Social Engineering

The Art of Human Hacking” as Christopher Hadnagy describes it.

This is a non-technical form of authorized information gathering. It relies heavily on human interaction. In the context of information security, social engineering is the art of manipulating people into giving up confidential information.

The easiest way to get a person’s password is not by formulating remarkable algorithms that spit combinations at the speed of light. Usually you can get it by simply asking. Criminals use this form of attack because it is far laid-back than any other form of attack.

A common misconception is that the only thing a hacker is looking for is a password. WRONG! The password just gives access to mountains of information on the system that a human could effortlessly communicate without thought.

I was once told a story about I & J, a company that produces the best fish fingers. There was little understanding on why there was so much business intelligence and IT security for this company. What was found is that they were trying to protect where they did their fishing and when. Go figure!

Further broken down, where they fish could give away the costs and profit margins of the business which would be very useful for a competitor. A regular person would never think of that but this is very important information that determines the very success of their product.

Now here is a scenario: A hacker could go through the tedious task of trying to access the system with many failed attempts, or simply ask “Hey Keitumetsi, where do you guys fish?” and BOOM there is the answer.

There are 2 common types of social engineering. Computer based and human based.

The computer based approach uses computer software that attempts to retrieve the desired information. These techniques include phishing, on-line scams and baiting.

Social media reveals a wealth of information. By Googling a person, you can find their Facebook profile link, LinkedIn profile, Twitter handle, websites related to that name, and also images. Never something we think of when posting on these sites. Social networks are the biggest human identification database and can be used to gather all sorts of personal and professional information.

The human based approach depends on human interaction. Here, the attacker uses impersonation as a regular employee or super user to gain physical access to the system. A person might phone claiming to need urgent access to a network.

The most common attack used is pretending to be a third party with permission from “authority” to gather information. An attacker could pretend to be a desktop support agent. It is amazing how easily people give away information when you say you’re calling from IT.

Less successful, is shoulder surfing. This is a technique where the attacker watches a valid user log into the system and then later uses that for their own benefit. Depending on the type of information one is searching for, dumpster diving, which is going through the trash for thrown away printouts could also reveal a lot.

People are not aware of the value of the information they possess, they are usually careless when protecting it. Social engineers rely on people's inability to keep up with a culture that relies heavily on information technology.

Most security and risk professionals are so preoccupied with putting last week’s vulnerability-malware-hacktivist genie back into the bottle that they’re too distracted to notice that weakness lies in a user who accepts a scenario at face value. Often the user isn’t aware that there is information being gathered for attack purposes. We, and I say we including myself, so easily give away important information.

Important information could include a list of clients, cell phone numbers, business plans, patented secrets, locations where raw materials are purchased, prices of items, the list is endless. Who would’ve imagined that a human’s natural inclination to be helpful would bite them back in tech!

_ “_Security is all about knowing who and what to trust: Knowing when, and when not, to take a person at their word; when to trust that the person you are communicating with is indeed the person you think you are communicating with; when to trust that a website is or isn’t legitimate; when to trust that the person on the phone is or isn’t legitimate; when providing your information is or isn’t a good idea”