Thursday, July 21, 2011

Thinking Like a Social Engineer

Posted by OurTech Team | Thursday, July 21, 2011 | Category: , , , |





Having a few hundred megabytes of data and pictures is great, but when you start reviewing it, how do
you train yourself to review and then think of the data in a way that has maximum impact?
Of course you could just open a browser and type in long-winded random searches that may lead to
some form of information, some of which may even be useful. If you are hungry you probably don’t just
run to the kitchen and start to throw whatever ingredients you see into a bowl and start digging in.
Planning, preparation, and thought all cause the meal to be good. Similar to a real meal, a social engineer
needs to plan, prepare, and think about what information he will try to obtain and how he will obtain it.
When it comes to this vital step of information gathering many people will have to change the way
they think. You have to approach the world of information in front of you with a different opinion and
mindset than what you normally may have. You have to learn to question everything, and, when you see a
piece of information, learn to think of it as a social engineer would. The way you ask questions of the
web or other sources must change. The way you view the answers that come back must also change.
Overhearing a conversation, reading what seems like a meaningless forum post, seeing a bag of trash—
you should assimilate this information in a different way than you did before. My mentor Mati gets excited
when he sees a program crash. Why? Because he is a penetration tester and exploit writer. A crash is the
first step to finding a vulnerability in software, so instead of being irritated at losing data he gets excited at
the crash. A social engineer must approach information in much the same way. When finding a target that
utilizes many different social media sites, look for the links between them and the information that can
create a whole profile.
As an example, one time I rented a car to drive a few states away for business. My companion and I
loaded all of our luggage in the trunk; as we were entering the car we noticed a small bag of trash in the
back seat. The other person said something like, “Service today just stinks. You figure for what you pay
they would at least clean out the car.”
True, you would expect that, but I stopped that bag from just being chucked into the nearest can, and
I said, “Let me just look at that really quick.” As I opened the bag and pushed aside the Taco Bell
wrappers, what was lying in plain sight was a shock to me—half of a ripped-up check. I quickly dumped
out the bag and found a bank receipt and the other half of the check. The check was written out for a
couple thousand dollars, then just ripped up—not into tiny little pieces, but just into four large chunks,
then thrown into a small bag with a Taco Bell wrapper. Taping it back together revealed this person’s
name, company name, address, phone number, bank account number, and bank routing number.
Together with the bank receipt I now had the balance of his account. Thankfully for him I am not a
malicious person because only a couple more steps are needed to commit identity theft.
This story personifies how people view their valuable information. This guy rented the car before me
and then because he threw the check away he felt it was gone, disposed of safely. Or so he thought; but
this is not an isolated case. At this URL you can find a recent story about very valuable things people just
threw away or sold for next to nothing at a garage sale:
www.social-engineer.org/wiki/archives/BlogPosts/LookWhatIFound.html.
Things like:

Currently have 0 Comments:


Leave a Reply