Greg Day McAfee
Wikipedia defines social engineering as 'based on specific attributes of human decision-making known as cognitive biases', and highlights that these biases, 'sometimes called "bugs in the human hardware", are exploited in various combinations to create attack techniques'. If software vulnerabilities are the entry point to IT systems, susceptibility to social engineering creates an entry point at the human level, giving access to our most prized possessions: our systems and data.
Just as Houdini first baffled and bamboozled the public with the art of misdirection, social engineering tricks have been used to influence individuals, groups and governments alike.
From the early 419 Nigerian scams of the 1980s and the 'click me' threats such as the 'I love you' mass mailer in the 1990s, to today's domain squatting, Web 2.0, phishing and SMS'hing, we will examine the evolution of social engineering attacks. We highlight the key principles and psychological techniques used to misdirect computer users into handing over information or running code, even users with years of experience of such attacks.
How can we manage the problem? Will technology save us or do we simply need better user education? How will it evolve? Through a better understanding we can answer these questions.