Social Engineering: The Art of Human Hacking — Christopher Hadnagy

Erik Kaju
Ebook note exports
4 min read, Mar 24, 2018

If I’d been a real criminal I would probably be rich, famous, or dead — probably all three.

Social engineering is the art or better yet, science, of skillfully maneuvering human beings to take action in some aspect of their lives.

“True social engineering is not just believing you are playing a part, but for that moment you are that person, you are that role, it is what your life is.”

Google forgives but it never forgets, and it has been compared to the Oracle. As long as you know how to ask, it can tell you most anything you want to know.

Each person has both a physical and a mental personal space.

Honesty is the key to a relationship. If you can fake that, you’re in. — Richard Jeni

Get out of your head and into the world

Tony, who could sell a cup of water to a drowning man

Therefore, although you can become proficient at reading the emotion, you cannot read the why behind it. The why is often lost to science.

You can use your voice to inject commands into people just as you would use code to inject commands into a SQL database.

Sometimes how you say something is more important than what you say.

Dr. William Glasser wrote a book called Choice Theory in which he identified four fundamental psychological needs for humans:
- Belonging/connecting/love
- Power/significance/competence
- Freedom/responsibility
- Fun/learning

The principle behind this point is that creating ways for people to get these needs met by conversing with you builds instant rapport.

People speak 150 words per minute but think at 500–600 words per minute.

Some scientists even believe people make decisions up to seven seconds earlier in their subconscious before making them in the real world.

If you would persuade, you must appeal to interest rather than intellect. — Benjamin Franklin

A teacher I had once used to tell me to “kill them with kindness.” That is a pretty powerful statement. Being kind to people is a quick way to build rapport and to establish yourself in the five fundamentals of persuasion and influence.

The rule of reciprocity is important because often the returned favor is done unconsciously.

Pharmaceutical companies will spend $10,000–$15,000 per doctor (yes, per doctor) on “gifts” that might include dinners, books, computers, hats, clothing, or other items that have the drug company’s logo on it. When the time comes to choose a drug to support and buy, to whom do you think the doctors are more likely to go?

According to the American Disabled Veterans organization, mailing out a simple appeal for donations produces an 18% success rate. Enclosing a small gift, such as personalized address labels, nearly doubles the success rate to 35%. ‘Since you sent me some useful address labels, I’ll send you a small donation in return.’

The rarer the resource, the higher the perceived value the object retains. This rarity is why gold is worth more than salt, which is worth more than clay.

Grocery stores use framing by putting “75% lean” on a package of ground meat as opposed to “25% fat.”

Peer pressure is a strong influence and everyone wants to fit in and be part of the crowd.

It is also how whole groups of people can be manipulated into thinking a certain action or attitude is acceptable. You can see this in the entertainment industry as each year the standard of what is acceptable or moral seems to get lowered, yet this drop in standards is sold as “freedom.”

Security is a mindset, not a simple piece of hardware.

Maltego automates much of the information gathering and large data correlation for the user, saving hours of Googling for information and determining how all that information correlates.

If you have a spare computer and a VoIP service you can also use an Asterisk server to spoof caller IDs.

BitDefender analyzed the password usage of more than 250,000 users. The results were amazing: 75% of the 250,000 used the same passwords for email as well as all social media accounts. This should be especially scary considering the recent story of how 171 million Facebook users had their personal information released on a torrent.

Because most users have weak passwords that can be easy to guess, CUPP is a perfect tool for profiling. It can be used for legal penetration tests or forensic crime investigations.

I promote having a good disaster-recovery plan and incident response plan because nowadays it seems that it is not a matter of “if” you will get hacked, but “when.”

Creating a security awareness culture. Security awareness is not about a 40-, 60-, or 90-minute program once every year. It is about creating a culture or a set of standards that each person is committed to utilizing in his or her entire life.

The reason the bad guys usually win is because they have dedication, time, and motivation on their side.


Tech lead, solution architect and product engineering manager in the fintech industry. Boardsports, fast cars, robot building and tennis outside work.