I would like to hear from people who actually use social engineering in theirjob

[YuckTheFankees]

I would like to know how you prepped for the social engineering and maybe an example of one you have completed. thank you!

[lorddicranius]

I don't use it in my own job, but Matias Brutti and Mike Ridpath of IOActive did a presentation here at B-Sides PDX this last weekend on how they use SE, along with recordings of calls they've done on the job:

http://www.ustream.tv/recorded/17736407

Jayson Street did his "Steal everything, kill everyone, cause total financial ruin" talk at DerbyCon two weekends ago about his use of SE during his night job:

http://www.youtube.com/watch?v=8esU0G5zlRU

[YuckTheFankees]

That's some good stuff, thanks a lot!

[millwalll]

There is also a really good book on SE called hacking the human.

[YuckTheFankees]

Is that a newer book?

[millwalll]

its pretty new here link on amazon http://www.amazon.co.uk/Social-Engineering-Art-Human-Hacking/dp/0470639539/ref=sr_1_3?ie=UTF8&qid=1318500808&sr=8-3

[YuckTheFankees]

Okay cool. I've seen that book a couple of times on Amazon, I'll have to double check if safari books has it . I've read one SE book and it was really interesting. The author would start with his story and after the 1st page I would try and guess what kind of information he was going after but I was never right. He would go 5 steps to the left just to get a little piece of information, then do something else where I was like " how does this relate at all"..then BAM he finally tells us what he was doing and it all made sense. I feel like SE is almost impossible to stop if someone plans the SE well enough.

[OneManicNinja]

if Social Engineering is defined as "an interaction with a person that causes them to give you information that may not be in that person's best interest but is used to benefit the person asking"  (and imho this is a good definition)  then technically, no, i don't use it. I don't interact with them until i return their call/e-mail.

That said, when people contact me to hire me, I have a whole series of things i do to investigate them before I accept or reject a job. For the most part i want to make sure that I'll be in a safe situation, but it's also good to find out whether they can afford me!   

Also, finding out as much as i can helps me to make sure I offer them what they're looking for.  I always say that "affordable is relative" because what one guy would pay $100 for, another guy might pay $1000.  The second guy is expecting a certain level of service, and think that $100 is too cheap. My approach is to accept more clients that would be fine with paying $1000, and make sure those folks felt like they got a good deal.

Kind of a roundabout way of answering your question but i hope that helps.

[jibudada]

if Social Engineering is defined as "an interaction with a person that causes them to give you information that may not be in that person's best interest but is used to benefit the person asking"  (and imho this is a good definition)  then technically, no, i don't use it. I don't interact with them until i return their call/e-mail.

That said, when people contact me to hire me, I have a whole series of things i do to investigate them before I accept or reject a job. For the most part i want to make sure that I'll be in a safe situation, but it's also good to find out whether they can afford me!   

Also, finding out as much as i can helps me to make sure I offer them what they're looking for.  I always say that "affordable is relative" because what one guy would pay $100 for, another guy might pay $1000.  The second guy is expecting a certain level of service, and think that $100 is too cheap. My approach is to accept more clients that would be fine with paying $1000, and make sure those folks felt like they got a good deal.

Kind of a roundabout way of answering your question but i hope that helps.

Social Engineering is defined as the process of deceiving people into giving away access or confidential information. Wikipedia defines it as: "is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim."[1] Although it has been given a bad name by the plethora of "free pizza", "free coffee", and "how to pick up chicks" sites, aspects social engineering actually touches on many parts of daily life. Many consider social engineering to be the greatest risk to security.[2]


http://www.securitytube.net/tags/social%20engineering

[millwalll]

This is a pretty good talk on SE at BSIDESLONDON  https://www.youtube.com/watch?v=gkDct933o6A&list=UUcKbtsDi0qm-rmawx32Gmfg&index=1&feature=plcp  There are slides too somewhere

[UNIX]

The slides are available here.

[Cyber.spirit]

There is also a really good book on SE called hacking the human.

The slides are available here.

Very very great resources thank you all. but i think ethical hackers dosent use social engineering ofcourse its a good method to gain sensitive info but its not a pentest technic

anyway thanks alot!!

[hayabusa]

@cyber.spirit - ethical hackers ABSOLUTELY use social engineering.  Its use depends on the scope of the contract, but if physical security and system access are called out, then it's critical to be able to use social engineering skills to gain access and gather information.  Even if physical security is NOT in scope, there are times when impersonation over the phone or email, or other SE tactics are still VERY useful in gathering recon data to scope out and penetrate the target.

(Edit:  Remember, the goal of a good pentester is to show a company their weaknesses...  If that includes proving that security awareness training is not a solid piece of the target company's security posture, then so be it...)

[lorddicranius]

@cyber.spirit: Chris Hadnagy has written up some great articles here at EH-net on the use of SE in pentesting as well:

http://www.ethicalhacker.net/content/category/7/43/24/

[dalepearson]

if you are looking to simulate real world threats, then SE should certainly be a component of that threat simulation.