Tuesday, May 6, 2014

Communication Modeling


The more elaborate our means of communication, the less we communicate.

Communication is a process of transferring information from one entity to another. Communication entails interactions between at least two agents, and can be perceived as a two-way process in which there is an exchange of information and a progression of thoughts, feelings, or ideas toward a mutually accepted goal or direction.

This concept is very similar to the definition of social engineering, except the assumption is that those involved in the communication already have a common goal, whereas the goal of the social engineer is to use communication to create a common goal. Communication is a process whereby information is enclosed in a package and is channeled and imparted by a sender to a receiver via some medium. The receiver then decodes the message and gives the sender feedback. All forms of communication require a sender, a message, and a receiver.

Understanding how communication works is essential to developing a proper communication model as a social engineer. Modeling your communication as a social engineer will help us to decide the best method of delivery, the best method for feedback, and the best message to include.

Communication can take many different forms. There are auditory means, such as speech, song, and tone of voice, and there are nonverbal means, such as body language, sign language, paralanguage, touch, and eye contact.

Regardless of the type of communication used, the message and how it is delivered will have a definite effect on the receiver.

Understanding the basic ground rules is essential to building a model for a target. Some rules cannot be broken, such as communication always has a sender and a receiver. Also everyone has different personal realities that are built and affected by their past experiences and their perceptions.

Everyone perceives, experiences, and interprets things differently based on these personal realities. Any given event will always be perceived differently by different people because of this fact. If you have siblings, a neat exercise to prove this is to ask them their interpretation or memory of an event, especially if it is an emotional event. You will see that their interpretation of this event is very different from what you remember.

Each person has both a physical and a mental personal space. You allow or disallow people to enter that space or get close to you depending on many factors. When communicating with a person in any fashion, you are trying to enter their personal space. As a social engineer communicates they are trying to bring someone else into their space and share that personal reality. Effective communication attempts to bring all participants into each other’s mental location. This happens with all interactions, but because it is so common people do it without thinking about it.

In interpersonal communications two layers of messages are being sent: verbal and nonverbal.
Communication usually contains a verbal or language portion, whether it is in spoken, written, or expressed word. It also usually has a nonverbal portion—facial expressions, body language, or some non-language message like emoticons or fonts.

Regardless of the amount of each type of cue (verbal or nonverbal), this communication packet is sent to the receiver and then filtered through her personal reality. She will form a concept based on her reality, then based on that will start to interpret this packet. As the receiver deciphers this message she begins to unscramble its meaning, even if that meaning is not what the sender intended. The sender will know whether his packet is received the way he intended if the receiver gives a communication packet in return to indicate her acceptance or denial of the original packet.

Here the packet is the form of communication: the the words or letters or emails sent. When the receiver gets the message she has to decipher it. Many factors depend on how it is interpreted. Is she in a good mood, bad mood, happy, sad, angry, compassionate—all of these things as well as the other cues that alter her perception will help her to decipher that message.

The social engineer’s goal has to be to give both the verbal and nonverbal cues the advantage to alter the target’s perception so as to have the impact the social engineer desires.

Some more basic rules for communication include the following:

  • Never take for granted that the receiver has the same reality as you.
  • Never take for granted that the receiver will interpret the message the way it was intended.
  • Communication is not an absolute, finite thing.
  • Always assume as many different realities exist as there are different people involved in the communication.




Knowing these rules can greatly enhance the ability for good and useful communications. This is all good and great but

  • what does communication have to do with developing a model? 
  • Even more, what does it have to do with social engineering?



The Communication Model and Its Roots

As already established, communication basically means sending a packet of information to an intended receiver. The message may come from many sources like sight, sound, touch, smell, and words. This packet is then processed by the target and used to paint an overall picture of “What’s being said.” This method of assessment is called the communication process.

This process was originally outlined by social scientists Claude Shannon and Warren Weaver in 1947, when they developed the Shannon-Weaver model, also known as “the mother of all models.”

In a simple model, also known as the transmission model, information or content is sent in some form from a sender to a destination or receiver. This common concept of communication simply views communication as a means of sending and receiving information. The strengths of this model are its simplicity, generality, and quantifiability.

The Shannon-Weaver “mother of all models.”


Shannon and Weaver structured this model based on:
  • An information source, which produces a message
  • A transmitter, which encodes the message into signals
  • A channel, to which signals are adapted for transmission
  • A receiver, which “decodes” (reconstructs) the message from the signal
  • A destination, where the message arrives


They argued that three levels of problems for communication existed within this theory:


  • The technical problem—How accurately can the message be transmitted?
  • The semantic problem—How precisely is the meaning conveyed?


·     The effectiveness problem—How effectively does the received meaning affect behavior? (This last point is important to remember for social engineering. The whole goal of the social engineer is to create a behavior that the social engineer wants.)

Almost 15 years later, David Berlo expanded on Shannon and Weaver’s linear model of communication and created the Sender-Message-ChannelReceiver (SMCR) model of communication. SMCR separated the model into clear parts, as shown














You can think of communication as processes of information transmission governed by three levels of rules:

  • Formal properties of signs and symbols
  • The relations between signs/expressions and their users
  • The relationships between signs and symbols and what they represent


Therefore, you can further refine the definition of communication as social interaction where at least two interacting agents share a common set of signs and a common set of rules.

In 2008 another researcher, D. C. Balmund, combined the research of many of his previous cohorts with his own and developed the transactional model of communication, as shown below... The new and improved communication model




In this model you can see that the channel and message can take on many forms, not just spoken, as represented by the picture. The message can be in written, video, or audio form and the receiver can be one person or many people. The feedback also can take on many forms.

Combining and analyzing this research can help a social engineer develop a solid communication model. Not only social engineers can benefit from doing this—everyone can.

Learning how to develop a plan of communication can enhance the way you deal with your spouse, your kids, your employer or employees—anyone you communicate with.

Because the focus of this tutorial is social engineers, you need to analyze what a social engineer can take away from all of this.

After reading all this theory you may begin to wonder how this can be used. Remember, a social engineer must be a master at communication.

They must be able to effectively enter into and remain in a person’s personal and mental space and not offend or turn off the target. Developing, implementing, and practicing effective communication models is the key to accomplishing this goal. The next step then is developing a communication model.

Developing a Communication Model

Now that you know about the key elements of a communication model, take a look at them from the eyes of a social engineer:
The Source: The social engineer is the source of the information or communication that is going to be relayed.

The Channel: This is the method of delivery.

The Message: Probably the biggest part of the message is knowing what you are going to say to the receiver(s).

The Receiver(s): This is the target.

The Feedback: What do you want them to do after you effectively give them the communication?

How can you use these elements effectively? The first step into the world of communication modeling is starting with your goal. Try working with a couple of the scenarios that might be part of a typical social engineering gig:

Develop a phishing email targeted against 25–50 employees and attempt to have them go during work hours to a non-business website that will be embedded with malicious code to hack into their networks.

Make an onsite visit to portray a potential interviewee who has just ruined his resume by spilling coffee on it and needs to convince the front-desk person to allow a USB key to be inserted into a computer to print a copy of the resume.

When developing a communication strategy you may find working on the model in reverse order to be beneficial.

Feedback: What is your desired response? The desired response is to have the majority of the employees you send this email to click on it. That is ideal; of course, you might be happy with just a handful or even one, but the goal, the desired feedback, is to have the majority of targets click on the phishing link.

Receivers: This is where your information gathering skills come in handy. You need to know all about the targets.  

  • Do they like sports? 
  • Are they predominantly male or female? 
  • Are they members of local clubs? 
  • What do they do in their off time? 
  • Do they have families? 
  • Are they older or younger?

    • ·    The answers to these questions can help the social engineer decide what type of message to send.

    Message: If the target is predominantly 25–40-year-old males, with a few being part of a fantasy football or basketball league, your targets may click on a link about sports, women, or a sporting event.

    Developing the email’s content is essential, but also grammar, spelling, and punctuation are very important to consider. One of the biggest tip-offs to phishing emails in the past has been the bad spelling.

    Getting an email that reads like this: “Click here and enter ur pasword to verify ur account settings,” is a dead giveaway to its being a non-legitimate email. Your email must be legit with good spelling and an appealing offer that fits the target. Even with the same goal the message will change depending on gender, age, and many other factors. The same email would probably fail if the targets were predominately female.

    Channel: This answer to this element is easy, because you already know it is going to be an email.

    Source: Again, this element is a no-brainer, because you, the social engineer, are the source. How believable you are depends on your skill level as a social engineer.

    Scenario Two: USB Key
    The onsite scenario is a little more difficult to do because it is in person. You can only do so much to “spoof” your identity in person. In this scenario remember that you must have all these details in memory because you can’t be pulling out and using cue cards. It is also important to remember that oftentimes we have only one chance to make an impression. If we do a bad job at it, it can ruin the rest of the gig.

    Feedback: The goal with this scenario is to get the front desk receptionist to accept your USB drive that has a malicious program on it. The program will auto load and scrape her system for all information, such as usernames, passwords, email accounts, SAM files that contain all the passwords on the system, and more, copying it all to a directory on the USB drive. It also creates a reverse connection from the receptionist’s machine to your servers, giving you access to her machine and hopefully the network. I am fond of using the Metasploit framework or the Social Engineering Toolkit that ties in with Metasploit. Metasploit executes exploit code on its victims and it has a built-in handler called Meterpreter. The user can script many things like keylogging, screenshots, and recon from the victim’s machines.

    Receivers: Having one true target can be tricky because if your target is unreceptive to the idea, your plan is shot. You must be warm, friendly, and convincing. This must be done fast, too, because too much time will allow doubt to set in. But if you move too fast you can cause doubt and fear, killing your chances. A perfect balance must be accomplished.


    Message: Because you’re delivering the message in person, it must be clear and concise. The basic story is that you saw the ad in the paper for a database administrator and you called in and spoke to Debbie, the HR person. She said she was booked today but you should stop in and drop off a resume for her review and then meet her at the end of the week. While you were driving over, a squirrel ran out, causing you to slam on the brakes and causing your coffee to come out of the holder and spill in your bag, ruining your resumes and other stuff. Anyhow, you have another appointment but really need this job and wonder whether she would print you a fresh copy from your USB drive.

    Channel: You are going in person using verbal, facial, and body language communication.

    Source: Again, this is you as the social engineer, unless you have a good reason to have a stand in.

    Holding a coffee-stained folder with some wet papers in it can help sell the story. Looking dejected and not alpha-male-ish can also help sell it. Politely speaking to her and not using foul language will help her feel a liking to you and maybe even some pity. The USB key should contain a file called myresume.doc or myresume.pdf and be printable. PDFs are the most commonly used formats since most companies are running an older version of Adobe Reader that is vulnerable to many different exploits. Make sure the resume is in a format that allows for the most people to be able to open it—not some odd format.

    Most of the time people want to help. They want to be able to assist a person in distress if the story is believable as well as heart wrenching. For a special twist if you really lack a heart as a social engineer, you can put a spin on the story: On my way over, it was my turn today to drop my daughter off at school. When she climbed over the seat to give me a kiss goodbye she knocked over my coffee into my bag. I was already running late and closer to here than home; could you print me a fresh copy?

    Either way, this story usually works and will lead to the USB key being inserted into the computer and most likely a complete compromise of the receptionist’s computer, which can lead to a total compromise of the company.


    Posted by at
    Labels:

    No comments:

    Post a Comment

    Subscribe to: Post Comments (Atom)