DefCon 19 - Weaponizing Cyberpsychology

Posted August 18, 2011, 8:39 pm by Steven Fox


Company X, a transportation company in the Midwest, had a well-managed external network infrastructure.  The few vulnerabilities that existed led to a low-impact information breach that did not compromise corporate or customer information.  Satisfied with the status of their network security, I turned my attention to the human network.

Searching for the client name on sites like Twitter, Facebook, and LinkedIn, I discovered employee names and corporate activities that were not shared on its website.  As the search continued, the client's culture, processes, and lexicon emerged from the corporate dialogue. 

This information enabled me to persuade employees to give me access to critical information and secured areas. This included usernames, passwords, and access to employee-only areas.

How did this happen?

This client invested significant resources protecting itself from technical threats.  However, they overlooked the threats associated with the human network.  Social Engineering (SE) exploits the human tendency to be helpful in order to gain access to sensitive resources.  Simply put, it is a con-game that combines information on the target company and its employees with psychological tricks to gain access to sensitive assets.

Social networking sites are among the tools of a social engineer.  They are used for information gathering - key employees and executives, community activities sponsored by the client, organizational partners; all of this data can be used to customize the pretexts chosen for the engagement.  Social networking sites also give the attacker insight into the culture, psychology, and language of the client's employees and customers.

DefCon 19 featured a talk by Chris Sumner and associates exploring the use of personality theory and Facebook activity analysis.  "Weaponizing Cyberpsychology & Subverting Cybervetting For Fun, Profit & Subterfuge" described a statistically significant, positive correlation between users' Facebook activity and their personality.  This study was performed on Facebook by the Online Privacy Foundation (http://onlineprivacyfoundation.org).  It based its lexical and activity analysis on the Five Factor Model of Personality, which classifies individuals along five spectra:

  • Openness
  • Conscientiousness
  • Extroversion
  • Agreeableness
  • Neuroticism

Details regarding the usage patterns associated with each of these traits are described in the presentation slides available on the foundation's website.  Suffice it to say that the study applied statistical rigor to a qualitative analysis that some social engineers perform intuitively.

What does this mean to you and your company?

Social networking sites are potent branding and marketing vehicles for both individuals and companies.  They provide a connection to customers and partners that transcends time and space.  However, the same message used to promote a brand can be used by social engineers.  For example, I have used a company's pride in community involvement to gain access to executive offices and secured areas.

What can you do?

  • Practice professional skepticism - if a request requires a deviation from policy, confirm that the requestor is authorized to make that request.
  • Escalate when you are not sure - if you are not sure whether an action is appropriate, escalate the issue to your manager.
  • Be nice until it's time not to be nice - it is possible to deny a request politely.  This puts your staff in a position of professional power and also disarms the social engineer.
Edited August 19, 2011