All right, we got Marcus Leota here, 13-year systems engineer and technology veteran, uh, psychology and social engineering have been, hey guys, hello? Hey, how's it going? All right, good, great, thank you, appreciate it. Well, glad you're all here. Uh, we're going to keep things moving, so let's try to keep quiet so that everybody has a chance to listen. We're going to pay attention now to Marcus Leota. Again, he's a 13-year systems engineer and technology veteran; psychology and social engineering have been long-time interests of his, primarily to understand how the human mind functions. He also published fictional works which employ both, uh, and enjoys both writing and graphic design. Let's give him our attention. He's got the theme, leveraging the insider threat, oh, and how to be awesome.

Thank you. Feels good to be here. I'm glad that, uh, all of you could show up. Uh, should be fun. So first thing I need to clarify though is that, to be awesome, not everybody can do that. Sometimes some people do suck, unfortunately, but you can teach people how to believe you are awesome. And that's important because you can then gain, uh, motivational value, confidence in yourself, and you can do things like get up on stage at SE Village, for example, and speak. So that, I'd say that's pretty cool.

Uh, but first let's go ahead and talk about some, uh, some overall statistics with the technology field that's, uh, been in play the last couple of years. The first thing that we should consider is that we have, uh, a wide range of increased threats from 2016 to 2017, and then also to 2018. Uh, first thing that we'll want to consider is that there's a lot more ransomware that's been happening, uh, specifically targeting, uh, enterprises, businesses, so forth. Uh, the biggest thing that's on this specific map right here is that 55% of email is considered spam now. Now that's a lot of phishing email, that's a lot of advertisements, that's a lot of just stuff nobody wants.
That's on corporate gateways. We also have, uh, 80% more attacks on macOS during that period of 2016 to 2017, and there's 600% more attacks on IoT-based devices. Now if you keep in mind that 2016 to 2017 area, that's around the time where a lot of IoT devices, Raspberry Pis, refrigerators that have your, um, your input remotely on how to cool or heat, etc., then that makes a lot of sense.

With 2017 to 2018, we'll see the biggest thing is that some malicious attacks went down, which is surprising. Uh, again, this is according to Symantec. Uh, we also have an increase of attacks, ransomware specifically, on corporate gateway infrastructure, which also makes sense because that's where the money is. You know, everybody wants to get as much money as possible if that's their goal, and with malicious attackers it makes sense. Uh, the thing that surprised me the most was that 55% of email is still spam in 2018, which I, I'm just kind of shocked about. Um, we go into that a little bit further. IoT devices also had increased threats, increased attacks, um, about 80% increase from my recollection. And we also had a 1000% increase in PowerShell-based ransomware, malware-type attacks. That also makes sense because PowerShell is a very useful tool. I use it in system engineering all the time and highly recommend anybody in the technical field learn at least a little bit about PowerShell because it's just such a powerful tool. You can use it on your own machine. You can use it on your work machines if you're allowed to. I mean, it's, it's just very useful.

One in 10 emails now scanned at corporate gateways are considered malicious. That's increased from 7% just a year ago. 7,700 organizations are hit by email compromise scams every month. That's a lot of phishing. And these are only the ones that are actually being not only targeted, but they're also successfully being invaded by this attacker to get money, to get information, to get, to get whatever it is they want.
So it's very important to defend against these things. And we'll talk about that a little bit later in the presentation. Now a lot of these attacks are induced by something called spear phishing. Many people should be aware of this already. You're, you're at this DEF CON conference. So forgive my generalities. But spear phishing, if you don't know, it's the act of gathering information beforehand to specifically target individuals for whether it be information, profit, like getting a wire transfer because you're trying to be the CEO and get an accountant to do it, etc. This stuff is pretty dangerous because it's, it's all text-based manipulation. And oftentimes people do want to believe the first thing they hear unless there's a reason not to. So if your employees are not trained or users are not trained to combat this, then often they're not going to know to disobey orders or so forth. It's very important to have training sessions throughout corporate infrastructure just that way. You're not leaving anybody in the dust. These are about 71% of the current attacks that are going on against companies, spear phishing is. I'm not sure if I agree with that number, but it's, it's what the Symantec and Verizon reports indicate. And I think that they're doing a very general broad sense on that because it's going to include also automated information gathering, AI-based tactics and other resources that are more so limited, but still considered spear phishing to a degree.

So let's talk about more interesting things. On-location threats. New, current, future. We're kind of in this stage where there's a lot of, there's a lot of transference from electronic and email internet-based things to onsite threats, to human-based threats. And it's getting very weird from my experience. So one of the examples, if you go down to like Wireless Village, you'll see this first hand, is Wi-Fi replication. There's, and I'm sure that there's some throughout the conference.
I've seen some that look kind of suspicious to me, just looking at wireless signals walking around. Wi-Fi replication is essentially where somebody creates a fake Wi-Fi gateway that is the same as a legitimate one. Somebody connects to it. You try to get information off them, get credentials, get whatever. And that's a scary phenomenon that's going to keep getting worse. That's also in combination, conjunction with mobile hijacking, which is a wide variety of different things. That includes cryptojacking. That's using malware on devices to go and either steal credentials, get email information, a number of different things that you can do, personal or business based. And there are not many people who are aware that, hey, that app over there, that Flappy Bird or whatever it is, is going to steal your bank account information. So obviously very important that everybody be aware of that in your personal lives so that your friends don't lose their bank.

Drones, my most favorite, brought one with me. I haven't used it yet though. Drones, talk about this with people often. They're getting more and more advanced. So we've got Amazon talking about delivering by drone now and probably going to do it within the next year or so. Well, what else can you do with drones? Well, if you've looked online or anything at all the last couple of years, you'll see that there's people who can create malicious Wi-Fi portals, things of that nature, and hook them up on a drone. Make it mobile. So it's just essentially taking all the tools that everybody already has and adding mobility to it, which is great unless you're being hijacked by somebody using a drone.

So, NASA. Those guys right there, the rocket ships and everything. Recently, back in June, they were hacked by an IoT device being hooked up to their network.
One of their social engineers, or, one of their engineers, accidentally hooked up a Raspberry Pi to a very important piece of their network and unfortunately got compromised, then moon landing data was stolen. Apparently all of it. So I would really like to know if the moon landing was fake though. So I mean, can they like share it, whoever they are? If you see my presentation, hey, you know, I got a website, see it at the end of the show, right?

So other threats. All the threats that I've talked about so far and all the threats that we will continue to talk about throughout this presentation have one common factor, very dangerous factor. It's something that we should all know and yet it's kind of hard to divulge or diverge from the technology side and really see it. People are the main threat behind any attack because without scripting, without code that is created specifically for a purpose and action, then you're not going to have anything at all. So people obviously are the intelligence behind these attacks for now, until we have rogue AI and everybody dies. Terminator, I mean, just saying. But you know, people, so everybody that you see on the screen, everybody that you see around you are potentially a threat, which hopefully they won't be, but they can be. And one threat especially is, you know, that guy right there. I mean, in all seriousness, does he not look suspicious? He's got the hat, he's got the glasses. He's kind of looking like all hunkered over like one of you hackers down here in DEF CON. I mean, it's just very obvious to me. Or maybe I just like to pick on people because it's fun.

So what is social engineering? You're in the social engineering village. I assume that you know what it is. I'll be brief. For the people online, social engineering in a nutshell is the exploitation of people. So to get into a technology, to get into a system, to get some money, to get anything out of another person is essentially social engineering.
That's the goal of it, and it's the manipulation of people to get there. So kind of some bad stuff, right? So to continue on that, we're going to talk about some psychological manipulation tactics and whether or not they're successful, whether or not they're failures, and some interesting stuff.

So first off, let's talk about threats and abuse. Threats and abuse are generally not effective because when you threaten somebody, kind of like what Robin was saying, when you threaten somebody or when you tell them something bad about them, they don't want to cooperate. Well, why is that? Well, if I say, oh, you're going to lose your job, that person is going to be like, no, I'm not. You're just being rude. You're just being mean, you know? So kind of like the James Bond scenario, if you've ever seen a James Bond movie or like Mission Impossible, a spy movie of some sort, any time there's like a spy who's in a compromised situation and somebody's like, oh, well, you're going to die if you don't tell me something. They don't want to tell anything because, well, what's the point?

Charm tactics. These tend to be a little bit more effective because essentially what you're doing is you're joking, you're doing things to cause a better reaction from somebody else because it's something they enjoy. So, I mean, it can be something you enjoy too. And it's just a tactic that is essentially making people enjoy the company that you're in.

Mutually beneficial tactics. Mutually beneficial is like, say somebody can do a small favor and then get $10,000. That's why a lot of email scams work, or did work until it got well known that, hey, that guy, that prince, is not actually a prince and he's not going to give you a bunch of money. I know it's terrible. It's terrible. How could he lie to us like that? He was dead broke the whole time.

Reason-based tactics do not work. This is in regards to social engineering, of course.
So, reason-based tactics are things that make somebody believe that they will, if they believe they have to work for something in order to do what you're asking or to provide you something, then they're not going to do it. Because people on a very genetic level, a very base level, don't want to do things. I mean, I'm lazy. I'm sure most of you are lazy, or you can agree on certain aspects you are. And that is true for everyone in my opinion. So, when it comes down to it, telling somebody, well, if you do this, then it's going to work out this way. They don't care. They've already buzzed you off. They just don't care. Because it doesn't matter. It's going to take too much time on their effort. An example of these is threats, again, such as making somebody believe they're going to lose their job. You're just going to make them upset or angry. They're not going to want to help you. Greed is an example. I think I already said this one. Actually, the $10,000 prince or whatever. This is, okay, yeah, I already said this, sorry. Jump ahead.

So, overview of how an attack occurs, the in-progress thing. So, we've got attacks, attacker identifies a victim. The victim is researched or analyzed. Direct or indirect approach is determined by a social engineer. And then common tactics are explored. Then you get the result. If you explore too many tactics on a single person, like unfortunately some of the people in the booth had done earlier, you'll notice that those tactics start to lose any sort of gain that you could possibly get out of them. Because the person's not going to trust you. You basically have one shot with any one person, and then once it's done, they don't trust you anymore. So the whole point of social engineering is you have to build trust so that way they like you. And the point of social engineering is somebody likes you, so they want to help you. And unfortunately it just doesn't always work out.
That's why charm tactics though and mutually beneficial things are often the best, because you can break the ice, talk to somebody, and you know, it happens.

Technique overview. So there's a combination of different things used in psychological manipulation. Lying is not the sole nor the most effective option. And I don't want to say that I'm mimicking Robin, because I did not look at his presentation beforehand, but I mean it's true. You don't want to lie. I do everything I can to never lie to anybody. Because when I lie, it makes me feel bad. It makes them feel bad when they realize I've lied. Breaks relationships. If you're ever in a relationship and you lie to your partner, turns out six months later you lied about the stupidest thing like, oh, you didn't go to the store that day? You went to the baseball game or whatever? Well, yeah, that relationship is going to have a lot of trouble staying in a trust scenario. And also one thing to keep in mind is lies do not maintain over a period of time. It is very difficult to maintain a lie for any significant period. So if you're just trying to get instant gratification, instant gain from something, then maybe an attacker would make sense to lie in a phone call, so to speak, stuff like that. You're not going to know them for a longer period of time. But if you're trying to do things as an attacker and you want to have additional access at a later point, lying is only going to hurt your purpose.

Lying by omission is an example of a technique. So your dog will go ahead and not tell you, hey, I dumped over the trash and I ate some of it, so have fun with that when you get home. He's going to just wink, nod, go sleep.

Rationalization. This is the act of somebody doing something wrong or doing something to get into a location, etc., and then rationalizing it by like, oh, I'm just cleaning up. Oh, I didn't know I needed an ID card. I'm sorry, man. What can I do for you?
And they'll just try to play it off as, oh, anybody could forget this.

Guilt trip. And I apologize to the women in the audience. This is the only image I could find that actually exemplifies this. But it's essentially, you know, okay, I couldn't do my job because that report that you put on my desk, the cleaning crew put it in the trash. Thanks, I appreciate that. You know, it's this concept of it's not my fault I couldn't do something, because it's your fault.

Servant role. You'll see this in figures of authority in many cases. They're just doing their job. So whatever the reason is. This is a good way though for an attacker if they're trying to impersonate, say, a police officer to quote unquote arrest somebody who is not in fact doing anything wrong because, oh, dispatch said that we've got to take you in. You know, something of that nature. It's very simple, very minor, but it makes, since they're an authority figure, you don't want to disobey them. And then there's very little question. And it gets scary if somebody is doing stuff like that.

Bandwagon effect. Well, everybody does it. If everybody does it, then that's a justification to do it yourself. So in a business workplace scenario somebody might use, not necessarily use the bandwagon effect intentionally, but they'll justify not doing things or doing things poorly because, oh, hey, Jake over there, he did the same thing. You know? And well, that's not good enough.

So when it comes to phishing and so forth, sometimes if you don't train your users you're going to get a situation like this where, hey, IT needs your password. Weird. I already gave him my social security number and birthday. You know, something like that. I mean, poor Susan over there, she just doesn't know because she wasn't trained.

Unlocked computers. I've seen this before in past workplaces where all the computer screens are just, they're just wide open. And it's like, oh my God, what can I do with this?
So definitely the big, the big point here is lock your computer screen to prevent a security threat. Teach people at your business or in your family how to lock their computer because, you know what? Even personal computers that are non-business based have a way to lock and make it password protected. So I do this at home even if nobody's there because, hey, what if somebody broke my window and then like jumped on my computer and posted some unflattering things on Facebook. Oh wait, we don't use that anymore.

Users. If they're frantic, you don't want them to drown. You got to train them with some prevention tactics. First one is, you know, use door controls. That's one way to prevent actors from entering a workplace. Everybody pretty much uses this these days, but there are some businesses, especially smaller businesses, who don't. And that can be scary. Screen lock timeouts, as we just talked about, make sure that screens get locked one way or another and try to force it if you're in a technical position. Report suspicious persons, behaviors, activities, et cetera. To do this somebody needs to know who to contact, who to call, and when. Or they're just not going to do it. They won't know to. Be suspicious. Teach people to be suspicious. Assume that callers and emails could be fraudulent because, as we saw, 55% of email is spam. Use external flagging on email as well. So this is flagging an email that's coming in from an external source.

Recommended training, and I see my clock is running out. Teach caution when opening email attachments or links. Quarterly training should be done. Verify phone callers' identity before revealing sensitive information and so forth. It's very important to do that. Define proper reporting procedures for any user in a given corporate infrastructure.

So let's try to talk about being awesome in the few minutes I have left. What is that and how do I do that? And yes, I did make you wait until the end. Yeah. You have to be bold to be awesome.
Now that guy right there, maybe don't be evil though. Being bold is the first step because you have to have an answer. You have to be the guy who raises their hand in the room and is like, oh yeah, I know that. Because if you don't, you're just another one in the crowd.

Mirror other people's behaviors and their motions. It's important to do this if you're in a business setting, not all the time, but the more somebody sees that you're like them, the more they will like you. And then it's easy to build relationships in that way because you're going to have somebody that's like, oh, well, you know, I bet he would like jet skiing too because he does this other thing that I like, you know. An example of this is I went ahead and, back in my first corporate job experience, when I was playing with psychological manipulation, just to play around because it was just interesting to me at the time, I did some very basic experiments. One of those was the power of repeated word play. So what I would do is, I was the IT guy, I would go to people's desks, I would fix their computer and everything. I'd smile, I'd always be nice and everything because that's what you should do if you're helping somebody. And then when I was done they're like, oh, thank you so much. I was like, oh, no problem. I'm just awesome like that. And I would joke about it. 27 days later, dozens of people would just on my behalf say, oh Marcus, yeah, he's just awesome like that. Like, he just fixes everything. He's so cool. Like, I literally had dozens of people in my corporate infrastructure doing this without me saying anything. This is very important to do that.

If you don't have an answer, figure one out. Don't use Google, use DuckDuckGo because Google sucks. Don't tell, do not tell people to Google it. I may have made the same mistake Chris made earlier this morning. Test. Okay, yeah, I don't think Google likes that. I apologize, overlords. I'm so sorry.
But no, don't tell people to Google it because that's so rude. I mean, if you have a kid who has a phone and you tell them something and then they Google it in front of you because they don't trust you. I mean, it's the same thing. Don't, don't tell people to Google it. I'm going to try not to move now.

So always take, take opportunity when it's given to you. So if you're, you know, walking through the park, maybe don't make your dog bite somebody to get an answer out of them on a scripting issue. But I mean, this is a prime example of what can happen when you do.

Another thing that could be really useful is you want to leave reviews for people if you're at restaurants. This can help you out because what happens is with restaurants, say you go in, you talk to the server, you get their name, you socialize with them a little bit. You're like, oh, that's a cool tattoo or, you know, just talk about something that you think they'll have in their interaction with. Then when you leave, after you've socialized with them for a significant period of time and you have, and you have rapport, you can leave a review. I always leave five-star reviews if I want to go back to a restaurant and put their name at the top, tell them you put their name at the top, show them in front of their manager if you can, and tell their manager, hey, this guy, he was just such a good server. I loved him so much. You know, Jake was super cool. It was awesome. And then when you come back, they're going to remember you. You may not remember his name, but you put a Google review that says his name, so you're going to know to look for that name and you'll remember it. So when you first walk in you're like, oh yeah, Jake, hey, can we get a table for three or whatever? And when that happens, he's going to remember you, you do it a couple times, you're going to start getting free stuff out of it. I have gotten free sushi at a number of sushi restaurants just by doing this.
So it's, I mean, obviously I'm trying to get free sushi out of it, but it makes people feel good and it's useful. And they're going to appreciate the review too. Always be available to do stuff for your boss, for friends, for anybody. Always try to be the person that can do, get stuff done. Now, granted, if you're an IT guy digging a ditch for somebody, it doesn't make sense. It's kind of, yeah, it's kind of overboard.

And one of the last things that I'd want to put out there, because this is very important to me, I work in a service industry essentially where IT is helping users. I'm sure a lot of the people in this room probably do something very similar or they're programmers, etc. Users are not, users are not the enemy. So if a user complains, you want to not crush their rebellion if you're in IT.

And finally, teamwork. If you don't have a way to get something done yourself, ask somebody else. Rely on another resource or a person, you know, whatever. Either way, it's the same thing. And try to use your friends for what they have to offer, because everybody has something to offer. That's important to know. Everybody has an attribute that you do not have. Even if it's something stupid like, oh, they know the full number of pi up to a thousand points or something like that. I mean, hey, that could be useful if you've ever seen something like, wow, I'm drawing a blank. It was a really cool show too. They had Demogorgons in it. So, yeah, Stranger Things. There you go. But you know, this is obviously to be funny, but you don't want to cause harm to people, but it's important to rely on team members. Thank you.
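The prevention tactics in the talk include external flagging on email, tagging every message that arrives from outside the organization so a user sees the tag before acting on a "CEO needs a wire transfer" request. The following is an added example, not code from the talk or the speaker, of what that control has to get right to be useful against the spear phishing described earlier: the tag must be derived from the real sender address, not the attacker-controlled display name, and must not be stacked twice on re-delivered mail. The internal domain list (`example.com`) and the three sample messages are constructed for this example; a real deployment would do this at the mail gateway rather than in a script.

```python
# Added example (not from the talk): external-sender flagging for inbound mail,
# the control the talk lists under prevention tactics. The internal domain
# list and the sample messages below are constructed for this example.
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}   # assumption: hypothetical internal domain
EXTERNAL_TAG = "[EXTERNAL]"


def sender_domain(from_header: str) -> str:
    """Domain of the real address in a From: header, ignoring the display name.

    The display name is attacker-controlled text, so a spoof such as
    '"CEO <ceo@example.com>" <x@relay.test>' must resolve to relay.test.
    """
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""            # unparsable or empty: treated as external below
    return addr.rsplit("@", 1)[1].lower()


def is_external(from_header: str) -> bool:
    """Exact-match check; subdomains must be listed explicitly to count as internal."""
    return sender_domain(from_header) not in INTERNAL_DOMAINS


def flag_external(raw_message: str) -> str:
    """Prepend EXTERNAL_TAG to the Subject of mail from outside INTERNAL_DOMAINS.

    Returns the message unchanged if the sender is internal or the tag is
    already present (so a looped or re-delivered message is not tagged twice).
    """
    msg = message_from_string(raw_message)
    if not is_external(msg.get("From", "")):
        return raw_message
    subject = msg.get("Subject", "")
    if subject.startswith(EXTERNAL_TAG):
        return raw_message
    del msg["Subject"]       # no-op if absent; avoids replace_header's KeyError
    msg["Subject"] = f"{EXTERNAL_TAG} {subject}".rstrip()
    return msg.as_string()


def subject_after_flagging(raw_message: str) -> str:
    """The Subject a user would see after the message has passed through flagging."""
    return message_from_string(flag_external(raw_message)).get("Subject", "")


# Constructed samples (not real mail). The first one uses display-name
# spoofing: the visible name carries an internal-looking address, but the
# actual sender is an outside relay.
SPOOFED_MSG = (
    'From: "CEO Jane Doe <jane@example.com>" <mailbox@mail-relay.test>\n'
    "To: accounts@example.com\n"
    "Subject: Urgent wire transfer\n"
    "\n"
    "Please process the attached invoice today.\n"
)
INTERNAL_MSG = (
    "From: Bob <bob@example.com>\n"
    "To: alice@example.com\n"
    "Subject: Lunch?\n"
    "\n"
    "Noon?\n"
)
ALREADY_TAGGED_MSG = (
    "From: Vendor <billing@vendor.test>\n"
    "To: alice@example.com\n"
    "Subject: [EXTERNAL] Invoice 42\n"
    "\n"
    "Attached.\n"
)

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED_MSG), ("internal", INTERNAL_MSG),
                       ("tagged", ALREADY_TAGGED_MSG)]:
        print(f"{label:9s} -> {subject_after_flagging(raw)}")
```

The exact-match domain check is deliberate: a lookalike such as `example.com.attacker.test` or a sender with no parsable address both fall through to "external", which is the safe default for a control whose whole purpose is to make the user pause.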