Social Engineering: The Science of Human Hacking
Published by
John Wiley & Sons, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com
Copyright © 2018 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-119-43338-5
ISBN: 978-1-119-43373-6 (ebk)
ISBN: 978-1-119-43375-0 (ebk)
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or website may provide or recommendations it may make. Further, readers should be aware that Internet websites listed in this work may have changed or disappeared between when this work was written and when it is read.
For general information on our other products and services please contact our Customer Care Department within the United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Control Number: 2018943781
Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
My whole life that I live as a social engineer, a father, husband, boss, friend, and more doesn't happen without my amazing wife, Areesa. I love you more than words can say.
My son, Colin, watching you grow up in this world and become a security-minded young man, as well as working with me, makes all the work worthwhile. I love you.
Amaya, you have been the light of my life, my reason for smiles on dark days, and the cause of joy in my heart. I cannot put into words how much I love you and how truly proud I am of who you are as a person.
CHRISTOPHER HADNAGY is the CEO and Chief Human Hacker of Social-Engineer, LLC as well as the lead developer and creator of the world's first social engineering framework found at www.social-engineer.org. He is the founder and creator of the Social Engineering Village (SEVillage) at DEF CON and DerbyCon, as well as the creator of the popular Social Engineering Capture The Flag (SECTF). He is a sought-after speaker and trainer and has traveled the globe to deliver at many events including RSA, Black Hat, DEF CON, and even has debriefed the Pentagon on these topics. He can be found tweeting at @humanhacker.
MICHELE FINCHER is the Information Security Awareness Lead at a specialty chemical company. She possesses more than 20 years' experience as a behavioral scientist, researcher, and information security professional. Her specialty is understanding the psychology behind secure decision-making, particularly with respect to the area of social engineering.
Michele has been a trainer and speaker on various technical and behavioral subjects for law enforcement, the intelligence community, and the private sector in venues including the Black Hat Briefings, RSA, SourceCon, SC Congress, Interop, and Techno Security.
Michele has her Bachelor of Science in Human Factors Engineering from the US Air Force Academy and her Master of Science in Counseling from Auburn University. She is a Certified Information Systems Security Professional (CISSP).
“It was just a few years ago that I was sitting with my friend and mentor, Mati Aharoni, deciding to launch www.social-engineer.org.”
Those are the opening words of Social Engineering: The Art of Human Hacking. As I sit here and read them now, it's almost like a dream; the hazy memory makes me feel like I will wake up any minute. I reflect on the journey that has taken me through the past decade, and especially the last eight years, and it has all come to life in this book.
Over the last eight years I have worked with people like Dr. Paul Ekman, Robin Dreeke, Neil Fallon, and others. I have had the honor of interviewing people like Dr. Robert Cialdini, Dr. Amy Cuddy, Dov Baron, Dr. Ellen Langer, Dr. Dan Airely, and so many others. I have had the privilege of giving a speech with Apollo Robins and meeting Will Smith. I have been flown to the UK to train members of MI-5 and MI-6. And I have been invited to the Pentagon to debrief 35 generals, heads of state, and other officials on social engineering.
The last eight years have been an amazing roller-coaster ride. But like any project, nothing is made on an island of one. These experiences, my life, and the people I have had the honor of getting to know and work with are because of so many people that have helped me along the way.
My wife, Areesa, is one of the most patient and beautiful women I have ever met. Although she does not live in this world that I exist in, she truly supports me, loves me, and gives me a happy life that is full of laughs, adventure, and everlasting memories.
When my son, Colin, was little, he was going to be a doctor, then a writer, then a volunteer. Funny enough, he tried his hand at caregiving and writing, and he still volunteers. His positive attitude and kind spirit is an example to me.
I remember swearing that I would never let my daughter, Amaya, in this world of social engineering; I would keep her safe. She has taught me that keeping her safe means teaching her, including her, and making her a part of my life. She has given me so much more than I have given her.
Although Dr. Ekman wasn't directly related to this book, his kindness, motivation and generosity are an inspiration to me. Thank you.
I want to thank and acknowledge others who have been a continuing part of my journey:
When I started Apple Computers in 1976 with Steve Jobs, I did not imagine where that invention would take the world. I wanted to do something that was unheard of: create a personal computer. One that any person could use, enjoy, and benefit from. Jump forward only a short 40 or so years and that vision is a reality.
With billions of personal computers around the globe, smartphones, smart devices, and technology being embedded into every aspect of our lives, it is important to take a step back and look at how we maintain safety and security while still innovating and growing and working with the next generation.
I love getting to work with youth today, inspiring them to innovate and grow. I love seeing the ideas flow from them as they figure out new and creative ways to use technology. And I truly love being able to see how this technology can enhance people's lives.
With that said, we need to take a serious look at how we secure this future. In 2004 when I gave the keynote speech at HOPE Conference, I said that a lot of hacking is playing with other people and getting them to do strange things. My friend, Kevin Mitnick, has mastered this over the years in one area of security called social engineering.
Chris’s book captures the very essence of social engineering, defining and shaping it for all of us to understand. He has rewritten the book on it again, defining the core principles of how we as humans make decisions and how those very same processes can be manipulated.
Hacking has been around for a while, and human hacking has been around for as long as humans have. This book can prepare you, protect you, and educate you how to recognize, defend, and mitigate the risks that come from social engineering.
—Steve “Woz” Wozniak
Social engineering—I can remember when searching for that term led you to videos on getting free burgers or dates with girls. Now it seems like it's almost a household term. Just the other day I heard a friend of the family, who's not in this industry at all, talking about an email scam. She said, “Well, that's just a great example of social engineering!”
It threw me for a loop for a second, but here we are, eight years after my decision to start a company solely focused on social engineering, and now it's a full-blown industry and household term.
If you were to just start reading this book it would be easy to mistake my intentions. You might think I am fully okay with arming the bad guys or preparing them for nefarious acts. That cannot be further from the truth.
When I wrote my first book, there were many folks who, during interviews, got very upset with me and said I was arming the malicious social engineers. I felt the same then as I do now: you cannot really defend against social engineering until you know all sides of its use. Social engineering is a tool like a hammer, shovel, knife, or even a gun. Each has a purpose that can be used to build, save, feed, or survive; each tool also can be used to maim, kill, destroy, and ruin. For you to understand how to use social engineering to build, feed, survive, or save, you need to understand both uses. This is especially true if your goal is to defend. Defending yourself and others from malicious uses of social engineering requires that you step over into the dark side of it to get a clear picture of how it is used.
I was recently chatting with AJ Cook about her work on Criminal Minds, and she mentioned that she often has to meet with real federal agents who work serial-killer cases to prepare herself for playing the role of JJ on the show. The same idea applies directly to this book.
As you read this book, do it with an open mind. I tried my hardest to put the knowledge, experience, and practical wisdom I have learned over the last decade onto these pages. There will always be some mistakes or something you don't like or something you might feel was not 100% clear. Let's discuss it; reach out to me and let's talk. You can find me on Twitter: @humanhacker. Or you can email me from one of the websites: www.social-engineer.org or www.social-engineer.com.
When I teach my five-day courses, I always ask the students to not treat me like some infallible instructor. If they have knowledge, thoughts, or even feelings that contradict something I say, I want to discuss it with them. I love learning and expanding my understanding on these topics. I extend the same request to you.
Finally, I want to thank you. Thank you for spending some of your valuable time with me in the pages of this book. Thank you for helping me improve over the years. Thank you for all your feedback, ideas, critiques, and advice.
I truly hope you enjoy this book.
—Christopher Hadnagy