This speech is on social engineering, and I know a lot of the topics that you've read on social engineering say it's like the art and science of getting people to comply with your wishes. They say that we use psychological tricks, but I mean, there's nothing psychological about it. We just use your weaknesses. We can get passwords, phone numbers, credit card numbers, social security numbers, pretty much whatever we have to, depending on where we sit and where you sit.

Security is all about trust: trust in protection. Generally agreed upon as the weakest link in the security chain, the natural human willingness to accept someone at his or her own word leaves many of us vulnerable to attacks. Many experienced security experts emphasize this fact. No matter how many articles are published about network holes, patches and firewalls, we can only reduce the threat so much, and then it's up to us. Well, up to Maggie in accounting, or her friend across the hall dialing in from a remote site, to keep the corporate network secured. They'll never know it hit them until the attack is over, and maybe even then they don't know what's going on.

Targeting your attack and attacking your host. The common goal of social engineering is to gain information. The specific motive of a social engineer may be a hard item to determine: he could be looking for information for personal gain of knowledge, or in the most extreme cases, corporate espionage. Most companies do not like to disclose the fact that they were a victim of a security compromise. This is something an attacker would gladly exploit. The goals of social engineering can range from gaining unauthorized access to sys... Hold up for a second.
I went back to the top. ...systems and information, either to satisfy personal curiosity, or even to commit fraud, network intrusion, industrial espionage, identity theft, or even just to disrupt a network service. In all aspects of social engineering, the attacks are done against the weakest links of the organization: the people. Typical targets for attacking include telephone companies, answering services, internet service providers, well-known companies, financial, military and government agencies. Although the internet boom has had its share of attacks on small startup companies, generally focus is placed on larger corporations. The bigger the company, the easier it is to masquerade as someone in another office of the corporation. Utilizing large corporations and attacking a busy department could yield small treasures of information that could not only further your information gathering, but may provide you with the exact information you were looking for. Asking questions at a busy department can provide answers, especially when they want to get off the phone and get back to an important project, or just go out and smoke a cigarette.

Attacking from a phone near you. Finding a prime victim may prove a bit difficult, but it really just depends on the attitude of the person you're talking to. Most people are just rude on the phone, you know, and especially if they don't want to do, like, small favors or anything like that, they're just real tough. You can either just give up and try finding someone that's a little bit more vulnerable to social engineering, or you can push yourself a little bit harder, practice a bit more, and see if you can put the guy in a better mood. Does this work?
All right. Some other methods for this: just call the place that you're trying to get information from a few times a week. Get to know the place you're attacking. See who they are, when they work, get to know their schedules, make them think that you're actually a part of the company. Once they think that you're doing a really good job with the company, the attack will just be a little bit easier.

The one thing you really have to remember when you're on the phone is you can pretend to be almost anybody you want to be, or you can pretend to be from any company you want to be. If you're going to call a place, you may not want to call them from a friend's phone, or even pay phones, because you have the noise, the disturbance, a lot of people running around. That could be a dead giveaway. That's just not a good thing to have. TracFones, like everybody goes to Walmart, you know, the little... yeah, the prepaid cellular companies and stuff like that. They're cheap, you can pick one up for like 50, 60 bucks. They're disposable, so I mean you can switch up numbers really quick, really often. It may cost a little bit in personal investment, but it's not that hard to get a hold of. And especially, being that it's disposable, if you need to dump the phone or anything like that, they melt really good.

If you're trying to call companies, don't use the general access 1-800 numbers that they give out; try to find direct lines in. The big downfall of the general access 1-800 numbers is ANI; they'll be able to pick up your number rather quickly. Finding a direct line, you know, somebody walking down the street gives you a business card, or you just, you know, from that business card.
That's a direct line in, and that's a little bit easier to get through on. And when you're doing it, it takes a lot of practice, you know. Work up: call little small companies, Pizza Hut, just to find out who the last person was that delivered a pizza. Anything just to get you into the groove of it all. Once you're into the groove of everything, it's harder for them to pick up on you. The more natural, the more confident you are, the easier things are.

Personally, I like to make my calls towards the end of the day. Everybody's getting a little bit tired, they're not thinking straight, all they want to do is go home. Everybody just wants to go home by like three, four o'clock in the afternoon. They're just watching that clock. Place a call; they're not going to pick up on little subtle things when they just want to go home. They're just going to be a little bit easier to go through.

IT staff are always told to make sure to look for these types of attacks, so you can avoid them a little bit easier. You know, customer service reps still give a little bit of information that you can use to help get what you want. HR publishes stuff right out in the newspapers, internet, websites, so they're going to be a little bit easier on giving information, especially if they think you're a job broker. When you start your attack, a great thing is like: "Hello, my name is James and I'm from AC Nielsen market research. Would it be possible for me to ask you a few questions for our statistics relating to job markets in your local area?"
Something like that, you know. You're giving a strong, confident front for them to see. When you first speak to someone, it's just like your personal appearance when you walk up and shake someone's hand: the better you look, or the better you sound, the more believable you're going to be. You can have a better rapport with whomever you're going to try speaking to. Once your target is willing to help, you just lay out your story. Do your best; if you've done your research, you'll be well prepared for it, unlike us up here today.

From where we left off: if you're explaining you're researching job markets for IT professionals, and you're curious as to what types of servers their networking department supports, if you ask the HR department about that, they're not going to have any trouble saying, "Well, you know, when we hire people we're looking for people that support Windows 2000 or Windows 2003 with XP workstations." And from there you're able to glean just a little bit more information: well, what types of service packs, things like that. You're going to get an idea of what types of systems you're going to physically attack. Once you're getting to know HR people, you can run with this ruse repeatedly, as long as you don't give yourself up. A lot of people, when they do this to other companies, they can either make up a company name or try to take on a company name.
...that's very reputable in the business. If you don't have any imagination skills, it gets really hard to start bringing this stuff up. It's like playing a role-playing game, except without the whole game part, you know; things just don't happen for you. You've got to actually go out and try to pull information piece by piece. You're not going to call up someone and have them give you every last bit of information you want in one try. You're going to have to call up three or four times, maybe, just to get, you know, an address, or a credit report or something like that. You've got to have that patience to keep working with the people. Once you enter into their world, their business, the ball is in their court. You have to be able to just bounce around and keep up with them, making them think that you're doing what you've told them you're doing. For people that know everything, or just don't have patience, or think they know everything and don't have patience, you can blow your cover really quick. And something like that, you don't want to knock at the door at three in the morning. It's just not a good thing. Actually, now... nobody's up till like six.

Networking your attack. When I say networking your attack, I mean just that: networking your resources. The more people that you have focused on the target, the better; it'll help compromise the target faster. Using multiple targets can help gain both acceptance of your main attack or story.
...either way, whatever you need to do, and it can also be used to monitor suspicion. A caller can say he's from ABC Computing and he's sending a repair technician in to install a firmware update, or that he's from XYZ Company and they're sending a courier over to pick up some packages. When inside the building, the courier can call the base attacker to confirm whatever, or the target can call back to the base attacker to confirm whatever story, helping give your story authenticity. Physical attendance is not recommended, obviously, but under extreme circumstances it may not be avoidable.

Here's a couple of examples of various attacks. I would be the target and I'm going to play the attacker.

"Hello."
"Hi, this is Jack in HR. Who may I speak with?"
"This is Jane in accounting."
"Hi, Jane. We have been having some issues in contacting the accounting database to pull a few user files. Have you been experiencing any connectivity issues over there?"
"No, everything is running smoothly."
"Okay. Well, we have been fighting this thing tooth and nail..."

(No, it's fucking dying. There we go. All right, did you see that? Yeah, my battery is dying.)

"All right, I was wondering if I could have you forward me the files for Joe Public." You know, it could be for whoever. "Or could I have someone come in and pick it up, whatever works for you guys over there."
"Sure, I can get that out. Where do you want me to send it to?"
"Can you email it to me?"

Tell them to email it to whatever your email address is. You might want to use a fake email address; don't use your real email address. This attack would be good for, like, later in the day, people rushing trying to get home. That'll further give your story authenticity, you know: "I'm trying to get out of here, I can't access it, I got to get it done before the day is out," etc.

Example number two. Shit... yeah. Oh, yeah, I got power now. I'm good to go.

"Human Resources, this is Chrissy."
"Hi, Chrissy."
"This is Greg in the parking garage, you know, the access cards used to get into the parking garage and elevators. Well, we've had a problem, and we are reprogramming the cards for all the new hires from the last 15 days."
"So what do you need? You need their names, or..."
"Their phone numbers."
"And their phone numbers. I can check the new hire list and call you back. What's your number?"
"I'm at eight seven... I'm going on a break. How about if I call you back in about an hour?"
"All right, that's fine with me."

And after giving, like, the needed time, obviously, for your story, then calling back:

"Oh, yes. Well, there's just two: Sammy Self in Finance, she's a secretary, and then there's a new VP, Mr. Tanner."
"And their phone numbers?"
"Right. Mr. Tanner is 3423, Sammy Self is 2432."
"You have been a big help. Thanks."

And after you get off the phone with somebody, just don't blow them off like, "Okay, thanks, you gave me what I wanted." Just be nice to them, because if you do something like that, they're all going to be like, "Okay, that was really, you know, stupid." They might have a tape recorder or something. So you want to be nice. Yeah, it's good to be nice. Yeah, nice pays off.

That's example number three.

"Finance, this is Sammy."
"I'm glad I've found somebody working this late. Listen, this is Robert Walls, I'm publisher of the business division. I don't think we've been introduced. Welcome to the company."
"Oh, thank you."
"Sammy, I'm in Nashville and I've got a crisis on my hands. This will only take about 10 minutes of your time, I'm sure."
"What do you need?"
"Go up to my office. Do you know where that is?"
"Nope."
"Okay. It's the corner office on the 13th floor, room 1337. I'll call you there in a few minutes. When you get to the office, you'll need to press the forward button on the phone so my call won't go directly through to my voicemail."
"Oh, sure. Okay."
"I'll run up there now."

You know, once she's in the office, the attacker can have Sammy do whatever: launch all sorts of attacks on the computer there locally, ranging from forwarding emails to installing remote access Trojans. Within 10 minutes of the original call, the attacker can have her in the office looking around. Another call back to the office can further instruct her on whatever you want, to further help infect the machine. Once you've done this, it'll let the attacker have full access to the system. The backdoor will be in place, and nobody will have a clue of what's going on. Some backdoors have problems working on LANs, so you need to try something like Assassin from Evil Eye. I think Sub7 is working on NT now. Yeah, there was a release for it. Once you get her to execute the program, that's pretty much all you need. Tasks like restarting the computer, pillaging through files, moving files, deleting things, that can all be done remotely. So once it's installed, you have everything from there.

This is how most attacks happen. There's nothing really anybody could do about it. Whenever a backdoor application is released to the computer, the hacker on the other side has pretty much a hundred percent control of whatever goes in and out. This will let the attacker do whatever he likes to the computer and LAN. Most attacks are not reported; you don't hear about it, due to half of them not even figuring out what's actually going on.

This is extremely short; a very large part of this presentation was live calls, and we have no... Ah, yes. Something out with a phone or something. Yeah, we have a special guest with us. He's a writer from 2600, Lucky225.
He's going to be talking about various attack methods and a little bit of stuff about social engineering that we haven't touched on, and then we're going to get your guys's questions.

All right, this is my gun. Yeah, social engineering is like, basically... ha ha ha. Testing. All right, is that good enough? All right. Yeah, but social engineering comes in handy a lot, and like they said about if you call an 800 number they can get your ANI, but I mean, if you social engineer the phone company you can spoof your ANI to anything you want. So you can make it look like it's coming from an inside call from the company, and that gives you even more authenticity. And as far as personal information goes, like, a couple months ago my girlfriend got her car stolen, and our cell phone was in it, and the police basically did not want to do anything else to help us find the car. And so they'd been using our cell phones. I just looked at all the phone numbers and did reverse lookups on them, and they had also called a couple of hotels in my local area. So I went to the hotels and I social engineered them into giving me PBX call logs of the room numbers.
...they were in, and I found out that they had been calling other numbers that were also on my call detail for the cell phone. So I pretty much had all this information to nail them, and I gave the call records to the police and told them they're staying in these hotels and they've also made calls to phone numbers that are on my stolen cell phone from the PBX at the hotel, and the police still didn't do shit. So, you know, they basically said I was invading their privacy, when they're stealing my car and my cell phone. Well, I figured I'd have some more fun with the people that stole my car, but anyways, it comes in handy for stuff like that.

And if you need people's personal info, if you have like one item of information, that's basically all you need. Like if you have an address, you can call a pizza place and say... or I mean, if you have a phone number and you need their address, you can call a pizza place and say you're making a delivery. "Sure, what's the phone number?" And you give them your phone number, and they go, "All right, and you still live at 1337 Crystal Court?" "Yeah, thanks." You know, and then your next step is to call the electric company and get some more information on them. I mean, there's attacks you can do to get social security numbers: call up utility companies, and if you can verify enough information, tell them, "I'm trying to log on to do online billing and it keeps saying my social's invalid." "Really? The one we have on file is 585... is that yours?"
"No, but I'm sure it is." So I mean, there's all sorts of things you can do, and basically it comes down to people trusting you and you giving off a good front. If you've ever seen the movie Catch Me If You Can, that's a good in-person social engineering movie, and even though it's set in the 1960s, a lot of that shit still works today. So basically it comes down to human trust. You've got all sorts of targets: banks, utility companies, anyone who has information databases and people who have access to it without verifying information. I mean, you really can't verify over the phone. You have to have people come down in person and show ID; that's really the only way you can do verification. I mean, like, banks let you set up accounts just using a social over the phone and using some mail forwarding. But, you know, for my bank account I don't even give them my social, and basically it's better, because if someone tries to social me, my social is not on file. My TransUnion credit report doesn't have a social security number on it, and basically it's better because you have to go to the bank and show ID. That's just more secure. I don't see why everyone trusts information over the phone or online when you're not even showing any authenticity. So, yeah.

All right, if you guys have any questions about our speech or whatever, or you just want to figure out some more stuff about social engineering, you can ask us now. We have some time left. Yeah, we got plenty of time. So, all right.

Well, do you mean in person or over the phone? Well, I mean, over the phone, getting credibility is really easy. You just find a phone number that's listed for them, have the phone company forward it to like a loop number (all the phone phreaks have a lot of loops for you), and then just have them say, "You know what? This is our main number, it's listed in the phone book."
"Give me a call back." Give us a call back, and then they can verify that I'm out on a call for you, you know. All right, I'm sorry. In person, basically it comes down to, you've got to show some credentials. You know, just make a photo ID in Photoshop that looks legit and laminate it.

All right, does anybody else have any questions? I'm going to the louder mic. All right.

Yeah, that really helps, because people don't shred their stuff before they throw it in the garbage, and that's just more information to deal with, you know. Actually, you brought up something really good. If you're out dumpster diving and a cop comes up wondering what in the world you're doing in this company's dumpster, you're going to have to make this cop believe that you're actually down in there picking up boxes for a friend that's moving, or that you lost your cat and it just somehow jumped inside of this locked dumpster. When you're dumpster diving, you always run the risk of having to think on your toes if security or even another employee is walking up.

All right, the guy in the back with the black shirt on, the sunglasses on top of the head. Yeah. Yeah, it doesn't have a speakerphone. Yeah, and nobody has an FM transmitter, unless you've got the stuff in your backpack; I've been asking people that all day. Feedback; it's going to cause too much feedback, and there's RF. Yeah, mm-hmm. Plus... yeah, that one. All right, we've got that phone up here still. Sorry. Yeah, I wish I could do that. Does this look new to you? What is that, man? It's like... You guys are going to have to be really quiet, I mean super quiet, no joke. Yeah, let's see.

"...gas leaks, or if your presence is required for a service appointment, you may request... One moment while we transfer your call."
"Hello."
"Yeah, can I check my account balance, please?"
"I'm sorry, hold on one... can you speak up a little louder?"
"Let me give you my service address."
"It's 4541 Foster Way, Carmichael, California." "I'm sorry, what?" "No, I'm sorry, what... my name is Adam Watts. My name is Mr. Watts. Um, let me try my other house. It's 4809 Foster Way." "Yeah, 4809. Okay, and you're Mr. Watts?" "Yeah." "I don't have... what?" "Okay."

Well, see, I didn't verify with PG&E; I did this on pizza, because I only had 15 minutes to look up some info.

"Yeah, hello, I'd like to make a delivery. Yeah, my phone number is..." "I'm sorry, what? Your phone number?" "Yeah, four eight nine, three seven two five." "Three seven two five. Yeah." "Yeah, that's where I live, and it's under Watts, right?" "I'm sorry?" "And it's under the name Watts." "I'm sorry, who? Amy... Annie..." "Hey, and why? And what's the last name?" "All right, thank you."

All right, so it must be under Amy Watts, if any girl wants to come up here and try and social PG&E. But basically you'd call up; if we didn't have the phone number, we'd call up PG&E like I did before and give them that address and say we want to check our balance, to make it sound legit. And then you just tell them, "Yeah, I tried entering my phone number on the automated system and it didn't bring up the account, and it transferred me to you. Could you just verify what phone number I have on there?" And they'll be like, "I have nine one six, four eight nine, three seven two five." "All right, thanks very much." And, you know, even if it's an unlisted number, there you go.

Any more questions? Yeah.

That's why you should have someone call ahead of time and tell them that someone else is coming, that way they can expect it, and, you know, talk to the person up front, because the people at the front desk are usually a little bit dumber and they'll let you do it. And if they don't, just have them contact the person that you called before and be like, "You know, my boss said he's going to send me down here."
"This is a quick 30-minute job, and I've got another call, so I really got to get out of here," you know, and then they'll probably let you in, and if they already spoke to that person... I think actual appearance does have a very big play. Like, say if it was me versus Alex (Critical Mass): if Alex was to go in, or if I was going, you know, with my mohawk up, they'd probably believe his story and give him a little bit more credibility than they would me. Yeah, the nice clean-cut looking young man, which I am not. So... but we always rip on him.

And obviously, though, when you go in person it's a little hard, because you've got to show credentials, and that's why you shouldn't give information out over the phone. If something sounds sketchy, you should have the person come down in person and show ID. I mean, if they went through that much trouble, they're probably going to get it anyways from somewhere else.

I don't want to interrupt, but I just got notice we have a very special guest here, and it's even more special, especially since a bunch of people have left, so they're really going to miss this. I want to thank the man that's coming up to save our asses right now: Mr. Kevin Mitnick.

Everyone, I'm not prepared with anything, because this is just right off the cuff, but social engineering sometimes is really about doing things right off the cuff. God, I can't even... do you have any water? Yeah, thanks. So what I'm going to do, since I'm not even as prepared as I thought, is give you some good examples from my history. Since I'm not profiting from this particular talk, I can talk about anything. Normally, when I do my normal public speaking, I can't talk about my personal exploits, because I'm not allowed to make money for a period of seven years from the time I was sentenced on anything to do with my personal exploits. But if I'm not profiting, like today, to make it clear, because I'm sure there's some federal agents in the audience here, right?
Anyway, I'll tell you a little story. Several years ago, past the statute of limitations, I found a vulnerability at NEC. They had a firewall system that was running under Unix, and I found a vulnerability in their SMTP, and I was able to exploit that vulnerability and gain access to their internal network. But there was a particular system that I wanted to get access to, because that's where the source code to the NEC phones was, and I wanted to get access to the source code to see basically how these phones worked. So, remember fingerd, when everybody used to run fingerd and you could do a finger on a host and you could see the people that were logged in? So I ran finger on this particular host, and of course it listed the people that were logged in, and there was a guy logged in. It had his name, his telephone extension, what department he was in. It was real simple, right? All the information was there.

So I call this guy up on the phone. I say, "Hey, this is Bob over in IT. I'm calling about that problem that was reported." Because I didn't report a problem, I go, "Well, do you work with Langford?" Because I did a little bit of research and I found out the names of other people in that department, which all good social engineering attacks do: they actually do have a research phase, which I'll talk about in a minute. So he goes, "Well, he's not here right now." So, well, great. "Have you created any files that begin with a dot? Because that was the problem people were complaining about: they create a file beginning with a period and it wouldn't show up." And the guy goes, "Why would I create a file with a period? I always use file names." I go, "Well, do you have a .rhosts file?"
The guy goes, "What's that?" I go, "Well, I'm going to show you." So I have the guy fire up, I think it was ed, under Unix, ed. I said, "Well, let's test this out and see if this is failing, if we can't create files with a period, because this is a serious problem that we have to look into." So I said, "Well, let's make it easy. I'll just have you put in two plus signs, separated by a space." So he does "+ +", and I have him save the file, of course. I said, "Well, listen, this is the test. Do you know how to do a directory command in Unix?" He goes, "Yeah, ls." I go, "That's exactly right, do an ls." He did an ls, and of course I go, "Did the file show up?" He goes, "No." I go, "Oh, so we're still having the problem. Well, I'm going to have to work on this for a while." And meanwhile I'm now logged into the host, right? "I'm going to have to work on this a while, and then I'll give you a call back," right?

So, everyone here, you know, gets that kind of attack, right? This is where people don't understand the consequences of what they do. Because this guy wasn't that computer literate with the Unix operating system, he didn't realize that by creating the .rhosts file with two plus signs he's basically allowing the world into his box, and that was because he didn't understand.

So, does anyone out here in the audience know the three primary reasons why social engineering attacks work so well? No? Well, it's true, there's no patch for stupidity. You can't go to Windows Update and download it. No, three things. One: people aren't aware of the threat of social engineering, right? They don't know there's people out there that are going to try to manipulate and deceive them, right?
Two: people don't understand the value of information. This is how clever attacks are actually created: the attacker calls different business units and different departments within the organization or the enterprise, and obtains bits and pieces of information that are innocuous: an employee number, a telephone extension, an email address, the name of the guy in the mail room, the woman in accounting. He gets all these little bits and pieces of information that are innocuous, and when you take this information and combine it together, well, now you've got kind of an inside look into that enterprise, right? You know a little bit about it, so you have more credibility when you're speaking with somebody on the inside. And that's what social engineering is really about. It's really the art of manipulation and deception: getting people to comply with a request, whether that request is to reveal proprietary information or to do some sort of action, and when they do that action it lets the attacker in, like for example creating the .rhosts file.

I remember when I was a fugitive, I lived in Denver, Colorado, and I worked for a law firm for about a year. Of course, I wasn't using the name Kevin Mitnick at the time, because it would probably have been easy to find me, so I chose the name Eric Weiss. Does anybody know who Eric Weiss is? Harry Houdini, right? So I worked in this law firm, and one of my co-workers handed me the new brochure that Motorola had out for the MicroTAC Ultra Lite phone, and I thought that was a cool damn phone. At the time I was into cellular technology. I wanted it. I wanted to know how these phones worked.
I was very interested in the protocols, and I was interested in getting access to the firmware. Of course, we know there's two ways of doing that: looking at the source code, or reverse engineering. Well, I figured getting access to the source code would be faster. So it was around three o'clock on this one afternoon, and it was snowing in Denver, and on the way out of the office I powered on my Novatel PTR 25 cell phone, which had some special firmware on there, and called 800 information and asked for the telephone number to Motorola, and the nice information operator gave me the phone number. So I called up the 800 number and I said, "Hey, this is Richard Salisbury. I'm on the Arlington Heights campus at Motorola. Can you please tell me who is the project manager for the cellular subscriber group?" So I got transferred around to a couple of people, and I ended up at somebody at the executive level that deals with what they called the Pacific... God, it's been a long time... the Pan-American Cellular Subscriber Group. And I talked to this executive. He says, "Yes, I'm actually in charge of the whole cellular subscriber division." I said, "Well, listen, I'm over in the Arlington Heights engineering group and I need to talk to one of the engineers. Who's the project manager?" So he didn't feel there was any harm in giving me the information, so he told me it was this lady named Pam Diller. I go, "Great, thank you very much." So I call Pam, and the phone rings once and I hear this voicemail message, and Pam says on her outgoing greeting that she is on vacation and she'll be back on a date two weeks into the future, and if you have any problems or you need any help, to call Alicia on extension blah blah blah. And I'm thinking to myself, this is a great foot in the door. So I call Alicia and I go, "Hi, did Pam leave?"
I go, hi, this is so-and-so (I forgot what name I used at the time) with Arlington Heights engineering. Did Pam leave yet? Because she was supposed to send me something. She goes, oh yeah, she just left a couple days ago. I go, you've got to be kidding. Do you have her cell phone number? And she goes, yeah, but she's out of the country. I go, my god. Did she tell you about the project we're working on? She goes, no. I go, oh wait, because she was supposed to send me the latest rev for the MicroTAC Ultra Lite release, the latest source code rev. She goes, oh, I can help you. I go, okay, great. But she knew what server the source code was on, but she didn't know specifically how to get to the newest release. So I was on the phone with this woman for a good hour trying to help her, because I found out it was an HP-UX Apollo system, trying to help her find the code, and I didn't know anything about their structure, right? Eventually, in Pam's account there was a little script that allowed you to extract the latest version of the source code. So then the next problem was, well, she has access to it, but how do I get it, right? So I had to talk her through how to use tar and compress so we could make it into one little file. Then I said, well listen, why don't you send it over to me at Arlington Heights? Let's do FTP. So I had her fire up FTP, and in the process of doing this I'm going, wow, I've got to think of an account I have somewhere. So I actually had several accounts at Colorado Supernet, which was an ISP, and I'm thinking, man, this is going to be a problem because I'm not on campus there and I don't have access to a system there. So I said, well listen,
we're having problems with our DNS server, so what I'm going to need you to do is to open... and I gave her the IP address rather than the host name, right? Because if she didn't realize that that IP address wasn't mapped to a system on campus, she wouldn't have been the wiser. Well, she did check, and she opened a connection and it wouldn't open; she couldn't open an FTP connection outside Motorola, right? So I go, wow, something must be wrong. She goes, well, hold on, I'll find out what's wrong, and she puts me on hold. I'm going, shit. Because now she's going to check with somebody else, and that's exactly what you don't want to happen. So about five minutes later she comes back to the phone. She goes, oh listen, I just talked to our system manager and this is a big security issue and we can't connect to systems outside the campus, or something like that, but he showed me a way that I could do it through one of our proxy servers. I go, well, he's a great guy, great. So she fired up the proxy server, right, and I had her connect to the IP address. I recalled a name and password, and mind you, I left my office around three o'clock; by the time I got to my front door it was around 3:17, 3:18, walking home from the office. By the time I put the key in the front door she had already transferred the compressed tarball of the Motorola source code. And why did that work, right? You have to ask yourself, are people really that stupid? And I don't think people are stupid. There's two types of thinking that clever social engineers could use. People either think systematically or heuristically, right? Systematically is where you think logically about what somebody is asking you to do or asking you for. You think about the logical argument: does this really make sense? And then there's the heuristic mode of thinking. This is where people are kind of what we call lazy thinkers, and we could use things called mental cues to trigger them, like
psychological triggers, to trigger them to comply with the request. And for those that have looked at my book, The Art of Deception, I discussed those cues. Really, there are 40: there's reciprocity, liking, scarcity, social validation, and consistency. So I'll give you an example. Ten minutes? Okay, I'll wrap this up. Reciprocity attack, right? How many of you have heard of what we call the door-in-the-face technique? It's a psychological technique you hear in Psychology 101. This is where you ask for something out of the ordinary. That's a huge request, right? For something that somebody is not going to do: hey, I need you to send me a copy of your whole hard drive, or something just ridiculous. That's not going to happen. Well, of course the person's not going to comply. They're going to basically say no, you know, they're going to find an excuse not to agree with your request. So then when you ask for something smaller than the original big request, that's what's called your compromise. You asked for something big and they declined, so you say, okay, since you can't do this, can you do this little small thing? Can you download this piece of software and test it for me and just see if it runs for you, or something very simple, right? And people will reciprocate with your compromise and compromise themselves and agree to the smaller request. That's called the door-in-the-face technique. So how does an attacker use reciprocity? The attacker might call different departments within the enterprise, right, and say they're with the help desk or with IT, and say, I'm calling back on a case of trouble that was reported. And 50% of the time you're going to get somebody that has a problem with their computer, right, in Outlook or something to do with their system. Let's say you don't. So you're with the IT department, you're calling from network operations.
There's a problem, and you walk the user through their normal steps of signing on the system, or whatever they normally do during the day, to verify that their system is okay. Okay, so now you did that person a favor, and when you do somebody a favor they usually like to reciprocate in kind, right? So they'll do you a favor. Say, okay, well, great, I'm glad we got your system up and running, you're not going to have any problems today, and by the way, before we go, I need you to do this small request. But that small request is something that lets the bad guy into the system, and stuff like that. So since I don't have that much time, I just wanted to go over a little bit about a couple of my own stories and a couple of the psychological triggers that people use. The other one, the biggest one by the way, before I go, is liking. This is developing rapport and trust with the target. If the target likes the person that is speaking with them over the phone, for example, the more likely they are to comply with the request. What does liking involve? That's where you flatter somebody over the telephone, or if it's a female, if the person perceives that they're attractive, they'll comply with the request. Or if the attacker is able, through their research, to determine that person's hobbies and interests and where they grew up, because now the attacker, through first doing the research, could be from the same area, went to the same school, has the same hobbies and interests. When people have similar interests, you like other people that have this, you know, like we're kind of all hackers, right? So other people that are computer enthusiasts or hackers, you feel like you automatically like them in a way and you're more likely to comply with what they want you to do. So I don't know what else, since this is not a prepared talk, to talk over, but if you have any questions for me, I'll be happy to answer them. Again, I'm just coming up here on the fly, so I'm not prepared.
I didn't expect to do this. There's a lot to talk about on this topic. Social engineering is not just talking somebody out of their password. That's the media definition of social engineering. The clever social engineer's last resort is asking for somebody's password. There's what we call, like, man-in-the-middle attacks for social engineering. One quick example, then I'll give it back to you: a fax exploit. Let's say that the attacker wants to get particular information from an enterprise, and the best way to do that is to deceive somebody into faxing it, right? So the attacker calls up the telephone receptionist of that enterprise, maybe even another office location, and makes up some sort of pretext: hey, I'm outside the office, I have an important fax coming in, I can't get back into the office until this time and this is critical. Do you have a fax machine near you or in the reception area? Receptionists are there to help, right? That's their job. They're there to help the company get along with communications and such. In most cases receptionists have access to fax machines and they'll agree. They'll say, okay, no problem, have the fax sent, I'll hold it for you. Great. So now the attacker calls the real target within the company and uses a pretext that they need a particular piece of information or some documents faxed, and the attacker now has an internal fax number at the company, right, and they'll use another pretext to get the target to fax that information to the internal fax machine, right? So now it's on the fax there at the reception area. So then after that transaction's complete, the attacker calls back to the receptionist and tells the receptionist, hey, listen, I ran late in the sales meeting,
I have to run to another meeting, or whatever, and now has the receptionist fax that fax over to something like eFax or Kinko's or whatnot. So that's where the attackers could set up a sense of trust that the information is just going internally, and that's outside the company. And that could work with source code or with proprietary information that's FTP'd internally and then moved out by somebody that doesn't realize the value of that information. So thanks, I hope that was a little bit...

All right, well, we have to go now because we ran over our time. But if you guys have any questions, we'll be walking around for a while, or we're gonna go step out right over there. So if you guys have any questions, you can go through the double doors over there; I'll go through the double doors over there and we'll be standing out there. We can answer whatever questions you have. I think the other speaker wants to come up here, but I don't know. I think we should continue for the speech. Thanks for sticking it out, everyone.