#1 - Social Engineering
In both of the earlier scenarios, not having a good enough plan and model will lead to failure. A good way to practice communication modeling is to write out a model for manipulating people you know well—a husband, wife, parent, child, boss, or friend—to do something you want, to take some action you desire. List the following five
... the most noticeable characteristic of anger, the glare. Anger is a strong emotion and can trigger many other emotions along with it. Sometimes when a person feels anger at something, what you see is a microexpression such as that shown in Figure 5-1. What makes it hard to see is that the facial movements may last only one-twenty-fifth of a second. Learning to see a specific microexpression can greatly enhance your understanding of people. To learn how to do so, Dr. Ekman recommends practicing that expression on yourself. He says follow these steps:

1. Pull your eyebrows down and together; pretend you are trying to touch your nose with the inner parts of your eyebrows.
2. While your brows are down, try to open your eyes wide, without adjusting your brow position.
3. Press your lips together tight. Do not pucker your lips, just tense them together.
4. Glare.

What emotion do you feel? The first time I did this, I was overwhelmed with anger. The following is a vital point to this chapter: If producing the facial expression can cause the emotion, that must mean that our facial movements can affect the emotions we feel, and maybe even the emotions of those around us.

--

Mastering the ability to reproduce microexpressions will go a long way toward understanding the emotion behind them. When you can successfully reproduce and decode a microexpression, you can understand the emotion that is causing it. At that point you can understand the mental state of the person you are dealing with. Not only reproducing them on yourself but also being able to see and read them in others can be helpful in controlling the outcome of your social engineering engagements.

--

Disgust

Disgust is a strong emotion usually in reaction to something you really do not like. This "something" does not always have to be a physical object; it can also be something that is based on a belief or feeling. A food that you truly hate can cause the feeling of disgust, which will trigger this expression.
What is amazing is even in the absence of the actual smell or sight of the food, the thought of it can cause the same emotion. When I was a teenager, I went to Disney World with a few friends. I am not, and I mean not, a fan of roller coasters. After much prodding I went on Space Mountain, an indoor roller coaster. About halfway through I had determined that I really didn't mind roller coasters when suddenly I was smeared with something very wet and chunky. I was then hit with an odor that I can only describe as stomach contents. Not only me, but many behind me had the same reaction and none of us could hold back our lunch, so to speak. Before you knew it, a simultaneous puking splattered the glass of the Tomorrowland Transit Authority, a slow-moving observation ride that offers a peek into the actual Space Mountain ride on part of its journey. What is amazing is that people in the Tomorrowland ride who sat there slowly going around the park saw the aftereffects hit the glass as they rode through, and saw all the other riders getting physically ill, which made them also vomit—yet they didn't smell the odor or have physical contact with the puke from the roller coaster riders. Why? Disgust. Bodily fluids generally bring on feelings of disgust and this is one reason that while reading this paragraph you probably started to exhibit the expressions of disgust.

Disgust is often characterized by the upper lip being raised to expose the teeth, and a wrinkling of the nose. It may also result in both cheeks being raised when the nose is wrinkled up, as if to try to block the passage of the bad smell or thought into one's personal space. I was reading an article on the winter Olympics when I saw this picture of Ekaterina Ilyukhina (see Figure 5-3) showing very clear traits of disgust. Notice the raised upper lip and the wrinkled nose. Is she looking at her score? Is a competitor beating her? I am not sure, but whatever she is looking at, it is not sitting well with her.
Disgust is one of those emotions, according to Dr. Ekman's research, that is in reaction to the sight, smell, or even thought of something distasteful. From a social engineering standpoint this emotion might not lead you down paths of success, but it can surely help you to see whether you are hitting the mark with your target or causing him or her to mentally shut down to your ideas. The odds are that if you cause disgust for any reason in your target, you have lost. If your appearance, smell, style, breath, or other aspect of your person can make a person feel disgust, then it will most likely close the door to success. You must be aware of what is acceptable and unacceptable to your targets. For example, if your audit is for a prestigious law firm and you have many piercings or tattoos, a very strong negative emotion may rise in your target, which can close the door to your social engineering attempt. You must seriously consider your appearance when working on your pretext. If you happen to notice the strong negative emotion of disgust in your target, then backing down and politely excusing yourself to rework your pretext or find a different path in may be a good idea.

--

Fear

Fear is often confused with surprise because the two emotions cause similar muscular reactions in the face. One company I worked with was hit by a malicious social engineer who used fear to gain access to the building. Knowing that the CFO was out of town on an important business meeting and could not be disturbed, the social engineer went into the company as a tech support guy. He demanded access to the CFO's office, which was promptly denied. He then played this line, "Mr. Smith, your CFO, called me and told me that while he was away at this meeting I better come down and fix his e-mail problem and that if it is not fixed while he is gone, heads will roll." The secretary feared that if it didn't get fixed, she would be to blame. Would her boss really be angry? Could her job be at risk?
Because she feared a negative outcome, the secretary let the phony tech support guy in. If he was a skilled social engineer he may have been watching her facial expressions and noticing whether she exhibited signs of worry or anxiety, which are related to fear. He then could have played on these signs more and more, getting her to cave in to her fear. Fear can be a big motivator to do many things that you (or your target) would not normally consider doing.

--

Sadness

Unfortunately malicious social engineers often use this emotional trigger to obtain things from their targets. I once walked into a restaurant and overheard a young man telling a group of older folks who were leaving that he just ran out of gas on the highway and needed to get home because his wife was nine months pregnant. He had been out of work and had just walked a mile off the highway to use the phone to call his wife and wondered if they could give him $20. When I heard some of the story I slowed down and made believe I was on a phone call to observe the rest. He told his tale and then backed it up with, "Look if you give me your address, I will mail you a check for the $20," concluding with "I swear to God." The story had some elements in it that could elicit compassion, especially when his face showed concern, anxiety, and sadness. He didn't get $20—he was given $20 by each of the three people in that group. He said "God bless you" a few times and gave the group a few hugs and said he was going to go in to call his wife and tell her he was on the way home. He hugged them and they left feeling as if they had done their good deed for the week. A few minutes later as I'm eating my meal, I see him at the bar drinking a couple of fully paid-for drinks with his buddies. Mixing a sad story with some sad facial expressions, he had been able to manipulate the emotions of those around him.
Happiness

Happiness can have many facets to it—so many that I can probably make a chapter just on it, but that is not my focus. Dr. Ekman's books cover many excellent points about happiness and similar emotions and how they affect the person with the emotion and those around him or her. What I want to focus on are just a couple aspects of happiness—most importantly the difference between a true smile and a fake smile. The true and the fake smile are an important aspect of human expressions to know how to read, and as a social engineer to know how to reproduce. Has there been a time where you met someone who was very pleasant but after you parted ways your spouse or you yourself said, "That guy was a fake..."? You might not have been able to identify the aspects of a true smile in your head but something told you the person wasn't being "real."

In the late 1800s a French neurologist, Duchenne de Boulogne, did some fascinating research into smiling. He was able to attach electrodes to a man's face and trigger the same "muscular" response in the face as a smile. Even though the man was using all the right muscles for smiling, de Boulogne determined that the look of the man was still a "fake smile." Why? When a person smiles for real, de Boulogne indicates, two muscles are triggered, the zygomaticus major muscle and the orbicularis oculi. Duchenne determined that the orbicularis oculi (muscle around the eyes) cannot be triggered voluntarily and that is what separates a real from a fake smile. Dr. Ekman's research concurs with Duchenne's and although recent research indicates some can train themselves to think about triggering that muscle, more often than not a fake smile is all about the eyes. A real smile is broad with narrow eyes, raised cheeks, and pulled-up lower eyelids. It has been said that a real smile involves the whole face, from the eyes to the mouth.
When a person sees a real smile on another person, it can trigger that same emotion inside of them and cause them to smile. Notice in Figure 5-15 the picture of the two monks. The monk on the left side of the picture is displaying very outward signs of a real smile, real happiness. Just looking at him in this picture probably can trigger happiness in you. From a social engineering standpoint, knowing how to detect and also create a real smile is a valuable piece of information. A social engineer wants a target to be put at ease, so as to have the greatest positive effect on the target. Social engineers in any form, whether they are salespeople, teachers, psychologists, or any other social engineer, often start off a conversation with a smile. Quickly our brains analyze how we feel about that visual input given to us and it can affect the rest of the interaction. A lot of information is packed into the preceding section, yet you may be wondering how social engineers can train themselves not only to see microexpressions but also how to use them.

--

Training Yourself to See Microexpressions

I read the methods on how a particular microexpression is identified, then practice reproducing it using a mirror, comparing my expression to the notes from the professionals that describe how it is done. I usually have a picture that shows the emotion I am working on because having something to mimic helps me. After I feel relatively good about reproducing the microexpression I focus on how it makes me feel, tweaking small areas until the muscular movements cause me to feel the matching emotions. I then scour the Internet looking for pictures and try to identify the expressions in those pictures. Next, I record news or television shows and play certain parts in slow motion with the sound off to see if I can determine the emotion, then listen to the story to see if I was close. All this leads up to working with live "subjects."
I watch people interact with each other and try to identify the emotions they are feeling during their discussions. I try both with being able to hear the conversation and also without being able to. The reason I chose this path before trying to read microexpressions in my own conversations is that I found that trying to do it in a live environment without having to also focus on making good conversation is easier. I just read the facial expressions and do not get confused by other sensory input.

--

One of the tricks actors use to be able to successfully show proper emotion is to remember and focus on a time when they truly felt the emotion they need to portray; for example, a moment of happiness that produced a real smile. As mentioned earlier, making a real smile is very difficult to fake if you aren't truly feeling happy but if you can bring up a memory when you felt that emotion your muscles will remember and react. Therefore, although you can become proficient at reading the emotion, you cannot read the why behind it. The why is often lost to science. I had a friend who had some bad experiences as a child with a person who closely resembled a good friend of mine. Whenever my friend would come around she had strong emotional reactions. If you were to read her microexpression you would probably see fear, contempt, and then anger on her face. She did not hate my friend, but she hated the person in her memory who resembled my friend. This is a good point to remember when you are learning how to read microexpressions. The expression is linked to an emotion, but the expression doesn't tell you why the emotion is being displayed. I know when I first started learning about microexpressions and then became somewhat "proficient" at reading certain expressions, I felt like I was a mind reader. Although this is far from the truth, the caution is to not be assumptive.
You may become very good at reading microexpressions; however, later sections discuss how to combine this skill with interrogation tactics, body language skills, and elicitation skills to not only figure out what targets are thinking, but also to lead them down the path you want. The question you still may have is, "How can I use these skills as a social engineer?"

--

How Social Engineers Use Microexpressions

This whole section leads up to this: As fascinating as the research is, as amazing as the science is behind this psychology, how do you utilize microexpressions in a social engineer audit and how do malicious social engineers use them? This section discusses two methods of how to use microexpressions in social engineering. The first method is using microexpressions (ME) to elicit or cause an emotion, and the second method is how to detect deceit. Let me start with the first method, using your own ME to cause an emotional response in others. I recently read a research paper that changed my view of ME and opened my eyes to a new area of research. Researchers Wen Li, Richard E. Zinbarg, Stephan G. Boehm, and Ken A. Paller performed a study called "Neural and Behavioral Evidence for Affective Priming from Unconsciously Perceived Emotional Facial Expressions and the Influence of Trait Anxiety" that changes the face of microexpression usage in modern science. The researchers connected dozens of mini-EKGs to muscle points on their subjects' faces. The devices would register any muscular movements in their face and head. They then played videos for them that had one-twenty-fifth-second flashes of microexpressions in frames. Li et al. found that in almost every case the subject's muscular movement would begin to mirror that which was embedded in the video. If it was fear or sadness, the subject's facial muscles would register those emotions. When interviewed about the emotion the subject was feeling it was the emotion embedded in the video.
To me, this groundbreaking research proves that a person can manipulate another person to a certain emotional state by displaying subtle hints of that emotion. I have started conducting some research into this from a security angle and I am calling it "neurolinguistic hacking," mainly because it takes much from microexpressions as well as neurolinguistic programming (discussed in the next section) and combines them to create these emotional states within a target. Imagine this scenario. A social engineer wants to walk into a company with the goal of getting the receptionist to insert a malicious USB key into the computer. His pretext is that he has a meeting with the HR manager, but on the way in, he spilled coffee all over his last resume. He really needs this job and to help, would she print him out another copy of the resume? This is a solid pretext that tugs on the receptionist's heartstrings and has worked for me in the past. Yet, if the social engineer allows his own emotional state to run rampant he might be showing signs of fear, which is linked to nervousness. That fear can translate to an uneasy feeling in the receptionist and failure or rejection of the request. Whereas if he were to control his emotions and flash subtle hints of sad microexpressions, which is closely linked with empathy, then he might have a very good chance at his request being honored. Recall the previous discussion of the commercials that encourage people to donate "only a dollar a day" to feed a child in need. Before requesting money, before flashing a phone number and URL, before telling you that credit cards are accepted, many long images of very sad children flash across your TV screen. Those images of children in need and children in pain put your brain in the emotional state that is needed to comply with the request. Do those commercials work on everyone? No, of course not. But although not everyone donates, it will affect almost everyone's emotional state.
That is how a social engineer can use ME to the fullest. Learning to exhibit the subtle hints of these ME can cause the neurons in your target's brain to mirror the emotional state they feel you are displaying, making your target more willing to comply with your request. This usage of ME can be malicious, so I want to take a moment to talk about a mitigation (see also Chapter 9). Being aware of how ME can be used doesn't mean you need to start training everyone in your company to be an ME expert. What it does mean is that good security awareness training does need to occur. Even when requests are designed to make you desire to help, desire to save, desire to nurture, the security policy must take precedence. A simple, "I'm sorry we cannot insert foreign USB keys into our computers. But two miles down the road is a FedEx Kinko's shop. You can print another resume there. Should I tell Mrs. Smith you will be a few minutes late?" In this scenario, such a statement would have squashed the social engineer's plans as well as given the target the feeling of being helpful. To utilize the power of ME, sometimes you have to combine it with other aspects of human behavior as well. The second method, how to detect deceit, describes how you can do this.

The second method for using ME as a social engineer is in detecting deception. Wouldn't it be nice if you could ask a question and know whether the response was truth or not? This subject has been a source of heated debate among many professionals who claim that eye patterns, body language, facial expression, or a combination of all the preceding can indicate truth or deception. While some do not believe this to be the case, others feel these can be used as an exact science. Although some truth may exist in each of those thoughts, how can you use microexpressions to detect deception?
To answer this question you must take into account more than just microexpressions because, as identified throughout this section, microexpressions are based on emotions and reactions to emotions. Keep this in mind while reading this section, which analyzes some causes and effects. Four things can help you detect deceit in a target:

• Contradictions
• Hesitation
• Changes in behavior
• Hand gestures

The following sections discuss these items in more detail.

--

Contradictions

Contradictions are particularly tricky because they often can and do occur in factual accounts. I know in my case I often forget details, and my wife will fill them in quickly. After I get a little hint here or there I often can remember the full story. This doesn't mean that I am always lying at the beginning of a story or conversation, but I don't always remember all the details clearly enough to comment on them at first, or I think I do remember the details but I really don't. Even after I "remember" the details, the details may be my version of reality and not the way the story actually happened. This inadvertent dishonesty is important to consider when evaluating contradictions as a clue to lying. What a contradiction should do is prompt you to dig more. Watching the person's microexpressions while you question him about a contradiction is also helpful. For example, suppose you have developed a pretext as a visiting salesperson. You are going to try to gain physical access to the CEO to deliver a CD with a special offer. You know the CEO is very partial to a certain charity so you developed the pretext around that. As you walk into the lobby the front desk person says, "Sorry, he is not in, you can just leave it with me." You know that if you leave the CD a greater chance exists that your "malicious" CD will never be used. You also feel he is in because you see his car in the parking lot and you know today was a normal work day for him.
With those facts in mind and without wanting to embarrass the front desk person you say "Oh, he's really not? I called the other day and asked when I could visit and was told today was a good day. Did I mix up my days?" If you've played your cards right and your expressions are genuine, this can turn out two ways:

• She may hold steady and again say, "Sorry, he's not in."
• She may contradict herself (which can be a clue that she is not being truthful): "Let me check whether he is in or not."

What? She went from a stern "He is not in" to "Let me check." That contradiction is enough to signal that you should dig more. What was her ME when she did that? Did she show shame or maybe some sadness at lying? Was she angry at being caught in a lie? Was she embarrassed that she was wrong and maybe confused? You cannot automatically assume she is lying, because maybe she really didn't know, and when you rebutted she decided to really find out. After she confirms whether he is in you can choose to dig a little deeper and probe more to determine truthfulness if needed. Again, playing your card of "Maybe I mixed up my days" and watching her facial expressions can be a good indicator of her truthfulness or not. If in your first go-round you saw any hints of anger, continuing to enquire can cause her to be more angry and embarrassed and end your interaction. At this point, you may want to ask something like, "If Mr. Smith isn't in right now and I really mixed up my days or times, when can I stop in to see him? What time is the best?" This type of question allows her to save face, as well as gives you another opportunity to read some facial expressions. If you didn't notice anger but maybe saw she looked a little sad or embarrassed then you might want to respond with empathy and understanding to open her up. "I could have sworn that he said today was a good time to drop it off, but you know, my memory is so bad, my wife tells me I am getting Alzheimer's.
I bought one of these smart phones, but I'll be darned if I can figure it out. I don't want to be a bother, but when can I just drop this off for him? I want to make sure it gets right into his hands." Be very observant of minor contradictions as they can be key indicators in deceit and help you get your foot in the door.

--

Hesitation

Similarly to contradiction, you can use someone's hesitation to detect a potential untruth. If you ask a question and the answer should have come quickly from the person, but he hesitates beforehand, it can be an indication that he was using the time to fabricate an answer. For example, when my wife asks me how much my new electronic gadget costs, she knows I know the answer. A hesitation can mean either I am evaluating whether I want to answer truthfully or I might just be remembering the price. When I get a progress report from my son's school that says he missed X number of days at school and I only know about two or three valid absences, I ask him where the rest of these missed days are from. If his answer was, "Dad, don't you remember I had that doctor appointment and then you kept me home that day to help you with that project?" Most likely that is full-on truth because it was quick and has facts in the response. However, if he hesitates and comes back with, "Wow, I don't know—maybe the report is wrong," then noting his microexpression during his response is a good idea. Does it indicate anger, maybe at being caught, or sadness at the imagined punishment? Either way it is time for me to investigate more and find out where he was those days.

--

Changes in Behavior

During a discussion the target may change his behavior every time a certain topic is brought up. Maybe you notice an expression change or a shift in the way he sits, or a marked hesitation. All of these actions can indicate deceit.
Whether these actions amount to deceit is not certain, but they should cause you to probe more on the topics being discussed in a way that does not alert suspicion. These behaviors can be signs that the person is using the time delays to generate a story, recall facts, or decide whether he wants to reveal those facts.

--

Scripts in the New Code

People tend to have common problems, so groups of scripts have been developed to help therapists use NLP in their practice. These scripts lead the participant through a series of thoughts that help guide the person to the desired end. An example of one script is an outline of how to increase your sales by getting someone to start talking about their dreams. Once you have them talking about certain goals or aspirations, you can posit your product or service as answering one of the needs to reach those goals. By positively building on your product as fitting a need they have, you give your potential sale's brain a way to connect your product with positive sales. If you take time to Google much of the information included here you will see that NLP can take on a life of its own. You can take many angles and paths when studying NLP. Despite all the plethora of information out there the question remains, how can a social engineer use NLP?

How to Use NLP as a Social Engineer

Many of the scripts and principles of NLP tend to lean toward hypnosis and similar avenues. Even though you will not use hypnosis to social engineer a target, you can use many of the principles of NLP as a social engineer. For example, NLP can teach you how to use your voice, language, and choice of words to guide people down the path you want.

--

Voice in NLP

You can use your voice to inject commands into people just as you would use code to inject commands into a SQL database. The way you say things is where the injection occurs; this single moment of injection is framed within regular conversation.
Sometimes how you say something is more important than what you say. NLP promotes the use of embedded commands to influence a target to think a certain way or take a certain action. Also, using the tones of your voice to emphasize certain words in a sentence can cause a person's unconscious mind to focus on those words. For example: For instance, ask "Don't you agree?" Instead of putting an upswing on the word "agree," like you would normally at the end of a question, put a downswing to make the question more of a command. Another one I have heard used effectively is, "My customers usually do the things I say. Do you want to begin?" The way that sentence is used and surrounded by other statements can make this a very commanding statement.

--

Using Ultimate Voice in Social Engineering

You can master the Ultimate Voice but it takes lots of practice. The ability to embed commands into normal conversation is a skill that is very useful when mastered. Ultimate voice is the ability to inject commands into people's minds without their knowledge. It can sound very artificial when new people try it, until enough practice makes them sound natural. Hypnotists often use this technique like so: "You can feel yourself relaxing as you slip into calmness." This standard therapy phrase can be adapted to nearly any command you like. Put extra emphasis on the vowels in the words you want to accent—for example, "yooouurseeelf reelaaxiing."

--

To conclude this section, consider three things a social engineer should focus on when studying NLP:

• Vocal tones. As stated previously, the tones of your voice as well as the emphasis you put on certain words can change the whole meaning of a sentence. Using tone and emphasis, you can embed commands inside of the subconscious mind of the target and allow the target to be more open to suggestion.
• Choose your words carefully. Learn to choose the words that have maximum impact.
Match positive words with thoughts you want the target to think positively on and negative words with those you want them to not think of too highly. This technique can also help the social engineer make a target more pliable.
• Create a list of command sentences that you can use in person or during a phone social engineering audit. Writing out and practicing command sentences will help you be able to recall and use them when in need.

Most of all, practice. Controlling your vocal tones, the words you choose, and how you say them is not an easy task. Practice can make this become second nature.

--

When starting an interview or interrogation here are areas to observe for changes in the subject:

• Body posture: Upright, slumped, leaning away
• Skin color: Pale, red, white, changes
• Head position: Upright, tilted, forward/back
• Eyes: Direction, openness
• Hands/feet: Movement, position, color
• Mouth/lips: Position, color, turned up/down
• Primary sense: Visual, aural, kinetic, feeling
• Voice: Pitch, rate, changes
• Words: Short, long, number of syllables, dysfunctions, pauses

--

Handling Denials and Overcoming Objections

Whether on the phone or in person, what is the plan of action if you are denied access to the place or information you are seeking? I like to call these conversation stoppers. People use them with salespeople all the time, "I'm not interested." "I don't have time right now." "I was just leaving...." Whatever flavor of stopper targets throw out, you must have a plan to overcome it and handle the denial of access. I like to preemptively dismiss objections if I feel the situation warrants. When I was in sales, I worked with a man named Tony who had a tactic that involved knocking on a door and introducing himself, and without pausing saying, "I know you might want to say you are not interested, but before you do, can you answer this one question: Is five minutes of your time worth $500?"
At this point, the person was much less likely to say "I'm not interested." By diminishing the possibility of denial and following up with a question, Tony was able to get the target to think about something else besides her objection. In a social engineering engagement you can't walk up to the security guard and say "I know you don't want to let strange people in the door but..." because it would raise way too much suspicion. Using this methodology to overcome objections is much more complex for social engineers. You have to think about what objections might arise and organize your theme, story, dress, and person to pre-empt those objections. Yet you still have to have a good answer to give for when objections come up. You can't just run out the door or hang up the phone. A good exit strategy enables you to come back to attack later on. An exit strategy can be as simple as, "Well, ma'am, I'm sorry you won't let me in to see M. Smith. I know he will be greatly disappointed because he was expecting me, but I will give him a call later and set up another appointment."

--

Keeping the Target's Attention

If you handled your social engineering move correctly up to this point and you are in front of the target, then the target may start to think about what would happen if she does not allow access, take the file, or do what you are asking. You need to feed off of that inherent fear and use it to continue to move the target to your goal. A few short statements like, "Thank you for your help. I was so nervous about this interview that I obviously put the wrong date down in the calendar. I hope that Mrs. HR Manager is some place warmer than here?" Allow for a response then continue, "I want to thank you for your help. When will she be back so I can call to make another appointment?"
-- So how can you become a great listener? The following steps can help you perfect your listening skills. These tips can assist you not only in social engineering but also in life, and when applied to a social engineering audit can make a world of difference. 1. Pay attention. Give your target your undue attention. Do not fiddle with your phone or other gadget. Do not drum or tap your fingers. Try to focus intently on what is being said, looking at the person speaking. Do this in a very inquisitive way, not in a scary, "I want to stalk you" way. Try hard not to think ahead and plan your next response. If you are planning your next response or rebuttal you will not be focused, and you may miss something important or give the target the impression you don't really care. This can be very hard to control, so perfecting this tendency will take some serious work for most people. Also try to not be distracted by environmental factors. Noise in the background or a small group laughing about something can shift your focus; do not allow that to happen. Finally pay close attention to what the speaker is not saying, too. The body language, facial cues, and other aspects of communication should be "listened" to intently. 2. Provide proof that you are listening. 
Be open and inviting with your body language and facial expressions. Nod once in a while, not too often, but often enough to let the target know you are there. You don't want to look like a bobble head doll, but you want to let the target know you are "with him." Don't forget the all-important smile. Smiling can tell the target you are with him mentally and you understand what he's saying. As with paying attention mentioned earlier, add small smiles when appropriate. If the person is telling you her dog just died, nodding and smiling will most likely get you nowhere. 3. Provide valuable feedback. Letting your personal beliefs and experiences filter the message coming your way is all too common. If you do that you may not truly "hear" what the speaker is saying. Be sure to ask relevant questions. If she is telling you about the blue sky then you say "So how blue was the sky?" will not be effective. Your questions must show you have been actively listening and have the desire to gain a deeper understanding. Every now and then mirroring or summarizing what you have heard can work well, too. Don't recite the conversation like a book report, but recapping some of the main thoughts can help the target see you are in tune with the message. 4. Do not interrupt. Not much more needs to be said on this tip. Interrupting your target shows a lack of concern for his feelings and stops the flow of thoughts. Letting him finish and then speaking is better. 5. Respond appropriately. This is the pinnacle of good or bad listening skills. If you were focused on your rebuttal or next statement, or you were thinking about the very attractive blonde that just walked by you might put your foot in your mouth. I was once training a group of people and was telling them some aspects of very detailed manipulation tactics. I could tell two guys were not listening. I put in a random thought like, "So then you bake the lion at 350 degrees for 15 minutes til crispy." 
The rest of the group broke out in laughter and I turned to one of the two and said, "What do you think, John?" He responded with a blank stare and a stuttered, "Um, yah, sounds perfect." Do not ever do that to a target. It is a death blow to rapport (discussed later in this chapter). Be respectful, keep your emotions in check, and respond appropriately at all times when conversing with a target. -- Also, remember to react to the message, not the person. If you don't agree with a person's beliefs or stance, affording him or her dignity will go a long way in making that person feel comfortable with you. Even in situations where you might not agree you can find something empathic to say. For example: Target: "This job stinks. They make me work this horrible shift and for low pay, too." SE: "It sounds to me like you are overwhelmed by your situation here." Although you might be thinking "Try Harder," by responding this way you let the target know you were listening, as well as empathizing with her plight in life. This technique is known as reflective responding. Reflective responding has some basic principles to it: • Listen actively, as described earlier. • When it's time to respond, be aware of your emotions. Knowing what you feel as the target is speaking can help you to react properly. • Repeat the content, not like a parrot, but in your words. • Start your response with a non-committal phrase such as, "It sounds like," "It seems like," or "It appears that." These phrases ease the message you are trying to deliver. If you need proof of this, the next time you get into an argument with your mate, boss, parents, or whomever say, "You are mad at me because..." and compare the person's reaction with what you get when you say "It appears you are mad because of..." instead. You will see which one is taken better. Reflective responding used with active listening is a very deadly force in the trust and rapport-building skills arena. 
As you learn to listen better and it becomes part of your nature you will enhance your ability to react to the message you hear. A social engineer's goal is to gather information, gain access to someplace or something you should not have access to, or cause the target to take an action he should not take. Thinking that you must be perfect at manipulation often stops people from learning and practicing great listening skills, but this is the exact reason you need to be a great listener. Consider these two scenarios: • One of your neighbors comes over and asks whether you have time to help him with a project in his garage for about an hour. This neighbor has a dog that has gotten into your garbage a few times and tends to like to use your yard as a bathroom. You are just about to sit down to relax at the end of a long day and watch some TV or read a book. • Your childhood friend comes over and tells you that he needs some help moving some furniture. He just got a place about five miles from you and he can't get the couch up the stairs. You are just about to sit down to relax a bit. For which scenario are you more likely to put aside relaxing? Most people will put aside relaxing for the second scenario, but will come up with an excuse or reason to not help out in the first scenario or at least try to postpone it to another day when they are not "busy." Why? People are very open and free with friends. When you feel comfortable with someone, you have no boundaries and will put aside your own wants and needs at times to help them out. One naturally trusts the message coming from a friend, whereas with the stranger one might start to double-guess what's being said, trying to determine whether it is truthful or not. In the case of the relationship with the friend, this connection is called rapport. For years rapport has only been talked about when it comes to salespeople, negotiators, and the like. 
Rapport isn't just for salespeople; it is a tool that anyone can use, especially the social engineer. If you are wondering how to build rapport instantly, then read on. -- Building Instant Rapport My former coworker, Tony, used to say that building rapport was more important than breathing. I don't really believe that to be true, but it does have a ring of truth in that rapport building is vital. Wikipedia defines rapport as, "One of the most important features or characteristics of unconscious human interaction. It is commonality of perspective: being 'in sync' with, or being 'on the same wavelength' as the person with whom you are talking." Why is rapport discussed in this chapter? It is a key element in developing a relationship with any person. Without rapport you are at an impasse. Within the psychological principles behind social engineering, rapport is one of the pillars. Before getting into the aspects of how to use rapport as a social engineer you must know how to build rapport. Building rapport is an important tool in a social engineer's arsenal. Imagine that you could make people you meet want to talk to you, want to tell you their life story and want to confide in you. Have you ever met someone like that, someone you met recently but feel totally at ease telling him or her very personal things? Many psychological reasons may play into why that may be the case, but the case may be that you and that person just had good rapport. The following sections outline important points about building rapport and how to use rapport in social engineering. -- Be Genuine about Wanting to Get to Know People How important are people to you? Do you enjoy meeting new people? It is a mindset about life, not something that can be taught. The prerequisite to building rapport is liking people. People can see through a fake interest. To be a good social engineer and to be able to use rapport, people need to be important to you. 
You must like people and enjoy interacting with them. You have to want to learn about people. People can see through fake smiles and fake interest. Developing a genuine interest in your target can go a long way toward building rapport. Take Care with Your Appearance You cannot change some things that may affect your interaction with others. Unfortunately people can still hold your skin color, gender, or age against you before you facilitate any interaction. You can't control those things, but you can control aspects of your appearance such as clothing, body odor, and cleanliness, as well as your eye contact, body movements, and facial expressions. I read a statement once that I have seen proven true too many times to ignore: "If a person is not comfortable with himself, others will not be comfortable with him either." Be aware of your pretext and your target. If your pretext is the janitor, make sure your demeanor, dress, attitude, and words reflect someone in that position. If your pretext is a manager of a business, then make sure you act and dress appropriately. This takes research but nothing kills rapport easier than not looking the part. Your goal in some instances is to keep people in the autopilot mode that will let them not question you. Having your dress, grooming, or demeanor out of place removes the target from autopilot and hurts your chances at success. Be a Good Listener See the earlier section for more details. The importance of good listening can't be overstated. Whether you are trying to make a friend or make a social engineering move, listening is a skill you need to master. Be Aware of How You Affect People One time I saw an older woman drop an item as she left a grocery store. I picked it up and followed her out to the parking lot. By the time I caught up with her she had her trunk open and was loading groceries into her car. I came up behind this short, little elderly woman and with all 6' 3" of me looming over her said, "Excuse me, ma'am." 
I was obviously too close for her comfort and when she turned around she screamed out, "Help! He's trying to mug me. Help!" I obviously needed to think about how my presence might affect this woman during my interaction with her. I should have realized that an elderly woman all alone in a parking lot who was not expecting a huge man to walk up behind her might freak out. I should have come around and approached her from a different angle. Be aware of how your appearance and other personal aspects might affect those you will be in contact with. Do you need a breath mint? Make sure no food is on your face or in your teeth. Try to be relatively sure that nothing is glaring in your personal appearance that will turn the person off. UCLA Professor of Psychology Albert Mehrabian is known for the 7-38-55 Rule, which states that statistics show that only 7% of normal communication is the words we say whereas much more lies in the body language and vocal tones. Try to be aware of yourself, but also pay attention to the first few seconds of interaction with a person. His or her reaction to your approach can tell you whether you possibly missed something, or whether you need to change something to be more effective. As a social engineer, be aware of how you affect people. If your end goal is all that is on your mind you will affect the people you come into contact with negatively. Think about how your appearance, words, and body language may affect your target. You want to appear open and inviting. Keep the Conversation off Yourself We all love to talk about ourselves and even more so if we feel we have a great story or account to share—it is human nature. Talking about yourself is one way to kill rapport. Let the other person talk about himself until he gets tired of it; you will be deemed an "amazing friend," a "perfect husband," "great listener," "perfect sales guy" or whatever other title you are seeking. 
People feel good when they can talk about themselves; I guess we are all a little narcissistic, but by letting the other person do the talking you will leave that interaction with his liking you a lot more. Keep the conversation off yourself. This point is especially cogent for social engineers. You have a definite goal in mind and sometimes your judgment and direction can be clouded by what "you" want. Taking that focus off of the target is dangerous as far as success goes. Let targets talk about their jobs, roles, and projects, and be amazed at how much information they release. Remember That Empathy Is Key to Rapport Empathy—defined by Random House Dictionary as "the intellectual identification with or vicarious experiencing of the feelings, thoughts, or attitudes of another"—is lacking in many people today and is especially hard to feel if you think you have the solution to someone's problem. However, really listening to what someone is saying, trying to identify and understand the underlying emotions, and then using reflection skills can make a person feel as if you are really in tune with him. I felt it necessary to provide the definition of empathy because understanding what it is you have to do is important. Notice that you must "intellectually identify" with and then experience "the feelings, thoughts, or attitudes" of someone else. These aren't always serious, depressing, or extreme emotions. Even understanding why someone is irritated, tired, or not in the best mood can go a long way. Imagine you go to the bank drive through and the teller lady gives you a monster attitude because you forgot to sign your check and she now has to send it back. You also forgot a pen and need to ask her for yet another favor. Your reaction might be similar to mine, especially if she gave you the eye roll and the irritated glance—you want to tell her that she is here to serve you. Instead, try saying this, "It appears you might be a little irritated. 
I understand that; I get irritated when I have to deal with my forgetful clients, too. I hate to ask this, but could I please get a pen?" It's important to not be patronizing when attempting to show empathy. If your empathy seems to come off haughty or arrogant, you can make the target feel like you are patronizing them. You acknowledged her being upset but without accusation, showed that you have the same feelings, and then made a request. Empathy can go a long way toward building rapport; one caveat is that rapport cannot be faked. People need to feel you are genuinely concerned to build that trust relationship. If you are not a natural at displaying empathy then practice. Practice with your family, friends, coworkers, teachers, or classmates. However and wherever you do it, practicing being empathetic will greatly improve your relationship-building skills. Empathy is a tool of the social engineer. Unfortunately it is also used often in malicious social engineering. When a catastrophe hits somewhere in the world a malicious social engineer is often there to "empathize" with you. The thing that probably makes this tool so easy for malicious social engineers to use in many cases is because they truly are from bad, poor, or impoverished places. Being in bad straits themselves makes appearing empathetic to others' plights in life easy and therefore creates rapport easily. -- Be Well Rounded in Your General Knowledge Knowledge is power. Don't neglect reading, researching, and studying about the topic of the target's occupation or hobbies. -- Develop Your Curious Side People normally feel a little self-righteous when it comes to their beliefs or thoughts on the way things should be done. That self-righteousness or judgmental attitude can change the way a person reacts to something being said. Even if you don't say anything you may start to think it, which can show in your body language or facial expressions. 
Instead of being self-righteous, develop a curiosity about how other people think and do things. Being curious keeps you from making rash judgments. This can be applied by being humble enough to ask for help or ask for more information. Be open minded enough to look into and accept another's thoughts on a topic, even if those thoughts differ from yours. Curiosity did not kill the social engineer. This point doesn't change much from a non-social engineer perspective. When you become curious about others' lifestyles, cultures, and languages you begin to understand what makes people tick. Being curious also keeps you from being rigid and unbending in your personal judgments. You may not personally agree with certain topics, beliefs, or actions but if you can remain curious and nonjudgmental then you can approach a person by trying to understand why he is, acts, or portrays a certain way, instead of judging him. Find Ways to Meet People's Needs This point is the pinnacle of the list and is one of the most powerful points in this book. Dr. William Glasser wrote a book called Choice Theory in which he identified four fundamental psychological needs for humans: • Belonging/connecting/love • Power/significance/competence • Freedom/responsibility • Fun/learning The principle behind this point is that creating ways for people to get these needs met by conversing with you builds instant rapport. If you can create an environment to provide those needs for people, you can create bonds that are unbreakable. -- Spies use this principle of filling a need or desire often. In a recent trip to a South American country I was told that its government is infiltrated all the time via fulfilling the basic need of "connecting or love." A beautiful woman will be sent to seduce a man, but this is no one-night stand. She will seduce him for days, weeks, months, or even years. 
As time continues she will get bolder with her requests for where they are intimate, eventually making their way to his office, where she gains access to plant bugs, Trojans, or clone drives. This method is devastating, but it works. Social engineers fill desires through phishing emails also. In one test 125 employees of a very reputable company were sent fake image files labeled BritneyNaked.jpg, MileyCyrusShowering.jpg, and other such names, and each image was encoded with malicious code that would give the social engineer access on the user's computer. The results were that more than 75 percent of the images were clicked. What was found was the younger the star mentioned in the picture, the higher the click ratio. These disgusting and devastating facts show how well fulfilling people's desires can work. In person, too, it is no different. Police interrogators use this tactic for building rapport all the time. The guest told a story that proves this point about the power of rapport to make people comply with requests. The officers had arrested a man who was a peeping Tom. He had a fetish where he loved to invade the privacy of women who wore pink cowboy boots. The law enforcement, instead of judging him for the freak he is, used phrases like, "I like the red ones myself," and "I saw this girl the other day wearing short shorts and high cowboy boots, wow!" After just a short time he began to relax. Why? He was among likeminded people. He felt connected, part of the crowd. Their comments put him at ease and he began to spill his guts about his "habits." The preceding is a nice example of how to develop and build rapport, but how can you use it as a social engineer? You can build rapport in a matter of seconds by applying the principles of building rapport discussed earlier. 
-- The Five Fundamentals of Influence and Persuasion The five fundamentals of persuasion are crucial in obtaining any type of successful influence upon a target: • Setting clear goals • Building rapport • Being observant of your surroundings • Being flexible • Getting in touch with yourself Have a Clear Goal in Mind Not only should you have a clear goal in mind, you should even go so far as to write it down. Ask yourself, "What do I want out of this engagement or interaction?" As I discussed in Chapter 5, especially in relation to NLP, a human's internal systems are affected by his thoughts and goals. If you focus on something, you may be more likely to become it or get it. This doesn't mean that if you focus on the thought of getting one million dollars, you will get it. In fact, it is unlikely. However, if you had a goal of making one million dollars and focused on the steps needed to make that money, your goals, education, and actions would increase the likelihood of you achieving that goal. The same is true with persuasion. What is your goal? Is it to change someone's beliefs? To get him to take an action? Suppose a dear friend is doing something terribly unhealthy and you want to try and persuade her to stop. What is the goal? Maybe the end goal is to persuade her to stop, but maybe little goals exist along the way. Outlining all of these goals can make the path to influencing that person clearer. After setting the goal, you must ask yourself, "How will I know when I have gotten it?" I once listened to a training program offered by Jamie Smart, one of the world leaders on NLP, and he asked each person in the classroom these two questions: • What do you want? • How will you know when you have it? At this point, I paused the CD for the first question and answered for myself out loud what I wanted from this course. Then I pressed Play again and when he asked that second question, "How will you know you have gotten it?" I paused the CD again and was lost. 
It was clear to me that I didn't have a roadmap. I knew what I wanted out of that course, but I didn't know how to gauge when I had gotten it. Knowing what you want out of your engagements is an important aspect of influence and persuasion tactics. When you approach a target knowing what your goals are and what the indicators are that you are getting what you want, then you can clearly identify the path you need to take. Clearly defined goals can make or break the success of the influence tactics used by a social engineer as well as make the next step much easier to master. Rapport, Rapport, Rapport Chapter 5 has a whole section on rapport building. Read it, study it, and perfect your rapport-building skills. Developing rapport means that you get the attention of the person you are targeting and his unconscious mind, and you build trust within that unconscious portion. Mastering the skill of building rapport can change the way you deal with people, and when it comes to social engineering, it can change your whole methodology. To build rapport, start where the person you want to influence is mentally—try to understand their frame of mind. Are they suspicious? Are they upset, sad, or worried? Whatever emotional state you perceive them to be in, start from there. Do not focus on your goals as much as focusing on understanding the person. This is a very vital point. This means a social engineer must understand his target enough that they can imagine where they are consciously. What are the target's thoughts and state of mind? For example, imagine you want to influence your dear friend to want to quit smoking or doing drugs or something else. Notice you don't want to convince her to quit, but convince her to want to quit. Your goal cannot be about you, right? It must focus on the target. You can't start your conversation with what her addiction is doing to you and how much you hate the smell, and so on. The argument has to be what is in it for her. 
You cannot start the conversation with a verbal attack about what the person has done to you with their habit, but you need to understand where that person's frame of mind is, accept it, and come into alignment with it. Social engineering is much the same: you can't start where you are mentally. This is going to be a struggle for many people. Do you know why she smokes? Do you understand the psychological, physical, or mental reasons why? Until you can really get into her shoes, you cannot build a strong rapport and your efforts at influence will fail. In addition, you cannot always base the idea of building rapport on logic. I once was in the hospital with a dear friend who was dying from throat cancer. He had smoked for more than 40 years and one day he found out he had cancer. It spread fast, bringing him to the hospital to live out his last days. His children would come to visit and every now and then they would leave the room. I thought they were overcome with emotion. One time after they excused themselves I went out to comfort them and they were outside the hospital smoking! I was dumbfounded. I don't smoke and have no desire to, and although I can understand how strong an addiction can be, I couldn't understand how after seeing the pain their father was in, how they could raise a cigarette to their lips. Getting someone to want to do something is a blend of emotion and logic, as well as understanding and humility in many cases. Once I walked into an office I was going to do some work for and I had heard a funny comment outside, so when I walked in the main lobby I was chuckling. The woman behind the desk must have just done something embarrassing because when she saw me she immediately got angry and yelled at me, "It's not very funny and you are a jerk." Now I didn't know this woman and to tell you the truth I had a goal in mind that this interaction was not going to help. 
In addition, I felt insulted that she assumed I was laughing at her, and wanted to lash back at her. But instead, I saw she was upset. I got close to the counter so as not to embarrass her anymore, I looked her in the eye, and with sincerity said, "I am so sorry if you thought I was laughing at you. I was in the parking lot and some of your workmates were telling a story about a party over the weekend and I thought it was very funny." She looked at me and I could tell she was now even more embarrassed, so to save face for her, I loudly said, "Ma'am, I am sorry for laughing and embarrassing you." This allowed her to save face to those around us. She understood that I "took one for the team" and she responded with extreme kindness. A minute later she apologized and it worked to my benefit as I was given all the data I asked for, data I normally would have had to work very hard to get. A teacher I had once used to tell me to "kill them with kindness." That is a pretty powerful statement. Being kind to people is a quick way to build rapport and to establish yourself in the five fundamentals of persuasion and influence. One method to influence people using kindness and rapport is to ask questions and give choices that lead them to a path you want. For example, once I was influenced to take a job I really didn't want as part of a team effort. The team leader was very charismatic and friendly and had the "charm factor" that allowed him to speak to anyone. He approached me and said, "Chris, I wanted to talk to you separately from the team. I need a right hand for a small project. But the person needs to be a go-getter, self motivated. I think this is you, but I don't want to assume; what do you think?" I was excited and flattered by the compliments and the potential to be "important," so I responded, "I am a very self-motivated person. Whatever you need, tell me." The team leader continued, "Well, I am a big believer in leading by example. 
And I think you have that leadership quality. The problem is, some on the team do not, and they need a strong person to show them how it is done." Before the end of the conversation, what he wanted appeared as if it was my idea, which made it impossible to back out of. Powerful indeed, and all started with the power of persuasion. Be in Tune with Yourself and Your Surroundings Being aware of yourself and your surroundings, or sensory acuity, is the ability to notice the signs in the person you are targeting and yourself that will tell you that you are moving in the right direction or not. Many of the principles discussed in the previous chapter apply to persuasion. Reading body language and facial signs can tell you much about your influence on the person. To really master the dual art of influence and persuasion, you have to become a master watcher and master listener. -- I found, for myself, the ability to be observant proved to be easier for me after receiving some training from Dr. Ekman in microexpressions. I found afterward that not only did I become much more aware of what was going on with those around me, but also myself. When I felt a certain expression on my face, I was able to analyze it and see how it might be portrayed to others. This recognition of myself and my surroundings was one of the most enlightening experiences of my life. NLP experts promote minimizing your internal dialog when trying to influence others. If you approach the target thinking about the next stage of the attack, the end goal, or comebacks for potential conversation stoppers, that internal dialog can cause you to miss a lot of what is going on around you. Being observant takes a lot of work but the payoff is well worth it. Don't Act Insane—Be Flexible What do I mean by not acting insane and being flexible? One definition of insanity that's been floating around for years is "doing the same thing over and over and expecting different results." 
Being willing and able to flex is one of the keys to persuasion. You can think of this flexibility in terms of physical things. If you were tasked to persuade or bend something, would you rather it be a branch from a willow tree or a steel rod? Most people would say the willow branch because it is flexible, easier to bend, and makes the task