Posted at 12:50 p.m. - Thursday, April 23
The ChicagoCon Ethical Hacking Conference returns on May 8-9th, 2009 with an interesting new topic: 'human hacking' AKA 'Social Engineering.'
In advance of the conference, Donald C. Donzal, Editor-In-Chief of The Ethical Hacker Network & the founder and organizer of ChicagoCon, explains what Social Engineering is:
G2M: For those who are not familiar, explain 'social engineering.' How
does one 'hack a human?'
Donald Donzal: Social Engineering is
defined by Wikipedia as “the act of manipulating people into performing
actions or divulging confidential information. While similar to a confidence
trick or simple fraud, the term typically applies to trickery or deception
for the purpose of information gathering, fraud or computer system access; in
most cases the attacker never comes face-to-face with the victim.” While not
totally accurate, it serves as a good starting point for the uninitiated. So
how does one do this? It’s actually much easier than you might think. In
these tough economic times where tax refunds are almost like that crucial
extra paycheck, it might be very beneficial to get that money quicker. What
if I sent you an email message with a way to do it for free? All you have to
do is click on this link, send me your personal information including bank
accounts for direct deposit, and I’d be willing to bet that lots of people would
do it.
G2M: Is this something that happens solely on the internet, or can it happen in any social situation?
DD: One simply has to look at the (Bernard)
Madoff case to see that not only are humans easily duped, but even the ones
that are highly educated and affluent. So whether the attack is over the
phone, via snail mail or on the Internet, the common denominator is trust. If
we feel like we trust the person, the look of the envelope or the source of
the email message, we are more likely to trust the contents. This has been
true long before computers, and will continue long after the next big thing.
G2M: What does a 'social engineer' stand to gain from 'human hacking'?
DD: Easier access into systems with no trace except for a
memory in someone’s head. Even better is that the shame of being duped is
another protection in the attacker’s favor. Imagine if I convinced you over
the phone that I was one of your local technical support staffers that was helping
your company recover from a possible breach in security. In order to prevent
you from losing access for a day or more to network resources or even the
Internet, I can help you on the phone right now change your password. All I
need is your current username and password, so I can help you avoid any
downtime. How many would fall for that? Now I have full access to whatever
that person had. And if anything bad happens, do they find me? No. It looks
like the employee I impersonated.
G2M: What is ChicagoCon?
DD: ChicagoCon is actually 2 events in one, training and a
conference. Training courses like the SE Master Class are held from Monday to
Friday afternoon May 4 - 8. Then at 2:00 PM on Friday and all day Saturday is
where the fun is. This is an entire 2-day Ethical Hacking Conference May 8 –
9 focused on helping the good guys learn the tools and techniques of the bad
guys to bring back to their own businesses for better security. We have
numerous presentations, free career counseling for this exciting field, a hands-on
computer lab with a Capture the Flag contest, a lock picking instructional
session, food and much more. Tickets to the 2-day Conference are just $100.
Details can be found at www.chicagocon.com
Next up: How To Protect Yourself from Getting 'Hacked' by a 'Social Engineer.'