Don't lose it. Subscribe and receive a link to the article in your email.

Since the advent of computers and the beginning of the development of the Internet, programmers have strived with all their might to ensure computer security. But even today no one has managed to achieve this 100%. However, let's imagine that this result was still achieved thanks to powerful cryptography, enhanced security protocols, reliable software and other security elements. As a result, we get an absolutely secure network, and we can safely work in it.

"Wonderful! – you will say, “it’s in the bag!”, but you will be wrong, because this is not enough. Why? Yes, because the benefits of any computer system can only be obtained with the participation of users, i.e. of people. And it is precisely this interaction between a computer and a person that carries a serious danger, and a person often turns out to be the weakest link in the chain of security measures. Moreover, he himself is the reason why security is ineffective.

In the information age, it has become easier to manipulate people, because there is the Internet and mobile communications, which allow you to interact without direct contact. There are even special methods that help attackers “operate” with people the way they want. Their complex is called social engineering, and in this article we will try to find out what it is.

Social engineering: what is it and how did it appear?

It’s easy to guess that even the most sophisticated security system is vulnerable when it is controlled by a person, especially if that person is gullible, naive, etc. And when an attack is made on a machine (PC), the victim can be not only the computer, but also the person who works on it.

This kind of attack is called social engineering in the slang of social hackers. In its traditional form, it looks like a telephone call, where the caller pretends to be someone else, wanting to extract confidential information from the subscriber, most often passwords. But in our article we will consider the phenomenon of social engineering in a broader sense, meaning by it any possible methods of psychological manipulation, such as blackmail, playing on feelings, deception, etc.

In this understanding, social engineering is a method of controlling people's actions without the use of technical means. Most often it is perceived as an illegal method of obtaining various valuable information. It is used mainly on the Internet. If you are interested in examples of social engineering, here is one of the most striking:

EXAMPLE: An attacker wants to find out the password for a person’s personal Internet banking account. He calls the victim by phone and introduces himself as a bank employee, asking for the password, citing serious technical problems in the organization’s system. For greater persuasiveness, he names the fictitious (or the real one found out in advance) name of the employee, his position and powers (if necessary). To make the victim believe, a social hacker can fill his story with believable details and play on the feelings of the victim himself. After the attacker has received the information, he still skillfully says goodbye to his “client”, and then uses the password to enter his personal account and steal funds.

Oddly enough, even in our time there are people who fall for such bait and trustingly tell social hackers everything they need. And in the arsenal of the latter there may be many techniques and techniques. We will also tell you about them, but a little later.

Social engineering is a science (direction) that appeared relatively recently. Its sociological significance lies in the fact that it operates with specific knowledge that guides, systematizes and optimizes the process of creation, modernization and application of new social realities. In a sense, it complements sociological knowledge, transforming scientific knowledge into algorithms of activity and behavior.

People have been using social engineering in some form since ancient times. For example, in Ancient Rome and Ancient Greece specially trained rhetoricians who were able to convince an interlocutor that he was “wrong” were highly respected. These people participated in diplomatic negotiations and solved state problems. Later, social engineering was adopted by intelligence agencies such as the CIA and the KGB, whose agents successfully impersonated anyone and found out state secrets.

By the early 1970s, telephone hooligans began to appear, disturbing the peace of various companies for the sake of a joke. But over time, someone realized that if you use a technical approach, you can quite easily obtain various important information. And by the end of the 70s, former telephone hooligans turned into professional social engineers (they began to be called singers), capable of masterfully manipulating people, determining their complexes and fears by just intonation.

When computers appeared, most singers changed their profile, becoming social hackers. Now the concepts of “social engineering” and “social hackers” are synonymous. And with the powerful development of social engineering, new types began to appear and the arsenal of techniques expanded.

Watch this short video to see how social hackers manipulate people.

Social engineering methods

All real examples of social engineering indicate that it easily adapts to any conditions and to any situation, and victims of social hackers, as a rule, do not even suspect that some kind of technique is being used against them, much less know who does it.

All social engineering methods are based on . This is the so-called cognitive basis, according to which people in a social environment always tend to trust someone. Among the main methods of social engineering are:

"Trojan horse"
Pretexting
"Road Apple"
Phishing
Qui about quo

Let's tell you more about them.

"Trojan horse"

When using a “Trojan horse,” a person’s curiosity and desire to gain benefit are exploited. Social hackers send a letter to the victim’s e-mail containing some interesting attachment, for example, an upgrade for some program, a screen saver with erotic content, exciting news, etc. The method is used to force the user to click on a file that can infect the computer with a virus. Often, as a result, banners appear on the screen, which can be closed only in two ways: by reinstalling the operating system or by paying the attackers a certain amount.

Pretexting

The term “pretexting” means an action that the user performs based on a previously prepared pretext, i.e. script. The goal is for a person to provide specific information or perform a specific action. In most cases, pretexting is used during phone calls, although there are examples of similar attacks on Skype, Viber, ICQ and other instant messengers. But to implement the method, a singer or hacker must not only conduct research on the object in advance - find out his name, date of birth, place of work, amount in the account, etc. With the help of such details, the singer increases the victim's confidence in himself.

"Road Apple"

The road apple method consists of adapting a “Trojan horse” and requires the mandatory use of some kind of physical storage medium. Social hackers can plant bootable flash drives or disks counterfeited as media with interesting and/or unique content. All that is needed is to discreetly place a “road apple” on the victim, for example, in a car in a parking lot, in a bag in an elevator, etc. Or you can simply leave this “fruit” where the victim is likely to see it and take it himself.

Phishing

Phishing is a very common method for obtaining confidential information. In the classic version, this is an “official” email (from a payment service, bank, high-ranking individual, etc.), equipped with signatures and seals. The recipient is required to follow a link to a fake website (there is also everything that speaks of the “officiality and reliability” of the resource) and enter some information, for example, full name, home address, phone number, social network profile addresses, bank number cards (and even CVV code!). Having trusted the site and entered the data, the victim sends it to the scammers, and what happens next is easy to guess.

Qui about quo

The Qui Pro Quo method is used to introduce malware into the systems of various companies. Social hackers call the desired (sometimes any) company, introduce themselves as technical support employees and interview employees for any technical problems in the computer system. If there are malfunctions, the attackers begin to “eliminate” them: they ask the victim to enter a certain command, after which it becomes possible to launch virus software.

The above methods of social engineering are most often encountered in practice, but there are others. In addition, there is also a special type of social engineering, which is also designed to influence a person and his actions, but is done according to a completely different algorithm.

Reverse social engineering

Reverse social engineering and social hackers specializing in it build their activities in three directions:

Situations are created that force people to seek help
Problem-solving services are advertised (this also includes advance assistance from real specialists)
There is “help” and influence

In the case of this type of social engineering, attackers initially study the person or group of people they plan to influence. Their passions, interests, desires and needs are explored, and influence is exerted through them with the help of programs and any other methods of electronic influence. Moreover, programs must first work without failures so as not to cause concern, and only then switch to malicious mode.

Examples of reverse social engineering are also not uncommon, and here is one of them:

Social hackers develop a program for a specific company based on its interests. The program contains a slow-acting virus - after three weeks it is activated, and the system begins to malfunction. Management is contacting the developers to help fix the problem. Being prepared for such a development of events, the attackers send their “specialist” who, while “solving the problem”, gains access to confidential information. The goal has been achieved.

Unlike conventional social engineering, reverse engineering is more labor-intensive, requires special knowledge and skills, and is used to influence a wider audience. But the effect it produces is amazing - sacrifice without resistance, i.e. of his own free will, reveals all his cards to hackers.

Thus, any type of social engineering is almost always used with malicious intent. Some people, of course, talk about its benefits, pointing out that it can be used to solve social problems, maintain social activity, and even adapt social institutions to changing conditions. But despite this, it is most successfully used for:

Deceiving people and obtaining confidential information
Manipulating and blackmailing people
Destabilizing the work of companies for their subsequent destruction
Database theft
Financial fraud
Competitive Intelligence

Naturally, this could not go unnoticed, and methods to counter social engineering appeared.

Protection against social engineering

Today, large companies systematically conduct all kinds of tests for resistance to social engineering. Almost never, the actions of people who come under attack from social hackers are intentional. But that’s what makes them dangerous, because while it’s relatively easy to defend against an external threat, it’s much more difficult to defend against an internal one.

To increase security, company management conducts specialized training, monitors the level of knowledge of its employees, and also initiates internal sabotage itself, which makes it possible to determine the degree of preparedness of people for attacks by social hackers, their reaction, integrity and honesty. Thus, “infected” letters can be sent to E-Mail, contacts can be made on Skype or social networks.

The protection against social engineering itself can be either anthropogenic or technical. In the first case, people's attention is drawn to security issues, the seriousness of this problem is conveyed and measures are taken to instill a security policy, methods and actions that increase the protection of information security are studied and implemented. But all this has one drawback - all these methods are passive, and many people simply ignore the warnings.

As for technical protection, this includes means that impede access to information and its use. Considering that the most “popular” attacks of social hackers on the Internet have become emails and messages, programmers are creating special software that filters all incoming data, and this applies to both private mailboxes and internal mail. Filters analyze the texts of incoming and outgoing messages. But there is a difficulty here - such software loads the servers, which can slow down and disrupt the system. In addition, it is impossible to provide for all variations in the writing of potentially dangerous messages. However, technology is improving.

And if we talk specifically about the means that prevent the use of the obtained data, they are divided into:

Blocking the use of information everywhere except the user’s workplace (authentication data is tied to electronic signatures and serial numbers of PC components, physical and IP addresses)
Blocking the automatic use of information (this includes the familiar Captcha, where the password is a picture or a distorted part of it)

Both of these methods block the possibility of automation and shift the balance between the value of information and the work of obtaining it towards work. Therefore, even with all the data given out by unsuspecting users, social hackers face serious difficulties in putting it to practical use.

And to protect against social engineering, we advise any ordinary person to simply remain vigilant. When you receive a letter by email, be sure to carefully read the text and links, try to understand what is in the letter, who it came from and why. Don't forget to use antivirus software. If unknown people call from an unfamiliar number, never give out your personal information, especially those related to your finances.

By the way, this video, albeit briefly, but interestingly, talks about how to protect yourself from social engineering.

And finally, we want to introduce you to some of the books on social engineering, including as a field of sociological knowledge, so that if you wish, you can get to know the topic in more detail.

These books contain many practical recommendations on how to master common manipulative techniques and techniques. You will also learn about the most effective methods of social engineering and learn how to recognize them and protect yourself from attacks.

Books on social engineering:

Kevin Mitnick "Ghost in the Net"
Kevin Mitnick, William Simon "The Art of Invasion"
Kevin Mitnick, William Simon "The Art of Deception"
Chris Kaspersky "The Secret Weapon of Social Engineering"

Remember that everyone can master the art of managing the actions of others, but these skills must be used for the benefit of people. Sometimes guiding a person and pushing him towards decisions that are beneficial to us is useful and convenient. But it is much more important to be able to identify social hackers and deceivers so as not to become their victim; it is much more important not to be one of them yourself. We wish you wisdom and useful life experience!

December 27, 2009 at 4:38 pm

Social hacking in everyday life (protecting yourself from stupidity)

Information Security

I know that all the many hackers have read the memoirs of daring hackers, which very clearly tell us that the weakest link in the information security chain, as a rule, is not a protocol, program or machine, but Human(administrator, user, or even manager).

I read it too, and even became indignant: “No, how can you tell someone your password over the phone?” But, alas, what is best remembered is the blow of a rake on your own forehead. And so it happened. Over the past couple of months, I have witnessed and even participated in several situations that are embarrassing to talk about, but socially useful.

Careful disposal: do not throw away or lose information

Of course, there are shredders and harvesters for destroying optical and even hard drives. But their place is at the enterprise (where safety instructions must not only be written and signed, but also carefully read and followed by all employees), and at home, as a rule, everything has to be done by hand.

With optical discs, everything is simple: they can be easily scratched by the corner of any USB plug (look for it on a flash drive or any cable, yes). The photo in the teaser illustrates the result of 10 second manipulations. Although the disc is not readable after one deep scratch along the radius(checked on some NEC model seven thousand drive). Stay safe: make a lot of scratches. In the comments they doubt the reliability of this method and recommend breaking the disks or scratching them deeply at both sides(otherwise they will polish it and read it). Well, I propose to proceed from the real value of the information and choose a proportional measure of damage to the media.

For a hard drive, it is not enough to break just the controller, you need to damage the platters, just as it is not enough for a flash drive to break off just the plug (you need to destroy the memory chips). Or, as wisely advises, format the media so that it is impossible to restore anything from there (quick formatting, which clears only the structure, of course, will not work). HDDs and flash drives, of course, are not often thrown away, but the latter are often lost.

The paper (if you are too lazy to tear it) can be filled with water or better with some kind of detergent: even on packs of 20-30 sheets, everything very quickly corrodes and blurs.

Horror story on the topic: I recently threw out a pack of DVDs with website backups from 2008. There were no user passwords in the database dumps (there were hashes with salt), but in the CMS configs there were passwords for accessing the database. Yes, I changed them. Yes, almost all hosters prohibit by default connecting to the database from a remote host. But still.

Social phishing: do not share passwords anonymously or through open channels

If a provider, hoster, payment system or the owners of some web service asks you for a password, then do not believe them, it is not them at all, but attackers.

If someone else needs to have access to your passwords, make them aware of all the potential dangers. Explain in such a way that you are understood (for example, wives are convinced by the danger of wasting the family budget on accounts from the provider).

First horror story: An acquaintance works for a provider in support. He is sometimes too lazy to go into billing, so he asks the client for the password over the phone to check if he entered it correctly. And the provider actively uses the callback service. If you call back in time, the unsuspecting person will dictate his passwords to you. At least a friend was never denied this.

Horror story two: Once, when sending a letter to the hoster, I trusted the auto-complete of the email client. As a result, the letter went to the wrong recipient. I have never changed passwords so quickly before. By the way, now my hoster has also come to his senses: he no longer asks (and probably does not even recommend) to specify a password when contacting, when the letter is sent from the mail authorized in the account.

Banal cryptographic strength: qwerty is not a password

In general, I don’t think that Habr’s audience is so crazy as to set the birth dates of their children with passwords or do something similar. But there are more subtle moments. An example is in a horror story.

In addition, regarding passwords, you should consult the people around you if you are concerned about their privacy (and it may also be yours - for example, some family photos are not intended for public viewing).

Horror story: While the project is being developed there is not much to protect there, right? Therefore, during development, the password is usually set to something like “abcd1234”. So I checked: out of the last 4 projects launched into production, one of us had the default admin password - we never changed it. It’s good that although everyone knows the default password, it is created separately for each project.

Do not write down passwords (at least on pieces of paper that you throw away or store next to your logins)

It’s better to set up authorization using a key wherever possible. And store the private key on a local server (and a copy on a flash drive in a safe). For less work-related purposes, there are password manager programs (the most actively recommended in the comments are RoboForm or the cross-platform KeePas), you should try to remember the master password in your head and not write it down anywhere at all. In the simplest case, save passwords to a text file and encrypt it with a password from your head.

If you save passwords in an email or FTP client, then worry about proper anti-virus protection; any Trojan or backdoor will gladly steal the file with your passwords.

Special advice for those who store their password in the browser (from a commentator): use a master password in those browsers that support it.

In Opera: Tools - Settings - Advanced - Security - Set password.
In FF: Tools - Settings - Security - Use master password.

Do not use the same passwords for different systems and services. Do not store other people's passwords in clear text in your software and services.

First horror story: elderly people or people simply far from IT often scratch their PIN code directly on a plastic card (this is already folklore, but still).

Horror story two: was the case, the Trojan stole the password saved in the FTP client (it seems that it was not the latest Total Commander, but many other clients are no better in this regard) from the administrator from the local computer and stuck frames with the infection on the live sites of partners where potential clients (as a result, visitors either got infected or received screams from the antivirus). By the way, Yandex now marks sites with Trojans in a special way in the search results - moreover, you can kill the Trojan now, but the mark will disappear only after the next re-indexing, for example, a week later.

Others may steal it, you may lose it, or give it away yourself by mistake.

Don't store anything important on your netbook or phone.

On netbooks, set passwords (normal) and encrypt the file system.

On flash drives, store everything (or at least everything important) in encrypted form (for example, in a RAR archive with a normal password).

If you have several identical-looking flash drives, then stick some labels on them so that you don’t suddenly hand over a flash drive with a backup of all your office’s black accounting to the tax office instead of a quarterly report (the tax office will be happy, but the manager is unlikely).

For whom and what is this book about?

The subject of the book is an examination of the basic methods of social engineering - according to many researchers, one of the main tools of hackers of the 21st century. At its core, this is a book about the role of the human factor in information security. Several good books have been published about the human factor in programming, one of them, the book by Larry Constantine, is called “The Human Factor in Programming.” This is perhaps the only book on this topic translated into Russian. Here is what the author writes in the preface to this book: “Good software is created by people. Just like the bad. That is why the main topic of this book is not hardware or software, but the human factor in programming (peopleware). Despite the fact that L. Konstantin’s book is more about psychology than about programming, the first edition of the book was recognized as a classic work in the field of information technology.

Information is also protected by people, and the main carriers of information are also people, with their usual set of complexes, weaknesses and prejudices, which can be played on and played on. This book is dedicated to how they do this and how to protect themselves from it. Historically, hacking using human factors has been called "social engineering", that’s why our book is called “Social Engineering and Social Hackers.”

You can protect yourself from social hackers only by knowing their working methods. Our goal as the authors of the book is to familiarize readers with these methods in order to deprive social hackers of their main trump card: the inexperience of their victims in matters of fraud and methods of covert human control. We also hope that studying the material in the book will be useful for readers not only professionally, but also in life. After all, studying those sections of psychology that we will talk about in this book will allow you to look at the surrounding reality through the eyes of a psychologist. Believe me, this is great pleasure and a great saving of nerves, effort and time.

75% of the company's employees responded to this letter, enclosing their password in the letter. As they say, comments are unnecessary. You don’t need to think that it’s just people who got caught so stupid. Not at all. As we will see later, human actions are also quite well programmed. And the point here is not the mental development of people who fall for such bait. There are simply other people who are very good at programming language for human behavior. Nowadays, interest in social engineering is very high. This can be seen in many ways. For example, a couple of years ago, for the query “social engineering” there were only 2 links in the Google search engine. Now there are hundreds of them... The famous hacker K. Mitnik, who uses social engineering methods for hacking, gives lectures at the Radisson-Slavyanskaya hotel for top managers of large IT companies and specialists from corporate security services... They began to organize conferences on social engineering, in A number of universities are going to introduce lecture courses on this topic...

However, many of the lectures and published articles reviewed by the authors have several serious shortcomings. Firstly, the psychological background of the techniques used is not explained. The authors of the articles simply say: “It’s done this way.” And no one explains why exactly this is so. At best, the phrases are given: “this technique is based on the principles of neurolinguistic programming,” which, however, confuses even more. Sometimes they also say that “in order to avoid becoming a victim of social hackers, you need to develop a psychological sense.” There is also nothing said about where to go for this very flair and where to buy it. And finally, the third and, perhaps, the most serious drawback of currently published articles on social engineering is that most of the examples they give are far-fetched (“movie”) ones that will not work in real life. The reader, studying this example, understands that if such a hacker comes to him, he will certainly figure him out. What is true: this will be figured out. But when the real one comes to him, he tells him his deepest secrets. The proposed book is intended, on the one hand, to eliminate these shortcomings and give the reader a real psychological minimum that underlies “social hacking.” On the other hand, the book contains many real, not fictitious, examples, which will also help the reader in mastering the material and show the basic techniques that social hackers use. After reading this book, readers will be largely protected from such manipulations. And one more small note. In many places the book is written in the style of a social engineering textbook. Thus, we often wrote as if we were teaching readers about social engineering. This is not because we wanted to teach readers methods of fraud, but because very often, in order to recognize a manipulator, you need to know how he acts, get used to this role... Not in order to “bewitch” someone ", but only in order to be able to foresee danger and predict further actions.

The book will be equally useful to representatives of three types of professions: IT specialists, enterprise security officers and psychologists studying social engineering. First of all, the book will be of interest to IT specialists from a wide range of professions: programmers, system and network administrators, computer security specialists, etc. If only because they are charged with stealing valuable information from the “bows of a computer.” IT specialists. And it is they who first have to deal with the consequences of such a theft. It is often the responsibility of IT specialists to find out the causes of information leaks. Because of this, many foreign universities are already introducing a course of lectures on the basics of social psychology for computer security specialists. The book will also be of interest to “ordinary” PC users, since they are the ones most often chosen by social hackers as the most convenient targets.

The book will be of interest to psychologists because for the first time it outlines the basic principles of social engineering and shows on what psychological concepts it is based. It is useful for security officers because they are the ones responsible for unauthorized entry into a facility, and such penetrations are very often based on the use of the “human factor.”

Readers of the book will be able to ask any question about social programming methods on a special forum on the authors’ website.

Acknowledgments

Part I
What is social engineering and who are social hackers?

The first part discusses the basic concepts of social engineering and social hacking. The first chapter, as usual, is an introduction to the issue under discussion, and the second chapter provides various examples of the use of social engineering methods.

Chapter 1.

Chapter 2. Examples of hacks using social engineering methods

Chapter 3. Social Programming Examples

Chapter 4. Building social firewalls

Chapter 5. Psychological aspects of training social hackers

Chapter 1
Social engineering is one of the main tools of hackers of the 21st century

...At the beginning of February 2005, many information security specialists in our country were waiting for the speech of K. Mitnick, a famous hacker, who was supposed to talk about the danger that social engineering poses, and what methods are used by social engineers (whom we will further call social hackers). Alas, expectations were not very fulfilled: Mitnick spoke only about the basic principles of social engineering. And he talked a lot about the fact that social engineering methods are used by criminals all over the world to obtain a wide variety of classified information. According to many meeting participants, it was interesting to listen, because the person was really very charming, but no special secrets were revealed.

Note

Kevin Mitnick is a famous hacker who was opposed by the best information security experts from the FBI, and convicted in the 90s by US justice for infiltrating many government and corporate secret bases. According to many experts, Mitnick had neither a significant technical base nor great knowledge of programming. But he had the art of communicating on the phone in order to obtain the necessary information and what is now called “social engineering.”

The same can be said about his books - there are no special revelations there. We do not exclude at all that Mitnik knows all this very well; moreover, we are almost sure of this, but, unfortunately, he does not tell anything of what he really knows. Neither in his speeches, nor in his books.

Note

Which, perhaps, in general, is not surprising, since the FBI then took a very close look at him, showing him who was boss, and it really got on his nerves. There were many explanations, a ban on working with computers for several years, and imprisonment. It should not be surprising that after such ups and downs he became a very law-abiding person, and not only would he not steal some secret bases, but he would even speak about non-secret things with great caution.

As a result of such omissions, social engineering seems like a kind of shamanism for the elite, which is not true. Moreover, there is another important point. Many attack descriptions skip entire paragraphs, if not pages. This is what we are getting at. If you take specifically the schemes of some of the most interesting attacks and try to reproduce them according to what is written, then most likely nothing will come of it. Because many of K. Mitnik’s schemes resemble something like this dialogue.

– Vasya, give me the password, please!

- Yes, yes! I feel sorry for a good person.

The analysis of this “attack” resembles something like the following: “Vasya gave it to a social hacker because from birth he did not know how to say “No!” to strangers. Therefore, the main method of countering social engineers is to learn to say “No.” …Perhaps this recommendation is suitable for America, but I’m afraid not for Russia, where the majority most likely do not know how to say “Yes,” but everyone is quite good at saying “No.” Indeed, there is a type of people who organically cannot refuse another person, but, firstly, there are few such people, and everyone else needs to be brought to such a state. And not a word is said about how to fail.

Note

We will talk in detail about psychological typology and how to use this knowledge in social engineering in Appendix 2.

This is roughly what we mean when we say that Mitnik often skips entire paragraphs. It can be assumed that the first phrase could take place at the beginning, and the second at the end of the conversation. But there was still a lot and the most interesting things between them. Because for everything to be so simple, the person needs to be immersed either in deep hypnosis, or injected with “truth serum.” But even if this was the case, then this also needs to be written about.

In life, as a rule, things happen differently. And the passwords are told, and the databases are taken out, not because they just can’t answer “no,” but because sometimes they answer “no,” ... I really don’t want to. And in order to make it very difficult for a person who has some serious information to answer “no,” he needs to be brought to such a state. By following him for, say, a week. What if something interesting turns up? Maybe he himself is a “sent Cossack” or in the evenings he works part-time for competitors, or maybe the situation is generally more serious: in the evenings he does not work part-time for competitors, but goes to a brothel ... for people with non-traditional sexual orientation, and, being an exemplary figure for everyone else a family man, he really doesn’t want anyone to find out about this. Having approximately this information, you can safely approach him and say:

- Vasya, tell me all the passwords you know. And give me access to your network so that I don’t waste time.

And in this case, many Vasyas will answer:

- Yes, please. And I’ll give you the passwords and open access. I feel sorry for a good person...

In intelligence language this is called "recruitment." And if suddenly everything in your organization disappears somewhere, all the passwords are known to someone, think about whether someone is “on the tail” of one of your employees. It is usually not difficult to figure out who was imprisoned and those who were imprisoned. Smart security officers, by the way, before entrusting people with key positions, usually check him very hard for, let’s say, the weaknesses of the candidate for the position. And they keep an eye on him, and they arrange all sorts of smart tests to know what kind of person came to work.

...This introduction was written not to criticize K. Mitnick - each of us has something to criticize for - but to show that in social engineering not everything is as simple as it is sometimes presented, and this issue must be taken seriously and thoughtfully. Now, with that introduction being said, let's get started.

The computer system that a hacker hacks does not exist in itself. It always contains one more component: a person. Figuratively speaking, a computer system can be represented by the following simple diagram (Fig. 1.1).

Rice. 1.1. The main options for hacking a computer system (man - from a cartoon by H. Bidstrup)

A hacker's job is to break into a computer system. Since, as we see, this system has two components, there are correspondingly two main ways to hack it. We will call the first way, when a computer is “hacked,” technical. A social engineering It’s called when, when hacking a computer system, you take the second path and attack the person who works with the computer. A simple example. Let's say you need to steal a password. You can hack the victim's computer and find out the password. This is the first way. And by taking the second path, you can find out this same password by simply asking the person for the password. Many people say if you ask correctly.

According to many experts, the biggest threat to information security, both for large companies and ordinary users, in the next decades will come from increasingly improved methods of social engineering used to hack existing security measures. If only because the use of social engineering does not require significant financial investments and a thorough knowledge of computer technology. For example, Rich Mogull, chief information security officer at Gartner, says that “social engineering poses a more serious threat than simple network hacking. Research shows that people have some behavioral tendencies that can be used to be careful.” manipulation. Many of the most harmful security breaches have and will continue to occur through social engineering rather than electronic hacking. Over the next decade, social engineering itself will pose the greatest threat to information security." Rob Forsyth, managing director of one of the regional divisions of the antivirus company Sophos, also agrees with him, who gave an example of “a new cynical type of fraud aimed at unemployed Australians. A potential victim receives an email, allegedly sent by Credit Suisse, which says about an available vacancy. The recipient is asked to go to a website that is an almost exact copy of the real Credit Suisse corporate website, but the fake version contains a form for filling out a job application. And in order for the application to be considered, the “bank” asked, albeit symbolically, but the money that needed to be transferred to such and such an account. When quite a lot of people transferred the money, the amount was no longer so symbolic. The fake site was made so skillfully that it took experts time to make sure that it was a fake. It is worth recognizing that the attackers have used a rather clever combination of technologies to target the neediest members of society, i.e. those looking for work. These are precisely the people who can succumb to this kind of provocation,” says Forsyth. Enrique Salem, vice president of Symantec, generally believes that such traditional threats as viruses and spam are “problems of yesterday.” , although companies must protect themselves from them. Salem calls phishing using social engineering methods the problem of today.

Note

Learn more about phishing in chapter 2.

Why do many researchers believe that social engineering will become one of the main tools of hackers of the 21st century? The answer is simple. Because technical protection systems will improve more and more, but people will remain people with their weaknesses, prejudices, stereotypes, and will be the weakest link in the security chain. You can install the most advanced protection systems, and still you cannot lose vigilance for a minute, because in your security scheme there is one very unreliable link - a person. Set up a human firewall, in other words firewall(firewall) is the most difficult and thankless task. You may not be able to use a well-tuned technique for months. The human firewall needs to be adjusted constantly. Here, the main motto of all security experts sounds more relevant than ever: “Security is a process, not a result.” A very simple and common example. Suppose you are a director and you have a very good employee who, in your opinion, will never sell anything to anyone or sell anyone out. Next month you lowered his salary, say, for one reason or another. Even if these reasons are very objective. And the situation has changed dramatically: now he has an eye on him, because he can’t find a place for himself out of resentment, he’s already ready to kill you, let alone talk about some kind of internal corporate secrets.

I will also note that in order to engage in security, especially in terms of setting up “human firewalls,” you need to have a stable nervous and mental system. Why, you will understand from the following wonderful phrase of A. Einstein, which we, following Kevin Mitnick, cannot help but repeat: “You can only be sure of two things: the existence of the universe and human stupidity, and I’m not entirely sure about the first.”

All attacks by social hackers fit into one fairly simple scheme (Fig. 1.2).

Rice. 1.2. Basic scheme of influence in social engineering

Note

This scheme is called Sheinov's scheme. It is presented in general form in the book of the Belarusian psychologist and sociologist V.P. Sheinov, who has been involved in the psychology of fraud for a long time. In a slightly modified form, this scheme is also suitable for social engineering.

So, first the goal of influencing a particular object is always formulated.

Then information about the object is collected in order to discover the most convenient targets of influence. After this comes a stage that psychologists call attraction. Attraction (from lat. attrahere– attract, attract) is the creation of the necessary conditions for the social engineer to influence the object. Compulsion to take the action necessary for a social hacker is usually achieved by performing the previous stages, i.e., after the attraction is achieved, the victim himself takes the actions necessary for the social engineer. However, in a number of cases, this stage acquires independent significance, for example, when coercion to action is carried out through induction into a trance, psychological pressure, etc.

Recently, while checking one of my soap dishes, I came across a touching letter. The administrator of the provider whose services I use complained tearfully that the hackers had destroyed the entire office, and all that was left of the old client database was horns and legs. “We’re trying to restore order here, so, buddy, could you send me your username and password,” the interlocutor timidly suggested. It was actively getting dark outside.

Despite the fact that the concept of “social engineering” has appeared recently, people in one form or another have used its techniques from time immemorial. In Ancient Greece and Rome, people were held in high esteem, who could hang any nonsense on their ears and convince their interlocutor that he was obviously wrong. Speaking on behalf of the leaders, they conducted diplomatic negotiations, and by mixing lies, flattery and advantageous arguments into their words, they often solved problems that seemed impossible to solve without the help of a sword. Among spies, social engineering has always been the main weapon. By posing as anyone, KGB and CIA agents could find out the most terrible state secrets. And how professionally politicians and candidates for deputies (mayors, presidents) engineer us is generally worth seeing. Although, to tell the truth, I, and you, and all of us are not far behind them. You won’t deny that you have at some point tried to use a clever trick to tune someone into the wavelength you want. For example, when he asked his parents to buy ice cream, promising an A in his math class. We often use social engineering techniques without even realizing it. Unlike the same agents, deputies and... hackers.

In the early 70s, during the heyday of phreaking, some telephone hooligans amused themselves by calling Ma Bell operators from street payphones and teasing them about their competence. Then someone, obviously, realized that if they rearranged the phrases a little and made mistakes here and there, they could force the technical staff not only to make excuses, but to give out confidential information under the influence of emotions. Phreakers began to slowly experiment with tricks and by the end of the 70s they had so perfected the techniques for manipulating untrained operators that they could easily learn from them almost everything they wanted.

Talking to people over the phone in order to get some information or simply force them to do something was equated with art. Professionals in this field took great pride in their skills. The most skilled social engineers (syngers) always acted impromptu, relying on their instincts. With the help of leading questions, by the intonation of the voice, they could determine a person’s complexes and fears and, instantly getting their bearings, play on them. If at the other end of the line there was a young girl who had recently started work - the phreaker was hinting at possible troubles with the boss, if she was a self-confident mattress - it was enough to introduce herself as a naive user from the company, who needed to be shown and told everything. Each one had its own key. With the advent of computers, many phreakers moved into computer networks and became hackers. SI skills in the new area have become even more useful. If earlier the operator's brains were powdered mainly to obtain pieces of information from corporate directories, now it has become possible to find out the password to enter a closed system and download from there a bunch of the same directories or something secret. Moreover, this method was much faster and simpler. No need to look for holes in a sophisticated security system, no need to wait for Jack the Ripper to guess the correct password, no need to play cat and mouse with the admin. It’s enough to call the phone and, with the right approach, the treasured word will be called at the other end of the line.

Three pillars of social engineering

All social engineering techniques can be divided into three categories depending on where they are used: over the phone, on the Internet or in reallife. Each has its own specifics, and it is not at all a fact that a person who has SI skills on the Internet will be able to use their face2face just as effectively.

Many believe that after brains, the telephone is the main weapon of a singer. Thanks to him, you can remain anonymous and at the same time have a direct connection with the victim. The latter is important because direct contact does not give the interlocutor time to think about the situation and weigh the pros and cons. A decision needs to be made immediately, and under the pressure of a singer who is pushing his line. Since in a telephone conversation we exchange only audio information, the intonation and voice of the interlocutor plays a large role in decision making. At first, when trying to deceive someone over the phone, beginners may become confused and quickly lose ground. To prevent this from happening, you need to develop practice by calling random numbers and, talking to strangers, trying to deceive them. For example, you can invent some idiotic news (Americans landed on the sun) and invite an unknown interlocutor to discuss it together. Your task is to learn to confuse people and inspire them with any stupidity. You can play with roles, introducing yourself as a telephone exchange operator or a morgue director. The more experience you have with phone pranks, the more confident you will feel when talking to your intended victim.

Try to walk while talking. It has been scientifically proven that when a person moves, his brain works faster. If you decide to do something serious, don’t call from home, use a payphone. Because if you really want to trace your call through the PBX, it won’t be a problem.

At companies that take security seriously, they advise asking for a return phone number at the beginning of a conversation and calling the stranger back. This is another reason why it is better to call from a payphone. But if you call from home and hear: “Please leave your number - I’ll call you back,” dictate one of those phone numbers that are always busy. There are such in every city, you can find out about them, for example, from operators (again, using SI). It’s still easier to explain short beeps than the hungover voice of the left guy.

In some cases, the Network can become a more convenient alternative to the telephone. For example, if the victim is in another country and there is a language barrier between you. Or if you need to do something global (send out a bunch of messages). First of all, the good thing about the Internet is that you can impersonate anyone on it. It, unlike the telephone, does not keep within the limits of age and gender. In addition, you can use a bunch of different characters for engineering, using secondary characters to create the illusion of the desired quality in the main one. For example, if you go to the www chat and shout: “I’m a cool writer!” - who the hell will notice you. But if, from different windows under proxies, you start a crowd of virtuals in the same chat, vying with each other to praise your writing talents, the rest of the people will immediately become interested and begin to ask what you write there.

In general, since virtuals are used everywhere in network social engineering, you should take good care to ensure that they look realistic. Biography, character, writing style, signatures, coordinates on the Internet (soap, website) - you must think through everything so that any unbelieving Thomas can be convinced of the reality of your virtual as many times as he wants.

When carrying out serious sabotage, try to avoid sending messages from free mailboxes - they immediately arouse suspicion among more or less literate people. However, if the soap is little known (located in another country), you can pass it off as branded by indicating “the full name of the company” at the end of the letter. For example, our freebie bk.ru can be passed off as soap from BlackKobra corporation or Brothers Killers inc.

Riallife

The method is quite dangerous, since you no longer have to rely on anonymity, and you can subsequently be identified. But it’s only dangerous in particularly extreme cases, for example, when you decide to cheat a company out of big money. In practice, reallife is the most common method, since we communicate mainly in real life, and where we communicate, there is time, and where there is a lie, there is our topic. RealLife SI is directly related to NLP, so if you want to learn more about how to change people’s behavior patterns, read the NLP FAQ, there is a lot of interesting stuff there.

If you are serious about your work and are willing to sacrifice time for the sake of efficiency, reverse social engineering may be a good method for you. This is the name of the method when a singer forces a person to turn to him for help and, by offering it, gets what he needs. Everything goes approximately according to the following scenario - the hacker first establishes himself in the company as a competent specialist (see the previous section), then somehow disables one of the computers (it is enough to run a program that disables one of the parameters in the registry). A company employee calls a “specialist”, and he asks for confidential information (or finds it on the computer himself), citing the fact that it is needed to fix a problem.

The art of transformation

While practicing SI, you will have to put on the masks of other people more than once. It’s clear that no one will reveal their secrets to the leftist kid on the street, but willy-nilly they will have to to someone who has the right to do so. Not everyone can lie confidently. This is reflected in the moral teachings of our ancestors, who from childhood drilled into us a harmful complex - lying is not good. But you can deceive your complexes if you sincerely believe in the truth of your lying words. You should not doubt for a second that, for example, you are an employee of a company who has forgotten your password, that you need help and have every right to it. After all, when you go to receive your salary at the end of the month, you don’t feel discomfort from this, don’t you whine pitifully, trying to get an extra penny? You get what you deserve, what is rightfully yours. The same principle must be followed in social engineering. If you are able to convince a person of your rights, you will get what you need, even if in fact you have no rights to it. A better result can be achieved if you do not play someone’s role, but become that someone. In thoughts, actions and everything else. To do this, of course, you need to understand the psychology of people of different categories and have some acting skills. I’ll give you offhand a few common patterns among hackers, perhaps they will help you choose a course of action in a given situation.

Boss. A person who is used to giving commands, values his time, and achieves his goals. The manner of speaking is harsh and impatient. Impenetrable self-confidence and slight (or complete) disdain for ordinary employees. With all his appearance he shows that the problem he addressed is a minor problem that needs to be solved as soon as possible. No requests - just stern, “what the hell” questions. In response to distrustful or checking remarks - indignation and intimidation.

Secretary. Usually a girl with a pleasant voice. The task is to carry out a specific order from the boss without being distracted by conventions. She is aware of her boss and some of his affairs, and casually drops reliable facts (or unreliable ones that cannot be verified). The nature of the conversation is soft, with a slight erotic overtone (if the interlocutor is a man). The reaction to reluctance to cooperate is violent disappointment, a complaint that the authorities will punish.

Technical employee. Condescending but friendly attitude towards customers. The goal is simple - fix the problem and save both parties from headaches. Competence emphasized in specific terms. A refusal to cooperate results in a reaction of surprise, since cooperation is primarily beneficial for the client. No persuasion - just make it clear that without your participation the problem will only get worse. You can describe the terrible consequences.

Beast: An employee performing his duties and frightened by an unexpected problem. A clearly expressed motive to quickly solve all problems and return to your routine work. Lack of understanding of the nature of the problem, interest only in eliminating it. Nature of communication: “Oh, my cursor is frozen. It's a virus, right? Show the hopelessness of your situation and your readiness to surrender to the hands of a specialist.

There are many behavioral models, which one to use depends on the situation and the person who needs to be processed. Preliminary collection of information about the future victim is of great importance here, because only in this way can you create the most effective scenario and prepare for any surprises. Previously, hackers' favorite way to collect information was to rummage through office trash cans at night. With the advent of the Internet, everything has become easier. Firstly, there are specialized directories for large companies where you can find the names, positions and contacts of representatives. Secondly, you can again use social engineering and gain trust in a careless employee. For example, many people abuse ICQ during their work hours. Having introduced yourself as a promising madam, you can start a whirlwind virtual romance with the person, and under the pretext “I want to know more about you,” slowly ask about the company and management. You're probably wondering what exactly you need to know? I don’t know, my friend, just a hundred pounds - the more information you collect, the more varied it is (from the boss’s favorite color of socks to the company’s average annual income), the easier it will be for you to complete your task. Pay special attention to the names, character and responsibilities of key figures in the office, since this is the information you will most likely use in the future. Only begin the main engineering phase when you feel like you know your target. You know how she lives, what she thinks about, how she will behave in a given situation, what psycho-complexes are swarming inside her.

Cockroaches living in our heads

No matter how wary or life-taught a person is, he will never get rid of all the bugs in his head. Our mind is more vulnerable than the most leaky Windows. Moreover, the qualities that we value in people - responsiveness, devotion and curiosity - often become vulnerable. I'm not even talking about all sorts of psycho-complexes inherent in all of us. All social engineering is designed to exploit human weaknesses to change behavior patterns. Below we will look at several basic psychocomplexes, most often susceptible to SI, using examples.

Gullibility

This quality is inherent in every person. We listen to stories about people who were thrown out as complete suckers, we are surprised at their naivety, we are completely confident that we would never get into something like this ourselves... and over time we ourselves take their place. Gullibility is directly related to our innate laziness. Agree, it’s easier to take a person’s word for it than to bother checking the veracity of his words.

In addition, some, due to timidity or good upbringing, simply do not dare to openly declare that the interlocutor is lying, and prefer to take risks, hoping for his honesty. A big role in the issue of trust is played by details that we do not consciously think about, but which determine our reaction - to believe a person or not.

Perhaps the main factor of trust is self-confidence. If someone speaks in the authoritative tone of an expert that does not allow for objections, people can believe in any nonsense. Of course, we are not talking about well-known truths (although an experienced sophist will be able to convincingly prove to you that the temperature on the Sun is minus, and white is actually black), but about things that a person does not know about or that he at least doubts - you can easily tilt his opinion in the right direction. A good way to create the illusion of being truthful is to make a few statements that the other person knows to be one hundred percent true, and at the same time mix in a few false arguments. A person, seeing that you are telling the truth, will automatically perceive your lie as the truth. A kind of analogue of the test for knowledge of the culprit, modified to suit the needs of the SI.

If you haven’t thoroughly studied the victim in your preliminary preparation - what he knows and what he doesn’t, try to avoid outright lies. For example, if you introduce yourself as Vasya Chaikin, an employee of the sixth department, you will most likely hear: “I know everyone in the sixth department - there is no one there with that last name.” But if, instead of a specific Vasya Chaikin from a specific department, you become an indefinite Petya, who has just entered the service, you will always have room for retreat. In general, before starting sabotage, try to think through everything so that you are not pushed to the wall by finding obvious inconsistencies. Always choose a scenario that fits the situation as accurately as possible. To illustrate this psycho-complex, I’ll tell you how I once walked into a student dorm room through an evil grandmother-janitor who “didn’t let anyone in in any way.”

Hello, grandma. I'm 90, to Samodin.

We don't let anyone in. Wait here. If anyone comes down, they will call.

Grandma, I’m from the dean’s office - the rector is urgently calling him. The institute is sending Kolya to the Olympics; he needs to bring an application. It’s necessary now, today is the last day. I'll tell him quickly and come back right away. Fine?

OK. Just come faster.

I'll be there in a jiffy. Thank you!

Each of us has our own fears. This is not necessarily a fear of the dark or, for example, spiders. You may experience fear of appearing ridiculous in some situation, fear of the consequences of an unfulfilled order, fear of something unknown. There are millions of small and large fears that will force a person to do the most rash things to get rid of them. It is easy to use this psycho-complex - you just need to evoke one of the fears in your interlocutor and play the role of a “liberator”. A good example is the case described in the article by Alexey Lukatsky, when a hacker obtained the password to a bank employee’s account within just a couple of minutes.

At the height of the working day, a bell rings in the bank's operating room. The young operator picks up the phone and hears a man’s voice:

The network administrator is speaking to you, Ivan. What is your name?

Olechka, we are currently carrying out a planned modification of the Bank Operations Day software. Could you tell me your password?

And they told me that you can’t tell others your password.

So I’m not a stranger! I am one of my own, I am an employee of the information department. My boss is Petr Petrovich Petrov. I want to do all the work as quickly as possible. Otherwise, both you and I will have to stay after work. And you probably have things to do in the evening. Besides, your boss will also have to stay late after work. And he will be dissatisfied with this, which may affect you too. You agree?

Yes, I agree.

Then tell me your password and everything will be OK.

My password is olja.

OK. Thanks for the help.

Here Singer aroused two fears in the young lady at once - staying in the office longer than expected and arousing the wrath of her superiors. The latter is especially effective, since most people still value their work and will try to do everything possible to avoid trouble.

Fear, by the way, is a good incentive to trust - it is a natural protective reaction of our body. A frightened person is more concerned about how to get out of this unpleasant state than the thought that fear may be the result of a bluff. Each of us is subject to one or another fear to a greater or lesser extent, but there are some that greatly affect almost all people. This is a threat to life, fear of losing a loved one (animal), fear of loneliness, fear of pain, fear of not achieving goals, etc.

Greed

The second quality of a person after laziness - greed - is the favorite psychocomplex of scammers of all stripes. People's desire to quickly get rich is so great that it often overshadows all reasonable thoughts, and people are led into obvious scams. It’s easy to use greed for your own selfish purposes; you just need to promise a person something that he needs. Not necessarily money - advertising, information, a collection item, sex... whatever. Just find out more about what the victim values and promise it. Promising is not prohibited by law. Your task is to present your “product” in the most attractive light, but do not overuse epithets. Progress does not stand still, and people no longer believe “well-wishers” who promise 10 million bucks in a week. But for 100 bucks a month they will easily take the bait. An excellent example of SI driven by greed is the episode described in Sidney Sheldon’s book “The Intrigue.” The swindler walked into a jewelry store and, posing as the wife of a wasteful billionaire, bought a large diamond without even looking at it for $150,000. A couple of days later she returned and, enthusiastically praising the purchase, asked if there was another equally large specimen for sale. When the seller assured that he had sold her a very rare diamond and it was difficult to find a similar one in the whole country, the madam assured that her husband would not mind paying 400 kilobucks if only there was another one just like it. After a long and fruitless search, the man was already in despair, but then an inconsolable widow called from an advertisement and, lo and behold, she had a very similar pebble. “After John’s death, I was left with debts - 300 thousand greenbacks, and also this grandmother’s diamond. I agree to sell it, but only for 300 thousand. I need this exact amount to pay off the debt.” Figuring that he would still win 100 thousand, the jeweler bought the stone. Needless to say, the diamond was the same one that he had sold a couple of weeks before, and that the divorced man never saw the rich madam again.

Responsiveness

When I use this psychocomplex in SI, I have no remorse. For the simple reason that by deceiving, I give people the opportunity to once again feel like people, to enjoy the joy of helping their neighbor. There are grains of compassion in the soul of even the most gloomy prisoner. Having decided 15 people, he no, no, and will throw a crumb of bread to the chilled sparrow.

Manipulating responsiveness is not as easy as it seems. Although everyone has it in different doses, it is not always possible to use it. Try to go to DALnet’s #xakep in your spare time and ask the people there for money for a gift for your mother. They will immediately explain to you in all the splendor of the Russian language what compassion is. But if you ask for something that is not very stressful for a person to part with, and at the same time convince him of the great value of it for you, the effectiveness of using the psychocomplex is very high. In one of the issues of Spets, dedicated to web fraud, I told how I managed to get a book that was only available on Amazon for 20 bucks. It was enough to contact the author - a wealthy woman from America, and, under the guise of a little girl dreaming of becoming a journalist (the book was about freelance writing), tearfully ask to send the book. “Thanks so much, Masha! “I appreciate your kind words,” the woman responded to my words of gratitude, and that’s where we parted. The weaker (or is it the fairer?) sex is generally very vulnerable to this technique, especially if it believes that the child needs help. I agree that playing on maternal feelings is selfish, but SI is a selfish science in itself, and if you want to succeed, you must forget your moral principles when thinking about the goal. In relation to men, manipulation with erotic overtones will be no less effective. As you understand, any silent person is much more willing to help a beautiful girl than a shaggy-haired colleague of the same sex. This is because, on a subconscious level, we often hope to receive reciprocal gratitude from them of you-know-what kind. If you have a girlfriend with an angelic voice who knows how to talk to guys in a promising tone, she can become a good ally in the process of processing an overworked user. The more she manages to interest the “client,” the less he will want to lose his potential girlfriend and the more likely he will fulfill her request.

Superiority

Of course, we all want to be a role model, to understand something better than others. Superiority is a state into which our subconscious periodically plunges us to give us the opportunity to experience such a pleasant feeling of victory.

But if at such a moment someone from the outside tries to impose the idea that you are not a winner at all, the natural defensive reaction will be to prove to the asshole that you are the best.

The trick is that, by deliberately hurting someone's pride, the singer can, as evidence of winning, demand something that in another situation no one would give him. And the victim, in order to get rid of the stigma of a loser, willy-nilly will have to follow his lead. The technique of superiority is difficult because it needs to be manipulated very subtly. A rude “weak?” It doesn’t work on everyone - at least on tough, self-confident specialists who are sensitive to criticism of their abilities. But there are a lot of people in the world who really don’t care that you doubt their incompetence; it’s easier for them to send you away than to prove something. This does not mean that tactics against them are useless. In this case, the psychocomplex must be used implicitly, in a general context (in between).

Another option is to use the reverse method. That is, you do not belittle the person’s abilities, but, on the contrary, elevate them to the skies. Remember the last time you did something, and you were sincerely praised - what a great job they say. You probably then wanted to surpass yourself in order to hear even greater praise, and you continued to plow with redoubled zeal. Gratitude is recognition of our abilities, which is very important for every person. By playing on people's pride, you can easily force a person to do something for you. For example, I once repaired a watch for free in this way - I hinted to the watchmaker that his workshop had the best authority in the city, that his professionalism was legendary, and my friends considered him a very decent person. After which, the touched owner of the godforsaken stall refused the money and, with a wink, said: “Come on, it’s nothing.” Also, one of my acquaintances borrowed a car from a cheapskate neighbor for a day - it was enough to praise his car in every possible way.

I briefly described only 5 of our vulnerabilities, in fact there are many more. IMHO, any feeling available to people can be used in social engineering. Curiosity and envy, love and hate, fun and sadness. All his life a person experiences a kaleidoscope of emotions that make his life brighter, and at the same time expose him to the danger of becoming a victim of singers.

For some reason, many people consider SI to be an exclusively hacker activity. Digging up passwords for a free Unlim, gaining access to the company’s internal network... all this can really be solved with the help of SI, but outside the computer framework there is an endless sea of opportunities. Having learned to use human weaknesses, you will be able to emerge victorious from many difficult situations, achieve success where others would only throw up their hands. Therefore, study, practice, dare - this science will come in handy more than once.

Maxim Kuznetsov, Igor Simdyanov

Social engineering and social hackers

Introduction

For whom and what is this book about?

The subject of the book is an examination of the basic methods of social engineering - according to many researchers, one of the main tools of hackers of the 21st century. At its core, this is a book about the role of the human factor in information security. Several good books have been published about the human factor in programming, one of them, the book by Larry Constantine, is called “The Human Factor in Programming.” This is perhaps the only book on this topic translated into Russian. This is what the author writes in the preface to this book: “Good software is created by people, just like bad software. That is why the main topic of this book is not hardware or software, but the human factor in programming (peopleware).” Despite the fact that L. Konstantin’s book is more about psychology than about programming, the first edition of the book was recognized as a classic work in the field of information technology.

Information is also protected by people, and the main carriers of information are also people, with their usual set of complexes, weaknesses and prejudices, which can be played on and are played on. This book is dedicated to how they do this and how to protect themselves from it. Historically, hacking using human factors has been called "social engineering", that’s why our book is called “Social Engineering and Social Hackers.”

The authors of this book came to social programming and its basic concepts, on the one hand (and for the most part), through programming related to information security, and on the other hand, through one of the areas of our professional activity related to the design and installation of information security tools from unauthorized access, security alarm systems, access control systems, etc. Analyzing the causes and methods of software hacking or channels of information leakage from various structures, we came to a very interesting conclusion that approximately eighty (!) percent of the reason for this is human factor in itself or skillful manipulation of it. Although this discovery of ours is certainly not new. An amazing experiment was carried out by English researchers. Without further ado, they sent letters to employees of a large corporation, supposedly from the system administrator of their company, asking them to provide their passwords, since a scheduled equipment check was scheduled. 75% of the company's employees responded to this letter, enclosing their password in the letter. As they say, comments are unnecessary. You don’t need to think that it’s just people who got caught so stupid. Not at all. As we will see later, human actions are also quite well programmed. And the point here is not the mental development of people who fall for such bait. There are simply other people who are very good at programming language for human behavior. Nowadays, interest in social engineering is very high. This can be seen in many ways. For example, a couple of years ago, for the query “social engineering” there were only 2 links in the Google search engine. Now there are hundreds of them... The famous hacker K. Mitnik, who uses social engineering methods for hacking, gives lectures at the Radisson-Slavyanskaya hotel for top managers of large IT companies and specialists from corporate security services... They began to organize conferences on social engineering, in A number of universities are going to introduce lecture courses on this topic...