Advanced Social Engineering

I was at lunch when a fascinating discussion broke out on Twitter between Alex Hutton (aka @alexhutton) and Jennifer Leggio (aka @mediaphyter) (the brains and driving force behind this year's blogger meetup at RSA and, I've learned, quite an intelligent security mind... but she really does need a blog) about "Advanced Social Engineering". The important part of the conversation for the purposes of this blog:

mediaphyter: "Advanced social engineering" -- I am starting to think we use that term way too loosely.

mmurray @mediaphyter Most have no idea what advanced social engineering looks like. They can't yet fathom...

alexhutton @mmurray: Most parents know exactly what advanced social engineering looks like - they just don't think adults do it too

Alex went on to say that "advanced social engineering" is what kids do with "Lying, Manipulation, False Pretenses, illicit access or gaining of privileges".

Here's where I disagree. You see, kids don't have to do anything particularly advanced as social engineers because they're trading on relationships. While the parent might FEEL as though they're being social engineered, they're not... the fact that they're feeling it suggests to me that it's not advanced at all.

Using an analogy to hacking: if you notice that you're being attacked, the attacker isn't particularly sophisticated.

This is what I meant when I said that most people don't know what it is... a truly advanced exploit of a human will leave the attacker richer because of the information/access gained, and the target without any knowledge or awareness of it happening.

The best example of this: This Derren Brown video.

I suppose that this is as good a time as any to announce that I'm writing a book on this subject... on truly advanced human exploitation. Not the typical "pretend to be the help desk guy" stuff, but how to really use language, awareness and context to manipulate a situation and get in and out completely undetected.

That's what real "advanced social engineering" looks like. And I stand by my original assertion: very few know what it really looks like yet.

