There’s something “Human” to Social Engineering

 Author : David Kennedy | Magazine Issue : May 2011 - Issue 2
At the psychological skill of Social Engineering
Social engineering is the human side of breaking into corporate or personal pc’s to gain information. Even companies that have an authentication process, firewalls, vpn’s and network monitoring software are subject to the skill of a good social engineer.

In hacking we rely on our technical skill and in social engineering it is a game of getting your subject to tell you what you want to get into their system. Social engineering has been employed since the beginning of mankind, the art of trickery or deception for the purpose of information gathering, fraud, or in modern times, computer system access. In most cases today the social engineer never comes face to face with their target. In social engineering we exploit the attributes of the human decision making process known as “cognitive biases.”

That was the question asked by the Team of Social-engineer.org Gurus.
Which tactic works best for a scamming social engineer? Acting like an authority figure and requiring a victim to answer questions and give up sensitive information? Or acting like a nice, trustworthy person who strikes up a friendly conversation and just needs the victim to tell them a few things to help them out?
They have just released results of a several-months long poll that laid out two different scenarios of how a Social engineer might try and elicit information from a victim.

The first showed how the principle of endearment and how it may be used by a malicious social engineer. The example given was a social engineer who attempts to get strangers to engage in very personal conversation with him with little effort. Dressed very casually he grabbed a prop that he felt would endear people to him, a small sign that had a funny slogan on it. As he walked around, looking like a tourist with his prop, he was able to engage people in conversation.
"The fact is we like to deal with people who are like us, but even more powerfully we like to deal with those who LIKE us," said Christopher Hadnagy, founder of social-engineer.org and author of Social engineering: The art of human hacking. "Endearment makes a person feel liked and, in turn, like you. Endearment is used by getting on the same plane as the target, or giving them reasons to like you."

The second story involved a social engineer employing the authority principle. The social engineer walks into the office with IT tools and a clip board he mumbles how busy he is today. Then looking at the secretary he barks an order, "I was sent to check your network connectivity and I have no time as I have to do this on 25 other nodes. I need you to log in to your network share with your password as I watch to confirm you can connect."

"This works because people fear losing their jobs and there are no methods in place for an employee to port or reject without fear," explained Hadnagy. "Other methods, like carrying a clipboard, looking busy or in control, all of these give off the air of authority and few people will question it."

Interview with David Kennedy (Member @ Social-engineer.org)
Mohit : First, tell us about yourself, your experience and what you have produced in the social engineering field?
David : I'm a director of information security for a fortune 1000 company. Don't let the title fool you, being a director just means i can focus on the stuff i love which is breaking things. I have a heavy penetration testing and exploitation background dating back to the military intelligence days as well as a security consultant working with a number of fortune 500 and 1000 companies. As a penetration tester a few years back, social-engineering was a major portion of what i needed to do in order to gain access either physically or through social-engineering attacks against organizations. It's been a blast working in the security community and contributing as much as i can to open source. My philosophy in life is i love what i do and where i work and my goal is to give as much back to the security community and make them successful and help if i can. I'm one of the founders of derbycon, a security conference in louisville kentucky, creator of the social-engineer toolkit, fast-track, member of the social-engineer crew/podcast, and main blog post at http://www.secmaniac.com.

Mohit : Please explain what social engineering is and how we use social engineering?
David : Social-engineering simply put is the manipulation of human behavior to achieve some task. For us as penetration testers, social-engineering can be leveraged in multiple capacities to compromise an organization and gain access which typically circumvents the majority of security controls in place in an organization. For me, i leverage social-engineering on a regular basis to identify weaknesses within my security program and user awareness. Most organizations are spending a ton of money on the latest shiny technology that promises to fix their security problems while our humans are finding the easiest way to get in. 

Mohit : What are the best ways to perform social engineering?
David : Social-engineering takes some time to learn and something that requires practice. There's no easy answer on what the best way to social-engineer a victim. When i'm going after an organization i look at what they have on the internet, who the personnel is, their language, what companies they own, and as much information i can possibly learn from open source intelligence (osint). I'll develop a pretext (my attack) based on what i learn and practice it before hand to make sure it's perfect and flawless. A lot of times leveraging social networking sites in order to learn a lot of information about my targets is beneficial and leveraging trust with people they trust can always make that little bit of a difference. 
Mohit : What are the recent usages of social engineering, such as the, hbgary hack by anonymous or rsa hack ?
David : I think the most recent one would be the rsa hack where the details are still a bit vague but leveraged spear-phishing in order to target a select amount of people with a flash zero day. We've seen these attacks become more and more prevalent and something we have been preaching on the social-engineer.org podcast for a large time that these types of attacks are coming and it's going to be something really difficult to protect against. 

Mohit : How did "SET (Social engineering toolkit)” come about and why did you develop it?
David : when set was first conceived chris hadnagy and i were sitting in a chat room on irc talking together and he mentioned he was starting social-engineer.org to try to bring more awareness and education to the community about social-engineering and how it relates directly to security. We started chatting and found that there really was no tool out there for social-engineering and something that was a huge gap for us as penetration testers. Out of that talk, a raw version of set was created which was really basic in nature, it had a mass mailer, some pdf exploits and that was really it. Even with its early, early release it got a ton of positive feedback and it has just grown from there. I never thought for one minute that set would become the lead open source tool in social-engineering and something that penetration testers leverage on a regular basis, it's quite impressive and i'm humbled by it.

Mohit : Is social engineering dangerous ?
David : social-engineering is extremely dangerous and the largest threat that i see in information security to date. As mentioned before, we have a ton of technology in place that is specifically designed to stop buffer overflows (or detect them), catch malware (kind of a joke at this point), and protect our web applications. Yet our user population is still completely vulnerable and clueless on the signs of a breach. A fine balance between technology and user awareness needs to be accomplished and it'll never be 100 percent but it'll be a lot better than an uneducated user population.

Mohit : how does someone master social engineering ?
David : Social-engineering requires you to change your behavior, remove your barriers, and start to manipulate humans to do your bidding. I know that sounds awful, but use social-engineering in a positive way at your organization to see if you can affect a decision in your manner. Read and learn from studies on behavioral analysis and how humans interact with one another. Use the social-engineer.org framework to help you get the knowledge to expand on. Ultimately it's going to be yourself learning the techniques and applying them on a regular basis and be able to manipulate your own behavior to get a desired outcome from someone else. 

Mohit : Give us an overview of the social engineering tools and what it offers.
David : The social-engineer toolkit (set) is an open-source python driven arsenal for penetration testers aimed at testing how well an organization can withstand a social-engineer attack. Set has a number of attack vectors specifically aimed at targeting the user population. Set aids a penetration tester in social-engineer attacks however doesn't perform it for them. It's up to the penetration tester to perform intelligence gathering and form their pretext in order to have a successful attack. Set has a number of tools and attacks including the spear phishing module, web attack vectors, teensy usb hid, wireless attack vectors, and a number of additional capabilities and features that make set a unique when it comes to social-engineering and penetration testing. Set is being used internationally by penetration testers and a critical tool to them in every capacity as social-engineering is a highly important attack vector to leverage during normal testing

After that great interview with the creator of the Social Engineering Toolkit, David Kennedy, I wondered how many readers really understand the difference in social engineering as opposed to hacking. The truth is social engineering is rarely discussed. People mostly like to talk about cracking and phreaking.

Let’s bring social engineering out of the closet and onto discussion blogs. Sharing information, learning the techniques and knowing how to protect yourself from social engineering is the best way to be skilled in this method of hacking.

Hadnagy says the poll results further enforce that humans are naturally trusting creatures. But it is that trusting attitude that has led many to being hacked.