Social Engineering - Christopher Hadnagy [11]
Mix this knowledge with the skills of lock picks, spies who use hidden cameras, and professional information gatherers and you have a talented social engineer.
You do not use every one of these skills in each engagement, nor can you master every one of these skills. Instead, by understanding how these skills work and when to use them, anyone can master the science of social engineering. It is true that some people have a natural talent, like Kevin Mitnick, who could talk anyone into anything, it seemed. Frank Abagnale, Jr., seemed to have the natural talents to con people into believing he was who he wanted them to believe he was. Victor Lustig did the unbelievable, actually convincing some people that he had the rights to sell the Eiffel Tower, topped only by his scam on Al Capone.
These social engineers and many more like them seem to have natural talent or a lack of fear that enables them to try things that most of us would never consider attempting. Unfortunately in the world today, malicious hackers are continually improving their skills at manipulating people and malicious social engineering attacks are increasing. DarkReading posted an article (www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=226200272) that cites that data breaches have reached between $1 and $53 million per breach. Citing research by the Ponemon Institute DarkReading states, “Ponemon found that Web-borne attacks, malicious code, and malicious insiders are the most costly types of attacks, making up more than 90 percent of all cybercrime costs per organization per year: A Web-based attack costs $143,209; malicious code, $124,083; and malicious insiders, $100,300.” Malicious insiders being listed on the top three suggests that businesses need to be more aware of the threats posed by malicious social engineering, even from employees.
Many of these attacks could have been avoided if people were educated, because they could act on that education. Sometimes just finding out how malicious people think and act can be an eye opener.
As example on a much smaller and more personal scale, I was recently discussing with a close friend her financial accounts and how she was worried about being hacked or scammed. In the course of the conversation we started to discuss how easy it is to “guess” people’s passwords. I told her that many people use the same passwords for every account; I saw her face go white as she realized this is her. I told her that most people use simplistic passwords that combine things like their spouse’s name, his or her birthday, or anniversary date. I saw her go an ever-brighter shade of pale. I continued by saying that most of the time people chose the simplest “security question” such as “your (or your mother’s) maiden name” and how easy finding that information is via the Internet or a few fake phone calls.
Many people will list this information in Blippy, Twitter, or Facebook accounts. This particular friend didn’t use social media sites too much, so I asked her that if she thought with a few phone calls she could picture herself giving over this information. Of course she said no. To illustrate how easily people hand over personal information, I told her that I once saw a placemat in a restaurant that had a $50-off coupon for a local golf course—a very attractive offer. To take advantage of this offer, you only had to provide your name, date of birth, and street address, and provide a password for an account that would be set up and sent to your e-mail address. (I only noticed this in the first place because someone had started filling out the coupon and left it on the table.) Every day websites are created to collect such sensitive information.
A phone call with a survey or some quick research on the Internet can yield a birth date or anniversary date, and armed with this information I have enough to build a password attack list. Plus, a dozen sites