Column by Mike Murray
I was recently at a conference with a friend of mine who was visiting Vegas for a hypnosis conference, and I was explaining to him the biggest problem with most social engineering “experts.” And, of course, because I had been talking to him about amnesia, I promptly forgot [...]
Column by Mike Murray
I was recently at a conference with a friend of mine who was visiting Vegas for a hypnosis conference, and I was explaining to him the biggest problem with most social engineering “experts.” And, of course, because I had been talking to him about amnesia, I promptly forgot about it.
I was reminded of it when I was reading something that another social engineering expert wrote that linked hypnotic phenomena to the act of social engineering. So, I’ll share the same caveat with all of you: if someone tells you that hypnosis has anything to do with social engineering, they’re a charlatan and you need to be VERY careful believing anything that they’re saying.
This is said, of course, as someone who is formally trained in hypnosis and has spent a lot of years studying it as part of my training to become good at social engineering. But, in the same way that being a great coder doesn’t make you a great penetration tester (and vice versa), being a great hypnotist doesn’t make you a great social engineer (and vice versa).
Let me explain.
Discuss in Forums
The majority of work done in formal hypnotic trance is actually about the framing. When someone walks into a hypnotist’s office (whether that office is in a building or on a stage in Las Vegas), they know that they’re seeing a hypnotist. They expect certain things to be able to happen and they accept their own abilities to follow along in the frame and act congruently within that frame.
It is for this reason that the office visit with a hypnotist ALWAYS starts with the same experience: the hypnotist sits down with you and explains what trance will feel like, what’s going to happen, and how it’s going to be. This is the same as the beginning of a stage show – it always begins with the hypnotist talking about hypnosis and setting the frame for the audience of what will happen within the show.
Similarly, watch any videos of “Street Hypnosis” on YouTube. There’s a reason that all of them cut in to the interaction already in progress. It’s because the pre-frame of “I’m a hypnotist, will you agree to be hypnotized and be video-taped?” isn’t part of their illusion of “mind control.”
The problem is that, as someone wanting to learn Social Engineering, you can go on some of the self-described social engineering experts’ websites and find examples of their use of hypnosis. A couple of them even use video to demonstrate how great they are at hypnosis as a social proof point.
Unfortunately, in the social engineering context, this level of pre-framing isn’t possible. Nor are most hypnotic phenomena – it’s simply not possible (or useful most of the time) to get someone to experience hand levitation or number amnesia within the context of an unframed environment.
The mentalists and magicians call this “pre-show” work. And what’s amazing when you enter that world is the discovery of just how many of the overwhelmingly cool tricks that you see on TV from Criss Angel, Derren Brown and Luke Jermay rely on some amount of pre-show work or collaboration from the audience.
In a genuinely live-target social engineering setting, those elements just aren’t part of the frame.
In short… if you’re learning social engineering and the person is trotting out hypnosis as the primary reason that they’re good at it, examine their other credentials VERY closely. Expect that they can back up their work, and that they can tell you the difference between hypnosis and social engineering and how the two skill-sets translate.
And feel free to subject me to the same skepticism.
And, next month, I promise to walk you through how this one was likely done. And why it’s both a great example of social engineering and the worst one you can possibly learn from.
Article source: http://www.ethicalhacker.net/content/view/366/24/
Metasploit Express builds on the power of the Metasploit Framework, the gold standard for penetration testing with more than one million unique downloads in the past year and the largest public database of quality assured exploits. Unlike the Metasploit Framework, which offers only a command-line interface, Metasploit Express provides an easy-to-use graphical user interface [...]
Metasploit Express builds on the power of the Metasploit Framework, the gold standard for penetration testing with more than one million unique downloads in the past year and the largest public database of quality assured exploits. Unlike the Metasploit Framework, which offers only a command-line interface, Metasploit Express provides an easy-to-use graphical user interface that guides the user through the steps of discovery, gaining access, taking control, and collecting evidence. In addition to the features available in the Metasploit Framework, Metasploit Express automates many common penetration testing tasks and provides the ability to launch advanced attacks without the need to develop custom scripts. Individuals whose role does not permit them to conduct penetration tests can still verify exploitability with a dry run that only shows the exploit information but does not execute the exploits.
Article source: http://www.ethicalhacker.net/content/view/367/8/