Social engineering is a non-technical method of intrusion hackers use that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. It is one of the greatest threats that organizations today encounter.
Hacking has grown far bigger than anyone could have expected. In the beginning it was about optimizing model trains, but today it’s a whole lifestyle. We see “hackers” in the news almost every day and the business is just getting bigger. If you ask a random person on the street what their view of a hacker is, they will probably reply with something like “It’s a person who breaks into systems”, but that’s wrong. A true hacker is much more than that and can never be reduced to something as small as that description, so today I want to explain what hacking is and how to become a social engineer.
What is hacking?
What do you think of when you hear the term hacker? Most of you guys will probably think of criminal geeks who are butt hurt about something and then decide to take revenge, or “hacking” groups like Anonymous. In that case you are wrong. Those people have nothing in common with real hacking and they are using their knowledge for bad things. The correct term for people like Anonymous would be Cracker (look up the definition if you don’t know why they are called that). The right definition of hacking is “Hacking is the practice of modifying the features of a system, in order to accomplish a goal outside of the creator’s original purpose.” – www.whatishacking.org. The word hacker originates from the fifties or the sixties. One of the places commonly known for having started the hacking culture is MIT. Students from the Tech Model Railroad Club joined together to create new ways of controlling and building model trains. A great improvement of the train or the system was simply called a hack. It then moved on to phone lines and later on into computers. The reason why it moved on into the phone lines was simply that there wasn’t anything else to hack.
A guy who got very famous for hacking telephones and telephone lines (also called phreaking) is John “Captain Crunch” Draper. He is called Captain Crunch because of a famous hack he did back in the early seventies. From the American breakfast cereal Cap’n Crunch he got a whistle which could make a sound at 2600Hz. Since AT&T’s system was controlled by tones, he could cheat the phone system to dial up pretty much everyone for free. He later on created The Blue Box, which made it easier for him to cheat the phone lines. In 1972 he got convicted for cheating the phone company for money and ended up in prison for a short amount of time. According to The Wall Street, in 1978 he hand wrote the first word processor for the Apple II computer, called EasyWriter. He is said to have hand written it in prison on paper and then later typed it into a computer. Hacking was also the reason why personal computers were created by guys like Steve Wozniak. Steve Wozniak created a terminal which enabled him to play chess but at the same time to lurk around on ARPAnet. Shortly after, he joined hacker groups which introduced him to microprocessors. He has later on made great contributions to the development of the microprocessor.
The precursors to Usenet newsgroups and e-mail, boards with names such as Sherwood Forest and Catch-22, became the venue of choice for phreaks and hackers to talk, trade tips and share stolen credit card information and stolen computer passwords. Hacking groups began to form, and some of the first well known were Legion of Doom from the United States and Chaos Computer Club from Germany.
In 1983 the movie WarGames came out and changed the public view on hacking. Hacking went from being something underground and unnoticed to something big. The movie was about a boy who wants to crack into a game company’s computer system to play a game but instead ends up starting a military catastrophe.
The same year, 6 teenagers known as the 414 gang get arrested for hacking into 60 computers. It was not until 1986 that it was made a crime to break into computer systems.
The Morris worm:
As early as the age of 12 he social engineered himself to free bus rides. He’s today known as one of the best social engineers through time. Kevin Mitnick is captured by federal agents and charged with stealing 20,000 credit card numbers.
I encourage you to read his biography. It gives you a true insight into his journey to establish himself as one of the greatest social engineers of all time.
How To Become a Social Engineer
Article from Social-Engineer Newsletter Vol 05 Issue 61
I really must admit that one of the most asked questions we get through the website is something like, “I really want to get into social engineering as a career, what should I read/take in college to give me the best chance?” then followed up by “How do I get into this as a job/career?”
It is a serious question that we have spent considerable time trying to come up with an appropriate answer for. This month I will answer the education piece, by telling you my own thoughts, what I look for when I hire and also what some of my most trusted friends from large companies look for when hiring. Then next month, I will go into how to make this your career.
So you wanna be a social engineer?
I understand why the question comes in so often. This job is pretty cool sounding. We get paid to phish, vish and break into companies every day. That certainly sounds like the dream job – well at least for a lot of us.
Like most careers, it is logical to think that there may be a clear path to education to help you with a leg up in this field. Some people ask me if they should study psychology, if they should get sales experience, others wonder if they should skip school altogether. What’s the answer?
Let’s first ask my good friend Jim. He manages a large team of pentesters that includes red teams, social engineers and some excellent hackers at one of the world’s largest financial institutions. I asked him this question, “If you wanted to hire a young man or woman to be part of your team as a social engineer or pentester what do you look for? Education, experience or a combination?”
Jim says, “First of all I look for experience. But there are certifications that mean something to me like Offensive Security’s certifications (OSCP / OSCE) and the CISSP.
In addition, my mantra is generally: Jack-of-all-trades, master of a couple. I look for folks who have a fairly broad generalist experience, but have taken an interest in deeply diving into one or two.
I also look for mentality; can the candidate think like a bad guy? Is security your job, or a passion? What does your home network look like? And very importantly, does the candidate have the ability to communicate clearly, concisely, and professionally?
Finally, personal references are good, especially when it comes to character, since if you join my team you’re going to have to be a highly trusted individual.”
Thanks Jim, that was very helpful.
I went to another very close friend who has been in the industry for a very long time helping run Black Hat and now running the Global Education and Training practice at Accuvant, Ping Look. Jim, “If you wanted to hire a young man or woman to be part of your team as a social engineer or pentester what do you look for? Education, experience or a combination?”
Ping said, “Accuvant does not look for degrees – experience and ability to pass the practical exams that we administer and references, especially industry ones, are more important.
I know that most hackers’ goals aren’t to be promoted to management but the reality is that everyone has to make a living and having more responsibility within a company usually means a promotion whether it be to management or not. I do know from anecdotal experience of others that at a lot of larger firms, not having a college degree will make it more difficult to be promoted (initially) to management positions.
HOWEVER in a technical field, smart companies know that InfoSec is still an emerging marketplace and that finding a candidate with a college degree, especially in computer science who is also a good infosec practitioner with the necessary experience will be very difficult. Over time, those who prove themselves technically adept and have good management chops end up having the same chance in getting promotions or running teams or being lead technologist or chief research scientist as the guy with a degree.”
Another excellent answer, that really helps us to get a clear picture.
Finally, I went to my good friend, Dave Kennedy. Dave started his own company just a few years ago, Trusted Sec, and went from just a couple people to over 20 people. He obviously knows a thing or two about hiring pentesters. So I presented him with the same question, “If you wanted to hire a young man or woman to be part of your team as a social engineer or pentester what do you look for? Education, experience or a combination?”
Dave said, “I favor experience over education any day. Although a college degree is important, I am looking for someone who has the experience to handle the type of work that we get.
References are important, but I tend to hire people I’ve known and trust in the industry so I always get individuals I know and trust to do the work.”
All three answers really paint a great picture for anyone thinking and asking.
What about Social-Engineer, Inc?
My company has personally grown over the last couple years so I have had to spend considerable time thinking about what it is that I need in employees. Unlike some of the great minds I asked above, my needs are a tad bit different. But let me pick out the similarities from what we saw above:
- Experience always wins. Many of my team have degrees, and some, like Michele, are not only highly educated but trained educators. Even with that, experience is king. Now with that said, there aren’t just slews of people that have tons of experience in phishing, vishing and breaking into buildings without having a criminal record. I will discuss how we get around this particular hurdle in a bit.
- Mentality: This is a big one because there are many components to this particular topic.
- Can the person think like a bad guy? We have a motto in my company, “Always leave them feeling better for having met you.” We apply that to how we want our customers to feel about our services. So although I need my people to be able to THINK like a bad guy, I need them to care enough about the customer that they don’t revel in the bad side too long.
- Desire to learn. We are in a constant state of growth, and part of that is learning how to adapt when the times, attack vectors and methods of the bad guys change. My team has to be willing to do that.
- Learn from failure. I have failed so many times I can’t count them, but the important part is learning from each failure. My team has to be willing to have the same attitude.
- Is this a hobby or a passion? It is important to me to find people who enjoy the work and don’t just look at it as a “job”.
- Performance based education. Right now from what I found, Social-Engineer has the only performance based SE Certification around. I also favor the Offensive Security Certifications as they prove fortitude, persistence and critical thinking skills.
- Critical thinkers. Probably one of the most important aspects of being a social engineer is being able to critically think. To adapt, flex and change your methods on the fly. To be able to think outside the box, as if there is no box.
- Willingness to try new things. Many times my team will be required to try completely new things, new pretexts, new methodologies and new processes.
If you are going to college already and you are thinking of a career in pentesting and maybe even social engineering, then there are some areas of study that can help. Things like computer sciences, psychology and social psychology can all help.
In the end, the fortitude to stick through college, study hard and graduate with good grades can tell a potential employer that you have some great qualities to make a good employee. At the end of the day, social engineering is an exciting and very rewarding career path. Study hard, stay out of trouble and get practical experience where you can and it may just be your career someday too.