Social Engineering and importance in pentesting null OWASP G4H september meet

Social Engineering and its importance in Penetration Testing

Transcript of the slides

Page 1:

Social Engineering and its importance in Penetration Testing

Page 2:

Agenda for Social Engineering:

• What is Social Engineering (SE)?
• Fundamental principles guiding the success of SE
• Case study demonstration
• Macro-expressions and body language
• Micro-expressions
• Importance of SE during an audit or SE pentesting
• Countermeasures for SE

Page 3:

What is Social Engineering?

“Act of influencing a person to take action that may or may not be in the target’s interest”

Good social engineers: parents, doctors, criminal psychologists, negotiators, salespersons, diplomats, whistle-blowers, magicians

Bad social engineers: fraudsters, confidence tricksters, malicious insiders, espionage agents, double agents, blackmailers, human traffickers, terrorists

Page 4:

Fundamental principles guiding the success of SE (Cialdini's six principles of influence)

Reciprocation: We are hard-wired to respond to a favour, often not in proportion to the size of the favour done to us.

Commitment and Consistency: Once we have made a choice or taken a stand, we encounter personal and interpersonal pressure to behave consistently with that commitment.

Social Proof: One means we use to determine what is correct is to find out what other people think is correct. The principle applies especially to the way we decide what constitutes correct behaviour.

Liking: As a rule, we prefer to say yes to the requests of someone we know and like.

Authority: The real culprit is our inability to resist the psychological power wielded by a person in authority.

Scarcity: Opportunities seem more valuable when their availability is limited; the scarcity principle determines how much worth we assign to an item.

Page 5:

Examples

Page 6:

Examples (contd…)

Page 7:

Case Study: Reliance Canteen episode

Objective

During our graduation days, we planned to have food from the canteen without paying huge bills once our friend group had grown large.

The Opportunity

Those days, Reliance had launched an offer that let you talk for free between 2 SIMs if you bought them.

The SE Attack

We gave the 2 SIMs to the canteen serving boy so that he could talk “as much as he desires” to his village. We came to an understanding that whenever our friend circle visited the canteen, he would bring extra samosas or cold drinks without charging us extra for them.

The Effect

We used to get almost double the food for the price of a few items, or for half the price. This went on unnoticed for 7-8 months, after which the plan failed.

Page 8:

Case Study: Analysis

• Why did the plan work?

• What could have caused failure of plan after 7-8 months?

• What could have happened if we were caught earlier ?

Page 9:

Macro-expressions / Body language

Macro-expressions, or body language, are a form of human non-verbal communication consisting of body posture, gestures, facial expressions and eye movements. Humans send and interpret such signals almost entirely subconsciously.

Communication consists of:

• 7% of what we say
• 38% vocal (tone, accent, dialect)
• 55% non-verbal

(These are Mehrabian's figures; his studies covered only the communication of feelings and attitudes when words and non-verbal cues conflict, so they should not be read as a rule for all communication.)

Non-verbal behaviour is depicted fundamentally by some body parts and how they act, in decreasing order of reliability:

• Feet/Legs (most accurate)
• Torso
• Hands
• Neck
• Mouth
• Face (least accurate)

Page 10:

Macro-expressions: An Analysis

Page 11:

Pop Quiz: Identify this expression

Page 12:

Micro-expressions

A micro-expression is a brief, involuntary facial expression that appears on a person's face according to the emotion being experienced.

Characteristics of micro-expressions:

• They are very brief, lasting only 1/25 to 1/15 of a second.
• They are highly accurate in depicting the "actual" thought of the person.
• They are almost involuntary reflexes, barely felt by the subject.
• They express the seven universal emotions: disgust, anger, fear, sadness, happiness, surprise and contempt.
• Micro-expression reactions are difficult to hide.

Page 13:

Animals, too, are able to social engineer us successfully!

Puppy Dog Eyes Expression: with whom would you rather share your biscuit?

Can you give me a biscuit? Please……

May I join in too? Please……

Where is MY biscuit? GIVE IT TO ME NOW!! Or else…….

Page 14:

Social Engineering Trends : At a Glance

Page 15:

Social Engineering Trends : At a Glance (contd…)

Page 16:

Importance of Social engineering during Security Audits and PenTesting exercise

Page 17:

Controlling your micro- and macro-expressions during an audit

If you get stuck while conducting a social engineering exercise, the following tips might help you carry out the test successfully:

• On confronting an antisocial or angry person, frown a little and tilt your head while relaxing your shoulders. This signals that you are interested in hearing them out and are not confronting them directly.

• Enter with a sad expression; the subject will involuntarily feel sympathetic towards you and in most cases will offer to help.

• A friendly and warm approach always has a higher chance of retrieving information than rash or unfriendly behaviour.

• Do everything with confidence, even when you know you have been caught out.

• Dress well (as the occasion demands) and walk in short, sure steps. This gives an impression of authority, and people are much more likely to yield to this charismatic effect.

Page 19:

Food for thought…….

Page 20:

Food for thought…….

Page 22:

Must Have Resources

• Social Engineering: The Art of Human Hacking by Christopher Hadnagy
• The Art of Deception: Controlling the Human Element of Security by Kevin Mitnick
• Influence: The Psychology of Persuasion by Robert B. Cialdini

Links

• Video: Nonverbal Human Hacking, DerbyCon 2012: http://www.irongeek.com/i.php?page=videos/derbycon2/2-1-2-chris-hadnagy-nonverbal-human-hacking
• Body Language – Expressions on the Google Android app store: https://play.google.com/store/apps/details?id=com.Mazuzu.ExpressionTraining&hl=en

Page 23:

Golden rule for thwarting social engineering attacks

TRUST, BUT VERIFY

Verify identity and authority through a channel the requester did not supply: call back on a number from the company directory rather than the one given in the e-mail or by the caller, and confirm unusual requests (fund transfers, password resets, visitor badge access) with the person who supposedly made them.

Page 24:

After All………

Page 25:

THANK YOU !!!

Presented By: Manasdeep

Page 26:

Questions ?