"The key to social engineering is influencing a person to do something that allows the hacker to gain access to information or your network." Kevin Mitnick
Trust and Lies
Human beings are trusting by design. We want to trust or believe in our surroundings; what we are told, shown, or see with our own eyes should be what it appears to be. Doubt and skepticism just don't seem like things we should need to bother with. The problem is that we are also excellent liars. We've all lied at some point in our lives, to get a cookie we didn't deserve, to get a promotion that wasn't warranted, or to pass blame and keep ourselves looking clean. We've all done it.
As a trusting species we fear the worst outcome, so we simply assume, without any preconceived prejudice, that what we are told is the truth, even though we know it can't always be the answer we'd rather hear. That is a truly paradoxical and flawed way of functioning as a species: we know we all lie, we know we have lied ourselves, yet we refuse to be skeptical in exactly the situations where we would be better off recognizing a lie for what it is. When we are lied to, more often than not we accept it without considering that it could be anything other than fact. Why can't we question it? Why don't we ask? Why do we take false information at face value and believe it simply because believing is easier?
Real World Scenario
Instead of breaking down what social engineering is and how it works, a real-world scenario is probably the best way to explain it before going into more depth. Recently, the organization I'm presently employed by moved our email to Rackspace, after ditching our in-house Exchange server and a nice Barracuda firewall. After this transition we encountered one small issue: emails started flooding our network with subjects like "Resume", "RE:Resume", or "My Resume". As a tech-savvy individual I look at these, see some random junk I shouldn't be getting, and dig a little further, only to find that the name on the email doesn't match the sender, that there is a zip attachment of maybe 900 bytes, and that the sender address is spoofed.
"I think computer viruses should count as life. I think it says something about human nature that the only form of life we have created so far is purely destructive. We've created life in our own image." Stephen Hawking
Even with some training, these emails still get opened, the same ones, by the same people, over and over and over. It's quite astonishing to watch the plethora of cryptically named files appear in the %appdata% folder, consistently on the same people's machines. They are far too willing to trust what they should not.
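The indicators described in this scenario (a "Resume" subject, a display name that does not match the sender address, a sender domain that differs from the bounce address, and a tiny zip attachment) can be turned into a simple mail-gateway triage check. The following is an added example written for this post, not code from the original article or from Rackspace or Barracuda; the two messages, addresses and names are constructed, and the 2048-byte zip threshold and the "two or more indicators" rule are assumptions a defender would tune for their own environment.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed samples (hypothetical addresses). BAD mirrors the "Resume"
# mails described above; OK is a plausible legitimate application.
BAD = (b'Return-Path: <bounce@mailer-x.test>\r\nFrom: "Jane Doe" <mk8831@freemail.test>\r\n'
       b'Subject: RE:Resume\r\nMIME-Version: 1.0\r\n'
       b'Content-Type: multipart/mixed; boundary="b"\r\n\r\n--b\r\n'
       b'Content-Type: text/plain\r\n\r\nSee attached.\r\n--b\r\n'
       b'Content-Type: application/zip; name="resume.zip"\r\n'
       b'Content-Disposition: attachment; filename="resume.zip"\r\n'
       b'Content-Transfer-Encoding: base64\r\n\r\n'
       b'UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==\r\n--b--\r\n')   # 22-byte payload once decoded
OK = (b'Return-Path: <jane.doe@example.test>\r\nFrom: "Jane Doe" <jane.doe@example.test>\r\n'
      b'Subject: Resume\r\nMIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="b"\r\n\r\n'
      b'--b\r\nContent-Type: text/plain\r\n\r\nResume attached as PDF.\r\n--b\r\n'
      b'Content-Type: application/pdf; name="resume.pdf"\r\n'
      b'Content-Disposition: attachment; filename="resume.pdf"\r\n\r\n%PDF-1.4 ...\r\n--b--\r\n')

def name_matches_address(display: str, addr: str) -> bool:
    """True if some token of the display name appears in the address local part."""
    local = addr.split("@")[0].lower()
    tokens = [t for t in re.split(r"[^a-z]+", display.lower()) if len(t) >= 3]
    return any(t in local for t in tokens) if tokens else True

def suspicious_indicators(raw: bytes, max_zip_bytes: int = 2048) -> list[str]:
    """Return the list of phishing indicators found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip().lower()
    if re.fullmatch(r"(re:\s*|fw:\s*)?(my\s+)?resume", subject):
        hits.append("resume-subject")
    display, addr = parseaddr(str(msg["From"] or ""))
    if display and not name_matches_address(display, addr):
        hits.append("display-name-mismatch")
    rp = parseaddr(str(msg["Return-Path"] or ""))[1]       # bounce address
    if rp and addr and rp.rsplit("@", 1)[-1].lower() != addr.rsplit("@", 1)[-1].lower():
        hits.append("return-path-domain-mismatch")
    for part in msg.iter_attachments():
        fn = (part.get_filename() or "").lower()
        if fn.endswith(".zip") and len(part.get_payload(decode=True) or b"") < max_zip_bytes:
            hits.append("tiny-zip-attachment")
    return hits

def is_suspicious(raw: bytes) -> bool:
    # A single indicator (e.g. a legitimate bulk mailer's Return-Path) is weak on its own;
    # require at least two before quarantining for review.
    return len(suspicious_indicators(raw)) >= 2
```

Return-Path alone is a weak signal because legitimate third-party mailers also use a separate bounce domain, which is why the decision requires two independent indicators.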
Reviewing The Scenario
What can be gathered from the above scenario? Quite obviously, many computer users are ignorant of how computers work and are all too willing to trust, either because they are willfully ignorant or because they are not capable of comprehending the simplicity of the common con artist. The thing is, on multiple occasions the same users fell for the same thing, the malware came from the same source, and their trust and ignorance were exploited using simple social engineering.
Exploiting ignorance or voluntary stupidity only widens the surface area of these social engineering attacks, as people continue to dismiss the obvious in favor of a perceived more blissful existence. In short, the targets either don't know any better or choose not to know, and more often than not it's the latter. Hackers count on that ignorance to carry out their plots and compromise their intended targets.
Stupid? Ignorant? That's RUDE!
What is the difference between stupidity and ignorance? By definition, stupidity means "behavior that shows a lack of good sense or judgment," whereas ignorance is defined as "lack of knowledge or information." You either don't know, or you voluntarily choose not to know even while knowing the consequences. They sound similar, but the key differentiating factor is the "lack of good judgment."
Those who are ignorant don't know any better, and that's fully acceptable; we've all been ignorant at some point in our lives. Even the greatest hacker in the world may have thought they had won a Nintendo 64 the first time they clicked that silly pop-up link. After that first time, once the threat became obvious, they learned and adapted. Those who are voluntarily stupid, on the other hand, don't learn from their mishaps, despite being given the evidence and every tool known to man to correct the problem. Willingly being fooled and bamboozled by the same simplistic virus or scam shows an interest in maintaining a voluntary state of stupidity.
Being ignorant is fine for a short while, but learning from one's mistakes and not falling victim to the same scam is the goal. Be ignorant once, but never be voluntarily stupid.
In Summary
What social engineering really is, is a way of taking advantage of someone's lack of knowledge, or willful ignorance, and exploiting it for the attacker's own personal gain: tricking someone into clicking a link, or manipulating them in such a way that the attacker's beliefs or intentions either hijack the target's own ideas or directly influence their actions.
Learn how not to fall for simple social engineering, and if you're trying to become a hacker, learn how to exploit that. If you have any comments, questions or concerns, let me know in the comment section below. And as always, be safe my fellow goblins.