A lack of
fear to talk to people and be in situations that are not considered “normal.”
- I truly do care for people, even if I don’t know them.
- I want to and enjoy listening to people.
- I offer advice or help only when I have a real solution.
- I offer a non-judgmental ear for people to talk about their problems.
These are
key elements to successful elicitation.
Elicitation
is used because it works, is very hard to detect, and is non-threatening.
Appealing to Someone’s Ego
Attacker: “You must have an important job; so and so
seems to think very highly of you.”
Target: “Thank you, that is nice of you to say, but my
job isn’t that important. All I do here is…”
The method
of appealing to someone’s ego is simplistic but effective.
One
caution, though: Stroking someone’s ego is a powerful tool but if you overdo it
or do it without sincerity it just turns people off.
You don’t
want to come off as a crazy stalker: “Wow, you are the most important person in
the universe and you are so amazing-looking, too.” Saying something like that might
get security called on you.
Using ego
appeals needs to be done subtly, and if you are talking to a true narcissist
avoid eye rolls, sighs, or argumentativeness when she brags of her
accomplishments. Subtle ego appeals are things like, “That research you did
really changed a lot of people’s viewpoints on…” or “I overheard Mr. Smith
telling that group over there that you are one of the most keen data analysts
he has.” Don’t make the approach so over the top that it is obvious. Subtle
flattery can coax a person into a conversation that might have never taken
place.
Expressing a Mutual Interest
Consider
this mock scenario:
Attacker: “Wow, you have a background in ISO 9001
compliance databases? You should see the model we built for a reporting engine
to assist with that certification. I can get you a copy.”
Target: “I would love to see that. We have been toying
with the idea of adding a reporting engine to our system.”
Expressing
mutual interest is an important aspect of elicitation.
This particular
scenario is even more powerful than appealing to someone’s ego because it
extends the relationship beyond the initial conversation. The target agreed to
further contact, to accept software from the attacker, and expressed interest
in discussing plans for the company’s software in the future. All of this can
lead to a massive breach in security.
The danger
in this situation is that now the attacker has full control. He controls the
next steps, what information is sent, how much, and when it is released. This
is a very powerful move for the social engineer. Of course, if the engagement
were long-term, then having a literal piece of software that can be shared
would prove even more advantageous. Sharing usable and non-malicious software
would build trust, build rapport, and make the target have a sense of
obligation.
Making a Deliberate False Statement
Delivering
a false statement seems like it would backfire off the top, but it can prove to
be a powerful force to be reckoned with.
Attacker: “Everybody knows that XYZ Company produced
the highest selling software for this widget on earth.”
Target: “Actually, that isn’t true. Our company
started selling a similar product in 1998 and our sales records have beaten
them routinely by more than 23%.”
These
statements, if used effectively, can elicit a response from the target with
real facts. Most people must correct wrong statements when they hear them. It’s
almost as if they are challenged to prove they are correct. The desire to
inform others, appear knowledgeable, and be intolerant of misstatements seems
to be built into human nature.
Understanding
this trait can make this scenario a powerful one. You can use this method to
pull out full details from the target about real facts and also to discern who
in a group might have the most knowledge about a topic.
Volunteering Information
As a social
engineer, offering up information in a conversation almost compels the target
to reply with equally useful information.
Want to try
this one out? Next time you are with your friends say something like, “Did you
hear about Ruth? I heard she just got laid off from work and is having serious
problems finding more work.”
Most of the
time you will get, “Wow, I didn’t hear that. That is terrible news. I heard
that Joe is getting divorced and they are going to lose the house, too.” A sad
aspect of humanity is that we tend to live the saying “misery loves company”—how
true it is in this case. People tend to want to share similar news. Social
engineers can utilize this proclivity to set the tone or mood of a conversation
and build a sense of obligation.
Assuming Knowledge
Another
powerful manipulation tool is that of assumed
knowledge. It is commonplace to assume that if
someone has knowledge of a particular situation, it’s acceptable to discuss it
with them. An attacker can deliberately exploit this trait by presenting
information as if he is in the know and then using elicitation to build a
conversation around it. He then can regurgitate the information as if it were
his own and continue to build the illusion that he has intimate knowledge of
this topic. This scenario might be better illustrated with an example.
Using the Effects of Alcohol
Nothing
loosens lips more than the juice. This is an unfortunate but true fact.
Mix any one
of the preceding five scenarios with alcohol and you can magnify its effects by
10.
Probably
the best way to describe this scenario is with a true story.
In 1980 a
senior scientist from Los Alamos National Laboratory traveled to a research
institute in the People’s Republic of China (PRC) to talk about his specialty,
nuclear fusion. He had extensive knowledge of U.S. nuclear weapons information
but knew the situation he was entering was dangerous and he needed to be
determined to stick to his topic.
Yet he was
constantly barraged with increasingly detailed inquiries directly related to
nuclear weapons. The attackers’ tactics would change and they would ask many
benign questions about fusion and astrophysics, his specialty.
Once they
even threw a cocktail party in his honor. They gathered around and applauded
his knowledge and research—each time with a toast and a drink. They began to
inquire about classified matters such as the ignition conditions of deuterium
and tritium, the two components in the then-new neutron bomb. He did well at
fending off the constant questions, but after many toasts and a party in his honor, he decided to give an
analogy. He mused to the group that if you rolled those two components into a
ball and then rolled them off the table they would most likely ignite because
they had such low temperature threshold levels.
This
seemingly useless story and information most likely caused the researchers in
China to discern a clear path of research on nuclear weapons. They would take
this information to yet another scientist and now armed with a little more
knowledge, use that knowledge to get to the next stage with him or her. After
many attempts, it is very likely the Chinese scientist would possess a clear
picture of what path to take.
This is a
serious example of how using elicitation can lead to gaining a clear picture of
the whole answer. In social engineering it may be the same for you. All the
answers might not come from one source. You may elicit some information from
one person about their whereabouts on a particular date, and then use that
information to elicit more information from the next stage, and so on and so
forth. Putting those nuggets of information together is often the hard part of
perfecting elicitation skills.
Using Intelligent Questions
As a social
engineer you must realize that the goal with elicitation is not to walk up and
say, “What is the password to your servers?” The goal is getting small and
seemingly useless bits of information that help build a clear picture of the
answers you are seeking or the path to gaining those answers. Either way, this
type of information gathering can help give the social engineer a very clear
path to the target goal.
How do you
know what type of questions to use?
The
following sections analyze the types of questions that exist and how a social
engineer can use them.
Open-Ended Questions
Open-ended
questions cannot be answered with yes or no. Asking, “Pretty cold out today,
huh?” will lead to a “Yes,” “Uh-uh,” “Yep,” or some other similar affirmative
guttural utterance, whereas asking, “What do you think of the weather today?”
will elicit a real response: the person must answer with more than a yes or no.
One way a
social engineer can learn about how to use open-ended questions is to analyze
and study good reporters. A good reporter must use open-ended questions to
continue eliciting responses from his or her interviewee.
Closed-Ended Questions
Obviously,
closed-ended questions are the opposite of open-ended questions but are a very
effective way to lead a target where you want. Closed-ended questions often
cannot be answered with more than one or two possibilities.
In an
open-ended question one might ask, “What is your relationship with your
manager?” but a closed-ended question might be worded, “Is your relationship
with your manager good?”
Leading Questions
Combining
aspects from both open- and closed-ended questions, leading questions are open
ended with a hint leading toward the answer. Something like, “You were at the
ABC Tavern with Mr. Smith on June 14th at around 11:45pm, weren’t you?” This
type of question leads the target where you want but also offers him the
opportunity to express his views, but very narrowly. It also preloads the
target with the idea that you have knowledge of the events being asked about.
In 1932 the
British psychologist Frederic C. Bartlett concluded a study on reconstructive
memory. He told subjects a story and then asked them to recall the facts
immediately, two weeks later, and then four weeks later.
Bartlett
found that subjects modified the story based on their culture and beliefs as
well as personality. None were able to recall the story accurately and in its
entirety. It was determined that memories are not accurate records of our past.
It seems that humans try to make the memory fit into our existing representations
of the world. When asked questions, many times we respond from memory based on
our perceptions and what is important to us.
Because of
this, asking people a leading question and manipulating their memory is
possible.
Assumptive Questions
Assumptive
questions are just what they sound like—where you assume that certain knowledge
is already in the possession of the target. The way a social engineer can
determine whether or not a target possesses the information he is after is by
asking an assumptive question.
For example, one
skill employed by law enforcement is to assume the target already has knowledge—for
example, of a person—and ask something like, “Where does Mr. Smith live?”
Depending on the answer given, the officer can determine whether the target
knows the person and how much she knows about hi
No comments:
Post a Comment