Source Code to the Human Mind - The Science Behind Social Engineering
11:55PM Jul 30, 2020
Welcome back to HOPE 2022, our attendees, our volunteers and our folks watching all over the world. Welcome back. Our next talk is "Source Code to the Human Mind: The Science on Social Engineering" by Kristian McGlothlin, a US Navy veteran, public speaker and social engineer extraordinaire. Social engineering is one of the hottest talked-about topics at conferences around the world. What makes social engineering so popular and why is it so successful? As a reminder to our attendees, the only way you can ask questions is through the live stream Q&A channel through our exclusive Matrix feed. So please ask questions; we will relay them to the speaker after his presentation. And now Christian McGlothlin.
Thank you. Thank you so much. I just want to say it's a great pleasure to be here, and for everybody that's watching at home, glad you all are safe, and I hope you guys have had a great conference so far. Social engineering isn't really something that I can cover in the hour, really 45 minutes, that I have with HOPE. Some people spend their whole lives dedicated to the study. There's degrees on psychology from the bachelor's all the way up to the doctorate level, and there's whole focuses on just studying the human mind. But my goal really, in this talk, is to get you interested. I want you to leave knowing at least one interesting, fun thing from this talk. So with that, we'll go ahead and begin.
I'll start off here. Alright.
So, my name is Christian McLaughlin, as I was introduced. I'm a US Navy veteran. Seven years; I did two tours, three deployments overseas. I'm now out of the military. I'm a SOC analyst, I do security research. I'm a public speaker, which is funny because it goes right hand in hand with the social engineering talk, pen tester, and as always, I am a social engineer. I like to study mostly in the field of macrosociology, which is the study of human behavior on a larger scale, so the society level. I'm really interested in how we as a society can be socially manipulated and how we act with each other. So we're going to get started here.
So what is social engineering? Well, it was covered in the introduction pretty well. It's a hot topic today. Really it is. But I'm not going to talk necessarily about what or how to use it. I'm really going to talk about how and why it works. Really, we're going to get deep into the science behind it and associate the psychology, and talk about communication too and why that's really, really, really important. So, as always, I or myself and anybody, I hope we don't condone repeating any of these attempts or activities maliciously, unless, of course, you have permission first. So it's important to get permission in writing. I'm going to be talking about a lot of resources too. I pulled a lot of resources, mostly books, for this talk. So if you're into reading, you're gonna have a reading list for the rest of the year. If anybody's familiar with Kevin Mitnick, he wrote the book The Art of Deception, which is an amazing book written years and years ago, but it's still relevant today.
So social engineering is human hacking. We target humans, employees, co-workers, families, friends, but not maliciously, always. Social engineering has two goals. You either want to extract information from your target, or you want your target to perform some kind of function or task for you. They're both very simple, but highly targeted forms of psychological... not manipulation, but that's the word that likes to get used a lot, but we'll talk about why it's not really manipulation. So there's three common types of social engineering. There's text-based, which is phishing; it can be emails, could be text messages really. Vishing, which is done with the voice, like over the phone. And then there's in-person social engineering, usually dealt with like impersonation. But that deals with in person. So social engineering aims to exploit six flaws that we have as humans when we're engaging with each other. These six vulnerabilities, as they be called, are identified... and, Robert, I'm going to butcher your name, Cialdini's book Influence: The Psychology of Persuasion is an amazing book. I've read it two, maybe three times. It holds true to this day.
So we're going to talk about the first topic here, which is liking. So liking is: as people, we are more willing to do something for somebody when we like them. The causes of liking could be having something similar in common. I like Star Wars. So if, you know, the person who's targeting me likes Star Wars, that's a great way to go at it. I'll talk about Star Wars all day. I'll listen to it. It's a great way to get me relaxed. People who compliment us: compliment your shirt, say something nice to you. It catches you off guard. And we have similar goals, or goals that we're working towards, is another one, helping us. So one thing that's critical, the difference between like a business approach, which is less successful and beneficial and more professional, is establishing a personal relationship is drastically more successful. If you can get a personal relationship with your target, your attacks are going to work much, much better.
So reciprocity is the next one. This focuses on obligation, but not necessarily; you're not expecting something in return. You're trying to get the person to feel like they owe you something, returning a gift. So an interesting thing about giving gifts is they don't have to be physical. They can be information. You can be telling a joke to somebody or really a secret; especially if you tell somebody a secret, that's definitely giving a gift and they'll probably want to, you know, give something back. So an interesting study is that in restaurants, people who are given mints, their tips are almost doubled. Or the people who give twice as many mints in restaurants, their tips are almost quadruple actually. So that's interesting to know.
Next one is scarcity. So scarcity is a fun one. It has to do with the availability of something. So value and availability are disproportional, or they're inversely proportional to each other.
As the availability of something decreases, its value increases. So we can target people using this technique by saying things like limited edition, exclusive, for a short time only. And this makes us feel like we have to buy this, it's necessary, even if we don't need it. Or if we don't want something, make it limited. This is great for social engineering attacks when you give them a time limit and it's running out and they make them feel like they have to do it quickly.
Consistency is the next one. So, consistency is pretty much the privilege escalation of social engineering. You start small, right? And you constantly ask for more and more. But you want to ask the same person. And a great thing about this is to target a specific person, especially somebody who is at a lower level who doesn't feel important. You make them feel important. You ask them for a small thing, like, "Hey, I don't have a pen or pencil," and they give it to you. And then maybe an hour or a day later, it turns into, "Hey, I need the password for this and this," and they're just going to trust you because you've already formed that relationship. And you've escalated that privilege up so high.
So consensus is the next one. Consensus is when we as humans feel doubt about something, we seek approval through others. Other people are okay with it, we're okay with it. It's just human nature. It's based on actions and behaviors. So we are compelled to follow the general consensus of others. This could mean having the social proofing, having the social approval of people. But another good way of targeting this is saying that, for example, you're in a bank or you're in your target area, you're trying to get access to something.
You can mention somebody high up, who has been approved by the company: "I'm here to represent, you know, I'm here on behalf of the CTO," and they know who the CTO is. So if you're here on behalf of the CTO, you know, it's almost as if he's walking there with you. And speaking of walking with, stepping outside of somebody's office, or just being in close proximity with that person, could just give you immediate social proof off the bat. Nobody's going to question you.
And the last one is authority. I don't like to use authority. Authority is a very hot topic, and it's really the last one we like to use. We don't want to force people to give us information, which is what authority is. But there are also ways to finesse authority. So, if you tell somebody that it's critical that something gets done, and if you say, "Well, if it doesn't get done, that's fine, I'll tell so-and-so and then, you know, it'll be on you, and what's your name, by the way?", that's a good way to get authority. You're scaring them and you're giving them that social proof, but also you're posting your authority, and you're supposed to be here. With authority, I would be very, very careful about who you try to impersonate. Never try to impersonate federal employees or law enforcement officers. I wouldn't really even go as far as to impersonate any public official with the government. It's just not a good idea.
So we're gonna talk about communication. So the numbers that are on the PowerPoint slide here are not exact numbers, but they give you a great idea of having a visual of what percentage of communication is important. So 7% of communication is verbal, right about. That's not very much. If I'm vishing somebody, it's telling me that that 7% of what I'm trying to communicate is being spread, or it's being networked, across the phone. The crazy part is that almost more than half of communication is body language.
And how I'm acting, what I'm wearing, how I look, that's important. Postures, gestures, breathing, your facial expressions, these are all important. So communication is really more than just, you know, what we say; it's how we say things, when, where we say things, how we dress, how we sit, what we do. So I'm going to show a couple pictures here, just to give you an idea of understanding communication. So these are a pair of Marines. If you're familiar at all with the military, you know any Marines, you know these guys would much rather be back at the barracks, drinking beer, playing video games. They don't want to be here. They don't look very happy. And they're pretty serious. I wouldn't approach these guys; plus they're armed. Right? That's a great visual indication. They're wearing uniforms. They're professional. You have so much communication right there on what's being paid to you as a message. This is a funny one though. European cops, or cops in the UK: their vehicles and their uniforms are generally reflective because they like to be seen by people. They're communicating, "Hey, I am here, you know, call me if you need me or point me out." Whereas American cops, they like to have dark vehicles. They like to have undercover vehicles. They're out there trying to, you know, catch you speeding, doing crime, or they're really just out there to get you. Now that's just a generalization. And it's meant to be funny. It's not entirely true all across the board. I just want to put that out there. And this is a great one right here. This goes with tip jars. This goes with, you know, anything in general. But the open music case, we know what that means. It means, "I'm performing, and put money in here for my performance." And it's crazy that we know what that means, that we as humans would go ahead and just do that. He was not even going to tell you that's what you need to do.
So let's talk about the three phases of communication. We have perception, evaluation and transmission. Before we even talk or open our mouth, we perceive the situation. It's a combination of our senses, smelling, seeing, hearing. And really, it's our experience; we bring in our experiences to the perception and we formulate conclusions based off of that. We formulate our conclusions, we then evaluate for value. We need to find value in something: how much we value what's being talked about, how much we value the person that's talking, how much we value the context. And value is really, really important because we're going to be more compelled to communicate when it's something that we care about or that we value. And then there's transmission; that's when we are communicating our thoughts. It can be verbally, it can be shaking our head, nodding, it could be ignoring or looking the other way. So that's super important to understand.
And then there's the structure. So think of the structure as you have two circles, and then you have one big circle that's surrounding them both. You have us, we have the other person or audience, right. And then we have the context of what's being talked about. So this is important to understand the conversation with people. Physical communication, as we talked about, is extremely important, and tone, facial expressions, gestures, posture, it's all important. We, as humans, don't... Texting isn't really an effective method of communication, and neither is talking on the phone. We like to be social and we like to talk to each other. I will say something that's really interesting, especially being a millennial myself and observing things as I have: we have adapted as humans to develop ways to communicate and increase that communication that's not being done in person, through emojis, emoticons, memes, and GIFs. GIFs are super important. If I want to convey that I'm happy, instead of just sending a smiley face, I'm going to look for the perfect GIF. It could be somebody raising their hands. It could be somebody just grinning or smiling in the camera. I'm going to find the perfect GIF for exactly how I feel.
And I think that's really interesting, that we have developed this method of communicating. So why is reading our target important, and understanding this whole communication process? We have to understand all aspects of communication as a social engineer, because we're hackers. We need to be in control of the conversation. You can't control a conversation if you don't understand the foundation that it's laying on. So that's why we have to understand context, we have to understand your target, we have to understand things like what I just spoke about. So we need to know as much as we can communicate about communication, such as structure and flow.
So now we're going to verge into the next section, and talk about the limbic system. Again, I have about 25 minutes or so to talk about this, so I can't get too in depth. The limbic system, there are papers, there are websites, there are whole degrees on this system and the human body. I'm only here to get you intrigued on it. So the limbic system for us is primal. It reacts, it doesn't think. It's not a logical system. There is some logic involved with it, but it's not thoughtful logic. It drives motivation, emotion. It helps with learning and with memory. So nonverbal communication, body language, is reflective of the limbic system in the brain. So this is really the brain's intrusion detection system also, and we'll talk about that later. So a fun fact about the human brain before I go on: if you wonder why the human brain has wrinkles in it, it's because neurons, their processing is increased with the greater surface area. So if you were to take a piece of paper, right, and this is a whole surface area right here, and you were to crumble it up into something really, really small and stick it inside your brain, right? You have not decreased the surface area of this; you have really just effectively made it fit better. And that's why calling somebody smooth brain is an insult.
So the first thing we're gonna talk about is the hypothalamus, and this deals with homeostasis in the mind. It drives hunger, thirst; it responds to pain, anger, aggression and sexual behaviors. So why is the hypothalamus super important? Well, we have to understand how we respond to things. And I encourage everybody to look up all these, the limbic system, after the talk and learn more about it. It's really, really good to know.
The hippocampus is the next point; I'm going to just touch briefly on this. It converts short-term memory into long-term memory. It's important for memory, remembering things. If the hippocampus is damaged in our mind, we fail to make memories, we fail to remember things, but we will remember all of the memories that have happened previously. Like living in a constant state forever where nothing changes, just like in 50 First Dates, which seems like a nice concept, but most people who develop this disorder or have this damage end up going to psychiatric hospitals because, you know, they go insane.
And the amygdala: if you know about social engineering, you know about amygdala hijacking. This is a fun one that social engineers like to teach. So this is the emotional center of the brain. And this is what really, really drives motivation. It alarms the body, or the brain, which tells the body of any danger. It trains the brain and associates emotions with triggers, right? So if we as a child remember something that will scar us, it's the amygdala that's helping form this communication, this connection. And it reacts, it remembers things. So we're not thinking when we react. For example, a dog barking. It scares us, right? It makes us frightened. And that's because we as humans, as a species, have been trained to be afraid of dogs, even if we like them. It's just an instant, immediate reaction. So this is great for phishing scams; you want to hijack the amygdala.
Create pleasure, excitement, danger: "you'll respond to this email now." So why is this important? Well, we really pretty much talked and covered about these and why understanding the human brain is important. You have to know the trigger points of your target. You have to understand, as a human and as a species, the things that trigger us negatively, but also the individual. This is great for pretexting. When you're creating a pretext engagement, it's important to study your target, and this is definitely something to take into consideration.
So these are different neurotransmitters and hormones within the body that help facilitate the limbic system and help drive our happiness. So dopamine, for example, it's considered the feel-good hormone. It is a hormone and a neurotransmitter. It helps with learning and memory and motor functions within the body. Serotonin is a hormone and neurotransmitter also; it helps with mood, sleep, appetite and memory. Oxytocin, which we'll talk about a little bit later, is called the love hormone. And it's just a hormone. It helps with childbirth and breastfeeding because it's important to create trust and bonding. And also during sex, this oxytocin is released. So when you're releasing oxytocin, you are creating a chemical bond with whoever you are interacting with. And lastly is endorphins, which are pain relievers to the body. They are produced during stress and discomfort. They help us feel more relaxed, or not really relaxed, but give us this good feeling. They're also engaged during reward-producing activities. So if somebody makes you feel good about yourself, you also produce endorphins. It's important to understand that we seek comfort in safety as human beings. So everything that we do is to make us feel happy inside, and to make us feel better about ourselves.
We seek our wants or needs, desires, we understand our fears, and we pick our preferences. So with that, I want to get into a super interesting topic, which is colors. Colors are really, really important to us. And this section might help some people out a lot. Colors are embedded into our biological mind. It's just passed down through our DNA and through genetics. So color is a very, very important form of nonverbal communication. It warns us about danger in nature and expresses emotions such as love, rage and fear. First color up was blue. Blue is widely known for relaxation and being calm, but blue in overuse can cause or be a concern for depression, and blue would be associated with the sky and the ocean. Green also is a relaxing color. This represents clear thoughts and vision, and it being relaxing too. Also it's the earth, the green and the blue; no surprise why those colors make us feel relaxed.
So next up we have yellow, and yellow, again with colors, we have our preferences. Some people might hate blue and green and some people might like yellow. As primates, our primal instinct is to react a certain way to some of these colors. So yellow is a symbol of danger. It's irritating; it's also a sign of intelligence. But it warns us, and yellow in excess can cause sensory overload, which is why if you have like autism, or you have sensory disorders, yellow can freak you out. So if you have kids with autism and you have yellow everywhere, I would think twice about having that. Red is probably one of the most interesting colors, I think personally. First, it's eye-catching. It's the first color that we process in the human mind. It can symbolize power, it can symbolize strength, it can be fierce, so we can be telling people that we are a person to them to be afraid of or be confident with, or that we're strong or self-confident. It can also warn us, just like yellow, of danger. So red's probably one of my more interesting colors that I like. And of course there are some examples of the color red. Black and white are also interesting. So black is a color of power and authority, while white is purity and innocence. And you can see that reflected in the yin-yang symbol. So colors are really, really important. When I'm doing job interviews or when I am going out to a social engagement, I do pick my colors pretty carefully. I got the red tie, I also got the blue tie and the blue suit. And I also have the black and white suit if I want to be professional, or, you know, I got just plain white or just plain black if I want to seem professional or if I want to seem, you know, docile, innocent. So, color is really, really important.
Next, we're going to talk about proxemics. So, this also falls in with the human mind, but more or less the way we observe things.
Proxemics is the study of the use of space and the effects of population density on behavior, communication and social interaction. The term was coined by Edward T. Hall. So with proxemics, we have these defining boundaries here. Generally, how a conversation would start is you'd be out in the public space or even farther out, and you might call out to somebody and want to talk with them. Now, if they're in a public space, your conversation is public; you aren't afraid of other people hearing it. If you want to say, "Hey, come here," you're inviting them into your social space to have a more social conversation. But again, anybody passing by can overhear you. Personal space is something a little bit closer; you're probably telling somebody something that you don't want to be known public, but you're not really whispering or keeping a secret. And then intimate space is, you know, a secret, or you're really, really trying not to let other people overhear your conversation. So as a social engineer, we want to get close to our target. That is the goal. It may seem weird, because getting close can be uncomfortable for some people, but really the brain, if somebody is in your personal space, right, even if they weren't invited in, if done right, it can grow to actually relax you. So for example, let's say I need map directions and I'm going to come up to you. At first your warning signs are going off. But as the conversation progresses, after a minute, you're relaxed, you're calm, you know, you don't feel weirded out anymore. And culture really does matter with this. So these are not solid numbers. In some cultures, it's acceptable to be within the personal space of another person. In some cultures, like in America, we like our personal space. We don't want people around us. But it still holds true with getting close to somebody, how it relaxes them.
We're going to talk a little bit about the pioneers of emotion before we dive a little bit into facial expressions. So Charles Darwin, who first studied on the Galapagos Islands, or Galapagos Islands, was the first pioneer of emotion. He studied Darwinism and natural selection and wrote the book The Expressions of Emotions of Man and Animal. It's an old book. It still holds true, but read it at your own discretion because, again, it's an old book, different time. Later, we have Paul Ekman. You might not know who Paul Ekman is, but you do know who he is. Paul Ekman, if you've ever seen the TV show Lie to Me, he helped write that, or he helped them with the writing of that show, and the guidance, and he also was involved with the show Inside Out. I'm definitely sure if you have kids, you've seen this movie. It is a really great movie about human emotions. So Paul Ekman co-founded micro expressions in 1967. He traveled to Papua New Guinea to study nonverbal communication with the Fore people. And he realized that facial expressions are universal, right? This is a population that is separate from society, and their facial expressions are the same. So he came up with the Facial Action Coding System, or FACS. It took eight years framing to develop. But in 1978, he ended up developing it. And it's used by leading industries in the world right now.
We're going to touch up on the human brain a little bit more and understand the different sides of the brain. So the left side of the brain is more logical. It helps with speech, mathematics, linear, sequential, logical reality, analytic detail, blah, blah, blah. And when it's damaged, you can have difficulty with speaking, understanding words, and you have very slow and careful movements. Whereas the right side of the brain is holistic. It's random. It's intuitive, it's visual, it's musical, artful, rhythmic. And it's artistic, and open-minded. When this side of the brain is damaged, we have difficulty with visual perception or decision making, and we're very impulsive, a short attention span, and we're slow to learn new things.
So let's talk about facial expressions. The eyes, right. So, direct contact with the eyes displays interest or attentiveness, but prolonged eye contact can be a threatening gesture. So, breaking eye contact periodically is normal, but making direct eye contact with somebody is definitely good communication behavior. When we break eye contact, the cue for certain things, like for being questioned, it can be concealment, it can show that we're uncomfortable with something, or we're distracted from something. Rapid blinking is a symbol of distress or discomfort.
Infrequent blinking is a concealment of your emotions though, otherwise known as poker face, and raising eyebrows displays uncertainty or surprise. The mouth, some interesting things about this: when you purse your lips, it can be a sign of distrust or distaste or disapproval. Lip biting shows stress or anxiety or warning. Covering the mouth like this is concealment, or trying to hide an emotion from somebody. Turning away, turning up, smiling is happiness, optimism, like a really, really big smile. Whereas turning down, it shows sadness and frowning, grimace.
Gestures. This is a funny one, the okay symbol. It's crazy how certain gestures have changed over time. This used to be the symbol for okay, this used to be the circle game, and now it's a racist symbol, but gestures evolve over time and we have to understand that. So some gestures, though, they do hold a biological relevance, like clenching your fist is a symbol of anger, solidarity. You'll see kids do this; they don't even know what this means. Thumbs up is for approval, or thumbs down for disapproval. And the V sign is for peace or victory. I don't really mean, I guess, yeah, victory if you are champion, I don't know. But gestures are not universal. There's cultural significance with gestures, just remember that, but generally as humans some gestures with the hands will be universal.
Arms and legs: when your arms are crossed, it indicates that a person might be defensive, or they might be self-protected, but also, this is a very comfortable posture. This might just be done to make us feel comfortable. If we are uncomfortable, we will display comfort behaviors. Hands on your hips is when somebody is feeling ready or in control or even aggressive. Clasping hands behind your back is a sign of boredom or anxiety or anger. Tapping or fidgeting can show signs of boredom, and crossing your legs is the sign of closing off for privacy.
One important thing with hands and hand gestures is when you display your hands, you are showing and communicating with the person that you are not a threat, right? So when somebody can't see your hands, in the back of their mind they might have like a flight off feeling, but if your hands are on the desk or displayed or you show them, people get more comfortable with you. Again, with posture, if you have an open body posture, you're friendly and open, but if it's closed off, or hunched or crossed, it can indicate hostility, unfriendliness, or actually, like I said earlier, anxiety. You want to tell somebody if they're welcoming to a group. So this is an interesting one, body language and legs. This is one that I heard from Joe Navarro. He told me about this at the Human Hacking Conference this year. When you walk up to a group of people, and you want to tell if you're invited into that group: the person just turns their waist or looks at you, they're acknowledging you. But when they turn their legs, they're opening up the circle for you. They're welcoming you. I've never, ever looked at groups of people the same way ever again, learning that.
So facial expressions, we'll go ahead and knock these out real quick because there's not much to them. We already understand most of these. As humans, we like to manipulate our face in certain ways, like we mimic behaviors that are fake, so smiling when we're not really happy. We do that too, just because we know the facial expressions are important to each other. And also I want to talk about mimicking gestures. So if you don't understand a gesture, mimic it. This includes facial expressions. This includes body posture. So if biting your lip is a gesture you don't understand, or pursing your lips or crossing your arms, do it, see how it makes you feel, and that's probably why the other person is doing it.
So we'll talk about sadness. Sadness is an emotion of loss, despair, grief, helplessness, disappointment or sorrow. The inner corner of the lips, they and the eyebrows are drawn in, and then the skin below the eyebrows is triangulated with inner corner up. The jaws and the lips are on down, the jaw comes up but the lower lip pouts out. So that is like facial expressions of sadness. Anger, which is a strong uncomfortable feeling of hostility in response to provocation, hurt or threat: the eyebrows are lowered and drawn together. There are vertical lines between your eyebrows, the lower lip is tensed, your eyes are hard stare and bulging. Lips can be pressed together firm with the corners down or in a square shape.
Nostrils are usually dilated or flared and the jaw juts out. Happiness, which is a positive or pleasant feeling: the corners of the lips are drawn back and up, the mouth may or may not be exposed. So, having teeth exposed is not necessarily a sign of true genuine happiness. But it could be just smiling in general, like you can tell by the strength of the facial expressions. So the cheeks are raised, eyelids can show wrinkles or be tense. There's crow's feet around the outside of the eyes. Contempt, which is an interesting emotion, you know, it's a sign of hate, or, I don't know, behavior or attitudes towards individuals or groups that could show distrust or anger. One side of the mouth is usually raised; the facial expression isn't the same on both sides. With fear, eyebrows are raised and drawn together, usually in a flat line; wrinkles in the forehead are in the center in between the eyebrows, not across; the upper eyelid is raised but the lower eyelid is tense and drawn up. Eyes have the upper white showing but not the lower white showing. The mouth is open, lips are slightly tensed and they're stretched and drawn back. And disgust: so, the upper lip is raised, upper teeth may be exposed, the nose is wrinkled and your cheeks are raised. I'm going to try to get through these quickly. Surprise, or being startled or having an unexpected event: the eyebrows are raised and curved. The skin below the brow is stretched, horizontal wrinkles across the forehead, eyelids are closed, but the white of the eyes is showing above and below, and the jaw drops and teeth are parted. But it's not tense and there's no stretching of the mouth. It's very natural. So we're gonna talk real quick about building trust. As we talked about earlier, trust is a very strong emotion. But I'm gonna dispel a rumor here with social engineering. It's not trying to get the person to trust you. Your target, right?
It's trying to get your target to feel like you trust them. That is the secret: when somebody feels trusted and wanted, they are relaxed.
But again, do not misconceive the idea that it is manipulation, right, we want to inspire people to trust us. So this is the chemical formula of oxytocin, again, known as the moral molecule or the cuddle hormone. It's for intimacy, trust and healthy relationship building; again, for sex, childbirth and breastfeeding, we release oxytocin. This is our vulnerability. This is what makes us happy and comfortable. If somebody is able to exploit this and make you release these hormones, or the trust molecule, it can actually spell danger. And it's very, very scary because I recognize when I'm releasing it, and it's very scary how often it is that I release it. When you get into an argument with somebody, for example, and they want to apologize to you, you immediately feel sorry too, like you're releasing these good hormones, right? When somebody comes up to me asking for a favor or wanting something from me or asking for advice, and they're seeking my counsel, I'm immediately guard down 100%, most of the time. We're going to talk about building rapport. So the ability to build a relationship with somebody is building rapport, that rapport. Happy people like to feel helpful and right, emphasis on the right. Communication has to be open and honest, and building healthy relationships on a foundation of trust. So authority is always used last, as a backup, because that cannot be used first. You don't want to ruin that relationship. So, situational context, maybe authority might be necessary, but when wanting to build that relationship, you have to make sure the person feels that they're helpful. Nobody likes to feel like they're wrong. So don't ever make somebody feel like they're wrong, and be open and honest. So the steps to building rapport. So you have to establish time constraints, right?
Like tell somebody, like, "Hey, this is only gonna take a moment," or, you know, "Sorry to bother you, it won't take long." If somebody knows the time constraint, how long they're gonna interact with you, it's easier for them. Accommodate nonverbals, which is body language. Use RSVP, which is rhythm, speed, volume and pitch. Express sympathy or assistance. So like asking for help. People love to be helpful. They love to help other people. So if you're asking somebody for help or assistance, they're almost always going to help you, you know, nobody's going to turn you down unless they really just don't like you. And in that case, the relationship's already broken. Validate, or ego suppression, is the next one. So this can be hard for some people, but suppress your ego. You do not want to be an egotistic person, you're neutral, right? The other person is right. Validate them is the next step. You don't have to agree with somebody, but validate the way that they feel. If you don't agree on a political view with somebody, you can still validate that the way that they feel is not wrong. They will trust. Ask things like how, when and why, which encourages answers beyond yes and no. Try to avoid yes/no questions, get more wordy questions or more wordy answers out of them. Connect quid pro quo, so giving info and getting info, giving a gift, getting a gift, reciprocal altruism, which is again, you know, a gift can be a job, it can be physical, a secret or advice. And then managing expectations. So with that, don't focus on yourself and what you want; focus on what the target wants and they will almost always give it to you. If you focus too hard on what you want in your goal, you might not get it. We achieve our results finally with validation, so being non-judgmental, validation, right, so strengths, actions, attributes. Never ever lie, ever. And if you are going to lie, it had better be a damn good pretext, because if you get caught lying, the relationship is immediately terminated.
They won't trust you. Understand what's important to your target, right? Know what they like and what they want and validate it. Validation is not agreement, it's just telling them that they are not wrong. Nobody likes to be wrong. Ask their thoughts and opinions about the context, right? And then, so if you want, let them explain how they feel. Then tell them how you feel and ask them about how they feel about what your opinion is, and they'll usually give it in a more calm nature. And then the last thing is empowering them with choice. Give them the option, don't ever rob them of that. Empowerment is a big thing. Nobody likes to be told what to do.
I just wrote up a simple little, you know, exploit code. It's crappy, but you know, it's just there for presentation purposes, but get the OSEP done, perform your OSINT, know about your target, form the pretext, ego suppression, approach somebody, get close, validate them, distract them, talk in their terms, and then exploit or plant what you're trying to get from them. So with that, that's the end of the talk. Here are some helpful references right here. I drew from these. These guys are all awesome people. I got to hear all of them talk at the Human Hacking Conference. They're amazing, amazing people. You can look up Joe Navarro's books. Robin Dreeke has a ton of videos online. These guys are all great. Chris Hadnagy is in charge of social-engineer.org, check out his website. There is so much information that is out there now these days. And here are some of my websites. So quadruplets Just curious, the company that I work for, check us out. And then mighty pen is, you know, my own personal website and how I do my own contracted pentesting. So, yeah, that's it. That's my talk.
And we're back.
That was fascinating. I hope my face is conveying how fascinating I found your talk just now.
Thank you. It was a lot to cover, a lot. I was rushing through some of it.
No, I understand. And as somebody that's also been a presenter in the past, I can completely empathize with that. Now there was an interesting observation that I saw in the Matrix chat. And as a reminder to all of our viewers, the only way you can get in the chat is to be an attendee of HOPE. It mentioned that a lot of negative body language aspects that you mentioned are things that happen when someone is cold, physically cold. Yep.
Discomfort, really. Um, so when you're talking about body language, right? Don't look, don't. And this is really important with lying and lie detection, right? You're not trying to see if somebody's lying or somebody's telling the truth, you're looking to see if they're comfortable or if they're discomfortable. If they're comfortable, they're gonna display body language of comfort, relaxing, but if they're not comfortable, and it could be temperature, it could be what you're talking about, it could just be they're thinking about something else, they're gonna just show up a form of discomfort.
Now, there was discussion about propaganda in earlier talks at the conference, and how it affects the individual. Now, social engineering does have some commonalities with propaganda. Where do you see those two modes overlapping and where do they are, can they not?
I'm so glad you brought that up. With propaganda, there's a Darknet Diaries episode that came out, I don't remember what episode it is. But it talks about social engineering and about this service member that was part of the propaganda unit. And when he got out of the propaganda unit he went into public relations, which is the civilian version of propaganda. Right? So social engineering and propaganda is super, super important. You're trying to convince people why you are good. Why is the government, you know, why should you follow the government? Why is the United States the greatest country on earth? You know, why is this company better than this company? Why should you choose? It's all propaganda and social engineering, and marketing and advertisements are just, it's a trillion dollar social engineering industry.
Now, now, what tips can you give for those of us that are socially inept? After all, as you mentioned, social engineering does rely on people feeling safe or comfortable, but when your demeanor screams confrontation, how do you handle it? How would one handle it?
Right? You say confrontation, I'm assuming you're talking about like discomfort, like you're an introvert and you want to learn how to be an extrovert, right? Like you want to be a social engineer as an introvert, I'm guessing, right? Okay. So, um, social engineering is one of those really, really cool forms of humans of hacking, right? Like, there's ways that you can do like CTF and stuff with technical hacking. But if you want to get good at social engineering, the best thing you can do is talk to people, right? And you can feel uncomfortable. It's okay. Just have an interaction with somebody at the coffee shop. Right? I would not recommend talking to waiters and bartenders and stuff, because their job is to talk to you, they want to talk to you. Talk to somebody random in a line. You're standing in a line, engage that person, right, talk to them, form a relationship. In the back of your mind, try to create something like, "I want to extract this information from them." Don't let it be malicious, but just try to find out, like, you know, where they're from, what do they like, what are their hobbies, see if they open up to you, and that way you'll develop a more comfortable approach. Some people are mentally unable to do that, I get that. But the more you practice something, the better you get at it. It's a muscle by the end of the day.
Now, you mentioned facial features and expressions. Something that comes to my mind are some of the differences in cultural expression, such as the head shakes that one finds in the subcontinent, or how metaphor in the Mediterranean, you often find this movement acting as a "no". How much cultural competency would you suggest someone have prior to attempting social engineering?
If you live in the United States, and you engage with people in the United States, facial expressions are generally difficult to, or difficult to collateralize, I guess you could say. There are some cultural facial expressions, varying, you know, between cultures, but for the most part, the facial expressions are pretty static. I would only say that if you're like pentesting in another country, it can be difficult. You just have to study those things. Again, just interacting with people, reading a book, looking at an article online gets you more familiar with that. But for the most part, facial expressions are one of the least, least worried about cultural things. It's mostly hand gestures and body gestures that we're worried about. That's the real big thing.
Are there any good media, TV shows, movies, books that do a realistic job of representing social engineering concepts or the practice of social engineering, in your opinion?
Honestly, there's quite a lot of material out there to cover for that. Um, I would definitely just look at Robert Cialdini, or not Robert Cialdini's but Chris Hadnagy's website. First of all, look up some YouTube videos. There's tons of videos from Robin Dreeke about just social engineering in general. And you can find like TED Talks and stuff about it. But uh, you know, if you poke around, Chris Hadnagy has the social engineering podcast, definitely check that out. The older ones are dated for sure, they sound, you know, but the quality of the ones that are updated now are much better. So, definitely.
So we've got time for one last question. How are the norms of physical distance and mask wearing affecting social engineering?
That's an interesting question. When I was looking up last-minute pictures for proxemics, I just got a ton of pictures on Google about six feet and distancing. So I can say this: with social distancing, we feel different emotions. Me, for example, I feel anxiety about being six. So I feel anxiety when somebody gets close to me, for example, if they're within that six feet distance, but at the same time, I also feel really upset that I can't engage people that I want to engage, or even just random people, I can't let them in my six foot bubble, right? So I am on edge, right, I have adapted my mind to tell me that, hey, closer than six feet is just too close. But at the same time, my human mind is wanting to invite people into that circle. The social distancing and this whole pandemic really has played a big, big part, a lot of people having to work from home, socially distance, it's really causing a lot of issues with depression. And I have to say, that really is a good question. I'm glad somebody asked that question. But there's definitely more research that has to be involved with that too. I've only scratched the surface of it from the last week when I was looking at it.
We are out of time for this talk. I do want to thank our speaker again, Michael Morgenstern. If you would like to continue this conversation, of course, through the Matrix chat, visit the hallway conversations room, and we will be back in about 10 minutes with the next talk. Thank you, and we hope to see you again at HOPE, hopefully in person in the future.