Thursday 1 December 2011

Reverse Social Engineering

Reverse social engineering, or simply reverse engineering (or the simpler RSE or simplest RE), is a sometimes risky endeavor that varies in its effectiveness and in its applicability. However, results from RSE are so strong - and often so humorous - that RSE provides a flashy alternative to other methods of breaching system security.
You see, even though social engineering is an accepted and revered method of finding out what you shouldn't know, it has its faults. No system is perfect, and clearly the list of flaws from the previous chapter shows that there are deficiencies in the usefulness of social engineering.

In many respects RSE is better than SE. However, reverse SE can only be used in specific situations and after much preparation and research. In addition, the best reverse engineering can only be done by more sophisticated (and mobile) hackers.

Don't expect this technique to be your bread and butter as you are first introduced to the world of computer-criminal culture. Reverse social engineering in its most consummate forms takes information you don't yet have, and skills you may not have acquired. Here is a comparison chart that shows some of the pros and cons of each form.

SOCIAL: You place call, are dependent upon them.
REVERSE: They place call, are dependent upon you.

SOCIAL: You feel indebted to them, or they believe and act as if you should be.
REVERSE: They appreciate your help and concern, will oblige you in the future if ever you need assistance.

SOCIAL: You need help from them.
REVERSE: They need help from you.

SOCIAL: Questions often remain unresolved to the victim.
REVERSE: All problems are corrected; no suspicious loose ends.

SOCIAL: You have less control.
REVERSE: You retain complete control of the direction and subject of conversation.

SOCIAL: Little or no preparation required.
REVERSE: Lots of pre-planning required; previous access to the site is needed.

SOCIAL: Can work anywhere.
REVERSE: Can only be used under certain circumstances.

Much of social engineering is based on the premise that you, an impostor, pretend to have difficulties and need assistance from another computer operator to solve your problems.

The reverse to this is that a legitimate system user has difficulties, and he or she asks you, the hacker, for assistance. In the process of assisting the user with his or her problem, the hacker is able to (effortlessly) find out account names, passwords - the works.

An RSE attack consists of three parts:
• Sabotage
• Advertising
• Assisting
Sabotage is an initial brief contact with an on-site computer, during which the hacker causes a malfunction of some kind that will need correcting.

Advertising is letting the user know you are available to answer computer-related questions.

Assisting is the conversation in which you solve the user's problem, and the user unknowingly solves yours.

Before I explain how this is accomplished and what good it does, you should understand why it's better to have them call you than the other way around. Let's step through that list of bad stuff about social engineering that was given previously, this time demonstrating how reverse social engineering overcomes all of those problems.