In the first series of posts I want to cover the basics of each topic. A good place to start is Social Engineering, so lets kick off with what its all about, when its used, as well as the why and how’s involved.
Wikipedia Definition – Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical hacking techniques (essentially a fancier, more technical way of lying)
Everyone is born a social engineering expert, but over the years we adjust the way we behave, act and interact with people based on our understandings or right and wrong, and our cultural environment, along with our ethic and moral stand point.
As a child we are the masters of manipulation. We make our parents and other adults around us give in to our wants and desires. We achieve this due to a humans desire to be accepted, build relationships, friendships, and to be considered thoughtful and accepted. We want our children to be happy and to think we are great parents, and it is for this reason we give in to their pestering and persuasion. Children often play one parent of against another, which also results in building a perception of acceptance or rejection, that is then utilised for their benefit.
As we become adults, most of us don’t feel this sort of manipulation is accepted behaviour, and as a result we adjust overtime as to how we interact and communicate with our peers. A social engineer utilises these adjustments and expectations we have evolved to, and the human desire to please and accommodate each other. It is through this vulnerability that a social engineer creates a scenario of acceptance (types will be discussed in other posts), and as a result becomes accepted in the situation they find themselves present. This acceptance can take multiple forms, it could be someone of authority on the end of a phone asking for information, someone inside a building and accepted as authorised to be there, essentially someone communicating via any medium as trusted, expected and belonging.
The limits of social engineering are down to the imagination, creativity and confidence of the social engineer and the acceptance of the target / victim.
Here is a quick example of when and why you would want to use social engineering techniques. Lets imagine a competitor of your organisation has developed an amazing new technology. Everyone is sworn to secrecy, but you have been tasked with getting this information (we wont discuss the legalities here).
The organisation in question is quite tech savy, and they have adequately secured their network perimeter, and it is determined there is not alot to be gained from external network and vulnerability scanning. We need to get inside the organisation to stand a chance of success.
Getting inside will require the social engineering skills. We will use open source information from social networking sites, information collected from the trash, hang out at local known hang outs, make friends with co-workers, what ever it takes. We will understand who regularly visits the company sites, vendors, service suppliers and more.
Now we have information we can paint a picture, and create a feasible, workable, and realistic scenario. Now we could use this information to establish ourselves as an employee, this may take some time, and due to the nature of work may mean you easily stand out to those working on the project. You may identify a key person on the team and get the information out of them in a social setting. People are often proud, and want to blab about something, especially when they know they are not supposed to. Most likely in this scenario we may pose as a service provider of some sort to gain access to the building, or tail gate. From here we could install a network tap to log traffic on the network and sniff all the content to steal the data, or perhaps if appropriate steal the physical hardware. The point is, social engineering can be used to get us in and out of the building, ensure people want to help us and share information and more.
Social engineering may seem like Jedi mind power, and super complicated. However, once you understand the principles its simple stuff, all you need to do is research and be confident. You will find its amazing what’s really socially accepted and you can get away with, but consciously and subconsciously.
They say there is no patch for human stupidity, I say there is. Make people aware, and have them experience first hand. Most people when experiencing a few times will not suffer the same so lightly in the future. Individuals and organisation spend a lot of money, time and focus on technology and policies, but time and time again there is little to any focus on the people elements.
The guys over at Social Engineer have come up with a great framework that is continually being developed, its certainly worth a look.
