Hello group,
The best way to do it is contact your local con artist and ask them
questions. Social Engineering is like playing a musical instrument. You have
to know what strings to pluck in order to hear good sounding music. Yes you
can dumpster dive and things of that nature but the real essence of social
engineering is how good of an actor you are. If you were a kid who used to
make prank calls and with in the first 20 seconds started laughing, then
that is going to be your weakness when you call a help desk. Because of the
word social it brings a whole new element to the game verse the latter half
Engineering which we are all comfortable with. You cannot engineer a person
into giving up info but you can be social you can.
Mike
-----Original Message-----
From: Marco Ivaldi [mailto:raptor@0xdeadbeef.info]
Sent: Tuesday, November 23, 2004 3:12 AM
To: pen-test@securityfocus.com
Subject: Re: Social Engineering ... ?
I am trying to find some good resources for social engineering
methodologies and such performed as part of pen-test work.
OSSTMM's Section B (Process Security) is a good start, though the version
currently on-line needs to be expanded a bit:
http://www.osstmm.org/
A very interesting source of social engineering examples is the book "The
Art of Deception: Controlling the Human Element of Security", by Kevin
Mitnick, William Simon, and Steve Wozniak.
SecurityFocus and PacketStorm also host some articles on this subject:
http://www.securityfocus.com/infocus/1527
http://www.securityfocus.com/infocus/1533
http://www.securityfocus.com/guest/5044
http://packetstormsecurity.nl/docs/social-engineering/
Finally, for italian speakers:
http://blackhats.it/en/papers/social_engineering.pdf
Hope it helps. Cheers,
--
Marco Ivaldi
Antifork Research, Inc. http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707
smime.p7s
Description: S/MIME cryptographic signature
