Social Engineering
Kevin Mitnick, in his book The Art of Deception, defines it as follows: "Social Engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology."
He then defines hacker groups: "Some hackers destroy people's files or entire hard drives; they're called crackers or vandals. Some novice hackers don't bother learning the technology, but simply download hacker tools to break into computer systems; they're called script kiddies. More experienced hackers with programming skills develop hacker programs and post them to the Web and to bulletin board systems. And then there are individuals who have no interest in the technology, but use the computer merely as a tool to aid them in stealing money, goods, or services."
Explaining how he turned into a hacker, he continues: "My first encounter with what I would eventually learn to call social engineering came about during my high school years when I met another student who was caught up in a hobby called phone phreaking. Phone phreaking is a type of hacking that allows you to explore the telephone network by exploiting the phone systems and phone company employees. He showed me neat tricks he could do with a telephone, like obtaining any information the phone company had on any customer, and using a secret test number to make long-distance calls for free. (Actually it was free only to us. I found out much later that it wasn't a secret test number at all. The calls were, in fact, being billed to some poor company's MCI account.)
That was my introduction to social engineering - my kindergarten, so to speak. My friend and another phone phreaker I met shortly thereafter let me listen in as they each made pretext calls to the phone company. I heard the things they said that made them sound believable; I learned about different phone company offices, lingo, and procedures. But that "training" didn't last long; it didn't have to. Soon I was doing it all on my own, learning as I went, doing it even better than my first teachers. The course my life would follow for the next fifteen years had been set.
In high school, one of my all-time favorite pranks was gaining unauthorized access to the telephone switch and changing the class of service of a fellow phone phreak. When he'd attempt to make a call from home, he'd get a message telling him to deposit a dime because the telephone company switch had received input that indicated he was calling from a pay phone. I became absorbed in everything about telephones, not only the electronics, switches, and computers, but also the corporate organization, the procedures, and the terminology. After a while, I probably knew more about the phone system than any single employee. And I had developed my social engineering skills to the point that, at seventeen years old, I was able to talk most telco employees into almost anything, whether I was speaking with them in person or by telephone.
My much-publicized hacking career actually started when I was in high school. While I cannot describe the detail here, suffice it to say that one of the driving forces in my early hacks was to be accepted by the guys in the hacker group. Back then we used the term hacker to mean a person who spent a great deal of time tinkering with hardware and software, either to develop more efficient programs or to bypass unnecessary steps and get the job done more quickly. The term has now become a pejorative, carrying the meaning of "malicious criminal." In these pages I use the term the way I have always used it - in its earlier, more benign sense.
After high school I studied computers at the Computer Learning Center in Los Angeles. Within a few months, the school's computer manager realized I had found a vulnerability in the operating system and gained full administrative privileges on their IBM minicomputer. The best computer experts on their teaching staff couldn't figure out how I had done this. In what may have been one of the earliest examples of "hire the hacker," I was given an offer I couldn't refuse: Do an honors project to enhance the school's computer security, or face suspension for hacking the system. Of course, I chose to do the honors project, and ended up graduating cum laude with honors."
Can't recommend that book for you :P but in case you're interested to know what Mitnick has to say, you can check his published book The Art of Deception.

1 Comments:
:o :S
Why is it always this way? Whenever someone has the power they usually use it in the wrong direction ..
By
Anonymous, at 1:07 AM