When I speak to people (non-infosec types) about the work and research I do around the content I post on Head Hacker, I normally get a few responses: shock, disgust and intrigue. People are shocked because they are not aware of some of these skills and processes; they are disgusted because it's not right, it's not ethical, and it's a breach of human rights; and then we have the intrigue as I start to really explain what it's all about and what I am doing. People are curious about how this knowledge can help and protect them.

So this got me thinking: perhaps I should write a post on why I think people consider social engineering unethical, and why I consider the majority of it to be ethical, although I do think in some circumstances there is a grey area. I have asked quite a few people about their ethical standpoint when it comes to social engineering, as I have on a couple of occasions had semi-heated discussions with organisations about techniques that can and can't be used on an engagement. I personally find most professionals ethical in their approach, but some comments from some do make me shudder. I am confident that I only operate in areas where I feel comfortable that I will be operating in an ethical manner; other areas I have not quite figured out continue to be researched and debated, both internally and externally.

In the research I have done on the ethics of social engineering, I have really not found much written about it; perhaps people don't care? I think it is a real issue that all professionals should consider and take time to reflect upon.

Why people think Social Engineering is unethical….

In my experience most people say social engineering is unethical because you are tricking or conning someone, stealing data about them, using that information to access sensitive information, get free stuff, gain entry, and generally manipulating people to do things or disclose information. I totally understand this thought process, and in a way I think they are correct: there are people out there doing this, and they are both good and very effective with the skills they have; they have become lifetime criminals.

The key issue here is perception, and it's a negative one. Not everyone uses their knowledge and skills for breaking the law; they use their skills and knowledge to better the populace, and to inform and educate so that people are less likely to become a victim. The truth of the matter is, you don't really stand a chance of beating the bad guys unless you are exposing yourself to the same skills, tools and environments.

To draw an analogy, medicine in the right hands can be used to cure and relieve pain. The same medicine in the wrong hands, and with the wrong intent, can be used to inflict pain and even kill. Knowledge, process, tools, etc. can all be used for positive and negative ends; it's the individual who is responsible for the actions and the result.

Why and how I think Social Engineering can be ethical….

The first reason I think social engineering is ethical is down to intent. Now I am not saying that the outcome of an exercise could not enable someone to do something malicious, but I don't think this is a justifiable reason not to gain knowledge, research, test and experiment. If we never did this, the human race wouldn't evolve. So I feel that any social engineering engagement or activity I undertake or become involved in is for a positive outcome, and where appropriate I always seek permission at a high level, understand any specific areas that are no-go, and use my own common sense and experience to guide me. People intentionally manipulate people every day; we have all been doing this since birth. We all have different reasons for manipulation; perhaps we feel it would be best for the person, or best for us. When we negotiate to get a reduction on an item we are buying, this is a form of manipulation, but as we feel we are not harming anyone, it's considered ethically and morally OK.

So I feel that if you are researching, carrying out SE with permission, and using the information to benefit people, educate them and bring awareness, it can be ethical, and this is certainly how I believe I go about things.

It’s a little grey….

So there are some grey areas. Can an organisation give you permission to manipulate and extract information from the staff it employs? Should people who are subject to social engineering activities be punished for being the weak link in the chain? If you gain generic permission, let's say to hypnotise, and then use this permission to extract sensitive data, is that OK? I am sure we can all think of many more situations that are not so clear.

To be honest, when it comes to these grey areas I am not sure of all the answers. However, I try to limit them by defining up front, in an appropriate level of detail, what could happen as part of the assessment, the types of scenarios and ways of extracting data, and that individuals will not be named in reports. Obviously the company may use other techniques to help identify how this information was gained, but that is outside my scope of responsibility. So to that end I would say that I am operating in an ethical manner, and so would anyone else who has considered the above issues. When in doubt, don't do it; if your internal ethical and moral compass is unable to guide you, get additional information and input from others who are in an informed and experienced position.

I certainly don't think the grey areas are a reason not to carry out social engineering engagements. The criminals are not concerned about ethics, and to test effectively we need to adopt that mindset to a certain degree. It is also important to share our thoughts and research, and we have to let individuals dig further and use this information as they feel is most appropriate.

So to conclude: if you are interested in social engineering, and you want to work with, investigate and research the skills associated with it, do so in a professional and ethical manner. Be mindful of what you're planning and put yourself in the subject's position: how would you feel if someone did to you what you are planning on doing to them? If you're happy with that, then it's most likely a good sign you will be operating in an ethical manner.

No one has all the answers, but it's a conversation worth having, and to continually question is a good thing. I hope people reading this will want to share their thoughts and experiences, so I welcome and look forward to reading your comments.

Last night I went to see Derren Brown's Enigma show at the Alexandra Theatre in Birmingham. It's no surprise that I am a huge fan of his work; he's a great manipulator and performer. The show was excellent. I really enjoyed the control Derren has over his audience, and what I consider to be very subtle and highly effective linguistic skills. The show lasted almost 3 hours including a little break (I took the opportunity to do some card mentalism at the bar), and he really was on form throughout. Derren asked that no one speaks about the content of the show, so I will respect his wishes, but I really do recommend you go and see it if you can; you will not be disappointed. The show has given me some other ideas and applications for my mentalism, as well as another possible SE approach, and I look forward to developing these.

I will say I only had one disappointment, and that was not getting to say hello to Derren after the show. Apparently he wasn't feeling too well, which is fair enough; shame the guy on the door was a complete arse (not part of Derren's entourage).

I am sure this will be released on DVD at some point, as I believe it was filmed, and he has a new book coming out soon, so if you're a fan keep on the lookout.

Some of you may have gathered by now that, as well as infosec, social engineering and hypnosis, I am also interested in a bit of trickery pokery: magic.

In recent months I was asked to carry out an impromptu social engineering exercise as a favour to someone. Of course I obliged; I almost bit their hand off, in fact, but we will keep that a secret. Anyway, I had discussed the generic process and results of this test with a few people, and they also found it amusing and suggested I make a post. So here we go.

You know the recon: give the building a little tour, and you are not surprised to see access-controlled doors, locked windows and turnstiles on the main entrance to stop tailgating. As we continue on our little wander we find a rear entrance, but it is also access controlled. No big surprise. Then, from the corner of our eye, we see something beautiful: that's right, it's smokers' corner. The smoker is a common helper to the social engineer, and normally we could fake having a cigarette. Two problems: I have no smokes, and I don't smoke. However, I do have a pack of cards on me, as I have been taking every opportunity to practise some of my tricks whenever a spare 5 minutes arise. So I sit down on the bench just up from smokers' corner and start shuffling the cards and having a little mess about.

Almost 45 minutes later, a few people have been and gone, but one guy just can't resist any more. He approaches me and in a joking tone asks, "What do you think you are, a magician or something?" There is my cue. I show him a simple trick, a card prediction. He's impressed and laughing; rapport is building. He asks me if I know any others, so I get him to pick a card and remember it, and then go through the deck and reveal his card. He is loving it, and let's face it, who doesn't like magic? :) However, it's getting cold and I have got work to do, so I suggest we had best go in, as I am cold and my work won't do itself. He kindly walks with me to the rear entrance and, without asking, swipes his card and lets me in. Access gained.

I am still not sure if what happened next was a good or a bad thing, but he asks me if I know any more tricks and if I would show his workmates. I explain that I need to get on, but I can do something quickly. So he takes me to the first floor, to where he sits with his two workmates. I do a quick triple card routine, which involves a bit of mind reading. They are amazed and love it. Now I really need to go.

I head down a corridor and locate a small empty meeting room. I find a network point and plug in my La Fonera. Lights are on; we have lift-off. I head back down to the rear entrance, where a few people are off out for a cigarette. I tailgate out and head back to the car.

In the comfort of the car, I load up BT4 (BackTrack 4), connect to my La Fonera, which is connected to the corporate network, and do what needs to be done, with that little smirk on my face at what a great few hours I have had.
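The story above ends with an unapproved device sitting on the corporate network for hours. The check below is an added example, not part of the original post or anything the engaged company ran: it parses DHCP server log lines in the ISC dhcpd syslog format and flags any MAC address that is not in the asset inventory. The inventory, hostnames and log lines are all constructed for the example.

```python
"""Flag devices on the wire that are not in the asset inventory.

Added example (not from the original post). The idea: after an engagement
like the one above, compare what is actually requesting addresses
(DHCP lease log) against the list of approved hardware, and alert on
anything unknown. All data below is constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed asset inventory: MAC address -> asset name (hypothetical values).
ASSET_INVENTORY: Dict[str, str] = {
    "00:11:22:33:44:55": "finance-ws-01",
    "00:11:22:33:44:66": "finance-ws-02",
    "00:11:22:33:44:77": "meeting-room-printer",
}

# Constructed log lines modelled on ISC dhcpd's syslog output.
# The last two lines represent an unknown device appearing mid-afternoon.
SAMPLE_LEASE_LOG = """\
Mar  3 14:02:11 dhcp dhcpd: DHCPACK on 10.0.5.21 to 00:11:22:33:44:55 (finance-ws-01) via eth0
Mar  3 14:05:40 dhcp dhcpd: DHCPACK on 10.0.5.22 to 00:11:22:33:44:66 (finance-ws-02) via eth0
Mar  3 15:31:07 dhcp dhcpd: DHCPREQUEST for 10.0.5.88 from aa:bb:cc:dd:ee:ff via eth0
Mar  3 15:31:07 dhcp dhcpd: DHCPACK on 10.0.5.88 to aa:bb:cc:dd:ee:ff via eth0
"""

# Only DHCPACK lines matter: they confirm an address was actually handed out.
# The "(hostname)" group is optional because not every client sends one.
LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: Optional[str]
    iface: str


def parse_leases(log_text: str) -> List[Lease]:
    """Return one Lease per DHCPACK line; other DHCP messages are ignored."""
    leases = []
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            # Normalise the MAC so inventory lookups are case-insensitive.
            leases.append(Lease(m["ip"], m["mac"].lower(), m["host"], m["iface"]))
    return leases


def find_unknown_devices(leases: List[Lease], inventory: Dict[str, str]) -> List[Lease]:
    """Leases whose MAC is not in the inventory, one entry per MAC."""
    seen = set()
    unknown = []
    for lease in leases:
        if lease.mac not in inventory and lease.mac not in seen:
            seen.add(lease.mac)
            unknown.append(lease)
    return unknown


if __name__ == "__main__":
    for lease in find_unknown_devices(parse_leases(SAMPLE_LEASE_LOG), ASSET_INVENTORY):
        print(
            f"ALERT unknown device {lease.mac} took {lease.ip} on {lease.iface} "
            f"(hostname: {lease.hostname or 'none'})"
        )
```

Treat this as a detection, not a control: a MAC address is trivially spoofable, so a device configured with the address of an approved workstation would pass the inventory check. Port-based authentication (802.1X) or switch port security on the meeting-room network points is what would have stopped the La Fonera getting an address at all; the log check is the cheap way to notice that it did.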

So basically the magic was just another method to build rapport, and a point to build upon. I don't think it could be used everywhere, but in general people like magic and are fascinated by it. The best bit was the debrief the next day with the company; they couldn't believe the chain of events, and of course I had to show them one of the tricks again.

So I have posted the basics of this due to requests, but also to demonstrate a key thing when social engineering: use what you know and what you have available to you, and think outside the box.