Posted Aug 17, 1999

The Psychology of Social Engineering: Text of Harl's Talk at Access All Areas III, 05/07/97

tags | paper
MD5 | c3d8d300270cff0b674a874da513bc73


<title>DMS - Social Engineering</title>
<body bgcolor="#ffffff" text="#000000" link="#c0c0c0" vlink="#c0c0c0">
<b><samp><font size=8 color=#ff0000>People Hacking:</font></samp></b><br>
<b><samp><font size=5 color=#ff0000>The Psychology of Social Engineering</font></samp></b><p>
<b><samp><font size=4 color=#ff0000>Text of Harl's Talk at Access All Areas III</font></samp></b><br>
<b><samp><font size=4 color=#ff0000>05/07/97</font></samp></b><br>
<b><samp><font size=5 color=#ff0000>What is Social Engineering ?</font></samp></b><br>
Basically, social engineering is the art and science of getting people to
comply with your wishes. It is not a form of mind control: it will not allow
you to get people to perform tasks wildly outside their normal
behaviour, and it is far from foolproof.<p>

It also involves far more than simply quick thinking and a variety of
amusing accents. Social engineering can involve a lot of 'groundwork',
information gathering and idle chit chat before an attempt at gaining
information is ever made. Like hacking, most of the work is in the
preparation, rather than the attempt itself.<p>

You may think this talk is a weak excuse to demonstrate how these
techniques can be used for hacking. OK, fair enough. However, the only way
to defend against this sort of security attack is to know what methods may
be used. With this knowledge it is possible to pick up on these techniques
being used against either you or your company, and to prevent security
breaches before anyone gets near your data. A CERT-style security alert
with few details is pointless in this case. It would simply boil down to
"Some people may try to get access to your system by pretending some things
are true. Don't let them." As usual, no help whatsoever.<p>

<b><samp><font size=5 color=#ff0000>So What ?</font></samp></b><br>
Social engineering concentrates on the weakest link of the computer
security chain. It is often said that the only secure computer is an
unplugged one. The fact that you could persuade someone to plug it in and
switch it on means that even powered down computers are vulnerable.<p>

Also, the human part of a security set-up is the most essential. There is
not a computer system on earth that doesn't rely on humans. This means that
this security weakness is universal, independent of platform, software,
network or age of equipment.<p>

Anyone with access to any part of the system, physically or electronically,
is a potential security risk. Any information that can be gained may be
used to social engineer further information. This means that even people
not considered part of a security policy can be used to cause a security
breach.<p>

<b><samp><font size=5 color=#ff0000>A big problem ?</font></samp></b><br>
Security professionals are constantly being told that security through
obscurity is very weak security. In the case of social engineering it is
no security at all. It is impossible to obscure the fact that humans use
the system or that they can influence it, because as I stated before,
there isn't a computer system on earth that does not have humans as a part
of it.<p>

Almost every human being has the tools to attempt a social engineering
'attack', the only difference is the amount of skill used when making use
of these tools.<p>

<b><samp><font size=5 color=#ff0000>Methods</font></samp></b><br>
There are several methods of steering an individual towards completing
your task. The first and most obvious is simply a direct request, where an
individual is asked to complete your task directly. Although least likely
to succeed, this is the easiest and most straightforward method. The
individual knows exactly what you want them to do.<p>

The second is by creating a contrived situation of which the individual is
simply a part. With more factors than just your request to consider, the
individual concerned is far more likely to be persuaded, because you can
create reasons for compliance other than purely personal ones. This
involves far more work for the person making the attempt at persuasion,
and almost certainly involves gaining extensive knowledge of the 'target'.
This does not mean that the situation need not be based in fact: the fewer
untruths the better.<p>

One of the essential tools used for social engineering is a good memory
for gathered facts. This is something that hackers and sysadmins tend to
excel in, especially when it comes to facts relating to their field. To
illustrate this I am going to perform a small demonstration....<p>

[Demonstration here. This basically showed that with social pressure an
individual will conform to a group decision, even if it is obviously the
wrong choice.]<p>

<b><samp><font size=5 color=#ff0000>Conformity</font></samp></b><br>
Even in cases where a person is sure they are right it is possible to
cause them to act in a different manner. If I had simply asked the last
person on their own what the middle word was they would have given me the
correct answer and no matter how much I tried to persuade them they
probably wouldn't have changed their mind.<p>

However, this group setting was a vastly different situation. It had what
psychologists call 'demand characteristics', that is, the situation placed
strong social constraints on how the participants should act. Not wishing
to offend the other people, not wanting to look dozy in front of a large
audience, and not undermining the views of the other well-respected
participants all led to a decision to 'go with the flow'. Using situations
with these characteristics is an effective way of guiding people's
behaviour.<p>

<b><samp><font size=5 color=#ff0000>Situations</font></samp></b><br>
However, most social engineering is conducted by lone individuals, and so
the social pressure and other influencing factors have to be constructed
by creating a believable situation in which the target feels immersed.<p>

If the situation, real or imagined, has certain characteristics then the
target individual is more likely to comply with your requests. These
characteristics include:<p>

<li>Diffusion of responsibility away from the target individual. This is when
the individual believes that they are not solely responsible for their

<li>A chance for ingratiation. Compliance is more likely if the individual
believes that by complying they are ingratiating themselves with someone
who may give them future benefits. This is basically getting in with the

<li>Moral duty. This is where an individual complies because they feel it is
their moral duty to. Part of this is guilt. People prefer to avoid guilt
feelings and so if there is a chance that they will feel guilty they will
if possible avoid this outcome.<p>

<b><samp><font size=5 color=#ff0000>Personal persuasion</font></samp></b><br>
On a personal level there are methods that make a person more likely to
co-operate with you. The aim of personal persuasion is not to force people
to complete your tasks, but to enhance their voluntary compliance with your
request.<p>

There is a subtle difference. Basically, the target is simply being guided
down the intended path. The target believes that they have control of the
situation, and that they are exercising their power to help you out.<p>

The fact that the benefits the person will gain from helping you out have
been invented is irrelevant. The target believes they are making a reasoned
decision to exchange these benefits for a small loss of their time and
energy.<p>

<b><samp><font size=5 color=#ff0000>Co-operation</font></samp></b><br>
There are several factors, which if present will increase the chances of a
target co-operating with a social engineer.<p>

The less conflict with the target the better. Co-operation is more readily
gained when the softly-softly approach is used. Pulling rank (or invented
rank), annoyance or orders rarely work as effective coercion.<p>

The 'foot in the door' factor is where the focus of a persuasion attempt
already knows you or has had experience of dealing with you. This is
particularly effective and was known to con men as the 'confidence trick'.
Psychological research showed that people are more likely to comply with a
large request if they have previously complied with a far smaller one. If
this 'foot in the door' includes a positive history of co-operation, where
things have gone well in the past, then the chances of co-operation are
greatly increased.<p>

The more sensory information a target can gain from a social engineer the
better. This is especially true of sight and sound: you are more likely to
be believed if the target can see and hear you than if they can only hear
your voice over the phone. Unsurprisingly, ASCII text communications do
not lend themselves to persuasion. It is very easy to refuse someone via an
IRC-style chat.<p>

<b><samp><font size=5 color=#ff0000>Involvement</font></samp></b><br>
However, success does depend a lot on how involved a person is in the
request you are making. We can say system administrators, computer
security officers, technicians and people who rely on the system for
essential work tools or communication are highly involved in most social
engineering attacks by hackers.<p>

Highly involved people are persuaded better by strong arguments. In fact,
the more strong arguments you give them the better. Surprisingly, it's not
the same for weak arguments. Someone highly involved in the attempt at
persuasion is less likely to be persuaded if you give them weak arguments.
When someone is likely to be directly affected by a social engineering
attempt, weak arguments tend to generate counter-arguments in the target's
head. So for highly involved people, the rule is more strong arguments,
fewer weak arguments.<p>

People are classed as low involvement if they have very little interest in
what you are asking them to do. Relevant examples might be security
guards, cleaners, or receptionists at a computer system site. Because low
involvement people are not likely to be directly affected by a request,
they tend not to bother analysing the pros and cons of persuasive banter.
Instead it is common for a decision to agree with your request or not to
be made based on other information. Such information could be the sheer
number of reasons the social engineer gives, the apparent urgency of the
request or the status of the person trying to do the persuading. The rule
of thumb here is simply the more arguments or reasons the better.
Basically, people who aren't involved in what a social engineer is trying
to achieve will be more persuaded by the number of arguments or requests
rather than how relevant they are.<p>

One important point to note is that less competent people are more likely
to follow more competent models. In the case of computer systems this is
likely to be low involvement people. The moral of these points is, don’t
try and social engineer the sysadmin, unless of course the sysadmin is
less competent than you are, which as we all know is very unlikely.<p>

<b><samp><font size=5 color=#ff0000>Securing against human attacks</font></samp></b><br>
With all this information, how would someone go about making their
computer system more secure? A good first step would be to make computer
security part of everyone's job, whether they use a computer or not. This
will not only boost their self-perceived status at no extra cost to you,
but will make staff more vigilant. If you make someone involved in keeping
your computer system secure, they are more likely to pay closer attention
to unauthorised individuals trying to gain access to a system.<p>

However, the best defence against this, as with most things, is education.
Explaining to employees the importance of computer security, and that there
are people who are prepared to try and manipulate them to gain access, is
an effective and wise first step. Simply forewarning people of possible
attacks is often enough to make them alert enough to spot them. Remember
to give both sides of the story when educating people about computer
security. This isn't just my personal bias. When individuals know both
sides of an argument they are less likely to be dissuaded from their chosen
position. And if they are involved in computer security, their chosen
position is likely to be on the side of securing your data.<p>

People who are less likely to comply with persuasion tend to share certain
attributes. Less compliant people tend to be pretty bright, highly
original, able to cope with stress and reasonably self-confident. Stress
management and self-confidence can be taught, or at least enhanced.
Self-assertion courses are often used for management employees; this
training is excellent at reducing the chances of an individual being
socially engineered, as well as having many other employment benefits.<p>

What this comes down to is making people aware of, and involved in, your
security policy. This takes little effort and gives great rewards in terms
of risk reduction.<p>

<b><samp><font size=5 color=#ff0000>Conclusion</font></samp></b><br>
Contrary to popular belief, it is often easier to hack people than
sendmail. But it takes far less effort to have employees who can prevent
and detect attempts at social engineering than it is to secure any unix

Sysadmins, don't let the human link in your security chain let your hard
work go to waste. And hackers, don't let sysadmins get away with weak
links, when it is their chains that are holding your data.<p>
# # #<p>
(c) Harl 1997. All rights reserved.

