## Introduction If you've studied computer science or networking, you're undoubtedly familiar with the OSI 7 Layer model. It's the standard framework that describes how network systems communicate, structured in a perfect logical hierarchy. From Layer 1 to 7, everything operates within the realm of logic, governed by strict protocols of hardware and software. However, there exists one more abstract layer. It sits above all others, controlling everything, yet it remains the most vulnerable and undefined layer of all. It is Layer 8: The Human Layer. <center> <img src="https://hackmd.io/_uploads/HJMlH_LD-g.png" width="80%" height="auto"> </center> ## Imagination Upon watching [this video](https://www.youtube.com/watch?v=rY5S-1N1QS8&t=2324s), a thought struck me. We often view Giacomo Casanova simply as a legendary lover. However, stealing the hearts of women worldwide wasn't merely romance. It could be seen as a sophisticated form of hacking—akin to obtaining Root Access to the system known as human emotion. There is a famous anecdote involving a Venetian nobleman named Senator Bragadin that perfectly illustrates this. One night, Senator Bragadin collapsed from a stroke. The doctors of the time applied a mercury-based ointment to his chest—a standard treatment back then, but one that was actually poisoning him. Observing this, Casanova immediately removed the mercury patch and simply cleaned the patient with cool water. Miraculously, Bragadin recovered. He came to believe that Casanova possessed divine medical knowledge, and as a result, he trusted him deeply for the rest of his life. He even adopted the low-born Casanova as his son, providing him with lifelong protection and leaving him a substantial inheritance. Now, let's analyze this event from a hacker's perspective. Casanova identified a critical system error (the mercury treatment) and patched it effectively. By doing so, he established a permanent Trust Connection with a high-ranking administrator (the nobleman). Consequently, he achieved Privilege Escalation—rising from a commoner to a nobleman's son—and secured full access to the target's resources. This was not merely a medical act; it was a perfect example of a Human Exploit. Now, let's explore some legendary social engineering techniques that exploited this very layer. ## Case Study If Casanova hacked the heart, Kevin Mitnick hacked the corporate hierarchy. Known as The Condor, he proved that a telephone is a far more dangerous weapon than a keyboard. There is a legendary incident involving Motorola that defines his methodology. In the 1990s, Mitnick needed the source code for the MicroTAC Ultralite, the most advanced mobile phone of the time. He didn't launch a zero-day attack or inject malware into their servers. Instead, he simply picked up the phone. First, he called the company's switchboard and used a mild pretext to identify the specific department and the name of a lead engineer. Then, he dialed that engineer directly. > *"Hi, this is t0ka, the Project Manager from the mobility division. Listen, I have a meeting with the VP in five minutes, and I need to show him the source code review, but my access is blocked. If I don't get that code right now, my head is on the chopping block. Can you FTP it to me quickly?"* The engineer on the other end didn't ask for authentication. He didn't check the employee ID. Hearing the panic in a colleague's voice and the fear of a Vice President, he simply said, "Sure, hold on". Within three minutes, the source code—worth millions of dollars in R&D—was transferred to Mitnick's server. ### Why was this exploit so effective? Mitnick didn't exploit a software bug; he exploited a **Legacy Protocol** hardwired into the human brain. 1. **Authority Spoofing**: By claiming to be a Project Manager and referencing a Vice President, he utilized the Authority Bias. Humans are socially conditioned to comply with hierarchy without question. 2. **Urgency Overrides Verification**: The phrase "in five minutes" is the payload. When the human brain encounters urgency, the amygdala activates, and the prefrontal cortex shuts down. The victim bypassed standard security protocols because the fear of delay outweighed the fear of a breach. 3. **The Helpfulness Vulnerability**: Most corporate security training teaches employees to be suspicious, but human nature is fundamentally designed to be helpful. Mitnick turned this virtue into a vulnerability. In the end, the strongest firewall in the world was dismantled by a single sentence: "I need your help." ## Learning While mastering technical skills like reverse engineering and network protocols is fundamental, these case studies highlight an often-overlooked truth: understanding the human mind is just as critical. Why spend weeks fuzzing a kernel to find a zero-day vulnerability when you can simply ask a fatigued employee for their password? Utilizing the human element can drastically reduce the Time-to-Exploit. Therefore, I would like to introduce a few essential social engineering techniques that every security researcher should understand, along with methods on how to study them. ### Key Techniques (The Human Exploits) Just as there are different classes of software vulnerabilities, there are distinct categories of human vulnerabilities. #### Pretexting This is the art of creating a fabricated scenario to compel the target to divulge information. It’s like setting up a virtual environment where the victim feels safe. - Example: Acting as IT support needing to sync the database to get credentials. #### Baiting This technique leverages human curiosity or greed. - Example: Leaving a USB drive labeled Executive Salary Report Q1 in the company lobby. When the victim plugs it in, the payload executes. The vulnerability here isn't the USB port; it's the human desire to know secrets. #### Quid Pro Quo Something for something. Attackers offer a benefit in exchange for information. - Example: Calling random extensions claiming to be tech support and offering to fix the slow internet speed in exchange for disabling the firewall. ## How to Train You can't exactly practice hacking people illegally, so how do you learn this? ### Study Psychology, Not Just Code Read *Influence: The Psychology of Persuasion* by Robert Cialdini. It is the bible of social engineering. It explains the 6 principles that trigger automatic responses in humans. ### Analyze Phishing & Scams Don't just delete spam emails or hang up on scam calls. Analyze them. What trigger are they pulling? Fear? Urgency? Greed? Deconstruct their script like you deconstruct malware. ### Practice Cold Reading Observe people. Try to deduce their profession, mood, or password patterns based on their desk environment or social media footprint. This improves your Reconnaissance skills. ## The Future So far, we have explored historical figures like Casanova and Mitnick, examined various case studies, and discussed methods for learning these techniques. Before I conclude, there is one more crucial point I must address. Historically, social engineers relied heavily on acting skills and psychological manipulation. However, with the advent of Generative AI, the landscape of social engineering is evolving rapidly. Hackers no longer need to be great actors. All they need now are good prompts. - **Deepfake Voice**: AI can clone a CEO’s voice with just 3 seconds of audio. - **Deepfake Video**: Real-time face-swapping technology allows attackers to impersonate anyone during video conferences. ~~(To avoid falling for this, perhaps we really should just go hide in the mountains? lol)~~ <center> <img src="https://hackmd.io/_uploads/SyiIv_IvZx.png " width="40%" height="auto"> </center> A recent case in Hong Kong perfectly illustrates this evolution. An employee at a multinational firm attended a video conference where, unbeknownst to him, every other participant was an AI-generated deepfake. He was tricked into transferring $25 million, believing he was following orders from his real superiors. The tools have shifted from simple phone calls to hyper-realistic AI, but the vulnerability remains exactly the same: Human Trust. The operating system of the human mind has not been patched since the Stone Age. ## Conclusion Security professionals invest millions of dollars in firewalls, intrusion detection systems, and endpoint protection. However, as numerous cases have shown, a single phone call or a sophisticated deepfake video can bypass all these security layers in mere seconds. We cannot patch human nature. Curiosity, fear, and the desire to help others are not bugs; they are innate features. Therefore, the only defense is to adopt the mindset of "Trust, but Verify." However, in the age of AI, I believe we must rewrite this proverb: > **"Verify, then Trust."** This concludes my thoughts on the Human Layer, written in the quiet sentiment of the dawn. ☕ ## References - [[#벌거벗은세계사] (80분) 성공률 1000% 카사노바의 플러팅 방법🌹 132명의 여자를 꼬신 막장 드라마의 주인공 ㄷㄷ](https://www.youtube.com/watch?v=rY5S-1N1QS8&t=2324s) - [The Project Gutenberg eBook of The Memoires of Casanova, by Jacques Casanova de Seingalt](https://www.gutenberg.org/files/2981/2981-h/2981-h.htm) - [Influence: The Psychology of Persuasion](https://ia800203.us.archive.org/33/items/ThePsychologyOfPersuasion/The%20Psychology%20of%20Persuasion.pdf) - [Finance worker pays out $25 million after video call with deepfake ‘chief financial officer’](https://edition.cnn.com/2024/02/04/asia/deepfake-cfo-scam-hong-kong-intl-hnk/index.html) - [The 8th Layer Of The OSI Model: The Human Risk](https://www.forbes.com/councils/forbestechcouncil/2025/11/13/the-8th-layer-of-the-osi-model-the-human-risk/)