Social Engeneering Is Dead?

Hey All,

I noticed that two "volumes" have been posted in the tutorial forum and it came to mind about it's actual effects in "today's modern world".

After seeing so (I emphasize so) many movies and tv shows which contain scenes of social engeneering (hackers, takedown, jerky boys) you'd think people would smarten up and think twice about what people say.

Take this for example: key words!
Wouldn't you think that someone would be smart enough to clue in that someone is trying to get your password and network info when they ask questions like: so what's the company mandate about password lenghts and types. (clueing in that a set password is set in place (helpful for bruteforce) and no dictionary words allowed (takes out the use of .dic files))

While some people seem to have a better head on their shoulders, some don't. Hell, it still works for things like e-mail viruses.... "sorry friend, I haven't written in a while.... blah... check out this e-card! (something.exe) duh! e-cards aren't executable from sites like Yahoo or so on... they are retrieved at the sites.

So while it seems to work on some levels (basically home users/computer illeterates) what about areas like comporate/business institutes? or computer firms? Does the whole trick from the Hackers scene still work? (mr. Kawasaki will have my ass.... what's the number on the blinking box?) Some how I'm thinking no.

Security about institutions are getting more severe now, especially with the media coverage of attacks by people like MafiaBoy, Mitnick, Melissa virus and so....

And it's in this sector where social engeneering matters more. Do hackers (or crackers.. whatever) care what home users have? Some do, snooping e-mails and bank accounts, but most people want to target the larger corporations for their thrills and kills.

Even now, home users are becoming much more educated on the subject. Look, we have AO for educating purposes, with a growing volume of users (while some are inactive). We have antiviruses with firewalls. We have retail spam and spyware killers (some come bundled with AV programs) as well as many sites, shows, radio telecasts and whatnot about avoiding these kinds of things....

I mean, many companies, institutions, firms, even retail stores have short seminars about things like this. So wouldn't that eliminate the use of it?

So what do you guys think? Is Social Engeneering DEAD? Or is it, and will be, always a working tool?

(ie: keep in mind that I know that there always will be stupid people out there.... :D)

Quote:

---

ie: keep in mind that I know that there always will be stupid people out there....

---

Well, you took the words right out of my mouth and (I think) answered the question at the same time. Seriously, as the basic home computer user's awareness and technological know-how increases, so, too, will the skills of the social engineer.

I didnt know about the second volume when I posted mine, I did do research for it and couldnt find anything, I would almost like to work on a really good source and have one of you guys make it a sticky in the security or tutorials forums. Really good examples and really in depth ways to protect yourself, Almost like a research paper, I have noticed this site seems to be drifting from security issues and some of their affects. Please let me know if you think this is a good idea, if not I will be working on Vol 2 here in the next few weeks.

As for Social Engineering in general, humans as a whole have a problem. We want to trust someone, tell someone something. Humanity what can we say even if your philosophy is to trust noone we still do it, dont know why but someone along the line we open up to. JMHO

That's a good point mathgirl32!
With advancement comes advancement.
While coning a person and trickery is an art to it's own, wouldn't you think that people will just ignore calls of people claiming to be tech support while nothing is wrong?

It's true that people are a little too trustworthy, but with the advancement with times, and ith events going on (9/11 - Iraq War - Trojans Increase) wouldn't you think people are going to become more paranoid and give less time to people who claim to help?

Quote:

---

wouldn't you think that people will just ignore calls of people claiming to be tech support while nothing is wrong?

---

Quote:

---

wouldn't you think people are going to become more paranoid and give less time to people who claim to help?

---

tyger_claw, yes "I" would think...."you" would think and probably most everyone here would think. Unfortunately, as I've posted before, most people don't think. They let themselves be led along believing most of what they're told and never really stop to.....think....

"There's a sucker born every minute" Many computer users think "anti-virus" is a new product line from Tylenol. If the computer has a problem I'll just turn it off and the problem goes away. Computers and the internet are two of the greatest creations in history (according to me), but try to explain that to someone who puts more thought into the placement of patio stones in their backyard than using a computer for work everyday.

remember social engineering isn't limited to just getting passwords to computers. at work i spend at least 3 days a week doing nothing but making sales, most of them over the phone. we constantly have consultants coming in showing our secrataries and salespeople how to talk their way past receptionists.

i read mitnicks book when it first came out. i thought that the stories were kind of amuzing, but he didn't really reveal anything of value. he talked very little about the research that goes into each of those "cons." stockbrokers, salespeople, debt collection agencies all have people that can fool secrataries and receptionists into giving out information.

People are ignorant and stupid. Like some of you were saying earlier, many people are too trust worthy. This is true, I can con information out of almost all of my friends, family, and even employees to businesses (doesn't mean I do, I have a conscience). Its so easy to get what you need out of people. Sometimes even the educated let things slip that may somehow harm them or something they are close to, like work. Its a matter of educating people and making them more cautious about what they are doing.

Also about the people downloading things that to us are obviously not what they claim to be, a lot of people don’t know that. We here know what a lot of these things are supposed to do and what they are supposed to look like, but the general people don’t. My mom for example, she doesn't know what she is doing half the time on the computer. She might open a trojan by accident and not know it, but we would more than likely know it. She has also opened emails containing viruses which my dad and i had deleted from our accounts.

So it actually becomes a matter of how much people know. A lot of people are completely uneducated about computers. I would say most people are. We here just kind of figure that a lot of people know the basics of computers. And even sometimes the basics isn't enough to protect ourselves.

Give someone an inch and they'll take a yard...and your credit card account number from your trash. You talk of applied ethics these days, and some people laugh. Whose to blame? How does that saying go? Don't hate the player, hate the game?
Anyways, I think it's a natural response to 'want' to trust someone, to think if only for one second that maybe, 'this' person might be different. "the perpetual search for that one person who isn't a *****" is what like to think of it. Well, I found an interesting excerpt related to this, check it out --

"There's always the technical way to break into a network but sometimes it's easier to go through the people in the company. You just fool them into giving up their own security," says Keith A. Rhodes, chief technologist at the U.S. General Accounting Office, which has a Congressional mandate to test the network security at 24 different government agencies and departments. "Companies train their people to be helpful, but they rarely train them to be part of the security process. We use the social connection between people, their desire to be helpful. We call it social engineering.

"It works every time," Rhodes says, adding that he performs 10 penetration tests a year on agencies such as the IRS and the Department of Agriculture. "Very few companies are worried about this. Every one of them should be."

Full Article Here

Social engineering will die the same day that paranoia is wiped from the face of the earth and the last hooker leaves Nevada for good...ie it ain't gonna happen folks. As long as information is stored in the human brain there will be a methodology for extracting it.