Alright, next we have Ed Miro. He's been in the IT business for almost 20 years, with the past 5 being focused on security, especially physical security and social engineering. He currently does freelance security consulting, penetration testing, and cybersecurity awareness testing and training. He's based out of Chico, California. Now let's give our attention to Edward Miro: Rideshare OSINT, Car-Based SE for Fun and Profit. Alright, sorry about that. Hey SE Village, how you doing tonight? I was like totally expecting to have a small crowd. This is the hugest crowd I've ever talked to, so here we go. So my name is Edward Miro and I'm going to present a talk to you all today called Rideshare OSINT: Car-Based SE for Fun and Profit. Before I get into the talk, I just want to say thank you to a bunch of people back home in Chico, California. Thank you, Wendy, Tim, Eva from Chico Start, everybody at Butte College, Linda Fisher, Wilka Put and the DC530 crew, and everyone who puts on Norcon, Chico's own hacker con that we've had for four years. Thank you very much. And my talk's pretty tight with time, so if you have questions, please find me afterwards. Okay, so of course I want to thank DEF CON, SE Village, Social-Engineer, and I'm honored to be able to introduce myself to this audience at this con and share some of the projects I've worked on, my voice and experience in InfoSec and IT. Cool. So like many of you, I've been in the world of hacking since the mid-90s. I was that teenager running Sub7, making people's CD-ROMs pop open and making system dialog boxes that said "boner alert," you know, very elite. And I did go to tech school in 2001-2002; I got my associate's in computer networking and information systems. My first tech job was doing dial-up tech support for EarthLink, if any of you remember that company.
Since then I've spanned the full spectrum of IT work: retail-based repair, managed services providers, wireless internet service providers, recently begun my new quest in freelancing, and even started doing my own penetration testing. So I started hosting my own podcast and YouTube channel called the Pseudo Social Club, and we talk about basic cybersecurity concepts and awareness. And sometimes I dabble in CTFs and crypto challenges. And last time I checked I have 17 subscribers, so I'm not really doing it for that. It's mainly to motivate me to keep learning and practicing and giving back to this community, which has given me so much over my life. I was also a mentor and judge at HackDavis 2019 and got to run a lock picking workshop there. And it was awesome. And the kids loved it. And I've been a speaker at our own hacker con in Chico called Norcon, 2N4. And my first time speaking was really bad. I remember being fully aware that I was having a panic attack and narrating it to the audience. So we're doing a lot better this time. Thank you. Thank you. And thankfully all video evidence of that talk was lost in the great Chico hacker beef of 2017. So nobody will ever see my shame. And that talk was on vehicle-based surveillance. And I was the guy that found the local FBI office and tried to interview them, and spoiler, they didn't. And I just figured maybe a hacker showing up at their front door might throw them for a loop, but it didn't. And they came on the intercom and they seemed so confused that I was there. And I did some rideshare work too before I started freelancing. Okay. So you might be asking yourself, if you've got almost 20 years of work experience and all these accomplishments, why did you drive for a ridesharing service? Well, some people do it with full-time jobs just for extra money. And I had recently left a career as a federal contractor that didn't really make me happy.
And I just needed a way to make money and make ends meet until I could find a new thing. And just to clarify, driving for Uber or Lyft's not really that bad. If you keep your car clean, if you have the social awareness and aptitude not to be super awkward, and you're willing to get up early and put in hours, you can make enough money to survive. And I mean, I worked for a wireless internet service provider and I made minimum wage being up on the roof, installing CPEs in the rain. So sitting in my comfortable car, socializing with interesting people, it's kind of hard to poop on. So that's me in a nutshell, where I'm at, how I got here. Now I just want to lay out a few definitions, some of the methodologies I used, and the ethical considerations I embraced. Chico, California is a smallish town. If you happen to live there and you used Lyft from December 2018 to February of 2019, there's a really good chance that some of you who see this were my passengers. I just want to state a few things on the record. One, I did not record any interactions, audio or video. Any notes I took were completely anonymous. And I never documented any PII during my research. And I only tried documenting things like talker, non-talker, and duration at first. But there wasn't anything there. And the most interesting correlation I found was talkers and tippers. So simply put, riders who talk tend to tip better. So if you're an awkward driver, you might want to rethink that. Two, all interactions I had with my passengers were 100% authentic and organic. And this is why I wanted to write this talk and present it, because I wasn't really employing any techniques other than just being a nice and friendly guy who can hold a fun conversation. And I noticed that random strangers were sharing sensitive information with me. If you were one of my passengers, and we had a fun and interesting chat, it was real.
And I only wrote this talk as an observation of how much personal and private information riders will share in this environment and how it could be weaponized. And three, I don't really know why this phenomenon is a thing. I've asked on Reddit, and I'm not sure whether other drivers experience it or if it's just me; any psych people can find me after the talk and give me your hypothesis. My personal opinion is that I tend to think people take the app-based nature and it kind of bleeds mentally into the gray area of the anonymous nature of the internet. So I imagine most passengers, or even many in this audience, haven't really considered that maybe a hacker or someone with ulterior motives could be using a rideshare app. And hopefully I can change that. So I learned everything I know about how to utilize and be aware of social engineering through the books of Mr. Hadnagy and Mr. Mitnick. One thing I noticed when reading these books is they all seem to start from an implied foundation of comfort and ability to socialize with other humans. These techniques aren't magic. And if you have trouble with conversation and interacting with people, they're not going to be the magic bullet that makes it work for you. And I definitely don't consider myself an extrovert. Speaking up here is a fun challenge. But in one-on-one or small group interactions, I consider myself highly capable. And for most of my youth and young adult life, I was very shy. And it wasn't until I started college and took public speaking and a handful of other communications classes that I discovered I had it in me to be socially able. So to go back to what I said previously about most of the books and content about social engineering, they start at that unstated presumption that you have those basic social skills. What do you do if you don't have that?
Well, I know so many other people who work in IT or security who haven't had the opportunities that I've had or read the books on SE, and, you know, those books can overlook the starting state of a large percentage of their readers. So here's my advice. I recommend this all the time: How to Win Friends and Influence People by Dale Carnegie, published in 1936. It's in dozens of editions. It's one of the best-selling books of all time. And it's the go-to book to start getting these skills. And if you haven't read it, you should. You're doing yourself a disservice if you haven't. And the best part to me is that it's not about being manipulative or about being fake or conning people. I mean, just check this out. Here are the bullet points for six ways to make people like you. Become genuinely interested in other people. How many times have we heard other speakers say that exact same thing? Smile. Remember that a person's name is, to that person, the sweetest and most important sound in any language. Be a good listener. Encourage others to talk about themselves. I mean, it's like we just keep repeating the same stuff up here. Talk in terms of the other person's interests. Make the other person feel important, and do it sincerely. And I know these skills will be easier for some and harder for others. I studied anthropology in community college. So human beings are genuinely interesting to me. And I know some of you are thinking, but I hate humans. Well, it's going to be harder for you. I get that. Every person I've met has had something interesting to teach me or some interesting experiences to share with me. And most of us love the internet because it's the unlimited resource for curiosity and our desire to learn. And the people you meet and bump into during your daily lives can be like that too. So this is all I'm going to say about socialization skills. Check out those books. Get started yourself. Okay.
So when I started driving, I knew I had to make it work until I found a new job or a better way to make money. So I had a few rules that I always followed. I've used Uber and Lyft for years. And there are things I do and don't like that other drivers do. I don't like it when a car is dirty or smells funky, like smoke. So I got a car wash membership, easy solution. I don't like it when drivers aren't good drivers. So that's another easy thing to do. And lastly, I hate it when drivers lack social awareness. And that goes for both ends of the spectrum. Sometimes I just want to ride and not talk and I get someone who won't take a hint and leave me alone. Or I'll be feeling friendly and I get someone who's awkward and won't talk to me. And the way I always see it is, if the passenger is paying for the ride, they should get the level of comfort they desire. So you kind of have to extend yourself a little bit if you decide you want to do this stuff. And I assumed most people wouldn't be talkative. That's like the current meta when it comes to rideshare. But I couldn't have been more wrong. Like even passengers who aren't overly chatty expect at least a little small talk; I mean, on the whole, like 95% of the people do want to talk a little bit. And so it was a little bit of a rocky start. But, you know, I didn't realize that the social skills I gained when I was younger were very rusty. You have to use these things. So getting it back wasn't that hard to do. Using their name when they get in not only helps them confirm they are in the right car, but also makes them feel appreciated. A smile. I had a few canned ideas on questions: What's your major? What do you do? Are you from here? I see you have a personal item; tell me about that. And I've had some amazing conversations with random strangers during my time doing rideshare.
So to sum up the section and finally make my point, if you want to learn social engineering, you need to be comfortable and confident at socializing and dealing with humans. Doing rideshare is a great way to get a ton of social interactions quick and can be a wonderful laboratory to hone those skills. I mean, where else can you do that? So now, being the type of guy like me who speaks at hacker cons and reads shady books on SE, I see security threats in many aspects of life that the standard users don't. It took me all of a week before I realized something interesting was happening here. I mean, that's what makes us hackers, right? We see patterns, flaws, vulnerabilities, different and unintended ways of using a thing. How to use a system against itself, how it could be used against us. So I started experimenting. Okay, so let's say you're the kind of person who wants to gather some intel on a particular company or person. How could you use ride sharing as a potential vector? I see this as being divided into two main paths, passive and active. Passive intel can be gained just by driving for a rideshare company and being aware of its potential. If you are friendly and provide a comfortable environment for your passengers, they will share sensitive information, especially if you speak their lingo and have some insight or knowledge. In my town, there are probably half a dozen big tech companies. And as a driver, I learned to pick them out based on the address. So I'd use the opener: Oh, based on that address, you must work for this company. And like most tech people, I know someone at, or someone who used to be at, most of the tech companies where I live. So it's really easy. And when I originally thought about doing this talk, I kind of decided that dropping names would be unfair. I just wanted to see what could happen organically. But I revised that because any good social engineer is going to do their OSINT and they're going to be able to drop names.
And I've had passengers from all levels of the corporate ladder, facility staff to executives. Executives are the most fun. They love to brag. If you know tech and you have a passion like they do, conversation flows easily. And it's not like telling a random Uber driver what software you use at work or the latest gossip is going to hurt, right? And I've had multiple passengers tell me more about their medical conditions than I ever wanted to know. I've had passengers tell me their criminal histories, or why I'm dropping them off at their lawyer, or why they're not allowed to drive. And I've had people tell me about relationships. I've heard people in my back seat talking about infidelities or how they've betrayed their friends. I had a passenger once invite me into his apartment to do, and I quote, a shitload of cocaine. You know, people invite me to bars or restaurants they work at. They want to exchange info and become real friends. And I'm just this random guy, and all I'm doing is being nice and friendly to them, speaking their lingo, being interested in them. And what if I was a bad guy? Do you think people are telling me things I could use against them? Okay, so on the other end of the spectrum, let's say you want to take it to the next level. For active intel, an attacker could exploit the location-based matching nature of ride sharing apps to implement strategic staging for targeting specific companies or individuals. If my car is the closest one to you when you request a ride, there's a 99% chance I'm going to get you as a passenger. And if I was going to employ this against an individual, I'm going to do my OSINT, find out how they use ride sharing. Some people use it to go to work every day. Some people use it to go downtown on the weekends. If you can identify the target's pattern, you can almost guarantee you'll be matched. And one thing I want to qualify is an earlier statement that repeat rides are rare; it's true for the most part.
There are exceptions. I used to drive in the morning to catch the commuters. And I had a handful of people I'd get every day sometimes. So it wouldn't be weird to get the same person on a regular basis. And you could always have the pretext that you just live a block over or something. The same thing can be applied to specific geographic areas of interest. If I parked out by our airport and waited, the chances I'd get someone with something interesting to me would be way higher than average. And Chico only has a few main tech industrial sectors you'd have to focus on to be successful. And like individual targeting, if you have a specific company you want to target, just park nearby. You'll get tons of their people. Okay. So I went online, of course, and I asked r/askpsychology why they thought people were so open with their drivers, or at least with this driver. And only one person responded. But their words were very interesting. Here's my post: Why do my Lyft passengers share so many personal details with me? It feels like many of my passengers share so much sensitive information with me. I've heard about people's medical problems, criminal histories, romantic lives. Is there something about the driver-passenger relationship that makes people feel comfortable, or that the interaction feels anonymous and they can be more free with their thoughts? So I didn't mention anything about SE or how I tried to implement what I've learned from Dale Carnegie, but here was a really good response that I got. And I'll read this; it's kind of hard to read on the screens. When you step back and think about it, you have many qualities of a good bartender. It's a temporary, friendly, paid, trusted relationship, which is about satisfying an immediate need. But it is even more than that. There must be something about you that gives off a positive listening vibe to your passengers.
I know when I get into a car if the driver wants to be social or not; you might enjoy being social. There is something about your sincere connection to your passengers which allows them to exhale and open up. You have an empathetic ear that makes people feel safe. I mean, these are such basic principles and techniques, but you know, just to enhance social encounters, they can have profound implications. And I mean, if you listened to Robin's speech earlier, that's what he's doing with his people. And then look at the implications that has on that level. It's amazing. And I don't think there's anything innately special about me when it comes to SE, other than the fact that as a shy teenage hacker, I've always been cognizant of the value of having these skills. And if I can learn this, I think almost anyone can. And obviously the biggest takeaway I'm hoping for here is awareness. I mean, I love that people are friendly and amenable to small talk, but you shouldn't assume any of your interactions are anonymous. And I'm not saying we should be rude or like Ron Swansons, but there should be a line. Especially if you're a high value target. I mean, you should keep in mind that if you get that repeat driver, it might not be a coincidence. Okay, so I have one last story. Okay, I just want to tell another story that happened to me. And it's actually two stories with different endings, but it shows a different side of this coin. I'm a big believer, like Mr. Hadnagy, that SE doesn't have to be inherently unethical or immoral. And yes, during a pen test, you are trying to get someone to do something they shouldn't or allow you access to somewhere you don't belong. But if we can do it in a way that leaves them feeling positive about the interaction, then that's preferable. And sometimes it's fun to help people avoid scams. So during my time with Lyft, I had a passenger who offhandedly asked me if I'd ever sent a MoneyGram before.
I told her I had and I asked curiously why she wanted to know. She explained that she was very excited to be adopting a puppy from online. And she needed to send $350 to the service that ships pets across the country. So this immediately caused my spider sense to start tingling and I probed a little bit more about the transaction. And I asked if she'd spoken to the seller on the phone. And she said she hadn't. And I said that seemed a little weird. And she agreed. But, you know, she said that the seller said it had to do with their religion. And I'm not claiming to be an expert on religions, but I'm not really aware of any prohibitions on speaking on the phone that also allow using Craigslist, but okay. I told her that seemed a bit fishy to me. And she said that she thought it did too at first. But she knew it was legit because she wasn't sending money to the seller; it was being sent to a third-party pet transportation company that the seller had had contact her. And she even showed me the website of the company on her cell phone, which, to be blunt, looked pretty janky. I asked if we could sit for a few minutes and take a look at a few details before she sent anyone any money. And she agreed. But she really, really wanted this puppy. So the first thing I asked to look at was the emails back and forth with the seller. I checked Google and all the social media sites for the seller's name, no matches; couldn't Google the seller's email address due to the Craigslist email relay system. And this in and of itself might be okay. We all use pseudonyms online. Craigslist is a site where you might not want to use your real name, fine. So she then showed me the email thread with the shipping company. So the first strange thing I noticed was that the URL of the link to the pet shipping company in the emails didn't match the name that they gave. And you'd think a business would be able to get their own name right.
And I also saw that if you Google the name given by the shipper, it was extremely similar to a legitimate pet shipping company. And indeed that company comes up first due to Google fixing your query. Now, when you go to the link in the email, however, the site, like I said, was pretty terrible. But not to my passenger. I mean, she's not as seasoned as we are at catching these kinds of things. So she had no idea. Okay. So the company didn't have any social media presence also. No Facebook, Twitter, anything. Also the email address that was contacting her was like a really long email address at outlook.com. She told me she had spoken to them on the phone. And I asked if she had their number. She did. And she told me that she was never able to get through to them when she'd call and they'd always have to call her back. So I asked for the number and I called it from my phone. And of course, it was a Google Voice number. And not only that, it was in the screening mode, you know, where it's like, Hi, the person you're calling is using the screening service from Google. Please leave your name and number, blah, blah, blah, blah. And she told me when he did call her back, he was very rude and he tried to get her to hurry up and send the money. And I told her I was 100% confident this was a scam. And I advised her not to go through with it. And she was pretty unhappy. But she felt like it was still legit because she had pictures sent to her, not only of the puppy, but of the puppy in the shipping crate at the shipping company waiting for payment to be shipped. And like I said earlier, it's not like she was giving money to someone trying to sell dogs or from a puppy mill. It was a lady giving it away for free. And the money was for the shipping. And she just didn't see why a scammer would go to all this trouble. And she felt the pictures were authentic. And I started to save all the images.
I showed her how to do a reverse image search. And before she did it, I asked her if she agreed that if this wasn't a scam, those pictures wouldn't be all over the internet. She agreed, and they were all over the internet. Her heart sank and she didn't have any further rebuttals. And she knew it was a scam. I just saved her from losing at least $350. Not to mention that they probably would have asked for more later for shots and insurance and who knows how far this might have gotten. Okay, so here's a few of the red flags that I found. Excuse me. Seller wouldn't talk on the phone. Seller name didn't seem legitimate. Name of shipping company didn't match URL and email. Googling company name shows close match with legitimate company. Company website very poorly designed and implemented. Company has no social media presence. Email address of contact at company using generic email address, not a legit domain. Contact at company could only call her, and she was never able to make inbound calls. Phone number was a Google Voice number. Reverse image search proved photos unoriginal. Okay, and here's some of the SE stuff that the scammers were using in this particular instance. So it was listed as an adoption versus a sale because that alleviates your concern. Handed off to a second party to build legitimacy. Used cute puppy pictures to appeal to emotion and overrule suspicion. Counted on target not paying attention to detail. And the shipper established a sense of urgency. And she was thankful. I told her to be very careful when anyone from online ever asks her to send any money. And I told her, most likely this was probably one person the whole time. Hence why the person adopting out the dog couldn't talk on the phone. And they were probably not even in this country, as we know many of these scams aren't. And she did say that the shipper's English wasn't that great.
I also told her to make sure she shares this experience with all of her friends and family and not to be embarrassed. And I always feel the best way to handle someone getting caught in a scam is to be on their side and never shame them. I mean, we're all humans. We're all susceptible to social engineering, no matter how smart you think you are. And the best way to proceed is to empower them to share what they've learned. And I also sent her a link to an article about these very types of scams, and she sat there and she was shocked at how exactly similar it was to the experience that she had. And the funny thing is, a couple of weeks later I had another rider who was telling me all about the munchkin cat she was buying from online. And so I asked all the same questions and it was beat for beat the same exact story. And this time it was even more obvious, because not only were the pictures stolen from other sites, they were straight off shutterstock.com. And she even called the shippers to prove me wrong. And the guy said, oh, those are the other sites stealing our photos. I'm like, yeah, buddy, Shutterstock is stealing your photos. OK. So unfortunately, this particular passenger was already partway into the scam cycle. She'd already sent them some money. And I suspect when I mentioned how they'll be asking for more later for shots and insurance, the look she gave me probably means she was a lot deeper into the scam than she wanted to admit. So she got out. She didn't think I was right. And this is the sunk cost fallacy in action here. And a couple of days later she reported a lost item through the rider app so she could send me this text: You were right. They took me for $800. How much to send them a virus? And if my FBI agent is here, I did not do it. OK. So I know these last two stories have less to do with the actual rider aspect and more about SE awareness. But I just want to demonstrate that we can use our InfoSec and SE skills for good in random interactions.
I mean, I took a few minutes out of my day to show these people how to see the red flags that I see, how to do a reverse image search. And now they'll probably show everyone they know what they know. And these small acts from us can go a long way to make the world a little bit safer. And it's why you should never fire an employee that fails a phish or a pen test. That person is going to go on to be like the most vigilant after that experience. And they're going to tell everyone at the company what happened. And plus, stories about individuals are much more impactful than numbers. And I was listening to a podcast recently where the guest mentioned the power of framing and how there was this experiment where they were testing to see how framing affects how much people donate. And if you show a participant a picture of a single child, they donate X dollars. But if you show them the child with a sibling, it goes down. And a child with a sibling and parents, it goes down more. And a picture of a whole community, even less. It seems counterintuitive. Like logically, it's better to help the larger amount of people, right? Yes. But if you want people to care about a problem, framing is key. If you want the decision makers at your organization to care about your proposed security protocols, you have to tell them stories about individuals. I mean, just telling them how many hacks happen each year and slide decks with lots of numbers, it's obviously not working. You got to make it personal. You have to show them how it could happen to them. And even your friendly neighborhood rider or driver might be a hacker. You never know. Thank you very much.