Subliminal Hacking
The Art and Science of Social Engineering



Categories

August 5, 2010

Social Engineering… Is It Ethical??

When I speak to people (non Infosec passionate types) about the work and research I do around the content I post on Head Hacker, I normally get a few responses. Shock, Disgust and Intrigue. People are shocked because they are not aware of some of these skills and process, they are disgusted because it’s not right, it’s not ethical, and a breach of human rights, and then we have the intrigue as I start to really explain what it’s all about, and what I am doing. People are curious of how this knowledge can help and protect them.

So this got me thinking, perhaps I should write a post on why I think people think social engineering is unethical, and why I consider the majority to be ethical, I do think in some circumstances there is a grey area. I have asked quite a few people about their ethical standpoint when it comes to social engineering, as I have on a couple of occasions had semi heated discussions with organisations about techniques that can and can’t be used on an engagement. I personally find most professionals ethical in their approach, but some comments from some do make me shudder. I am confident in the fact that I only operate in areas where I feel comfortable that I will be operating in an ethical manner, other areas I have not quite figured out continue to be researched and debated both internally and externally.

In the research I have done on ethics of social engineering, I have really not found there to be anything about, perhaps people don’t care? I think it is a real issue that all professionals should consider, and take time to reflect upon.

Ethics

Why people think Social Engineering is unethical….

In my experience most people say social engineering is unethical because you are tricking, or conning someone, stealing data about them, using the information to access sensitive information, get free stuff, gain entry and generally manipulate people to do things, or disclose information. I totally understand this thought process, and in a way I think they are correct, there are people out there doing this, and they are both good and very effective with the skills they have, they have become life time criminals.

The key issue here is the perception and it’s a negative one. Not everyone uses their knowledge and skills for breaking the law, they use their skills and knowledge to better the populous, inform and educate to make people less likely to become a victim. The truth of the matter is, you don’t really stand a chance of beating the bad guys unless you are exposing yourself to the same skills, tools and environments.

In an effort to draw an example, medicine can be used to cure and relieve pain in the right hands. The same medicine in the wrong hands and with the wrong intent can be used to inflict pain, and even kill. Knowledge, process, tools, etc can all be used for positive and negative, it’s the individual who is responsible for the actions and result.

Why and how I think Social Engineering can be ethical….

The first reason I think social engineering is ethical is due to the intent. Now I am not saying that the outcome of the exercise may enable someone to do something malicious, but I don’t think this is a justifiable reason not to gain knowledge, research, test and experiment. If we never did this, the human race wouldn’t evolve. So I feel that any social engineering engagement or activity I undertake or become involved in is for a positive outcome and where appropriate I always seek permission at a high level, and understand any specific areas that are no go, as well as using my own common sense and experiences to guide me. People intentionally manipulate people every day; we have all been doing this since birth. We all have different reasons for manipulation; perhaps we feel it would be best for the person, or best for us. When we negotiate to get a reduction on an item we are buying, this is a form of manipulation, but as we feel we are not harming anyone, it’s considered ethically and morally ok.

So I feel that if you are researching, carrying out SE with permission, and using the information to benefit people, and educate and bring awareness it can be ethical, and this is certainly how I believe I go about things.

It’s a little grey….

So there are some grey areas. Can an organisation give you permission to manipulate and extract information from the staff they employ? Should people who are subject to social engineering activities be punished for being the weak link in the chain? If you gain generic permission, let’s say to hypnotise, then you use this permission to extract sensitive data, is that ok? I am sure we can all think of many more situations that are not so clear.

To be honest, when it comes to these grey areas I am not sure on all the answers. However I try to limit these grey areas by defining up front in an appropriate level of detail what could happen as part of the assessment, types of scenarios and ways to extract data, and that individuals will not be named in reports. Obviously the company may use other techniques to help identify how this information was gained, but that is outside my scope of responsibility. So to that end I would say that I am operating in an ethical manner, and so would anyone else that has considered the above issues. When in doubt don’t do it, if your internal ethical and moral compass is unable to guide you, get additional information and input from others who are in an informed and experienced position.

I certainly don’t think the grey areas are reasons not to carry out social engineering engagements, the criminals are not concerned about ethics, and to test we need to adopt this mindset to a certain degree. It is also important to share our thoughts and research, and we have to let the individuals dig further and use this information as they feel is most appropriate.

So to conclude, if you are interested in social engineering, and you want to work with, investigate and research the skills associated, do so in a professional and ethical manner, be mindful of what you’re planning, put yourself in the subject’s position, how would you feel if someone did to you, what you are planning on doing to them. If you’re happy, then its most like a good sign you will be operating in an ethical manner.

No one has all the answers, but it’s a conversation worth having, and to continually question is a good thing. I hope people reading this will want to share their thoughts and experiences, so I welcome and look forward to reading your comments.

Be Sociable, Share!



    About the Author

    Dale Pearson
    has worked in IT since 1998, Infosec since 2004, and studied and performed hypnosis, mentalism etc since 2009. Dale is a full time Red Teamer with a love of social engineering and qualified hypnotherapist. He spends a great deal of time researching the various skills and techniques that make up the art and science of Social Engineering.




    2 Comments


    1. […] This post was mentioned on Twitter by Dave Hewson, Dale Pearson. Dale Pearson said: Social Engineering… Is It Ethical?? – http://www.headhacker.net/2010/08/05/social-engineering-is-it-ethical/ […]



    Leave a Reply

    Your email address will not be published. Required fields are marked *

    Time limit is exhausted. Please reload CAPTCHA.

    This site uses Akismet to reduce spam. Learn how your comment data is processed.