The book’s subtitle is a fitting 13-word summary of what it is about. The book taught me that social engineering is a polite, obfuscating, nonthreatening label for the pernicious, amoral manipulation of people to accomplish someone else’s hidden goals of power and money. The first analogy that came to mind: using the term “social engineering” is like putting lipstick on a feral pig.
This book is a comprehensive and lively survey of the history, sociology, and psychology of social engineering. The authors convincingly identify the threads and interconnecting factors that contribute to the practice. They qualify the term "social engineering" with the prefix "masspersonal" because of the way the activity has evolved: as it exists today, social engineering combines individual manipulation with group manipulation, and how these two regimes work together is explained in detail in the text.
The book is divided into four segments--an introduction and three parts presenting, respectively, a historical overview, the techniques of social engineering, and the contemporary state of social engineering. The introduction is 25 pages long and must be read. It begins with the Russian Internet Research Agency, the elections of 2016 and 2020, Cambridge Analytica, QAnon, the “Big Lie,” and the insurrection on January 6, 2021. From this vantage point, social engineering is defined and characterized as masspersonal.
The historical overview in the first part is divided into two chapters--before 1976 and after 1976. In the earlier period, social engineering arose from several factors: the need to advertise products and services to drive the economy, and the desire to manipulate large groups of people into supporting political and economic agendas. The latter goal was originally rooted in an elitist mindset: the vast majority of people, including many recent immigrants and children of immigrants, were poor and uneducated, and could be "educated" using an engineering approach. The tools, however, were limited to mass media--mostly the printed page, then radio and the beginnings of television. The second chapter, after 1976, introduces the personal aspect of social engineering through the rise of the "phone phreaks," who worked hard at gaining access to the phone system when the technology changed to the touch-tone system. Here the social engineering was done one-to-one, as hackers talked their way into the telephone system.
The phone phreaks developed an extensive network, with shared discussion boards and bulletin boards, tools, and even meetings and publications. The process of social engineering can be broken down into four stages, covered in the chapters of the second part of the book. Although these stages were originally worked out in personal encounters, they are equally valid for manipulating larger groups of people. In sequence, the stages are trashing, pretexting, bullshitting (the authors' term), and penetrating; each is given its own chapter.
Trashing is any investigation of refuse--from dumpster diving to scanning corners of the Internet--to retrieve unused email accounts, technical information about systems, PINs and passwords, and anything else that can be used in the next stage, pretexting. Pretexting matters because it attacks the weakest link in any system: the human being. The pretext is the ostensible reason contact is made; at this point it is "let's make believe that I am a system technician in Omaha and I need your help." Trashing supplies the information and jargon needed to create the illusion that the caller is who he claims to be. In a phishing campaign, the pretext may be an email from a vendor or bank that looks like the real thing but is not. Bullshitting is the act of performing the pretext, the theatrical performance, and it is the key stage: if it works, the system can be penetrated and compromised. Although each of these stages has its origins in personal hacking, they are integral to mass social manipulation as well.
Part 3 is on the contemporary scene and has two chapters. The first chapter has a detailed presentation of what took place in the 2016 presidential election. The major players here are the Russian Internet Research Agency, Cambridge Analytica, and Facebook’s algorithms. The application of the four stages is laid out in detail and makes for a horrifying story. The last chapter discusses what might be done to counteract and resist social engineering. There is a good section on whether social engineering itself can be ethical. Although some hackers have gone legitimate and created businesses that test the penetrability of systems, there is an attitude that all of it is a game--until the report has to be typed, ties and jackets put on, and the results presented to the hiring group. Social engineering seems to attract people who behave as if life is a game lacking rules and with blind and deaf referees, a game in which neither truth nor falsehood is relevant. All that matters is the thrill of manipulation and conquest--like Mozart’s Don Giovanni.
This excellent book should be read by anyone responsible for maintaining a secure system, because it describes the sociological, historical, and psychological context so well. Any reader will enjoy the stories and profiles of the people involved. It is well documented, with an extensive bibliography.