Human Hacking
If you know the enemy and know yourself, you need not fear the results of a hundred battles.
- Sun Tzu
I once asked a group of security enthusiasts this question, and I was shocked at the answers I received:
“Social engineering is lying to people to get information.”
“Social engineering is being a good actor.”
“Social engineering is knowing how to get stuff for free.”
Wikipedia defines it as “the act of manipulating people into performing
actions or divulging confidential information. While similar to a confidence
trick or simple fraud, the term typically applies to trickery or deception for the
purpose of information gathering, fraud, or computer system access; in most
cases the attacker never comes face-to-face with the victim.”
Information technology has changed over the years, but one thing has remained constant: social engineering. Social engineering has many definitions. Some people call it the art of human hacking, while others describe it as a set of digital attack techniques. Both definitions are correct. Social engineering is the manipulation of a human being through different mediums, online or offline; what matters is how the attack is executed and how convincing the lie is.
Social engineering is also the most popular attack vector. Social engineering toolkits are available on the Internet, and they make it easy for a beginner to start executing social engineering attacks.
The Different Types of Social Engineering
Social engineering can take on many forms. It can be malicious or friendly; it can build up or tear down.
Before moving on to the core of this book, take a brief look at the different
kinds of social engineers and a very short description of each:
- Hackers: Software vendors are becoming more skilled at creating software that is hardened, or more difficult to break into. As hackers are hitting more hardened software and as software and network attack vectors, such as remote hacking, are becoming more difficult, hackers are turning to social engineering skills. Often using a blend of hardware and personal skills, hackers are using social engineering in major attacks as well as in minor breaches throughout the world.
- Penetration testers: Since a real-world penetration tester (also known as a pentester) is very offensive in nature, this category must follow after hackers. True penetration testers learn and use the skills that malicious hackers use in order to help ensure a client’s security. Penetration testers are people who might have the skills of a malicious black hat but who never use the information for personal gain or to harm the target.
- Spies: Spies use social engineering as a way of life. Often employing every aspect of the social engineering framework (discussed later in this chapter), spies are experts in this science. Spies from all around the world are taught different methods of “fooling” victims into believing they are someone or something they are not. In addition to being taught the art of social engineering, spies often build credibility by knowing a little, or even a lot, about the business or government they are trying to social engineer.
- Identity thieves: Identity theft is the use of information such as a person’s name, bank account numbers, address, birth date, and social security number without the owner’s knowledge. This crime can range from putting on a uniform to impersonate someone to much more elaborate scams. Identity thieves employ many aspects of social engineering, and as time passes they seem more emboldened and indifferent to the suffering they cause.
- Disgruntled employees: After employees become disgruntled, they often enter into an adversarial relationship with their employer. This is often a one-sided situation, because the employee will typically try to hide their level of displeasure so as not to put their employment at risk. Yet the more disgruntled they become, the easier it becomes to justify acts of theft, vandalism, or other crimes.
- Scam artists: Scams or cons appeal to greed or to other beliefs and desires that make people want to “make a buck.” Scam artists, or con men, master the ability to read people and pick out the little cues that make a person a good “mark.” They are also skillful at creating situations that present themselves to a mark as unbeatable opportunities.
- Executive recruiters: Recruiters also must master many aspects of social engineering. Having to master elicitation as well as many of the psychological principles of social engineering, they become very adept not only at reading people but also at understanding what motivates them. Many times a recruiter must take into consideration, and please, not only the job seeker but also the job poster.
- Salespeople: Similar to recruiters, salespeople must master many people skills. Many sales gurus say that a good salesperson does not manipulate people but uses their skills to find out what people’s needs are and then sees whether they can fill them. The art of sales takes many skills, such as information gathering, elicitation, influence, and psychological principles, as well as many other people skills.
- Governments: Not often thought of as social engineers, governments use social engineering to control the messages they release as well as the people they govern. Many governments use social proof, authority, and scarcity to make sure their subjects are kept under control. This type of social engineering is not always negative, because some of the messages governments relay are for the good of the people, and using certain elements of social engineering can make the message more appealing and more widely accepted.
- Doctors, psychologists, and lawyers: Although the people in these careers might not seem to fit into the same category as the other social engineers here, this group employs the same methods used by the other groups in this list. They must use elicitation and proper interview and interrogation tactics, as well as many if not all of the psychological principles of social engineering, to steer their “targets” (clients) in the direction they want them to take.
