I recently finished reading The Art of Deception, and I probably should have posted about it earlier. I’ve been involved with computer security for a while, and I’ve been to a bunch of the more popular security and hacker conferences, which is the reason I’m giving to myself for the book not making a strong impression immediately. The book is very good, it brings to light many aspects of computer security that even most experts don’t know about. This should be required reading for anyone involved in computer security. That’s why I picked it up myself, despite being familiar with many of the tactics and general principles from hanging out at DefCon year after year. So, I’ve gotten that out of the way, it’s a good book.
What’s stuck in my mind however has nothing to do with computer security. The question currently gnawing at me: where does social engineering stop and social/business networking start? Is the difference that the social engineer goes in looking for a particular piece of information? Well, that’s sometimes how business networking works out. A business development gambit might start out by schmoozing a potential client to find out how to best target the sales pitch. Is it that the social engineer tries to get information they’re not supposed to have? Well, social networking often involves getting a hold of “juicy” information. While that might not necessarily represent restricted info, it could certainly mean information which certain parties might not want widely distributed. And that really does equate to restricted info, just without a written policy. So is the difference that an individual engaged in social networking forms a lasting relationship while a social engineer does not? No, cause social engineers try to form recurring relationships where they can. Leaving themselves routes that they can exploit later to fulfill the same kind of service.
The only difference I can see is that the social engineer does not use their real name, and the social networker does. I was originally going to write that as “the social engineer normally misrepresents themselves while the social networker does not”, but I don’t think that’s really true. Especially within the realm of business networking. People normally “misrepresent themselves” in terms of attempting to make their company appear more powerful or to make it seem like a fledging deal is further along than it really is. Now, of course, I’m not saying that most of the people involved in business networking are out to steal information from the people they interact with. I’m just saying that the two concepts blur together quite contiguously.
I think that’s probably quite significant. Cause the premise of the book is that the real action in security doesn’t revolve around firewalls or intrusion detection systems or encryption or any other technology. The real weakness is in the people using those systems, and transferring information in a way that’s outside of the normal means of connection. The most “interesting” transfers of information are not those that occur along controlled lines, but the transfers which are made because someone is acting in some extraordinary way. But then take that statement and apply it to social networking applications. Do social networking applications really catch the flow of information? Well, if misrepresentation plays a big part, probably not all of it. Of course, I have no idea what percentage of exchanges are genuine and which are influenced at least in part my misinformation, so I’m not at all prepared to make a blanket statement about the impact. But I will say that years and years of computer security work are starting to result in the realization that human interaction issues dwarf technical risks in terms of the current concerns. Of course, this could be due to years and years worth of computer security work tilted too heavily toward technical issues and ignoring human factors, but that’s a whole other discussion. I’ll leave it at saying that if you think that the information you have access to is based “who you know, and who they have access to”, I urge you to at least skim through the book and read about some counterexamples. They may happen to be only a small percentage of the cases, but sometimes very interesting information patterns arise when someone is able to identify who doesn’t know them and how to use that to their benefit. There are some spectacular examples, but I think every information transaction is placed somewhere along the line between genuine and false. Even if most transactions are tilted strongly toward genuine, the false aspects of them taken as a whole may be very significant.