Okay, now are we ready? Without further ado, let us announce our first speakers for the night. So Sine, she is, did I say that right? Sine. Sine, thank you. I thought I was saying that wrong back there. So InfoSec analyst for Trace Security. She's got a Bachelor's of Science and she's working on her Master's of Cybersecurity right now. Actually just graduated on Sunday. Did you really? Congratulations! Yeah! Yeah! Nice! Wow! Congratulations. Well, this is your thank, this is your congratulatory gift right here. I've actually been celebrating this weekend because I've been so busy prepping for DEF CON. I haven't had a chance to celebrate. Wow! Oh, that's kind of cool. Well, don't say anything mean to her because she knows Krav Maga and she loves pizza, so she'll beat you up with a pizza, okay? Her partner over here, Bethany, Bachelor's of Science, also works for Trace Security as an InfoSec analyst, and she's an average supporter of STEM and geeks out on superheroes all the time. So we're gonna really enjoy this talk. Human hacking. And power posing, you guys been doing it? Human hacking, you are the weakest link. Welcome, Sine and Bethany. Sine and Bethany. Well, hi guys, sorry about that. But now we're here, we're all set up. This is Human Hacking, you are the weakest link. This is our second time doing a talk about this topic and this is our first time speaking at DEF CON. It's actually Bethany's first time ever at DEF CON, so, so welcome. All right. And sorry, I'm a technical black hole, so that's why everything breaks around me, that's one of the reasons I'm good at my job. All right, so you all came to a technical conference and yet you're here and I think about social interaction. And a lot of people find social interaction isn't technical, you know, it's not nearly as cool as circumventing a firewall or putting malware on a computer. 
But then again, you think that a couple months ago, a $1 billion credit union allowed me to walk in, sit at one of their empty cubicles, plug into their network, and do whatever I wanted unsupervised all while I was there under completely false pretenses. Happens to us a lot, actually. Yeah. And so that is an awesome way to circumvent a firewall because they just let you in. So we're going to go ahead and talk about some of the science and psychology and the technical stuff behind social engineering and how you can hack the brain, including your own, in order to break into banks in such a way that they'll smile and thank you on the way out. And when you show up the next day as an actual analyst, they'll go, oh hey, I didn't know you were coming back. Was there a problem with our inspection? So here's a little bit about me, like Chris was saying. I have a Bachelor of Science in History and Anthropology, which actually comes, it's a little important point. I'm an information security analyst right now with Trace Security. We do a lot of pen testing, social engineering obviously, audits, risk assessments, and security assessments. I graduated from Florida A&M University, if any of you know what that is. And then I got a job as a teller for a few months at a credit union to pay for grad school in anthropology. And then the systems administrator was like, hey, you know how to install Windows, right? Do you want my job? That's totally all you need. Yeah. So I did two years as a systems admin and got a job at Trace where I've been for the last two years. I fell in love with the industry. So like I said, I graduated on Sunday with my master's in cybersecurity. And in two weeks, I start another master's program in digital forensics because I want to catch pedophiles and human traffickers eventually. So life goal. Like Chris said, I'm Bethany Ward. I actually started off completely in the liberal arts. I wanted to be a novelist. 
So I was an English linguistics major before I decided that I actually wanted to eat at some point in my life and maybe pay off a mortgage. So I bounced. I went to the University of Arkansas and got a CS and cybersecurity. While I was there, I took an RFID security class, which we actually had a guy come in from Walmart that talked about computer forensics. And basically every time an employee messed up, he got their computer and got to wade through it. I was like, that sounds like the coolest job I've ever heard of. So I applied at Trace Security and they were like, do you want to break into banks? And I'm like, I would love to break into a bank. So I've been doing that for a year and a half. And Sine keeps trying to get me into master's programs because she's a terrible person. I panicked and I realized that I've never been out of school since I was like three years old. So I can't do it. And while I've been at Trace Security, I've completed over 70 social engineering engagements, everything from phishing to vishing to walking right in the front door. So why is that important? Because who we are determines not only what the best pretext is gonna be, but how other humans are gonna react to us. Before you know the target, you gotta know yourself. So the best possible way to trick people into believing you is to tell most of the truth. So anthropology, if y'all don't know what that is, it's the study of human beings. So how is that useful in social engineering, you know? Studying the physical and cultural traits of humans throughout history really, really, really helps out in social engineering. Like physical anthropology addresses some character traits, like how your face changes color to indicate your mood and little facial tics that you can't really control. And cultural anthropology addresses gender roles, social status and stuff like that's really, really important when you think about it. 
And on the other side of things, the liberal arts have actually really helped me in this. I need to know how to create exactly the right phrase, create good looking, actually graphic design is great because making forms, logos that look legit. And then I was actually a drama kid in high school. And one of the best things that ever happened to me with social engineering was being an improv kid. If you're really serious about social engineering, I would really suggest getting into improv because it will teach you how to roll with the punches, train yourself to react in the perfect way so that you keep the conversation going and you don't break your character. So social engineering has been around since the actual Trojan horse thing where they brought a giant horse into I think it was Troy and said, hey guys, this is totally legit. I promise there's not a horse full of soldiers and it's not actually weird that we're giving you a giant horse statue at all. It's not like we're enemies or anything. Right, peace offering. So if it's been around for so long, why are we still falling for it? Stereotypes, we're gonna cover that a lot and talk about how it's important to play against them or play to them. And they're more important than you think and they're actually really prominent in the industry. I'll talk about that a little bit later. But stereotypically, women like us, like we were saying earlier, we don't have man jobs like information security analyst or hacker or any of that stuff. We usually are seen with girl jobs like secretary or salesperson and I can't even tell you how many times either of us have gotten calls from our clients directly saying, hey, sales lady, I wanna buy a new thing. And I'm like, I don't know any of this stuff. Aren't you the account manager? Don't you have schedule stuff? Nope, nope, I hack your network. 
So because of that deep-rooted evolutionary trait that makes women seem more non-threatening than males, it's actually helped us out quite a bit. And also science because there's really nothing that we can do to protect humans from being their dumb human selves. So let's exploit it. Human nature calls for human beings to be helpful and trustworthy by nature. And even if they don't wanna be immediately trusting, they actually want to see how things are gonna play out because they're curious beasts and they'll just be like, oh, I wonder if they're gonna get in trouble. Let me let them through. How many people push on the brake when you're going by an accident? Yeah, it's the exact same principle. Can't stop looking at a train wreck. It's kind of us as humans. But social engineers go a little bit further and give human beings a reason to trust them, like having confidence or looking legitimate. Even if you have no clue what you're doing, confidence really helps. Kind of don't really know what we're talking about. So let's break them. Fake it till you make it. Yeah, fake it till you make it. All right. So one of the first things we're gonna talk about is kind of what I feel is like the dirty truth of social engineering that people kind of skip over and don't talk about because, well, it's an uncomfortable subject. Can be offensive and it might hurt people's feelings and no one wants to do that. So everybody's a little bit racist and a little bit sexist and ableist and homophobic and any other thing. Ageist is huge. Everyone's like, are you sure you work for an insurance company? You look like you're 12. I have a 401k, step off. And it is all of us. I mean, it doesn't matter where you go and it is not just white against black, anything like that. Actually had a coworker who was from Mexico and he went to Hawaii to do a social engineering. No, they had been pretty tough. We hadn't gotten into them. 
He went in, walked straight in, every single one came out and nobody stopped him. He hit four branches, I think, in one day. Nobody was any wiser. And he thought that the manager was just trying to play it off and not take responsibility for the fact that his people had gotten hacked, but he actually had a point because he looked at him and said, you look native, everybody trusted you because he looked exactly like he belonged, unlike everybody else who had come before. And that's a huge thing we'll go into continuing on. And it's actually natural. Stereotypes and patterning, we'll talk about in just a sec. And like me, if I go in as a network technician people are like, are you sure you're a network technician? You're a girl. I'm Asian, they're like, oh okay. Yeah, I get it now. Anytime I need to add anything. So, stop making me laugh, y'all. So like I said earlier, stereotypes are a huge part of this industry. Like, you may not even consider it but think about it. Like, just think, picture in your head what the non-industry people think hackers look like. Just briefly for a minute because it probably looks like almost everybody in the room because y'all look the same to me right now. Racist. Sorry, I told you, everybody's a little bit racist. I'm just saying. But they probably look all like that. You know, young-ish, socially awkward, mostly white males. They're kind of branching out into other races but still like females aren't usually depicted as hackers. We finally got one in Marvel's Agents of S.H.I.E.L.D. with Skye, thank goodness. So, you know, we're moving on up in the world but like I said earlier, people who have known me longer than I care to admit have no, they just can't believe that I do what I do. I mean, even my boyfriend is like, what is that? He watched a CTF that we were doing at NolaCon and he's like, I don't understand how you know this stuff. You're a girl. And so I just kind of exist and then people are like, what is grep? What is sudo? 
And I'm like, yeah, I know those words. I got this, speaking in tongues, right? I actually had one client tell me that I failed as a social engineer because I picked a terrible ruse as a network contractor because AT&T doesn't hire girls, is what he told me. So that was cool, thanks buddy. But it's subconscious and it can't really be helped so it's important information to have because if you're like me and you're a female that's not like the stereotypical hacker female, you can use that to your advantage, but if you're not then you can also use that to your advantage to play around the stereotypes and maybe, you know, groom yourself a little bit different or carry yourself a little different, which we'll also talk about in a little bit too. Which like I said, it's natural. It's part of the human brain. Basically it's an evolutionary trait that helped us survive in the wild. Humans' brains are made to recognize patterns. So we recognize patterns depending on our culture, upbringing, our life experiences. So depending on who you are, depends on what your biases are gonna be and you're gonna group people in a certain way in order to make snap judgments so that if you're in a dangerous situation you can know where's safe to go and where's not. This was something that was brought up in the Little Albert experiment which I'm going to explain because Sine looked at me this morning and was like, what was that? It's one of the most famous psychological experiments that was done basically in the 1920s. John Watson and his assistant took a little boy, filmed him with a rat, several other fuzzy objects. He was perfectly fine with the rat, nothing wrong. Then they came up behind him and every time he touched the rat they slammed a gong behind his head. So they classically conditioned him to be terrified of everything fuzzy, including Santa's beard. It's the exact same thing. 
If basically you have negative experiences or positive experiences with one group of people, you're gonna look at that group of people and instantly think that, oh, they're gonna act like this. This is what girls are like. This is what boys are like. This is what white people are like. And now this isn't any excuse to be an ass because we're human beings and we're supposed to rise above animal instincts. Yeah. But you have to realize that they're there in every person and look at yourself before you look at your target and know what people are going to think when they see you. When they look at me, I'm a white girl, kind of chubby, whatnot. I'm very non-threatening. So they're gonna see that and be less likely to be scared of me than they are like Chris who's really tall or a black guy that walks in. They're instantly gonna be more suspicious of him because, well, he's not an innocent little white girl who couldn't do anything, right? Like I said, I look like I'm 12, so people just think I'm not supposed to be there anyway because I'm a child. She grabbed mom's ID card and ran. I even have people, like some clients are like, this is Sine, is your mother home? No, that's me, thanks. And so it all starts with you, like I said. You're gonna be more convincing to others if you convince yourself and you gotta convince yourself of a cover story that makes sense for you. Like I normally show up as a disability inspector. That's because in college I did, I worked in a disabilities office, I know a lot about ADA, and so that's something I can BS really easily. You wanna pick something from your background that you know a lot about. If you know a lot about hardware and technical stuff, go as a network technician, but also think about it. 
Even if you know a ton about insurance and you're a giant guy with a bunch of tattoos and big hairy beard, whatnot, you're not gonna fit the profile that people are gonna think of when they think it's insurance agent because they're gonna think clean cut, suit, nothing out of the ordinary. And this is really important because the instant you flip one switch that tells them that something is unusual, that's gonna make it easier for them to go, oh hey, that's a chick network admin. Oh hey, she's asking weird things. It starts them down that pattern of recognizing that you're doing something you shouldn't be. The shields go up, guys. Yeah. That's what that is. And even still, I know a lot about hardware because I like to build computers. It's a lot of fun. It's like Legos, but like productive. Legos are productive. Well, I mean, you can play video games on a computer and not a Lego. So, I mean. What's your imagination? My cover story is usually an insurance inspector because of my experience at the credit union. I know what to look for and I have a really fancy checklist of things that I need to be looking for that won't raise any flags. I wish I could go as a network technician, but those stereotypes are killer, man. So, two. All right. One of the big things is balance. You don't wanna go too far in any direction. I mean, you don't wanna show up exactly as yourself and be like, hey, I'm here to break into your bank. Let me in. I feel like you could do that though. Like, I feel like people would let you do that. Quite possibly. Hey, I'm totally supposed to break in here. So, we cool? But at the same time, you've gotta bring in enough of yourself. You don't want to put too many details in. Like, you don't wanna make up like a completely fake name and a fake family and, you know, all of a sudden you have to remember what grade your fake child is in. It's not gonna work. You're gonna freeze up. 
You're gonna forget your own cover story and they're gonna catch you because you're gonna be inconsistent. So, what you need to do is bring in parts of your own life, either your experience or heck, talking about your own dog, your own child, your own wife. So, that will give you some credibility where you might not have it otherwise. Like, we both have anxiety so we totally work that into our pretext. I'm like, oh yeah, I'm twitchy because I have anxiety, sorry. I just don't like people. It works. And it's true. And then they kind of feel sympathetic for you because like, oh, look at this poor nerd. Oh. I need to help her out. Oh, she's so sad. I don't know how to act around humans. Yeah. And same thing with props. Don't bring a ton of props that you're not gonna need. I mean, if you're a construction worker and you walk in with a chainsaw, they're gonna be like, we don't really need that. But, you know, a clipboard, if you're an inspector, people love clipboards. Yeah, I don't love clipboards. Get anywhere with a clipboard or a coffee mug or just walk around looking lost and just be like, no, it's cool. Got a clipboard. Yeah. Clothing, make sure your clothing fits your pretext and make sure it fits you too. Like, make sure that, you know, it's not obvious that you're wearing a costume or that if you're coming in as... I looked a bit funny the first time I was in as a network tech. I mean, besides the fact that, you know, I was dressed all in khaki and whatnot, it was all brand new. Yeah, wash your clothes first. Wash your clothes first. Roll around in the dirt some. If you're gonna come in as a painter, like, let your kids throw paint on you. It'll be a great bonding experience. Construction worker, run over your clothes. That works really well. And grooming, grooming too. 
This is not just for women, though it's almost easier for women because we can change the level of our makeup to say, okay, I'm professional or I am, if I have no makeup on at all, you know, I'm kind of a butch network tech. I almost never look like this. Bethany always has makeup on, but I just kind of roll out of bed. I don't usually brush my hair and I have glasses that I always wear, so look at me looking presentable, what's up? We're very proud of her. But, same thing. Trim up your beard if you're a guy. You know, cover up tattoos if you're gonna do a really professional pretext. And, you know, just look the part without looking like you're in a costume. This is something that, I know Chris yesterday was talking a lot about practice on your family and your friends. Go up to him and be like, do I look weird? And if they do the, no, you totally look weird. No, you look great. That's what my grandma does. She never tells me the truth. Yeah. All right. Another fun thing is color psychology. This actually came up with me really recently because I was playing Disney Infinity, rest in peace, Disney Infinity. We will love you. But, I'm playing the Star Wars one and I'm driving around in an X-Wing and green lasers keep shooting by me. And I'm like, oh, that's cool. It's my buds, you know. It's friendly fire until it hit me. I'm like, wait a second. Why did the green lasers hit me? And then I started firing my own guns and realized that mine were red. I was so attuned to thinking that the good guys were green and that the bad guys would have red that I kind of died horribly because of color psychology. And this is something you can use in your clothing. Basically, it's got that subconscious impact. As you can see up here, not very well, but every color kind of has a correlation. Now, this depends on culture a lot. So, if you're going out of the US, this might not mean the same thing. You know, red is passionate, you know, angry. Blue is very professional. 
Brown is down to earth. Purple's my favorite. It's very regal, so I usually wear purple and I'm like, what's up? Queen B right here. And it can affect how people approach you. It's something you don't wanna go monochrome unless you're trying to be the UPS guy because you're gonna look kind of weird. Like a box. Like a box, but choose complementary colors or just, you know, if you're wearing like a black suit, put a nice purple or a nice blue shirt underneath it or even your tie. And it can help relax people and make them look at you and say, oh, he's not so bad. I mean, he's all in blue. He can't be doing anything bad. Blue is a professional color. He's probably legit. That's why he's wearing red, so she's shady. So with all of these personal modifications, we have one goal, get your target to trust you so they'll comply with whatever you're saying. So humans are more inclined to trust a stranger unless given a reason not to, so get them to trust you. First impressions are incredibly important. I'm sure you've heard that a million times in like interview tips or, you know, first day on the job tips, but this is also really important for social engineering. Give them a reason to trust you. Have a solid handshake, sit up straight. You know, all those normal first impression tips that you have, you know, but. Fake all that confidence. Yes, fake the confidence. And there's another thing about first impressions that people may not have given you advice about. Has anyone given you advice about your face? Cause that's really important too. So before even seeing the way that you sit or the way that you have a handshake, people see your face first, so it's really important when you're trying to make a first impression to have your face under control. So during my research in anthropology, I did a lot of facial structure, physical character traits type of research, and I found this study, which I actually use a lot when I'm going and using in my pretext. 
So new scientists found that the facial structure that you have gives someone an idea of your personality before you even say anything. So people who have baby faces, I'm sure you've heard that. They have like chubby cheeks usually, look really innocent, and those people do really good in things that call for baby faces, but they do really bad in like masculine fields like the military or stuff like that. So women with a soft face, which is most women, they're usually more successful in healthcare or teaching because they look extremely more maternal. And unfortunately for some of us, this does include attractiveness. Most people assume that attractive people, that's usually symmetrical, people that have a symmetric face, that they're more confident, more outgoing, and just generally more socially in tune with everybody else. So they usually get away with a lot more. That's why a lot of CEOs and presidents and things like that, they're usually a bit more attractive because they've worked their way up with their face usually. Have you seen the Canadian prime minister lately? Oh my God, he's gorgeous. Oh. I'm sorry. And apparently like he just like jumped out at some family recently out of a cave and was like, hey, hey guys, we're just meeting my family being really happy about life right now. I'm like, what does this guy even do with his life? I love it. I love him. I love following him. Stalker. I'm a social engineer. Okay, this is for work. I promise. Another study done by none other than Charles Darwin himself found that the way that you frequently shape your face actually shapes the way that your face is. So if you, like my mom always said, don't scrunch up your face, it'll get stuck like that. That's actually something that Charles Darwin found to be pretty relevant. Like if you smile a lot, you'll look naturally happy because you'll have smile lines that are kind of built in your face because those muscles have been worked out a lot. 
So that's usually why I'm so happy, I smile a lot. I like some of us that have an RGB. Yeah. But if you know that your face looks untrustworthy, like look seriously at yourself in the mirror. You can socially engineer your face to look more trustworthy. You can upturn your mouth a little bit more, train yourself to have raised eyebrows instead of looking like really mad all the time. And just look, just go in looking more happy and people tend to trust happy people for some reason. It's friendliness. All right, and then, this is my favorite slide. More about your face. All right, you've got micro expressions and you have macro expressions. Micro expressions are really hard to control because they're your instant reaction. Something that is really hard to control unless you practice it a whole lot. Actually, one of the reasons I love improv because you have to react appropriately to whatever weird thing that your partner just said. And so that's something that's gonna take a while. But macro expressions are a lot easier and you can practice them more by yourself. And this is things like making sure that the smile goes to your eyes, that you're not doing the baring your teeth. That guy's face. Yeah. Yeah, that's great, marketing, cool. Especially if you're going up against women because it has been scientifically proven that women are better at reading facial expressions than men are, stereotypically. And so that's one thing that you have to control very carefully because they're gonna pick up on cues that you might not even know that you're giving out. I have a really bad time with that because I have a really expressive face. So if somebody tells me something gross, I'm like, oh no, that's fine. Yeah. That's why all of her selfies are. Yeah, like literally if you look at my Instagram, all of my selfies are. And her boyfriend's in the background like, I deal with this all day. I swear he hates me. All day. All right. And it goes into body language too. 
Communication is 55% body language. And so basically half of everything you say, it doesn't matter. What matters is how you're standing, how your hands are. It's one of the reasons we tell people we have anxiety because I'm always twitchy and touchy with you. I'm weird, you know, whatnot. It gives them a reason that they can associate all of those weird tics to so that they're less likely to think that, oh, that person's up to something shady because they're nervous. They're like, oh no, that poor child. She's just, she's scared of everything. We need to help her. And it's your posture. You know, if you want, if you want to invoke sympathy, you know, kind of look down, look sad, whatnot. To make eye contact. Yeah. If you want to be confident. Power pose. We were doing earlier. Shoulders straight up, looking straight in the eye. I feel very confident about everything I'm saying. You will totally believe me. I totally know what I'm doing here. I am not scared out of my wits. Our last talk that we did at NolaCon in New Orleans was called, I promise I'm legit. So that's exactly what that is. I promise I'm legit. What's up guys? How you doing? And the more you practice it, the more you will actually feel that way. The whole faking it until you make it actually does work. Pretend that you're totally confident and know what you're doing. And eventually you kind of will. If we hadn't talked twice before this talk, I probably would have vomited before getting on stage. I actually don't like public speaking at all. So, should I remind you of that? Watch your hands. Your hands can tell a lot about yourself, especially if you talk with them. I know I tend to do that. Or if you twitch with them. But you can also bring it in. If you're doing this, it's indecision. If you're like that, anxiety, insecurity, and touching your nose, anything like that. Rubbing your eyes means you're kind of bored. You're kind of sleepy. Touching your face, I mean, I know y'all have seen this. 
This is contemplative. Don't ever do this. I walked past a jewelry guy doing that and I was like, he needs to play the next super villain. He looks great. He had like a goatee too and everything. Like you totally fit the part. Yeah. And crossing your arms, doing things like that. No, you're gonna block yourself off. And people are gonna see that and be like, okay, something's up with that person cause they don't look so good. So another thing with body language is mirroring. And this is actually covered pretty heavily in a lot of neuro-linguistic programming books and a lot of books on social engineering that may or may not have been written by Hadnagy that I didn't take this out of, just saying. Actually like pretty much memorized that book. By the way, his lawyer needs to speak with us after this. So. Oh, great. Cool. So if you can't pull off the whole damsel in distress, please help me, I'm so confused right now. Mirroring actually works really well to subconsciously gain trust. If you look at these guys up here, they're all mirroring each other, but they're not doing it exactly what each other's doing. Not all of them have their hands at their face like this or like this, but they're all touching their face. It's mirroring and it's subconscious and a lot of people actually do it without noticing. But if you do notice that you're not doing it, it's actually a really cool Jedi mind trick to watch in action. Cause some people, like if you're doing it on purpose and your target is not knowing that they're mirroring you then you can see them doing the same things. I always push my glasses up. It's kind of like a nervous habit that I have and I've had a lot of clients that do the same thing and they don't even have glasses. So it's actually really cool. But yeah, so you can mirror body language and you can mirror speech and people want to like people that are like themselves. Yes, I nailed that. So mirroring gives them kind of that I'm just like you, like me. 
And you can do it with body language and you can do it with speech also. And I pick it up. Both of us actually do it regularly. We met some really cool Australians this week. Shout out to you guys. I see you. I see you people there. And we've been trying not to call people mate. And yeah. I don't apologize and be like, I'm not mocking you. I apologize ahead of time. We're not mocking you. It's just mirroring and we do it without even thinking. Except now that we know you so we're totally gonna mock you. That's different. Right. So usually in vishing, I do this a lot. It's one of the easiest things to do while vishing. If like a perky girl answers the phone and is like, thank you for calling the credit union. My name's Ashley. How can I help you? Hi Ashley. My name's Brittany. How's it going? What's up guys? So mirroring the tone. I'm so not perky either but I pull off perky girl pretty well. Mirroring the tone actually works really well. Subtle accents like when I marathon Doctor Who, which I may or may not have done like 12 times already, I'll start to talk with a little hint of a British accent because that's how I was. That's the first accent that I had when I was growing up also. So I pick it up really easy. And if someone's suspicious or upset with you, picking up a British accent also will help calm them down for some reason. British people are usually like, people think that they're more trustworthy and smarter and I don't understand why but it works. Very true. But like it could work with word choice too. Like if someone uses okey-dokey frequently you don't want to like match it exactly but you can say alrighty, or if they say like great you can be perfect. Subtle, subtle word matches will get them to trust you pretty well but don't do it if you're unsure of yourself without practicing first. Yeah, cause a bad accent is gonna be even worse. Don't be that guy in college that was trying to convince everyone he was British for like freshman year. 
I have a coworker that does that. He likes to pretend he's British and Australian, and it's like, sweetie, no, stop. Please, we know. But it's really easy to try really hard to convince somebody that you know what you're doing when you really don't. All right. So getting more into the English, the technical. Getting into wordsmithing. Questions are extremely important, and I'm sure if you were here during the CTF, the questions that they asked were extremely important, and so was how they asked them. It's not just fiction, even though it's something that they teach you in creative writing in order to keep your dialogue flowing: how to ask questions that aren't yes-or-no questions. You want questions that'll give you information back. So instead of doing something like, "Do you like John Johnson?" "Yes." Yes. That gives you absolutely nothing except, okay, they don't hate this dude. But "How do you feel about John Johnson?" All of a sudden they have to come up with some sort of vocabulary: oh, he's cute, or he's kind of a jerk. I'd still answer yes. That's gonna give you a lot more information and give you a segue into finding out more, because then you can ask questions like, oh, what does he look like? Oh, what does he sound like? What does he wear? What is it about his pants that you don't like? Leading questions are very similar. Instead of saying, "Did Jim say anything about my visit?" which again could be yes or no, "Were you able to read the email that Jim sent out about our meeting?" That means I know Jim, I have a meeting with him, and by the way, it's important, so you'd better get Jim on the line right now. Assumptive questions are assuming that the information you have is right. This can work really well if you have an educated guess, and it can give you a lot of credibility, because if you go up and you're like, okay, there are only so many core financial processors in the world, so if you call up a credit union and say, "You guys use Fiserv, right?"
They're either gonna answer yes, and oh, you look like a knowledgeable consultant because you know what their security vendor is, or they're gonna be, "No, we use SecureWorks. Duh." Duh. And all of a sudden you have more information than you had before. But you have to be very careful about these and not just barrage somebody with questions. You have to be careful because it'll instantly flag somebody if it just sounds like you don't know what you're doing. If you're making a whole bunch of assumptions that are completely off, like, "Oh yeah, your vice president is named Don, right?" "No, his name is Joe." You're gonna look really sketchy. But if you can slip one in when you've already got some rapport going, it can give you very valuable information. And imply helpfulness. Imply that by them giving you the information, giving you the answer, it's gonna make their lives easier. For the love of Christopher Hadnagy, please do not say, "What is your password?" It does not work very well. No, you wanna say something like, "Can you verify the password on your account so I can make sure I'm speaking to the right person?" Okay, then you're helping them. You are verifying that they are who they should be. And that means that you're being secure and they're doing their job well. And it also goes with how you speak in general. There's a technique called positive confirmation, which is basically just making a strong and assertive statement. Instead of asking, "Is the CEO in today?" you say something like, "I'm here for my appointment with the CEO." That assumes that the CEO is in and that you're here to see him. And it's the same sort of thing as the leading questions, except in this, you're not asking a question at all. You're kind of giving a command, but in a very positive way. You're not saying, "Okay, take me to the CEO right now." You're asserting your dominance, but very nicely. Yeah. Instead you're like, "I need to come see the CEO, which way's his office?" Much calmer.
A lot of women are actually very good at this when guys come up to you at the bar. And doing a very calm, you know, "Oh, yeah, it's nice to meet you. That's cool. I'm sorry, I have to go to the restroom. I'll be back." Without... "I was just about to leave." Yeah. So without hurting their feelings, without, you know, making them angry, you can escape. It's the same sort of thing when you're trying to get into a place too. You don't want them to go, "Oh, this guy's a jerk. Keeps pushing me into letting him in and whatnot." No: "Oh, this is a nice person who, you know, is just having to get their employee ID. I should really help them." It comes up in gender a lot. John Locke, in his book Duels and Duets, mentioned how with guys, they do dueling. With words. With words. Not with swords. Not with swords, not always with fists, sometimes. Basically this is, if you're around two really good guy friends, they're gonna pick on each other like nothing else. They're gonna make fun of each other forever. And whenever I'm at work and surrounded by a ton of guys, I end up dueling a lot more. I end up making fun of things like, "Hey, you got a sunburn on your nose. Rudolph was a red-nosed reindeer." "Nice pants, loser." Yeah. Well, girls tend to duel, or duet, sorry. A lot of times when guys listen to women speak, they think that women interrupt each other a lot. And no, what it is, is, you know, if you're saying, "Oh, I had a really bad day, you know, my car broke down." "Oh, that happened to me last week. That was terrible." You're actually making the same connection and giving the other person the confidence that you understand what they're going through and encouraging them to tell you more, because you're giving a part of yourself in the conversation. And so depending on who you're speaking to and their style, which isn't always tied to gender, it can give you a lot of rapport. I use it a lot when I go to credit unions because I did work as a teller before.
So if I need to talk to a teller or someone that works at the credit union, I'm like, "I know, it sucks. Balancing the drawer really sucks. I was a teller too." And it usually builds an instant rapport with people. All right, guys, it's my favorite. It's anthropology time. Anthropology time. So one of those deep-rooted evolutionary traits that we inherited from our ancestors a long time ago is trusting locals. I really don't understand it. I guess it's because you know that this person is from around you, so you may run into them another time, so you wanna make sure that everything is cordial. You don't wanna piss off your neighbors, kind of thing. So everyone likes to trust each other. I'm from the Midwest slash South, so a lot of my accents and dialects are confused, so I have a hard time trying to regionalize myself to different areas. So I actually watch a lot of news, because they have non-regional diction, and you can make sure that your dialect, your accent and everything is non-regional. Sometimes, if you can do accents really well, accents really help. But bad accents can be pretty sketchy. We also have regional terms for things. Like, I grew up calling soda "pop," and when I moved to Florida, people got really mad and started making fun of me and were like, "What is pop?" I'm like, "Soda, it's soda, I promise." Or a lot of places call all soda "Coke," which is weird, like, it's not all Coke. I don't want it, I want a Mountain Dew. Yeah, I know, it's like random places just call everything Coke. And it's like, "Give me a Coke." And they're like, "Okay, here's your Sprite." I'm like, "Oh, all right." So that's really important, and also pronunciation. So we're from Louisiana, and there's a lot of crazy city names and crazy town names like this. They are not pronounced how they're supposed to be pronounced, which is actually really upsetting. Natchitoches. That is "Nack-a-tish." That first one is called "Nack-a-tish." The second one is Bossier City and the third one is Houma.
So if you can't pronounce those the correct way, you're immediately flagged as an outsider. And these are actually real cities. So if you can't pronounce them the right way, try to avoid it. They seem pretty minor, but the wrong pronunciation of a town name can immediately set off one of those flags. Otherwise, ask somebody at the grocery store on your way and be like, "How do you pronounce this? Sorry, I'm not from around here." Just make sure it's far away from your organization so you don't see them again. Yeah. Usually I say I'm going to college here, and that really helps out, especially because people want to be really helpful to the newcomers, which is cool too. So what if you get denied? You want to plan ahead for this. Think of all the possible denials that you can possibly face and make a plan for each one. You know, don't make a script, because scripting is kind of a bad thing. It makes it seem practiced and you seem really sketchy, but you want to have a plan, like a general plan for what happens if you get denied. You can also plan sympathy, especially with women and older women. They love being sympathetic towards people. You'd be like, "Are you sure? I really have to get this done, and I have five more sites to go to, and I'm leaving tomorrow, and I just don't have the time to come back or wait for approval. Can you please just let me through?" People tend to be okay with that kind of stuff. And they want to help you out. Everybody wants to be nice and help this poor person out, because maybe that means that their inspection is going to be a little nicer and they won't get in trouble with their boss. Mitnick feigned indifference a lot to get someone to change their mind. Not like, "Whatever, I don't care," at the door, because obviously that doesn't get you what you want, but like, "Okay, that's fine. I'm just here to do my job, no worries." And then people were like, oh, you don't really care about this.
So you're obviously not trying to do this for anything bad, you know? You're not a threat. And that's exactly what you don't want to be. What this whole talk is really about is not showing up as a threat to your target. Right. And then if all else fails, move on, because you're probably doing this for an audit, right? So they passed. So just write it down, get out of there, or they might call the cops on you if you try to push too hard. So, you know. They'll lock you in a closet, apparently. Yeah. So what are we taking away from this talk? You want to build rapport, get people to trust you, be genuine. Being genuine actually helps a lot. People love trusting genuine people. And make things about them and not you. You know, just ask people about things on their desk, ask people how their day is going, don't talk about yourself, and people like that. They like talking about themselves, pretty much. Yeah, give just enough that you don't look creepy, like, "I refuse to talk about anything." Right. "You can't know about my dog." Right. "That might be my password." No. You're gonna be like, "Oh yeah, I have a dog too. What's your dog's name again? You might see them at the dog park." They're gonna be like, "Sure, here's my dog's information." And one of the most common mistakes that you can make while social engineering is overthinking. I do it all the time in real life, so I try really hard not to do it in social engineering, but it's hard. But you can potentially misread body language or come off as rehearsed, and, you know, don't jump down somebody's throat just because their hands are on their hips. They're not being confrontational. You know, maybe they just stand like that. Or maybe they just need a power pose, you know? Right. Or if their arms are crossed, they're not hiding anything, they're just cold. And keep balance in mind when you're working on your pretext beforehand: don't overdo the props, don't overdo the lies, just kind of make everything seem legit.
The truth is the most useful thing that you can use. If you can use as much truth as possible in your pretext, then you'll probably be successful. And then you combine it all for success. If you put it all together, social engineering is a lot of fun, and it can actually be technical, especially if you use all these mind hacks that we've been talking about and that Chris was talking about yesterday. Jedi mind tricks are really fun. And, you know, wordsmithing is a lot like programming, and trying to talk your way through a person is a lot like trying to bypass a firewall. So you can think about it in a technical way too. All right. All right. If you have any questions or anything, you can email us at talks@tracesecurity.com or come find us. We'll be around DEF CON, so take care.