Social Engineering Links and Information
Results 1 to 7 of 7

Thread: Social Engineering Links and Information

  1. #1
    Senior Member genXer's Avatar
    Join Date
    Jun 2005
    Posts
    252

    Social Engineering Links and Information

    Hello all-

    Okay so I am working on updating our internal penetration testing procedures, looking through volumes of information, including this site, asking questions, including at this site, and I think I have a pretty good start, and I show my manager, and she say "What about Social Engineering?" And I says "Social Eee-yah?!? I'm not social, that's why I was in IT and now Auditing!" And she says "Shut yer yap, go find some information on it and make some procedures for us, ya mug!" So I says to myself, "Awright ya mug, go finds some information on Social Engineering." So I does. What I found, in terms of security and auditing, and I'm sure many security and auditing savvy people in this community already know this, is that Social Engineering is an area ripe for testing and strengthening.

    As I already noted to you, I am not social, an engineer, nor do I claim to be an expert in this area of social engineering, I just want to share what I found so far, and if I find more information, or any of you have now or find, I would ask to add it as well. I found smarter people than I, there's about 6 billion of them, who wrote some good or not so good, depending on your opinion, papers on the subject. My goal is to become educated enough, write some procedures on testing and documenting in the area of social engineering, present that to my manager and team, let IT and IT Security know about it, and then during audits, start to test and see where it takes us.

    At this point, well any point, I am open to suggestions or advice on this subject and how best to proceed, based on experience and/or knowledge. This is obviously not a new area of possible intrusion, however, after reading what I have so far come across, I believe people need to be aware of this avenue of possible attack and compromise and how best to defend against it. Beside saying "You'll neva get me schee!?!"

    Links to Definitions of:

    1. Wikipedia Defintion: http://en.wikipedia.org/wiki/Social_...uter_security)

    2. Wikipedia Definition with Kevin Mitnick - with listings of his books: http://en.wikipedia.org/wiki/Kevin_Mitnick

    Links to Articles/Papers on:

    1. SANS Reading Room - Social Engineering: http://www.sans.org/rr/whitepapers/engineering/

    2. SANS Reading Room - Social Engineering - "Social Engineering: Understanding and Auditing" - great paper: http://www.sans.org/rr/whitepapers/engineering/1332.php

    3. Article/Short Paper on from Security Focus: http://www.securityfocus.com/infocus/1527

    4. Network Security Library - okay paper: http://www.secinf.net/Network_Security/Social-Engineering-The-Weakest-Link.html

    5. From ISACA (Information Systems Audit and Control Association) - "Social Engineering - A Tip of the Iceberg": http://www.isaca.org/Content/Content...he_Iceberg.htm

    Also - I forgot before - if you do read one or more of these papers - you will obviously find out in no time, more resources on this subject matter, I did not want to repeat them here, unless they really stand out.

    Also2 - Before engaging in this type, or any type of audit activity, ensure you have written permission to test and in most cases, inform IT and IT Security Management. (thanks to Aspman for the advice) There may be cases where you do not inform certain parties, however ensure you and/or your team is covered in case something goes wrong.

    Thanks for your time.
    \"We\'re the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We\'ve all been raised by television to believe that one day we\'ll all be millionaires and movie gods and rock stars -- but we won\'t. And we\'re learning slowly that fact. And we\'re very, very pissed off.\" - Tyler (Brad Pitt) Fight Club.

  2. #2
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    You've already got Mitnick down.
    Bruce Schneier covers SE in his books (Secrets and Lies anyway) but with other things.
    http://www.schneier.com/books.html

    Ask Gore, he's a student of SE.

    A lot of it is common sense if you just think about it and the only real defense is user awareness and training.

    Do it yourself, phone up staff from a cell phone and try to conn their passwords out of them.

    Tuck your pass in a pocket wander round and sit at other peoples desks. Tailgate people into work without using your pass.

    Remember to get a "get out of jail" pass in writing from senior management before you go playing though. You'll piss people off and scare them even if it is for their own good.

  3. #3
    Senior Member genXer's Avatar
    Join Date
    Jun 2005
    Posts
    252
    Remember to get a "get out of jail" pass in writing from senior management before you go playing though. You'll piss people off and scare them even if it is for their own good.
    Thanks Aspman for your feedback and information, along with the above sound advice. I have updated my original post to further reinforce that point.
    \"We\'re the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We\'ve all been raised by television to believe that one day we\'ll all be millionaires and movie gods and rock stars -- but we won\'t. And we\'re learning slowly that fact. And we\'re very, very pissed off.\" - Tyler (Brad Pitt) Fight Club.

  4. #4
    Junior Member
    Join Date
    Sep 2005
    Posts
    16
    You got a good start but here are some more,

    SE kiddie Forum
    http://www.socialengineering101.com/

    More Tech side of SE
    http://www.isoc.org/isoc/conferences...gs/3g/3g_2.htm

    An old article but still worth reading
    http://cybercrimes.net/Property/Hack...PsySocEng.html

    Security focus articles
    Part 1
    http://www.securityfocus.com/infocus/1527
    Part 2
    http://online.securityfocus.com/infocus/1533

    Just for the hell of it, The tech side of phising
    http://www.honeynet.org/papers/phishing/


    The pyramid of Social Engineering: Attitude, Knowledge, and Perception.

  5. #5
    Senior Member genXer's Avatar
    Join Date
    Jun 2005
    Posts
    252
    Great - thanks J4NK for the additional information!

    And like a knob - I forgot to check for already exisiting documentation here on the site, ok, actually I did, just did it wrong. Anywho, this is what has been already discussed before - starting from oldest to newest - ah yeessssssssssss!

    1. http://www.antionline.com/showthread...hreadid=240028 Last update: 14.02.2003

    2. http://www.antionline.com/showthread...hreadid=244188 Last update: 26.05.2003

    3. http://www.antionline.com/showthread...hreadid=251805 Last update: 05.12.2003

    4. http://www.antionline.com/showthread...hreadid=252395 Last update: 15.12.2003

    5. http://www.antionline.com/showthread...hreadid=257966 Last update: 22.05.2004

    6. http://www.antionline.com/showthread...hreadid=270602 Last update: 16.09.2005

    My apologies for that, however, had I posted on an older thread, I would have most likely been negged from here to Mars, and I would rather save those occasions for when I stick my whole leg in my mouth, not just my foot.

    Also - my "Auditor Sense" is kicking in - was the following from "The Specialist" or one of his alter-egos?
    Ask Neg instead. He's been the victim of the equivalent of a 419 scam.
    And Gore has never admitted that he looks up to me.
    Thanks again all.
    \"We\'re the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We\'ve all been raised by television to believe that one day we\'ll all be millionaires and movie gods and rock stars -- but we won\'t. And we\'re learning slowly that fact. And we\'re very, very pissed off.\" - Tyler (Brad Pitt) Fight Club.

  6. #6
    Senior Member
    Join Date
    Oct 2003
    Posts
    394
    About Phishing and Pharming that is also related to social enginering.

    Here is difinitions of them in wiki:
    http://en.wikipedia.org/wiki/Phishing
    http://en.wikipedia.org/wiki/Pharming
    // too far away outside of limit

  7. #7
    Junior Member
    Join Date
    Sep 2005
    Posts
    16
    I forgot about this one

    http://www.usps.com/postalinspectors/dvdorder.htm

    Free DVDs on all types of fraud and SE related subjects from the USPS.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides