Social Engineering as a Technical Tool

| September 28, 2012


When we speak about social engineering the normal conversation steers away from the technical and more to the psychological.  This month we are going to change it up a bit and steer head on into the technical arena for a discussion about penetration testing.

There always seems to be a debate online about pentesting, what it is and what it isn’t.  How to do it right, how to do it “real world,” how to do it hardcore and even l33t.  But at the end of the day what each and every pentester wants (or should want) is to uncover the holes in the client’s network, so they can be mitigated before the bad guys use those very same holes for malicious purposes.

That desire should drive each “real world” pentester to use every tool – technical or not – at his disposal for the benefit of his clients.  This is where our discussion begins: how to use social engineering as a technical tool, or as a tool to get technical details.

Continue Reading

is Vegas Bound Baby!

| July 20, 2012

20 years.  Hard to believe, but Defcon has been around for two decades.  And Black Hat has been doing its thing for 15 years and continues to buck the conference trend and grow in attendance each year.  These two security conferences are some of the pace-setting events for our industry.  For the last few years, the crew at Social-Engineer have been a part of these events, and this year is no different.  As you may know, we have two arms of our organization. is the free web portal that strives to achieve “Security Through Education” not only with our core crew but also with many excellent contributors. is our commercial arm offering social engineering services (such as penetration tests) and training.  Here are some of the events, happenings and schedule for us during the annual pilgrimage to Vegas.

Continue Reading

Nonverbal Human Hacking

| June 18, 2012


Many fans of the newsletter will remember a couple years ago when I launched some research.  I wrote about the study and the use of nonverbal communications and labeled it NLH.  Over the last couple of years I have been working on deepening and broadening that research and feel that the title limited my studies.  Moving to a more general definition like “nonverbal human hacking” takes away the stigma and connection to NLP that made many view this area as something more mystical and not science-based research.

The fact of the matter is that social engineering is nothing new.  From some of the oldest stories recorded in mankind’s history until today, social engineering has been used.  Despite the advancement in technology the same principles work when it comes to “hacking the human OS.”

As an ardent student of the sciences and arts that make up social engineering, I am always trying to learn how to adapt certain studies from other professionals into social engineering as a whole.  As you most likely have heard, we have interviewed radio hosts, psychologists, law enforcement officials, dating experts, scientists and others to try and understand what each of those fields has to offer a social engineer.

Continue Reading

An Insider’s Look at the Social-Engineer.Org SE CtF at DEFCON

| May 25, 2012

By Chris Hadnagy

I want you to picture this scene:  It is a warm day in sunny Maryland, my phone rings.  I answer it.

Me – “Chris speaking…”
Voice – “Hello Sir, this is Special Agent Smith (name changed) from the FBI, I would like to speak to you about this social engineering contest…”
Me – “Nice Dave, not falling for it.  Good try sucker!”
Voice – “Sir, I already mentioned my name is Special Agent Smith, not Dave.  It is important that we…”
Me – “Blah, Blah Blah.. right Dave.  You are always trying to get me.  Nice one, almost sounds real.  Later loser…”
Moments after the phone was hung up it rings again…
Me – “Hello?”
Voice – “I would ask that you listen sir and do not hang up.  Call me back at this number… And ask for Special Agent Smith.”

This was the birth of the very first Social-Engineer.Org Social Engineering Capture the Flag Contest (SE CtF) at DEFCON, over two years ago.


Continue Reading

Bringing the Unsexy Back: The Process of Selling SE Penetration Tests

| April 27, 2012


For the past few months, I’ve brought you articles on launching your career as a social engineer, the psychology and history behind hacking humans and even some scams you can pull on your clients for their own good.  As wonderful as it is to talk about the methods, the tricks and the sexy stories of social engineering pwnage, we need to take a step back and discuss the business end of this spectrum.

Yes, I said it… business side.  After all, most of us reading this article either are in IT/Security or want to be.  So how can one sell SE penetration tests?  How can you scope it?  Price it? And what do you give the client at the end of the engagement? All of these are good questions for budding professional social engineers, and thus the topic of this month’s column, the process of selling and delivering a social engineering penetration test.

Continue Reading

Scam Your Clients for Their Own Good

| March 26, 2012


As a professional social engineer, it is beneficial to study the methods of scamming that the bad guys have used in the past, compare them to modern tactics and see what can be learned.  Experts generally agree that the motivation for most scams is greed.  Although that is true, fame, attention or just the urge to maliciously hurt and steal from others are also strong motivators for scamming people.  This month, let’s analyze some old scams, compare them to a modern-day equivalent and see what we can learn as social engineering pentesters about ethically scamming your clients.

Although scams have been around since the dawn of man, this one from 1812 is notable.  A Philadelphia man named Charles Redheffer claimed that he had invented a perpetual motion machine, a theoretical device that, after only one initial input of power, will perpetually continue to generate energy.  Even though such a machine would break the laws of thermodynamics, his claim was supposedly backed up by an actual working device.  His next desire was to secure government funding to “build a larger version.”  He actually got the money and built a new machine, but he then fled the city when inspectors found that he had hidden the real power source.  Undeterred, he tried the same scam in New York City but was again caught when the inspectors removed a wall of the machine to reveal an old man eating a sandwich and turning a crank.  This machine can still be seen today in the Franklin Institute of Philadelphia.  In analyzing this scam we can see some basic principles at play.

Continue Reading

Look Mom, I’m a Thespian: How to Use Acting Skills as a Social Engineer

| February 24, 2012

By Chris Hadnagy

Social Engineering is a complex beast.  It is not simply lying or telling someone a deceitful story to get them to hand over their passwords.  Social Engineering (SE) is defined, well at least by me, as any act that influences a person to take an action that may or may not be in their best interest.  With that definition in mind, there are many different principles that influence SE, and skills needed both physically and psychologically.

The concept behind this column is to provide the tools, techniques and direction to the readers that would like to either incorporate more SE into their current work or to become a full-time social engineer. I would like to take this month’s article to talk about at least one of the psychological principles involved in SE that should be considered foundational and required. It makes a huge difference in your ability to be successful.


Continue Reading

Top 5 Tips To Make Social Engineering Your Career

| January 25, 2012

By Chris Hadnagy

Over the last year social engineering has gotten a lot of press.  From the attacks on companies like Sony, HBGary, PBS, Citibank et al. to contests like the Social Engineering CTF at Defcon, it seems that social engineering has taken the front page.  And rightfully so, as it is still the easiest and often most effective vector of attack.  With that in mind, many people are interested in learning what it will take to either add social engineering skills to their tool chest (either personally or as part of their red team) or even become a full-time, professional social engineer.

And that was the impetus behind Chris Hadnagy’s new monthly column, exclusively at The Ethical Hacker Network: how to become a professional social engineer.  So to get the ball rolling, I compiled this Top 5 List to help each person make this a career path, or at least add it to their present security practices.  As we move through the coming months, we’ll explore the history, methodologies and practical experiments in attacking the human.  It will not only be educational but eventually lucrative for you and your organizations.


Continue Reading