RE: Social Engineering ... ?

From: mthompson (mthompson_at_brinkster.com)
Date: 11/23/04

    Date: Tue, 23 Nov 2004 10:58:37 -0500
    To: <pen-test@securityfocus.com>
    
    
    

    Hello group,

    The best way to do it is to contact your local con artist and ask them
    questions. Social Engineering is like playing a musical instrument. You have
    to know what strings to pluck in order to hear good sounding music. Yes, you
    can dumpster dive and things of that nature, but the real essence of social
    engineering is how good of an actor you are. If you were a kid who used to
    make prank calls and within the first 20 seconds started laughing, then
    that is going to be your weakness when you call a help desk. Because of the
    word social it brings a whole new element to the game versus the latter half
    Engineering which we are all comfortable with. You cannot engineer a person
    into giving up info but you can be social you can.

    Mike
    -----Original Message-----
    From: Marco Ivaldi [mailto:raptor@0xdeadbeef.info]
    Sent: Tuesday, November 23, 2004 3:12 AM
    To: pen-test@securityfocus.com
    Subject: Re: Social Engineering ... ?

    > I am trying to find some good resources for social engineering
    > methodologies and such performed as part of pen-test work.

    OSSTMM's Section B (Process Security) is a good start, though the version
    currently on-line needs to be expanded a bit:

    http://www.osstmm.org/

    A very interesting source of social engineering examples is the book "The
    Art of Deception: Controlling the Human Element of Security", by Kevin
    Mitnick, William Simon, and Steve Wozniak.

    SecurityFocus and PacketStorm also host some articles on this subject:

    http://www.securityfocus.com/infocus/1527
    http://www.securityfocus.com/infocus/1533
    http://www.securityfocus.com/guest/5044
    http://packetstormsecurity.nl/docs/social-engineering/

    Finally, for Italian speakers:

    http://blackhats.it/en/papers/social_engineering.pdf

    Hope it helps. Cheers,

    -- 
    Marco Ivaldi
    Antifork Research, Inc.   http://0xdeadbeef.info/
    3B05 C9C5 A2DE C3D7 4233  0394 EF85 2008 DBFD B707