Ahh, social engineering. It’s something I’ve heard/read a lot about throughout the years, but I never really thought to take it to the next step and give it a shot (it’s got social in it after all, a word that pains us nerds). That all changed a few months ago, when on a whim I decided to start messing with people’s heads. Er, sorry, start trying to social engineer people. Why? Because I suck at human interactions, and I wanted a way to cheat. And learning how to do it well has some pretty cool benefits. So let’s talk about it.
Social Engineering: History
Know the definition of social engineering? Know about Mitnick and how he’s the Michael Jordan of it? Then skip this, it’ll get boring. Still with me? Ok then! Social engineering is basically just acting, when you get down to it. Acting like you belong somewhere you don’t. Acting like you’re someone you’re not, in order to get access to restricted areas/information/whatever. Just a bunch of acting, and being able to think on your feet when things start to go south.
The man who was the best of the best when it came to this stuff was Kevin Mitnick. If you haven’t read it already, I highly recommend reading The Art of Deception. In the book, Mitnick describes various social engineering attacks, why they work, and how to protect against them. If you want to be a social engineer, then learning why attacks work is by far the most valuable thing you can take away from the book, but it’s all quite interesting. The most successful social engineering attacks combine two things: Knowledge about a subject, and cold reading people in order to tell how far you can push for information before they get suspicious.
Most of the social engineering attacks in Mitnick’s book (and most attacks in real life) take the following form:
- Gather information about the target.
- Use that information to gain more information via social engineering.
- Repeat step 2 until you’ve got what you want.
That’s it. Easy to say, hard to do.
Defcon 20: The Hunt For An SDR
My first major foray in social engineering came a few months ago with Defcon 20. More specifically, it was during a challenge that my friend Alan and I entered that had a Software Defined Radio worth hundreds of dollars as the top prize. Now this is Defcon, people! Everyone is already super paranoid about their security at the con, because again, it’s Defcon! People have installed fake ATM machines in the convention space. People hacked toilets to flush nonstop whenever someone got close to them. People are doing all sorts of crazy things in the name of hacking, and everyone is on their highest alert. So what better time to try out some social engineering? After all, if it works at ALL on a bunch of paranoid hackers, it’ll be a walk in the park once I hit the real world.
So, back to the challenge. It ended up being a code reversal challenge, where you were given part of the source code of a program and a 10-key pad, and you had to figure out the right sequence of numbers to hit in order to score points. Alan did really well at the puzzle, I did not. Each day new code was released and people could score more points, and at the end of the second day (out of 3) we were in second place, very close behind the leader. With the last day of code being released in 8 hours, and me ever being the pessimist about our chances of winning, we hatched a plan. Each of the game cards had a unique set of public/private numbers, and one of the code paths allowed you to input a set of those public and private numbers and earn points. Basically, if you could figure out people’s private numbers, then you scored free points. I had done some shoulder surfing earlier in the day, and had about 5 sets of keys that we were waiting to use come the next day. But we weren’t happy with just 5, we wanted to be able to come back the next day with enough to triple the number of points the leader had. But how?
Social engineering! That’s what this post is about, man! Did you even read the title? Anyway, the next day Alan and I split up and decided to try our luck getting people to unknowingly get us player cards (or at the very least, get us player cards without knowing the real reason) so we could have as many public/private pairs as possible. The techniques I used varied immensely, and not all of them are your typical social engineering fodder. Hell, a few were just straight bribery. But end result, right? Here’s some of the things I tried:
- Telling people that I lost my card and that the booth people wouldn’t let me get a new one. Could you do a fellow hacker a favor and grab one for me? Sometimes it was grabbing a card for a friend that was in line for a talk, both seemed to work equally well.
- Bribing with beer. You look thirsty! Trade ya a beer for a player card! (I told you they weren’t all social engineering. Turns out bribery works well)
- Creating a story about a fictitious statistical analysis project that we were performing, but our sample size is just so small! Play the game, and then let me peek at the card?
- Telling people that the cards, once decoded, would grant access to a party that only people who solved the puzzle could get into (kind of like the Paul Dot Com party from a few years back, where you had to follow the clues to get access). But you have to do it in pairs. Want to go? Get a card, here’s your decoded key, see you at the party! Win/win scenarios seemed to be the way to go with this thing.
- Many other fabrications, many of which were only marginally successful or not successful at all.
People familiar with social engineering might look at that list and think to themselves “hey, that’s not real social engineering!” And they’d be half right. While it’s not a full blown social engineering attack, it was a great way to cut my teeth on the various skills required in social engineering, such as the art of cold reading people, and practicing coming up with fabrications on the spot in order to get people to do something for me. After a few minutes of trying, it became easy to tell if a person would be willing to help and what kind of story would work best for them. And all of that decision is made in the 5 seconds I had before approaching them or letting them pass me by.
The most interesting thing I learned from our little social experiment, however, was exactly how bad Alan was at social engineering. In the hour that I was talking to people and trying to get them to get me cards, I had succeeded around 30 times (and failed at least half that). Alan, in that same hour, had succeeded a whole four times. How in the hell could that be? I’m a scruffy dude who looks like he’s probably homeless, and Alan is a clean shaven, nice looking dude. What gives?
Why Alan Sucks, And I’m Awesome
As far as I can tell, Alan failed for two reasons. First, he’s a genuinely nice guy. People find it easy to get along with Alan, and he has a hard time lying to folks. Building a rapport with people you’re trying to social engineer is a good thing, but you also have to be able to stick to your fabrication and tell lies on the fly. Alan’s just too damn nice for that. The second reason Alan didn’t do so well is he spent a lot of time working on people that were clearly dead ends. He would get stuck talking to people about the challenge for 5 minutes, and they wouldn’t be interested in helping us. We were going for quantity of cards, so it was important to cut your losses as soon as you felt the person wasn’t going to cooperate. And he’s just too damn nice for that, too!
So then, why was I good at it? Again, I was not a trustworthy looking dude. Give me a cardboard sign and a freeway offramp to stand by, and I’d fit right in. But, unlike Alan, I find it pretty easy to lie to people. Practice has made perfect, in that regard. Being able to lie, and keep a straight face while doing so, makes it immensely easier to get people to help you out. And I picked my targets carefully, as I mentioned in passing above. After striking out a few times, you start to get a feel for who is likely to help and who isn’t, just by looking at them. The way they’re walking (are they in a hurry to get somewhere?), the number of people in the group they’re with (big groups are harder to get to help you, because you have to convince more people), hell, their physical appearance played a lot into my decisions as well (some people just look like assholes that won’t help. Some people look nice and easy to bend to your will. It’s hard to explain exactly why, but go watch people for a few minutes and tell me I’m wrong). And the last reason was I tailored each story to the type of person I was talking to. People who looked nicer got the lost card story, while people who looked less interested in helping were given the beer/party bribes. Picking your story for the type of person you’re dealing with is a huge part of it.
Practical Uses: The Workplace
One of the things I wanted to do when I started looking into social engineering was to find a way that, no matter what color hat you wear, the skill could be of some use. And it turns out, social engineering techniques are super useful in white hat settings, including on the job. It’s been my experience (and your mileage may vary here) that the most important part of most jobs is creating the perception that you’re a good/hard worker. You can work as hard as you want, but if you’re not being perceived as a hard worker then it’ll all be for naught. And what makes people see you as a hard worker, exactly? A majority of it is how things go between you and them when you interact. If people walk away from their interactions with you and they’re feeling good, then they’re likely to think you’re a good worker. If they leave dissatisfied, even if you’re doing your job flawlessly, they’re likely to think you’re bad at your job, and probably an asshole to boot!
So, how do we sway these people (some of whom directly affect how much we’re paid, or could easily make our working lives hell) into thinking we’re the bee’s knees? There are a lot of ways, and if you’re into hacking these types of social interactions, I highly recommend How To Win Friends And Influence People by Dale Carnegie. Two of my favorite techniques, that may or may not be in that book, are:
- Never say “no” to people that you’re trying to make more amicable towards you. Instead, tell them that you can do what they ask, but there are serious consequences to doing it. Hell, you can even make up scary sounding consequences on the fly in order to make people rethink their request. I’ve done this more times than I can count, and it works very well, especially if you say one of the consequences is an increased workload for the person asking.
- If you absolutely must give in to other people on things (in order to look the part of the “team player”), then offer up small concessions in order to appear flexible but not really lose much. Hell, if you’re really smart you can include small things that you know won’t make the cut, and offer those up as something you’re flexible on. That way, you appear willing to work with other people’s input, but really you get your way (which is a million times better anyway, right?) while getting the added bonus of being an evil genius. For example, from an article I read about game design a while back: An artist was working on a chess game, and his management team was notorious for tweaking things that didn’t need to be tweaked, just so they felt like they were contributing to the project. The artist, at the time, was working on the queen piece and so he added a flurry of birds (doves?) in the background whenever she moved, hoping (nay, knowing!) it looked bad and would get cut by management. And, lo and behold, the higher ups liked everything, except could you remove the birds from the animation?
Ok, so how does one actually get into social engineering? Pretty much the same way you do anything for the first time: dive right in, and fake it until you make it. Act like you’re a person who is good at social engineering, think like you’re a person that’s good at social engineering, and you’ll become someone who’s good at social engineering. Read as much as possible on the subject, and practice, practice, practice. I suggest starting with areas where you might be lacking skill. Take lies, for example (which Alan still sucks at. Heh). If you’re not a good liar, then start telling some small, white lies that don’t hurt anyone. Maybe test these victimless, white lies on your girlfriend or parole officer. For example:
“No baby, I didn’t go anywhere near strippers when I was in Vegas!”
“No sir, I’d never break parole by traveling to Nevada over the weekend!”
“I keep telling you, the underwear with the lipstick smears on them belong to Alan! They must have gotten in my bag somehow!”
For me, the areas I needed the most work were basically all parts of social interaction that didn’t involve lying. So, I suck at talking to people… what to do? I started forcing myself to talk to people I didn’t know, a couple a day. Especially women, I’m a huge pussy when it comes to talking up the fairer sex. It hurt, a lot. I was uncomfortable. But, slowly, I’m becoming less uncomfortable and more confident in what I’m doing. And confidence is 90% of social engineering.