How to think like an online con artist

An enterprise is only as secure as the weakest human link. Here's how to use social engineering to test security defenses

Con job, pretexting, social engineering – the art and science of manipulating human beings for nefarious ends – goes back as far as the origin of the species. The techniques have been practiced and perfected by a rogue's gallery of flimflam artists, from legendary carnival operator P. T. Barnum to infamous FBI mole Robert Hanssen.

[ For  more of Andrew Brandt’s wisdom, see: Stupid hacker tricks ]

But in our modern, security-centric world, this ancient craft poses an ever-present danger: Despite technological advances that present an illusion of security, we are as vulnerable as ever to the con.

IT security pros frequently employ social engineering when analyzing a company's overall security strategy. After all, even a completely locked-down computer network won't protect your company's secrets if someone can "tailgate" a group of employees through the front door, plug a remote-access device into an open network port, and walk out again. And the sad fact is, even a social engineering amateur can be successful. People are gullible, and without a real-world test, you'll never know how vulnerable your company really is.

With that in mind, we spoke to security experts in the field who perform these kinds of physical penetration tests on a regular basis to learn the tricks they use to bypass security. Armed with this knowledge, you stand a better chance at preventing a real attacker from stealing the recipe to your company's secret sauce.

Do: Research your target before you make contact

If you're going to do a realistic test, you need to do your homework. Going to school on a target – whether a person or a company – is a fundamental first step to any social engineering project. Why go to the trouble to sneak into a building if, once inside, you find that the info you're looking for resides elsewhere?

"What you've got to do is learn [as much as you can] about the target itself, and what information is valuable to the target," says Ira Winkler. And Winkler should know: Author of "Spies Among Us: How to Stop the Spies, Terrorists, Hackers, and Criminals You Don't Even Know You Encounter Every Day" and "Zen and the Art of Information Security," Winkler is among the foremost experts in the art and science of social engineering.

Winkler makes a crucial point, because even white hat social engineers can get into trouble. One penetration tester interviewed for this story, who asked that his name not be used, admitted that a lack of preparation early in his career nearly got him arrested.

The task, commissioned by a U.S.-based firm to get inside its London office, seemed simple enough, but he had no idea that the same building that housed the company that hired him also housed Britain's domestic intelligence agency, MI5.

"They had spotted me when I was still a block away, followed me [using CCTV cameras], and picked me up just before I was able to approach a female employee and ask her to let me into the building," he said.

In other words, a successful social engineering hack is no snatch-and-grab job. It requires real diligence. "If you're going to be doing this work, you have to have a detailed plan," Winkler says. "The less training you have, the more detailed the plan you have to follow."

Do: Play on common interests when conversing with your target

Spies don't just walk up to random people on the street and ask them to divulge their country's secrets. They take weeks, months, or even years to develop a rapport with a target, gradually asking them to release increasingly more sensitive information. Security experts call this process "elevating the situation."

But when it comes to social engineering, time is generally of the essence. Nobody can strike up a deep, confiding friendship in the course of one conversation or phone call. And here is where context and intuition come in.

From the beginning of your white hat social engineering hack, pay close attention to your target, assimilating as much as you can about him or her as quickly as possible. A keen sense of observation and a knack for profiling can help tip you off to topics of conversation that will resonate with your dupe. Last weekend's game, raising children, something else likely to be of interest to the victim … whatever it takes to convince the target that you share a common experience or outlook.

Proving you are a member of the same "tribe" is essential to earning trust quickly and ensuring you are more deserving of assistance than some stranger off the street.

Do: Exploit human nature

Human beings – social creatures that we are – are taught from a very early age that helping others is a worthwhile practice, especially those with whom we most identify. For the social engineer, nothing helps a black-bag job go more smoothly than the victim's innate desire to be helpful.

In your role as sham bad guy, remember that an effective social engineer doesn't just get what he or she wants without arousing suspicion. The other objective is to make victims feel good about themselves, even as they hand over the crown jewels.

And when it comes to penetrating the workplace, playing off employee's inclination to be useful is a worthwhile strategy. After all, bosses do it all the time.

People want to feel like they are fulfilling their job duties effectively, says Dan Kaminsky, director of penetration testing at security firm IOActive. A good con artist feeds this sense of accomplishment back to the victim so that the victim is left off guard, unaware that he or she has compromised company security in exchange for feeling some momentary sense of satisfaction at having done a good job.

Do: Assume the target is at least as smart as you are

If you're going to play social engineer, remember that underestimating the intelligence of your target can get you in trouble fast. Although in many cases, a social engineer can call a help desk, pretend to be a hapless user, and get a password over the telephone, you can't always assume that will be the case.

Depending on the organization, you might be asked for a code word or an employee ID number. Flying by the seat of your pants in hopes of outwitting someone who "just answers the phones" is no way to approach such situations. The best way to get what you want is to bring as much knowledge to the table as possible – and to be aware that the person you're social engineering probably has experience parrying many of the usual tricks in the book.

This is where your advance research comes in handy: If you know the organization requires additional proof that you are who you say you are, you can recon the kinds of countermeasures in place. Then you can formulate a way to finagle that information so that you can proceed to the next step.

Of course, that said, if you're testing a company's security arrangements, it's often a good idea to probe that all-too-often weakest link. "Any idiot can call up an IT desk and get them to reset a password," laments Winkler. "Sadly, most of the time, it'll work."

And it's not always a lack of intelligence that proves to be the soft spot. Laziness, complacency, or disgruntlement may play a part, too. And of course, without training or testing, a social engineering attack may well be the furthest thing from an employee's mind. That's where you come in.

Do: Use the pretext that best suits the situation

To run a successful social engineering test, you need to perform a fast, on-the-fly analysis of the situation and respond accordingly.

The best and most experienced social engineers have a repertoire of well-rehearsed fictions from which to draw what they need when they need it. The ability to quickly identify a victim's personality type is also essential to choosing the best pretext for the job.

Over time, and with experience, accomplished social engineers can make such a determination within seconds. Sometimes, the situation may require you to make friends with and chat up an administrative assistant or receptionist. Other times, vinegar might get the job done better than honey: Winkler once managed to convince an IT worker to overnight him a laptop capable of connecting to a company's network simply by posing, over the telephone, as an angry executive on a business trip whose laptop had died.

In another example, Winkler explains, "I went into an organization and wanted to plant taps inside the network routers in this facility. I found this guy who had keys to the rooms," and pretended to be a corporate bigwig making an unannounced visit from the home office.

Winkler asked the IT guy for a tour, and as he showed Winkler each of the networking cabinets, Winkler managed to install the snooping hardware inside each. But then, suddenly, he thought he'd been made.

"This guy from security called, and asked the IT guy who I was," Winkler says. "He said I was this guy from corporate headquarters. The security guy comes over and asks, 'How come I wasn't informed that you were coming?' He didn't know me, didn't check that I was a real employee, and was more concerned with the internal politics of his company and those communication issues than the security issue of a random guy walking in off the street and getting a tour inside their facility."

Do: Anticipate how to react if caught, and prepare an exit strategy

If you test security defenses using social engineering long enough, without fail, you will at some point arouse suspicion and perhaps even get nabbed. To make sure you come away unscathed so that you can test again another day, consider in advance all the possible circumstances in which you might get caught and give thought to how you should respond.

The one universal is to never reveal your true motives or actions. For example, if you're pretending to be a contractor, you could feign ignorance of internal procedures, but you should do so without breaking character.

"If you've got to disengage [from a social engineering attempt] as someone would who is legitimate, you don't stop the act," Kaminsky says.

It's also essential to be aware of local laws so that you'll know what you're up against when performing a pretexting test. If you don't know the law, you could put yourself in a surprising degree of jeopardy. "In California, for example, you could be guilty of felony identity theft even if you have permission from the organization [to take credentials under false pretenses]," Winkler says.

Don't: Arouse suspicion by moving too quickly

Gaining the confidence of the target is an essential skill, but zeroing in too fast in your social engineering test can set off alarms in the target's head.

Because of this, it is essential to keep a cool head and pace yourself. After all, many of those whose identity you might assume to pull off your job – a contractor, a hapless corporate user, or a disgruntled employee – don't necessarily go about their own work quickly.

Think of the process as being more like a dance than a race, says Kaminsky – one in which you're leading the victim, guiding his or her path, but avoiding a sudden shove in a particular direction. "Everyone has to perceive that you're doing what you're supposed to be doing," he says.

Don't: Put on an act that's too perfect

Somewhere between truly honest behavior and the artifice of a ruse, people may begin to intuit that something isn't right.

Academics who study human perception have a name for the point at which the mind begins to pay more attention to, for example, the slightly unnatural motion in a computer-generated animation than to the rich, lifelike detail it presents: They call it the Uncanny Valley.

Social engineering experts also refer to the Uncanny Valley – it's the moment in a social engineering attempt when everything looks and works just a bit too perfectly and therefore arouses the target's suspicion.

The solution, of course, is simple: Be imperfect. Don't be too polished or quick to answer questions as you perform your social engineering test. Remember, you're trying to convince your target that you're just another working Joe or Jane.

Don't: Panic if you think the jig is up

If you start to get the feeling that you've aroused suspicions, stay calm. It's natural for people to lapse into leeriness from time to time when dealing with people they don't know particularly well. And besides, you have a leg up on the real bad guys, since the only bad consequences for you will be a failed test.

The most important thing to remember when you feel your blood rising is that fleeing from a target works only in the opening sequence of a James Bond movie. In real life, a look of panic or a sudden departure almost always raises a red flag and should be avoided at all costs.

Rest assured that there are many ways to get out of a situation quickly without giving yourself away. It could be as simple as making up a plausible excuse to get off the phone or to just calmly walk away from an irksome employee. Subdue the natural tendency to panic, and easy exits will present themselves clearly. Then you can wait a while, come back, and test from another angle.

Don't: Let the other person think about their actions too much

1 2 Page 1