Social Engineering by Christopher Hadnagy provides a good overview of the topic of Social Engineering: what it is, how malicious attackers use it and how you can defend against it.
- Bullet Summary
- Social Engineering Summary
- Social Engineering Review
- Watch out for the data you give to strangers and share with the public
- Education is the best defense against Social Engineering
- Confidence, an understanding of human psychology and believing you are who you say you are are the keys to a successful Social Engineering attack
Social Engineering Summary
The first step towards being more secure is accepting that systems are vulnerable and can be compromised. Believing a system is unbreachable is instead the surest way of making it less safe.
Chapter 1: Social Engineering
Christopher Hadnagy lists the different types of social engineers:
- Hackers: since software is becoming harder to break, hackers are moving more and more into social engineering;
- Penetration Testers: they have the skills of a hacker but use them to test their clients’ systems
- Identity Thieves:
- Disgruntled Employees: often difficult to detect as they hide their displeasure. The more disgruntled they become, the more they justify their malicious actions
- Sales People:
- Doctors, psychologists, lawyers
Social Engineering Equations
Christopher Hadnagy says that the Social Engineering Equation is: Pretext + Manipulation + Subject’s Greed = Success
Chapter 2: Information Gathering
Christopher Hadnagy says that gathering information about your target is your very first step and a crucial one.
I loved the story examples with dialogues that the author provides.
He walks into a cafe he saw his target enter, orders the same thing, sits nearby, picks up the newspaper, comments on a conversation-worthy piece of news he read and says:
Even in these small towns things are scary nowadays. Do you live around here?
He then says a few more things and adds:
“I sell X to major corporations, you’re not a higher up in a big corporation are you”
He then says he’s not trying to sell anything but asks if he could stop by the next day to leave some information. To enjoy the full conversation I invite you to get Social Engineering on Amazon.
Chapter 3: Elicitation
Christopher Hadnagy says that elicitation works because it leverages a few inborn human tendencies. For example people:
- Desire to be polite
- Want to seem informed and intelligent
- Talk and divulge more when praised
- Will not lie for lying’s sake (most of them at least)
- Respond kindly to those who are concerned about them
The author says that great conversation requires mastering three steps:
- Be comfortable and confident
- To be comfortable, educate yourself on the topic and don’t pretend you know more than you do
- Don’t be greedy: give and share information as well
Pre-loading is similar to what Cialdini refers to as Pre-Suasion.
Appealing to Someone’s Ego
“You must have an important job and be good at it, X thinks very highly of you”
You can open a conversation with that sentence: if the target accepts it, the conversation starts; if he denies it and corrects you, you learn what he actually does in the company and can move on by saying that he’s very modest.
“You have a background in Ruby on Rails, you should see the work we did at X to expand that language, I’d like to send you a copy”
Expressing interest is another great way to elicit. The author says this is very powerful too because now the attacker controls the next step: what to send, when, and how much to share.
Deliberate False Statement
Making a false statement on purpose leads people to correct you, and it can be a great way to get new, and truthful, information.
When you share something with someone, their natural tendency will be to give something useful back to you.
We tend to be more open with people whom we perceive as already knowledgeable about something. So if you can seem very knowledgeable about a certain field, the target will be more willing to share insider information with you.
Leading Questions Manipulation
Christopher Hadnagy goes a bit into open-ended questions, closed-ended questions, which can be used to take someone where you want them to go, and, most interesting of all, leading questions that manipulate someone’s memory.
He says that if you show someone the picture of a child’s room and ask them if they saw the teddy bear, it implies one was in the room, and the person is likely to say yes because it seems logical, or even expected, to have a teddy bear in a kid’s room.
Assumptive questions assume the target has knowledge and knows the answer. The author says it’s used by law enforcement, for example when asking “where does Mr. Smith live?”, assuming the target knows the answer.
Chapter 4: Pretexting
Christopher Hadnagy says the best way of living your pretext is to become the person you need to impersonate.
Two tips I liked:
- Avoid “hmmm” before answering: it makes it obvious you don’t know the answer
- If you need two seconds, you can pretend you’re going to ask a colleague
Chapter 5: Mind Tricks
Christopher Hadnagy starts the chapter saying that movies and comics often present larger than life characters who can recognize someone’s lying simply by looking at them. These representations are fantasies.
Senses of Reference
Christopher Hadnagy says that although we have five senses, we mainly rely on three when forming our thoughts. They are:
- Sight – Visual Thinker (“I see what you mean”, “I see where you’re coming from”)
- Hearing – Auditory Thinker (“I hear you”)
- Feeling – Kinesthetic Thinker
It’s important to understand the mode because it helps you meet people in their comfort zone, and the more you can make the people around you comfortable, the higher your chances of success.
The author highlights that finding and using someone’s dominant sense is not an exact science and you should not fully rely on it.
I fully agree with him that, although you can become proficient at reading micro-expressions, you can’t really be sure what’s behind an expression or why it’s happening.
You will probably not use the side of NLP dealing with hypnosis, but NLP can serve you well through the use of voice, language and word choice to guide people where you want them to be.
The author says changing the tone of voice can change the meaning of a sentence and how the target will perceive it. For example, asking “don’t you agree” without raising your voice at the end makes it sound more like a command than a question.
Ultimate Voice – Embedding Commands
Christopher Hadnagy says that embedding commands is a great skill to develop.
Pick positive words when you want your target to get into a positive state of mind and negative words when you want your target to think negatively about the topic.
Building Instant Rapport
Christopher Hadnagy says that the prerequisite for building rapport is liking people and being genuinely interested in them. He also stresses clothing and personal appearance.
Chapter 6: Influence
The author talks about the power of compliments and how easy it is for beginners to use them wrong. “You have beautiful eyes, can I use the bathroom?” is the wrong way of doing it.
Commenting on the picture she has on her desk, saying they’re beautiful kids, asking if they’re her children, and then mentioning that you have children around the same age is the right way of doing it instead.
Christopher Hadnagy says that gifts are very useful and that sending a small gift and then saying that all you ask in exchange is a visit to your website to download the catalogue worked every time.
Giving a concession is also a great way to get something in exchange (check Reciprocity in Persuasion by Cialdini for more).
Social Engineers will often pretend to be an authority figure to get people to comply with their requests or to let them enter and leave the premises unchallenged.
The author says that authority is especially powerful when people are acting on autopilot.
Creating stress, anxiety and fear makes people more likely to do what the Social Engineer asks.
Chapter 7: The Tools of Social Engineering
Christopher Hadnagy goes into locks, lock picks, GPS trackers, cameras etc.
This goes a bit outside the scope of this website.
Chapter 8: Case Studies
The author mentions a few very interesting case studies here, both from his personal experience and from other famous Social Engineering attacks.
I invite you to check the full book for this part.
Chapter 9: Prevention and Mitigation
Christopher Hadnagy says that it’s paramount to have a good disaster recovery plan and an incident response plan in place, because a malicious attack is more a question of when than if.
In Social Engineering you can’t just throw money at the problem to make the system more secure, though, because it’s often a matter of people and education.
Some Unneeded Info?
I felt the information on actual software was too detailed and only took up unneeded space. The specifics of programs and software will get old in a few years and can be easily retrieved with a Google search.
Can’t Go Deep
“Social Engineering: The Art of Human Hacking” mentions so many different things that it’s only natural it can’t go deep into most of them. So it ends up being an overview of many topics, which someone might appreciate, but in the fields I love I prefer the depth of insight to the breadth of overviews.
Social Engineering Review
If you want Social Engineering because you’re into social arts, psychology and human relationships, the book has some good examples, but you can find better (check my book summaries and my social skills guide).
However, it can give great value to:
- Hackers with few people skills
- People who want to learn Social Engineering basics
- People who want to learn more on how to defend from scams
In all three cases above it’s a useful book, and I particularly loved the examples. Those were also helpful for people relatively advanced in the social arts.