Unmasking the Social Engineer: The Human Element of Security (2014)

Part IV. Putting It All Together

Chapter 9. Nonverbal Communication and the Human Being

It is not who I am underneath, but what I do that defines me.

—Bruce Wayne/Batman

When I planned this book, I came up with what I thought was an appropriate table of contents. That is what I presented to my publisher as my concept for this book. The end results are drastically different from what I planned. This happened because as this book was being written, new research came out, changes occurred to the existing research, and my experiences and understanding changed as well.

I am telling you this because it is one of the first valuable lessons I feel this book can teach a social engineer: Things change quickly, and we must be able to adapt. Adaptation is what keeps us alive. If humans didn't adapt, we would die off.

When I analyze the malicious side of social engineering, I frequently see this ability to adapt. The “bad guys” can pick up new skills, utilize new technology, and change as the times change. Yet sometimes, when I work with companies as a social engineering consultant, I see a strong unwillingness to change or adapt. I hear comments like “We've been doing things this way for years. Why change now?”

Why? Because the world is changing. Yes, there have always been scam artists and con men and thieves, but lately we have seen a global influx of a cold-hearted type of criminal.

One example is the increase in attacks on the elderly, regardless of the amount of money they have. Criminals pretext as relatives or government agencies with the goal of taking every last penny these people have. The night before I wrote this chapter, I was discussing this topic with a close friend. He told me that the mother of one of his friends had just been victimized by a scam artist. She was dying of cancer and had very little money, but the attacker still took her for all she was worth through one or two phone calls.

The lack of concern for our fellow man has increased over time. Mix that with the ease of spoofing email addresses, phone numbers, and Internet identities, and you have a breeding ground for anyone who wants to try malicious social engineering.

In our business and personal lives, we can use software and processes to protect ourselves from malware, viruses, and Trojans. We can buy better locks and alarm systems for our doors, and we can even hire companies to monitor our credit reports. Yet we have little to no defense against the malicious social engineer. When such a person gets you to wire him money or give him your credit card number, no system, tool, or software can stop that.

I am not saying that there is no hope and that the future is bleak. I am saying that the fix is not easy. That is why I wrote my first book and now this book: The fix is knowledge and then action.

As with most things in life, you first take in knowledge: how these attacks are performed, what methods are used, the indicators of an attack, what is being attacked.

After that, the knowledge needs to motivate you to take action. That action is where the safeguards are. Knowledge is the only real protection against human hackers or social engineers. If you can recognize the signs and understand what is being said or, even more importantly, what is not being said, you have a chance at defense.

In this final chapter I want to discuss this information from two different viewpoints. First, I will discuss how you can put these things into practice as a penetration tester, using these skills to enhance your talents in protecting your clients. Second, I want to discuss how to use this book as a defense mechanism. Maybe you are reading this book because you are part of an IT team, or you are a professor or teacher, or you are a parent or concerned citizen. How can you use the information in this book to enhance your communication skills and to decipher whether someone is being sneaky with you?

Applying This Information as a Professional Social Engineer

My five-day “Social Engineering for Penetration Testers” class uses the motto “Leave them feeling better for having met you.” Our goal in the five days is to teach each student the skills to elicit personal details from someone without using manipulation tactics or making the subject feel bad. What is amazing to me are the results—not the information gathered, but the results with the students. I have had students tell me the class changed their life and taught them how to be a better husband, father, person. How is this possible? Social engineering basically means learning to be a good communicator. If you learn to be a good communicator, with a goal of leaving the people you meet and communicate with feeling better for having met you, the results can be life-altering.

But a different lesson in those five days sometimes doesn't hit the students until the very end: Malicious social engineers employ the very same tactics.

I once interviewed Dr. Paul Zak for my podcast on www.social-engineer.org (the interview can be found at www.social-engineer.org/ep-044-do-you-trust-me/). Dr. Zak does research on oxytocin, a molecule released in our brains when we feel trust, bonding, and closeness. It's often related to breastfeeding, but Dr. Zak has found that all humans release it, often when they interact with those they love and trust. He told me a story from when he was a young man working at a gas station, and a couple of con men tricked him using a ruse called a “pigeon drop.” One day a man came into the office with a small box he said he found in the restroom that contained what appeared to be expensive jewels.

Just as Paul was deciding what to do, the phone rang. The man on the other end frantically described how he had left behind some jewels at the gas station. Paul told the man that an honest patron, standing right there, had just turned them in. The ecstatic man on the phone said he wanted to give the finder a $200 reward. Paul hung up and told the finder that the owner of the jewels wanted to give him a reward when he arrived to pick up his box. The finder replied that he was on his way to a job interview and had to leave, but he offered a solution: He would split the reward with Paul. All Paul had to do was take $100 from the cash register and give it to the finder. Then, when the jewels' owner arrived, Paul could keep $100 for himself and put the other $100 back in the register.

Paul did give the finder the money, but the jewels' owner never showed up, so Paul was duped out of $100. How could someone be fooled by this particular con? According to Dr. Zak, “A con works not because the con man convinces you to trust him, but he convinces you that he first trusts you.” When you feel trusted, your brain releases oxytocin, your emotions get involved, your amygdala may be hijacked, and logic centers go in the opposite direction.

This is a key point for the social engineer. When someone feels you trust him, he reciprocates with trust feelings. This is the valuable lesson that the security enthusiasts who attend my five-day class learn. They don't learn how to dupe, trick, or prove someone is stupid. They learn that people are more easily duped and duped for a longer period of time when the deception is carried out with kindness and trust.

After I wrote my first book, I received many requests for interviews. One of the early questions surprised me: “Aren't you afraid you're giving the bad guys more tools to use against us?” My answer was the same then as it is now: We can't defend properly without knowing how to attack. If the first time you get punched is your first real fight, it will most likely end badly for you. That is why people take lessons in how to fight and defend themselves. In those classes they do what is called sparring, in which two people actually hit each other to learn how to hit, how to take a hit, and how to defend against being hit.

That is what a penetration test is like—learning how to take, deliver, and defend against a hit. If you were preparing for a title bout, you wouldn't grab some 90-pound guy off the street to spar with. You would choose a sparring partner who had skill, size, strength, and experience. What kind of penetration testing sparring partner do you want? One who is in the ring for the first time, or one who knows how to fight properly and can prepare you for your title bout?

One quote I have heard that I am beginning to believe more and more is from McAfee's former VP of threat research, Dmitri Alperovitch. He said, “I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact” (www.pcworld.com/article/237163/McAfee_Warns_of_Massive_5_Year_Hacking_Plot.html).

The bad guys aren't hitting up the local bookstore and going to the “how to be a bad guy” section. They learn on the job. Yet the good guys have few resources to help them learn the skills that will help them defend against attacks.

As a social engineering professional, I tell people to first practice these skills in the wild. For example, you can learn how to be a better conversationalist. Learn how to listen, how to use nonverbal communication to express emotion properly, and how to read others. As you do, you will see that you cannot shut off this instinct. It will start to open a new world for you.

The other day I finished writing Chapter 8. Because I had just reread Dr. Ekman's work, those pages were still fresh in my mind. As I spoke with friends, I couldn't help but see action units 1, 2, and 4 all over the place. I was picking up these signals with and without conversation, and doing so solidified that chapter even more for me.

To reiterate a point I made earlier in this book, “Perfect practice makes perfect.” The more you use these skills with family, friends, coworkers, and strangers, the more they become a part of your personality. After that happens, you can move to the next part, which is using these skills as a social engineer.

This is probably one of the hardest uphill battles that professional social engineers face. I know from my discussions with some of the world's greatest, like Kevin Mitnick, Chris Nickerson, and Dave Kennedy, that we all have the same problem. Many companies do not see how important it is to test real social engineering vectors. They believe that a few easy-to-spot phishing emails and a couple of USB drops constitute a “social engineering test.” You must help your customer see that the bad guys don't just send one or two emails and then give up, or drop a few USB keys in your parking lot and then leave. Attackers are focused and driven and don't give up easily. They don't go home at 5 p.m. and relax. They spend time profiling, gathering intel, and developing realistic attack vectors that work. How can a company expect anything less from its protection team?

When I was sitting with Dr. Ekman in his home, discussing the future of social engineering and nonverbal communication, I commented that it must be hard to catch him in a lie because of everything he knows about manipulating the face. But he replied that actually he is a terrible liar. However, over the decades he has practiced, tested himself, and taught himself to pick up on cues that can indicate that someone is lying. This practice has enabled him to work as a leader in his field since 1954 and write over a dozen books and publish over 100 articles on this topic. What does this mean for you and me? The same rules apply. We can utilize the research that took Dr. Ekman and other great minds decades to develop and work it into our everyday lives, becoming social engineering masters.

Using This Book to Defend

Let me return to my example about learning to fight. I once knew a guy who was a master swordsman. He was amazing with any blade. It took him about five years to get where he was, and then he spent the next five years perfecting the little things. When he started learning, he searched for just the right partner and teacher. Why? Because whomever he chose would be swinging very sharp objects at his head and body. Along with looking for someone who had knowledge and talent, my friend told me that another of the key factors he looked for was experience. Choosing someone with a proven track record meant that he could shorten the learning curve and enhance his abilities more quickly.

This is why I worked for over two years to develop close relationships with Dr. Ekman and Paul Kelly before I considered writing this book. I wanted to make sure I had a couple of “grand masters” on my side to help me reduce some of the learning curve for both you and me. Partnering with the masters of this science means that you and I benefit from the expertise, talent, knowledge, and, most of all, experience of the greatest minds in this area of research.

This helps you because keeping up on all the tactics and methods used by scam artists is time-consuming. I spend many hours every week reading news stories and reports about the latest attacks and the newest research into how humans work. But that is my job—to be the best so that I can protect my clients. You probably have a job, a family, and a life outside security. This book is designed to help you find easy ways to practice and implement the skills I've presented.

Let me step away from security for a moment and focus on communicating with other people. Whether you are communicating with your kids, your spouse, your boss, your students, people you meet in the store or on the street, people at your place of worship, or people you meet by chance, using these skills to become a better communicator will change how you send and receive information.

Being able to understand what someone is truly saying without words can help you alter your style to get your message across more proficiently. If you utilize that skill to create security measures, you will not only communicate better but also notice the signs of when someone is not communicating with clear intent.

After you are armed with this knowledge, insert this knowledge into your security awareness programs. Help the people you work with see how these skills are used by malicious social engineers. Teach them to be critical thinkers, and show them how just thinking through requests made can make a huge difference.

Becoming a Critical Thinker

In the summer of 2012, I read a newspaper article that said the Republican Party in Texas, as part of its official platform, opposed the teaching of critical-thinking skills in the public schools. I was amazed that anyone would want to forbid teachers from instilling in our kids one of the most fundamental skills they could gain.

Many times people equate critical thinking with rebellion, or with a lack of faith, or with questioning everything just for the sake of questioning. I do none of those things. I have strong faith. Although I am a typical “hacker” in the sense that I like to circumvent the norm and figure out how things work, I am not truly rebellious. I enjoy law and order.

My definition of critical thinking means teaching yourself, your family, your employees, and your clients not to accept everything at face value. Do not blindly accept the fact that I am your waste management representative, OSHA inspector, Joe from IT, or the assistant to the company vice president. Question such a fact if it doesn't sound right, if you haven't heard it before, or if you are uncertain why someone is calling you and asking you a question.

Critical thinking takes time and sometimes can be risky. For example, I once worked with a company that used a lot of call centers for support. They had a policy that after a support representative had spent over two minutes on the phone with a customer, his or her hourly pay rate decreased during the time that the call continued. Knowing this, during an audit, all I had to do was call them and keep the conversation going for this amount of time. The rep started getting tense, wanting to end my call so that he could maintain his pay rate. At that point I started to make my requests for sensitive information. Because of the stress on the rep, he stopped thinking critically and started answering whatever question I posed. This was especially true when I would say something like “I don't want to keep you any longer. Just let me ask you this one last question.” This comment gave the rep some hope that the call would end soon. Then I would ask questions like, “Listen, I am starting a small business and it is important that I try to be like the big boys. There are so many choices for trash removal—who do you use?” Or maybe another question like, “I am just setting up my office and I don't know what kind of operating systems and other software to run. What operating system do you use? What browser?”

Waiting until just before the rep's time limit runs out means that he or she is no longer reasoning logically but focusing on the pay scale, and is therefore making bad decisions about what information to give out.

Encouraging critical thinking skills within a company would reward employees for protecting company assets by questioning, thinking, and stopping an attack. Instead, companies often reward the very behavior they do not want the employee to carry out.

To assist my clients with critical-thinking skills, I've developed what I call Critical Thinking Scripts (CTSs). These aren't written-out, word-for-word conversations they should have, but a series of thoughts that will help them develop habits that keep them secure. For example, one script I wrote describes steps to follow when you use an ATM:

1. Look at your surroundings, and make sure they appear safe.

2. Don't take out your card until you're in front of the machine.

3. Before inserting your card, wiggle the card slot to ensure that it is part of the machine and is not a skimmer (a card reader installed by a hacker).

4. Look for any protruding pieces or weird-looking parts, which could indicate a skimmer (a small device that fits over the card slot and steals your data and passwords).

5. Insert your card, and shield the keypad while you enter your PIN.

6. Take your money, card, and receipt, leaving nothing behind.

7. Put everything in your wallet before leaving.

This simple CTS can protect you from being mugged or victimized by a skimmer. You should help your employees or clients develop CTSs for situations such as these:

· What should I do if I suspect that an email is a phish?

· What should I do if I just clicked a link in an email that might be a phish?

· What should I do if I suspect that a phone call is a phish?

· What should I do if I suspect that this person doesn't belong here?

· What should I do if I just answered questions that maybe I shouldn't have?

You face a challenge if the company's response to an employee's falling prey to a phish or other attack is punitive. If that's the case, it's very unlikely that employees will want to openly discuss security concerns and practices. But management needs to realize that being tricked by a malicious social engineer doesn't make someone weak or stupid—it makes him or her human. Employees must be helped to mitigate and fix problems so that the aftereffects can be minimized. The best way to do that is to give them a department or person they can report security incidents to without fear of being disciplined. You may also consider offering them extra training.

Summary

Writing this book was a learning experience. Having the opportunity to work closely with Dr. Ekman and Paul Kelly changed how I use and view nonverbal behavior. The more studying, reading, writing, and comparing I did, the more I started to see these signs in everyday conversations. This helped me communicate better, have richer conversations, understand the emotional content of those I was dealing with, and, of course, be more secure. No one magic technique described in this book can transform you into a human lie detector or mind reader. But combining the skills described in this book can give you amazing abilities to understand what someone is truly saying, even without words.

As you practice these skills, remember what Dr. Ekman told me when I started down this path with him a few years ago: “Just because you can see what someone is feeling doesn't mean you know why he is feeling that way.” Learn to use the emotions you see to focus your elicitation efforts. Learn to notice the subtle things that point to a baseline. These things will give you a leg up in any communication—as a professional social engineer or not.

You may reach out to me if you want to discuss or even debate the points in this book. My website is www.social-engineer.com. There you will find ways to communicate with me directly. I am always open to a discussion.

Thank you for spending some of your valuable time with me in the pages of this book. I hope you have found a few gems of information you can use in your life. I know I have through my journey.

As a final point, please remember my motto: Leave people feeling better for having met you. Some people try to accomplish their goals through embarrassment and humiliation. Some try to teach a lesson using fear and ridicule. But I learn better if I'm taught with humility, kindness, and encouragement. I learn better from critical thinking. Take the time to see the problem from someone else's eyes, whether he is a child or just acting like one. Take time to understand his emotions whether they make sense or not, and whether they are rational or not. I guarantee that when you do, a new world will open to you. You will be able to unmask not just social engineers, but also any human who stands before you.