Saturday, July 30, 2011

Would you recognize a human-hacker?

Originally published 3/11/11 on

As much as we focus on computer viruses, trojans, vulnerabilities and exploits, they are not the biggest risk to security - online or off. The biggest risk is us. Books have been written about it, from Kevin Mitnick's classic "The Art of Deception: Controlling the Human Element of Security" to Christopher Hadnagy's latest, "Social Engineering: The Art of Human Hacking"; the subject has been pretty thoroughly covered. But we don't have the space for that kind of detail, so we're going to look at a more succinct study, the Department of Homeland Security's pamphlet on elicitation (pdf), the art of using ordinary conversation to coax out the information people want to keep secret. From the pamphlet:

In the espionage trade, elicitation is a technique frequently used by intelligence officers to subtly extract information about you, your work, and your colleagues.

Said another way, elicitation is the art of conversation honed by intelligence services to its finest edge.

Elicitation is nonthreatening, easy to disguise (and hard to prove) and it works. Why does it work? Because it's ordinary conversation, the type of thing we do all the time. Is that attractive person you just met so interested in your job because they want to get to know you, or because they're trying to find out something you know? That telemarketer that struck up a conversation with you yesterday - did you really tell him about your vacation plans next month? Just how did he get you to tell him that?

According to the DHS pamphlet the tools are something we all use to some degree:

Appeals to ego: "You must be really important. Everyone here seems to know you." You may respond with a denial, then talk about why what you do isn't really important.

Mutual interest: The person expresses an interest in something you're interested in and uses that to build a bond and increased trust.

Deliberate lies: "I've heard that..." A deliberate lie told knowing you know the truth. Most people have a strong desire to correct the mistake, and we all like to be part of the "in crowd" with insider knowledge.

Volunteering information: It's a simple trade. They give you something in hopes you will give them something. Sales people do this all the time, usually telling you that the price is about to go up, the offer is about to expire or they're almost out and it's going to be weeks before they get more. If it works, you buy whatever they're selling. For a scam artist, you give them your information, such as credit card numbers, name, address, and maybe even SS#.

Assumed knowledge: Just enough is said to give the impression of knowledge in an area so you'll discuss it.

As I read this list I thought about calls I'd received, both at work and at home, from telemarketers. Almost every one of these tools had been used against me in one form or another. Then in the WalMart parking lot tonight another one was used on me, the appeal for help:

"Could you spare some change? I'm trying to get some food for me and my wife."

I've had my own answer to this type of appeal for years, "Come with me and I'll buy you some food." He said he was getting his wife, got in the passenger seat of a car a row over, and they left.

The DHS pamphlet is aimed at preventing espionage, but the same techniques are used by malware authors and conmen to build trust and encourage us to give them what they want. One reason these techniques are so effective is that they are the things we all do in the normal course of communicating with others. Try going through a day looking for the things you and the people you interact with do as you communicate. Then see if you can tell who is just making conversation and who is trying to get something from you.