Understanding Human Nature I know there is another introduction article to Social Engineering, but I wrote this awhile back for another so I thought I'd contribute. The other article is great, this is just a different view on it. Hope you enjoy. Introduction Social Engineering is the art of manipulating a person into revealing sensitive information. Social Engineering is the best hacking tool you can use, in my opinion. Similar to using a computer program to make another system spew out amounts of valuable information about the machine, that an attacker can later use. Think of it as "people hacking". When hacking into system you find a weakness or vulnerability that you can exploit, to gain access to restricted information. Social engineering is taking advantage of a persons weakness and getting them to disclose confidential information. All it takes is a large amount a confidence and basic knowledge of human nature and social behavior patterns. Social engineering does not just apply to computer security, it can apply to nearly any situation. Understanding Human Nature When it comes to social engineering there are typically only a handful of “tools” you can use. Some of which are; A basic understanding of human nature, cognitive biases, and psychological fallacies. People generally have social patterns and behaviors that can easily be exploited. Everyone has these flaws, it is a matter of finding out what works with the particular person. There are literally hundreds of these fallacies, and nearly everyone is guilty of them. This is just a few that really stand out to me. Maybe I will cover more in a future article. Some of the most popular human social patterns include: *The Bandwagon Effect-This is the tendency to follow patterns of another persons, or a groups behavior. Generally everyone has heard the term "jump on the bandwagon", It simply means to do as others do. This particular bias plays a very important roll in social engineering and can be taken advantage of quite easily. Also known as conformity. *Illusion of Control-This is the illusion that a human believes that they can control the outcome of certain situation, when it is clearly out of their hands. Think of someone who is gambling who believes they can really control the outcome of the numbers they roll. Some people truly believe that they can control the outcome of an event as if to predict the future. Prayer or belief in the paranormal could also be thrown into this category. *Stereotyping-Stereotyping is judging a person by their distinguished characteristics. Everyone is clearly guilty of this at some point. Every time you meet someone for the first time, you almost always inadvertently judge them. You judge them by their clothes, their hairstyle and just their general appearance. However, stereotyping can sometimes be accurate as I will explain later on in the article. *The Ostrich Effect-This is act of ignoring the negative situation that is going on. Think of someone that is over-optimistic about financial issues and pretending everything is fine. This particular fallacy is performed by almost anyone in a negative situation. *Consistency bias-This is known as incorrectly remembering your past thoughts or actions in a given situation. This can be greatly taken advantage of. A new employee may not know how to answer a question, or how they answered it in the past. Therefore possibly disclosing valuable information. Basic Techniques You are not going to want to use every technique at once, find one that fits a particular situation and play the part well. Most social engineering can be done over the phone. It is quite simple to call up a company while imitating a person of authority and retrieving sensitive information. Help desks and customer service are very likely to this method of attack. Be Polite The best thing you can do is always be polite, never blow your cover by acting rude. Remember, you are sometimes taking advantage of someones good nature. So getting on their bad side is not a good start. Remember to speak up and be firm, but do not be rude. For example, call up a company you are interested in, and politely ask questions. Act as if you truly want to learn about how their system works, or what tools they use. Do not blatantly ask for something that you know is restricted information. You have to keep talking to them, while sounding knowledgeable and interested. Ask to speak to a manager, or someone in charge. Working your way up to someone that knows it all. Write down the names of employees pretend you are interested in that particular field of work, ask what type of education and things you will need to learn. The goal here is to persuade them from a psychological point of view. Pretend to be ignorant You obviously do not want the target to know much about you, so you want to be as discrete as possible. You do not want them to become concerned with a question you may have asked. Playing dumb is also another technique that can be used. Pretend to know nothing whatsoever and create a fake problem to ask customer service about. Keep them on the phone long enough and keep asking questions. Give them a fake name and phony problem. Ask for their name and figure out where they stand in the company. You know how annoying it is when you call a company and they keep redirecting you to someone else. They have thousands of calls each day, chances are they will not remember you. In all honesty they probably could not care less, they just want to get rid you and have someone else help you. Be Curious, without giving it away Write down a list of things you want to figure out with a certain phone call. Whether it be a certain name, phone number or just a piece of information that helps put together a piece of the puzzle. Ask for names, and to speak to certain people. Make sure you do your homework first and have a general knowledge about the company. If you do not know what to say beforehand you will sound like a fumbling idiot and your confidence level will decrease. Pretending to be someone of higher authority This applies the the bandwagon effect and also false memory. Tell a client that is lower in the chain that you are someone who you are not. Tell them you are an employee (in this case it would be a good idea to have a list of employees that you found on the company website or through the yellow pages.) Ask to speak to so and so, who is higher up in the company than she is. Tell them you need a phone number, or whatever it may be you are searching for. That is why I think it is a good idea to have a goal of what you are truly after. This method is known as reverse social engineering. This requires a bit of research and preparation to pull off, but with proper execution and very well be one of the best methods. Other Techniques These techniques are aimed to physical access to a specific company. Be careful with these though, they could land you in some pretty tough situations that may be harder to talk your way out of. Just remember that social engineering can be applied to nearly any given situation. Dumpster Diving As silly as this may sound, dumpster diving as an effective way of gaining valuable information about a company. You would be surprised what kinds of things they may have thrown away. Perhaps a trashed company computer with the hard rive still in it. Or possibly company phone books, organizational charts, memos, company policy manuals, calendars of meetings, events and vacations, system manuals, printouts of sensitive data or login names and passwords, printouts of source code, disks and tapes, company letterhead and memo forms, and outdated hardware. I will not go into great detail of how to dumpster dive, but I am sure you get the picture. Bottom line is that valuable things can be found in a company dumpster. Tailgating The art of following an authorized person into an area where you are not authorized. This is where your acting skills can come in handy. Pretend to be the repair man they called last week. Come ready with all your tools, hardhat white t-shirt and jeans and play the part. When really you just want physical access to something a normal civilian would not have rights to access. This technique takes some serious dedication, but in the end very much worth the effort. This requires doing your best to blend in. Maybe pretending to be just another employee on a smoke break. They will eventually finish and go back inside. That would be your cue to follow them inside, thus giving you physical access. Whatever your doing play the part, and do it with confidence. Shoulder Surfing Seems easy enough, right? It is as simple as it sounds, peering over someones shoulder to see what they are typing. Be careful not to get caught with this one, by making it obvious you are trying to view what they are typing. I am sure all of you have exercised some form of this at one point. I do not think I need to go into great detail on this, just be smooth about things. People Watching This is by far my favorite method. Keep in mind that social engineering does not always involve tricking people. Like I said before, it is all about understanding human nature. For some odd reason, I enjoy watching people. Whenever I go to a mall, airport or somewhere where I can sit down in public, I love to watch people. (In a non-rapist/stalker sort of way) I like to nonchalantly eavesdrop and just hear about their lives and what they have to say. I know you have all done it, at one time or another you have listened in on someones conversation and heard something they probably did not want you to hear. Everyone judges other people by the way they look or talk. It is one of the cognitive biases I listed called Stereotyping. A great way to practice your social engineering skills is to sit down and judge people. Not in a rude way, but try to figure out their life based on their appearance and social patterns. Pick out someone and see think about what they are wearing, what they are talking about, how they carry themselves and try to imagine what kind of life they lead. Conclusion This is just the tip of the iceberg when it comes to social engineering. There is much more to cover, but I hope you all learned something. Overtime you will become better at reading and understanding human nature. You will develop your own style of social engineering. There are many more methods that I left out, but these are great to start with. Knowing how to social engineer is a great way to prevent yourself from getting tricked by others. For example, the police use social engineering and forms of manipulation constantly. Others may disagree, but overall I feel this is an important topic to cover and I enjoyed writing this article. This is my first article, so let me know what you thought and I will keep them coming.