Full Disclosure mailing list archives
Re: Social Engineering: You Have Been A Victim
From: bkfsec <bkfsec () sdf lonestar org>
Date: Fri, 18 Mar 2005 17:25:10 -0500
Jay D. Dyson wrote:
It's not just government workers. It's any human being who's been raised to be social.
According to Judeo-Christian theology, humanity gained knowledge of Good & Evil in the Garden of Eden. Unfortunately, the ability to differentiate between the two was not part of the package deal. This, coupled with the demands of a "polite society," is why social engineering can strike anyone, anywhere...regardless of their vocation in the public or private sector.
Except, of course, that the book of Genesis is really a tome of myths and the so-called "Garden of Eden" doesn't really have an effect on polite society.
What you're referring to are social norms of politeness that affect society, and they are passed down via social means. Though they have an impact on people's rejection of those who are out to harm them, they don't explain all of the occurrences. There's a BIG difference, for instance, between being helpful and giving someone the keys to your house so that they can rob you.
ID'ing people and giving out your password or sensitive information are NOT analogous events.
It is considered socially unacceptable to be unhelpful to others, even strangers over the phone. Hell, some people can't even tell telemarketers to buzz off so they have to buy an electronic device to do it for them.
This is why social engineering works so well...and why folks like ourselves are considered "paranoid" and "anti-social" when we start pulling IDs and taking names.
The helpfulness argument has some traction on information that is not obviously compromising to the person providing it. However, even in that case it has a LOT more to do with the confusion factor than anything else.
The average person is easily confused about technology and, as such, their perspective will always be that if a tech calls them up and says there's a problem or some information they need, they're going to provide that information because they simply don't know any better. As far as they know, there's a problem that needs to be solved and that's what needs to happen to fix it.
It has more to do with trust and a lack of education/understanding than it ever will with polite society being based on a mythical story about the inability of mankind to differentiate between good and evil.
There's something to what you're saying, but it just is not the whole story. In order to get the compromising information, the social engineer has to pass from A -> B -> C. Politeness gets them to B. A lack of information and understanding on the part of the end user is what gets the social engineer to C.
-Barry
