Social Engineering - Christopher Hadnagy [98]
Have you ever driven all the way to work and when you get there, you can’t remember what billboards you passed, what route you took or that traffic accident on the news? You were in a state of mind where your subconscious took over and did what you always do without your consciously thinking about every turn.
Most decisions people make are like this. Some scientists even believe people make decisions in their subconscious up to seven seconds before acting on them in the real world. When people finally do make a decision consciously, they do it from more than just what they hear—sight, feelings, and emotions become involved in the decision.
Understanding how humans work and think can be the quickest way to create a buffer overflow, or an overflow of the natural programs of the human mind, so you can inject commands.
Fuzzing the Human OS
In actual software hacking, a method called fuzzing is used to find input-handling errors that can be exploited to give control to a malicious hacker. Fuzzing is where the hacker throws random data of differing lengths at the program to see what makes it crash because it cannot handle the data. That crash gives the hacker a path to inject malicious code.
Just like fuzzing a program, you must understand how the human mind reacts to certain types of data. Presenting people with different sets of decisions or different sets of data, then seeing how they react can tell us the “programs” they are running. Certain laws in the human mind seem to be inherent that everyone follows.
For example, if you approach a building with two sets of doors (one outer and one inner) and you hold the first set open for a complete stranger, what do you think he will do next? He will either hold the next set open for you or make sure that set stays open until you get inside.
If you are in a line of merging traffic and you let a complete stranger merge in front of you, then most likely, if you needed to merge later on, he would let you in without even thinking. Why?
The reason has to do with the law of expectations, which states that people usually comply with an expectation. Decisions are usually made based on what that person feels the requestor expects him or her to do. One way you can start sending your malicious “data” to the brain program is called presupposition.
By giving the target something first, the request you make next will be “expected” to be followed. A simple example for you to test is with the doors. Hold a door for someone and most likely that person will at least make an attempt to ensure the next set of doors is open for you. A social engineer can do this by first giving the target a compliment or a piece of information they deem valuable, before the request is made. Giving that over first creates in them the need to comply with a future request, because compliance is what is expected.
Presupposition can be described best via an example:
“Did you know my next door neighbor, Ralph, always drives a green Ford Escort?”
In this sentence you presuppose:
I know my neighbor.
His name is Ralph.
He has a driver’s license.
He drives a green car.
To use presupposition effectively you ask a question using words, body language, and a facial expression that indicates what you are asking is already accepted. The basic gist of this method is to bypass the “firewall” (the conscious mind) and gain access directly to the “root of the system” (the subconscious). The quickest way to inject your own “code” is through embedded commands, discussed next.
The Rules of Embedded Commands
Some basic principles of embedded commands make them work:
Usually the commands are short: three to four words.
Slight emphasis is needed to make them effective.
Hiding them in normal sentences is the most effective use.
Your facial and body language must support the commands.
Embedded commands are popular in marketing with things like:
“Buy now!”
“Act now!”
“Follow