Killing Social Engineering

Part of a presentation I recently wrote for a security event.

Eh’den (Uri) Biber

I’ve been professionally involved in information security since 1987, having started hacking a few years before. I’ve witnessed information security become more and more sophisticated and advanced for both attackers and defenders. However, when it comes to what information security experts call “social engineering” – or, as I prefer to call it, human manipulation – it seems that little progress has been made.

After years of trying to understand how people can be influenced, prompted by my youngest son’s autism, which prevented him from communicating with us, I have spent the last year investigating the connection between neurology, human manipulation and information security. I’ve discovered a fascinating world, and the more I’ve learned, the more I felt that it’s time to kill social engineering as we know it.

It’s time to grow up; it’s time to approach the field via the scientific method.

Scientific method refers to a body of techniques for investigating phenomena, acquiring new knowledge, or correcting and integrating previous knowledge. To be termed scientific, a method of inquiry must be based on gathering empirical and measurable evidence subject to specific principles of reasoning.

(wikipedia)

Today the people known as experts in the field of social engineering use intuition, methods, practices, and sometimes technology to enhance their skills. But at the end of the day they will all admit that their success rate varies from one situation to another. If you ask for scientific reasons for their success or failure, they will provide answers rooted in psychological explanations; sometimes they will talk about micro facial expressions and body language reading, but none of them seem to focus on the root of everything – our human neurology.

This is also why all the information security awareness training I’ve seen (and sometimes wrote) was unscientific – the approach to the subject was based on endless assumptions; many of them were false and led to negative results. None of the social engineering training I saw was grounded in a factual, scientific explanation of why we are all susceptible to manipulation.

In the last 20 years humanity has discovered more about how our brain works than in the previous 2000 years, yet when it comes to information security we seem to disregard that progress. Why is it that when we go to a hacker conference we see presentations by people who go down to the core elements of the system they are hacking, but when it comes to human manipulation no one explains the issue from the perspective of human neurology?

In my presentation I will show how developments in science require us to move away from old paradigms, and how technological changes require us to abandon “social engineering” and start talking about human manipulation as a neurological phenomenon. All of us have embedded technology in our daily lives; even in Afghanistan people are connected to the Internet. The future of humanity is tied to our ability to provide current and future generations with an understanding of both why they can be manipulated and how technology plays an important role in it. I consider us, information security experts, to be educators. We have two choices – we can either help humanity reach a bright future or act like bystanders who watch a person destroying himself/herself without assisting him/her. Wayne Dyer, a famous American psychologist, says that responsibility is to respond with ability. It is our responsibility to make a change. Let’s not waste this wonderful, rare moment in time. Let’s begin…. NOW

(R.I.P. Social Engineering)

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Update – 13th of July, 2011.

Due to popular demand I’m adding a link to the first presentation I gave on the subject back in February. Please be advised that the current presentation has been totally rewritten from scratch, but for the sake of transparency I wish to include it as a reference.

So here you go, “Social Engineering in the 21st Century”, as given to distinguished members of the Dutch academic and research institute organizations.

15 thoughts on “Killing Social Engineering”

    • Hi Dan

      The article above is a short segment of a revised presentation I first developed for a Dutch security conference that took place this year. I developed it for the February event because I was unable to find even one “social engineering” expert who bases his/her approach to human manipulation on neurology.

      I don’t try to say that people who work in the field of social engineering are not good at human manipulation – some of them are really good – but so are politicians, and you don’t see politicians in information security events, especially in hacker conferences, standing on stage talking about the methods that make them successful human manipulators. They are performers, and while I can have high levels of admiration for a talented performer, I’m much more interested in both what causes them to be such great performers and what makes their target audience follow them. I think it’s about time that in the 21st century we start to use science to describe the way we think, and while I admire the work of Professor Paul Ekman on micro-expressions, people cannot ignore the fact that he developed the theory of emotion classification in 1972. That’s not only 5 years before the first MRI studies performed on humans were published, that’s also many years before MRI became standard research equipment in many universities.

      The fact that in the 21st century, which totally transformed humanity via the information revolution, you still see security experts who work in the field and base their work on such old methodologies is for me like a physics professor who tries to explain the universe without the theory of relativity.

      The closest thing to a scientific approach I’ve seen used by information security experts was mentioning meme theory, but even there I was unable to find academic papers that provide a correlation between different cultural memes and the level of susceptibility of individuals and societies with regard to information security. I was unable to find academic papers that try to relate information security awareness training to the state of human neurology. I really don’t wonder why organizations are being hacked all the time via the human factor.

      So yes, I’ve developed a theory on how we can approach the field of human manipulation which is based on neurology, and when I gave my talk in February I do acknowledge many of the people felt confused, and that’s OK. I was happy to be the first person who suggested abandoning the currently used framework and starting to approach human manipulation with a more scientifically driven method based on neurology, and I do plan to present more on the subject soon.

      Wishing you a great day
      U/B

  1. Howdy Uri, Thanks for the invite to read and correct your post.

    Did you even look for scientific research in this area? Not sure why you’re spending time ranting and never searched for the tremendous volume of hard-core research done in this area over the last 200 years. You seem to think Social Engineering (SE) is something new and just for the hacker crowd. Social engineering is a small section of the larger “cognitive psychology”. This includes marketing, advertising, therapy and treatment methodology,

    Let’s get your education started. Search Google for “cognitive science behavior change” then select the scholarly paper section. Only about 27,000 scientific articles in 2010 alone. All using the “scientific method”. The article “A time of change: Behavioral and neural correlates of adolescent sensitivity to appetitive and aversive environmental cues” might also help with your child. A group always meets at Defcon and discusses new scientific research. I’m always looking for new things as I work with Special Olympics athletics in my state.

    Almost every form of mental health therapy, marketing and advertising is based on the defined scientific work. Visit http://www.saladltd.co.uk/ for a site that will introduce you to the therapy side of what the computer crowd calls SE. You might want to review the archives for relevant articles.

    Personally, most people who proclaim to be SE “experts” and give talks have no real training in Psychology or Sociology, or even a knowledge that SE goes back to the Greeks. (Ekman? Please…) King Solomon has a great quote on SE. Darwin (yes, Charles) also did a vast amount of qualitative research on cross-cultural SE. Seems like you’re ready to be an “SE expert” now since you don’t really know the field.

    Now to correct you. Ekman just expanded on the work of Darwin, who expanded the works before him, all the way back to the Greeks. Please check Plato’s Meno for some of the first written records of what I call cognitive science. Here’s a site to get you started on improving your knowledge: http://en.wikipedia.org/wiki/Cognitive_science

    “I was happy to be the first person that suggested to abandon the current used framework and start to approach human manipulation in a more scientific driven method which is based on neurology, and I do plan to present more on the subject soon.” Really? You’re the first? Have to add you to my next text book chapter. Must be tough to be older than Plato.

    Thanks for letting me know about this blog, but it seems your knowledge of SE is only driven by your lack of research, training or even awareness in this field. Do the homework I have assigned you, then write something thoughtful. Please. We have enough crap on SE coming from IT people.

    • Dear Brad
      Thank you so much for your comment.

      Yesterday I was forced to spend 9 hours in the ER for a test that eventually took less than 10 minutes – but until that test I waited 8 hours. While I would never recommend the ER as a vacation resort to anyone, this time I had a nurse who seemed as if her only purpose in that shift was to drive me crazy. She was unfriendly, extremely negative, and at some point connected the infusion to me in a way that was very painful, and when I said “wow, that hurts” she simply giggled. Later, I discovered that she forgot to let the infusion run as it was supposed to, and finally, when I came back from my test, the doctor asked her to remove the infusion needle and she pulled it out like someone tearing a branch out of a tree. As I received the release letter there was this part of me that wanted to go and tell that nurse exactly what I thought about her – but I didn’t. I left the hospital, walked over to buy something to eat after a day of fasting – and then I received a message on my mobile that I’d got a new comment on my blog – from Brad theNURSE.

      Coincidence? I don’t think so 🙂

      As you know (because we exchanged emails about it) my original impulse was to reply to what you wrote: tell you exactly what I think about it, answer everything you wrote, correct you, show you – play the game. Thank God there was a voice that reminded me that it was my ego that wanted to reply to you in such a way, and that by doing so I would not achieve anything – the same way that I would not have achieved anything if I had gone to that nurse in the ER and told her what I felt about her. I know that the only thing to do is to accept you and your comment in the same way I’ve chosen to accept the nurse – with love and forgiveness. I will go through the experience which is you by accepting you and your suggestions without trying to correct you, but by listening to you. My heart is bleeding for you, I feel you, I feel your pain, and I love you deeply from within my heart. Please forgive me, forgive yourself….. I am here to accept you as you are. My friend, we are all part of the unity. Thank you for teaching me that lesson.

      Namaste
      Uri

  2. My point of view is very clear on this: there are people who have the gift of being good communicators, friendly, social, outgoing, etc. They don’t know sh**t about cognitive awareness, Neuro-linguistic programming, cognitive science, research, etc, etc., and I have seen a very specific case where a guy managed to convince a large group of smart engineers that he was a very good IT Security consultant, and managed to get everybody to trust him; however, this guy was so dumb that he didn’t even know how to change the fonts in a Word document. The amazing thing is that it happened in an IT Security group, where people are supposed to be “security aware”. He could have been a cyber criminal, but everybody trusted/liked him.
    Social engineering is not in science, is not in speeches, is not in lectures; it is a skill or gift that a person has to make us feel comfortable, to make us trust him, and to make us believe he is “a good guy”. Nothing can protect you against that; we humans have the tendency to trust and to create social relationships based on our common interests, and once again you can be fooled, even if you have a post-doc in Social Engineering prevention.

    The gap between the theory and the reality in this area is huge.

    • Hey Paul
      Thanks for the comment, and the example you gave. If I got you right, you say that when a person is extremely good at human manipulation, either because he studied it or because he has a natural talent, it would be very hard to catch him, and that there is a huge gap between theories in the field and reality. If that’s what you’re saying then you are right.

      What I was looking into in the last year was the neurological reasons why we are so susceptible to such influence, how much brain flexibility (or, as it’s called, “neuroplasticity”) we have to alter any given state we are in – including the ability to identify extremely good human manipulators – and how we can make that flexibility better.

      Our perception is dictated by our own neurology, which is a biological product of evolution. A brain is a life management system, and neurology is the core component of that life management system. The problem is that the part of the brain that we are aware of is just a glimpse of the neuroactivity that occurs in it. To make things even more complex, many of what we consider human qualities can be found even in bacteria colonies, yet the difference is that those bacteria have no ability to understand what they do, or to think about it – while we do, and many times we attach our own personal/cultural/social description to very basic life elements.

      Which brings me back to my view of the subject of human manipulation – I believe that the more you know about why we come up with decisions and feelings, the more we detach ourselves from our own interpretation of reality and the more we allow ourselves to use meta-cognition or mindfulness. The more we develop the ability to correlate cultural memes and technological development with the influence they have on different neurological structures in our life management system (AKA the brain), the more we will allow ourselves to know when someone is trying to manipulate us. When we understand the dependencies we have on other human beings and on nature, when we see ourselves as part of one ecosystem on one planet, we will then be able to provide ourselves and others with an objective cognitive toolkit to handle the now. In universe terms humans are not even a virus, yet each and every one of us walks around with a great sense of self that is based on a glimpse of the reality the universe is radiating all around us. This is where science can make a difference; this is where scientific tools can be developed to provide us shelter from being manipulated in an unconscious way by our own senses.

      Wishing you a great day
      Uri

      PS
      Do I know that guy you talked about? He sounds like a master of disguise!
      ROTFL

    • (here’s a copy of the reply I left for the writer)

      Hi man
      Thanks for the insights! Using a western name reminds me of something – back in the mid 90s I was a computer hardware specialist working in a big non-profit organization, and we were about to buy a huge amount of computer hardware we were planning to install in primary schools throughout my country. So I and the chief procurement officer of the organization did what everyone did in those days – we went to CeBIT, one of the world’s biggest computer exhibitions, which takes place in Hanover, Germany. This was the place to do business with international companies, where German companies used to hire hotel rooms 3 years in advance because of the number of visitors. A huge exhibition that seems to stretch forever (not to mention the distance from the parking lot to the exhibition ground itself). The days when OS/2 marketing was almost as bad as Microsoft’s programmers 🙂

      Anyway, this brings me to an understanding I just had: one of the things I remember that was strange to me at the time is the fact that all our contact people from all the companies from Taiwan that we worked with had a western name on top of their Chinese names. I’m talking about the days when “It’s made in China” was a way for people from the US and Germany and Japan and even Taiwan to insult the quality of the cheapest brands in the market that were manufactured in China (I guess we all know who is joking now). In those days the idea of adding another name to myself such as “Tony” or “John” just so other people could remember it was really weird. Hey – I’m Uri! But now I do understand that the reason they invented such names is rooted in the neurological fact that when we are young we can process all the various sound waves – but we lose that capability after a few months. The people in Taiwan knew that it was impossible for many people in the west not only to correctly pronounce their names, but also to remember them. A western name allowed the people they worked with to remember their names. And let’s be honest – in many parts of eastern Asia the population had to do it because they were occupied by western countries for a long period of time.

      If a name is a mental object, it is easier for us to remember a known name of someone than a very unique one that we can’t even pronounce correctly (unless we have an emotional relationship with that person, in which case it will trigger our hippocampus in a way that will allow us to remember him). And so… we closed another cycle.

      Have a great day
      U/B.

  3. I leave a response each time I especially enjoy an article on a website or if I have something to add to the conversation.

    Usually it is a result of the fire displayed in the post I looked at. And after this article, Killing Social Engineering | Infoseq with a Q, like Quantum Physics, I was actually moved enough to leave a thought 🙂 I do have a couple of questions for you if it’s okay. Could it be just me or does it look like some of these remarks appear as if they are left by brain-dead visitors? 😛 And, if you are writing on other sites, I’d like to keep up with you. Could you list every one of your communal sites like your LinkedIn profile, Facebook page or Twitter feed?

    • Hi Sima
      Sorry for the late reply, I was tied up by… well, let’s just say the lady who tied me up is beautiful and I really love her, but enough about lady luck 🙂
      I’m writing (finalizing) a long article that is starting to resemble a book… but in the meanwhile, I’m always reachable via my Twitter, which is BlueSkyOfLove … feel free to tweet me 🙂
      Cheers
      Uri
