So, hi, everyone. Thank you so much for being here in such a large group. Today I'm going to talk to you about deception for pen testers. First, let me introduce myself. My name is Laurent Desaulniers. I'm the vice president of breach detection and response at GoSecure. But first and foremost, I am a NorthSec challenge designer. It's my eleventh year as a NorthSec organizer, and I'm also a magician and pickpocket. So today I'm going to talk to you about magic, as well as about pen testing. And the question you should ask yourself is: why? Why am I here talking to you about "pick a card" and that type of thing? The truth is, my magic improved my pen testing. What I found out was that once you understand how the mind works, how you can capture someone's attention or make sure they don't look at something you'd rather they didn't, then suddenly you're better at lying. You're better at deceiving. You're better at crafting the right phishing email, one that suggests just the right level of stress without being too noisy. So basically, today I'm going to talk to you about magic and how it can make all of you better pen testers. And I felt kind of clever thinking about this, but it turns out other people had thought about it before. There is a document you can request in the United States under the Freedom of Information Act, where a famous magician coached the CIA in deception techniques. So if it's good enough for the CIA, I figure it's good enough for us. Even further back, Jean-Eugène Robert-Houdin, also known as Houdini, during the Napoleonic Wars helped Napoleon with propaganda and psyops using a trick called the light and heavy chest. That was used to convince the population that Europeans were better and that magic was real. So if we look at these things, there's a background where deception and magic intersect. So today I'm going to talk about a few things.
I'm going to talk about convincers, suggestion, repetition, "don't run if you're not being chased," managing attention, stooges and accomplices. And, while it's not exactly about magic, surveillance and surveillance detection: how to tail someone, how to surveil people, and common mistakes people make when they're tailing people. All right, so let's go. The first principle you need to know about magic is that people doubt others but don't doubt themselves. What it means, really, is that if I tell you I'm a plumber, you might doubt it. But if you look at me and think, oh, he's got this suit, the car, there's a problem with my faucet, I called someone, then you're more than likely to believe that I am the right person. So if I tell you something, you can doubt it. If you deduce it yourself, then you won't be as likely to doubt it. A convincer, really, is a game where I want to give as many hints as possible about what I'm doing here and what I'd like you to do, without actually telling you. Because if I tell you, it doesn't work. That's called a convincer. Of course, if you talk about your convincer, it doesn't work. In magic, you'll never see someone say, look at my thumb, it's a totally normal thumb, there are two sides to a thumb, here's a thumb, it's a normal thumb, look at this thumb. That doesn't work. They're going to show their hand, but the moment they say it's a normal thumb... of course it's a normal thumb. We all have two, well, most of us. So it's the type of thing where, if you need to say it, it's not as good a convincer. And if you had one rule to recall, that's the one: people are much better at lying to themselves. People don't doubt themselves, but they're likely to doubt others.
So when you're crafting phishing, you are much better off not saying something, but letting them deduce it. Believe that they're smart, more than likely, and hint at things, but give as many hints as possible. Let me give you a few examples. This one I already talked about: the lanyard attack. If I had a lanyard from, say, EY, a famous auditing firm, and I wear my EY lanyard, people will say, hmm, this guy must be an auditor. Of course. I mean, who else carries lanyards, or who's crazy enough to collect lanyards? So of course, in that regard, nobody will ever let me in only because I have a lanyard. That doesn't make sense. But it adds credibility and people build on it. Some things are even simpler, and the following attack my team did this year is the very fabled hot dog attack. Some places have favorite spots and favorite restaurants. So we found where people ate, in this case hot dogs, and we purchased the same hot dogs at the same place, and we walked in with them as they came back into the office. Now, of course, nobody will ever say, hmm, I trust this guy, he has the same hot dog brand as we do. That never happens, right? But they might say, hmm, I don't know this guy, but he works for us. Obviously, he knows our secret hot dog spot. And it really worked. People find the hot dog attack stupid, but it works. So keep in mind, convincers don't need to be fancy or complex. All they need to do is reduce the risk of somebody doubting you, because you gave a hint that you're part of the in-group. Lanyards, uniforms, the way you walk, the way you talk are all common convincers. Convincers are a way to reduce the paths in someone's mind. When there's a set of possible paths, convincers are used to remove some of those paths, to remove the one where perhaps he's an outsider. But what if instead you wanted a person to perform something?
If you recall the principle: if I tell you to do something, you can doubt it. Whereas if you convince yourself, you're more than likely to do it without realizing that I told you to. And of course, there are ethics here. But, you know, if I say, gee, the dishes are due and we may have a visit at any time, I'm not telling anyone to do the dishes. All I'm saying is the dishes are not done yet and we may have a visit. The person might be more inclined to do it without me telling that person to do it. You understand the difference? And since the desire, or the understanding, comes from them, comes from within, then suddenly they're more than likely to do it. So that's the first principle of magic: people are the best liars to themselves. Does that make sense? All right, I'm going a bit fast because we have plenty and plenty of examples. Repetition. That's a common thing in magic. The first time is exciting. The second time is normal. The third time is routine. Magicians do a thing where they show something in their hand, put it in the other hand, take it back, put it in, take it back, put it in... oh, it's empty. Why is it empty? Well, because the first time you were looking at the hand and your brain said, oh, yeah, there's something happening, but nothing happens, I take it as coming back. And I put it in again. Now your brain says, mm-hmm, I didn't catch it the first time, this time is right. But no, this time again it was true. And the third time, your brain was lulled into a sense of repetition, and then the coin is gone. Repetition is a way to build trust because it's normal. You have a model of awareness, and things that are repetitive are suddenly boring and your mind erases them. Of course, it's a mechanism to reduce suspicion, as I mentioned. For example, asking for information. You're performing a social engineering attack. You need to know something that's important. The first time is abnormal.
So suddenly, that's not when you should ask your question. If you want somebody's password, the first time you call them, don't say, hey, what's your password? That won't work. Instead, how about you call and give information, share something noncommittal, like there's a meeting about something. The first time is where they have the most attention, so that's where you should be the most mundane. The second time, you reinforce that model. So again, you're noncommittal, you're asking for something that has no impact. And the third time, then you go for the kill. By creating patterns of three, it's much, much easier. Let me give you an example. I'm really happy with this example, so I'm going to take about three minutes. We had to perform phone phishing. And phone phishing is super difficult. One, it can't be automated. Two, depending on the personality of the person, it's difficult. So we had to craft a scenario. Here's the scenario. Hello, I'm calling regarding a survey about your IT services. Do you have a minute for me? One, they will say yes. Two, it's boring. If you're having fun doing social engineering, you are failing. Most people, when they call you, they're not having fun. If you're like, hey, I'm super happy to talk with you, can I interest you in insurance? It won't work. Those people hate their lives. So be the same, do the same. So I'm calling saying, hey, I'm here for a survey, first question. On a scale from one to ten, how happy are you with the IT support? This is noncommittal; they're going to answer seven. Who cares? Question two: on a scale of one to ten, how happy are you with the equipment you're being provided? And then I give an explanation: in the time of COVID, any items that belong to you were not provided by the IT company, so please disregard those. Whatever, they give you a four, fine. Question three: on a scale of one to ten, how happy are you with your network speed?
Whatever they say: huh, interesting. What's your speed? The way it's built, the fourth question is not part of the survey; it looks improvised, like, huh, what's your speed, interesting. And when people recall the discussion, they will recall the three questions, not the "oh, by the way" that seems like an afterthought. So, what's your speed? I don't know, whatever. Oh, you don't know, no problem. Can you go to evol.don'tclickme.hackme.ca/evol.exe? We're going to run a speed test. And here's why it worked, why it's so clever. Some people knew that this was wrong. They knew by then that this was a problem. But they had said yes three times. They had committed, they had said yes, they had given information: oh, I don't like the background, or my mouse doesn't work, whatever. So they had involvement in the discussion. Once they had their arm in, it was too late to say, oh, I don't feel comfortable downloading your EXE. So we created trust, we created repetition, and at some point we did interviews and they said, I knew it was bad, I knew I shouldn't have downloaded that virus, but I did, because it would have been an awkward conversation otherwise. And I swear, this scenario is using repetition, it is using trust, and it is using what's called an afterthought, or side thought, where the important part doesn't look important. I'm going to talk about it in a minute. Does that make sense? All right, the same thing is used by politicians and pollsters all the time: the three-yes rule. If you want somebody to do something, ask three questions that will end with a yes. Are you using Windows? Yes, cool. Do you work at this place? Yes, amazing. And are you having IT problems? You want a yes, but by creating three questions that end with a yes, people are more likely to also start with a yes. Does it work all the time? Of course not, but it really, really works, and politicians and pollsters use it all the time.
Some famous German politician in the 1940s was very famous for using this rule. Now, the whole reason I started this talk was because of the following situation that I'm going to share with you here. The magic principle is called "don't run if you're not being chased," and what it means is this. We're doing an intrusion at a site and we're saying we're a plumber, and we get caught. There's somebody challenging us. If I say, I am a fourth-generation plumber, my mom was a plumber, she went to the International Plumbing Institute, my father is a copper plumber, I'm such a legit plumber that I named my dog Gasket and my first kid is going to be called P-trap... well, you know, most people don't talk like that. Most people, if I ask, are you a plumber? They're going to say, yes, I am a plumber. That's it. They're not going to talk about their kids or anything. But pen testers often feel guilt. Deep down, we're good people, and we're told that lying is bad. So since we're feeling guilt and there's risk, we want to over-explain, and that's a common defense mechanism. We all want to be good people. So, of course, naming your kid Gasket is a bit of a stretch, but the idea is still this. Often you're going to see pen testers especially over-explain. Whereas just saying "I don't know" is such a powerful phrase. When you're asked what you're doing here: I don't know. And often the person will have to do the processing on their end. It's like judo. You're using their cognitive power against them. I don't know. Oh, you're here for this. Yes. But you need to pause. When you say "I don't know," stop. People will fill in the blank. These are the type of things where, if you run when you're not being chased, you're going to look suspicious. And I've seen this over and over in physical pen tests.
So again, you must be comfortable and not feel guilt when you're lying. Now, how do you do that? How can you avoid feeling guilt? It's easy, like everything else: practice. Next time you're in a taxi and you don't have kids, talk about your kids. Mine are two and four. Don't lie to people who are important or who you're going to see again; that's not going to work. And don't invent things that don't make sense. Nobody's going to be like, oh, I'm an ex-Marine and now I'm an Olympian. It won't work. That's not going to happen. So be mundane. You work in an office? Talk about how life at the factory was difficult. Or perhaps invent that you're a fax repairman and business doesn't go super well, except in hospitals. Find something and learn to lie, and you'll find out that people don't care. It's a super sad story, because we're all unique snowflakes, but when you think about it, most people you'll never encounter again in your life, and they don't care. But you need to practice lying. You need to practice giving just the right level of information. Taxis are wonderful because you meet people and you'll never meet them again. You need to learn about lying and understand that all this over-explaining comes from guilt. Keep things simple; I'll re-explain. Now, managing attention. There's this amazing book, difficult to find, called Leading with Your Head, that explains how the attention model works. There are things called active versus passive positions. If I'm talking with you like this, you know I'm interested. You know I'm looking at you. Whereas if I'm like this, I might be listening or thinking about whatever I'm eating tonight, right? It's just my body language. So the idea is that people will care when you care, and people won't care when you don't.
So if you need to copy a card or something and you're like this, well, of course they might feel something's wrong, right? Or if you're giving information and you want them to focus on something, look at them; be active in your posture. Whereas if you want someone not to look at something, don't look at it. I've often seen people copying cards and being like this and looking. Of course people are going to look where you look. We're humans; we look at people's eyes. So if you want to emphasize something, look at it. If you want people not looking at it, don't look at it. It appears very obvious, but it's not so obvious after all. Then you need to keep in mind what is called the bubble of attention. Quick question: what is more worrisome, somebody behind you or somebody in front of you? Behind, yes. You can talk out loud, by the way, I see you, but just in case. So yes, people behind you are more worrisome than people in front of you. So obviously, if you want to not be a threat, you should be in front of them. Now, what's more worrisome: somebody in front of you or somebody next to you? Next to you is less worrisome than in front, in theory. And what's worse: somebody going toward you, or you going toward them? Well, if I am going toward someone, it's less threatening than if that person is going toward me. So when you take that into account, if you need to clone a card or pick a pocket, you are much better off if you understand that model, so you can be in the right place. My favorite spot is escalators. Because when you're on an escalator in a non-active position like this, cloning a card, you're not a threat. You're on the side, you're not moving toward them, they are moving toward you. And the fun part about an escalator is they can't go back. So it's pretty nice. Elevators work as well, and doorways. But we've all seen the TV series where there's a cloner that hides behind a guy like this, trying to clone a card.
And everybody finds it really weird. Try to avoid these things. When you know how people perceive what's around them, just take care to know the bubble of attention and know where and when to attack. Yes, I worked super hard to find a Sun Tzu quote, because it's obvious that all cybersecurity conferences should have a Sun Tzu quote. And this one is: the hand concealing the object should be dead to you. So really, if you have something important in your hand, like a Rubber Ducky... real thing: I got into a high-security place where they patted you down, and I had a Rubber Ducky in my hand. And they did pat me down. I was like, sure, pat me down. I felt like such a spy, but in the end I just stopped looking at it and they didn't care. Oh, by the way, if you're breaking into a high-security place, they're going to look for cell phones and cameras. You know you're allowed to have decoys, right? And they never think about it. They're going to say, do you have a laptop? Say yes. You're allowed to have two laptops. They don't know about it. And decoys work very, very, very well, by the way. And have cheap laptops, because often they're going to expect you to come back to get it. So find the most broken, super outdated laptop. I'm a Marketplace guy. And leave that laptop. They'll know you will come back to get it, because it's an expensive item. And then you're free to roam. So when you're breaking into things, think about having decoys. Anyway, that's a side note. Active versus a relaxed state. I just want to explain again that if it's important to you, you should be active, and if it's not important to you, you should be passive. And use the attention model to know exactly when to attack. Actually, you should be the opposite: you're doing something at that point? Well, then you should be in a relaxed state of mind. You should be in a relaxed body.
Because of course, if you're like this, people are going to feel stressed. And it's about position, words, tone of voice, and all these things. There's this amazing book called Psychological Subtleties by Banachek, where you can read all about this, or Leading with Your Head by Gary Kurtz. It's only about this. As a side note, Gary Kurtz was a dancer before being a magician, so he's an expert on the body. He has a 300-page book about all the subtleties of position and how to use your hands to convey things. It's really nice. Stooges and accomplices. Spoiler: in magic, sometimes we have things called stooges and accomplices. An accomplice is somebody who's on your team and whom whoever you're trying to con doesn't know. The first thing they always do in magic is say: we've never met, we've never seen one another. Of course, the accomplice is expected to say no, but why are they all saying we've never met, we don't know one another? Because two people build trust. If you're able to have an accomplice, it's amazing, but accomplices only work as long as it's not obvious you know one another. If you say, hey, how are you, nice meeting you, then suddenly you're not two teams of one but one team of two, and then you can't leverage accomplices. Now, in what kind of pen testing do you use accomplices? Of course, if your client lets you in, it's easy. But say you're able to get in once using one person; then you can privilege-escalate by suddenly becoming an internal employee and opening the door for somebody else, saying, hey, you're a new person, by all means register. So now you're able to bring your own team inside the premises, because you're now an insider and you're enforcing the rule of having people sign in, and since you're there you can even request a badge. So being an accomplice only works if it's obvious that you're not working with the person.
So that's called an accomplice; it's very much used in magic. But there's something much cooler in magic that is not well known, called stooges. Stooges are accomplices who don't know they are accomplices, and this is really nice. Let me give you an example, and I'll talk about it in the next few slides. I came into a pen test and said, I'm here for the audit. Now, the first person expected me to be an auditor. So that person brought me to the auditors. And that person wanted to tell them that I was here for the audit. But the auditors know that they don't have an ongoing audit, right? So I'm kind of stuck. What do you do in these cases? There's this amazing magic principle you can use called double talk. Double talk is when you're saying something and both sides understand something different. When I'm saying I'm here for the audit, the person at the reception hears, I'm here as an auditor. Whereas the auditor believes that I'm here to be audited. I'm using the same words. I'm saying I'm here for the audit, but the two people hearing it understand something different. Does that make sense? It's an amazingly powerful tool. I'm giving you a very, very simple example about audits. But when you can have somebody on the inside understand something, and that person can now carry your message to somebody else, then you're leveraging their trust in order to get in. So that's something super useful, and it's called double talk. Now, unless you're exceedingly witty, it's very rare that we see people being able to do double talk like this. It requires some practice, but it's a very, very nice tool in that regard. Now, I have about four more minutes and I want to talk to you about surveillance. Because recently I've been privy to people doing surveillance, or tailing people, and I want to give you a very, very good example. What is wrong with this picture? No one?
Well, first, yes, people are doing this. Now, if you ever have to do surveillance, please know that you don't need to do this. In movies they do, because they want you to see it, but you don't need to. Often you can just talk and it'll work. And it's very obvious. When you see people being trained at surveillance, they will all have the reflex of doing this. There's another problem with this picture; what is it? Yes, exactly: there's this little earpiece. You don't need an earpiece. Now, the earpiece is so small it goes inside the ear, and there's an induction loop in your collar so there's no wire; it's just radio. But more than this, again, in movies they use cell phones and so on, but you can't always use your cell phone. If you need to talk to someone in surveillance, there's something called a pressel, or a PTT switch: press to talk. The way it works, roughly, is that since you can't talk, you need to have an operator asking questions. So often three beeps means "ask me a question." I have the pressel in my hand; it's like a little beige button, basically. And I'm going to press three times to say, ask me a question. And the operator will say, is the target moving? I'll press once for yes. Is the target going west? I'll press twice for no. Then east, twice for no. Then north, yes, and so on. So it's not like in the movies, and people need to be super worried about surveillance. The way they're doing it is really bad, and you're going to see pros doing something like this. But it still is about magic. If you care about it and if you look at it, people will look at it. So now, if ever you're lucky enough to do surveillance (it's really boring work, by the way), just relax, don't touch your earpiece, and behave like normal. There are lots of things I'm out of time for, so I'm not going to talk about clothing and techniques and counter-surveillance. Talk to me over a beer if you'd like.
But it's something you shouldn't need to know. In the movies, it's totally wrong. Yes, I said this. And finally, references. The CIA manual of deception: this is something the CIA wrote with magicians. Leading with Your Head, I talked about it before. Psychological Subtleties. Sleights of Mind, which is amazing; it's neuroscientists looking at deception. And the book Influence by Robert B. Cialdini, a psychologist who wrote about how influence works. It's a really, really good book. Thank you so much for your time. You've been great. Have a nice day.