People spend a fortune on technological
solutions, and then get compromised by good
old-fashioned con jobs, said Riley, senior
security strategist in the Trustworthy
Why? Because every computer system and
network relies to some extent on human
beings, and since it’s becoming increasingly
difficult to hack computer networks thanks to
improved technology, he proposed, “Why not
hack the network administrators instead?”
Interesting idea. And just how do you hack
It’s actually rather easy, according to Riley.
In a security survey, 67 percent of people happily gave their passwords to “researchers” in
exchange for a chocolate bar!
That sounds a little far-fetched, even to a
dyed-in-the-wool chocoholic like me, but it’s
true. People, on the whole, are entirely too
trusting and prone to manipulation by social
Social engineering is the art and science of
getting people to comply with your wishes.
It’s not some kind of mind control or voodoo;
it’s the clever use of psychology to use peoples’ more benevolent instincts against them
to defeat even the most powerful technological defenses.
It’s also the highest form of hacking, and
can yield huge rewards.
One would think that an experienced
administrator should be immune to con agents,
but Riley described a series of techniques
designed to disarm even the most cynical.
Diffusion of responsibility. The attacker
tries to convince the victim that an improper
action is somehow supported by higher-ups,
and thus he or she is not solely responsible for
that action. Five-year-olds are adept at this
ploy (“Mom said it’s OK…), but adults fall
for it too.
Chance of ingratiation. The victim receives
hints that compliance with the request will
generate some sort of personal benefit—
brownie points with the boss, or competitive
advantage, or perhaps even the privilege of
assisting a sultry-sounding woman over the
Trust relationships. Building trust through a
series of small, innocuous (but positive) interactions makes it more likely that the victim
will assist the attacker during the crucial hack.
Moral duty. The goal here is to convince
the victim that there is a wrong that will be
righted by compliance. It requires research on
the part of the attacker, to come up with
plausible arguments, and to persuade the victim that detection is unlikely.
Guilt. There’s nothing like a little guilt to
get people to do something—just ask any
mother. Good social engineers are experts at
creating situations where compliance with
their requests will prevent or alleviate guilty
Identification. Building a connection with
the potential victim makes it much easier to
get information—people are more likely to
share with a buddy than with a stranger. A
sociable chat and a little information-gather-ing about the target can go a long way
towards a successful exploit.
Desire to be helpful. Ask, and you will
often receive. Ask someone to hold a door to
a secure area open because you have your
arms full, ask them to help in logging on to
an account, and they’ll often become unwitting accomplices in an exploit. Social engineers know that most people have poor
Cooperation. Barking orders like a Marine
sergeant is usually not part of the social engineer’s repertoire—typically the attitude is of
reason, logic, and patience. Annoying the target is usually a poor way to get information
(although sometimes it works very well). Get
someone difficult to blow their stack in a
directed way and they’ll spit out all kinds of
As if those techniques aren’t enough, the
cunning social engineer knows triggers that