Ethical considerations play a critical role in social engineering, where methods and techniques are used to manipulate people into disclosing information or granting access to confidential data. Given the potential consequences of these actions, adherence to ethical principles is an integral part of using social engineering effectively and responsibly. One of the main ethical principles in social engineering is the prohibition on using these methods for harmful or illegal purposes. Misuse of social engineering can lead to financial harm, violations of data and personal privacy, and psychological trauma. Ethical compliance ensures that social engineering is used only for legitimate purposes, such as improving information security and protection. Another important aspect of ethics in social engineering is the responsible use of the information obtained.
The collection of data about other people must be carried out with their permission or within the limits of the law, and the data obtained must be kept confidential and protected from unauthorized access. Responsible use of the information received preserves privacy and trust, which are integral to ethical social engineering. Ethical considerations in social engineering also include transparency and communication when these techniques are used. Participants in the process should be informed about the risks and consequences associated with the collection or manipulation of information. Communicating with potential victims of social engineering helps maintain trust and prevents possible harmful consequences. By taking these ethical considerations into account, effective and responsible approaches to protecting information and improving security can be built. Legality, responsible use of information and transparency in communication are the key components of applying social engineering successfully in an ethical context.
Unlike network and web application security testing, the impact of social engineering can extend beyond the laptop or server. When you interact with real people, you must take special precautions to avoid harming them.
You should also carefully follow the laws of your country and consider the physical location of the people or businesses with whom you may potentially interact. You may accidentally violate the laws of the country where the people or servers you target are physically located, and unwittingly become a criminal under someone else’s laws. While there may be no legal precedent directing you to collect OSINT data in a certain way, or prohibiting you from collecting OSINT data at all, some laws, such as the European Union’s General Data Protection Regulation (GDPR), impose obligations on you regarding the data you collect and strictly define how you must protect it. This section outlines best practices for conducting social engineering and collecting OSINT data in a legal and ethical manner.
Ethical social engineering
Let’s start with the social engineering attack itself. When engaging in social engineering, you must constantly think about how the victim will feel as a result of your actions. This is not an easy task, as you need to find ways to show that the company is vulnerable (usually because employees are not properly trained or processes are poorly organized), but do so without directly damaging the reputations and careers of the people through whom you exposed a vulnerability.
One way to protect people is to make them anonymous in the eyes of your client, if possible. For example, instead of mentioning that Edward from accounting followed a link in a phishing email, write in the report that one of the employees of the finance department fell victim to a phishing attack. At the same time, take into account the size of the organization and the possibility that colleagues will guess the identity of the victim from the data you provide. If you are working with a relatively small company, don’t say that the founder posted too much sensitive information on social media; say instead that upper management takes social media privacy lightly.
The real bad guys likely won’t adhere to such boundaries. However, in penetration testing, we shouldn’t copy everything the bad guys do. Unlike us, they will use denial-of-service attacks (attacks on networks and systems that prevent legitimate users and services from accessing them, such as DDoS attacks); dox customers, i.e. disclose their personal information such as residential address, email address and phone number; and deploy ransomware (malicious software that demands that victims pay a ransom to unlock their data). But we’re not like that, are we?
Here are some tips for protecting people in your social engineering projects.
The following rule should be followed without fail: If people ask you to stop talking to them or if they end the conversation, you must stop. Also, while you can look at a victim’s public social media posts and create an attack profile based on them, you should never do the following:
use personal accounts (including contacting people through them);
refer to this information outside of work tasks.
Imagine someone pestering you with work-related issues while you’re relaxing at home, and also doing it through a personal account on a social network. That would make you very angry, wouldn’t it? Acceptable uses of social media to collect OSINT data include searching for publicly available job data, mentions of specific software or technology, or references to a common username.
When it comes to social engineering, there are two main legal aspects: spoofing and call recording. In addition to these issues, one of the best ways to avoid legal problems is to attack only resources belonging to the client company and avoid interacting with employees’ personal resources as much as possible.
Most countries have laws against spoofing subscribers’ phone numbers. If you imitate the actions of an attacker in accordance with the security assessment agreement and call only the client’s business numbers, you will most likely be on the right side of the law. It’s a little more complicated when it comes to recording calls, especially when the recording is made without explicit consent and even without notifying the other party. Whether a company can act as the second party consenting to the recording of conversations its employees conduct over corporate communication channels is a legal gray area. Much depends on what the company’s standard employment contract says about it. If you are asked to record calls, contact your attorney for clarification in your specific case.
Problems can also arise if you violate the terms of service of a third-party provider. In 2019, Mike Felch of Black Hills Information Security published a couple of blog posts about choosing software services that can be used for phishing. Titled How to Clean Google and Start Fresh (Parts I and II), these posts share his experiences using G Suite (Google’s productivity platform, now called Google Workspace) as both a target and an attack tool. Felch explains how he compromised credentials and used CredSniper to bypass multi-factor authentication.
Here the story takes an interesting turn. The activity was discovered by both the client’s Security Operations Center (SOC) and the Google SOC. In response, Google not only blocked Felch’s account, but also (presumably with the help of OSINT and its own detection algorithms) began to block other accounts belonging to Mike and his wife, even ones unrelated to the Google services he was using. The moral of the story is that you need to coordinate with any other service providers the client may be using to ensure you don’t get locked out of everything, including, as in Mike’s case, even the thermostat of the home heating system.
After carrying out social engineering operations, it is important to conduct a proper debriefing: communicate the measures taken and the results obtained. Debriefing involves familiarizing the victims with the methods you used and the information you gathered. You don’t need to tell the entire organization that Jane from HR uses her husband John’s name as her password, or that Madison is having a relationship with her uncle. Strictly preserve anonymity in your message and leave out the details; just tell the client that you discovered some employees using their spouses’ names as passwords, or that you easily obtained details of their personal lives.
One way to solve this ethical problem is to keep a list of those who fell for the attack and tell them confidentially why they failed the test, without mentioning their names in the report. If the organization requests this information, you can provide names in exchange for the company’s commitment not to fire the employees concerned. This point is often specified in the contract between pentesters and their clients. If a company does not train its employees, it would be unfair to fire them for a security lapse. On the other hand, your report should clearly identify the people who foiled the attack. They took care to protect their organization, and their efforts should be recognized and rewarded.
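The two preceding points (role-based labels instead of names, and a confidential key kept apart from the report, while defenders who foiled the attack are credited by name) can be mechanized. The script below is an added illustration, not code from the book or from Joe Gray; the staff directory and findings are constructed sample data, and the group-size threshold MIN_GROUP is an assumption chosen to avoid naming a department so small that colleagues could guess who is meant.

```python
"""Pseudonymise social-engineering findings for a client report.

Added example (not from the book). Failing subjects get a token and a
role-based label; the token->name key is returned separately so it can be
handed over only under a no-dismissal agreement. People who reported the
attack are named, so the client can recognise them.
"""
from collections import Counter

# Constructed sample staff directory (hypothetical names and departments).
STAFF = [
    {"name": "Edward Example", "dept": "Accounting", "level": "staff"},
    {"name": "Jane Example", "dept": "HR", "level": "staff"},
    {"name": "Alice Example", "dept": "HR", "level": "staff"},
    {"name": "Bob Example", "dept": "Engineering", "level": "staff"},
    {"name": "Carol Example", "dept": "Engineering", "level": "staff"},
    {"name": "Dan Example", "dept": "Engineering", "level": "staff"},
    {"name": "Founder Example", "dept": "Executive", "level": "executive"},
]

# Constructed sample findings from a phishing/vishing exercise.
FINDINGS = [
    {"name": "Edward Example", "result": "clicked", "detail": "followed the phishing link"},
    {"name": "Jane Example", "result": "disclosed", "detail": "password is a spouse's first name"},
    {"name": "Bob Example", "result": "reported", "detail": "forwarded the email to the help desk"},
    {"name": "Founder Example", "result": "disclosed", "detail": "overshares work details on social media"},
]

# Assumption: a department may be named only if at least this many people
# work there; otherwise the label is generalised further.
MIN_GROUP = 3


def group_label(person, staff, min_group=MIN_GROUP):
    """Describe a person by role/department without identifying them."""
    if person["level"] == "executive":
        return "a member of upper management"
    dept_size = Counter(p["dept"] for p in staff)[person["dept"]]
    if dept_size >= min_group:
        return f"an employee in the {person['dept']} department"
    return "an employee"  # department too small to name safely


def pseudonymise(findings, staff, min_group=MIN_GROUP):
    """Return (report_rows, key). Only the report goes to the client."""
    by_name = {p["name"]: p for p in staff}
    report, key = [], {}
    for finding in findings:
        person = by_name[finding["name"]]
        if finding["result"] == "reported":
            # Defenders are credited by name; nothing to hide here.
            report.append({"subject": finding["name"], "who": finding["name"],
                           "result": finding["result"], "detail": finding["detail"]})
            continue
        token = f"SUBJ-{len(key) + 1:03d}"   # sequential token, resolved only via the key
        key[token] = finding["name"]
        report.append({"subject": token, "who": group_label(person, staff, min_group),
                       "result": finding["result"], "detail": finding["detail"]})
    return report, key


def leaked_names(report, key):
    """Names from the confidential key that still appear anywhere in the report."""
    text = " ".join(" ".join(str(v) for v in row.values()) for row in report)
    return sorted(name for name in key.values() if name in text)


if __name__ == "__main__":
    rows, secret_key = pseudonymise(FINDINGS, STAFF)
    for row in rows:
        print(row)
    print("leaks:", leaked_names(rows, secret_key))
```

The `leaked_names` check is the guard a reviewer should run before the report leaves the team: a free-text `detail` field is the usual place a name slips back in.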
From an organizational point of view, management should make it clear to employees that the company itself has not been spying on them. They need to understand that the company paid someone else to do the review, which involves gathering information, and then filtered the collected information and kept it relevant only to the business, keeping the employees’ personal lives private. In addition, the organization should use the report you provide, as well as best practices and sample attack scenarios, to train employees so they can be more secure.
When speaking at conferences like DerbyCon, Hacker Halted, and various Security BSides events, I follow the same rules. You never know if there is someone in the audience who has been attacked, so try not to publicly shame other people. Follow the golden rule: “Praise publicly, blame privately.” Encourage people to be more vigilant and to report problems to the appropriate professionals.
Example: Social engineering gone too far
In 2012, Duchess Kate Middleton, pregnant with Prince George of Cambridge, was hospitalized with severe morning sickness. Soon the public and the media found out about it, and at 5:30 a.m. a couple of Australian radio show hosts called the hospital, introducing themselves as the Queen of England and Prince Charles. The presenters skillfully imitated their accents and asked for the latest information on Middleton’s condition. The nurse on duty at reception answered the call. Believing the call to be legitimate, she connected the pranksters to Middleton’s personal nurse, who shared various details about her condition.
The presenters recorded the call and put it on the air. The program attracted enormous attention and became the cause of an international scandal. Before the hospital could take any action, the nurse was found dead with obvious signs of suicide. Prince William and Duchess Kate issued a statement in which they expressed their deep sorrow over the incident and expressed their condolences to the nurse’s relatives.
This is an example of social engineering gone too far. Practical jokes are practical jokes, but at some point during the call the pranksters should have revealed themselves. Nor should they have made their trick available to the general public. Later, the radio show was closed, and the show’s and presenters’ social media accounts were deleted. The owners of the radio station issued an official public apology – too late, after an avoidable tragedy.
Although this behavior looks more like a stupid, tasteless joke than an attack, the incident can be considered an abuse of the victim’s trust, because the DJs were not acting in the victim’s interest. If they had not broadcast the call, their actions might have been closer to a harmless use of someone else’s authority, although the best solution would have been not to call at all.
OSINT ethical framework
Now that we have defined the legal and ethical limits of social engineering, we need to do the same for OSINT. Many of the considerations mentioned earlier apply here, but the stakes are generally lower because, while the information you obtain through OSINT collection may affect the well-being of the subjects of your investigation, you are not interacting with them directly. However, this does not mean that you should indiscriminately collect all the data on every subject.
You need to think carefully about how long you need to keep any data you collect, how to destroy it, what value to place on the data, what the consequences of losing the data will be, and how someone might try to compromise it.
Digital forensics and law enforcement often use the concept of chain of custody when working with data. Chain of custody aims to keep any collected evidence in a secure environment from the time of collection until destruction. To do this, you need to store all data in a specially designated safe place. For example, it is customary for police officers to store physical evidence in a locker located in a guarded room. A person gaining access to this locker must prove their right of access, sign the evidence out, and sign it back in when returning it.
Unfortunately, data in digital format can be easily copied, so ensuring a secure chain of custody is a bit more difficult, but it can be done if certain precautions are taken. First of all, follow the digital hygiene rules discussed below. For each investigation, use a dedicated virtual machine that you use exclusively for that investigation. The virtual disk must be encrypted with a strong password. After completing the investigation, ensure safe storage: save the files that make up the virtual machine to a separate disk. Most likely a regular CD or DVD will be enough, but in some cases you may need a larger storage device, such as a flash drive or external hard drive. As an additional layer of security, you can encrypt the drive itself and store it safely, disconnected from any computer, behind a physical access control such as an ordinary safe.
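Because digital evidence copies silently, a chain of custody for OSINT data rests on two records: a manifest of file hashes taken at collection time, and a custody log in which each entry commits to the hash of the previous one, so that a later edit to the files or to the log is detectable. The following script is an added illustration, not code from the book; the case identifier, analyst name and the two evidence files are constructed sample values, and the archive is written to a temporary directory so it runs offline.

```python
"""Chain-of-custody helpers for collected OSINT evidence.

Added example (not from the book): a SHA-256 file manifest plus a
hash-chained custody log, with a demo that shows both tamper checks.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" of the first custody-log entry


def sha256_file(path):
    """Hash a file in chunks so large captures need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir, case_id, collector):
    """Record every file under evidence_dir with its SHA-256 and size."""
    files = {}
    for root, _, names in os.walk(evidence_dir):
        for name in sorted(names):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, evidence_dir)
            files[rel] = {"sha256": sha256_file(path), "bytes": os.path.getsize(path)}
    return {"case_id": case_id, "collector": collector,
            "collected_at": datetime.now(timezone.utc).isoformat(), "files": files}


def verify_manifest(manifest, evidence_dir):
    """Return sorted discrepancies; an empty list means the set is intact."""
    problems = []
    for rel, meta in manifest["files"].items():
        path = os.path.join(evidence_dir, rel)
        if not os.path.isfile(path):
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != meta["sha256"]:
            problems.append(f"modified: {rel}")
    for root, _, names in os.walk(evidence_dir):
        for name in names:
            rel = os.path.relpath(os.path.join(root, name), evidence_dir)
            if rel not in manifest["files"]:
                problems.append(f"unexpected: {rel}")
    return sorted(problems)


def _entry_hash(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def log_custody(log, actor, action, when=None):
    """Append an event; each entry commits to the hash of the one before it."""
    entry = {"at": (when or datetime.now(timezone.utc)).isoformat(),
             "actor": actor, "action": action,
             "prev": log[-1]["entry_hash"] if log else GENESIS}
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return log


def custody_log_intact(log):
    """True unless an entry was altered, removed or reordered."""
    prev = GENESIS
    for entry in log:
        if entry["prev"] != prev or _entry_hash(entry) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def demo():
    """Collect, archive, verify, then show that tampering is caught."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        # Constructed sample captures (placeholder content, not real data).
        with open(os.path.join(evidence_dir, "profile.html"), "w") as fh:
            fh.write("<html>constructed sample capture</html>")
        with open(os.path.join(evidence_dir, "notes.txt"), "w") as fh:
            fh.write("collected from a public listing\n")
        manifest = build_manifest(evidence_dir, "CASE-PLACEHOLDER", "analyst-a")
        log = log_custody([], "analyst-a", "collected and hashed evidence")
        log_custody(log, "analyst-a", "encrypted VM archived to offline disk")
        before = verify_manifest(manifest, evidence_dir)
        with open(os.path.join(evidence_dir, "notes.txt"), "a") as fh:
            fh.write("edited after the fact\n")        # simulate tampering
        after = verify_manifest(manifest, evidence_dir)
        intact = custody_log_intact(log)
        log[0]["actor"] = "someone-else"               # simulate a rewritten log entry
        return {"before": before, "after": after,
                "log_intact": intact, "log_after_edit": custody_log_intact(log)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the manifest and the custody log outside the evidence directory (for instance with the encrypted archive’s paperwork), otherwise the record and the thing it attests to share one failure domain.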
Digital hygiene is nothing more than the consistent application of security best practices. Protect your work devices from malware and don’t reuse passwords (and, of course, choose strong passwords). You should also use a password manager and multi-factor authentication whenever possible. This is only the tip of the iceberg, but these steps will protect you from someone questioning the authenticity of your data, especially if it is intended for legal proceedings.
To determine the value of data, consider how much damage it can do to a company or person. I never collect or store social security numbers, but if I did, I would place a high value on them. If I receive someone’s email address along with their password, I assign it the highest level of importance. The discovery of this information indicates that an organization or employee is potentially vulnerable to a breach, because people tend to reuse passwords. At the same time, if the organization can prove that this user is technically prevented from using the password you found, that password can be assigned a low level of importance. A password without a person attached to it will also have little value, although it can be used against a company in password spraying. In password spraying, an attacker tries a single password against many accounts, for example a known default password against every account they know of.
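Password spraying has a distinctive signature in authentication logs: one source failing against many different accounts, unlike a forgetful user who fails repeatedly against one account. The detector below is an added example, not code from the book; the log lines are constructed samples in an assumed `key=value` format, and the thresholds (`min_users`, `window`) are assumptions a defender would tune to their environment. It also shows the low-and-slow case, where a spray spread over hours escapes a short window and is caught only by a longer one.

```python
"""Detect password spraying in authentication logs (added example).

Flags a source that fails against at least `min_users` distinct accounts
within `window`, and notes whether that source later logged in successfully.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data). Format is an assumption.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-03-01T09:00:03Z src=203.0.113.7 user=bob result=FAIL
2024-03-01T09:00:05Z src=203.0.113.7 user=carol result=FAIL
2024-03-01T09:00:07Z src=203.0.113.7 user=dave result=FAIL
2024-03-01T09:00:09Z src=203.0.113.7 user=erin result=SUCCESS
2024-03-01T09:01:00Z src=198.51.100.4 user=alice result=FAIL
2024-03-01T09:01:30Z src=198.51.100.4 user=alice result=FAIL
2024-03-01T09:02:00Z src=198.51.100.4 user=alice result=SUCCESS
2024-03-01T11:00:00Z src=192.0.2.9 user=frank result=FAIL
2024-03-01T11:30:00Z src=192.0.2.9 user=grace result=FAIL
2024-03-01T12:00:00Z src=192.0.2.9 user=heidi result=FAIL
2024-03-01T12:30:00Z src=192.0.2.9 user=ivan result=FAIL
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m.group(2), "user": m.group(3), "result": m.group(4)}


def detect_spraying(log_text, min_users=4, window=timedelta(minutes=10)):
    """Return one alert per source whose failures span >= min_users accounts in `window`."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            by_src[event["src"]].append(event)

    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if e["result"] == "FAIL"]
        start = 0
        for end, event in enumerate(fails):
            # Slide the window so it covers only failures within `window` of this one.
            while fails[start]["ts"] < event["ts"] - window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= min_users:
                first = fails[start]["ts"]
                # A success from the same source after the spray began suggests a hit.
                success_after = any(e["result"] == "SUCCESS" and e["ts"] >= first
                                    for e in events)
                alerts.append({"src": src, "window_start": first.isoformat(),
                               "users": sorted(users), "success_after": success_after})
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_spraying(SAMPLE_LOG):
        print("10-minute window:", alert)
    for alert in detect_spraying(SAMPLE_LOG, window=timedelta(hours=2)):
        print("2-hour window:   ", alert)
```

The repeated failures from 198.51.100.4 against a single account never trigger an alert; that pattern belongs to a lockout or brute-force rule, not a spraying rule, which is why the two are best kept separate.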
In short, protect your sensitive data by minimizing access to the system where it is stored, keeping that system patched, disabling unnecessary services, and using strong passwords and multi-factor authentication wherever possible. Encrypt data whenever possible. Even if someone steals the data, it will be useless if the attacker cannot recover the encryption key.
This section discusses possible legal aspects of OSINT collection. While I consider the European GDPR as an example of the primary law governing OSINT, other countries and jurisdictions have adopted similar laws related to the protection of personal information and liability for data breaches. The collection of OSINT data is not in itself a data leak, but so far no court has ruled clearly to the contrary – that the provisions of the GDPR do not apply to OSINT. Therefore, you should consider the GDPR or similar domestic laws in your country as directly applicable to your activities.
The GDPR determines what you can do with data belonging to EU citizens. The Regulation is aimed at protecting EU citizens and residents in connection with the collection and use of their data. Essentially, it gives EU citizens and residents, as consumers, control over the data collected from and about them. Following the adoption of the GDPR in 2016, businesses were given two years to bring their operations into compliance with the new regulation. As of May 25, 2018, all companies worldwide operating in the EU must be GDPR compliant.
A company that violates the GDPR can be fined 4% of its global annual revenue. This should act as an incentive to protect any information collected about EU citizens (both in the EU and abroad) and about people visiting the EU.
The main impact of the GDPR on social engineering and OSINT is that the law gives people the ability to limit the collection by others of their personal information (PI) and sensitive personal information (SPI), which in turn can significantly reduce the OSINT attack surface. Additionally, if personal data were stolen and the information became publicly available, it would result in huge fines for companies that failed to properly secure the collected PI and SPI.
Another important GDPR provision is the right to be forgotten. This provision allows individuals to see the full amount of information held about them by the data controller and to request that their PI or SPI be deleted immediately.
If you work in law enforcement (state, municipal, or otherwise) or are licensed as a private investigator, you probably have more opportunities to collect and use OSINT. Please familiarize yourself with all applicable laws or consult with an attorney before using your special authority in any OSINT collection operation.
For example, the American Civil Liberties Union (ACLU) published an article in 2012 warning of the extremely slippery slope of using big data and other methods, including OSINT, to identify potential criminals before they break the law. The ACLU discussed the practice of law enforcement agencies obtaining big data and then using it to suspect people of wrongdoing who may not have broken any law, because the suspicion came solely from computer predictions. Jay Stanley, author of the ACLU article, argues that this approach to analysis will lead to an uncontrolled increase in the amount of information collected, with or without good reason. This can lead to people being brought into the criminal justice system without due process of law – simply because “the data said so”.
If you have entered into a contract for pentesting and social engineering activities as an individual, this does not exempt you from the need to comply with laws on the collection, protection and storage of personal data. Some countries and regions have laws that limit the conduct of OSINT activities by individuals even more severely than for legal entities and law enforcement agencies.
Conclusion: You alone are responsible for following the laws in the area where you and your victim work. Before proceeding with OSINT collection, it is best to consult with a local attorney who has specific knowledge of laws related to digital data, information business, and security, just in case.
Case Study: Ethical Limitations of Social Engineering
The next incident happened when I was a consultant helping a group of pentesters. I had to call 25 potential targets on the phone and write a call report. The company did not give me a reason to call. (Some clients like to provide a pre-scripted call, though I prefer to create my own to make sure employees aren’t informed in advance of the review.)
I pretended to be conducting an organizational competency survey, which I had invented to allow myself to ask rather intrusive questions of the victims under the pretext of an assignment from the CEO. The organization provided me with a list of numbers, but without the names of the people or their departments. Since calling a number blind usually doesn’t lead to success, I had to do more research. Of the provided phone numbers, one turned out to be the number of a police station, and two others were the numbers of local courts. I discussed this with my manager and we decided to drop them out of caution.
I then spoofed my number to look like a Nielsen phone number that usually conducts surveys for other organizations. I claimed that I was conducting a survey authorized by the CEO of the organization to find out what the employees knew about the workplace and other departments of the organization. A number of questions were asked, such as the following.
How long have you worked for this organization?
Do you have access to wireless internet? If so, what is the network or access point name (SSID)?
Do you have vending machines near your workplace?
What kind of computer do you have? Operating System?
What brand of antivirus are you using?
Do you know the names of the guards at the checkpoint?
What was your mother’s name before she got married?
Can you give an example of a previous or current password you use?
As an added security measure, I did not record the calls and conducted them in a private location. After a while, several people gave me their mother’s maiden name, but no one gave me the password yet.
Then I called the official contact number of the organization. A pleasant lady in her sixties answered. We exchanged pleasantries and I explained the research. She agreed to help in any way she could, but told me she wasn’t very tech savvy.
“Me too,” I said, “because I’m doing a little part-time survey while I’m studying at the ACME College of Psychology.” We laughed and I started the survey.
I went through the standard list. She answered the first six questions, but when I asked her her mother’s name before she got married, she said that I was asking about a password reset question, the answer to which she must not tell anyone. I agreed to move on, telling her that I didn’t always like the questions I had to ask. I reminded her that she could always refuse to answer questions. When I asked her for a password she used often, she hesitated, then sighed and told me, “Buttermilk.”
“Buttermilk?” I asked.
To build rapport with her, I shared a true story about how as a child I loved to eat crumbled buttermilk cornbread when visiting my late grandfather.
The woman burst into tears. When I asked if everything was okay, she said that cornbread and buttermilk was her late husband’s favorite meal. I immediately felt overwhelmed. She told me that it would be his birthday this coming Thanksgiving and that she had lost him about three years ago to cancer.
What to do in such cases? I decided to stay in character but talked to her until I was sure she had calmed down. It would be unethical to just hang up and move on to the next call. We mentioned our deceased family members, people in the neighborhood, discussed the weather and other traditional topics for social conversation.
Before ending the conversation, I asked her if everything was okay. After I hung up the phone, I spoke to the team leader, told him the story, and told him it was best not to call again that day. He agreed, so I switched to another project that didn’t involve calls.
Buttermilk is the liquid residue after churning whole milk into butter.
The basic rules of survey-style calls are:
Always allow people to opt out of the conversation. You can try to gently coax them to continue, but don’t push too hard. If they refuse, just move on. If you feel confident, ask again later, but if they say no again, stop. Force will not help your cause.
When asking sensitive questions, make sure you are in a quiet and safe place where no one will overhear you.
Avoid recording the conversation if you ask questions like the ones above.
If you suspect you’ve offended someone with your questions, take the time to calm them down, or call back later, or hang up, whichever works best for your campaign.
Contact your management if you find yourself in a situation similar to mine. They need to know about the event in case your interlocutor contacts them later, but they also need to know about your mental balance and anything that might affect your work.
We used materials from the book “Social Engineering and Ethical Hacking in Practice”, which was written by Joe Gray.