Monday, January 30, 2017

Social Engineering Task #1

My task was to get someone to swap their card with mine (they still had to do the task on their original card). I accomplished this task but I forgot to take their card with me and the other player threw both cards away. Hindsight 20/20. I would have used a picture of the card as proof if it wasn't for the aforementioned circumstance. I do know that their task was to get someone to reveal their card.

My approach to this step was to find someone who wasn't content with their "hard challenge" so that they would trade up with mine. I quickly realized I may have had the harder challenge. Not only were half the players done by the end of the class, but some were convinced that my task was "sketchy" or that it would "give them more work" if they switched cards with me. To my fellow players, the premise of me wanting to swap was a suspicious indicator that my challenge was "hard" in the first place! Fair enough, I understand the sentiment. *grumbles* Even though it made my task way harder than it should've been. The completion of the task fell solely on luck because the player I came across had to get me to reveal my card and they could do so by switching with me. So it was a means for both of us to complete our tasks.

I can see this applying to real life in the sense that the way to make someone more compliant with your requests is to find a way that it would also benefit them, or at least appear to. Whereas in a room full of vigilant social engineering task players this may be harder to do, in the real world it would be much easier. For example, exchange a USB and tell them it contains a game or something of interest to them so they would perform your requested action (to swap), whilst it may contain something malicious that could act as a key logger or something that exfiltrates their data.

One ethical issue this raises is that being compliant with some requests may have consequences. Just as my fellow players were vigilant about taking my card because it could very well have given them "more work", in the real world an exchange can be more detrimental, where one party may give too much information that could be used against them later. These "swaps" or exchanges may not be equal and one party may be looking to take advantage in some way. Some people may use these techniques for good, such as being cautious in divulging information or assets they wouldn't want exchanged, or protecting company assets or trade secrets. On the other side of the spectrum, it could be someone "borrowing" a USB but giving it back with malware or a virus.





