I would like to hear from people who actually use social engineering in theirjob

This topic contains 17 replies, has 11 voices, and was last updated by  SaltineHacker 4 years, 8 months ago.

  • Author
    Posts
  • #6900
     YuckTheFankees 
    Participant

    I would like to know how you prepped for the social engineering and maybe an example of one you have completed. thank you!

  • #42672
     lorddicranius 
    Participant

    I don’t use it in my own job, but Matias Brutti and Mike Ridpath of IOActive did a presentation here at B-Sides PDX this last weekend on how they use SE, along with recordings of calls they’ve done on the job:

    http://www.ustream.tv/recorded/17736407

    Jayson Street did his “Steal everything, kill everyone, cause total financial ruin” talk at DerbyCon two weekends ago about his use of SE during his night job:

  • #42673
     YuckTheFankees 
    Participant

    That’s some good stuff, thanks a lot!

  • #42674
     Anonymous 
    Participant

    There is also a really good book on SE called hacking the human.

  • #42675
     YuckTheFankees 
    Participant

    Is that a newer book?

  • #42676
     Anonymous 
    Participant
  • #42677
     YuckTheFankees 
    Participant

    Okay cool. I’ve seen that book a couple of times on Amazon, I’ll have to double check if safari books has it ;D. I’ve read one SE book and it was really interesting. The author would start with his story and after the 1st page I would try and guess what kind of information he was going after but I was never right. He would go 5 steps to the left just to get a little piece of information, then do something else where I was like ” how does this relate at all”..then BAM he finally tells us what he was doing and it all made sense. I feel like SE is almost impossible to stop if someone plans the SE well enough.

  • #42678
     OneManicNinja 
    Participant

    if Social Engineering is defined as “an interaction with a person that causes them to give you information that may not be in that person’s best interest but is used to benefit the person asking”  (and imho this is a good definition)  then technically, no, i don’t use it. I don’t interact with them until i return their call/e-mail.

    That said, when people contact me to hire me, I have a whole series of things i do to investigate them before I accept or reject a job. For the most part i want to make sure that I’ll be in a safe situation, but it’s also good to find out whether they can afford me!  😉 

    Also, finding out as much as i can helps me to make sure I offer them what they’re looking for.  I always say that “affordable is relative” because what one guy would pay $100 for, another guy might pay $1000.  The second guy is expecting a certain level of service, and think that $100 is too cheap. My approach is to accept more clients that would be fine with paying $1000, and make sure those folks felt like they got a good deal.

    Kind of a roundabout way of answering your question but i hope that helps.

  • #42679
     Anonymous 
    Participant

    @onemanicninja wrote:

    if Social Engineering is defined as “an interaction with a person that causes them to give you information that may not be in that person’s best interest but is used to benefit the person asking”  (and imho this is a good definition)  then technically, no, i don’t use it. I don’t interact with them until i return their call/e-mail.

    That said, when people contact me to hire me, I have a whole series of things i do to investigate them before I accept or reject a job. For the most part i want to make sure that I’ll be in a safe situation, but it’s also good to find out whether they can afford me!  😉 

    Also, finding out as much as i can helps me to make sure I offer them what they’re looking for.  I always say that “affordable is relative” because what one guy would pay $100 for, another guy might pay $1000.  The second guy is expecting a certain level of service, and think that $100 is too cheap. My approach is to accept more clients that would be fine with paying $1000, and make sure those folks felt like they got a good deal.

    Kind of a roundabout way of answering your question but i hope that helps.

    Social Engineering is defined as the process of deceiving people into giving away access or confidential information. Wikipedia defines it as: “is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.”[1] Although it has been given a bad name by the plethora of “free pizza”, “free coffee”, and “how to pick up chicks” sites, aspects social engineering actually touches on many parts of daily life. Many consider social engineering to be the greatest risk to security.[2]

    http://www.securitytube.net/tags/social%20engineering

  • #42680
     Anonymous 
    Participant

    This is a pretty good talk on SE at BSIDESLONDON  https://www.youtube.com/watch?v=gkDct933o6A&list=UUcKbtsDi0qm-rmawx32Gmfg&index=1&feature=plcp  There are slides too somewhere 🙂

  • #42681
     UNIX 
    Participant

    The slides are available here.

  • #42682
     cyber.spirit 
    Participant

    @Jamie.R wrote:

    There is also a really good book on SE called hacking the human.

    @aweSEC wrote:

    The slides are available here.

    Very very great resources thank you all. but i think ethical hackers dosent use social engineering ofcourse its a good method to gain sensitive info but its not a pentest technic

    anyway thanks alot!!

  • #42683
     hayabusa 
    Participant

    @cyber.spirit – ethical hackers ABSOLUTELY use social engineering.  Its use depends on the scope of the contract, but if physical security and system access are called out, then it’s critical to be able to use social engineering skills to gain access and gather information.  Even if physical security is NOT in scope, there are times when impersonation over the phone or email, or other SE tactics are still VERY useful in gathering recon data to scope out and penetrate the target.

    (Edit:  Remember, the goal of a good pentester is to show a company their weaknesses…  If that includes proving that security awareness training is not a solid piece of the target company’s security posture, then so be it…)

  • #42684
     lorddicranius 
    Participant

    @cyber.spirit: Chris Hadnagy has written up some great articles here at EH-net on the use of SE in pentesting as well:

    http://www.ethicalhacker.net/content/category/7/43/24/

  • #42685
     dalepearson 
    Participant

    if you are looking to simulate real world threats, then SE should certainly be a component of that threat simulation.

  • #42686
     Mr Undoubtable 
    Participant

    I Think many people Social Engineer without knowing. I do it very often. But not at work. Well maybe once an awhile.  ;D

    I also run a Forum just for Social Engineering If you’d like to check it out.

    https://hmsef.net/

  • #42687
     MaXe 
    Participant

    @Mr Undoubtable wrote:

    I Think many people Social Engineer without knowing. I do it very often. But not at work. Well maybe once an awhile.  ;D

    I also run a Forum just for Social Engineering If you’d like to check it out.

    https://hmsef.net/

    I think you forgot to read the title of this website, it’s The Ethical Hacker Network, not “Illlegal or Unethical Hacker Network”. Your site promotes the usage of “fake receipts” and the motto is: “We get free shit”. It sounds more like you are scammers abusing how e.g. corporations function in the States, etc.

    Social engineering, does not have to be applied at a malicious / illegal / unethical level.

  • #42688
     SaltineHacker 
    Participant

    @yuckthefankees wrote:

    I would like to know how you prepped for the social engineering and maybe an example of one you have completed. thank you!

    I have done corporate espionage on several occasions. The most important way to prep is to have a detailed back story, and be able to respond to questions without hesitations. I never ask ask for information, I volunteer information and it is an opprutunity for them to contribute to a situation. For Example, I was writing an english paper in college on Social Engineering and I had to meet with my teacher to go over the my rough draft. She was intrigued by the topic. (About a week earlier I went on the campus website and typed in my teachers username and there was a tick box for a password reminder, when I clicked submit it displayed the password reminder “dog1” so I knew the information I needed to discover… her dogs name). When I was in her office there was a picture of a dog on her desk… I guess I could have asked what her dogs name was, but the topic of my paper might tip her off, so I enterjected a story about my daughter and how whenever we got a new dog she would always want to name it after herself (we never did),but actually we named our dogs after Disney Princesses (Bella, Aurora, and Jasmine). So in an attempt to contribute to the conversation she told me the orgin of her dogs name, and all of the pets she has ever had… so to make a long story short her Password is Molly1. I didn’t ask her for any information but I used basic psychology to direct the conversation. People become cautious when questioned. It is better to make them think it was their idea to to divulge the information you are looking for.

    Pro tip: Hackers use social engineering to reset passwords. For example, when I set up a security question, I have an irrelevent “Key word” like “bananna”, and I use it for all of my security questions, it makes it impossible for anyone to social engineer my security questions… like if I am asked, What is your home town? the answer would be “bananna” because with the internet and social media it is pretty easy to stumble accross that info and reset a password. I suggest 3 keywords in the event that there are multiple security questions. ~Happy Hacking

You must be logged in to reply to this topic.

Copyright ©2019 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?