Sunday, November 3, 2019

Book review - Social Engineering: The Art of Human Hacking

"Sir, you can't board this train with your bicycle"
I faced this statement (or something that conveyed its message in different wording, the translation from Hebrew isn't exact) from a train employee a while ago. As luck would have it, I was just listening to Christopher Hadnagy's "Social Engineering: The Art of Human Hacking", and thus went on to try and board the outcome - I burdened the employee with a barrage of accusations, making him responsible for my situation ("You're stranding me here at the airport after I bought a ticket and used it to get here to my connecting train", "what do you expect me to do now?"), claimed for precedence ("I've been boarding the train with my bike yesterday, and the day before", "why do you change the rules?") and applied time pressure ("Look, you are causing me to miss my train"). After a couple of minutes of arguing, he came to the conclusion that "If I can't see it, I can't stop you, if you would wrap it in your bike-case it's not my fault I didn't see it".
Ordinarily, I would have just thought it was me arguing and getting my way with it, but as you can see - I was employing several tactics to get what I wanted - I counted on the employee's empathy and the fact that he didn't want to be the bad person, added time pressure and offered an escape route that allowed him to save face in the form of "what if the bike had been covered?". I believe being aware of what I was doing helped me "win" this argument, and it sure did make me feel  uneasy a about how "evil" I was acting - consciously putting pressure on someone who was simply doing his job.

Since I neglected my blog for too long due to a multitude of things taking up my time and energy, I thought a good way to start writing again is with a task that have been waiting for quite a while now - a review of "Social Engineering: The Art of Human Hacking" by Christopher Hadnagy which is the first audiobook I listened to twice.

The first thing one should know about this book is that listening to it is a bit scary, as the book shows time and again how reasonable human behaviour can be (and is)  exploited to cause harm and then goes on to say "and were I a real malicious attacker, I would have take this to the next level by...". Apart from that, this book is a great first step in becoming a professional security engineer, and provides the next steps of practice in each step.
After listening to this book, there are two takeaways I continue with:
First - Regular, day-to-day human behaviour can be exploited in way most people don't imagine and leveraged in ways far more serious than one might expect.
Second - Despite the first point, defending against social engineering does not require behaving like a heartless automaton. Most of the times, it is enough to pause for thinking and double checking before acting.

In a nutshell - that's it. However, there's much more to this book, which is very well organised to topics.
First we start by trying to define social engineering, or SE, for short. This, perhaps, is the only place in the book where I think the author is not doing the reader justice. The book dwells on the rather blurry line between influencing a person for their own benefit (e.g. - convincing someone to quit smoking) and persuading them to act in favor of our own interest and against their own. The book claims a simple truth - the same skills and techniques used by malicious social engineers can be used in a variety of other, benevolent actors. A doctor will try to persuade their patients to take on healthier habits, a teacher will "educate" students and a friend might put some pressure on you to take that vacation you've been yammering on for ages. Still, in my eyes, the book is trying to paint a nice picture over a term that is used almost exclusively for actions that are, at least, unauthorized and most of the times - straight out malicious. The examples in the book in later chapters also fall in line with this approach and are portraying examples of misleading, putting pressure on people and in all ways get the upper hand of the victims.
Following on, the book goes on presenting the SE framework (more details can be found here) and the different skills and activities that comprise it.
First thing's first, the 2nd chapter is all about information gathering, showing how some trivial details can be used as a stepping stone to further attacks. For instance,knowing that someone is a stamp collection enthusiast is a good way to lure them to a malicious website claiming that you've inherited a stamp collection from your late grandfather and made a website with the stamps to be sold. Besides some examples on how destructive random bits of information can be in the wrong hands, the book mentions some tools such as BasKet and Dradis to organize the data, and points out to common sources of information - from social media and search engines to job adverts, whois registry, personal blogs and even simple physical reconnaissance and dumpster-diving (which, the book says, you should do with dark cloths and a good pair of boots). The chapter then goes on to the seemingly irrelevant topic of communication models, It's quite interesting, at least from the theoretical viewpoint, and it provides a nice way to break down any single social engineering "scene" (e.g. - sending a phishing email, having a conversation with a target), but it is not really a part of information gathering - a communication model can be used wen planning an information gathering strategy, but at the same time, it requires the information already gathered to succeed. Based on the Shannon-Weaver model of communication a social engineer can ask more specific questions: what is the type of feedback I want from the receiver? what sort of message would work best? what channel is the most effective way to communicate my message?

Next on the menu is the mysterious skill called "elicitation" and apparently that's a real word. Its meaning, in case that you are not familiar with it, is "drawing out". In our context, it's about drawing information out of our target. I assume that it can be used also to invoke an action (such as keeping one door open for a person, creating the expectation they'll hold the next door for you, which just happens to be the one you need a key card for) but the book does not dwell much on that aspect after mentioning that the goal of elicitation is to make the target take an action to the attacker's advantage - as small as answering a question or as big as providing access to a restricted area. The book lists some elicitation techniques, from simple ones that range between simply asking a direct question  and getting people tipsy and talkative to more elaborate schemes that may involve pretexting (see below) and preloading the target with information and emotions that will make them more susceptible to your suggestion.

I mentioned pretexting, right? because that's the topic of chapter 4.
A pretext, in laymen terms, is the image one projects about themselves. For instance, I go to work every day, carrying the pretext of a professional software tester. A social engineer might display pretexts that will mislead people - posing as an IT expert, as a worried father or as a pissed off customer. An important point this chapter makes: A pretext doesn't have to be a lie. In fact, it is much easier to pull of a pretext if you are using your own interests and knowledge as part of it. In fact, one of the dangers in pretexting is trying to pull off something completely foreign to you. For instance, I couldn't build, even in a month of intense research, the casual recall of events a soccer fan has experienced talked about dozens of times, so keep it simple and within your expertise. If you have to pretext as something you have no knowledge about - distance yourself. Communicate via e-mail, or on a short, carefully planned, phone call. It is also important to look the part - if you pose as the garbage disposal company representative, a company logo and a notebook will do wonders to your credibility. If you pretend to be a salesperson,  wearing a T-shirt is probably going to get you some unwanted attention.
No matter what you do, your pretext has to be carefully chosen and tailored to your needs and to the situation you're in.

The 5th chapter is all about magic.
Yes, yes, magic. Or at least as much magic as that possessed by a stage magician. If the skills up to this point were a calculated use of common human communication skills, now we are about to discuss some uncommon skills. Micro-expressions, for instance, are a very powerful way to detect how is a person feeling and quickly adapt your strategy if you aren't getting the reaction you were trying to get, but it is also a way to signal to the other person's subconsciousness without the filtering of the thinking facilities - a slight wrinkling of the nose will go unnoticed by many people, but they will still get an uneasy feeling.
Even more controversial than micro-expressions is the use of NLP, which, basically, is all about using side-channels. Regardless of whether you think NLP is a complete fraud or actual magic, There's no denying that NLP does provide extensive record of efforts to understand how human communication works, and that at least some of its methods are having some results. Sure, changing your tone of voice isn't going to magically make someone do your bidding, but it can divert attention and plant ideas. One "tool" I liked is labeled with the terrible title "The Human Buffer Overflow". Basically, it is directing the SE to rely on the automatic responses of people, and take advantage on social norms and expectations. If I helped someone with something, even if it's trivial, they will feel obligated to help me back. I'm unsure as to what exactly here is the so-called "buffer overflow", but I imagine that in order to be more effective, the SE can make sure to occupy the mind of the target with other things - a constant stream of talking, a difficult question, and so on. This way the mind will leave other tasks to the automatic part more easily.

The final chapter presenting the SE framework is about influence. After all, once we've gathered information and learned to control some neat tricks to elicit a response, it is time to cash in on our efforts and make people do what we want them to. Generally, the message is "know your goal, and improvise towards it". This, naturally, is a gross oversimplification - One does not "improvise", but rather builds a flexible plan, with options derived from the information gathered and constantly monitoring the target's response using the skills acquired and practiced ahead of time. The chapter discusses some important tools and principles, such as building rapport, constant monitoring, influence tactics and framing. Like most chapters, this one has a part that made me cringe a bit in discomfort. This one has a part about "manipulation". Unlike other types of influence, this is a direct attack against a person. It involves tips like "gain control over the target's environment" or "creating doubt", it does not shy away from "heavy intimidation", which is about making the target fear for physical harm or other "dire circumstances". In essence, this is the part people dislike the most about SE. The part which not only makes people behave the way the attacker wants, but may actually harm the target as a side-effect or even as a tactic. Being the pinnacle of the framework and cashing in on the previous ones, this chapters is quite long and full of interesting (and scary) techniques and stories.

The 7th chapter is about tools - everything from a lock-pick and business card to hidden cameras and software tools found in Trackback (The previous version of the Linux distribution now known as "Kali") very educational, and provides a lot of entry points to the different topics.

Of course, a book such as this won't be complete without an impressive list of case studies, demonstrating the wide range of possibilities - from the highly technical story of Kevin Mitnick hack of the DMV which involved breaking into the phone system and routing genuine calls of police officers calling the DMV to his own phone (thus collecting the necessary details to impersonate them later) which required deep knowledge of the phone routing system and of the identification process used by the DMV, and then some very convincing pretexting, to the simple case of a security tester who found a genuine hacker roaming through an unprotected server and then chatted using notepad until he got enough details to find the hacker offline. The stories are interesting by themselves, and each shows a different perspective demonstrates different skills and shows how they are applied in real world situations.

Scary, right? It seems that the smallest detail could be used to leverage more details and create an opening to an even wider attack, and most attacks simply rely on people acting as human beings. This is why the final chapter of the book is so important - how to prevent and mitigate attacks.
Like all defenses, it isn't perfect, but if being used properly, the techniques in this chapter could frustrate and exhaust someone trying to social engineer their way into your organization (or your private life, for that matter).
The easiest tip here is "keep your software updated". It might not be easy to implement, but it is a generally good rule to follow - updated software tends to have less known vulnerabilities, and thus prevent many software based attacks, so it won't matter if the SE managed to get you to open that PDF file.
The second is to teach yourself and your surrounding how to identify an attack - know what is generally possible (for instance, by reading this book) and how to identify the stupid kind of attacks of each vector. You might not be able to defend against someone calling and asking "can I have your email address? I want to send you details about the event I wish you would attend", but you'll be able to delete the obviously false "This file includes a debt you have not cleared, if you won't pay by next week, legal action shall be taken"
Another tool I find important enough to mention is developing scripts that allow you to stay kind without letting someone what they want: "I'm sorry, but our IT people don't allow external USBs, if you want to print a replacement to the paper ruined by your coffee, there's a printing service around the corner". Practicing situations and such scripts can help when facing a real SE attempt.

All in all, I highly recommend reading this book, in any format convenient for you .