Social Engineering 0x01 ~ An Introduction to Hacking People
The most vulnerable thing about your workplace is the people in it. We, as humans, do not have things like security hot-fixes or patches, yet we have some of the biggest flaws ever seen.
Have you ever held a door open for someone? Or helped someone to pick up their dropped belongings? Now that you think about it, did you consciously have to make the decision to help those people? If you did, then society owes you for going above and beyond for those around you. However, if you did not, the potential is present for you to be ground-zero for your company's demise.
People are the Weakest Link
Out of all the software that is installed at your workplace, which do you think is the most vulnerable? Maybe that old version of Microsoft Office? Or maybe the one computer that still has Windows XP. These answers would be wrong. In almost every instance, the most vulnerable thing about the software in your workplace is the people using it. We, as humans, do not have things like security hot-fixes or patches, yet we have some of the biggest flaws ever seen.
In this mini-series (it might become a full series yet), you'll learn how the human mind works and how to exploit that to your advantage. We'll go over some of the most powerful techniques, and the psychology behind them. You will understand when to use them and how to identify the key signs of weakness.
To start off the series, I'm going to talk about an example of social engineering from one of the greats, Kevin Mitnick, who was once one of the most wanted cyber criminals in the world, and talk about what was behind the 'attack'. Kevin has written the book on Deception, and he has an autobiography from his time being one of the most wanted in America, which you can find here:
Ghost in the Wires - My Adventures As The World's Most Wanted Hacker
The Art of Deception - Controlling the Human Element of Security
Example - Free Bus Journeys
When Kevin was 12 years old, he was riding the buses in Los Angeles multiple times per day. 'On summer vacation when my mom was at work, I’d sometimes ride the bus all day.' One day, Kevin thought to himself "If I could punch my own transfers, the bus rides wouldn’t cost anything" . He started to scheme a plan to punch his own tickets.
His plan was simple: 1. Get the Card Punch that the bus drivers used; 2. Get a book of blank transfers; 3. Memorize the transfer patterns. #1 was achieved with relative ease - 'When he stopped at a light, I said, “I’m working on a school project and I need to punch interesting shapes on pieces of cardboard. The punch you use on the transfers would be great for me. Is there someplace I can buy one?”' - the bus driver then told him that you can get a similar punch from the local craft store for $15.
Step #2 was next, and Kevin thought to himself - "Well, where did the buses get washed?" - he traveled to the nearest bus depot, and spotted a large dumpster next to where the buses parked up for the night - 'Jackpot!' - he had stumbled across multiple partially full books of blank transfers, to which he stuffed his pockets full of. Now that all the hard work was done, he just had to learn the bus timetable ~ an easy task for someone with a good enough memory.
'Social Engineering - The art of replacing what works with what sounds good' - Thomas Sowell
This is a relatively simple example, but it demonstrates two of the most core tools in a social-engineer's arsenal: Curiosity and Dumpster Diving.
Curiosity is the first tool/technique I'll go through.
Curiosity is a power technique, as it has no negative penalties attached to it - as the old saying goes, "there's no harm done in asking". Let's say you need something normal, like a pen, from someone. The first thing that you would do is go "Can I have that pen?". If the response is "Yes", then you've succeeded in your goal. If the response is "No", then no harm is done, and you move forward. In Kevin's case above, he asked the bus driver about the card punch, and he got the answer he wanted. If he didn't get the answer he wanted, he could've simply moved on as if nothing even happened, potentially even ask a different bus driver.
The other technique used above is a technique known as 'Dumpster Diving'. Dumpster Diving is the act of sifting through a bin or dumpster or something similar to find key objects or information. In Kevin's case above, it was to get the blank transfers, but you can also get things like bank statements and confidential government documents through this technique. (sidenote: this is why you are told to shred confidential documents you are throwing away) Half the time, you don't even need to actually go 'diving' in the rubbish to get the information you need: a camera and a clear view will do.
One more thing that Kevin had in spades, and is also a vital component in a social-engineer's arsenal: confidence. If you are confident in what you are saying, people are more likely to believe you; if you are confident that you're supposed to be in a place that you maybe shouldn't be, people are more likely to believe you. Kevin was confident in the questions he asked the bus driver, and was confident in entering the bus depot. Even more so, he was confident in using his forged bus transfers. Confidence is important in social engineering, as it's half the act. If you're not confident, not only can you falter in delivering the techniques required, you also seem suspicious.
- The weakest link in security is the people behind it
- Curiosity - never be afraid to just ask for what you need
- Dumpster Diving - 'one man's rubbish is another man's treasure'
- Confidence - If you are confident in what you are doing, other will be too.
I'll be back soon with the next installment, where we'll go through some more ways you can exploit people, including methods that can be used on red team engagements and penetration tests.