Social Engineering

[Feud]

So, the latest blog mentions that social engineering will be one of the tools in the player's arsenal. I'm not quite sure what to make of this.

On one hand, it seems like social engineering would lend itself to multiplayer games. The social interaction and trickery of such things seems like something that would be pretty tough to balance coding wise without being either too formulaic or random. On the other hand, there would have to be some mechanism in multiplayer gaming to where one would be willing to trust others enough for such manipulations to actually work (perhaps hacking the chat to appear to be an allied player?).

What is your guys' take on the matter?

[Cooper42]

I imagine social engineering may be in the form of a social model, which I'd be wary of - if it's clearly and obviously a game mechanic and it works, fine. If it's trying to hard to create a believable social environment, it may just elad to cognivitve dissoncance.

For multiplayer, if you want to see social manipulation in a game that doesn't need 'trust' to be a hardcoded mechanic, take a look at EVE.

[Mas Tnega]

First thing that springs to mind that involves player interaction is multiple choice for which unconvincing lie you want to give. You never know, maybe the Bank of the Extraterritorial Holdings of Darwinia trustees really do suffer from dogs eating their ID cards all the time, or maybe it's a popular catch-all lie they give meaning "I don't want to explain, it will incriminate me". It's something the player could look up and use to their advantage.

[Feud]

Bank of the Extraterritorial Holdings of Darwinia

When I first read that I saw "Extramarital holdings".

That makes senses to have it be something that could be looked up, like feeding info gleaned from emails that they'd assume only insiders knew about.

[bert_the_turtle]

My guess would be that all employees working in the building you're supposed to infiltrate have private lives outside of that building. You can find out who they are, where they live, dig around in their lives, guess stupid passwords (name of son), maybe find something to blackmail or bribe them with, or even kidnap their loved ones to enforce cooperation (waves to other thread). The information gathering phase is important in any heist movie, so I'd expect it to be represented adequately in the game.

[DinoSteve]

So, a bit like those Japanese computer dating games where while pursuing a girl she tells you the odd fact about herself and dates with her consist of multiple choice questions to see how much you was paying attention or remember. Do well on the test and your relationship progresses. Do badly and she'll grow tired of you.

[GreenRock]

My guess would be that all employees working in the building you're supposed to infiltrate have private lives outside of that building. You can find out who they are, where they live, dig around in their lives, guess stupid passwords (name of son), maybe find something to blackmail or bribe them with, or even kidnap their loved ones to enforce cooperation (waves to other thread). The information gathering phase is important in any heist movie, so I'd expect it to be represented adequately in the game.

From what I know, social engineering is when a fake inspector goes and inspects the workplace. This is done to obtain passwords, secretley hack networks, and perhaps to steal a few key cards to later infiltrate the area. Furthermore, what the hell are you talking about, Bert?

[Phelanpt]

He is talking about the fact that it doesn't have to be a fake inspector, it can be any fake authority role, and it doesn't have to be the workplace, it can be anyplace where information can be gathered.

[xander]

He is talking about the fact that it doesn't have to be a fake inspector, it can be any fake authority role, and it doesn't have to be the workplace, it can be anyplace where information can be gathered.

It doesn't even have to be a fake authority figure. Social engineering is, at its heart, "hacking" human behaviour. As indicated above, it might involve convincing a bank teller that you are someone that you aren't ("Oh, man! I lost my ID! But you can give me the money anyway, right?"), or that you belong somewhere that you don't ("Don't look at me, I am just cleaning the floors. No need to prevent me from going through that locked door"), or otherwise convincing people to compromise their systems for you. Phishing is a form of social engineering, as is Viagra spam.

Basically, any security system is only as strong as its weakest link. Why go to the trouble of hacking a secure system when you can dupe some idiot into giving you the password?

xander

[Feud]

From what I know, social engineering is when a fake inspector goes and inspects the workplace. This is done to obtain passwords, secretley hack networks, and perhaps to steal a few key cards to later infiltrate the area. Furthermore, what the hell are you talking about, Bert?

There's a lot of ways it can be done. For example (very simple), say Bob has a file you want on the first floor, you call up a guys' secretary and say you're from the tenth floor and ask for a meeting with him. You wait till he leaves and gets a ways away, then go up to the secretary and say "I'm with so and so's office on the tenth floor, Bob forgot the Beekerman file and asked if I could get it for him while he stalls the investors." Secretary gets it, you scurry out before he gets back from the meeting that never existed.

[GreenRock]

He is talking about the fact that it doesn't have to be a fake inspector, it can be any fake authority role, and it doesn't have to be the workplace, it can be anyplace where information can be gathered.

It doesn't even have to be a fake authority figure. Social engineering is, at its heart, "hacking" human behaviour. As indicated above, it might involve convincing a bank teller that you are someone that you aren't ("Oh, man! I lost my ID! But you can give me the money anyway, right?"), or that you belong somewhere that you don't ("Don't look at me, I am just cleaning the floors. No need to prevent me from going through that locked door"), or otherwise convincing people to compromise their systems for you. Phishing is a form of social engineering, as is Viagra spam.

Basically, any security system is only as strong as its weakest link. Why go to the trouble of hacking a secure system when you can dupe some idiot into giving you the password?

xander

Cool! so we can get a super hot female character model to woo the male's into giving her a password!?

[Feud]

Cool! so we can get a super hot female character model to woo the male's into giving her a password!?

That's one way.

Ideally, social engineering leaves the victim not knowing any better until it's too late. A good example of the use of the fairer sex is in the movie Sneakers where they need to get a verbal phrase for a locked door. So, they set up the guy who has the password on a date with a girl who's wearing a wire, then have her steer the conversation in such a direction that he says all the words contained in the phrase, which they then splice together.

Then she steals his wallet. That's not so much social engineering, but still a fun and effective.

[xander]

WOMAN: You know, there's this one word that really turns me on.
CLUELESS DUPE: Really? What's that?
W (sexily): Passport.
CD: !?

xander

[Phelanpt]

^What xander and Feud posted.

Even getting to know a company's internal business jargon (which seems harmless) can lead to someone getting past security, as people assume that someone who knows that must be part of the company.

I find social engineering fascinating.

[Trail Mix]

I saw this topic and had to copy pasta what Social Engineering really was from the Cisco A+ study material.

A social engineer is a person who is able to gain access to equipment or a network by tricking people into providing the necessary access information. Often, the social engineer gains the confidence of an employee and convinces the employee to divulge username and password information.

A social engineer may pose as a technician to try to gain entry into a facility. Once inside, the social engineer may look over shoulders to gather information, seek out papers on desks with passwords and phone extensions, or obtain a company directory with e-mail addresses.

So....
I'm just repeating what all you guys are saying, but at least this makes me feel cool.
I-I mean, uh, this is a solid definition to build on what everybody was talking about.
Yeah, that's the ticket.