Resources

Social engineering

Warning: Do not execute these on a network or system that you do not own. Execute only on your own network or system for learning purposes. Do not execute these on any production network or system, unless Rules of engagement have been agreed on, and you have a Get out of jail free card.

March 2, 2015, 6 minute read

What?

Social engineering targets the weakest link in the security chain: people. It takes advantage of human weakness and trust (which can be strengths in other contexts, like being helpful) and uses several non-technical methods to gather information or circumvent security controls. Social engineering:

  • Targets people and non-technical processes
  • May target weak physical and operational security
  • Can also use technical tools, such as email and websites
  • Includes several different methods and techniques
  • Requires patience, the ability to think quickly on your feet, acting ability, resourcefulness and observation skills
  • Needs authentic people skills!

Why?

Goals are to gather information, gain a foothold in an organisation, and infiltrate security.

How?

  • Using people, like network administrators, security personnel, senior executives, cleaners, etc.
  • Blackmail
  • Via email and social media/networking
  • Phishing, including vishing, whaling, and spear phishing
  • Casual contact
  • Eavesdropping and surveillance
  • Shoulder surfing
  • Dumpster diving
  • Impersonation
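As an added defender-side illustration of the phishing entry above (not code from the original post), here is a small Python checker that flags the header-level signs a social-engineering email typically carries: a display name that claims a trusted domain, a lookalike sender domain, a Reply-To that diverts answers elsewhere, and pressure wording in the subject. The trusted-domain list, the urgency word list and the sample message are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from difflib import SequenceMatcher

# Domains the organisation legitimately mails from (constructed for this example).
TRUSTED_DOMAINS = {"example.com", "payroll.example.com"}
# Words that create time pressure, a classic social-engineering lever (constructed list).
URGENCY_WORDS = {"urgent", "immediately", "suspended", "verify", "invoice", "password"}

def lookalike(domain, trusted, threshold=0.8):
    """Return the trusted domain that `domain` resembles but does not equal, else ''."""
    for t in sorted(trusted):
        if domain != t and SequenceMatcher(None, domain, t).ratio() >= threshold:
            return t
    return ""

def phishing_indicators(raw):
    """Return a list of header-level phishing indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []
    # 1. Display name names a trusted domain while the real address domain differs.
    claimed = re.findall(r"[\w.-]+\.[a-z]{2,}", name.lower())
    if any(c in TRUSTED_DOMAINS and c != from_domain for c in claimed):
        findings.append("display-name claims trusted domain")
    # 2. Sender domain is a near-miss of a trusted one (e.g. a digit swapped for a letter).
    t = lookalike(from_domain, TRUSTED_DOMAINS)
    if t:
        findings.append("lookalike domain %s ~ %s" % (from_domain, t))
    # 3. Replies are routed to a different domain than the apparent sender.
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to domain differs from sender")
    # 4. Two or more pressure words in the subject line.
    subject = msg.get("Subject", "").lower()
    hits = sorted(w for w in URGENCY_WORDS if w in subject)
    if len(hits) >= 2:
        findings.append("urgency language: " + ", ".join(hits))
    return findings

# Constructed sample message, not a real capture.
SAMPLE = """From: "IT Helpdesk example.com" <helpdesk@examp1e.com>
Reply-To: collect@mailbox-free.invalid
Subject: URGENT: verify your password immediately

Your account will be suspended. Click the link below.
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE):
        print(finding)
```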

Concretely