Social Penetration Techniques and the Psychology of Influence

Social Penetration
Mike Bailey
Mike Murray

Social Engineering:

The practice of obtaining
confidential information by
manipulating users.

Source: Wikipedia

Social Media Applications are
“applications that inherently
connect people and
information in spontaneous,
interactive ways”

Mark Drapeau and Linton Wells
National Defense University (NDU)

The Tipping Point

http://1.media.tumblr.com/iNIi9iwtqk9wp2rxEL7NpIPVo1_500.jpg

http://www.blogohblog.com/wp-content/pop/2008/03/facebook_chart.gif

The Vulnerability Cycle

Human /
Network
Organization

Service /
Client
Server

Application

Getting Penetrated

• Three Main Issues
– We leak information
– We are vulnerable to each other
– The web browser

Information Leakage
• Intentional or Ignorance
• We leak a million things
– Images
– GPS Coordinates
– Picnic Flyers
– Group Messages/Conversations
– Job Postings
• If you can imagine it, you can find it.

Only two things are infinite: the
universe and human stupidity.
And I'm not sure about the former.
- Albert Einsten

12

Human Vulnerability
• Humans are social creatures
• Human nature makes us vulnerable to each
other
• Social engineers exploit weaknesses in
human nature to obtain information or
access

The Critical Faculty
• The hypnotist’s term for the part of the mind
that acts as the rational alert system
– Allows the human to act on largely unconscious
process
– Things raise to conscious awareness based on CF
activation
• This suggests that all SE success is CF-related
– Avoid activating critical-faculty
– We want the person to execute a task that is
inappropriate, yet fail to raise the CF alert to
conscious awareness 14

The Military Experiments
Would Military officers
disobey a direct order
under hypnosis?

Success in Social Engineering

Create a context that ensures
that the behavior we want is
completely appropriate.

The Basics
• This is third grade English class:
– Spelling
– Grammar
– Punctuation
• Most CF-activation is here
– Taught as base of much Sec Awareness
Training


Awareness
• Words are meaningless without awareness of
what is working
– Your awareness of others acts as a compass
– You need to see and hear the effect of your words
• Main components of awareness in face-to-face
– Body language
– Facial expressions
– Language Tone
• How do we do this in technological social
engineering?

Tone Analysis of Writing
• As native speakers of English, we infer
auditory tone into written word.

• Two main components:
– Word choice
– Punctuation

• Simple example


Tone in SE
• Back to the prime rule
– Tone needs to be natural and appropriate.

• Every situation has a tone and a feel for the
writing that is unlikely to activate the CF.


Actual Email from TD
Hello Michael Murray,

I appreciate your interest in viewing your TD Visa account information
using EasyWeb. Thank you for taking the time to write.

If you currently have an active EasyWeb profile but can not access your TD
Visa, you may have 2 separate customer profiles set up with TD Canada
Trust. For immediate assistance with correcting this situation, I
encourage you to call EasyLine toll free at 1-866-222-3456. A Banking
Specialist can combine your profiles if necessary, provided that the
personal information on both profiles match. Representatives are available
24 hours a day, 7 days a week. If you are not registered for EasyLine,
kindly press 2 and then 0 to speak with a representative. The combining
process usually takes about two days to complete, and once it is finished,
you should be able to view your entire personal portfolio via EasyWeb.

The Elements of Influence
• Cialdini and others have found that creating a frame with
certain elements can enhance influence
– Reciprocity
– Authority
– Social Proof
– Confirmation
– Scarcity / Urgency
– Emotional / Amygdala hijack
– Confusion
• Inserting these elements within a frame can strengthen
influence
– These are natural human responses
– We use these responses to create a context for influence

Confirmation
• Confirmation Bias
– That which confirms what we already
believe, we tend to believe.
– That which fails to confirm what we already
believe, we tend to ignore.

• The brain LITERALLY turns off
– No CF activation


During the run-up to the 2004 presidential election, while undergoing an fMRI bran scan, 30 men--
half self-described as "strong" Republicans and half as "strong“ Democrats--were tasked with
assessing statements by both George W. Bush and John Kerry in which the candidates clearly
contradicted themselves. . Not surprisingly, in their assessments Republican subjects were as critical
of Kerry as Democratic subjects were of Bush, yet both let their own candidate off the hook….

The neuroimaging results, however, revealed that…

"We did not see any increased activation of the parts of
the brain normally engaged during reasoning"

From: http://resonancetechnologies.com/press/articles/ThePoliticalBrain.pdf

Confirmation in SE
• Signal Theory
– Branch of economics relating to the
messages passed by inference
– E.g. A CEH is a signal that you have chosen
the path of an EH
• We need to give appropriate signals
– Tone
– Language
– Appearance

Back to TD
Hello Michael Murray,

I appreciate your interest in viewing your TD Visa account information using EasyWeb. Thank you for taking the time to write.

If you currently have an active EasyWeb profile but can not access your TD Visa, you may have 2 separate customer profiles set up with TD Canada Trust. For
immediate assistance with correcting this situation, I encourage you to call EasyLine toll free at 1-866-222-3456. A Banking Specialist can combine your profiles if
necessary, provided that the personal information on both profiles match. Representatives are available 24 hours a day, 7 days a week. If you are not registered for
EasyLine, kindly press 2 and then 0 to speak with a representative. The combining process usually takes about two days to complete, and once it is finished, you
should be able to view your entire personal portfolio via EasyWeb.

Best regards,

Debra Matsumoto
Internet Correspondence Representative
________________________________________
TD Canada Trust 1-866-222-3456
http://www.tdcanadatrust.com
Email: customer.service@td.com
TDD (Telephone Device for the Deaf) 1-800-361-1180

This email is directed to, and intended for the exclusive use of, the addressee indicated above. TD Canada Trust endeavours to provide accurate and up-to-date
information relating to its products and services. However, please note that rates, fees and information are subject to change.

We create relationships through trading value.
Temporary inequality creates powerful bonds.

Reciprocity == Investment
• The act of exchanging value
– I can do something for you
– You can do something for me.
• Both acts strengthen our bond.
– We become more invested in the relationship
– The more invested a person feels, the more likely they
are to be influenced by the relationship
• This is the Nigerian scam’s overwhelming
power
32

Scarcity
• People will take almost any opportunity for
their own gain
– Especially if the opportunity seems scarce
– If we have to hurry, the amygdala takes over
• This is a marketing tactic
– Infomercials
– Scams

34

“If you call in the next 15 minutes…”
Ron Popeil

Web Browsers
• Malicious Links
• Credential Theft
• XSS
• CSRF
• Abusing websites, not systems

So much more we could discuss…

So little time.

Keep an eye on: MadSecInc.com

Email us: mmurray@madsecinc.com
mbailey@madsecinc.com

Social Penetration Techniques and the Psychology of Influence

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (19)

Similaire à Social Penetration Techniques and the Psychology of Influence

Similaire à Social Penetration Techniques and the Psychology of Influence (20)

Plus de Security B-Sides

Plus de Security B-Sides (20)

Social Penetration Techniques and the Psychology of Influence