In our social engineering training courses, services, and as an overall company philosophy, we stress good intent. Our motto has always been, “Leave people feeling better for having met you.”
Yes, we may use deceit as part of an engagement, but we do it for the purpose of making our clients more secure and in the spirit of partnership as opposed to an adversarial relationship. That is the basis for this post: how the intent on the part of the social engineer can make all the difference.
A Social Engineer and Good Intentions
In the late seventies and early eighties, a man named Barry Bremen achieved national popularity for posing as athletes or other legitimate figures to gain access to places and situations he otherwise would not have been allowed. At different times throughout his “career” as a sports imposter, Bremen bypassed security at NFL, NBA, and MLB events. He shot layups with Kareem Abdul-Jabbar, infiltrated a World Series game posing as an umpire, and performed cheers dressed as a Dallas Cowboys cheerleader during a Cowboys-Redskins game. After his death in 2011, those close to Bremen said that he never meant anyone any harm and he did what he did because he believed it was innocent and playful.
A Social Engineer and Devious Intentions
A man with more devious intentions, David Hampton, posed as Sidney Poitier’s son in the eighties in order to scam wealthy couples into giving him money. Hampton was discovered to be a fraud and ordered to pay back thousands of dollars to the people he scammed. In 2001, he was again arrested for scamming a man out of over a thousand dollars after the two went out on a date. The victim was quoted as saying, “It was one of the best dates I ever went on.”
What Can You Learn?
Both of these men were imposters and they needed to deceive people in order to achieve their goals, but the difference was in their intentions. Bremen was a fun-lover and believed that the public wanted to see more. Hampton wanted money and free places to stay from his victims. These examples are clearly not polar opposites, nor are they necessarily any kind of paradigm for a penetration tester, but they do illustrate the different effects that intention has when paired with deception.
It is vital that a social engineer maintains the proper intent to best serve the security needs of their clientele. In the formation of pretexts, scripts, etc., remember that people are affected by your words and ideas. In our opinion, security needs are best met through collaborative relationships; we’re not out to “pwn” or embarrass our clients or make anyone feel manipulated or used.
What we consider success is when we can achieve our objectives and leave with material to help educate our client and their staff. And the icing on the proverbial cake is when the client looks forward to seeing us each year for the audit; then we know we left them feeling better for having met us.