Fraud, lying, social engineering, the art and science of manipulating human beings for nefarious ends, goes back as far as the origin of the species. The techniques have been practised and perfected by a rogue's gallery of flimflam artists, from legendary carnival operator P. T. Barnum to infamous FBI mole Robert Hanssen.
But in our modern, security-centric world, this ancient craft poses an ever-present danger. Despite technological advances that present an illusion of security, we are as vulnerable as ever to the con.
IT security professionals frequently employ social engineering when analysing a company's overall security strategy. After all, even a completely locked-down computer network will not protect your company's secrets if someone can "tailgate" a group of employees through the front door, plug a remote-access device into an open network port, and walk out again. The sad fact is, even a social engineering amateur can be successful. People are gullible, and without a real-world test, you will never know how vulnerable your company really is.
With that in mind, we spoke to security experts in the field who perform these kinds of physical penetration tests on a regular basis to learn the tricks they use to bypass security. Armed with this knowledge, you stand a better chance at preventing a real attacker from stealing the recipe to your company's secret sauce.
Do: Research your target before you make contact
If you are going to do a realistic test, you need to do your homework. Selecting a target, whether a person or a company, is a fundamental first step to any test. Why go to the trouble to sneak into a building if, once inside, you find that the info you are looking for resides elsewhere?
"What you've got to do is learn about the target itself, and what information is valuable to the target," says Ira Winkler, author of Spies Among Us: How to Stop the Spies, Terrorists, Hackers, and Criminals You Don't Even Know You Encounter Every Day and Zen and the Art of Information Security, Winkler is among the foremost experts in the art and science of social engineering.
Winkler makes a crucial point, because even white hat social engineers can get into trouble. One penetration tester interviewed for this story, who asked that his name not be used, admitted that a lack of preparation early in his career nearly got him arrested.
The task, commissioned by a US based firm, to get inside its London office, seemed simple enough, but he had no idea that the same building housed the company that hired him also housed Britain's domestic intelligence agency, MI5.
"They had spotted me when I was still a block away, followed me [using CCTV cameras], and picked me up just before I was able to approach a female employee and ask her to let me into the building," he said.
In other words, a successful social engineering hack is no snatch-and-grab job. It requires real diligence. "If you're going to be doing this work, you have to have a detailed plan," Winkler says. "The less training you have, the more detailed the plan you have to follow."
Do: Play on common interests when conversing with your target
Spies do not just walk up to random people on the street and ask them to divulge their country's secrets. They take weeks, months, or even years to develop a rapport with a target, gradually asking them to release increasingly more sensitive information. Security experts call this process "elevating the situation."
But when it comes to social engineering, time is generally of the essence. Nobody can strike up a deep, confiding friendship in the course of one conversation or phone call. And here is where context and intuition come in.
From the beginning of your white hat social engineering hack, pay close attention to your target, assimilating as much as you can about him or her as quickly as possible. A keen sense of observation and a knack for profiling can help tip you off to topics of conversation that will resonate with your dupe.
Proving you are a member of the same "tribe" is essential to earning trust quickly and ensuring you are more deserving of assistance than some stranger off the street.
Do: Exploit human nature
Human beings, social creatures that we are, are taught from a very early age that helping others is a worthwhile practice, especially those with whom we most identify. For the con artist, nothing helps a black-bag job go more smoothly than the victim's innate desire to be helpful.
In your role as sham bad guy, remember that an effective fraudster does not just get what he or she wants without arousing suspicion. The other objective is to make victims feel good about themselves, even as they hand over the crown jewels.
And when it comes to penetrating the workplace, playing off employee's inclination to be useful is a worthwhile strategy. After all, bosses do it all the time.
People want to feel like they are fulfilling their job duties effectively, says Dan Kaminsky, director of penetration testing at security firm IOActive. A good con artist feeds this sense of accomplishment back to the victim so that the victim is left off guard, unaware that he or she has compromised company security in exchange for feeling some momentary sense of satisfaction at having done a good job.
Do: Assume the target is at least as smart as you are
If you are going to play a conman, remember that underestimating the intelligence of your target can get you in trouble fast. Although in many cases, a social engineer can call a help desk, pretend to be a hapless user, and get a password over the telephone, you cannot always assume that will be the case.
Depending on the organisation, you might be asked for a code word or an employee ID number. Flying by the seat of your pants in hopes of outwitting someone who "just answers the phones" is no way to approach such situations. The best way to get what you want is to bring as much knowledge to the table as possible and to be aware that the person you are social engineering probably has experience parrying many of the usual tricks in the book.
This is where your advance research comes in handy: If you know the organisation requires additional proof that you are who you say you are, you can recon the kinds of countermeasures in place. Then you can formulate a way to finagle that information so that you can proceed to the next step.
Of course, that said, if you are testing a company's security arrangements, it is often a good idea to probe that all-too-often weakest link. "Any idiot can call up an IT desk and get them to reset a password," laments Winkler. "Sadly, most of the time, it'll work."
And it is not always a lack of intelligence that proves to be the soft spot. Laziness, complacency, or disgruntlement may play a part, too. Of course, without training or testing, a social engineering attack may well be the furthest thing from an employee's mind. That is where you come in.
Do: Use the pretext that best suits the situation
To run a successful social engineering test, you need to perform a fast analysis of the situation and respond accordingly.
The best and most experienced social engineers have a repertoire of well-rehearsed fictions from which to draw what they need when they need it. The ability to quickly identify a victim's personality type is essential to choosing the best pretext for the job.
Over time, and with experience, accomplished social engineers can make such a determination within seconds. Sometimes, the situation may require you to make friends with and chat up an administrative assistant or receptionist. Other times, vinegar might get the job done better than honey: Winkler once managed to convince an IT worker to overnight him a laptop capable of connecting to a company's network simply by posing, over the telephone, as an angry executive on a business trip whose laptop had died.
In another example, Winkler explains, "I went into an organisation and wanted to plant taps inside the network routers in this facility. I found this guy who had keys to the rooms," and pretended to be a corporate bigwig making an unannounced visit from the home office.
Winkler asked the IT guy for a tour, and as he showed Winkler each of the networking cabinets, Winkler managed to install the snooping hardware inside each. But then, suddenly, he thought he had been made.
"This guy from security called, and asked the IT guy who I was," Winkler says. "He said I was this guy from corporate headquarters. The security guy comes over and asks, 'How come I wasn't informed that you were coming?' He did not know me, did not check that I was a real employee, and was more concerned with the internal politics of his company and those communication issues than the security issue of a random guy walking in off the street and getting a tour inside their facility."
Do: Anticipate how to react if caught, and prepare an exit strategy
If you test security defences using social engineering long enough, without fail, you will at some point arouse suspicion and perhaps even get nabbed. To make sure you come away unscathed so that you can test again another day, consider in advance all the possible circumstances in which you might get caught and give thought to how you should respond.
The one universal rule is to never reveal your true motives or actions. For example, if you are pretending to be a contractor, you could feign ignorance of internal procedures, but you should do so without breaking character.
"If you've got to disengage [from a social engineering attempt] as someone would who is legitimate, you don't stop the act," Kaminsky says.
It is also essential to be aware of local laws so that you will know what you are up against when performing a test. If you do not know the law, you could put yourself in a surprising degree of jeopardy. "In California, for example, you could be guilty of felony identity theft even if you have permission from the organisation [to take credentials under false pretenses]," Winkler says.