Social Engineering from Prison

by CyberGenesis

So...  Social engineering.  Yes?  No?  Maybe?  Although hackers are largely anonymous and seem to have very large problems with authority (as well they should), most seem to at least be on the same side.  I won't go into government snitches here.  I just can't understand or even remotely fathom why one hacker would turn one of their own in to the government to be prosecuted.  But that's another article in and of itself.  Back on topic!

Hacking, back in the day, used to mean someone who could throw a program together out of nothing in no time flat.  Now?  Hacking means terrorism, "punk kids" (I'm 43 now), and criminal acts.  But hackers are needed.  They're our front-line fighters.  There's another group, however, that gains their information through more stealthy means, then hands it to the hackers so they can do their thing.  It's this "shadow group" that people should really be afraid of.  That's right.  I'm talking about social engineers.  I am a part of this ever-growing population.

Social engineering, as with hacking, is an art form and one that only a few people are called to, and even fewer truly get good at.  Imagine meeting someone for the first time and within 30 minutes, they're giving you their life history.

Case in point.  I'm incarcerated at FCI Beaumont, a low-security facility.  I was taking their Community-Based Learning course here and I got very bored, very quickly.  A friend, knowing I'm a social engineer, challenged me.  "I bet you can't get any personal information out of our instructor."  I asked him how long I had and he said 14 days.  (Like taking candy from a baby!)

Anyway, I noticed the instructor had a touch-screen watch that was flashing a warning that it couldn't connect to his cell phone because it was out of range.  This was my "in."  I asked what type of watch he had and who he used as a provider.  He readily gave up that he had AT&T.  Within a mere 48 hours, he was telling me he was married, how many kids he had, where everyone worked, what types of cars they all had, and what cities they all lived in.  Bonus round - I even got that his wife was undergoing treatment for cancer.

Now, if I was unethical in any way, I could have passed this information on.  But this time I let it go.  I just couldn't pass up the challenge.  My friend couldn't believe I'd gotten all that info from a paid prison instructor from the local university.

Knowing how people think and respond in given conversations gives the social engineer "control" over people.  Here are three rules to remember when social engineering people for your cause:

1.  Be friendly!  A smile makes people want to trust you.

2.  People want to talk about their families.  It's a source of great pride for them.  And as they talk, they're inadvertently giving you their username and password combinations.  A proud parent will most often have their child's name as their password.

3.  People with high-octane jobs are more likely to have nice families and large bank accounts.  If someone works at McDonald's, it's time to move on.  If they say they're a bio-engineer, such as this instructor's 20-something daughter, it's worth your time and effort.

Being a social engineer also means being able to think quickly and being a chameleon.  If your surroundings require you to be a paramedic to get someone to trust you, time for you to brush up on your anatomy and physiology.  You're talking to a CTO and you want some info from them?  Brush up on the latest technology.  You have to literally become what it is you want.  You've never done what you need to become?  That's fine!  Know enough to make yourself believable.  People generally are not going to ask a lot of questions, though they will ask one or two to establish a baseline.

Now after saying all this, I have two more things to say.  Then it's off to dreamland for me.

Personally, I've social engineered my way into a key card for a Silicon Valley company by convincing the secretary I was a new hire (I did my homework so I'd know names of current employees).  I've social engineered my way into two marriages that financially benefited me, and I've also gotten into a secure county emergency management office using credentials that took me ten minutes to create.

In my opinion, social engineering is the wave of the future, but please, know one thing:

As stated in a previous issue of 2600, if you call yourself a hacker or a social engineer, you're joining an elite war and consenting to being labeled a terrorist by your country's government.  If you want to be an agent-of-change, then I invite you to join this war against our persons.

Thanks for reading!

They're trashing our rights!  Hack the planet!
