title: Overview of Social Engineering course: human_hacking section: "Introduction"
Some people may think of social engineering as:
"Lying to people to get information"
"Being a good actor"
"To get stuff for free"
Wikipedia defines it as "the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud or computer system access; in most cases, the attacker never comes face-to-face with the victim".
Although it has been given a bad name by the plethora of "free pizza", "free coffee" and "how to pick up chicks" sites, aspects of social engineering actually touch many parts of daily life.
Webster's Dictionary defines social as "of or pertaining to the life, welfare and relations of human beings in a community". It also defines engineering as "the art or science of making practical application of the knowledge of pure sciences, as physics or chemistry, as in the construction of engines, bridges, buildings, mines, ships and chemical plants or skillful or artful contrivance; maneuvering".
Combining those two definitions, you can easily see that social engineering is the art, or better yet, science, of skillfully maneuvering human beings to take action in some aspect of their lives.
This definition broadens the horizons of social engineers everywhere. Social engineering is used in everyday life in the way children get their parents to give in to their demands. It is used in the way teachers interact with their students, in the way doctors, lawyers or psychologists obtain information from their patients or clients. It is definitely used in law enforcement and in dating - it is truly used in every human interaction from babies to politicians and everyone in between.
I like to take that definition a step further and say that a true definition of social engineering is the act of manipulating a person to take an action that _may_ or may not be in the "target's" best interest. This may include obtaining information, gaining access or getting the target to take certain action.
For example, doctors, psychologists and therapists often use elements I consider social engineering to "manipulate" their patients to take actions that are good for them, whereas a con man uses elements of social engineering to convince his target to take actions that lead to loss for them. Even though the end game is much different, the approach may be very much the same. A psychologist may use a series of well-conceived questions to help a patient to come to a conclusion that change is needed. Similarly, a con man will use well-crafted questions to move his target into a vulnerable position.
Both of these examples are social engineering in its truest form, but have very different goals and results. Social engineering is not just about deceiving people or lying or acting a part.
Social engineering is not just any one action but a collection of skills mentioned in the framework that when put together make up the action, the skill and the science that is called Social Engineering. In the same way, a wonderful meal is not just one ingredient, but is made up by the careful combining, mixing and adding of many ingredients. This is how I imagine social engineering to be and a good social engineer is like a master chef. Put in a little dab of elicitation, add a shake of manipulation and a few heaping handfuls of pretexting, and bam! - out comes a great meal of the perfect social engineer.
Of course, this course discusses some of these facets, but the main focus is what you can learn from law enforcement, the politicians, the psychologists and even children to better your abilities to audit and then secure yourself. Analysing how a child can manipulate a parent so easily gives the social engineer insight into how the human mind works. Noticing how a psychologist phrases questions can help to see what puts people at ease. Noticing how a law enforcement agent performs a successful interrogation gives a clear path on how to obtain information from a target. Seeing how governments and politicians frame their messages for the greatest impact can show what works and what doesn't. Analysing how an actor gets into a role can open your eyes to the amazing world of pretexting. By dissecting the research and work of some of the leading minds in microexpressions and persuasion you can see how to use these techniques in social engineering. By reviewing some of the motivators of some of the world's greatest salespeople and persuasion experts you can learn how to build rapport, put people at ease and close deals.
Then, by researching and analysing the flip side of this coin - the con men, scam artists and thieves - you can learn how all of these skills come together to influence people and move people in directions they thought they would never go.
Mix this knowledge with the skills of lock picks, spies who use hidden cameras and professional information gatherers and you have a talented social engineer.
You do not need to use every one of these skills in each engagement, nor can you master every one of these skills. Instead, by understanding how these skills work and when to use them, anyone can master the science of social engineering. It is true that some people have a natural talent, like Kevin Mitnick, who could talk anyone into anything, it seemed. Frank Abagnale Jr. seemed to have the natural talents to con people into believing he was who he wanted them to believe he was. Victor Lustig did the unbelievable, actually convincing some people that he had the rights to sell the Eiffel Tower, topped only by his scam on Al Capone.
These social engineers and many more like them seem to have natural talent or a lack of fear that enables them to try things that most of us would never consider attempting.