[Full-disclosure] Social Engineering: You Have Been A Victim

bkfsec bkfsec at sdf.lonestar.org
Fri Mar 18 22:25:10 GMT 2005


Jay D. Dyson wrote:

>
>      It's not just government workers.  It's any human being who's 
> been raised to be social.
>
>      According to Judeo-Christian theology, humanity gained knowledge 
> of Good & Evil in the Garden of Eden.  Unfortunately, the ability to 
> differentiate between the two was not part of the package deal.  This, 
> coupled with the demands of a "polite society," is why social 
> engineering can strike anyone, anywhere...regardless of their vocation 
> in the public or private sector.

Except, of course, that the book of Genesis is really a tome of myths 
and the so-called "Garden of Eden" doesn't really have an effect on 
polite society.

What you're referring to are social norms of politeness that affect 
society, and they are passed down via social means.  Though they have an 
impact on people's rejection of those who are out to harm them, they 
don't explain all of the occurrences.

There's a BIG difference, for instance, between being helpful and giving 
someone the keys to your house so that they can rob you.


>
>      It is considered socially unacceptable to be unhelpful to others, 
> even strangers over the phone.  Hell, some people can't even tell 
> telemarketers to buzz off so they have to buy an electronic device to 
> do it for them.
>
>      This is why social engineering works so well...and why folks like 
> ourselves are considered "paranoid" and "anti-social" when we start 
> pulling IDs and taking names.
>
ID'ing people and giving out your password or sensitive information are 
NOT analogous events.

The helpfulness argument has some traction on information that is not 
obviously compromising to the person providing it.  However, even in 
that case it has a LOT more to do with the confusion factor than 
anything else.

The average person is easily confused about technology and, as such, 
their perspective will always be that if a tech calls them up and says 
there's a problem or some information they need, they're going to 
provide that information because they simply don't know any better.  As 
far as they know, there's a problem that needs to be solved and that's 
what needs to happen to fix it.

It has more to do with trust and a lack of education/understanding than 
it ever will with polite society being based on a mythical story about 
the inability of mankind to differentiate between good and evil.

There's something to what you're saying, but it just is not the whole 
story.  In order to get the compromising information, the social 
engineer has to pass from A -> B -> C.  Politeness gets them to B.  A 
lack of information and understanding on the part of the end user is 
what gets the social engineer to C.

             -Barry

Full-Disclosure is hosted and sponsored by Secunia.