Friday, September 12, 2008

Mike Murray on Human Exploitation 101

http://www.ethicalhacker.net/content/view/209/1/

From the article:

"This is going to be all about dealing face-to-face (or voice-to-voice or text-to-text) with real live people and exploiting the natural tendency to trust.

Of course, this skill underpins everything else that we do when on a social-engineering engagement - in order to impersonate a UPS guy, talk someone out of their password, write a great targeted phishing email, or know exactly where to drop the USB keys - you have to have great skills at exploiting the natural tendencies of humans.

This means a deep understanding of the three fundamental skills (that I have mentioned often in introductory talks and articles on this topic) - the ability to communicate, the ability to be aware of your surroundings, and your ability to control the context (or "cognitive frame") of your interaction."


Human 0days are promised in the future!

1 comment:

mlab said...

There is a good book that is related to this subject. "Habit: the 95% of Behavior Marketing Ignores" by Neale Martin. While it is written for marketing, it is enlightening when read from a security point of view.

People are creatures of habit. "The habitual mind learns through cause and effect, reward and repetition." The book talks about one of the reasons MS become so successful. People used it at home, then expected to use it at work. Applications were integrated and worked alike, so learning a new program was easy, it became a habit.

This leads into something most of us deal with everyday. Security is hard, painful, so no one does it willing. People don't do security at home, develop destructive internet habits, and bring those habits to work.

The key to social engineering is to identify those destructive habits and use them to your advantage.

The book goes into behavior training, a subject that can be used to give insight into social engineering. It recommends treating people like dogs when it comes to behavior training. This is the same recommendation that was mentioned in the book "The Game" by Neil Strauss.