Tuesday, 18 September 2012

Social Engineering by Chris Hadnagy

From The Week of September 10, 2012
Ever since humans possessed the power of speech, they have been in the con game. For we are social, hierarchical animals, qualities which lend themselves to the manipulation of the thoughts and feelings of those closest to us. These tweaks of ego, these posturings for status, needn't be malevolent, or even harmful. They might be as innocent as looking our best in order to make a good impression upon someone we desire, to get a job we wish to have, or even to express our trustworthiness to those who might otherwise judge us. But they can just as easily bear cruel intent -- deflating truths murmured into the trusting ears of our competition, misdirections knowingly bestowed upon the credulous -- actions which allow us to gain advantages at the expense of both the feelings and the fortunes of others. Though these skills have always played important roles in human interplay, they have never loomed larger than they do now in our interconnected, global world. This Mr. Hadnagy demonstrates in his uneven work.

Defined as the victimization of individuals through trickery and manipulation, social engineering is one of the most powerful and pervasive weapons in the world of modern espionage. Deploying a host of tools, from confidence games to software exploits, the social engineer typically preys upon both the kindness and the credulity of strangers in order to achieve one of three customary goals: to penetrate and control computer networks, to test the security systems in place to protect such networks, or to harvest information for fun and profit. Though

Whereas hacking requires the hacker to possess extensive knowledge of both computers and the languages used to program them, social engineering demands that one only possess enough charm to convince the innocent to unknowingly act against their own best interests. Consequently, while its weakness resides in the fact that the exploiter needs a mark upon which to prey, its great strength stems from its capacity to entirely bypass every form of computer encryption implemented to protect sensitive systems. A social engineer does not need usernames and passwords; he does not rely upon the manipulation of ones and zeros. He hacks people, not computers. And but for their own sense of self-preservation, humans have no such safeguards.

As frustrating as it is enlightening, Social Engineering is a sometimes fascinating journey through the world of human hacking. Mr. Hadnagy, who has specialized in this field for some time, discusses numerous, nightmarish scenarios in which data vital to both corporations and individuals has been stolen by simply convincing a receptionist to put a USB key into her work computer. The gravity of both his claims and his observations has been backed up by two recent cases, that of Mat Honan and of Stuxnet, both of which used social engineering to destroy an individual's digital life, in the case of the journalist, and to significantly damage an Iranian nuclear reactor, in the case of the worm. In this, Mr. Hadnagy reveals a most critical truth, that a system is only as secure as its weakest point.

Hackers are not foolish. Why lay siege to a digital fortress when one can poison its wells, or parachute onto its walls? A clever exploiter probes for weaknesses, flaws in the system, and attacks there, applying pressure to the most vulnerable point until it yields to his demands. It is not the fortified gates we must worry about. It is the smiling, friendly person who can be used as an unwitting pawn in a game they cannot understand.

But while Mr. Hadnagy demonstrates this point with admirable clarity, Social Engineering reads, in every other respect, as an exercise in self-aggrandizement. These 350 poorly composed pages are saturated by the author's ego, the masturbatory fantasies of which stain the entire work. I have no doubt that Mr. Hadnagy has helped people. Nor is there any question that his work may arm the credulous with weapons against the attacks of the devious. And yet, it is impossible to escape the smugness with which Mr. Hadnagy conveys these lessons. Consequently, his supercilious tone, which is as offensive as his prose is childlike, mars the work irreparably.

This is an important topic. And though Mr. Hadnagy has much to teach, his ego and his pen both fail him. (2/5 Stars)
