.

I would like to hear from people who actually use social engineering in theirjob

<<

YuckTheFankees

User avatar

Sr. Member
Sr. Member

Posts: 332

Joined: Fri Apr 08, 2011 3:07 pm

Post Tue Oct 11, 2011 12:50 am

I would like to hear from people who actually use social engineering in theirjob

I would like to know how you prepped for the social engineering and maybe an example of one you have completed. thank you!
OSCP in progress
<<

lorddicranius

User avatar

Sr. Member
Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Tue Oct 11, 2011 1:10 am

Re: I would like to hear from people who actually use social engineering in theirjob

I don't use it in my own job, but Matias Brutti and Mike Ridpath of IOActive did a presentation here at B-Sides PDX this last weekend on how they use SE, along with recordings of calls they've done on the job:

http://www.ustream.tv/recorded/17736407

Jayson Street did his "Steal everything, kill everyone, cause total financial ruin" talk at DerbyCon two weekends ago about his use of SE during his night job:

http://www.youtube.com/watch?v=8esU0G5zlRU
GSEC, eCPPT, Sec+
<<

YuckTheFankees

User avatar

Sr. Member
Sr. Member

Posts: 332

Joined: Fri Apr 08, 2011 3:07 pm

Post Tue Oct 11, 2011 8:51 am

Re: I would like to hear from people who actually use social engineering in theirjob

That's some good stuff, thanks a lot!
OSCP in progress
<<

millwalll

Post Wed Oct 12, 2011 4:13 am

Re: I would like to hear from people who actually use social engineering in theirjob

There is also a really good book on SE called hacking the human.
<<

YuckTheFankees

User avatar

Sr. Member
Sr. Member

Posts: 332

Joined: Fri Apr 08, 2011 3:07 pm

Post Wed Oct 12, 2011 8:43 am

Re: I would like to hear from people who actually use social engineering in theirjob

Is that a newer book?
OSCP in progress
<<

YuckTheFankees

User avatar

Sr. Member
Sr. Member

Posts: 332

Joined: Fri Apr 08, 2011 3:07 pm

Post Thu Oct 13, 2011 9:07 am

Re: I would like to hear from people who actually use social engineering in theirjob

Okay cool. I've seen that book a couple of times on Amazon, I'll have to double check if safari books has it ;D. I've read one SE book and it was really interesting. The author would start with his story and after the 1st page I would try and guess what kind of information he was going after but I was never right. He would go 5 steps to the left just to get a little piece of information, then do something else where I was like " how does this relate at all"..then BAM he finally tells us what he was doing and it all made sense. I feel like SE is almost impossible to stop if someone plans the SE well enough.
OSCP in progress
<<

OneManicNinja

Newbie
Newbie

Posts: 1

Joined: Tue Nov 15, 2011 3:33 pm

Post Tue Nov 15, 2011 5:00 pm

Re: I would like to hear from people who actually use social engineering in theirjob

if Social Engineering is defined as "an interaction with a person that causes them to give you information that may not be in that person's best interest but is used to benefit the person asking"  (and imho this is a good definition)  then technically, no, i don't use it. I don't interact with them until i return their call/e-mail.

That said, when people contact me to hire me, I have a whole series of things i do to investigate them before I accept or reject a job. For the most part i want to make sure that I'll be in a safe situation, but it's also good to find out whether they can afford me!  ;) 

Also, finding out as much as i can helps me to make sure I offer them what they're looking for.  I always say that "affordable is relative" because what one guy would pay $100 for, another guy might pay $1000.  The second guy is expecting a certain level of service, and think that $100 is too cheap. My approach is to accept more clients that would be fine with paying $1000, and make sure those folks felt like they got a good deal.

Kind of a roundabout way of answering your question but i hope that helps.
<<

jibudada

Post Sat May 19, 2012 4:17 am

Re: I would like to hear from people who actually use social engineering in theirjob

OneManicNinja wrote:if Social Engineering is defined as "an interaction with a person that causes them to give you information that may not be in that person's best interest but is used to benefit the person asking"  (and imho this is a good definition)  then technically, no, i don't use it. I don't interact with them until i return their call/e-mail.

That said, when people contact me to hire me, I have a whole series of things i do to investigate them before I accept or reject a job. For the most part i want to make sure that I'll be in a safe situation, but it's also good to find out whether they can afford me!  ;) 

Also, finding out as much as i can helps me to make sure I offer them what they're looking for.  I always say that "affordable is relative" because what one guy would pay $100 for, another guy might pay $1000.  The second guy is expecting a certain level of service, and think that $100 is too cheap. My approach is to accept more clients that would be fine with paying $1000, and make sure those folks felt like they got a good deal.

Kind of a roundabout way of answering your question but i hope that helps.














Social Engineering is defined as the process of deceiving people into giving away access or confidential information. Wikipedia defines it as: "is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim."[1] Although it has been given a bad name by the plethora of "free pizza", "free coffee", and "how to pick up chicks" sites, aspects social engineering actually touches on many parts of daily life. Many consider social engineering to be the greatest risk to security.[2]


http://www.securitytube.net/tags/social%20engineering
<<

millwalll

Post Sun May 27, 2012 4:01 am

Re: I would like to hear from people who actually use social engineering in theirjob

This is a pretty good talk on SE at BSIDESLONDON  https://www.youtube.com/watch?v=gkDct933o6A&list=UUcKbtsDi0qm-rmawx32Gmfg&index=1&feature=plcp  There are slides too somewhere :)
<<

UNIX

User avatar

Hero Member
Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Sun May 27, 2012 5:30 am

Re: I would like to hear from people who actually use social engineering in theirjob

The slides are available here.
<<

cyber.spirit

User avatar

Sr. Member
Sr. Member

Posts: 356

Joined: Sun Feb 26, 2012 8:07 am

Location: in your heart!

Post Thu May 31, 2012 3:01 am

Re: I would like to hear from people who actually use social engineering in theirjob

Jamie.R wrote:There is also a really good book on SE called hacking the human.


aweSEC wrote:The slides are available here.



Very very great resources thank you all. but i think ethical hackers dosent use social engineering ofcourse its a good method to gain sensitive info but its not a pentest technic

anyway thanks alot!!
ICS Academy Network Security Certified
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Thu May 31, 2012 6:40 am

Re: I would like to hear from people who actually use social engineering in theirjob

@cyber.spirit - ethical hackers ABSOLUTELY use social engineering.  Its use depends on the scope of the contract, but if physical security and system access are called out, then it's critical to be able to use social engineering skills to gain access and gather information.  Even if physical security is NOT in scope, there are times when impersonation over the phone or email, or other SE tactics are still VERY useful in gathering recon data to scope out and penetrate the target.

(Edit:  Remember, the goal of a good pentester is to show a company their weaknesses...  If that includes proving that security awareness training is not a solid piece of the target company's security posture, then so be it...)
Last edited by hayabusa on Thu May 31, 2012 6:42 am, edited 1 time in total.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

lorddicranius

User avatar

Sr. Member
Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Thu May 31, 2012 8:46 am

Re: I would like to hear from people who actually use social engineering in theirjob

@cyber.spirit: Chris Hadnagy has written up some great articles here at EH-net on the use of SE in pentesting as well:

http://www.ethicalhacker.net/content/category/7/43/24/
GSEC, eCPPT, Sec+
<<

dalepearson

Sr. Member
Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Sat Aug 25, 2012 6:46 am

Re: I would like to hear from people who actually use social engineering in theirjob

if you are looking to simulate real world threats, then SE should certainly be a component of that threat simulation.
Next

Return to Social Engineering

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software