Wed 16 Mar, 2011
Tags: Book Reviews, social engineering, web security
Social Engineering: The Art of Human Hacking
The review that I’d read on Slashdot fairly glowed with praise, describing Social Engineering as being the “definitive text” on the subject. I’m going to have to modify that statement, as I have some fairly severe reservations about the book.
Available in both dead-tree and ebook formats, the book’s electronic edition is, at least, well put together and mostly* professional looking, with table of contents and an index–no glossary, however, which this book might benefit from like other introductory texts.
And it is an introductory text–the language is obviously aimed at the novice, someone for whom ‘social engineering’ is a buzzword they may have heard once. Much of the first part of the book, before he gets into the ‘meat’ of the subject, is spent trying to make the case for why you should read the rest of the book.
When he does get though his spiel of trying to both concern and reassure the reader–that social engineering is a real and dangerous phenomenon that is so all-pervasive that you may not be aware it’s happened and that there are ways to be able to tell, respectively–and gets into the subject the book is nominally about, the content improves significantly.
The book is laid out according to his ‘system’–that’s really what he’s selling, here: a way to organize and categorize social engineering as a teachable system–where he outlines various ways to pursue an ultimate goal of finding out information that the target wishes to keep hidden.
There’s a broad sketch of information gathering techniques–a couple of software packages are namedropped as a means to organize and collate information–followed up with sketches of elicitation (more or less congruent with other standard resources on the subject; links are provided therein to government pamphlets and the like), reading body language (mostly concerned with facial microexpressions–almost nothing on other body language interpretation) and an overview of building pretexts (mostly concerned with selecting the correct one).
The section on causing “buffer overruns” in humans is fairly interesting and well put together, but he either doesn’t recognize or purposely deemphasizes the general case (that of distracting the conscious mind in order to plant suggestions or issue short commands that will be followed without immediate objection) for several specific method-driven cases.
There are some other bits and pieces which might be useful to the budding social engineer–recommendations on how to bypass physical security, for instance, and methods for seeding exploits into locations where the target might conceivably run them.
At the end, there are some case studies–discussing a couple of cases from Mitnick’s book on the subject; a couple of his own cases; and a couple of cases that, dramatically, are hightly obfuscated as “top secret” and intimated to be about “high profile” companies and the like. If you’ve actually read the book up to this point, you’ll likely realize that the language chosen to introduce that section in particular is more than a little loaded.
As an introduction to the concepts and processes of social engineering, it’s not a bad book. It does cover most of the bases of social engineering and some related concepts, but there are a few rather large holes.
If I were to take Mr. Hadnagy at his word–which, given the context of the book, would be a rather foolish thing to do–pretty much everything he does is elicit enough of an opening to introduce spyware onto a corporate system using a PDF exploit. It’s always the same methodology in every case that he describes his personal involvement in, and it reads like a particularly bad spy thriller when he does so. I get this impression of inexperience in the field, as well–he takes a sort of “gee whiz, ain’t that cool!” tone with the exploits of others that he describes, who have little to recommend them beyond their audacity in taking on the targets they did and their talent at maintaining their pretext.
He also continually refers to his “mentor” in such a way that makes me question whether the Master knows the Apprentice is writing and marketing books based on work they may have done.
If you’re entirely unaware of social engineering–if you’ve never seen a spy movie, or a heist movie, or read about Frank Abignale or any other famous con-men; if you’ve never considered ways in which people would be able to steal your information or convince you to take an action that you would not otherwise take–then feel free to read this book. If you’re after a more serious education as to how social engineering works and how to present yourself in a certain way to gain another’s sympathy, then take an acting class–you’ll get a lot farther.
*One does not make one’s source citations in-line. One makes one’s citations in footnotes like a civilized person. Mr. Hadnagy should take note.