Sunday, February 26, 2012
Social Engineering and How a Reasonable Amount of Privacy Is Almost Nonexistent
Privacy is a pretty relative thing.
During my first run at college, during a certification on deception and manipulation, I was told to gather information on a fellow classmate. Many others asked questions and damn near interviewed their mark quite obviously. I spoke to my mark for maybe 20 seconds on the way to the coffee shop that was next door. After school I went home, opened up her Facebook account, built a 3-page file on my mark and presented it the next day.
It was a little easier for me since we were already friends on Facebook; however, even if we hadn't been, I think I still could have produced a good two pages just off of internet searching.
What I had practiced is known in the InfoSec (Information Security) field as Social Engineering.
"Social Engineering - The management of human beings in accordance with their place and function in society. This definition was created in 1899."
The definition still holds true. You are ‘managing’ people according to their function. You’re getting them to do things that they probably shouldn’t, gathering information on them, conning them, using scare tactics, tricky wording, making them think they’re helping you or themselves or that you’re just a good friend.
This used to call for a team of trained ex-spooks, but today all you need is a name (or even part of a name), an internet connection and some time to kill.
Today we live in a world where, in order to do "normal and modern" things... like communicate (or self-publish a tactical blog), we voluntarily sacrifice a moderate level of privacy. And while we like to think that this is in our hands, it really isn't. The decision to give it away or keep it is ours, but once we give it away it's no longer in our control.
The use of any electronic communication device is routed through large corporations with government regulation. On any given day, hundreds of people have access to anything about you minus your innermost thoughts (unless you are a blogger, of course).
There is ZERO privacy on the Internet. Those crazy kids at the NSA/CIA/FBI/RCMP/CSIS, not to mention millions of corporate entities with all their gadgets and gizmos, work around the clock on constant watchword surveillance, and if you are motivated to dig moderately hard you can find out a lot about a person, right down to the color of their skivvies.
Every time we open a new profile on a social networking site, post from our cell phone, use Twitter, etc., we voluntarily give away our privacy. This makes it difficult, if you are ever targeted by someone, to argue that your privacy was invaded when they can show what two hours of internet search engines alone produced. Not to mention any surveillance done or trash rooted through (by the way, start burning paper documents and maybe try recycling more).
Trash rooting is yet another form of Social Engineering. Be careful of what you throw out. Shred anything that has your name, address, or any information on you whatsoever, then burn it. Anything that is in a trash can (unless posted otherwise) is garbage and is available freely for anyone to take. If you have a trash can outside, bring it in to the garage, but DON’T leave it outside. Once you put your trash down on the curb, it’s more or less fair game.
Dumpsters at corporations are usually not guarded and usually don’t have signs stating that they are private property. If they don’t, they’re also fair game and anything taken from them is taken legally. This is how police get a lot of information without a warrant. This is also a way for police to get probable cause to get a warrant. This is also a way police can get DNA from someone: if they spit gum into a trash can, or throw out a coffee or soda can or cup, that can lead to fingerprints, DNA samples, the works.
Ask yourself this. I shared in rapid-fire fashion before the whole class complete and perhaps mildly embarrassing details about my mark, down to the bar she frequented on weekends. Was her privacy invaded?
No, not technically. The info was just sitting there for the whole world to see if they knew where to look. The more we attention-whore ourselves out, the less we can lay claim to our rights of privacy.
Key factors to keep in mind.
People want to help, people don’t want to get in trouble, people want to think other people have good intentions, and finally, people are stupid.
That is the core of social engineering.