Every time I mention using language in security, folks assume I’m talking about social engineering. Social engineering has historically been things like calling the front desk of an organization claiming that you’re, say, a new FedEx delivery driver and you need to be let into their shipping/receiving department, so you ask who you need to talk to for that to happen.
Language can be used for a lot more than simply convincing a part-time employee to let you have more access than you should somewhere – language can be used to full-on exploit “memory corruption” in the mind. The use of the right language is powerful enough to overwrite people’s memories, even if only temporarily.
Below I’ve linked some information pertinent to the techniques employed when language is the tool used to achieve things like memory corruption, buffer overflows, execution of arbitrary code – except on people. In particular, pay attention to the cognitive biases – see if you think any of them apply to you.
Then combine the cognitive biases with things like NLP anchoring and subliminal suggestion and you quickly end up with a recipe for gaining someone’s trust, convincing them to give you access somewhere or to something, or telling you secrets – all without having to don a FedEx uniform and pretend you’re someone else. You can even have someone give you their phone and car keys – willingly.
Language is a very, very powerful tool, and put in the hands of information security professionals (or attackers) it becomes even more weaponized.
Apologies for the videos that won’t embed – if you click through you can view them on their YouTube page.
Cognitive Biases – A Visual Study Guide by the Royal Society of Account Planning
