What is social engineering? A fairly quick and catchy explanation would be that social engineering is the art of human hacking[1]. A more in-depth analysis would have to bring in psychology and ethics as much as technology, because the idea behind it is that a person, rather than a system, is what actually gets 'hacked' (exploited).
Good manners cost nothing…
Some people describe social engineering as the hacker's polite approach: a social engineer just asks innocent questions in a casual conversation. The problem arises when the answers reveal sensitive information about a person, an organisation or, more generally, the target. How many days are you on holiday for? Is anyone going to stay at your place while you are away? OK, so these questions are probably posed by a more everyday thief, but there's not much difference between the two: the outcome for the target is the same, the loss of something valuable, whether it is the hacker or the thief who takes it. The problem here lies within society's accepted behaviour: is it simply good manners that make someone a victim, or the skill of the attacker? If you stop the conversation and don't answer these 'innocent' questions, does that mean you have bad manners? Are you just being rude, or do you see the threat coming?
“Hold the door for me, mate?”
Of course, social engineering does not stop at conversation. Holding the door open for a stranger who's juggling four[2] cups of coffee is good manners. It's polite. It's kind. It's also a security breach. You don't know who they are, and there's a good chance you have just been fooled. Asking straightforward questions (who they are and what they're doing here) in a polite, friendly way is not rude and is absolutely the right thing to do, because the premises in our scenario have restricted access (a pass card or a PIN, say). A door that opens for a badge but is held open for a smile has no control on it at all, which is why such sites usually insist on one badge swipe per person. The truth is, the stranger could be anyone. This is especially true in larger organisations with staff spread across numerous departments: you might see people you don't recognise all the time.
If you're the would-be intruder in this instance, a nice way to avoid being asked these awkward questions is to learn the name of the person at the entrance who is going to hold the door open for you. How about attempting the break-in just as that person comes back from holiday (remember the questions we asked earlier)? To them, you've probably started working here while they were away. After all, you know their name, they don't know yours, and they don't want to appear rude. With the confidence, the information and four cups of coffee in your hands, all you need to do is walk up to the door and let your social engineering get them to open it for you. Casual conversation always helps: why not ask them about their holiday as you go through the door? Lo and behold: they've been hacked.
One man’s junk is another man’s treasure
Tailgating is probably the most common way an attacker gets into secure premises. But what happens when the attacker, instead of following closely behind you, just waits outside the building, enjoying the view, until there is a quiet moment to go through your bins? Seriously. A few years ago this was how confidential documents from the Canadian government ended up exposed to the public. Put simply, 'dumpster diving' is the attacker recovering material from the rubbish that has not been properly shredded, erased, redacted and so on: a whole document dropped in a bin, a strip-shredded one that can be pieced back together, or a discarded disk whose files were only 'deleted' rather than wiped all count. And it is alarmingly successful.
Hook, line and sinker
You've probably heard the terms 'phishing' and 'baiting'. Although they're similar, they each have their own meaning, and when it comes to social engineering and good manners it's easy to tell them apart. Not responding to what appears to be a phishing e-mail won't offend anyone: such e-mails are usually fairly easy to spot and often aren't addressed to anyone by name. Baiting, though, is different. Here the attacker targets you personally and makes you the bad guy. Don't believe me? Let's imagine the following scenario: you work for an average-sized company where not everyone knows each other, and you find a USB drive (complete with the company logo on it) right outside the office door. As a good person, you look around to see if someone just walked in or out. No-one is there. So you have two choices: hand it to reception and let them find out who it belongs to (which they will most likely do by plugging it in), or plug it in yourself and see what's on it, and in doing so find out whose it is. Either way, you've just been hacked: that innocent-looking USB drive contained malware that has now got into your company's internal network. Congratulations! Epeius (the man who built the big wooden horse the Greek soldiers hid in) would be proud. Your boss and the poor security team, less so. An online phishing attack followed by baiting could easily lead on to tailgating and the exposure of sensitive information. Imagine all the previous scenarios carried out against your company.
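The scenario above ends at "plug it in", and what that does on a modern desktop is worth spelling out. Current operating systems do not run anything automatically from a mass-storage device, so a dropped drive either carries a file the finder is tempted to open, or is not really a drive at all but a small computer that enumerates as a keyboard and types commands the moment it is connected. Either way, the first visible trace on the host is the kernel logging a new USB device. As an added example (not code from the original article or from any product it mentions), the Python below parses constructed dmesg-style lines and flags unapproved removable storage and unapproved keyboards; the log lines, bus paths, product names and the allowlist are all invented for the example.

```python
"""
Spot the devices a dropped-USB attack depends on by reading Linux kernel log
(dmesg/journal) output. Two things merit an alert: removable mass storage with
an unapproved vendor:product ID, and a device that announces itself as a
keyboard without being on the approved list (a "drive" that types).
All sample lines and the allowlist below are constructed for this example.
"""
import re

# Constructed dmesg-style sample: one ordinary flash drive, one "USB Disk" that
# actually enumerates as a keyboard, and one approved wireless receiver.
# Timestamps, bus paths and IDs are illustrative, not captured from a real host.
SAMPLE_DMESG = """\
[ 101.120000] usb 1-1: new high-speed USB device number 5 using xhci_hcd
[ 101.300000] usb 1-1: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
[ 101.300100] usb 1-1: Product: DataTraveler 3.0
[ 101.300200] usb 1-1: Manufacturer: Kingston
[ 101.310000] usb-storage 1-1:1.0: USB Mass Storage device detected
[ 230.500000] usb 1-2: new full-speed USB device number 6 using xhci_hcd
[ 230.650000] usb 1-2: New USB device found, idVendor=16c0, idProduct=047c, bcdDevice= 1.00
[ 230.650100] usb 1-2: Product: USB Disk
[ 230.750000] hid-generic 0003:16C0:047C.0001: input,hidraw0: USB HID v1.11 Keyboard [USB Disk] on usb-0000:00:14.0-2/input0
[ 400.100000] usb 1-3: new full-speed USB device number 7 using xhci_hcd
[ 400.200000] usb 1-3: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.01
[ 400.200100] usb 1-3: Product: USB Receiver
[ 400.250000] hid-generic 0003:046D:C52B.0002: input,hidraw1: USB HID v1.11 Keyboard [Logitech USB Receiver] on usb-0000:00:14.0-3/input0
"""

# Hypothetical allowlist of approved vendor:product IDs (lower-case hex);
# a real one would come from the asset inventory.
ALLOWED_IDS = {"046d:c52b"}

NEW_DEVICE = re.compile(
    r"usb (?P<bus>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
PRODUCT = re.compile(r"usb (?P<bus>[\d.-]+): Product: (?P<name>.+)$")
STORAGE = re.compile(r"usb-storage (?P<bus>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")
KEYBOARD = re.compile(
    r"hid-generic 0003:(?P<vid>[0-9A-F]{4}):(?P<pid>[0-9A-F]{4})\.\d+: .*USB HID v[\d.]+ Keyboard"
)


def parse_dmesg(text):
    """Build {bus_path: {"id", "name", "storage", "keyboard"}} from kernel log lines."""
    devices = {}
    bus_by_id = {}  # vid:pid -> bus path, to tie HID lines back to the enumerated device
    for line in text.splitlines():
        m = NEW_DEVICE.search(line)
        if m:
            dev_id = f"{m['vid']}:{m['pid']}".lower()
            devices[m["bus"]] = {"id": dev_id, "name": "", "storage": False, "keyboard": False}
            bus_by_id[dev_id] = m["bus"]
            continue
        m = PRODUCT.search(line)
        if m and m["bus"] in devices:
            devices[m["bus"]]["name"] = m["name"].strip()
            continue
        m = STORAGE.search(line)
        if m and m["bus"] in devices:
            devices[m["bus"]]["storage"] = True
            continue
        m = KEYBOARD.search(line)
        if m:
            bus = bus_by_id.get(f"{m['vid']}:{m['pid']}".lower())
            if bus is not None:
                devices[bus]["keyboard"] = True
    return devices


def flag_devices(devices, allowed=ALLOWED_IDS):
    """Return [(bus_path, reason)] for devices the security team should look at."""
    findings = []
    for bus, dev in sorted(devices.items()):
        if dev["id"] in allowed:
            continue
        label = f"{dev['name'] or 'unnamed device'} ({dev['id']})"
        if dev["keyboard"]:
            # A device that types is far more dangerous than one that merely stores.
            findings.append((bus, f"unapproved keyboard: {label}"))
        elif dev["storage"]:
            findings.append((bus, f"unapproved removable storage: {label}"))
    return findings


if __name__ == "__main__":
    for bus, reason in flag_devices(parse_dmesg(SAMPLE_DMESG)):
        print(f"usb {bus}: {reason}")
```

Vendor and product IDs are set by the device's own firmware, so the allowlist keeps honest devices honest and nothing more: a malicious device that copies an approved receiver's IDs passes this check. The stronger control is to block unknown USB device classes at the operating system and to make "I found a drive" a reception-desk procedure rather than a desktop one.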
So, where do good manners start and where should they stop? There are a few lessons to be learnt here. Be polite, have good manners, but do not trust anyone just because they look like a good person, or because you think that you are a good person; stay friendly and verify anyway. Otherwise, you'll get hacked.
[1] Christopher Hadnagy, Social Engineering: The Art of Human Hacking.
[2] Personally I would do it with 8 coffee cups just to really sell it.