RSAC 2016: Hacking a Human
The talks at this year’s RSA conference seemed, overall, less confused than last year - more focused and sure of what information security needs to do as an industry to move forward, including an emphasis on threat intelligence sharing through vendor partnerships and alliances, and the all-important need to secure a rapidly disappearing perimeter (cloud, BYOD, mobile, etc.).
One theme that persists year after year at the RSA conference is the focus on the human factor - Zee Abdelnabi, a security analyst and engineer from a major automotive company gave an awesome talk last week on The Art of Hacking a Human. She delved into the topic of social science and psychology, and how personal information found publicly online can be used to manipulate interactions with people (and, ultimately, to get more information from them).
Human Programming: Our Own Set of Interaction Rules
Her theory was that humans are programmed like computers; we set up rules, similar to firewalls, based on our past interactions and how we’ve been treated, as well as on our different stereotypes and beliefs.
Those rules work to either allow or block people from entering our comfort/trust zone. Our built-in firewalls judge potential threats in order to keep ourselves safe, and inform how we interact and communicate with others.
When it comes to figuring out people, we have to determine what type of operating system they’re running, as well as what patches are in place, what configuration issues the person may have, and what kinds of vulnerabilities could be used to exploit them.
Essentially, hacking a human is quite similar to hacking a computer system, and often cycles through many of the same stages of hacking. Plus, it can give hackers the information they’re seeking to access an enterprise’s systems - such as login credentials or valuable company data.
External Reconnaissance of a Human Target
Zee described the different stages of an attack path used to hack a human; the first being external reconnaissance. That involves anything from Internet searches to social engineering to even dumpster diving to get any and all information that could inform the hacker about their target - such as their interests, their habits, their work history, etc.
Social media, like LinkedIn and Facebook, offer a lot of publicly available data about human targets. Zee gave an example of a co-worker she was trying to get to talk to her - she found out he loved donuts through an old Flickr account of his, then brought his favorites to the office in an attempt to get him to start talking to her - it worked.
But she also got a deeper idea of his past experience by researching his previous employers, finding out that some had gone bankrupt, which informed her that her co-worker had had a rough time before he became employed at their current company. Perhaps that was why he maintained a gruff exterior and didn’t care to socialize with his co-workers.
Figuring Out the Human Operating System
Part of breaking into a human also involves determining what kind of OS they’re running. Another target of Zee’s was a different co-worker who would talk to everyone at work except for her, motivating Zee to try to figure out why, based on social psychology.
One aspect she realized was that her co-worker was an introvert, while Zee was an extrovert. Introverts can’t be approached the same way extroverts can - they’re quieter and calmer, while extroverts may be more outgoing and excitable. Zee had to adjust her behavior and speech in an attempt to interact successfully with her co-worker.
Finding and Exploiting Human Vulnerabilities
Another part of the attack path of hacking a human includes exploiting any known vulnerabilities - by looking at her co-worker’s desk, Zee found out that she liked Starbucks coffee and dogs. Zee bought her coffee in an attempt to get her to talk and to gain ‘entry’ to her trust zone. Further, she tried to ‘escalate privileges’ by giving her a fake survey to get more information about her.
Her co-worker had a lot of ego defense mechanisms, as many people do. We’re often unaware of our own tics, which nonetheless reveal our behavior and habits. Some of her defense mechanisms included lashing out when asked certain questions, as well as being unable to admit when she was wrong. She could also control her microexpressions extremely well; microexpressions often give away what a person is really thinking or feeling in response to stimuli, and can tell you whether they’re feeling comfortable and/or connecting successfully.
One commonality in how humans operate is the need for belonging - most people are social creatures (even if the way they interact varies), and most people want to be part of a group. Zee encouraged her co-worker to sign up for a security class with her. By talking to others, she eventually found out that her co-worker didn’t feel recognized by the teacher of that class, while Zee was often praised, which may also have contributed to why the co-worker avoided talking to her.
Another aspect to recognize while attempting to hack other humans is your own bias. The way you view things, the reasons you don’t like things, and how you communicate can be integral to changing how you get along with others. Additionally, staying persistent and avoiding detection are important aspects of hacking a human.
Leveraging Information to Increase Trust
After inviting her co-worker to lunch, Zee found out that a guy had catfished her co-worker for two years on Facebook, meaning he had pretended to be someone else while chatting with her online. Zee used his Facebook image to find out who the guy really was, then started adding his friends to learn more about his real name. She eventually got his profile taken down, and gave her co-worker a folder of all of his information in order to gain her trust.
We’re All the Same
Communication is key when it comes to hacking a human, and kindness and compassion will get you far. Essentially, we’re all the same - we want the same things in life, including health, promotions, security, etc. However, fighting and problems arise when we think that we’re all different.
We’re often confined by the walls we build around ourselves. The way we talk shows other people how we want to be treated, such as with respect and positivity.
About Zee Abdelnabi
A dedicated security analyst with comprehensive data and telecommunications experience, Zee Abdelnabi is experienced in SIEM, vulnerability management, security testing and compliance, with expertise in data network security analysis and wireless security. Abdelnabi is technically savvy and adept at solving networking, electronics and computer technology problems. She is effective at training technical and non-technical personnel.