November 13th, 2003, 12:38 AM
Writing On A Paper On Social Engineering
I'm writing a research paper on social engineering and I wanted to know if you guys had any ideas for the thesis; it has to be a controversial issue. I just wanted to learn more about social engineering and never thought about a thesis.
PS: anyone know of any good sites on social engineering?
November 13th, 2003, 12:47 AM
A good thesis could be something about humans being the weakest link when it comes to security. I'm in the process of trying to find a couple of articles I have read about social engineering and will post them if I find them. This is what I found although not what I was originally after: http://www.defensivethinking.com/aod/excerpt.html
You probably already have lots of info though, right? Good luck.
November 13th, 2003, 01:08 AM
Thanks! That's my topic!! Yeah, I got Mitnick's Art of Deception book and like a few websites I found off Yahoo, but I was wondering if anyone had any good e-books, txt files or good websites where I can get more info. Or like the history..
November 13th, 2003, 01:19 AM
Try Google with something like psychology manipulation social ..... Social engineering has been around since the beginning of humanity; it was just called other things before computing came about. Many psychology texts would be far more useful than much of the tripe on the net (excepting specifics if you lack creativity).
November 13th, 2003, 01:24 AM
I have been giving a presentation called Awareness and Training "Combating Your Weakest Link"; as a matter of fact, I am presenting next week. When approaching Social Engineering, remember to give plenty of examples, especially if you want to scare someone. It really seems to hit home if you give a few examples, especially if you are talking to more non-technical people. That way people can see how easy it is and can relate to what you are saying.
November 13th, 2003, 01:34 AM
Did you try searching AO for this topic? 3 page post with lots of info on it here...
I posted this info, use this info for good purposes only - as I did to help me with combating it in my organization!
Social Engineering Fundamentals, Part I & II
People Hacking: The Psychology of Social Engineering
Social Engineering: What is it, why is so little said about it ...
Social Engineering: The Human Side Of Hacking
A Proactive Defense Against Social Engineering
Example of Social Engineering
Social Engineering Web Style
November 13th, 2003, 02:36 AM
Wanna see social engineering in action?
Rent a movie called Catch Me If You Can.
November 13th, 2003, 04:49 AM
I agree with sysmin about giving examples. Mitnick's book has plenty of them it seems, though I haven't read it yet and couldn't tell you for sure. I'm going off of what I've seen flipping through. And if I had to guess, I'd say a few probably actually happened...which would be even better.
Along with the whole psychology thing, human nature seems to be rather trusting...we want to trust each other. So maybe finding something along those lines.
Also, the culture of a particular organization has a bunch to say about how vulnerable they are to such an attack. Are they paranoid (like they should be) or at ease and laid back? Do they follow their security policy to the T, etc...
Just some extra stuff to think about if you haven't already.
November 13th, 2003, 05:15 AM
Ok... Writing something on Social Engineering is rather easy in some aspects; in others, it is hard.
Mitnick's book IMO is alright, nothing worth an award; it gives a crap load of examples.
(AND I HAVE READ IT.)
Now the thing about Social Engineering that you have to understand (something that Mitnick's book does show): someone that you don't know, that is a stranger, can easily become someone that you know. Also, information is power; what you think is nothing could very well be the world for someone else.
I don't have anything to do for the moment, so I will give you an example.
I call your house and ask to speak with Jack, but Jack doesn't live there. "Well, may I have your name?" Let's say your name is Tom. "That works at BP?" "No, I work at Convenient." "The one on Fifth Street?" "No, the one on First." Now right there I just gathered enough info about you that I could call Convenient in another town and possibly engineer a couple things.
Another thing that is big in engineering is not to make the people that you're trying to get the information from nervous. Because nervous people tell other people, and then you're screwed. I could go on and on about different types of ways that people can be engineered.
Engineering goes from talking on the phone to IRC. There is a way to engineer on any and everything.
Ok... I will give 2, one for IRC. Go into an IRC channel with a female nick. Sugar_Momma, etc.
Then act like a female. From there on you have the entire channel pretty much along with you, to do a lot of what you say. Trust me. (<----Has been proven)
Now another example.
Ok... Let's take the info I got from you earlier in a normal phone call and use it. I know where you work and I know your first name. I also know your home phone Number.
So you're wondering what I can do. I can call your job and ask to speak with Tom.
They will probably say, "Which one?" (In the event that there isn't more than one person at your job with the same first name, there are still several ways that I can get your last name.)
I would say, "I need to speak to Tom." "Well, which one?" "The one that lives on Flower Avenue." "Ok, that is Tom Harrison."
"May I ask who's calling?"
"This is Joe. I will call him. It is a surprise; I am an old HS friend. Can I have his desk # please?"
There you go, now I got your desk number.
Next call. I call you, but I ask to speak to your boss. When I get your boss on the phone, I tell him that I am with the local paper. I am doing a story on your company. I would like to get an over-the-phone interview with your boss and you.
Well, your boss is going to say yes. He is also going to tell you to help me out as much as possible.
Right there I got your trust, your boss's trust. I can keep going. I can keep calling around and gathering more and more info on you until I have enough to call a credit card company
(w00000000000000t); at that point you're ****ed.
Now that is a quick little show. I will help you out if you need some help writing your report. Just PM me and I will help you out.
November 13th, 2003, 09:29 AM
Here are a couple of quickies for you...
Distant V.P.'s and General Managers are fairly easy to impersonate at most large (20,000 +) companies. I am confident that it would be easy to get some poor helpdesk schmuck to reset some big shot V.P.'s passwords with just a phone call, either pretending to be the V.P. or some junior exec puke traveling with the guy. People tend to cave when they think they are talking to someone of extreme importance in their organization, and are unlikely (unfortunately) to be too verbal about their suspicions for fear the guy might just be who he says he is.
Pick a company, and run a search for @company_name.com on Google. You'll probably be surprised at how many legitimate email addresses (i.e. usernames) you can turn up on most companies. Oftentimes it is pretty easy to do further searches on individual users and figure out what they do at the company.