the same persons” (p. 13).

In addition to smiling, body posture; gestures; and voice tone, volume, speed, and pitch all affect how the person on the other end of the phone perceives us and our story. All these qualities are nonverbal communications that enhance our ability to influence our targets.

When I posed as a tech support representative during the three-stage attack, it was important that my voice's tone denoted authority rather than nervousness. Even though my target couldn't see my face, he or she could “hear” my smile, which contributed to building trust. My posture was one of authority too.

In stage three, when I was the employee calling tech support, for my pretext to be believable, my face had to show fear, and my voice's volume, pitch, and speed had to be slower and lower. My nonverbals had to say, “I'm sorry. I messed up. Please help me.” Because I changed my facial expressions to match the emotion I was supposed to be showing, my pretext was stronger.

It is even said that how we sit and how we dress can affect our tone on the phone. In social-engineer.org newsletter #34 (http://www.social-engineer.org/newsletter/Social-Engineer.Org%20Newsletter%20Vol.%2003%20Iss.%2034.html), I discussed research into enclothed cognition conducted by the researchers Adam and Galinsky. Their research suggests that our perception of clothing affects how we handle certain tasks and approach a job we are asked to do.

This research further shows that our vocal tones and how we sound to our targets are affected by our clothing, our nonverbals, and much more. As mentioned previously, the same piece of clothing, when given a different “meaning,” created a psychological bridge for the subjects to act a certain way. Knowing this means that how I dress on an engagement can and will influence the way I act.

I Am Not the Social Engineer You Are Looking For

Before phones and the Internet, scams were conducted in person. From Victor Lustig, who “sold” the Eiffel Tower a few times, to everyday street scams, in-person forms of social engineering have been used throughout history.

In recent years, story after story illustrates how criminals use impersonation to trick people into taking actions they shouldn't take. For example, in the United States, a man convinced a few of his buddies to rob a bank. Before the robbery, the man entered the bank, posing as a customer and an undercover federal agent. As his friends started to rob the bank, he stopped the crime, saving the day. He made “arrests” and took all the money as evidence. As he left with the criminals and bags of cash, employees felt the bank was safe and sound. But no police ever arrived to follow up.

Why do attacks like this work? With impersonation comes an inherent link to trust. When someone flashes a badge; wears the right uniform; and speaks, acts, and carries himself as the person he says he is, our minds get answers to unspoken questions:

· “Who is this person?”

· “What proof does he offer to back up his claims?”

· “Am I safe?”

All these questions get answered, and the target's mind is put at ease. This is the power of impersonation. In my introductory story about my warehouse job, I didn't need to vocalize those details, because my outfit said it all. I just needed to answer the leftover questions: “What do you want?” and “Why are you here?”

Once those questions were answered, my pretext did the rest of the work. In addition to physical impersonation, in-person social engineering attacks allow for a wide array of vectors that are hard to use with other forms of attack. For example, many firewalls and other technologies stop attachments such as PDF and EXE files from entering email inboxes and being run. However, if these same files are instead carried in on a USB stick, they can be installed on an employee's machine and run with less risk of being stopped.

Many times I've left lying around in a workplace a USB key or DVD labeled “Confidential,” “Employee Bonus,” or, unfortunately, “Private Pics” to pique the curiosity of the target. When he inserts the USB or DVD, his machine is compromised.

The infamous Stuxnet computer worm attack, as well as the more recent attempted attack on Dutch chemical company DSM, highlight how USB drops are still used. The element of curiosity can be dangerous when mixed with malicious software.

Using Nonverbal Communication in Impersonation

It may seem obvious that nonverbal communication is used in impersonation, but it is also crucial to understand. Because interaction is personal in impersonation attack methods, nonverbal communications affect the target the most.

It is natural to be nervous or scared when you fear being caught. If your pretext is one of authority, nerves and fear can ruin the nonverbal link that says, “I am sure of myself.”

We will discuss this in greater detail in Chapter 8, which covers the nonverbal side of elicitation. If the social engineer is showing expressions of anger, sadness, or fear, those same emotional states are mirrored in the target's brain.

Understanding how nonverbal communication can influence your targets makes it vital for social engineers not only to be able to recognize nonverbal signs but also to control the ones they display. For example, once we understand that having our hands in our pockets can be seen as a sign of weakness, we can either use that if our pretext is submissiveness or avoid doing that if our pretext is to be an authority figure.

Sometimes a social engineer can rely on nonverbal communication alone when performing impersonation. This is often the case with tailgating, in which someone who does not have access to a particular area gains access by following employees who do. Tailgating can be done in a few ways:

· Employee smoking areas: These areas, usually behind the building, often lack proper security so that employees can exit and enter easily. A social engineer can “join the tribe” of smokers and then try to walk back in with them.

· Carrying a box or large object: I cannot tell you how many times I have walked right into a building simply because I was carrying a box. As I approached the door, a helpful and kind employee saw me struggling and let me in. If a smaller, attractive female carries a heavy box, guys will fight over who will hold the door for her.

· Fake badge: Another successful method that even adds a layer of trust is a fake badge. The social engineer creates a realistic-looking badge that he knows will not give him access to the building. As he unsuccessfully swipes it a few times, helpful employees see him struggling and let him in.

These are just a few impersonation methods that involve little or no speech but rely heavily on the social engineer's nonverbal communication skills. Everyone has an internal radar that pings if something feels wrong, and that feeling is often based on how another person's nonverbal communication makes us feel. Knowing this underscores the value of the social engineer's being able to control and use these signs to give off the right “feeling.”

Using Social Engineering Skills

Social engineering skills don't always have to be used in a negative way; they also can be positive. I will briefly discuss this point to put into context how the rest of this book will progress. To reiterate, I define social engineering as any act that influences someone to perform an action that may or may not be in his or her best interest.

The Good

Positive social engineering is easy to understand. Suppose a child wants something from her parents. She approaches her mom and says, “Mommy, can I have the new Barbie doll?”

Mom says, “I don't know. Ask your father.”

The girl approaches her dad sitting on the couch, cuddles up next to him, and says, “Mommy said I can get the new Barbie doll if you say it's okay. Can I, Daddy, pleeeease?”

“Of course, pumpkin,” Dad says, looking down at those beautiful big eyes.

What just occurred? Without understanding psychology or nonverbal communication or communication modeling, the little girl employed all these techniques.

If I can speak from experience, the first request to Mom is usually made after a good deed or a moment of emotional closeness—a moment when trust and love hormones are heavy in the blood. But the real social engineering comes into play with Dad.

First is the power of touch. When the girl cuddles up and gets close to Dad, this creates an emotional bond. Then, by starting with the basic “Mom already said yes” approach, she applies social proof. Together these become an unstoppable force, and the little girl gets her wish.

Other, more serious examples may include rehab or therapy, where people are reframed and taught how to rethink their belief system. Once they reanalyze their beliefs, they can take a different path. In essence, they are influenced to take an action that may make them stop thinking negatively, stop abusing alcohol or drugs, or take another action that ends an abusive streak.

Social engineering can be used to influence someone to take an action that is good for her. It can be used to reframe her thinking, to create an atmosphere for growth, and to help change entrenched bad habits.

When one of my children was younger, he refused to eat breakfast. I saw this for what it was—a power play. He just wanted to be able to control this aspect of his life. It wasn't about defiance or being a bad kid. Knowing that it was all about his need to make a choice and be empowered by the ability to do so, I simply woke up one day and said, “I know you're having a problem with breakfast before school, so it's up to you. Do you want cereal or eggs?”

He made a choice, he felt empowered, and in the end we both won. I was happy that my child ate, and my child was happy that he was empowered by choice. This type of social engineering is positive because the underlying principle is that both people win, there is no loser, and the change leaves everyone feeling better for having taken the action.

The Bad

The skills just mentioned also can be used by malicious social engineers. The main difference between the “good” and the “bad” is the intent. In the bad, the social engineer doesn't intend to help, change, or better your life—it's all about what he or she can gain.

On March 18, 1990, there was a knock at the side door of Boston's Gardner Museum. This door was supposed to remain closed, but the two men knocking appeared to be uniformed police officers. The security guard unlocked the door and let them in, only to find out they were not police at all. Using no weapons, they subdued the museum's two security guards, tied them up, and, in less than 90 minutes, stole 13 pieces of art worth $300 to $500 million.

This heist used the principles of influence and authority. We are taught to obey authority figures, especially the police. The thieves banked on that and banked over $300 million in art.

In the Antwerp diamond heist of 2003, Leonardo Notarbartolo rented space in an office building that housed a large diamond merchant for three years so that he could build credibility and rapport. He and his cohorts planned an attack posing as diamond merchants and breached a vault that was protected by multiple measures, cleaning out over $100 million worth of gems. Interestingly, they were caught when one of the five in the heist forgot to burn a bag of trash that contained evidence of the crime.

Hacking attacks such as those carried out against HBGary Federal, PBS's website, and Coca-Cola all started with a phishing email. Other operations, such as Night Dragon and Stuxnet, may have involved phone calls and specialized hardware. Each of these used or even focused on social engineering skills for success. Both sophisticated attacks against corporations and everyday scams such as grandparents being called and asked for money by someone purporting to be their grandchild involve the use of these skills. Both kinds of scams involve planning, information gathering, and heavy doses of nonverbal communication.

The Ugly

Yes, there is one step further than “the bad” when we discuss these skills. I won't cover this aspect in depth, because it is not my area of expertise. Recently I had a chance to interview ex-FBI agent and psychologist Mary Ellen O'Toole about how psychopaths utilize social engineering skills. She recalled some of the cases she has worked on and some she knows about that involved social engineering skills, with devastating effects. Consider Ted Bundy, who terrorized women for over four years in the 1970s and admitted to over 30 homicides. He utilized social engineering skills to carry out his crimes. Many of his attacks started with him pretexting as a police officer, using authority. His most effective method was pretending to be injured, using crutches or a fake cast, utilizing a plea for help and sympathy. His victims felt empathy for him and came to his aid. They were unfortunately repaid with death in most cases.

As I said, I don't want to dwell too long on this part, but it is important to mention that, when analyzed, each of these areas utilizes almost the same skill set. No matter if it is the good, the bad, or the ugly, social engineering looks the same, with one major difference: the intent.

Summary

To summarize, let me reiterate the definition of social engineering: “Any act that influences a person to take an action that may, or may not, be in their best interest.” Seeing how nonverbal communications are used—whether through email, on the phone, or in person—can not only enhance your ability to communicate but also help you stay safe.

Understanding that social engineering surrounds us each and every day and that it is part of all our communications is fun and exciting. It makes communicating an interesting learning experience.

As we move on to the next chapters, I want to say that this book is not meant to be an all-inclusive discussion of social engineering topics. It is meant to help you—the security professional, the teacher, the parent, the CEO, the therapist—enhance your understanding of the most commonly used nonverbals.

Each chapter will cover a portion of the body and the nonverbal communication it displays. The next chapter goes into one of the most communicative parts of the body: the hands. What do the hands say intentionally and unintentionally? How can you read the language of the hands? Finally, how can you use your hands to influence the emotional content of others?

All of these questions will be answered as we begin Chapter 3.