[Full-disclosure] Social Engineering: You Have Been A Victim
bkfsec at sdf.lonestar.org
Fri Mar 18 22:25:10 GMT 2005
Jay D. Dyson wrote:
> It's not just government workers. It's any human being who's
> been raised to be social.
> According to Judeo-Christian theology, humanity gained knowledge
> of Good & Evil in the Garden of Eden. Unfortunately, the ability to
> differentiate between the two was not part of the package deal. This,
> coupled with the demands of a "polite society," is why social
> engineering can strike anyone, anywhere...regardless of their vocation
> in the public or private sector.
Except, of course, that the book of Genesis is really a tome of myths
and the so-called "Garden of Eden" doesn't really have an effect on
What you're referring to are social norms of politeness that affect
society, and they are passed down via social means. Though they have an
impact on people's rejection of those who are out to harm them, they
don't explain all of the occurances.
There's a BIG difference, for instance, between being helpful and giving
someone the keys to your house so that they can rob you.
> It is considered socially unacceptable to be unhelpful to others,
> even strangers over the phone. Hell, some people can't even tell
> telemarketers to buzz off so they have to buy an electronic device to
> do it for them.
> This is why social engineering works so well...and why folks like
> ourselves are considered "paranoid" and "anti-social" when we start
> pulling IDs and taking names.
ID'ing people and giving out your password or sensitive information are
NOT analogous events.
The helpfulness argument has some traction on information that is not
obviously compromising to the person providing it. However, even in
that case it has a LOT more to do with the confusion factor than
The average person is easily confused about technology and, as such,
their perspective will always be that if a tech calls them up and says
there's a problem or some information they need, they're going to
provide that information because they simply don't know any better. As
far as they know, there's a problem that needs to be solved and that's
what needs to happen to fix it.
It has more to do with trust and a lack of education/understanding than
it ever will with polite society being based on a mythical story about
the inability of mankind to differentiate between good and evil.
There's something to what you're saying, but it just is not the whole
story. In order to get the compromising information, the social
engineer has to pass from A -> B -> C. Politeness gets them to B. A
lack of information and understanding on the part of the end user is
what gets the social engineer to C.
Full-Disclosure is hosted and sponsored by Secunia.