Mike's random thoughts and ramblings

Social Engineering "at its finest"?

I posted a couple of days ago about how very few in information security know what really good social engineering looks like. Leave it to the inimitable Mr. Schneier to help me make the point with this post that he ends with:

"Social engineering at its finest."

Okay, so let me get this straight. A guy in the right uniform walks into the bank and says: "I'm here for the regular guy".

This takes skill?

To me, this is very much the equivalent of saying that website defacements of IIS in 2001 using RFP's MSADC script was "hacking at its finest". Seriously, just because the guy got a uniform and a badge doesn't make him anything more than a script kiddie in the realm of pulling off the attack.

This is the kind of attack that Mitnick talks about all the time when he says that social engineering usually doesn't take much more than the guts to ask for what you want.

Let's consider a better example of what really skilled social engineers look like: this story where two guys robbed a store by talking to the clerk. If you read the article, you'll get a pretty good idea of what the attackers did. It's the ultimate example of a "compliance set" (or "yes set" for those hypnotists out there), and it required some knowledge of the target's adherence to his culture and the cultural cues that would set the appropriate context for the exploitation.

Really, I want to say that I expected better of Bruce, but that wouldn't be fair. As I said before, our community as a whole has yet to take notice of what really good social engineering is.

In my writing and this blog (which I've promised Hoff and Martin that I'll continue), I'll probably be talking about this a lot as I do more writing on the book and in other venues.

About the author

Michael Murray