Thursday 1 December 2011

Overcoming Social Engineering Drawbacks

May Have Been Warned About Security Leaks or May Know About SE Tactics

Trying to social engineer someone who knows about social engineering, especially hip programmers and other hackers, won't get you anywhere. Even if the other party doesn't know about "SEing" per se, he or she may take "Don't reveal the password" warnings seriously enough to see through your bull. Social engineering is based on the premise that the person you contact is naive. You can't always guarantee that will happen.

In RSE, the legitimate user is calling you for advice. Consequently he or she believes you are trustworthy, a member of the company or approved by the company, and one who already knows passwords and protocols anyway. There is no reason not to divulge this kind of data to you. In fact, it won't even be thought of as "divulging" since the person you speak with will just matter-of-factly spill his or her guts to you without hesitation.

It should be noted that reverse social engineering is not social engineering. It takes a backwards approach to the problem of getting users to talk, and so it won't be recognized by a person familiar with conventional hacker tricks. Furthermore, even if the person is so sophisticated as to understand RSE, that person will probably be so wrapped up in his or her own problem that he or she won't notice what's going on. He or she needs your help to correct the problem; he or she realizes that if he or she doesn't cooperate, you won't be able to assist.