(NOTE: Long post)
(NOTE: Educational purposes only!)
Social Engineering or SocEng for short, is the art of communicating for some sort of gain (personal or otherwise).
From the movie ‘Usual Suspects’:
‘Who is Keyser Soze? He is supposed to be Turkish. Some say his father was German. Nobody believed he was real. Nobody ever saw him or knew anybody that ever worked directly for him, but to hear Kobayashi tell it, anybody could have worked for Soze. You never knew. That was his power. The greatest trick the Devil ever pulled was convincing the world he didn’t exist. And like that, poof. He’s gone.’
Convincing someone through communication is a very powerful device.
SocEng is not for the introverted and socially inept. You will be caught out early in the game or cannot maintain good OpSec (a statement about hackers can be placed here but that would be a major generalisation).
How SocEng is used depends on what the intent is (yes, there are good reasons to conduct a SocEng exercise)
If you are planning to do an exercise, here is a short list of things to consider:
- Not have the need to backtrack or cover up your tracks during the exercise. If you have to do this, you’re blown!
- Have a good solid cover: you can’t disclose who you are in real life and what your intent is.
- Think 2+ steps ahead: if you have to think in the moment, game over
- Context: A convincing story to tell: important, right?
- Gain trust, it can be considered to be manipulation but remember…good karma!
- Edge closer to the intent and capture the flag. Get what you need and run.
- Keep it constrained, the longer you engage in the exercise, the more likely you’ll slip up.
- Knowing when to stop and bail (exit strategy), you’ll need to pull the parachute before you get caught…always have a plan B
The best SocEngs can make things up on the fly, maintain character, be convincing and achieve their goals.
SocEng is a game of words (or actions). Needless to say I like a good SocEng exercise and it’s still amazes me the number of times senior people, socially aware people can fall.
How to bust someone practising SocEng:
- Ask lots of questions: this will get them riled up and may cause them to break character.
- Keep them engaged: depends on how much free time you actually have, they will get to a point where their patience will run out and break character (why do you think it’s really hard to be an undercover operative!)
- Poke holes in their story: by alerting the SocEng to their flaws, they will need to cover it up on the fly, which is quite difficult to do unless if they are a trained veteran.
- Use their tools against them: Be the dominant one in the conversation and lead the charge. Unless if this is a physical encounter, they can’t beat you up.
- Smoke and mirrors: If you suspect that they want to capture the flag, keep moving the flag. Drop in false information, delay information, etc BUT don’t do this often as they will sense that they are being played.
- Reduce the intensity: Taking away communication will get them frustrated not knowing what to do next, this leads to a break in character.
Please be very, very careful with SocEng, doing this the wrong way can lead to some serious consequences on the target. Always maintain ground rules before you start. Remember, good karma.
Tinder hacking will be a really exciting exercise, watch this space.