The audience in the room is weirdly quiet. The contestant is in a small plexiglass booth with nothing but a phone, a laptop computer and some notes. A set of speakers outside the booth broadcasts the sound of a dial tone as a woman on the stage begins to dial a number. It is apparent she is not phoning a friend. The dial tone changes to a ring tone, and moments later, the other end picks up.

“Hello…<company redacted> IT department. How can I help you?”

And with those words, the game begins.

Human beings—well, most of us anyway—are wired to help. If we see someone in trouble, we want to assist them. It is what has kept our rather soft and squishy species alive when there were lions and tigers and bears trying to eat us. Strength in numbers and all that. When we see a car broken down on the side of the road, or notice a little old lady trying to cross the street, there is that instinct to lend aid.

In the social engineering world, attackers depend on and exploit this instinct. There is a rather common cliché in InfoSec: the weakest link in computer security is the human. You can have the strongest firewalls, the most expensive intrusion detection, and/or the most complex security system in the world, but none of that matters if the janitor leaves the doors unlocked or if the front desk staff freely gives out information about your company.

To put it bluntly: social engineering is the tactic of using human psychology against a mark to get them to do what they normally would not (and should not) do. Or, as P.T. Barnum once said: “There is a sucker born every minute.”

And that is what takes