Thread: Social Engineering: The Art Of Lying

  1. #1
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055

    Social Engineering: The Art Of Lying

    Greetings AntiOnline. I was thinking earlier that I haven't written a tutorial in quite some time and that perhaps I should jump back into doing so. As I continue to want to learn about varied topics (at this current moment, I'm into ANYTHING concerning vulnerability scanners) I also continue to want to share the limited knowledge that I can share with the crowd and hope to help someone in some way. So, here's a relatively short tutorial on Social Engineering.

    Social Engineering: What Is It?

    Social Engineering. Something that sounds flashy.. "cute" even. It probably sounds frightening to the average home user and definitely sounds as if it was something requiring vast technical know-how. However, nothing could be farther from the truth.

    This frightening tech term is simply a "technical" way to say lying. A social engineer is a polite version of a bullsh*t artist. In our case, the user who is doing the lying is "engineering", or lying to the other user, in order to gain some form of information from him. Typically, this information could be passwords to accounts (whether e-mail, system, etc.), phone numbers, etc. Well, that's their main objective (and the primary objective of social engineering attempts): lying to a user in some way, shape, or form to obtain information of any kind.

    Social Engineering: Example Of

    Below, I will provide you with a sample phone call that happens almost every day and is nothing more than a social engineering attempt.

    You: Hello?
    Hacker: Hello, this is Donald over at LocalService ISP..
    You: Oh, Hey.. umm, when you say "ISP", you guys are the ones who give me my internet, right?
    Hacker: That's correct and that's the reason for my phone call.
    You: Oh, really? Is there a problem with the service?
    Hacker: Well, we had errors this morning with our service provider and some accounts had difficulty with their GUI optional settings*.
    You: Oh.. well, I dunno what exactly that means *laughs* but what can I help you with, sir?
    Hacker: *laughs* Ah, that's okay.. I'm not going to need much, I just have to reset the optional settings on your account*, so I'm going to need your account information.
    You: Will this directly affect me going online or anything?
    Hacker: Nope, that's what I'm here to fix, so that it doesn't.
    You: Oh, thanks!
    Hacker: No problem.... so, what's your account name?
    You: It's joey420.. that's the username.
    Hacker: Okay.. entering that in now. And your password, sir?
    You: Should I change it from the old one or...?
    Hacker: It's recommended you use the old one so that the account is up and running faster.*
    You: Okay, makes sense.. again, I dunno about these things. Anyways, it's "password1010".
    Hacker: Alrighty, give me a sec.... okay, you're re-entered into our systems. Your account should be re-activated within minutes.
    You: Awesome, thanks a bunch.
    Hacker: No problem sir, and you have a nice day now..
    You: You too, bye bye.

    * - Where these are indicated, something was said that isn't true and/or isn't needed but was used as an example of a "social engineer" trying to confuse the user about his lack of knowledge, thus having to rely on the hacker.

    Social Engineers prey on two main things. These are the main things they prey on:

    1. Your lack of knowledge. They will try to make you feel inferior or use "big words" to confuse you. Their biggest advantage is that they know you, the user, will feel one main thing: if it doesn't seem right or if it's not making sense, it's because they (the user) don't know much about it. Enter the hacker who "seems to know about it", thus the user puts their trust in the hacker.

    2. Your trust. 'Nuff said IMO.

    Social Engineering: How Do I Defend Myself From It?

    Defending yourself from this is simple: Use the mentality that if it seems wrong, looks wrong, smells wrong, and overall has that feel to it that it is wrong.. it IS wrong and run away from it. Have self-confidence, try to think before making decisions (especially rational ones), and be careful. Oh, trust me.. you can do it!

    Social Engineering (for the most part) only works on the "weak mind". I know that's somewhat "crass" of me to say, but many of today's IT professionals and system administrators are a tad more tech savvy when it comes to this. Yes, it does happen to the "best of us" from time to time. Many people think of Social Engineering (IMO) as something that "only happens to newbs".

    That is a misconception, as I have seen it done to MANY people who are professionals and NEVER thought it would happen to them. Sad, eh?

    Well, that's my mini-tutorial.. I hope somebody enjoyed it and/or learned from it.
    Space For Rent.. =]

  2. #2

  3. #3
    Senior Member
    Join Date
    Dec 2004
    Posts
    3,171
    Hi Spyder32,

    Looks fine to me...reads well...good job!

    devpon's link is two years old...so it's good to do it over for the newbies...refresh the mind.

    Eg

    You must spread your AntiPoints around before giving it to Spyder32 again.

  4. #4

  5. #5
    Senior Member
    Join Date
    Dec 2004
    Posts
    3,171
    Hi NeuTron,

    Well...of those you mentioned...2 were done in 2002, 2 in 2003 ( according to the panel below there were actually 3 in 2003 ) , 1 in 2004, and now Spyder's in 2005...if all we need is one then why did the members do the other 4? By the look of their antipoint status...I'd say each one got a warm welcome.

    If nothing's changed since 2002 then we only need the one...still...it's good to get a refresher now and then for the ' new ' people who may not know the others even exist.

    no harm no foul as they say.

    Eg

  6. #6
    Hoopy Frood
    Join Date
    Jun 2004
    Posts
    662
    At least 50% of the tutorials I read on this site are read by me because I'm like, "Hey, there's a person I know and respect and they wrote some security tutorials. I'll see what they have to say." The other 50% are because I want to know more on a topic. So basically my point is if no one wrote tutorials on stuff already covered I might potentially read half the amount of tutorials I read here. Just my $.02.

    - X
    "Personality is only ripe when a man has made the truth his own."

    -- Søren Kierkegaard

  7. #7
    Social engineering isn't always about down and out-right lying to people. It's about abusing certain traits and trusts of others. No one has ever asked if I'm the original |The|Specialist.

  8. #8
    AO Veteran NeuTron
    Join Date
    Apr 2003
    Posts
    550
    Originally posted here by xierox
    At least 50% of the tutorials I read on this site are read by me because I'm like, "Hey, there's a person I know and respect and they wrote some security tutorials. I'll see what they have to say." The other 50% are because I want to know more on a topic. So basically my point is if no one wrote tutorials on stuff already covered I might potentially read half the amount of tutorials I read here. Just my $.02.

    - X
    Guess what? I read the tutorial with an open mind and didn't pass judgement simply because this wasn't the first like it. I wouldn't have said anything if it had been at all original. It was the same concept, looked at in the same way as the other 5 tutorials we have on this site. If you are going to be the sixth person to write one of these, your job gets that much harder because you have to dig deeper than anyone else to bring new information to light. Otherwise, you are just posting a tutorial for the sake of posting a tutorial.

  9. #9
    Out with it...

    You thought it sucked and so did I.

  10. #10
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Hey Hey,

    I have to agree with NeuTron and devpon on this one... This is a pretty lousy tutorial and keeps with my theory that Spyder is here solely for status... posts unneeded posts to raise his post count, had to be a moderator (for the status), and posts a useless and repetitive tutorial.

    Now many of you will think that this is because of the differences between Spyder and I but I read this objectively, just as I read every tutorial that I look at. I gave greenies to TheSpecialist and he and I have squared off on numerous occasions..

    http://...3867 (link truncated)
    I most likely would have said the same thing about this one had I read it when it first appeared. It gives almost exactly the same script as this one, but at least it covers a few additional details and other methods.

    http://...7701 (link truncated)
    Again not an overly useful thread... very similar to this and the above tutorial.

    http://...8683 (link truncated)
    Another example of the same thing.

    http://...1674 (link truncated)
    Ridiculously detailed and resource-filled. This is a great tutorial.. well more of a reference item with a bit of a tutorial on ways to combat SE.

    http://...0632 (link truncated)
    Not actually a tutorial, a cut and paste from a SecurityFocus article that is actually referenced in another one of the tutorials..

    In reality jdenny and whizkid gave the only two valid tutorials... jdenny's for the information provided and whizkid for the first example of a roleplay... Spyder's introduces nothing new... if that's how you want to be known that's fine... but as a moderator on a site that pushes for originality in tutorials this is far from it... It's completely repetitive...

    It has been a while since social engineering has been addressed as Eg. said, however rehashing old information isn't the way to address it. A single roleplay teaches nothing about SE... it just gives an example of what happens.. The definition... has been spouted off hundreds of times and the how do I defend myself is pathetic... stating that it only works on "Weak Minds" is awful.. I can show you some people that would blow you away in any subject including IT that have been conned by good SEs... They aren't always these stupid little 'call the person and get their information' bullshit attempts.. As TheSpecialist said there are other ways to do it. Many Socials take weeks or months and a great amount of footprinting and research. Perhaps covering all of that would make for a good tutorial since the last time a good tutorial like that covered anything was a while ago and there are new methods. A tutorial that wasn't a scripted phone call would be a great read and I'd love to see it.. Cover how they get the correct information, how they utilize the information.. tone of voice, time of day, approach... these all factor in.. This tutorial covered none of it..

    Spyder: Put some time and effort into something if you're going to post it... don't rehash what others have already done. You can think of this as a personal attack if you want... but you'd be wrong..

    Peace,
    HT
