Ask HN: How can I learn about social engineering exploits?
16 points by lunchbox on Aug 3, 2010 | 5 comments
I recently read The Art of Deception by Kevin Mitnick [1], and watched the BBC show The Real Hustle [2]. As someone who has a natural tendency to trust people, I'm interested in learning more about the underlying principles that social engineers and con artists employ, and seeing well-executed examples, from phishing to guy-on-the-street scams.

Question for security-savvy HN readers: what websites or books on this topic would you recommend? (For example, I like reading the links Schneier [3] occasionally posts about ingenious schemes he comes across.)

In case it's of interest to anyone, I'll post in the comments a compilation of the most frequent tricks & lessons I learned from the full series of The Real Hustle.

[1] http://www.amazon.com/Art-Deception-Controlling-Element-Security/dp/0471237124

[2] http://video.google.com/videoplay?docid=25386750441983070#

[3] http://www.schneier.com/

You may have seen this, but a while back Schneier pointed to a study (pdf) conducted by Frank Stajano [1] and Paul Wilson [2]: http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-754.pdf

The study looks at the recurring behavioural patterns con artists use to exploit victims and concludes that there are seven psychological principles they exploit.

I summarised them here: http://www.lonegunman.co.uk/2009/12/02/seven-psychological-p... They are:

1. The distraction principle: While you are distracted by what retains your interest, hustlers can do anything to you and you won't notice.

2. The social compliance principle: Society trains people not to question authority. Hustlers exploit this "suspension of suspiciousness" to make you do what they want.

3. The herd principle: Even suspicious marks will let their guard down when everyone next to them appears to share the same risks. Safety in numbers? Not if they're all conspiring against you.

4. The dishonesty principle: Anything illegal you do will be used against you by the fraudster, making it harder for you to seek help once you realize you've been had.

5. The deception principle: Things and people are not what they seem. Hustlers know how to manipulate you to make you believe that they are.

6. The need and greed principle: Your needs and desires make you vulnerable. Once hustlers know what you really want, they can easily manipulate you.

7. The time principle: When you are under time pressure to make an important choice, you use a different decision strategy. Hustlers steer you towards a strategy involving less reasoning.

I recommend reading the full study; it's fascinating.

[1] Of the University of Cambridge Computer Laboratory. [2] Writer and producer of The Real Hustle. Was an IT consultant for twelve years before moving into entertainment.

As promised in my post:

Most common tricks used in "The Real Hustle":

1. Fake an appearance of authority (wear a uniform, get a sign, etc.).

2. Get a shill/accomplice.

3. Get people to make exceptions to routine security measures based on extenuating circumstances.

4. Get people distracted or nervous.

5. Use social conditioning to prevent people from speaking out (e.g. taboos against making a scene in public).

6. Appear to concede something of your own (give someone fake collateral).

7. Give the mark a motive to be surreptitious (e.g. get the mark to commit a crime).

8. Make people think there's an information asymmetry to their advantage (e.g. pretend not to know how much euros are worth, thus making the person think they're ripping YOU off).

9. Put the mark under time pressure.

10. Use easily obtainable information for authentication. (e.g. eavesdrop on the person)

11. Do a verification of authenticity, but then cause an interruption that lets you swap back to counterfeit. (e.g. show someone the laptop you're selling them, but at the last moment swap it out of the bag for a block of wood)

12. Cause a plausible emergency situation that voids the usual authentication mechanisms. For example, put an "out of order" sign on a bank deposit box and stand to collect people's money.

13. Fake credible signals. For example, people are willing to believe what they overhear while eavesdropping on you, since they don't realize they've been set up, and therefore don't think you have any reason to be dishonest.

14. To increase trust, give the mark a token sign that you're following security guidelines: "sorry, I'm not allowed to accept money from you. Please call this number instead."

15. Make an offer you know they'll refuse, but that enhances your credibility nonetheless. (e.g. offer to authenticate yourself in a way that would inconvenience them, such as having them call a number and wait on the line.)

16. Stores/restaurants don't let you leave without paying, but they're more comfortable if someone in your party sticks around. Befriend an innocent bystander and make them complicit by giving the business the impression that you know the person.

Protecting against scams:

1. Always keep your valuables in a hard-to-reach location.

2. Require credible authentication! If someone calls, ask for a number to call them back.

3. If you can't get credible authentication, take a picture. Get the conman's identity. They should be happy to give you more info. Or put them in a surprise situation that will throw their scam off guard.

4. For a game or proposition bet: ask "Is there a trick?"

5. If an out-of-the-ordinary event happens and you get your attention drawn to something, keep in mind that it could be a scam.

6. Bargains rarely come looking for you, unless there's a catch.

7. Remember: Situations that look like coincidences are easy for conmen to set up!!!

I just came across a podcast yesterday on this very subject: http://www.social-engineer.org/framework/Podcast

I've only listened to one episode so far (Episode 010 - Social Engineering Past, Present and Future - Released 14 June 2010) but these guys are behind the social engineering contest at defcon that got all that attention (http://news.cnet.com/8301-27080_3-20012290-245.html). Also, they had a lot of veterans who were quick to share battle stories. A very enjoyable listen (plus tons of link suggestions, books, etc).

Art Of Deception was a fun read (along with Intrusion). I found it not to be a guide per se (although it may be billed that way) but the stories are inspiring and really get you into the mindset.

Johnny Long wrote an interesting book called No-tech hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing that might interest you.
