A Salesman's Guide to Social Engineering: B-Sides London Edition


Upload: gavin-ewan

Posted on 30-Jun-2015

Category: Technology

DESCRIPTION

Presentation by Gavin 'Jac0byterebel' Ewan at BSides London 2012. Uploaded by popular demand!

TRANSCRIPT

Page 1: A Salesman's Guide to Social Engineering   B-Sides London Edition
Page 2:

AGENDA

● Introduction and Bio
● What is Social Engineering?
● A Talk about Sales? What the Hell, you said Social Engineering?!?
● Profile? Process? Why not both!
● Defences against Social Engineering
● The Mystery Security Test
● Recap
● Q & A Session

Page 3:

INTRODUCTION

Gavin Ewan

[email protected]

www.facebook.com/gavin.ewan

@jac0byterebel

Page 4:

BIO

1st Masters Degree comprising Psychology and Economics

Worked as:-
● Regulated Financial Adviser
● Sales Manager
● Sales Trainer

Ethical Hacking student at the University of Abertay, Dundee, Scotland.

Page 5:
Page 6:

What is Social Engineering?

● Online definition:- The practice of tricking a user into giving, or giving access to, sensitive information, thereby bypassing most or all protection

● My definition:- Bypassing the human firewall/intrusion detection system. Hacking the human mind.

Page 7:

Part Art, Part Science

Page 8:

Number of Mediums:- Face2Face

Page 9:

Number of Mediums:- Telephone

Page 10:

Number of Mediums:- Online

Page 11:

Technical?

Page 12:

Emotional

Page 13:

What Social Engineering Is Not

Page 14:

Easier, Lazier

Page 15:

Reserved for Gifted Speakers

Page 16:

Governed by Hard, Fast Rules.

Page 17:
Page 18:

Sales? But you said Social Engineering!

● Terms are not mutually exclusive

● Salesman == Social Engineer

● Good salesmen use a degree of Social Engineering skills
● Bad salesmen don't

● Social Engineers HAVE TO be good salesmen

● Selling Concept

● “I want you to buy the concept I belong here”
● “I want you to buy the concept I need your username and password”.

Page 19:

Sales? But you said Social Engineering!

The Master Salesman

● Recognises that each and every customer and sale is different

● Can play different roles

● Uses a variety of questioning techniques

● Recognises that NO doesn't mean NO. Objections are good

● Is comfortable with awkward silences (Gav's Golden Rule, Know When to Shut Up)

● Will ask for repeat business, and referrals to other customers.

The Master Social Engineer

● Recognises that each and every social engineering attack is different

● MUST act out a number of different roles

● Uses a variety of questioning techniques

● Isn't fazed by objections and can recognise a programmed response

● Is not only comfortable with, but appreciates, awkward silence

● Knows that one target won over can be used to win over other targets, or help provide a 'quick getaway'..

Page 20:
Page 21:

Profile? Process? Why not both!

DISCLAIMER
● This is what I use, because it
● Works for me
● Made me plenty cash
● Has transferred smoothly to social engineering

YOU MAY NOT AGREE WITH EVERYTHING THAT FOLLOWS

● We are all entitled to our opinion.

Page 22:

Profile? Process? Why not both!

Sales Process

(1) Prospecting the target

(2) Initial Contact and Needs Identification

(3) (Sales) Presentation

(4) Close

(5) Objection Handle

Steps 3 to 5 are circular and can be repeated as often as necessary.

Page 23:

Profile? Process? Why not both!

(1) Prospecting the Target

(1) Know your target
● Profile without direct contact
● Google
● Maltego, etc.

(2) Know your limits (backward planning)
● Salesman - QUANTITY
● Social Engineer - PERFORMANCE.

Page 24:

Profile? Process? Why not both!

Simple Personality Test for a Salesman (or Social Engineer!)
● Based on two of the four areas examined by the original Myers-Briggs test

What we need to know – Sales 101
● What they'll actually listen to
● How they make decisions based on what you've just said

What we don't need to know
● If they are an Introvert or an Extrovert
● How they handle 'issues'

DANGER!
● Further apart on the scales – Less likely to be 'compatible'.

Page 25:

Profile? Process? Why not both!

But Gav, how do I reel 'em in?

What they'll actually listen to

Sensor
● Needs to try things out first and pays attention to the finer details. Focus on one day at a time.
● Will ask you 'What?' and 'How?'

Intuitive
● Trusts the gut first and looks at the big picture. Detail can wait.
● Will ask you 'Why?'

How they make decisions

Thinker
● Driven by facts, logic and reason. Will go with what the facts suggest even if they don't like it
● Balance pros and cons for them
● Very task focussed

Feeler
● Driven by their feelings as opposed to just hard evidence
● Appreciates alternative options and viewpoints
● Very relationship focussed.

Page 26:

Profile? Process? Why not both!

And this means what exactly?

● Sensor-Thinker (Thinker) – Give them the facts, then go through, step by step, why they should buy from/help you
● Facts then Logic

● Sensor-Feeler (Feeler) – Stick to giving them the facts, but show them how what you have told them will affect the people involved (including them)
● Facts then Feelings

● Intuitive-Thinker (Controller) – Will want to know what the bigger picture is, but will expect a range of well thought-out and presented options to deal with it
● Overview then Logic

● Intuitive-Feeler (Entertainer) – Give 'em the big picture and then show how all the pieces fit together and who will be affected. Loves a story
● Overview then Feelings.

Page 27:

Profile? Process? Why not both!

[Slide diagram: a 2x2 grid of the four profiles, Controller, Entertainer, Thinker and Feeler, with typical job roles placed on it: Managers, Sales Staff, Techies/Researchers, Security Staff, Marketing, Finance.]

Page 28:

Profile? Process? Why not both!

(2) Initial Contact and Needs Identification

(1) Continue profiling

(2) Work out needs of customer/target
● Through appropriate questioning

(3) WATCH

(4) LISTEN.

Page 29:

Profile? Process? Why not both!

Questioning Techniques

Page 30:

Profile? Process? Why not both!

What to Watch and Listen for

Some Basic NLP

● See as a target sees

● 3 basic methods of perceiving the world
● Visual
● Auditory
● Kinaesthetic

● Language is the quickest guide

● Visual – I see what you mean, You'll have to watch that one

● Auditory – That rings a bell, I hear what you are saying

● Kinaesthetic – Let's touch base, I've got a grasp of what you mean.

Page 31:

Profile? Process? Why not both!

What to Watch and Listen for

WATCH!

[Slide diagram: eye-accessing cues, labelled RIGHT and LEFT, mapping where the target's eyes move to what they are doing: creating images, remembering images, creating words/sounds, remembering words/sounds, feelings (words to feelings), internal dialogue (words to sounds), and an unfocussed stare, meaning processing information (usually visual).]

Page 32:

Profile? Process? Why not both!

What to Watch and Listen for

LISTEN!

Visuals
● Higher pitched, quick talkers

Auditories
● Low pitch, good rhythm, smooth tone. Concentrating on sounding good

Kinaesthetics
● Constant pauses in speech. Tendency to be 'touchy-feely'.

Page 33:

Profile? Process? Why not both!

(3) (Sales) Presentation

(1) Relay customer/target's needs back to them
● According to profile
● In their 'language'
● Features vs Benefits
● Feature = Something the item has
● Benefit = Something the customer/target needs

(2) AGREE on needs
● 'Ski downhill' (contrast effect)
● Slight adjustments will not be noticed (heuristics).

Page 34:

Profile? Process? Why not both!

The Contrast Effect

PRESENTATION ORDER IS VITAL!!!!

● Salesman - EXPENSIVE >>>>> CHEAP

● Social Engineer – BIG request >>>>> REAL request.

Page 35:

Profile? Process? Why not both!

Heuristics

● The human brain has an 'auto-correct' facility!
● “Aoccdrnig to rscheearch, it deosn't mttaer in waht oredr the ltteers in a wrod are, olny taht the frist and lsat ltteer be at the rghit pclae. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe”
● Not readable by a computer
● What about.....
● An ID badge with slight variations
● A document with some 'favourable' additions

Page 36:

Profile? Process? Why not both!

(4) Closing

(1) Interpret buying signals
● Verbal - “So let me get this straight, I can have it in red, or black?”
● Non Verbal -

Page 37:

Profile? Process? Why not both!

(4) Closing (cont.)

(2) Use appropriate close
● Assumptive or Command Close – 'Assume' they agree and ask for the business
● Alternative Close – Give them a 'choice'; either way, you win

IDEAL TIME TO USE SOME EMBEDDED COMMANDS!

Page 38:

Profile? Process? Why not both!

Embedded Commands

● Trojans of the human mind

● Subconscious processing is different

● Gav's Guide to embedding

(1) Pause before the embedded command

(2) Talk louder at the embedded command

(3) Adopt a 'command' tonality at the command (down-turn)

(4) Pause after the embedded command

● Inject the command into a seemingly innocuous statement

● Add a command verb (Do, get, recall, buy, etc)

● Fire away

● Salesman - “By now, you'll know if you want to place an order”.

● Social Engineer - “I don't expect you to let me in right away”

Page 39:

Profile? Process? Why not both!

(5) Objection Handling
● OBJECTION == FREE LOOK AT TARGET'S TRAIN OF THOUGHT
● Two main types of objection to deal with

Sincere
● A genuine concern that must be overcome
● From reasoned consideration

Insincere
● Masks unrelated concerns
● Indicator of a far bigger objection.

Page 40:

Profile? Process? Why not both!

Dealing with the Objection

GAV'S GOLDEN RULE – Never, ever, ever, dismiss an objection out of hand – LISTEN!

Understanding statement

SPIN/PEGY
● SPIN: Situation, Problem, Implication, Need
● PEGY: Problem, Effect, Give up, You

FEEL, FELT, FOUND

Page 41:
Page 42:

Defences against Social Engineering

If (Weak Link == Humans)

Exploit Humans

Else

Exploit Other Stuff

THEN Y U NO!!!!!!!!!!!!!!!!!!!!

Have a set framework for defending against an attack?

Stop considering SE tests unethical?

WHAT THE BAD GUYS THINK

Page 43:

Defences against Social Engineering

Attack 1

Defence?

Attack 2

Defence?

Defence against tools of a Social Engineer

Page 44:

Defences against Social Engineering

What about 'Direct' attacks

Defence?

Problem

3 Golden Rules to enforce

● Calling companies to ensure that a 'visitor' should be here

● Calling the member of staff they are meant to be visiting

● If in doubt, ask for help, don't just assume

Too much 'stick', not enough 'carrot'.
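The three rules above, together with the 'ID badge with slight variations' trick from the heuristics slide, written out as a front-desk check-in procedure. This is an added example and not part of the talk; the staff directory, supplier register, phone numbers and visitor names are constructed sample data, and a 'phone call' is modelled as a function so the procedure runs offline. The one caveat the slides leave implicit is made explicit in the code: callbacks go only to numbers already held on file, never to a number the visitor hands over.

```python
"""Front-desk visitor verification (added example, constructed data).

Rule 1: call the visitor's company to confirm they should be here.
Rule 2: call the member of staff they say they are visiting.
Rule 3: if in doubt, ask for help rather than assume.
Plus: never 'auto-correct' a badge name that is only nearly right.
"""
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed internal directory.  Callback extensions come ONLY from here.
STAFF_DIRECTORY: Dict[str, Dict[str, str]] = {
    "alice.mcdonald": {"name": "Alice McDonald", "ext": "4412"},
    "bob.fraser": {"name": "Bob Fraser", "ext": "4417"},
}

# Constructed supplier register: company -> switchboard number held on file.
APPROVED_COMPANIES: Dict[str, str] = {
    "Acme Maintenance Ltd": "+44 20 7946 0001",
}

# Constructed pre-registered visits: host -> {(visitor name, company)}.
EXPECTED_VISITS: Dict[str, Set[Tuple[str, str]]] = {
    "alice.mcdonald": {("John Smith", "Acme Maintenance Ltd")},
}

# A 'phone call' is a function (number, question) -> answered yes?
PhoneCall = Callable[[str, str], bool]


@dataclass
class Visitor:
    badge_name: str
    company: str
    claimed_host: str
    # A number the visitor offers "to save you looking it up" may reach an
    # accomplice.  It is logged but never dialled.
    offered_number: Optional[str] = None


@dataclass
class Decision:
    outcome: str                       # "ADMIT", "REFUSE" or "ESCALATE"
    reasons: List[str] = field(default_factory=list)


def _near_match(a: str, b: str, threshold: float = 0.8) -> bool:
    """True when two names differ only slightly ('Jonh' vs 'John')."""
    return a != b and SequenceMatcher(None, a.lower(), b.lower()).ratio() >= threshold


def check_in(visitor: Visitor, call: PhoneCall) -> Decision:
    d = Decision("ESCALATE")
    host = STAFF_DIRECTORY.get(visitor.claimed_host)
    if host is None:                   # rule 3: unknown host, ask for help
        d.reasons.append(f"host {visitor.claimed_host!r} not in directory")
        return d
    company_number = APPROVED_COMPANIES.get(visitor.company)
    if company_number is None:         # rule 3: unknown company, ask for help
        d.reasons.append(f"company {visitor.company!r} not in supplier register")
        return d
    if visitor.offered_number and visitor.offered_number != company_number:
        d.reasons.append("visitor-supplied number ignored; using number on file")

    expected = EXPECTED_VISITS.get(visitor.claimed_host, set())
    if (visitor.badge_name, visitor.company) not in expected:
        # The human eye would read 'Jonh Smith' as 'John Smith'.  A slight
        # variation is exactly what an attacker relies on, so do not assume:
        # hand it to a person with the discrepancy spelled out.
        near = [n for (n, c) in expected
                if c == visitor.company and _near_match(n, visitor.badge_name)]
        if near:
            d.reasons.append(
                f"badge name {visitor.badge_name!r} nearly matches expected "
                f"{near[0]!r}; do not assume, check with the host in person")
            return d
        d.reasons.append("visitor not pre-registered")

    # Rule 1: ring the company on the number WE hold, not one we were given.
    if not call(company_number, f"Is {visitor.badge_name} visiting {host['name']} today?"):
        d.outcome = "REFUSE"
        d.reasons.append("company could not confirm visitor")
        return d
    # Rule 2: ring the host on their internal extension.
    if not call(host["ext"], f"Are you expecting {visitor.badge_name} from {visitor.company}?"):
        d.outcome = "REFUSE"
        d.reasons.append("host did not confirm visitor")
        return d
    d.outcome = "ADMIT"
    d.reasons.append("confirmed by company and host")
    return d
```

The near-match threshold of 0.8 is an assumption chosen for the sample names; in practice the point is not the number but that a near miss is never silently accepted or silently refused, it is escalated with the two names side by side so a person can make the call.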

Page 45:
Page 46:

The Mystery Security Test

● Mystery Security Test born from personally witnessed disregard for security in financial services

● Banks, and many retail outlets, are assessed under the Mystery Shopper scheme

Mystery Shopper

● Secret shopper who will enter a branch or outlet with a predetermined list of objectives. They will not buy, rather they decline politely, leave and submit a report to the company

● Checks that the customer experience is fair across the board and that staff are providing the best service at all times. Money can be LOST based on these results

● Mystery Shoppers can be internal, external and their arrival is never announced

● Considered ethical.

Page 47:

The Mystery Security Test

The Mystery Security Test

● Smaller targets chosen

● Secret security tester will enter branch, retail outlet, office or other unit with a list of objectives to achieve. This will include securing valuable information like passwords, key combinations, and details of non-public areas and practices

● Will hold a 'get out of jail' card like a pen-tester

● Security led, this will check that customer data is safe in the hands of your employees. Ask yourself a question. Would your customer be happy with great service, but knowing their data is insecure?

● Could be done internally, or externally

● A key factor in running a financial services company is that customer data is safe. The only security measure in place at the moment is fines when it all goes wrong.

Page 48:

Recap

● Whether you like it or not, Social Engineering is a growing threat and YOU have fallen victim

● We are training people daily to attack our human weaknesses

● Attackers are using psychology to know what buttons to press. Do you know what personality type you are yet?

● We have a false sense of security that current policies will protect us against everything

● Finally we saw that while difficult, Social Engineering attacks can be defended against.

Page 49:
Page 50:

WHOAMI

Gavin Ewan

[email protected]

www.facebook.com/gavin.ewan

@jac0byterebel

Page 51:

Black Hat Objection Handling

The Magical Number Seven
● The human brain has a number of 'buffers' to help process incoming information. What if we could overflow them?

● Miller's Law:- 'We can store around seven SMALL pieces of information in our short term memory buffer'

● In reality, only 3 or 4 pieces of meaningful information

● In order to fill this buffer, we can

● Supply information in awkward chunks
● Open threads of information and not fully close them

● When the buffer is full, requests more likely to be dealt with directly by subconscious.