Talk:Social engineering (security)

From Wikipedia, the free encyclopedia


limits

All this talk on changing the category, and nobody's done it yet? I'll gladly volunteer. 65.9.221.117 19:48, 24 September 2005 (UTC)

Isn't social engineering more than just getting them to reveal sensitive information? Isn't getting them to do something other than that also social engineering? Example: I call up blockbuster, pretend to be another store, ask them to remove my balance, and they do that. That's social engineering ne?

Yes! Absolutely! Obtaining sensitive information is but one goal, albeit typically the end game of social engineers who are being paid to do their thing. Social engineers, in general, will use deception, guile and bravado (a.k.a. "cojones") to get their marks to reveal sensitive information directly OR unwittingly provide access to such information, for example by loading a Trojan. If the 'sensitive information' includes, say, the ROOT password, well, you can see where I'm heading. "All your base is ours". [NoticeBored]

My concept of social engineering goes beyond just computer security, but security in general. The computer is merely the means to access some information, or the means to perform some action. Replace the computer with an entry porter, or the secretary to a company, or someone's PA and social engineering would apply just the same. Like the first comment in this section, I therefore believe this article is too limited. What do others think? -Wikibob | Talk 04:16, 2005 Jun 18 (UTC)

Yes again! Sales reps, as a breed, are consummate social engineers. So too are three-year-olds (trust me, I'm a parent). Aside from dealing with family friends, a good proportion of human communications could be classified as social engineering in the widest sense. Politics and sales especially. [NoticeBored]

As mentioned above, Social Engineering does not just apply to computer Security. And let's not mix social engineering with manipulation. Three-year-olds are not social engineers; they manipulate. There is a dim line between manipulation and Social engineering but, it is there. Social engineering on the other hand is a means to something else, it is a "planned" process with a "specific" goal to circumvent protocols, i.e. to gather intel for later use in stealing data (Computer Security), or pretending you are another Blockbuster store to clear out a balance is using social engineering to commit fraud. Social engineering should stay within the category Security. Protocols are your processes for protecting what is yours, i.e. that the engineer does not discuss the cost of a project with a sales rep, or that employees never give out their passwords.

Cryptographic attacks

Is the category:Cryptographic attacks really suitable for this? --Easyas12c 09:43, 25 Jun 2005 (UTC)

I don't think so. I made the translation to the Spanish version and labeled it Categoría:Seguridad informática. I think it should be changed to "Computer security" instead, although it's applicable to every security facility, just as said above. --Endo/Spanish Wikipedia
Endo 22:58, 18 August 2005 (UTC)

Scope?

Social engineering is also used for non-computing; it's limitless in its boundaries. Many a stalker or sociopath has used social engineering to get into the life of their victims to create a similar lifestyle from which to "be" the victim. —Preceding unsigned comment added by 142.166.146.178 (talk • contribs) 22:28, 15 May 2006 (UTC)

Yes, social engineering is definitely more than a computer security issue. (I've done it offline on several occasions — we all have at one time or another.) Perhaps this should be moved to Social engineering (psychology) or some-such. æle  2006-05-24t23:51z

"Social engineering"

Isn't Kevin Mitnick the person that coined the phrase 'social engineering'? --Abdull 19:29, 16 Jun 2005 (UTC)

NO -- he popularized the term but it's been around longer than he has. It's also known as pretexting. 24.126.126.105 04:43, 18 September 2006 (UTC)

Perhaps I'm talking to myself, but I had fun writing it...

It's unfortunate that someone has been able to co-opt a perfectly good/legitimate concept and apply it to the act of deception in order to give it some aura of legitimacy and status. I'm not sure which is worse - the lack of imagination demonstrated by authoritative professionals and thought leaders in a position to offer jargon in the world of technology, or the intellectual laziness on the part of those who misuse this and other terms so willingly. Mangling the language is another form of social engineering - right speak spoken here?

Intellectuals, heal thyself!

From Wikipedia... Politics and the English Language (1946) is an essay written by George Orwell in which he criticizes "ugly and inaccurate" contemporary written English and asserts that it was both a cause and effect of foolish thinking and dishonest politics. He calls "vagueness and sheer incompetence" the "most marked characteristic" of contemporary English prose and especially of the political writing of his day. The essay also criticizes contemporary writers for preferring the abstract to the concrete, claiming this reduces precision of thought. He notes that insincerity is the enemy of clear prose and that much contemporary political writing was in defence of the indefensible. Orwell argues that, in addition to being aesthetically unpleasant and disingenuous in its discussion of politics, bad writing is morally wrong.[1] Orwell "believed he was [morally] bound to give as much of himself to his writing as he could" and so "drove himself relentlessly" to avoid the kind of bad writing he describes in the essay.[2]

Orwell asserts that the English language is in decline, but that the decline is reversible. He gives five examples of bad contemporary writing and criticizes them for "staleness of imagery" and "lack of precision." The essay describes the "tricks" his contemporaries used to avoid the work (and thought) of constructing clear prose: overused (or "dying") metaphors, "operators or false verbal limbs" that were used in preference to simple verbs, pretentious diction and "meaningless words." From: http://en.wikipedia.org/wiki/Politics_and_the_English_Language

the dimestoresage

Close Ties to Con Artistry

Social Engineering does have close ties with conning people out of, say, money. Rather, it's for information. Getting something for nothing or very little is a big part of social engineering similar with cons.

Also, here is another thing to consider... A person who has an interest in something can obtain parts of that information from one individual, and another, and another, then put the pieces into perspective; while confirming with others, the big picture can be formed, when the single individuals might find it trivial amounts of data.

Just my two cents. (Unsigned)

You're certainly right, however the term "Social Engineering", at least in the last 10 years or so, has more been linked with computer fraud, hacking and various techniques used for information gathering. What you DO with the information (theft, fraud, whatever) does not matter or really even apply to the term - it's just the collection of techniques used to get the information. 24.126.126.105 04:20, 27 September 2006 (UTC)

Guys, guys! Social engineering is a term much older than 10 years and much much different and broader than hacking or anything related to computers. It is a concept in the field of politology and sociology and refers to "initiating/making a deliberate transformation in society". In this sense what Hitler did with the German people before WWII is a perfect example. But Social Engineering doesn't have only negative meaning. I kind of represent an organization, whose name is Alliance for Social Engineering and the mission of it is to initiate positive and desired transformations in the society.
Andrey, Bulgaria —The preceding unsigned comment was added by 213.91.242.67 (talkcontribs).
Yes, that's called Social engineering (political science), and is not this article. McKay 19:52, 19 December 2006 (UTC)

Add Pretexting by Police

I am the person who has twice tried to add a paragraph on pretexting by the police. It read:

"Some pretexting comes from where you would least expect it - the officials who are supposed to protect you! In California, many police departments send out computer-generated red light camera "tickets" that have not been filed with the Superior Court and thus have no legal weight. The intent is to bluff the registered owner into contacting a website, or writing back, and revealing the name, address and driver's license number of the person who was driving the car. Fake ticket"

The first person who removed it explained his action with this note: "remove opinion and rant without references."

His short note seems to make three assertions. That the article is not factual ("opinion"), that it is a rant, and that it is without references. To him:

1. It is factual, albeit something that you didn't know about before. (But learning new things is the purpose of reading an encyclopedia, isn't it?)

2. A "Rant" is "loud, wild, extravagant speech." My paragraph doesn't begin to qualify.

3. The link given at the end of my paragraph refers to a large website with a full discussion of the fake tickets, including images of examples from four cities. —The preceding unsigned comment was added by 71.116.129.206 (talkcontribs).

So, now that you've talked on the talk page, and defended yourself. I'm going to add my rebuttals:
  1. Highwayrobbery.net isn't notable. Google("link:highwayrobbery.net") returns 25 results, 10 of which are either wikipedia (or derived from it), or are from the site itself. This leaves 15 links. I'd prolly put that at a non-notable level.
  2. Now that I've read the content of the page, it's interesting and helpful information, but it is Original Research, which is frowned upon in wikipedia.
As a summary, I don't think that there is a problem with the content, but I think that we should find a better source than the one provided. McKay 13:11, 28 September 2006 (UTC)
Also, see Talk:Phishing for more information.

If anyone else here would like to participate in a discussion of the suitability of the entry, please join in, in the discussion section of "Phishing," under the heading "Phishing by the Police."--Einsteininmyownmind 17:29, 29 September 2006 (UTC)

While I'm certain your claim is legitimate, that's not the problem with your entry here. Your entry is specific to abuse of power by the police and more appropriate to something dealing with that (e.g. Police abuse of authority or something). It's kind of like discussing how you painted your house under the paint topic: yeah, they're related, but someone interested in paint and what it is is not likely interested in your specific experience. Check out: Police#Ethical_issues_related_to_police to see what I mean. There is a whole area devoted to that topic and your reference to phishing and pretexting would make a lot of sense there and probably open up the minds and eyes of a lot of people who would never look up this stuff normally. 24.126.126.105 20:15, 7 October 2006 (UTC)

In Government Health Solutions...

In Government Health Solutions we encounter Social Engineering tactics as a means for unsubs to gather information on Medicaid or Medicare clients for purposes such as identity theft or locating abducted children. While it is true that some use Social Engineering in attempts to access our systems, the majority of violations occur over the VOIP.

This topic should include discussion of Systems Security, but I would hesitate to merge them.

Personalities

Social engineering is used primarily, but not exclusively, in a hacker context. It would be a good idea maybe to include a section of famous social engineers, i.e. Mitnik, Archangel, Desperado, and Frank Abagnale... Chahax 21:06, 7 March 2007 (UTC)

Quick question regarding Archangel. His nickname was "The Greatest Social Engineer of all Time", and I'm having some trouble expressing that. I can remember him being called that on the radio and a lot in the newsgroups. I know the guy used to have a website, but I can't find it to cite it. Anyway, I keep changing the text attempting to satisfy, but I'm not having much success. Would it help if I simply spelled out that it was a NICKNAME, that I'm not trying to say he was ACTUALLY the greatest social engineer of all time?

Would it help? Yes, because saying that he is the greatest social engineer would be very hard to WP:VERIFY (see WP:PEACOCK). But in order for the nickname to remain, we're going to need a verifiable source. McKay 13:29, 12 March 2007 (UTC)

Whoa, somebody deleted the whole thing!... it's one thing to debate about the nickname, it's another thing to wipe out the entire entry. Chahax expressed that it was a nickname and provided a reference; that should be good enough for anyone, and is certainly more documentation than is given in other questionable parts of the article. Paste a "citation needed" tag if you feel that way, but you can't delete the entire entry, that's vandalism. I'm replacing the entry. If it is removed again I'll take this up the ladder. Vandalism and edit wars won't be tolerated! Sue Rangell 18:55, 12 March 2007 (UTC)

Thanx for reverting it. I never could stand Archangel either but deleting the entire section was a little overboard; after all, I did find very good verification of the facts, plus stated that it was a NICKNAME. For those who weren't around then, the nickname wasn't meant to be complimentary, people called AA that because they thought he was full of BS! I won't get into an edit war over it though. If it happens again I'll just go to an admin. Chahax 04:42, 13 March 2007 (UTC)

I linked Archangel to the phirm wiki (Basically because it needed to be done), but I can't find the website either. I remember it had something about the feds in it, but I don't feel like wading through 7000 usenet posts about Archangel to find it. Does anybody know the website offhand? Sue Rangell 19:53, 12 March 2007 (UTC)

Vandalism is putting a bunch of irrelevant information in the front of a definitive article on a subject. If you want to build a pillar to "Famous" Social Engineers, create a page but don't keep adding lines of text that have nothing to do with the subject, especially before the term is defined. It's like talking about famous painters under "paint" before paint is described - it doesn't make sense. Sorry if I deleted your paragraph prematurely, perhaps quick on the draw before I saw that (gasp) someone is using talk in the SE page - but I wrote most of this article and am used to cleaning up (see past edits). 76.80.8.65 07:15, 13 March 2007 (UTC)

You say you're sorry for deleting his paragraph, but then you went and did it again anyway. A list of prominent social engineers IN THIS ARTICLE is extremely important. You didn't move the name elsewhere on the page, you moved them straight OFF. Finally you claim you've written most of this article, yet this is the first time your IP has appeared here, and even if I were to give you the benefit of a doubt, I would point out that this article is not your own private sandbox to do as you please. Deleting very important and relevant information is VANDALISM, especially since you have apologized for doing it once already! Sue Rangell 17:52, 13 March 2007 (UTC)

I wrote the entry after making the change, thus the disparity. No offense was intended, please don't read into it more than that. In any case, the biggest issue with the recent changes is that the writer is confusing Social Engineering with Confidence Tricks and hijacking the opening paragraph with homages to people he likes. It's irrelevant to the article. What might you suggest in this case dear Sue? As for authorship, I prefer to remain anonymous and change my IPs regularly - note that most content comes from anons. 63.138.87.171 20:49, 13 March 2007 (UTC)

Pretexting

Speaking of websites, there is also one out there about pretexting which lists a lot of people who did it, but I can't find it via Google.

Does anyone know the site I'm talking about, and the URL? Sue Rangell 19:59, 12 March 2007 (UTC)

Pretexting is pretty common in many industries and, being that fame impacts an individual's effectiveness, it's unlikely that anyone good at it would tout their ability. Fourteen-year-old boys with a lot of testosterone, poor social skills, pallid skin and lots of black clothing are typically quick to claim themselves as "the best." Getting poor suckers through a Motel 6 auto attendant to believe you're the front desk & give you a credit card number is truly beginner's stuff. Don't you believe it - the best you will rarely hear of, if at all. 76.80.8.65 07:05, 13 March 2007 (UTC)

Edit War Prevention

I have moved the notable social engineers to their own section, below the explanation area per request. I hope that this solution will satisfy all parties involved. I really do. The whole thing seems more organized and readable too. Sue Rangell 20:10, 13 March 2007 (UTC)

Great move, but was Pappy a Social Engineer or a Con Artist? Per the description of both I'd say he was the latter. SE typically has an end result of information systems access, otherwise it's just a con - no? What would you use as the defining factor between the two? 63.138.87.171 20:54, 13 March 2007 (UTC)

Good question. Certainly it seems that the qualifier should be an access to some type of information. It might be a good idea to add a citation request there. If a decent citation cannot be provided, my vote would be to remove the Pappy Boyington reference. Since he was pre-computer age, I don't see why he should get his own blurb in any event. Sue Rangell 21:22, 13 March 2007 (UTC)

Sue, I disagree with your view about Pappy Boyington, but I'll go along with it, and here is why: I think you did a hell of a job preventing an edit war between 65:138.87.171 (or whatever) and myself. I tend to get a bit passionate about things I love, and I suspect my counterpart is much the same. I never meant to rock the boat so I will let cooler heads prevail and take a back seat on this issue. Your solution is very acceptable, thank you. -Chahax

social engineering of social engineers

Should it be mentioned that even people who social engineer other people for a living aren't immune to social engineering? (I.e. nobody is 100% immune to social engineering) Some people spam the spammers and make them do silly things like balancing a loaf of bread on their head (by social engineering them) as seen on [1]. --Soylentyellow 21:23, 20 May 2007 (UTC)

If it can be added in an attributable manner. McKay 14:48, 22 May 2007 (UTC)

Bogus listings

Someone keeps putting in a reference to 'Archangel' - A hacker I guess, but the references are bad and no real name is used. I deleted it after I could find nothing on this guy at all in regard to Social Engineering, much less any cite-able reference to "Greatest social engineer of all time." Anyone have comments? Lexlex 04:26, 27 July 2007 (UTC)

"Pretext" redirect and lack of disambiguation

"Pretext" redirects to social engineering even though it is a much larger concept than "pretexting." For example, a link to "pretext" in the Sept. 18, 2007 "On this day..." article on The Mukden Incident links here even though that use of "pretext" has no connection to social engineering. Turtle Falcon 02:25, 18 September 2007 (UTC)

Using social engineering on IT staff

Q. Does this count as social engineering? A hacker calls up the IT helpdesk of a major company and says, "Hi, this is Nathan Sanford in accounting. I forgot my password. My account is nlarson7." Then the IT guy says, "OK, Nathan, I've reset it to abc123." Captain Zyrain 13:24, 22 October 2007 (UTC)

A. Yes, that's a simple example. So too is someone pretending to be from IT and calling users to get their login details, or to download/install a Trojan or ..... NoticeBored 02:50, 6 November 2007 (UTC)
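The helpdesk exchange above is the textbook case, and the cross-checks a reset procedure can apply to it are easy to show in code. The Python below is an added example, not from the Wikipedia article or this discussion. The directory entries, phone numbers and the owner assigned to the account "nlarson7" are constructed so that the mismatch in the quoted call is visible; the rule that a temporary password is only released after a callback to the number on record is a policy assumption, not something the page specifies.

```python
"""Helpdesk password-reset gate.

Added example (not from the Wikipedia article or this talk page). It models
the checks a helpdesk can apply before resetting a password over the phone:
the claimed name must match the directory owner of the account, the
temporary password is only released after a callback to the number on
record, and every request is logged. The directory below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import secrets
import string

# Constructed directory: account id -> (owner's full name, phone on record).
# "nlarson7" and "Nathan Sanford" come from the example in the discussion;
# the owner assigned to nlarson7 here is invented so the mismatch is visible.
DIRECTORY: Dict[str, Tuple[str, str]] = {
    "nsanford": ("Nathan Sanford", "+1-555-0101"),
    "nlarson7": ("Nina Larson", "+1-555-0102"),
}

AUDIT_LOG: List[str] = []  # in practice this goes to the ticketing system / SIEM


@dataclass
class ResetRequest:
    claimed_name: str
    account: str


def screen_request(req: ResetRequest) -> List[str]:
    """Return the reasons a request fails identity screening (empty list = passes)."""
    reasons: List[str] = []
    entry = DIRECTORY.get(req.account)
    if entry is None:
        reasons.append(f"no such account {req.account!r}")
    else:
        owner, _phone = entry
        if req.claimed_name.strip().casefold() != owner.casefold():
            reasons.append(
                f"caller claims to be {req.claimed_name!r} but {req.account!r} belongs to {owner!r}"
            )
    AUDIT_LOG.append(f"reset request for {req.account!r} by {req.claimed_name!r}: "
                     + ("passed screening" if not reasons else "; ".join(reasons)))
    return reasons


def callback_number(account: str) -> Optional[str]:
    """The only number the temporary password may be delivered to: the one on record."""
    entry = DIRECTORY.get(account)
    return entry[1] if entry else None


def issue_temp_password(account: str, callback_confirmed: bool, length: int = 12) -> Optional[str]:
    """Issue a one-time password only after the callback to the number on record succeeded.

    A fixed value such as 'abc123' is never used: each reset gets a fresh random
    password that must be changed at first login.
    """
    if account not in DIRECTORY or not callback_confirmed:
        AUDIT_LOG.append(f"temporary password for {account!r} withheld "
                         f"(callback_confirmed={callback_confirmed})")
        return None
    alphabet = string.ascii_letters + string.digits
    pw = "".join(secrets.choice(alphabet) for _ in range(length))
    AUDIT_LOG.append(f"temporary password for {account!r} issued via callback to {callback_number(account)}")
    return pw


if __name__ == "__main__":
    # The call from the discussion: the name and the account do not belong together.
    suspicious = ResetRequest("Nathan Sanford", "nlarson7")
    print(screen_request(suspicious))
    # A request that passes screening still gets nothing until the callback succeeds.
    legit = ResetRequest("Nathan Sanford", "nsanford")
    print(screen_request(legit), issue_temp_password("nsanford", callback_confirmed=False))
    print(issue_temp_password("nsanford", callback_confirmed=True))
    print("\n".join(AUDIT_LOG))
```

The two checks are deliberately independent: the name/account cross-check catches a caller who has picked up a username but not its owner, while the callback requirement means that even a caller who knows both gets nothing over the inbound call itself. The audit log is what lets a security team notice a run of failed screenings against the helpdesk.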

Trojan horse/gimmes

This section is misleading. A trojan is simply malware that hides in or poses as something else. If I write a bad program and name it MSWord2009.zip.exe and offer it to a less attentive distributor of stolen content, that too would be a trojan. However, the section talks only of email attachments which, while Trojans, are more commonly dealt with as "email viruses", as the aim of the attachment is to send itself out via email. --Lord Matt (talk) 08:08, 22 November 2007 (UTC)
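The point that a Trojan is whatever poses as something else, with MSWord2009.zip.exe as the example, is also the basis of a simple attachment-name check at a mail gateway. The Python below is an added example, not from the Wikipedia article or this discussion. It goes beyond the single case in the comment: besides the document-then-executable double extension it also flags runs of padding spaces that push the real extension out of view and the Unicode right-to-left override character that makes a name display with a false extension. The extension lists, verdict labels and sample attachment names are constructed.

```python
"""Disguised-executable check for mail attachments.

Added example (not from the Wikipedia article or this talk page). It flags
attachment names that pose as something else: an executable extension behind
a document-style one (the MSWord2009.zip.exe case from the discussion), runs
of spaces pushing the real extension out of view, and the Unicode
right-to-left override that makes a name display with a false extension.
The extension lists, verdict labels and sample names are constructed.
"""
import os
import re
from typing import Dict, List, Tuple

# Extensions Windows will execute (or run as a script) when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".msi"}
# Extensions a user reads as "harmless document or archive".
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".zip", ".jpg", ".png"}
RTLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: text after it renders reversed
PADDING_RE = re.compile(r"\s{2,}\.[A-Za-z0-9]+$")  # "invoice.pdf      .scr"


def suffixes(name: str) -> List[str]:
    """All dotted extensions of a file name in order: 'a.zip.exe' -> ['.zip', '.exe']."""
    parts = os.path.basename(name).split(".")
    return ["." + p.strip().lower() for p in parts[1:]]


def classify_attachment(name: str) -> Tuple[str, List[str]]:
    """Return (verdict, findings). Verdicts: 'allow', 'quarantine', 'block'."""
    findings: List[str] = []
    exts = suffixes(name)
    real_ext = exts[-1] if exts else ""

    if RTLO in name:
        findings.append("right-to-left override in name: displayed extension differs from real one")
    if real_ext in EXECUTABLE_EXTS:
        findings.append(f"real extension {real_ext} is executable")
        disguise = [e for e in exts[:-1] if e in DOCUMENT_EXTS]
        if disguise:
            findings.append(f"double extension: poses as {disguise[-1]}")
        if PADDING_RE.search(name):
            findings.append("padding spaces before real extension")

    # Any attempt at disguise is blocked outright; a plain executable is held for review.
    if RTLO in name or len(findings) >= 2:
        return "block", findings
    if findings:
        return "quarantine", findings
    return "allow", findings


def scan_attachments(names: List[str]) -> Dict[str, str]:
    """Verdict per attachment name, as a gateway rule would apply it to one message."""
    return {n: classify_attachment(n)[0] for n in names}


SAMPLE_ATTACHMENTS = [  # constructed sample names
    "MSWord2009.zip.exe",
    "quarterly-report.pdf",
    "setup.exe",
    "invoice.pdf                                .scr",
    "holiday-photo" + RTLO + "gpj.exe",  # displays as "holiday-photoexe.jpg"
]

if __name__ == "__main__":
    for name, verdict in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:10s} {name!r}")
```

The check works on the name alone, so it is cheap to run on every message, but it only catches disguise at the name level; a gateway still needs content inspection (file type by magic bytes, archive unpacking) to catch executables that arrive inside a real zip, which is the other delivery route this discussion is concerned with.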

Yeah, you're right. Although most use of the term 'Trojan' deals with email. You'll note that 'Road Apple' used to be a subsection of Trojan Horse until someone got confused and changed it. Why not re-write it? 76.90.12.243 (talk) 20:51, 6 January 2008 (UTC)

The "trojan horse/gimmes" part of this article sounds like it was written by a bitter IT support worker. I think it needs to be rewritten to remove the subjective terms that imply the stupidity of people that generally receive emails. Also maybe more examples than just email receipts of trojans, as they are distributed in many more ways than just through email attachments and links. Danno81 (talk) 09:41, 29 March 2008 (UTC)

I have given the article a mild edit to try and cover what has been discussed here. I'll not be offended if you feel my work requires further work. --Lord Matt (talk) 15:35, 30 March 2008 (UTC)

Grammar

I absolutely hate it how stupid Americans say "them", when they are referring to a single person! --84.250.188.136 (talk) 02:56, 9 May 2008 (UTC)

Gee, you sound aggressive. So you're of the camp that would prefer "he/she"? This is a common written English problem of plurality, hardly American. A common "solution" has been to use "they" - and while not grammatically correct, it's certainly getting more common as usage. As a result, many people now use "them" as singular. It is what it is. It's not like everyone here is college edjumacated. By the way, what the hell does this have to do with Social Engineering? Lexlex (talk) 15:18, 9 May 2008 (UTC)