The principles of warfare are often cited as a reference in books on military strategy and tactics, and computer security is no exception to this rule. Every author with enough of a strategist's spirit has certainly tapped into the many verses of the eminent Sun Tzu.
Chris Hadnagy (@humanhacker) begins “The Art of Human Hacking” with an often-repeated quote: “Know your enemy and know yourself”. This quote takes on its full meaning throughout the book.
“The Art of Human Hacking” introduces, from the very first chapter, the principles and foundations of social engineering. Words have meaning, and the word “Art” is not used by accident.
Dissecting the whole book is not my goal, because you should have it in your hands to appreciate its value. Besides, it would not be fair to future readers to unveil all of its secrets.
The book is a journey into the fascinating world of mind tricks.
When I first met Chris (even though I already knew the character well through his work and tweets) at the RSA Conference in San Francisco, I thought he had a lot of charisma. Indeed, I had not read his book before, but I found in him all the qualities of a great Social Engineer. By “Social Engineer”, I mean a skilled communicator. Chris offered me his book, and I was sure it would be the image of its author.
We learn that information gathering is an essential phase for approaching a target; in some ways it is the keystone. The better prepared you are, the fewer mistakes you will make that could jeopardize your scenario. Chris provides some tools and techniques to better correlate and aggregate information. Information sources are legion, especially on social networks: people let their guard down and give away some of their secrets. In the hands of a malicious SE, this information is a lethal weapon.
Mindmapping is a method I personally use to categorize and structure the flow of information (even when writing this review). Chris also reveals several techniques used by social engineers. This is, in some ways, the perfect SE cookbook.
A keen sense of observation is a necessary quality. Chris explains that by observing an environment, one can gather a valuable amount of information and thus pave the way for a close approach to the target.
Contact with the target may seem easy and simple because we do it every day, without being aware that we have, directly or indirectly, been the “victim” of an attempted social engineering attack. This is the very basis of the communication model that Chris sets out over a few chapters.
Today, when I read some phishing emails, I notice the weakness of their content, caused by inappropriate semantics or a sloppy scenario. Believe me, you can avoid an impressive number of phishing attempts just by applying the rules that Chris describes in his book about preparation, approach and the use of the appropriate semantics and words.
Psychology is no exception. If you think for one second that you will close the book, pick up your phone, confuse the guy at the other end of the line and order your pizza for free, then you have missed the essence of “The Human Hacking”. Personally, I rediscovered how our senses come into play in a discussion. We have all remarked at some point on our ability to remember a pattern or a quote heard during a keynote or meeting. The chapter on psychology describes micro-expressions and their role in a conversation. The most skilled Social Engineers will certainly find fertile ground to suit their target. Chris says that if the target shows disgust, you can consider your approach a failure.
Now, when I talk to people, I pay more attention to their micro-expressions. And to my great surprise, in some cases I am disappointed by those who fake their smile. Beware: it must not become obsessive.
When Chris mentions NLP (Neuro-Linguistic Programming), you must hang on to your chair and reread this chapter, preferably twice. The highest art is to use the techniques of NLP to one's advantage. A change in voice tone, pitch or resonance can have a desirable or an unwanted effect on your target. You understand why Chris chose the word “Art” ☺
One of my favorite passages is the analogy with the “Human Buffer Overflow”. Chris compares the human brain to an operating system. What is fascinating, according to the author, is performing fuzzing on the human brain to inject malicious data into the subconscious. By malicious data, Chris means leading the target to do what you want without them even realizing it. And if you want to know what the subconscious brain is? You have to buy the book ☺
A. Schopenhauer (The Art of Always Being Right), K. Mitnick (The Art of Deception) and C. Hadnagy have something in common. They have each treated, in their own way, “the power of persuasion” with methods and illustrated examples. I confess that Schopenhauer was the most complicated to read ☺. I read the book twice and I still have some questions.
As for myself, I think the power of persuasion is one of the most dreadful weapons of the Social Engineer. Chris also points out the ambiguity and innuendo created by manipulation. Some years ago, I had the opportunity to read “The Manipulators Are Among Us” by Isabelle Nazare-Aga, who classified manipulators into groups. You just have to observe your family or colleagues to realize how many manipulators are around you. You will see that your parents indulge a little in emotional blackmail, a form of psychological manipulation.
Several terms and techniques mentioned in the book “SE – The Art of Human Hacking” point to the field of psychology and the ability of the SE to collect, analyze and adapt to their target without arousing suspicion. The goal is to achieve the purpose with few mistakes. However, in some situations the game gets exciting and alludes to spy movies.
Mere mortals have not had the chance to perform an SE assessment. Fortunately, Chris gives us a whole chapter on the use of tools. These tools, according to Chris, are a great help for the SE to bypass certain difficulties. Nevertheless, tools will not make you an SE. Back in the old days, Mitnick did not have all the appropriate toolkit, but he had enough presence of mind and sufficient intelligence to rescue himself from any mishap. And that's what SE is all about.
Among the tools mentioned by Chris are “Lockpicking Sets”, or the art of picking locks. For the lucky ones who have a K. Mitnick business card, you'll notice it's like a “Lockpicking” toolkit. A wink to the SE 😉
There are a variety of tools cited by Chris: software, hardware or a combination of both, as in the case of GPS trackers. Similarly, you will not see the impressive Maltego the same way once you figure out that it played a key role in some of Chris's SE missions.
We cannot talk about tools without mentioning SET – the Social-Engineer Toolkit by the great Dave Kennedy. SET is frequently updated and well maintained.
The important thing is not mastering these tools but finding the appropriate pretext and the right message for approaching the target.
My Point Of View
After reading the book “SE – The Art of Human Hacking”, I've realized (although I suspected it) that we are surrounded by SEs. Some are good and some are shabby. I remain convinced that a few skills of an SE cannot be learned just by reading books. It's a mindset and a willingness to learn and to improve. Remember when Brad “TheNurse” Smith had a stroke: who was the first to mobilize the community to provide financial assistance to Brad's family? The answer is in the book title: Chris Hadnagy.
Was he expecting something from Brad? NOPE!! He did it because he is human. And besides, that's what makes him what he is now.
Although this book will not make me a String Puller (I lack several qualities mentioned in the book), it has triggered a new cell in my brain: the SE Trigger Alert. As soon as I feel someone is trying to confuse me, my defensive system kicks in ☺
SE is certainly used by several categories of people: secret agents, profilers in airports, traders, salesmen, your girlfriends, your wives, your children, your parents, your colleagues at the office.
But as Chris concluded in his book, SE is truly an art form!
Thank you, buddy, for this fabulous book! It's a real gift to give to your friends and colleagues, and excellent material for those wishing to update the ‘Awareness’ chapter of their Security Policy.