So I met Chris at DEF CON 24. What are we at? 27? It's a three? Wow, yeah. Four years ago? And he competed in the SECTF. Really bad. Really bad. I mean, we're talking zero points in the booth. And he made a great video, though. That's what got me. Really entertaining videos. I'm like, okay, you know, I mean, that happens. You can't win them all. And Chris went home and he said, no, that is not my legacy. I'm not going down that way. And he came back at DEF CON 25 and owned it to the point of a black badge. Yeah, right? Right. Yeah. So to go from zero points to a black badge worthy competition, that's really impressive. In that black badge run, he used a number of tactics that I stole from him and still use to this day in our company. And he wants royalties, which he will not get. But if you would, help me in welcoming my good friend, awesome speaker and black badge winner, Chris Kirsch.

All right. So now that Chris has told you my MO, this is my first of a black hat, sorry, DEF CON speech. So next year's speech will be really good. Right? Okay. So yeah, today we're going to talk about getting psychic. I'm going to walk you through some cold reading techniques that you can use for fortune telling or also for social engineering.

A little bit of background. I'm actually not from the pen testing and social engineering side of the house for my job. I'm a product marketer, and I've been in infosec product marketing for 22 years. I started out with PGP, then nCipher, so a lot of crypto stuff. Then I joined Rapid7, did some work on Metasploit and later on incident response, and today I work for Veracode. So my ticket that got me this slot here was the SECTF, where I took advantage of very nice, trusting people at a gaming company. That was really nice of them. And my life goal is acquiring all the skills that you see in a heist movie or in con artistry movies. So yeah, and then I'd love to get an internship with a fortune teller.
So if anybody could hook me up, that would be fantastic. Okay, so what is cold reading? Cold reading is conning people into believing that you have psychic powers. So it's not pretending, it's not actual psychic powers, which I personally don't believe in. But you will see fortune tellers telling you that they're doing tarot readings or palm readings, aura readings, which is kind of like your aura around you, and some spiritual mediums that claim to connect you with the dead and have you talk to the dead. I believe that all of these people are using cold reading techniques or other techniques like warm reading, where you use OSINT to be more on target.

I want to note that cold reading is different from mentalism. Mentalism is a technique in magic where you pretend you're reading somebody's mind or influencing somebody's mind or doing a fantastic mental feat. But you're never actually telling people honestly, seriously, that you are a psychic or that you have these powers. It's all part of a performance act. For some reason, oh, my slides are auto advancing, that's fun.

All right, so I was looking for a way to practice my cold reading skills, and I was struggling a little bit. You can either do cold reading on your friends or family and so on, but then you already know a lot about their background and you can kind of fake it with all of the information that you have. And I didn't want to go out on the street and just say, hey, I'm a psychic, can I read your future, because I felt a little weird about that. So what I did is I did psychic readings at work, where everybody already thinks I'm a weirdo, so that wasn't a huge change. Veracode has a culture where we do hackathons twice a year. They're three-day events that are basically like mini DEF CONs. Hackathons are different in every company, and in our company the two rules are you either have to learn something new or you have to work with people that you haven't worked with before.
Psychic readings kind of fit the bill for that, because I had to learn it and I was giving readings for other people. So I offered people free psychic readings talking about their career, health, ambition, relationships, money, past, present and future. And in the posters that I put up, I said it's a conjoined reading of your astrology, hands and aura, which was complete and utter bull crap, because I just made that up. I only did it on people that I didn't know all that well, where I might have seen them around the office but I'm not close friends or colleagues with them. And I did about eight readings in two days. It was a lot more exhausting than I thought. I thought it would be a little bit easier, because I didn't want to do stock readings where I read the same one to every person; I wanted to make them more custom and tailored to the person. That requires that you observe, process and then find a way to actually make it sound good and like you're a psychic, and that you're not just stating the obvious.

So, at the end, slides are advancing, if anybody knows how to switch that off, that would be great. I did the slide timing. So I did a survey at the end with people, so I have some data that we'll have a look at later on how they thought I did. And then I debriefed everybody to tell them that I wasn't actually a psychic and told them how I did it, because that was important to me ethically.

So I started out and fired up Google image search, found an astrological chart. I don't know what this chart actually says, but I printed it out. And I asked people first of all to write their date of birth on the front and then close their eyes and draw lines across the chart. Whenever they feel they're done, they're done. And then turn over the paper, trace the outline of your left hand and put the initials of somebody that's important to you on the back, right?
So that was the thing that I pretended to be reading. Most people swallowed that completely and didn't question it. So now we come to the first lesson for social engineers. No matter how bad your pretext, sell it. Right? And sell it with conviction. Channel the people that ran the Fyre Festival, because while they didn't run a very good festival, they did sell it with conviction, even though it was a pretty bad idea. Sometimes you have time to create your pretext. Sometimes you don't. When you make it up on a whim, just sell it.

So then I started to gauge my sitters, and I asked them first, have you had a reading before? And I tried to figure out if there were skeptics, maybes or believers. I put them in these three buckets. And I found that the skeptics were the hardest to convince. The maybes were actually the easiest. And the believers fell into two categories. Either they were complete hook, line and sinker, and one lady actually didn't believe me that I was not a psychic even after I told her. She was insisting that I had psychic intuition. So I thought that was interesting. And the other person, who'd gone to psychics for many, many years, was kind of like, yeah, I don't quite believe you've got it, and so on. So that was that.

So after I asked the question, I told them, you know, like, have you been to a psychic before? And let's say they said no, then I'd say, all right. Well, when I see things, I can't quite steer what I see in the reading, but we'll try to cover different things. If there's something that you're interested in, I can try to cover that. And also, what I see is not always entirely clear to me, so I need your help interpreting it. Right? So that was really important to set it up, and that's what every psychic will tell you. So what do we learn from that for social engineering?
I think you should get a read on your target when you start a conversation with them. And I'll give you an example of that. Let's say you're pretending to be somebody from IT support, and you've got a technical pretext. Then you might want to know how technical your target is, if you haven't figured that out through OSINT, like the LinkedIn profile. So you could say something like, hey, I'd love to help you and walk you through, but just so I know how to interact with you, would you say that you're a regular Microsoft Office user? Or do you sometimes go into the advanced settings or even drop down to the command line to do stuff? Right? So that'll give you a good reading on what level somebody is at and how careful you have to be about the technology part of the pretext. So, get a read on your target.

Then the second one is make them do the work. Let's say you don't have all the information on something that you're trying to do, and you're fishing a little bit. So you could walk into a building and say, hey, one of your colleagues asked me to fix the projector cables in the conference room. He's a nice fellow, about this height, short brown hair. Does that ring a bell? Right? Those kind of things. And then they'll say, oh yeah, that was Richard. And then they convince themselves that Richard asked you to do this. So even without doing the research, you can make them do the work by throwing something out there.

So then I went into a whole section about rainbow ruses. A rainbow ruse is something that tells you you're one thing, but you're also the opposite. It's like yin and yang, right? And people choose and kind of self-select what they feel more drawn to. So a rainbow ruse works even if you don't have an outcome at the end, kind of like a yin or yang, right?
But what I tried to do is I wanted to tailor it more to the person. So I'll give you an example here. The first person I talked to was somebody who worked in corporate communications, and she had worked for a PR agency before. That's usually a job where you're representing the company, you're wearing a business suit and you have to follow proper etiquette and all that stuff. But she was sitting in front of me in a black hoodie and with tattoos, right? So that's kind of a dissonance. So what I read for her is, there are some people who need rules in their lives to function and others that are more of a free spirit. I get the sense that you are more of a free thinker, but you can stick to the rules in your job when you have to, right? So yin, yang, but you're this, right?

Same thing for a salesperson. Salespeople are compensated with commission, so they have variable compensation, which means people in sales self-select as people that are more risk-friendly, right? Or more happy to accept risk. So what I said here is, you're comfortable assessing and accepting risk in your life. You weigh the pros and cons of risk and then make a decision. However, when you think about other people in your family and your social circles, you are more comfortable with risk than most others, right? So yin, yang, one side.

And then an engineer. From his body language and his whole behavior, he seemed like an introvert to me. Software engineers often are introverts, right? They prefer working by themselves and being left alone. So if I just said, hey, you're an introvert, that would have been a pretty bad reading. So I kind of puffed that up a little bit, and what I told him is, you know, some people prefer to hash things out in conversations, but I get the sense that you find these tedious and unproductive.
While you will get input from others, you'd much rather read up on a topic, find some peace and quiet and figure things out for yourself, right? So that's how I tailored that for this person.

So what social cues did I look for? There might be a better term for social cues, but that's what I've been working with. First of all, clothing and haircut. Look at, are they wearing expensive brands? Are they wearing sports clothing? What messages are they sending with their clothing? Then watches and jewelry are also great. Is that person wearing a Rolex? That indicates a status symbol, wanting to show what they have and what they've achieved. Are they wearing the t-shirt of a charity? You can read a lot out of people's clothing. And then the body language, open body language: are they introvert, extrovert? Do they have confidence? Do they not, and so on? You can play with that. And then I also always look at people's wrinkles on the face. Most prominently, do they have dimples from laughing a lot? Or do they have the frown lines going down the face like this? Because if you have somebody that has frown lines, you might say something like, oh, you know, other people always seem to be lucky and you rarely have luck in your life, and so that's something that's been bothering you, right? So play to their expectations. Or then you could also say fitness level, and read different things into that.

Okay. So what do we learn from that for social engineers? One thing that's great with rainbow ruses is you don't ask are you one or the other, you make a statement.
So when you put something out there, phrase it as a statement rather than a question, to show more authority and more knowledge in that domain. An example would be, instead of saying, oh, are you having any connectivity issues? you would say, oh, we are having connectivity issues at your site, right? That are likely affecting you. So then you make a strong statement, and you come across with a lot more authority.

Then also use social cues to shape your pretext. And I'll give you an example. Let's say your goal is to get somebody to press a button, right? And you've got two people. Let's take the first person. The first person is wearing earthy tones and being all touchy-feely, and you get kind of a warm sense from them and so on. So to that person you might say, you know, I feel that we should probably press that button. That's what the others would want us to do as well. So I want to make sure that we do what they need from us. So, kind of getting their buy-in and making sure that everybody's okay with the decision. Let's say you have somebody standing in front of you who's kind of ex-military, authoritative, calls people sir and ma'am, kind of thing, right? Then you might say, oh, standard operating procedure is that we press this button to ensure that the business keeps on running. Can I count on you to press that button? Right? So you can read those cues and you can phrase things in the way that people think, in their kind of value framework. All right? This advance actually worked.

So then I love to play with probability. One of the things that I did is to look up the most common first names for male and female for the 1960s to the 2000s. And if you're born after 2010, then I think you know how to Google, so you can do that yourself.
So what I did there is, when I had a sitter, I would look at their gender and pick the same gender. I knew the year from the front of the sheet. And I might even have gotten an indication for an initial from the back, because I said trace the hand, put an initial of somebody on there that's important to you. And so then I would go into a reading along the following line. So I get a strong sense of someone significant in your life. It's not quite clear to me, but I see a name starting with a J. It's someone you know well, haven't been in touch with for a while, but I know you've interacted on social occasions, and you haven't been in touch for a while, but you have thought about that and thought about reaching out. I see a Jess or Jessica, or maybe a Jen or Jennifer. Tell me, what relationship do you have with that person? Right? So here you're playing with the probabilities. I got a hit in about 50% of times. If the person said no, don't know Jen, never met a Jen, nothing, you're completely wrong about that, then, as a psychic, you're never wrong, right? You can just say, oh, I'm getting the sense that this person is really impactful to your life. So if they haven't come along yet, then just make sure you watch out for them, right?

So what do we learn for social engineering? First of all, use probabilities to shape your pretext. Let's say you are doing research on a company. You can't quite figure out what CRM they're using, but you want to use that in a pretext. You can just go to, let's say, the Gartner Magic Quadrant or some market share data, and you'll pretty quickly find out that salesforce.com is the market leader there. So you can make a bet on that being true, right? So you could say, I can't seem to be able to log into salesforce.com. Could you check if that works for you?
And if they say that they don't have salesforce.com and you are wrong, you can just say, oh, I thought you're already on the new pilot for Salesforce. So are you still on the old system? And then they're gonna say, yeah, we're still on X or something. So have multiple outs. That's also something that mentalists will have. Depending on what you say as your answer, they will have different routes they take the conversation.

Then there is another type of probability, and I call this the unexpectedly common. Some people, I think, also call this Barnum statements, after P.T. Barnum. So the first one is accidents involving water. That seems to be something that happens to a lot of people in their childhood, but nobody thinks that it happens to a lot of people, right? And also, when you have an accident with water in your childhood, it's quite traumatic for you, for your parents and so on, so it tends to stick in the memory. So I would say something like, it's not quite clear to me, but I see something, probably in your childhood, an accident involving water. What does that mean to you? And note that I didn't say it was you who had the accident. I said like during your childhood, or, you know, early on, an accident involving water. It could be in a bathtub, in a pool, could be in a lake, in the ocean, slipping on ice, an accident in the snow, like a skiing accident. It could be a lot of different things, right? So you couldn't interpret that. So help me interpret that. And for that one, I had about a 50% hit rate, which I thought was extremely high. That was super surprising. And one person told me, like, this was the first time I tried this one, and I wasn't quite sure if it was gonna work.
And this was the first person I tried this with, and he turned white and he said, oh my god, when I was a kid, this family had a child that drowned in the pool and they took me in as a child after that. I'm like, holy shit. We're not going down that path, right? So let's say some people said, no, I don't remember anything like that. And then I said, oh, you know, you were very young at the time. Make sure you ask your parents about that, right? Always have an out.

Then the other one that's kind of a nice Barnum statement that I used is a house with the digit 2 in the street number. So I'd say something like, oh, I'm seeing a house. It's not quite clear to me, but I see the digit 2. Does that mean anything to you? It might be your current residence or somewhere where you grew up or another place of significance, like a best friend or a spouse or a boyfriend, girlfriend, something like that. And so if you think about statistics, most streets, at least in smaller cities and so on, are shorter than 100 house numbers, right? So you have the 20s, which are quite prominent, all of the 20s, and then every 12, 32, 42 and so on. So you actually have a pretty high probability, and then you multiply that by all the houses people have lived in, all of the houses their friends and family members and so on live in, and you get a pretty good hit rate. And one time I said that and somebody said, yeah, I grew up in the house with the number 22, and I kind of got a little bit of a micro expression of fear and sadness. So I said, oh, I get the sense that there was some struggle at that residence, with family members or friends. And he said, oh yeah, my parents got divorced, right? So you can take it a little bit further. I didn't want to push it too hard.
I didn't want to really get into people's personal and very emotional spaces. But a psychic would do that and then really reel people in and really lock them in and make them come back and so on.

So lessons for social engineers here: use common facts to come off as an insider. For example, most companies are moving to the cloud, and when they move to the cloud, to AWS or Google Cloud or Azure, they usually pay a whole lot more in hosting costs than before, because it's so easy to spin up machines and you don't really have a good overview. So it's something that's fairly common, but people don't perceive it as common, right? So you could say something like, oh, our cloud hosting bills are much higher than expected, and they'll say, oh yeah, yeah, that's right, right? So use those kind of things to create credibility with things that people think are not that obvious but are actually fairly obvious.

So I ran a survey at the end and asked people how I did. Some of you might be familiar with NPS, Net Promoter Score; that's the thing I used. It's, on a scale from one to ten, how likely are you to recommend getting a psychic reading at the Crossroads Diners to friends or colleagues. Crossroads Diners was the cafe that we had at the hackathon. And 62% gave me a 7, 8, 9 and 10, I think it is, which is the promoters. Then 5 and up is passives. Those are neither likely to recommend nor detract. And then actually I had no detractors, which is easier when you have a free product, right? All right. And actually there's another statistic that's interesting that I don't have in the deck, but I asked people to use a slider to show me what percentage of my statements were on target versus not.
I had only one person who said I had less than 50% of my statements on target, which I thought was really surprising. One person had 100%, and the other ones were around the 60s, 70s, 80s.

So, my parting comments: please use cold reading for good, right? So hold on. Don't channel the dead or talk about health. Those were my rules for the engagement. A lot of psychics say, like, oh, in your family I sensed that there was somebody who was having trouble, I see trouble around the chest area, like in somebody who passed away, right? That could mean a whole lot of things. And if you go into that, you can very quickly get to a point where you hurt people's feelings, and I don't think that's okay. Also, I encourage you not to blame the victims. I met several people that are going to psychics, and they are doing it because they lost a spouse and they're trying to connect and heal. So in those situations, be empathetic and try to educate them. And I would recommend that you try and make sure that they don't get financially exploited. But if this is what they need to heal, fine, fair enough, right? Just make sure that they're financially okay and not getting roped into something. Or if you are close to them, you can maybe provide an alternative coping mechanism for them to get them away from the psychic, right? But don't go and tell them they're stupid for going to a psychic. I just don't think that's very productive. Then educate your friends and family about cold reading and those techniques and how they work. And use it for ethical purposes and not for personal gain.

So there are some resources. The most important resource I used was Ian Rowland's The Full Facts Book of Cold Reading. Also, I think we'll have on the slide, like, between sessions, the SE village in Orlando in February.
Ian Rowland is actually giving a training there on cold reading. So if you want to hear from somebody who's a real expert in that area and not just somebody who tried it out, then definitely check that out. He's also on the Social-Engineer Podcast, episode 109, with Chris Hadnagy. So that's a fun one. And I wrote a couple of articles about cold reading, and I'll also post the lessons for social engineers on Medium.

All right, and now we have time for your free psychic question. All right, over there, yeah. Sorry, I didn't quite hear that. Oh, how do you react when somebody is telling you that I'm just bullshitting? Well, I didn't have anybody who was completely in my face about that. But I would just say, hey, you know, it's a matter of belief, or something like that. I would just soften it and say, you know, some people are comfortable with this, some people aren't. I think it's a useful tool, something like that. But, yeah. Does that answer your question? I didn't really push it on people to tell them, like, it's absolutely real, because that was kind of the point. I was trying to debunk it rather than make them believe it. But I just started with the premise that it's real. Yeah. And I actually told people in the beginning, like, oh, I learned this from my grandmother. She's from East Germany, from Thuringia, and it was kind of passed down, all that stuff. Yeah. Sorry. Yeah, yeah. Okay.

So the question was, did I treat the skeptics differently from the maybes or the believers in how I interacted with them? Not drastically. With the skeptics, I was less hopeful that they'd believe it. And I always started with the softer things, like the rainbow statements where they self-select. Those are a little bit weaker in convincing people.
And then I kind of upped the game towards the more, you know, playing with probabilities and those kind of things. Yeah. Over here? Okay. So the question was, what's the difference between a rainbow ruse and a Barnum statement? And then what is a forward statement? A forward statement. I'm not familiar with a forward statement. But the rainbow ruse and the Barnum statement: a rainbow ruse is like, you're both introvert and extrovert, right? And you're picking which one you are closer with. Whereas a Barnum statement is, I'm taking something that's quite common. So I might say, oh, I sense that in your house there's a box of something that you've collected and you haven't had a look at it for a while, but it used to mean a lot to you, right? So that's super common. It might mean something very specific to you, and you're like, oh, this is my Avengers toy collection or something, right? But, yeah, you use more like probabilities and things that are commonly true. And by the way, at the end of the reading, I would summarize all the things that were hits but leave out all the things that I got wrong, right? Because you want to change their memory and kind of implant in their memory what you got right, so that it's more impressive when you summarize it in one go.

There's one more question there. Okay, so the question is, what do I recommend for learning about micro expressions? There is the Paul Ekman training, so it's like a $99 bundle. That's pretty good. That's a hundred bucks for a year. And I recommend that you do that not once, but every couple of months, just to refresh it, because you need to have it sink in. Then if you want to spend less money, there is actually an iPhone app called Emotions Connection. That's, I think, less than five bucks.
And that one uses actual video, so you have a sequence of five or ten seconds and you have to spot the micro expression. Sorry. Then there's one more. Actually, if you Google social engineering resources, Chris Kirsch, then I have a Medium article with all the resources that I recommend, and I have some micro expressions things there. Now, before I take one more question, do we have more time for questions, or are we good? We're good? Okay. All right. Thank you very much. I'm gonna stick around over there by the t-shirts. So if you have any questions, grab me there. Thank you.