Alex Goldman is a producer for On the Media. One time he got run over by a car.
The Hacker Toolkit: Social Engineering
Friday, September 23, 2011 - 07:00 AM
There's an air of alchemy and mystery that surrounds the world of hacking, because it's perceived as being so technical. That's part of what makes hacking seem so illicit to non-hackers. But some of the most well known hackers have obtained information using an incredibly low-tech method. That method is called "social engineering."
Put simply, social engineering is the process of fooling people into divulging sensitive information. In a lot of ways, it's not too far off from calling your high school pretending to be your parents in order to excuse an absence. If you can convince people that you are entitled to access certain information, or even trick them into creating situations where you can get access to it, you're a successful social engineer.
Adam Penenberg wrote about the journalistic overuse of the word "hack" for the website Fast Company. He says that most of what's described in the media as hacking is really social engineering. "Social engineering is a really old term, actually," says Penenberg. "I wrote a cover story for Forbes magazine more than a decade ago and I had a private detective investigate me, starting with just my byline. And what he was able to pull up was really remarkable. He pulled up all my credit card accounts. He pulled up all my bank accounts, how much money I had. He pulled up long distance phone bills, who I had called and for how long. And the way he did it was to call up the phone operators of these companies, like at Merrill Lynch and at Verizon and what not, Sprint, and pretend to be somebody else. Or pretend to be me and complain about a bill and they’d tell him everything. That’s social engineering. Tricking people to do your bidding for you."
If this is all seeming vague and hypothetical to you, let me give you an illustrative example from the (pretty terrible) movie Hackers. In it, the main character, Dade, is trying to break into a television station (relevant section starts at 4:30). Note that while this is a pretty realistic depiction of social engineering, the portrayal of actual hacking in this scene is beyond ridiculous. You've been warned.
Social engineering has been part of the arsenal of some of the most legendary hackers. In particular, Kevin Mitnick has made much of his use of social engineering to obtain information. He frequently pretended to be someone he wasn't in order to obtain information. In his youth, he even used social engineering to figure out a way to ride the LA bus system without paying.
But there are also high-tech corollaries to the world of social engineering. In particular, there's a technique called phishing that many users of social media have probably fallen prey to in the past. I know I have.
Phishing applies the principles of social engineering in a more technologically advanced way. One of the most common forms of phishing is to create a website that mimics the front page of a commonly used website, like eBay. When you try to log in, you get an error message, but the people behind the fake website now have your login information. Tons of people have had their credit card information successfully phished by fake websites masquerading as bank websites.
However, both offline and online, the level of sophistication in the social engineering world varies wildly. While you might be taken in by a fake website, hopefully you're less likely to be duped by an email from a Nigerian king offering to wire you millions of dollars. Staying alert and recognizing online offers that seem too good to be true is a good way to keep from getting phished. To repurpose a tired adage... beware of geeks bearing gifts.