The null choice. A social engineering example in the wild

With social engineering there are lots of ways to get what you want, depending on the circumstance of course. The null choice is one that works really well when your desired outcome isn’t obvious to the people you’re trying to dupe.

There are ways and means of overcoming a null choice scenario though, here’s a good example. It’s from Edward de Bono and covers a lateral solution to a problem, creating a null choice in the process.

What is a null choice?

The idea of the null choice is to provide the idea of choice but load the choices in such a manner as to render one of the choices to be more palatable than the others.  It’s a simple idea but effective and has been practiced by parents, magicians and authority figures through time.

Recently I went to see the new Marvel Avengers film. As the cinema begins to fill up a couple arrive and one them is, it will be polite to say, “vertically challenged”. A fact my own partner shares, so I am aware of the “tall guy in front of you” problem. After looking around they choose seats in front of us and one of them “accidentally” spills water on the seat in front of them. After a hushed but audible conversation they sit down. Why aren’t they going to get more water I wonder?

The answer was simple, they had purposely used the water to make that seat wet. The seat was “available” but now far less attractive than other seats and remained vacant throughout the film, thus giving them a clear view of the screen. They had enacted a null choice situation.

What do we learn from this? These choices can leave forensics that may give insight into the person or entity pushing it on you. In this example a single empty seat in a full cinema would potentially indicate a culprit. But that forensic evidence becomes harder to track or see as the population is smaller. This is where the social engineer likes to operate and where the null choice is at its most effective.

Null choice in action

You will see the null choice in many forms. Spear Phishing and cold calls to name but two. One most people may have been targeted with is the robocall “this is Microsoft calling”. Not only is this call full of Parental persuasion, but it often has the null choice of “doing nothing will result in your computer being cut off”. This is a null choice that makes inaction (hanging up) unpalatable, the kicker in this case is it isn’t true. The null choice, in this instance, is the right choice.

The null choice is also used as part of tailgating through internal doors. The other party has the unpalatable choice of slamming the door in the face of the follower, or engaging them and questioning their validity, both may come across as “rude” or “not in keeping with team values”. The path of least resistance is to hold the door open or let the other person through. It’s polite, and the assumption will be that the person is valid if they are already there.

I have used the null choice on social engineering jobs before. Statements like “is there any better solution?” is a classic pointer to a null choice. For instance, once while on a physical social engineering job my pretext or cover story was that I was helping push the office through into a “paperless” format. This utopian ideal isn’t always possible in all offices. But I was walking the office telling people about the “new frontier” and “look how much space we will recover”. This already pushes the null choice, stopping me from continuing may hinder the progress of solving a problem it was very apparent the staff were “coping” with.

At one part of the job I was faced with a locked cupboard with the word “Finance – TO REMAIN LOCKED AT ALL TIMES” . This is an obvious target for a Social Engineer so I engaged with people sat in the vicinity and told them of my project and how I needed to audit the contents. This was met with some trepidation, but a reply of “well, I suppose we can leave this whole section of office out of the project and you guys can stick with the paper while everyone else goes electronic” and began to scribble fake notes on a clipboard. This was enough to convince the staff that compliance with my requests was easier than taking the time to go and find someone and verify me. This is the null choice in action.

Make the right choice unpalatable or seemingly more difficult and make the “bad” choice appear the easiest or least effort.

The null choice is a simple tool and one to practice. Remember that it can be used in physical entry as part of your pretext. “The boss is expecting me but he’s on the road and won’t be in till later, he asked you put me into a meeting room till he gets here.” This may not look like a null choice but it has the hallmarks of it. If you are the target you are faced with several options;

1. Reject the request, possibly upset the boss, and make the visitor feel unwelcome. This choice is unpalatable to most reception staff whose primary role it is to treat visitors well.
2. Track down the boss and ask him to verify the individual, but the choice has been made far more unpalatable by the fact the boss is “on the road” and thus harder to contact, and the visitor is right her in front of them. If the target “trusts” the person who is telling them that they have been given permission, it may be rude to question their information. Is the reception even capable of tracking down the boss?
3. Make the visitor wait, this is often unpalatable as reception areas unless designed to be holding zones do not often have much capability to be holding pens for unchecked visitors. They clutter up the aesthetic.
4. Let the visitor into a vacant meeting room, it solves several of the problems and keeps everyone happy. It has the least unpalatable outcome for all parties. It’s a Win/Win! Right? Wrong.

When faced with this problem some staff may choose the path of least resistance. This is the null choice in action.

So how do you fix it?

The answer is never a simple one for the null choice. The most effective advice I can give is “The only way to win, is not to play”, if you doubt the person offering you the choice, or even if you do trust them a little, make sure you always understand your options, and if the situation warrants, choose the option to opt out of the game entirely, hang up and ring the purported company back, pass the email to your security teams and ask advice, or just hit delete and be done with it.

Teach staff to follow a process where access controls are concerned, no matter how unpalatable it may be. Remove the “rude” from validation and make it part of common practice. “hello, I don’t think we’ve met and I wasn’t sure if you were aware of our security policy on validating visitors…” or in the previous example “I’ve not heard of this project can you hold off including us until I can speak to my line manager about access.”. It’s as simple as a few choice words and it’s no longer rude, it’s polite validation.

Help staff to become comfortable with questioning people they are uncertain about and this null choice is made much harder for the social engineer to exploit.