
SOCIAL ENGINEERING THE ART OF HUMAN HACKING





What is social engineering? 

I once asked this question to a group of security enthusiasts and I was shocked at the answers I received: “Social engineering is lying to people to get information.” “Social engineering is being a good actor.” “Social engineering is knowing how to get stuff for free.”

Wikipedia defines it as “the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.” Although it has been given a bad name by the plethora of “free pizza,” “free coffee,” and “how to pick up chicks” sites, aspects of social engineering actually touch many parts of daily life.

> Social engineering is the art or, better yet, science, of skillfully maneuvering human beings to take action in some aspect of their lives.

For example, doctors, psychologists, and therapists often use elements I consider social engineering to “manipulate” their patients to take actions that are good for them, whereas a con man uses elements of social engineering to convince his target to take actions that lead to loss for them. Even though the end game is much different, the approach may be very much the same. A psychologist may use a series of well-conceived questions to help a patient come to a conclusion that change is needed. Similarly, a con man will use well-crafted questions to move his target into a vulnerable position. Both of these examples are social engineering at its truest form, but have very different goals and results. Social engineering is not just about deceiving people or lying or acting a part. In a conversation I had with Chris Nickerson, a well-known social engineer from the TV series Tiger Team, he said, “True social engineering is not just believing you are playing a part, but for that moment you are that person, you are that role, it is what your life is.”

These social engineers and many more like them seem to have natural talent or a lack of fear that enables them to try things that most of us would never consider attempting. Unfortunately, in the world today, malicious hackers are continually improving their skills at manipulating people, and malicious social engineering attacks are increasing. DarkReading posted an article that cites that data breaches have reached between $1 and $53 million per breach. Citing research by the Ponemon Institute, DarkReading states, “Ponemon found that Web-borne attacks, malicious code, and malicious insiders are the most costly types of attacks, making up more than 90 percent of all cybercrime costs per organization per year: A Web-based attack costs $143,209; malicious code, $124,083; and malicious insiders, $100,300.” Malicious insiders being listed in the top three suggests that businesses need to be more aware of the threats posed by malicious social engineering, even from employees.

The Different Types of Social Engineers

Hackers: Software vendors are becoming more skilled at creating software that is hardened, or more difficult to break into. As hackers run into more hardened software, and as software and network attack vectors such as remote hacking become more difficult, they are turning to social engineering skills. Often using a blend of hardware and personal skills, hackers are using social engineering in major attacks as well as in minor breaches throughout the world.

Penetration testers: Since a real-world penetration tester (also known as a pentester) is very offensive in nature, this category must follow after hackers. True penetration testers learn and use the skills that the malicious hackers use to truly help ensure a client’s security. Penetration testers are people who might have the skills of a malicious black hat but who never use the information for personal gain or harm to the target.

Spies: Spies use social engineering as a way of life. Often employing every aspect of the social engineering framework (discussed later in this chapter), spies are experts in this science. Spies from all around the world are taught different methods of “fooling” victims into believing they are someone or something they are not. In addition to being taught the art of social engineering, many times spies also build on credibility by knowing a little or even a lot about the business or government they are try 

Identity thieves: Identity theft is the use of information such as a person’s name, bank account numbers, address, birth date, and social security number without the owner’s knowledge. This crime can range from putting on a uniform to impersonating someone to much more elaborate scams. Identity thieves employ many aspects of social engineering and as time passes they seem more emboldened and indifferent to the suffering they cause. 

Disgruntled employees: After an employee has become disgruntled, they often enter into an adversarial relationship with their employer. This can often be a one-sided situation, because the employee will typically try to hide their level of displeasure to not put their employment at risk. Yet the more disgruntled they become, the easier it becomes to justify acts of theft, vandalism, or other crimes.

Scam artists: Scams or cons appeal to greed or other principles that attract people’s beliefs and desires to “make a buck.” Scam artists or con men master the ability to read people and pick out little cues that make a person a good “mark.” They also are skillful at creating situations that present as unbeatable opportunities to a mark.

Executive recruiters: Recruiters also must master many aspects of social engineering. Having to master elicitation as well as many of the psychological principles of social engineering, they become very adept at not only reading people but also understanding what motivates people. Many times a recruiter must take into consideration and please not only the job seeker but also the job poster.

