Thanks for showing up. I mentioned hacker strip tease on Twitter and I get a good crowd. Next time I want to be offering cookies. We'll see how that works out. I do have to apologize. The good thing is I'm going to be disappointing a lot less people. The program said there was a demo. And unfortunately, as you can tell by the certifications, this is not a technical talk. So sorry about that.
But I did see, I did listen to Security Justice podcast, you know, good podcast who actually mentioned you should be doing magic tricks for social engineering. So I need a volunteer. I need to help. Who's got a challenge coin? Who here's got a challenge coin? Okay, I was trying to spot the Fed. Thank you. No, no. Just any kind of coin we'll do. Just I need a quarter. It's like a gold piece. It's like someone to help me out here. I'm already suffering enough here. Please, someone. Okay, here we go. Here we go. Great gentleman here. Everybody was digging for money. I should have said like, oh, yeah, uh-huh. That'll happen. But what I was going to say is I'm going to do this trick. I need science. I don't know this gentleman. Okay. Wait for it. My four-year-old loves this. Come on. I'm working with what I got. And it's not much. Okay, help me out here. Yeah, you'll get that back now, right? You really want that one.
So what we're going to do is since obviously we're having a little problem here, I do know another trick. Does anybody know Penn Jillette? It's like when I was doing research on the book and stuff, you know, I've actually met him doing a show at the Rio and he does this thing called predictive analysis where he actually gets a read on the crowd and then he calls someone up and he's actually able to tell them what they had for dinner last night. Like within 85, 90, because of the people, you know, geographically, you know, there's not many choices around here. Hacker conference can be easier because it's probably pizza.
But it's like, I'm going to try to do that show and I'm going to try to see what I can do and see if I can make it work. So let's start with the general read of the audience. Okay. Here, who here is married? Raise your hand. Okay. Wow. That's good. That's right for geese. Yeah. Okay. So who here has children? Raise your hand. Wow. And we're spreading awesome. Okay. Now, another good question is who here has bought a car off a car lot? Not off of Craigslist, not off of eBay, not found in an alley. It's like, uh, okay, that's a little bit less. Okay, I'm trying to read everybody. Okay. Who here has shopped at a grocery store, not Walmart, like an actual grocery store? Okay. Wow. Walmart's not totally taking over. That's good. Okay. Now, also, let's go to another one. Let's go and ask the one last one is like, who here has bought something off the internet? Raise your hand. Okay. Dude, you're not even playing. Okay. Come on. If you haven't bought something off the internet, you're not playing. Okay. It's like, I want to, I need cooperation from everybody. Okay. Thanks a lot for that.
Okay. So now I need one volunteer who doesn't mind being a victim. I mean, a contestant on this little competition. So for this little trick thing. So what I'm going to do is I'm going to be able to ask you five questions. These questions deal with dietary, social, psychological, geographical, and how old you are your age. Okay. Genealogical. I don't know that really well. Not that educated. So here we go. So I want to ask this with these five questions, I'm going to ask you what you had for dinner. Now, if I can guess what you have to you had for dinner, guess what? I win. It's like and you owe me a drink. No, not really. It's like, but if I lose and I can't tell what you had for dinner, I will give you a nice little hacker sticker set later after the the talk because I forgot it because I was working on my slideshow for some reason. And I blame you know, several parties last night.
So what I'm going to do is like I'll have those stickers for you if I lose. Okay. So let's go and everybody raise your hand. If you are a spouse, if you have a spouse is specific because of the sociological questions. If you have a spouse and you want to volunteer, raise your hand. Okay. You right there because you're cute. Yes, right there. Come on here. Not that you weren't cute too, sir. I'm just saying. It's like I want to, there we go. Yeah, you got to come up here. Come up here. What's your name? Marisha. Okay. Marisha. It's like, is this your first DEF CON? Yeah. Obviously, because she volunteered. So that's a good thing.
So what we're going to do now is we're going to do a little thing. I'm going to need you to look this way right here. Keep your eyes on me. Watch how I do it. Okay. Actually, I need you to right about there. Right there. There's method to my madness. Not usually. But yeah, this time, we will say there is. So I'm going to ask you these five questions. Keep your eyes on me. And I'm going to by reading your body and your facial expressions, I'm going to be able to tell you. Okay. So yes, while I'm doing that, all I'm going to do is just entertain them. I'm going to put pictures of lolcats up. So it's like they'll be able to enjoy themselves as well. So let's start with the first one. Can we switch to the slide so they can see the lolcats? Thank you. So here you go. That's a cute picture.
So I'm going to ask you one question first off. And this is going to be a sociological question. Okay. So where did you meet your spouse? It was a restaurant. You know the name of the restaurant? What was the restaurant? Someone's in trouble. Okay. Very good. Am I the judge? I don't think so. Okay. So let's let's go ask with the next question. Now this next question. Oh, here I'll even let you look at one of the lolcats. So the next question is going to be let's make it a psychological question because that looks pretty psycho.
If no matter what you eat, even if you're a vegetarian, it's like no matter what you eat, do you consider yourself an omnivore, herbivore or carnivore? Like mostly? No, no, no, no. This is talking about to help get for the dietary thing. It's like what do you consider yourself a carnivore? Oh, meat eater. Be careful here guys. Okay, there we go. So, okay, so you think you can serve carnivore.
Okay, so now let's ask the next question. Now this question is a geographical question, but we're going to try to use the logistical part of your brain. Okay, so in a number kind of way, how do you associate where you live? So what's your zip code? Yes. Okay, that's good. It's like that shows the logical side of how you how you where you live.
Let's go with the the next question. Now this is more of a dietary question. It's like everybody loves the internet cat. You can look it's like it's not bad. These pictures aren't really bad. So don't worry. So on a dietary standpoint, what do you like to do if you were at home, not here? If you're at home, would you like to eat out, eat in, or have delivery? Delivery, like I'm a girl, I like that. So it's like, so there we go. So that's your dietary question.
Now one more last question. And of course, I picked someone that's gonna be very difficult and stuff, you know, it's like, because you know, I know this is a really great question. But on a genographical side, I can tell what your generation stuff is. It's like, what's your birthday? Just give me the whole birthday to be great. I'd appreciate that.
Okay, thank you very much. Now, that is social engineering. Thank you very much. It's like, she was a great sport. Unfortunately, I've got some good news and bad news. The good news is you get a sticker set because I was lying about telling you what you had for dinner. It's like, that was not true. But bad news is that was a social engineering demo right there on how easy it is to be able to do it. I started off, you can get back down.
So once we get down, I said, I'm gonna get kicked by a husband later. Not the first time. So, so this is what we're going to talk about. It's like, that was so easy with social engineering. I started by lowering your expectations. Came out a little hairy. It's like a little dejected. It was like, you know, this is how how is this going to work? Did a really lame magic trick? Yes, I realized that was lame.
One more slide. I forgot to show you what what is all about because the fact, what do these questions have in common? They call Sarah Palin and her email address. Those three main red questions were the password reset questions for Sarah Palin's email. That's social engineering. That's how you get those kind of the data you give them to think about one thing. So busy thinking about Oh, he's never going to get what I had for dinner. It's like he's not gonna get I'm gonna get stickers. I'm gonna show him wrong. It's like you get them engaged. You get them thinking that they're doing one thing when they're actually providing information for another. So that was our demo. And thank goodness the demo guys were nice and it didn't fail too much.
So let's get right back on to what else is going on. This is me. It's like, yes, it's like, trust me, I'm going to talk about both my jobs. It's like I've never no one I know actually has ever seen me in that suit except for on Halloween during my day job. But let me talk about that more. I've got two jobs. I got night job to day job. The day job is I'm the AVP of information security for a national financial institution, where I monitor firewalls, IDS logs and stuff, you know, and handle the day to day stuff. But my night job is I'm the CIO of Stratagem 1 Solutions where I go and break things. I've written a book, Dissecting the Hack. Yes, shameless plug. And also do some talks around the world and do different kinds of hacking and social engineering engagements as well. So that's me. And that's enough about me.
You can Google the rest. And then let's talk about I would like to start off with a quote. There's your I am a CISSP. So there's your Sun Tzu quote as required. So because this is an infosec talk. And that's enough of the Sun Tzu. Let's go with another one.
I want to let people understand when we're talking about being critical, not being critical with you, but let you understand I'm not a subject matter expert on this subject of social engineering. Okay, there are a lot of people out here that know it a lot better than me. I do a lot of different research. It's like when researching my books. And also it's like I just like doing this stuff. So I'm a geek who likes to talk. And I talk, you know, a lot. Just putting witnesses to that here. So that's what this talk is going to be. So I want to use the Theodore Roosevelt quote. But here's the main Theodore Roosevelt quote that I like to use. And that is to educate a man in mind and not morals is to educate a menace to society. And we're not talking like gang style. We're talking about like this talk hopefully will not just show you how I'm breaking things and getting into stuff, but hopefully how we can start finding solutions to the human element, which is the main problem with our society and stuff you know, in an industry when it comes to social engineering and information security.
Wow, crap. That was just the intro. Okay, but so far so good. We're doing good. Hold on. Trust me, I needed that. So now we're going to talk about the history of the 36 stratagems. We're going to talk about the history of social engineering. We're talking about how social engineering actually differs between cultures. And we're going to discuss the OSI model and go through the stratagems.
So one of my things I like to say is that if you want to learn how to cook, you go to France. If you want to learn how to paint, you go to Italy. If you want to learn how to conduct military strategy, you go to China.
It's like one of the things I admired about them is they've got military strategy laid down. They know exactly how they do it. And I've heard people and said, you know, one of the strategies out there is if you have to resort to physical violence, you've already lost the fight. It's more about the mind. It's more about the development of your weaponry and also your treaties and the positioning of your people, which also involves social engineering. So that's the reason why I like the 36 stratagems. It's like the reason why the a little bit more about the 36 stratagems is the fact that there are 36 different strategies that are written out, given a story to each one to help better explain it. It's like two or 3,000 years old.
Now another thing, let's talk about the history of social engineering. I mean, Kevin's good, but actually social engineering did, you know, occur before him or Frank ever got onto the scene. And one of the first noted victims of social engineering, the victim of social engineering was Amenhotep III. He was socially engineered by the priest of the Amun priest of the royal city at that time period, where they were actually in theory just controlling his whole dynasty. So much so that upon his death, his son had to move the royal court to Thebes, and that's when the royal city became to Thebes to get away from the influence of the Amun priest. And then he proceeded to wipe out the Amun priest, but that came later. But that exactly, so sometimes there are bad consequences, you know, to social engineering. But that was one of the first victims of social engineering.
One of the most well-known social engineering attacks that have ever occurred in history is never credited with a social engineering attack. And that's the Trojan Horse. We all know about the Trojan Horse about how it's, you know, the program and how you're able to do it in computer terms. But do you realize the very first Trojan Horse was carried, the social engineer carried it out?
His name was Sinon. He actually disfigured himself. Physically, you know, cut himself up, made himself look, you know, like near death. I mean, that's called method acting, which I'm not going to go that, you know, hard into. But it's like he actually left himself for dead on the beach as the Greek ships left. And this guy was actually able to convince the people of Troy for one, don't kill me. It's like two, oh yeah, the Greeks, I don't like them anymore. We have falling out, you know, they chopped me up. Hey, they left a horse. Do you want to bring it inside? All right, that was pretty cool social engineering attack. We talked about the horse, but we don't talk about the person who carried it out. And that was a social engineer of massive proportions. So mad props to him.
Another thing is the Bards of Old Middle Ages. They were social engineers because they weren't just trying to entertain, but they were actually in the employ of feudal lords who would then gather that information. Because who actually went to the inn to listen to the Bards? The stable hands, the maids, it's like the guards coming back from the castle wanting to impress the local musical traveler, giving them good intel. And then they would go back and report it. So social engineering has been around a lot longer than an Amiga. So that actually I don't think Amiga is around anymore. But you understand what I'm saying. It's like social engineering is here to stay.
So also another thing is people don't cover very much is social who's freaking attacking me while I'm on a freaking presentation for gosh sakes. That's not nice. Sorry that then, okay, that was rude.
Okay, so how does social engineering actually differs between the cultures? Okay, well quite simply there is. In Asia, you talk about conformity persuasion. Meaning people don't want to stand out too much. You don't want to like create a disturbance. And you can use that during your your your social engineering engagement.
One of the trust models used very well is in Japan where you got a trust model which is I trust you until you give me a reason not to trust you. Social engineering terms we call that jackpot. It's like yes, you should trust me till you can't trust me anymore.
In Europe, it's authority based persuasion. In other words, like in the Russian trust model, you're untrusted until you're trusted. Well that might be a different a bigger problem, correct? Not really. I'm walking up to the place. It's like I'm here for the surprise inspection of the server farm. I need to be let in. Sir, you're not on the list. What part of surprise did you not understand? Obviously, you're not in control of the situation. If you're not even understanding that I'm supposed to be here today. So why do they let you on this shift? Let me in the server room and if you're lucky, I won't put you on the report. And that's how you do conformity. That's how you do authority base. And then don't worry. I always put them on the report. I was just lying. I will put them on there.
So and that's how you do when you're dealing with like European it's like you're dealing with authority based persuasion and North America's need base persuasion, which is really cool because you got to be polite. I was actually asked to do this demonstration, social engineering demonstration in a secured location. I can't tell you what city was in. It wasn't like a main one. It was just but it dealt with financial stuff and instead of going, you know, through the bulletproof glass and the man trap and the armed guard and the metal detector and the x-ray. I just hang out by the employee entrance and waited for my target, which was a guy being followed by a girl. And so I go in and insert myself in between the guy. He opens up the door and I hold the door open for. I am a gentleman after all. And then I fall in right behind her. It's like those are the kinds of things that we do a lot in North America.
It's like you won't, you'll question people, but what happens when I roll up in a wheelchair with four boxes on my lap and ask you to let me in? Are you going to be that a-hole that's not going to let me in the door? No. Should you be? Yes. You should. But we want to be polite more than we want to be secure. And that's one of the biggest problems that we manipulate here in North America.
In South America it's like reciprocation based conformity. What I do with that persuasion, what I do with that is I go like, hey you know what? I'll put you on the report. Show exactly how well you did. You helped me out here. You make my report look good. I'll make sure you look good. It's like I don't want to eat there either. It's like I do put them on the report, okay, when they let me into the server because they want to look like they're doing a good job. So I do appreciate that.
Now why are we having to do these things? Why are we talking about social engineering so much lately? It's like well quite frankly it's because of the fact that there's a new OSI model in town, okay? This whole seven-layer thing is gone. It's like one through six is busted. I mean, okay, yes, I will admit we still have SQL Slammer going out on the Internet for some strange freaking reason, okay? But it's slowly dying out. People are understanding that firewalls might be a good thing to block, you know, 1433. But also layer seven. It's like we can still attack layer seven, thank you Adobe and Microsoft. It's like we can still attack layer seven pretty good. But now we're getting heuristic intrusion prevention systems on the desktop. We're getting a more secured code. We're getting more patches coming out, you know, every day. So that's sort of not dying away by any means, but it's slowing down. So where do we have to go? We have to go to layer eight, the human layer, the physical layer. The reason why this person, this gentleman here is on here, he's the poster boy for layer eight security.
Because this gentleman and stuff, you know, actually was in Tampa, Florida in March, spent 18 hours in an office building. 18 hours in an office building with no question. He brought dinner. Okay. I would love to tell you his name. He's never been caught. But he did steal a lot of laptops, cell phones. He actually stole a suit. So the next time you see him, he'll probably be wearing the suit when he's robbing your building. So at least he's upgrading wardrobe. So that is the reason why we have to deal with layer eight.
Now, this is a perfect example, thanks to jcran on Twitter who actually gave me this. This is the perfect example of why we need layer eight security and how effective it can be. Right here, these three right here is him attempting to do a network based penetration attack. Red is denied, gray is either attained, not attained or not tried, and green is success. So network based attack right here, deny, deny, deny, deny, deny. Okay, you're not getting in that way. It's like a utter fail. So you know, you don't go home dejected though. What do you do? You come over here to the physical location of the headquarters. Let's try Wi-Fi, not happening. Oh, how about walking through the front door behind somebody? That seemed to work. Let's find an empty conference room, bingo. Let's get our laptop onto the network. There we go. And let's just jump right over here to where we've got domain admin credentials. For some reason, I think they stopped. It's like, I don't think these weren't not attainable. I just think that I think the company just, okay, you win. Back off.
So that's how that goes. That's why this is so needed. And it's usually so successful. I have not always been 100% successful in a network based penetration test. I have been 100% successful in every social engineering engagement I've ever been on. And like I said, I'm not that talented. So it's like, it's just that's the way it rolls.
So it's like, and hopefully I'm not going to get, now I'm here, it's like I might get caught next time. But so far, as of this time, I've been 100% successful.
So let's start with one of the stratagems. Stratagem three is killing with a borrowed knife. In other words, you want to turn an employee's assets against them. So it's not really you the one attacking. You let those people be the attacker. And some of the great tools for this is of course, the Google's because, you know, everybody wants to be a trillionaire. And but also you have Facebook and Twitter and, well, do we still use MySpace, anybody? Okay, just wondering that's professional curiosity. But there's also, there's these tools out there. Those, those are what you're going to use to do your data mining to actually try to circumvent those.
I'm going to be on Facebook all over the place, my profile. Not me personally, but Kathy, hi. Kathy, I like long walks on the beach, watched all the Buffy seasons. They were awesome. It's like I've seen Serenity. It's like, I don't like the notebook or vampires that glitter. So it's like, but we also happen to be in the same company fan page. And I just friended you because you know, we're in the same, we work at the same company in different cities and stuff. You know, but you're really great to help me out and be friends. And, and yes, I'll help you with your farm. And, you know, I'll kill who you need in Mafia Wars. And it's like, it'll be all great for about two weeks. And then I'm going to need help. My executive who I'm an assistant to who's lost his passwords and stuff, you don't need me to reset them, but I can't get ahold of the network guy. Can you help circumvent all that process and get me in trouble? I'm gonna get fired for this. I mean, seriously, I need your help. It's like, can you hook me up and just reset the password for that account and just save the day for me and be my hero? You will. I'll give you an extra cow and FarmVille. Thanks. There you go.
And that's how you use the employee. But how else do you do it? How else do you do social engineering besides directly manipulating people? Well, it's also good for doing Intel. There's a lot of good choices. Thanks to a couple other people. It's like, I'm not going to drop dox on that on Savage like I planned, because ICanStalkU is a much better website for that now. It's like, but also, we also have Evil, which actually shows the Facebook phone numbers of people that post their actual phone numbers on Facebook, also a one stop shopping for phone numbers there. Please Rob Me, an oldie but a goodie. It's like, and this, ICanStalkU actually when you take an iPhone picture and still has geodata in it. They're nice enough to tell you exactly where you're located. And then put it on the internet for everybody to see. That's where the whole stalking thing comes in.
And then my favorite is just the old Twitter search headed to because I started out talking about doing this and showing the dangers of Twitter. I decided to go bad. I want to do the most evilest thing that I could think of by using Twitter. What could I do that could be so evil on Twitter? It's like, what could I do? What kind of damage can I do if I had resources and I had the time and the meanness and you know, just, I'm not really a mean guy. But say if I was thinking that way, what could I do? Well, I can search my locations. You know, the Twitter app on the library is so nice to tell you exactly where you're geographically at at the moment. And so I started searching for my locale. And I found this guy. It's like teaching healthcare provider CPR at WAH. The only thing that made this guy different than anybody else was I was wondering what WAH was. It's like, what's WAH? Well, it turns out it's Washington Adventist Hospital, which is right down the street from Walter Reed Hospital. And he feds that know where this is going. I'm a very good guy.
This is all hypothetical and I'm not trying to do anything bad. So please, you know, you got other things on me in your files that you don't need to add this to it.
So what I thought to do was like, let me find him more about this LinkedIn guy. Now he's got my attention. Now I'm interested. So where do I go? Oh, hi, Steve. Everybody say hello to Steve. It's like he's on he's on LinkedIn. He's a volunteer EMT. It's like he's a volunteer fire and rescue association. What I liked about here is that he's a consultant at Northrop Grumman Mission Systems. You know, that's telling me like possibly top secret clearance. It's like you used to use databases and stuff, you know, 20 year database design and development. If I'm going to do something bad, especially in the Washington DC area, it's like I'm not going in as the kebab salesman. I'm not going in as a street vendor selling hot dogs and water. I'm going in as a first responder. Why? Because I'm because people aren't going to be the douchebag that stops the fireman to get into the fire for proper credentials. People aren't going to stop the police officer trying to respond to an event, especially a major event that might involve important people that happen to live in the area, especially around Walter Reed Hospital, especially if they're an EMT there to help out and assist. That could lead pretty bad.
But you'd have to find this guy. I can't track him down everywhere he's at and said, you know, I hope that he's at the same spot as soon as I get there, right? So I'd have to know where he lives. Where would he live? Oh, he lives right here. Thanks, Steve again. I feel sort of bad, you know, for Steve because I'm dropping dox on him and stuff like this. But it's like, he dropped them to the world. I'm just showing it to you guys. So I'm actually showing it to less people than he did. So I don't feel too bad about it. Now I know where he lives.
So now when he's dead and I got his identity and stuff, you know, and certain events can occur and stuff, you know, that I can make occur, I might be able to have access to Walter Reed Hospital, which is a very bad thing, which is a very evil thing, which I would never do in real life ever. Okay, but I had to put a disclaimer in there just because I'm paranoid.
So I love LinkedIn. Let's not just pick on the little people. Okay. LinkedIn is the Facebook for corporations. I mean, seriously. And they're also a great goldmine. Look right here. We've got Scott, not the popular profile. So I don't care who's popular or not. I mean, I never did in high school because I wasn't. But let's look at these people. We don't care about the marketing and recruiting and placement. Why would they be popular? Because you want to get a job? I'm looking down here, who got promoted, who are new hires? Oh, this person three months ago, they might have a personal assistant that I'm now their personal assistant. We just started up three months ago, we're working on ramping up our new data center. And we're going to need to need you to reset the passwords because they got out of sync because of the RSA token. Can you just reset all the passwords? I'd greatly appreciate it.
It's like also another good thing is I'm from I'm I graduated from the University of Oklahoma. If this was University of Texas, it's like a and was the highest pop percentage. That's where I'd come from as well. basis in Oklahoma City and Tulsa. So if I'm attacking Oklahoma, I'm from the Tulsa office from the Tulsa office. I'm a type of I'm attacking Tulsa I'm coming from the Oklahoma City office. A lot of I actually finished a recent social engineering engagement was able to forge an email, put it on an iPad and get access to a server room from two different searches on Twitter and LinkedIn. I was able to forge an email good enough to put on and get me to a server room. Just from the information that I gathered off this.
And I didn't attack the low level guy. I was attacking someone higher up. It's like the executives are like that. You get CIOs, CEOs they're susceptible to this kind of attack. And you have to be careful what you publish on LinkedIn and Twitter. So I'm not just picking on the look. See, I'm not going to the guy that's just trying to hit on like the users. Everyone wants to say the users are stupid, humans are stupid. No, people are just not educated. That's the issue.
Just like this uneducated network administrator who put his diagram on ratemynetworkdiagram.com actually put when he submitted it. IP address and other miscellaneous information has been removed. My supervisors would feel quite unhappy with me if I posted the full version, even though I did post a full version of SDS network diagram for the Encore Building Synergy Business Park, with also the devices that I'm actually using. Yeah, they're not going to get mad about that being shown at DEF CON, I'm sure.
Now, this next slide, I am totally not bsing you on this one because I honestly did not believe it myself is an I had to Google the company because I did not believe this was real. I pinged the IP address to see it. I did DNS stuff, you know, IP lookup on it. This is the actual external IP address of the companies and there's their internal IP addresses. And there are some of the different firewalls that they're using the names of the version of the firewall and their web server and they're telling us all the internal and external IP addresses. Ouch. That's also what we call jackpot. Okay, that wasn't a user. That was an IT network guy, soon to be unemployed network IT guy. It's, hey, it's freely accessible on ratemynetworkdiagram.com, which has got to be one of the best social engineering network resources that I've ever had.
Okay. Yes, that was the same place. Yes. Oh, just goes and please guys, I don't want you all to be malicious. Please rate their diagram. I mean, be fair.
So make sure you do that. Now let's go to one of the other stratagems. This is the stratagems to scheme with beauties. And basically it's going to be talking about how we're dealing with online versus in real life social engineering engagements and the problems people with the voice like mine have. Yes, not just visual but audio.
So as we talked in previous stratagems, being able to fool someone online is pretty easy. When you get to the point where you're dealing with calling a person in real life, that's when it gets a little bit more difficult because it's one thing to be able to say, Hi, I'm Kathy on Facebook and be able to exchange emails. It's another thing when you need to talk to the person in real life and tell them that you're Kathy. It's like, so how are you going to do that? It's very simple. You need to be able to change your voice in a way that will make the person make it sound more believable. It helps if you have background noise and like I'm trying to do it in a very quiet situation. But you want to be able to make it where it's convincing where it sounds like, Oh, I am Kathy. It's like, I do need help with that password. Could you help me out please?
So that's one of the main things when you're dealing with doing social engineering in real life, you're going to want to have the ability to be able to change your voice or have someone an employee that can impersonate a female or be a female or an older person or the target you're trying to choose. It's like if you want to go after someone that's an executive, the World of Warcraft headset that's really good with being an old person, maybe a little bit too convincing because I don't know if you're going to be if you're going to be this old to sound like this, it's how much you'll still be working. You could be pull off as the owner of the company or the CEO or something like that. Maybe a little too old. That's not the closest thing going to an old person.
So with the headset I just take with the with the female. Because that sounds like the most convincing without hardly any tweaking at all on the on the settings. So you like that. It's like hopefully this helps show you some of the things that this is just one headset with preset voices. I mean and trust me, all the other sets, all the other voices aren't as convincing as this one. I don't think you were going to take me seriously if I tried to ask for a password reset like this. And I don't think you're going to be able to get anything from someone if you tell them straight up, you know, just give me your password now. So you want to be creative. It's like there's other voice changers out there. This is just one. And it's just happened. It was just a find. And that's one of the things I liked about it. It was just by accident that says, Oh, this could be used for social engineering. It's like there's other devices that I'm sure are much more sophisticated. They do the same thing. So please remember, it's like if it's online, if you know, you can't trust who you're talking to online. One of the things I said in my book, you know, it's like guys are guys, girls are guys and 14 year old FBI agents. That's the internet. But also now, more and more, you'll see in real life, you can't trust the other person on the other end of the phone line for the same reason. And there we go. Let's go on. Thank you. Let's go. Our next strategy. I'm like so over time right now, they're going to be dragging me off in about 10 minutes. Our next strategy was luring a tiger from its lair in the mountain. You wait for the worker to take his network to you. I don't know about anybody else resuring who likes to go to jail and explain to Bubba and stuff, you know, just murders family that you're in there because of a computer crime. Yeah, that's not going to end well for you at all ever. Okay. 
So you want to make sure that you can limit your risk and one of the best ways to do that is not get caught and not be getting caught in the main headquarters. So where do you go? You go within a two mile radius of the major Starbucks, Panera Bread, you know, place where you can actually do still access their network. How do you do that through their laptop? So being able to use and mimic an access point. Thank you Microsoft for making sure that everybody beacons out. Hey, are you there? Are you there? Are you there? Are you there? And I'm always going yes, I am. Yes, I am. Yes, I am. Please join me. I'm there for you. It's like, we're not going to cuddle, but it's like it'll be beneficial for at least one of us. So, so, so that's one of the kinds of attacks that you can do. This is another way to do it. My friend of mine and co-author of the book, Kent Nabors, actually took this picture at a Panera Bread outside of where he was staying right outside of the main company headquarters area. This lady left her laptop, her purse and her latte. It's like for over 15 minutes unattended. I'm not going to try to install malware. I'm not going to try to hijack her session. I'm not going to try to do some kind of cool leap middle on the man, man in the middle attack. I'm taking her laptop. I'm putting it in her purse and I'm malicious. I'll take her, her coffee too. It's like, uh, and then I'm walking away and gathering the data. Yeah, they're going to come after me. So that's one of the problems with when we're talking about wireless security. It's just physical and, and also from the network base. Now let's go and talk with tossing out a brick to get a jade. It's like, uh, which one is the scariest picture in there? Out of all those pictures, which is the scariest. It's the middle one, because that's the one you're going to put in your computer. And I like USB drives. I like personal devices. 
This is a picture of me right there again and trust me, it's not that I like that picture. Uh, believe me, but guess what I'm wearing under that nice suit. That's my vest of doom. I call it the vest of doom because I think it sounds cool and I'm reliving my childhood, but it's like that's the name and I'm keeping it. Okay. Uh, what can I do in the vest of doom? Well, here's the part where we come to the hacker striptease. So you throw money row days. It's all good. So here's the vest of doom. Let's go and see what we've got in here. We got a couple of drives here. They're really nice. They've got, uh, they're SanDisk Cruzer thing. He's SanDisk Cruzer for giving some environment to manipulate. So we can suck down the system hash and the password hashes of a system just by plugging it in for five seconds and then going off to the next machine. Those are really good. Very handy. Let's just empty pockets here. Oh, these are really nice. I dropped these. I don't drop these in parking lots. People dropped these in parking lots with malware on them. Now, I put them in an envelope, address it to someone in the company and then put it on their desk when I'm in there. What are they going to do? They're going to plug it in and they're going to double click on that pay raise for 2011. Right? Just to see, just to make sure they were supposed to be the one to get it and stuff, you know, they want to make sure they're returning to the rightful owner, right? So what else we got? Oh, these are really good because no one ever notices these when they're logging your keystrokes and stuff, you know, behind your computer. Those are really nice. Sometimes it's like you can't have time. You got some time you got some time on your hands is like you're there at night and stuff. You don't want to go and decrypt the passwords there. You don't want to try to be on the location. That's okay. I take the hard drive with me. I do that later. 
Sometimes I want the system to still be on, but I still want to be able to attack it and stuff. So nicely USB wireless devices I can connect and bridge and then I'm just, you know, hacking from the convenience of my car, jamming out. It's got air conditioning. It's good. And let's see here. Also if I want to record a phone conversation, try to manipulate or actually just leave one in someone's desk while they're talking, try to get some incriminating evidence there. If I want to do forensics on the machine, that always helps to have something available for that. Let's see button, button. Who's got the button? Here we go. Network crossover cable. If you have USB rights and you think, oh, we're protecting because we're protecting USB rights, I'll just join the network directly to the other machine and then download the files that way. And then here we've got some hard drives. I like this because this is the rainbow tables. So I can do some password cracking right there. Don't worry, I do have a permit. It's all good. Here's just loaded with malware. This is just all different kinds because I might want to, you know, get a custom one out there on networks I get to choose. And I want to be able to compromise and take that data. So it's like I always carry at least, you know, one or two terabyte hard drives with me that are the same size because you want to be able to back up the data. What am I going to manipulate with that? How am I going to manipulate all that data? How am I going to crack? How am I going to do that wire? Well, I do it this way. This helps. 40 gig hard drive, one gigahertz processor, one gig of RAM running BackTrack 4. Thank you, Teton, who helped me out with that. It's like just plug that in right here. Network jack. I'm good to go. I'm doing a wire tap on your network backing it up to a one terabyte hard drive. I can get some password hashes off of that, I think, especially if it's duct tape underneath the desk. 
Here's another one because this is one of my newer toys. It's like, this is not mine, of course, someone else used this one to jailbreak. It's like the reason why I like this because Metasploit, thank you, HD, who was able actually to, I was actually on an engagement breaking into a network gateway and from here. So everybody's walking past me and I'm just like, you know, trying to get into the, trying to guess the password through an SSH channel and the manager actually comes, so how are you liking your stay? Oh, I'm loving it. I'm having a great time. So is that the new iPad? Yes. It's like, it does a lot of, a lot of cool things and closed out that, show them the pictures, show them the videos, didn't show me breaking his network. And it was all nice and fun on that. So those are some of the things that you can get. And those are some of the things that are available. It's like, it's just that easy to bring into it. I actually brought that into a secured location one time, which now I'm banned from because they don't like people carrying small little USB devices on their person. This is my favorite eight gigs right here. It's like that goes through security checkpoints everywhere in every country. And it's got a nice, okay, don't hurt me. Okay. I'm running long as I'm talking, can I talk any faster? I don't think so, but I'm trying. So, so there's nice little eight gig USB drive for that. So let's talk about the next one. Usually after I tell all the people of the things I can do, I want to get out of there. So that's the strategy was escape. It's the best game. It's like, you do that. How do you escape? Fake engagement letters. Those are my favorite. It's like, I actually was caught inside a dumpster in Houston. A lot of my stories end up with me in a dumpster. But, but this one was I was stopped by HPD and they wanted to question me at gunpoint about what I was doing there. I showed them the engagement letter, the one that I had was legitimate one. 
And they looked at it and gave it back to me. They didn't call. They didn't verify anything. So now I carry two engagement letters. One's the real one. And the one that's fake that actually tells them, please assist him in any way, shape or can that you can. And make sure you call his phone number and stuff, you know, and verify that he's supposed to be there, which, you know, they've never called me. So it's like, I've just been wasting those go plans. But, but, but that's what you can do. That's how you do it. It's like, and I love it when they do help me. It's like, yeah, here's the engagement. Can you help me? I need to take that server out. It's like, this isn't the, you're supposed to help me. Don't worry. I'll put your name on the report. It's like, you're doing a good job. I really appreciate it. And you did a great job catching me. And I don't, like I said, I try not to lie. I do put them on the report. And so that is, that's one of the best schemes is like using those engagement letters. Now, what we got to talk about is how we try to solve this in the next two minutes. It's like, we try to do by security awareness, but we're doing security awareness wrong in most companies. Look at this top security awareness poster from a company. So great. Now you have insecure employees that have low self-esteem. That's not the way to go, man. It's like that. And the last, the bottom three just show you don't even know what's going on because that whole mouse thing is just creepy. So we got to get better security awareness. Now if security professionals made security awareness posters, we would try to get the point across, but people may not appreciate it as much. Now problem is we're also too technical. So sometimes we use terms and we try to put it in ways that we think are self-explanatory, but users may not know. You can't be so out there that they don't understand what exactly is going on. Some of them did. Others are going to be Googling later. That's awesome. 
Google Spanish Inquisition. Now so what you have to do is you have to get one target specific to see your company so your people understand it. Google headquarters has a good security awareness poster that's effective. Thank you, Ophelia. Sorry for all the Google guys in here just being funny. So you got to strike an even tone. You got to be able to educate them and give them some information they can actually use. Something like just basically you're reporting suspicious people. Okay. So and like I said, I'm not trying to target anybody, you know, by what they look like. I mean, because going to Glamour Shots is not a crime. It's just I'm just trying to inform people, you know, that certain, even if you are the number one hacker, it's like you should be aware of them in case they ever show up in your building. Yes, he threw a gaslight in. So what else can we do? You're doing what you should be doing. One of the people things that people don't understand is you're doing what you're supposed to be doing right now. You're at a security conference, you're at a hacking conference and you're trying to learn and hopefully you're sharing that information with others. That's one of the biggest things that we have in here. We're always about communicating and trying to break things. We need to start getting together as a community and start understanding and learning and teaching others. Everybody here should be learning and what they know the most about and developing a talk for it to give it later at another conference. It's like I mean that's what we should be doing. We should be learning and sharing that knowledge. We've got to share it more. Hey, you can't give me. Can't give me. I'm done. Oh, that's it, guys. Seriously, that's it. That's it.