SE for Introverts: A Proposed Handbook
2:54AM Jul 30, 2020
Welcome back to HOPE 2020. We've got a great session for you right now on social engineering with the incomparable Edward Miro. Hi Edward, how are you today? I'm doing wonderful. All right, great. So we're gonna go right into the video. Let's go ahead, first, take it away. Thank you.
Hello everyone. My name is Edward Miro and I'm here to present a talk called SE for Introverts: A Proposed Handbook. Thank you to HOPE 2020, 2600, all the organizers, and everyone behind the scenes making this happen. Thank you to everyone who's watching from home, and I hope everyone's being safe. I really love how our community has come together once again to make our cons virtual, and you gotta imagine there are so many people who, for whatever reason, might not have been able to fly out to New York or Vegas or wherever, who suddenly now have access to all this amazing content, and I just think it's important to recognize this beautiful thing that has grown out of these trying times. So I like telling stories in my talks, and I'm going to start this one by telling you about the time I stopped by our local FBI office. Okay. So, the first time I spoke at any hacker con was back in 2017, and it was at a local con here in Chico, California called NorCon. I did a talk that had nothing to do with social engineering, because I had seen Deviant Ollam's elevator hacking talk from DEF CON 22, and I wanted to also do a fun talk. So I picked vehicle-based surveillance, and not only did I rent a thermal imaging camera and do a ton of experiments in surveillance detection, but I also found our local FBI office and tried to interview them. So of course I flexed my muscles and Googled "Chico FBI," and it was pretty easy to get an address. So I drove by a few times, and I didn't notice any conspicuous signage, not that I had any frame of reference for what I was looking for. I went back on the weekend when the parking lot was empty and had a look around. I noticed there were a row of reserved parking spots. I also noticed that the front door had all the office tenants displayed. But something's not really right here: the reserved parking spots are for suite 203, but there's not a suite 203 on this window. The plot thickens.
So I go home, and the next few days I'm thinking about what to do next, and I decide I'm going to go into the building. My pretext, which was the reality of the situation, was that I'm an information security researcher gathering data, and I'm doing a talk on vehicle-based surveillance and, you know, I was there to interview them. I had a spiral-bound notebook and some pens; I wrote down some potential questions just in case they said yes. I wasn't sure if they would talk to me or not. It's not like I was asking for secrets or sensitive intel. My goal, if they said yes, was to ask them about the lighter side of vehicle-based surveillance: does it get boring, do any funny things happen, what's an embarrassing way you blew your cover once. I also gave myself the option to bail at the last minute. That means I could get up to the outside of their door, ready to knock, and still be okay with pretending to be lost and leaving, which is just good, solid advice for many situations in life. When I was in my early 20s, I met a man of dubious repute, and he always used to say, never pull the job if you're too invested in the score. You have to be able to think logically and walk away if things aren't right. He always used to say the best criminals are the ones that don't need the money, and although I'm not in the crime business, that sentiment always stuck with me, and it supports honoring reason, which we will talk about when I talk about the Code of Trust. Anyways, so I go, I'm in the lobby, and I get this positive confirmation right here that I'm in the right place. I head upstairs and there it is. I walk right up to the intercom and push the button, and the most confused field agent says hello. And I explain who I am and why I'm there. And of course he just refers me to the PR person at the Sacramento field office, and I ask if I could take a few pictures, and he said, I guess so.
I really hope that at FBI hangouts or conferences those guys tell the story of the wild hacker that just decided to come knock on their door and presume to interview them. And of course they denied my request for an interview. A spooky thing that happened at the con that I gave this talk at was, after my particular talk, I was hanging out with a few guys from the local hacker scene, and this guy joins our group, and he's totally dressed like a dad, very normal. He leans in and says, hey Edward, I liked your talk, you should have reached out to me, and I'm like, who are you? And he started telling me about how he knew all the local field guys, and then the main conversation kind of picked back up, and I never did finish talking to him or ever even see him again at that event or any future hacker events in our area. Very spooky.
Okay. So most talks in the social engineering realm tend to be mostly on the technical side. Excuse me, but my talks are generally a little bit different than most. Rest assured, I will not be walking you through how to use GoPhish or SET; there's already great content for that, and even though I teach cybersecurity as my job, I still see myself as more of an infosec philosopher or academic versus any kind of high-level technical expert. And I find myself looking at things just a little bit differently than most in our space. A problem that I not only have a different viewpoint on but also a profound understanding of is being an introvert who really wants to be all they can be. But if you're in that boat and come to that conclusion, you are now gifted with the following paradox: communication and social skills are a major requirement for being all you can be, but also look at how the current state of communication lately has become so fragmented and in some ways completely devolved. And this is due to many factors, not the least of which is how we've incorporated technology into that equation. I mean, it's so bad that having these skills, even in a rudimentary fashion, can be a major advantage. And having the level of skill of someone like Alethe Denis, that's like having a superpower. Now, I was, I am a nerdy, shy kid. Even though I'm 40 and I'm very comfortable with public speaking, that shy kid is still at my core. I'm an introvert by nature, but atypically for many of us, and very luckily I think, I was also aware that socialization was not only something I wasn't good at, but an obvious advantage, so I focused on it, I learned about it. I am, to that end, very passionate about the way humans interact, and throughout my study of social engineering, leadership, and professional development, I also noticed something about most of the literature in these areas.
They all presume the reader or student has at least a minimum level of comfort and ability with communication and socialization. Well, in the IT world that I live, work, and teach in, most of us are introverts. So if the main demographic of your audience doesn't even have those baseline abilities, a majority of the techniques taught are far from actionable. My current project, the Open Source Social Engineering Education Course, aka OSSEEC, attempts to address this and takes everything I've learned over my career and attempts to disseminate it to our community. So many talks express how important it is through your career to develop these skill sets, and my project's and this talk's goal is to attempt to provide a solution to this conundrum. In the following presentation I'll be walking you through my framework for learning about and being enabled to apply social engineering, even as an introvert. And, as a note here before we move on, I have, since starting this journey, revised that initial premise a little bit. I have found through developing this content and digging so much deeper into these books than I had ever done previously that not only was I wrong in assuming I was onto something new, but in the case of people like Robin Dreeke and Chris Hadnagy and so many others in the SE world, this is precisely what everyone else is looking at too. Okay. So I went to tech school back in 2001. I was hired before I graduated with EarthLink, and my first job was dial-up tech support. For the past 20 years I've worked in tech support, help desk, ISPs, MSPs, and I've spent many recent years as a freelancer. I got into security about seven years ago; I did my first talk at a local hacker con a few years in. I've written countless blog posts about infosec, I did a podcast, even presented a talk at the SE Village last summer at DEF CON. And now I teach cybersecurity classes at Butte College here in Northern California. I also stream sometimes, and I do talks.
Alright. So like most in the world of infosec, I am pretty good at most things, I'm bad at a few things, and I have my personal specialties. I really like physical security and physical penetration. I'm not the world's best lock picker, but it's up there for me, at least as far as personal enjoyment goes. I'm pretty bad at programming, and I really only know enough to read it, and beyond basic scripting I've really got nothing. And I don't really enjoy it.
Social engineering, however, is my favorite discipline in our world, and even from the beginning I recognized the massive importance of not only understanding how to detect and prevent an SE attack, but also the sheer power in possessing these skills, so I've read just about all the books. And like most of you, I'm a huge nerd and I love digging deep and figuring out why or how a thing works, and SE has been that area of obsession for me. And while I've read just about every book I can get my hands on, I absolutely do not claim to know it all, and if you ever come across someone who does claim to know everything, huge red flag. In fact, the more I've learned about SE or information security in general, the more I realized just how little I actually know compared to what's out there, but I'm sure you get what I'm saying. But to make a more concise point: from my perspective, SE isn't given the respect it deserves. I think it doesn't have the reputation it deserves. And I think its potential for positive self-transformation is highly unknown outside a small number in the field. But here's something a little more quantitative. So Verizon did a study last year and found that over 90% of breaches had phishing as a factor. So from my perspective, social engineering is being used to unbounded success, but a lot of the cybersecurity education out there could be doing a better job with awareness. I mean, even in the class I taught last semester for Security+, the $250 textbook that was required only spends eight pages on social engineering, and two of those pages are on spam, which, I guess, but it's not very informative. So I personally supplement, and at least the students who I get will be better prepared, that's my hope at least. Another side note: I have since removed that expensive textbook from my class, and now I offer my classes as no-cost/low-cost and use all open educational resources.
As far as reputation goes, I feel like it gets downgraded by more technical hackers as something unsophisticated or not real hacking. Not that, based on the data, their opinion really matters that much. I mean, someone owned through SE is no less owned than if you used a more technical vector; owned is owned. And if you really think about it, it makes sense: if you'll just give me your password, or run my payload for me, or I can be standing in your server room, that's the path of least resistance. It's more efficient, it's clearly effective. Part of me thinks it's because women have become the leaders in this field and are naturally amazing at SE, and I think there are a lot of misogynistic gatekeepers out there and they just really can't handle that.
Okay. And as I alluded to earlier, the study of social engineering has the potential to positively transform a person's life. Here's how I figured that out. So when I was in college, I was lucky enough to have been late to register one of my first semesters, and one of the only classes open was public speaking, so I took it. That teacher was also a theater director, and he encouraged me to do a play. The next few semesters I took about a half dozen communications and theater classes and even did a few plays. This led me to joining student government, and I was even ASB president one year. I got to attend many leadership conferences, I got very comfortable with interpersonal communications and public speaking, and having this incredibly fortunate series of experiences has paid off in dividends to this day. So going from being an IT tech vet with my own special kind of random academic variance, then getting into security, it's probably super obvious in hindsight that I'd be interested in social engineering. I mean, I took to it like a natural. I'm comfortable being uncomfortable, I don't get stage fright, I can improvise, and I'm pretty confident. And I also have a few other bits of trivia that help me a ton too. Before college I did telemarketing for two years, so vishing, that's my jam. And I was also that weirdo who kept taking classes part time, and I took special interest in religious studies, philosophy, theater, as I mentioned, and also, and most importantly to me, anthropology. Humans fascinate me. So flash back to what I mentioned earlier about most of us in IT being introverts. I mean, I'm in that camp. I do still consider myself an introvert; I'm just one that, through extensive exposure therapy, has learned to flip a switch and turn on extraversion when needed. Spoilers: many people in this field, very prominent speakers, social engineers, experts, they've all told me that they have to turn it on and turn it off as well.
And you know, I can't sustain it forever, and sometimes it comes with a refractory period, and I believe most other introverts can learn this too. I don't see myself as being inherently special; I'm just lucky and privileged and was able to experience what I did, when I did, in the way I did. Okay, so I'm getting into security, I'm writing blogs, I'm doing podcasts, I'm doing YouTube videos, and not just about SE but technical topics too, and then I have this friend in real life who mentioned they want to learn how to be a social engineer. So, me being all gung ho and confident, I say yeah, let's do this, I can teach you. So I start conceptualizing my open source class, and I have my first problem that needs to be solved. Not everyone has the same experiences I've had or this crazy random aggregate skill set. I have to find a way to distill down what is important to teach students and then find a way for them to practice and reinforce these lessons. Sure, many people can grab one of Chris's books and go nuts, but with my friend and so many more, learning how to create a pretext or how tailgating works isn't going to be some silver bullet that gets them everything they need to be successful. And maybe it can give them the knowledge and awareness needed to defend against an SE attack, but they still need those basic communication and socialization skills if they want to communicate what they know to their team or organization. And I know there are amazing classes and workshops you can do, and they do address many of my concerns here and mentor the students, but not everyone can afford one of those seminars, and I'm just doing my part to make sure there's one less barrier for others. The infosec community literally gave me everything I have now, and my priority is to give back. So I sat down and came up with my solution. It's not perfect, but it's something. OSSEEC is a guided self-study program where I ask students to read three books with me.
I break each of the books down into lessons and spread it out over 15 weeks, so you read just a few chapters per week, and I do a short, usually 10-minute-ish lesson where I discuss the main points, offer reflection on something to think about more, and an exercise for you to do to reinforce what you've learned. I've started describing it as a highly structured SE book club with homework. And in the next slides I'll be laying out those three books in detail and hopefully doing a good job selling you on why I think they are important.
Okay. How to Win Friends and Influence People by Dale Carnegie, first published in 1937; it's on all the lists of the best-selling books of all time. This is the first text we go through in OSSEEC. Yes, this book is very dated, and yes, it's used as sales training, and yes, I still have to debate its relevance with people on Twitter. But when you really break it down, there's a reason this book is the go-to recommendation for learning these baseline skills. And despite the off-putting name, it's actually not about being fake or conning people. What you learn is that being an effective socializer or social engineer isn't about tricks or cons. The secret is to become the kind of person that people will like, treat them well, and basically how to not be a jerk in the way you communicate, lead, or deal with other humans. I mean, here's Carnegie's advice on handling people, the fundamental techniques in handling people: don't criticize, condemn, or complain. My grandpa was like this; if he didn't have something positive to say, he'd say nothing, and he was legendarily well respected. Give honest and sincere appreciation, emphasis on honest. Arouse in the other person an eager want. Not what you want, what they want, which requires you to focus on them, not you. And here's his advice on making people like you, six ways to make people like you: become genuinely interested in other people. Smile. Remember that a person's name is to that person the sweetest and most important sound in any language. Be a good listener. Talk in terms of the other person's interests. Make the other person feel important, and do it sincerely. Yeah, I can totally see why this is so hated, right? It's so greasy. No, I mean, honestly, it's not super shocking advice here.
This is basic stuff, but for some reason it's so hard for us. It's so simple and so obvious, so why is this so revolutionary? But it really is; this stuff really does work, and this book makes up the foundation of everything else in my class, and even if you think it's cliché or lame to recommend, you might change your mind after I get into book two, The Code of Trust by Robin Dreeke. If you're already into the social engineering world, the name Robin Dreeke will be one you already know well. For the rest of us, Robin started as a Marine; he later joined the FBI and ended up the head of the FBI's elite Counterintelligence Behavioral Analysis Program. He's the real deal, and his application of social engineering, even though he didn't define it as such in those days, was a life-and-death proposition. It had to be effective. It had to work. And his book doesn't bury the lede; he spells the code out in great detail. Even in my class I can only touch the tip of the iceberg of information that Robin packs into this book, but it all boils down to the code, which is: suspend your ego. It's not about you, it's about others. Be nonjudgmental. Have empathy; try to understand and put yourself in their shoes. Validate others. This doesn't mean you have to approve of them. Honor reason. Emotions are great, but we have to root ourselves in what is true and also be able to admit when we don't know something. Be generous. So humans are a cooperative species; our strength truly comes from reciprocal altruism. So like Carnegie, these principles are really easy to comprehend, but they're really challenging to actually do. And also like Carnegie, you just can't fake it or pretend; the code doesn't work unless it's authentic. So again, my assertion that social engineering has a dirty connotation: it's debatable, in that the world's best and most successful social engineers don't utilize these tools in a way that is at least inherently immoral or unethical.
Yes, if we are doing a pen test, we are trying to get people to tell us things they shouldn't and allow us access to areas we don't belong, but like I learned long ago from listening to Chris on the social-engineer.org podcast, if we can conduct ourselves as social engineers in a way that leaves people feeling better for having interacted with us, then that's preferable. And speaking of Chris, now we move on to book three, Social Engineering: The Science of Human Hacking by Chris Hadnagy. This book ties everything together perfectly. Finally we get into the real social engineering, we learn the techniques, the tools, and we can finally take everything we've learned in the first two books and have a really deep understanding of how and why they work. Basically, to me, that's the difference between a script kiddie and a real hacker. I mean, anyone can run a tool or use a script, but when you actually know how things work, that's when you can transcend to the next level.
And the way Chris approaches social engineering has also influenced my own perspective in so many major ways. He won't use fear or intimidation when doing a test unless specifically requested by the client. Doing so may work in the short term, but imagine what you're making that employee go through. And if you can't succeed as a social engineer without leaving a trail of bodies, you may want to think about another career. Will it work? Absolutely. Will that company ever hire you again? Probably not. He also tries to ensure employees who fall for a phish or physical test don't get fired or punished. I mean, this is something I completely agree with, and it leads into a big point I was trying to make when speaking about social engineering, which is we've got to stop with the idea that only idiots or dumb people fall for phishing emails or social engineering. Firstly, because it's 100% wrong; social engineering is human brain exploitation, and unless you don't have one of those, even you are vulnerable. Some of the smartest and best minds in our field have been victims, and even the most vigilant have weaknesses. I mean, you might make a mistake by accident. Who knows? If it can happen to the best, it can happen to you. Secondly, because if you talk to your users and they actually trust you, you'll find out that most users don't like IT. We act annoyed when they need us, and we make them feel stupid, we don't explain things in ways they understand, and we talk down to them. If your users know you think only idiots fall for phishing, how likely would you imagine they are to disclose incidents? Yeah, probably zero. And it's probably not even their fault; I mean, most companies aren't doing the kind of ongoing security awareness training that's really needed. So some of you might have already been hacked and maybe the user didn't even have the awareness to detect it. Or maybe they knew only dumb people would fall for that, and they're not gonna tell anybody.
Or if they know they're likely to get fired for being a human being, I'm sure they'll be lining up to admit that something happened. And I know this is getting better, but it's a drum I'm going to keep beating until we all get there.
Okay, one last story.
So before I close up my talk, I just want to tell another story that happened to me. Well, this is actually two stories with different endings, but it shows a different side of this coin. It's fun to help someone avoid a scam, and it shows how you can use what you learn to directly help people in your life. So I was driving with a client when she asked me offhandedly if I'd ever sent a MoneyGram before. I told her I had, and I asked curiously why she wanted to know. See, I'm using the code and focusing on her; I'm redirecting the conversation back to her and I'm actively listening. She explained that she was very excited to be adopting a puppy from online, and she needed to send $350 to the service that ships pets across the country. And this immediately caused my hacker sense to start tingling, so I probed a bit more about the transaction. I asked if she had spoken to the seller on the phone, and she said she hadn't. I said that seemed weird, but she assured me that the seller said it had to do with her religion. I'm not claiming to be an expert, but I wasn't aware of any religious prohibitions on speaking on the phone that also allowed using Craigslist. I mean, I took a ton of religious studies classes, but okay. I told her that seemed a bit fishy to me, and she asserted that she thought it did too at first, but she knew it was legit because she wasn't sending the money to the seller. It was being sent to a third-party pet transportation company that the seller had arranged to contact her. She even showed me the website of the company on her cell phone, which, to be blunt, to my eyes looked extremely janky, and I totally get the sentiment that these things are easy to spot, but they're only easy to spot to us. To a normal user, they don't have the framing necessary to spot the details that jump out at us. But I digress. So I asked her if we could sit a few minutes and take a look at a few details before she sends anyone any money.
She agreed, but really, really wanted this puppy. And I think I could see her amygdala glowing. The first thing I asked to look at was the emails back and forth from the seller. I checked Google and all the other major social media sites for the seller's name: no matches. Couldn't Google the seller's email address due to the Craigslist email relay system. This in and of itself might be okay; I mean, we all use pseudonyms online sometimes, and on a Craigslist site you might not want to use your real name. Fine. She then showed me the email thread with the shipping company. So the first strange thing I noticed from the emails was the link to the shipping company. The name didn't really match the URL on the link, and you'd think a business would be able to get their own name right. I also saw that if you Googled the name given by the shipper, it's extremely similar to a legitimate pet shipping company, and indeed that legit company comes up as the first site due to Google fixing our query. So when you go over to the link in the email, however, the site itself was pretty terrible, but not to my client, who is not as seasoned as I am at catching these kinds of scams. So I showed her that the company didn't have any social media presence at all. No Facebook, Twitter, anything. Also, the email address that was contacting her was really long: company name at outlook.com.
So she also told me that she had spoken to the shippers on the phone, and I asked if she still had their number. She did, but she told me she could never get through when she called them and they'd always have to call her back. I asked for the number and called it on my phone; of course, it was a Google Voice number. Not only that, it was set to the screening mode. You know, the one where it says, hi, the person you're calling is using a screening service from Google and will get a copy of this conversation, go ahead and say your name and why you're calling. She also told me when he did call her back he was rude and tried to get her to hurry up and send the money. I told her I was 100% confident this was a scam, and I advised her not to go through with the deal. Of course, at this point she was extremely unhappy but felt it was still a legitimate transaction because she had had pictures sent to her of not only the puppy, but of the puppy in the shipping crate at the shipping company, waiting for payment to be shipped. She explained that it's not like it was a person trying to sell dogs, or from a puppy mill; it was a lady giving it away for free and the money was for the shipping. She just didn't see why a scammer would go to the trouble of doing that, and felt the pictures were authentic. So I asked her to save all the images to her device, and then I showed her how to do reverse image searches. But before she did them, I asked if she agreed that if this wasn't a scam, those pictures wouldn't exist anywhere else on the internet. She agreed, and each of the pictures was found at least nine other places online. Her heart sank, and she didn't really have any further rebuttals to my concerns. She knew it was a scam, and I just saved her from losing at least $350, not to mention that the scammer would have also asked for more money later for shots and insurance and who knows how far they might have gone. Okay, so here are the main red flags: the seller wouldn't talk on the phone.
The seller's name didn't seem legitimate. The name of the shipping company didn't match the URL and email. Googling the company name shows a close match with a legitimate company. The company website was very poorly designed and implemented. The company has no social media presence. The email address of the contact at that company used a generic email address and not a legit domain. The contact at the company could only call her, and she was never able to make inbound calls. The phone number of the company was a Google Voice number. Reverse image searches show the proof photos were unoriginal. And here are some of the tactics that were used by the scammers in this to make it more successful: listed as an adoption versus a sale to alleviate concern; handed off to a second party to build legitimacy; uses cute puppy pictures to appeal to emotion and overrule suspicion; counted on the target not paying attention to detail; the shipper established a sense of urgency. So she was thankful, and I told her to be very careful when anyone from online ever asks her to send money. I told her that in all likelihood this was probably one person the whole time, hence why the person adopting out the dog couldn't talk on the phone. Yeah, they were also probably not even in this country, as we know many of these scams aren't; she did say that the shipper's English wasn't good. I also told her to make sure she shares this experience with all her friends and family and not to be embarrassed. I always feel the best way to handle someone getting caught in a scam is to be on their side and never shame them. We are all susceptible to scams and social engineering, and the best way to proceed is to empower them to share what they've learned. I mean, I also sent her a link to an article on the Better Business Bureau site about how these types of scams work, and she was shocked at how similar the experience was to the one in the article.
I mean, I didn't just tell her something and expect her to trust me. I explained why I felt the way I did, and I showed her exactly how to see what I saw and to come to the same conclusions I had, but on her own. So using my knowledge of SE not only enabled me to help my client, but I was also able to influence her understanding in a way that empowered her to pay it forward and keep sharing the knowledge. And I bet she's the scam expert now in her circle and shows everyone how to do reverse image searches. Now the funny, the really funny thing is, a couple of weeks later I met another person that started telling me about the Munchkin cat she was buying from online. So I asked her all the same questions, and it was beat for beat the same story. This time it was even more obvious, because not only were the pictures stolen from other sites, but they were straight off shutterstock.com, and she even called the shippers on speakerphone to prove me wrong, and the guy who answered said, oh, those are the other sites stealing our photos. I was like, yeah, but Shutterstock is stealing photos from pet shipping companies, right?
Unfortunately, this particular person was already partway into the scam cycle and had already sent them at least the beginning money. I suspect when I mentioned how they'll be asking for more for shots and insurance, the look she gave me probably meant she's further into the scam than she wanted to admit; she got out, you know, I think I was right. And this is the sunk cost fallacy, aka the consistency principle, at work here. Well, a couple days later she reported, you know, and she sent me a text message.
You're right. They took me for $800, how much to send them a virus.
So I think it's super obvious that I'm passionate about this stuff, and as someone who's been charged with educating the next gen of IT or security folks, I take my responsibility seriously. I mean, I don't, I don't just preach this stuff, I live it. I don't do SE for money or external validation. I do it specifically to take what I've learned and what has helped me so much in the past and give it back to the community, and contribute that to the knowledge base that has given me so much over the past 20 years. In fact, I'm on record that if any of my side projects or my Twitch channel or YouTube ever make any money, 100% of that goes to the Innocent Lives Foundation. If you don't know, the Innocent Lives Foundation is made up of information security rock stars that use open source intelligence and social engineering to unmask child predators and human traffickers for prosecution by law enforcement. So they're the real heroes, and if you want to support me, my projects or my message, then I would direct you to support the ILF. So that's the hat I'm throwing into the ring. Social engineering is a fascinating field of study, and I think by building the right foundation we can not only make our learning more efficient and have higher retention, but can also make the knowledge more actionable. SE has also been a catalyst in my life for my own personal growth, and my mission is to share this with our community. So check out OC, read these books with me, and let's go on this journey together. And finally, I want to express how much I appreciate you all for listening to me today. Check out my sites listed here, and if you have any questions or comments please feel free to contact me anytime. Thank you again.
Welcome back. Thanks for joining us here at HOPE 2020. We're here with Edward Miro, who has just spoken to us about social engineering. Edward Miro, hi, how are you doing tonight?
I'm doing great. How's it going over there?
All right, very good. Well, we have a couple of questions for you. If you're ready to take them, we'll go ahead and get them ready for you.
I'll do my best.
What are some of your favorite or least favorite depictions of social engineering in movies or other media?
That's really tough because, you know, as you learn more about social engineering and you start to pay attention, even the campiest of hacker movies will have depictions of social engineering, and usually phishing. So I mean, I like seeing that even in the movie Hackers there's some phishing going on, you know, with the cable company, and, you know, some of my favorite movies that have social engineering would be, you know, the classics, right, like WarGames and Sneakers. Obviously, like, seeing those kinds of movies and seeing what can be done with social engineering is just one of the things that's always kind of stirred my interest in social engineering and kind of driven my own personal passion and study into the subject.
It's very fascinating. For introverts, do you think learning the social skills should come first, or learning social engineering?
That's, that's a really great question, and, like, I think that's the underlying issue that I'm trying to solve with my open source social engineering education courses. There's a lot of great technical content out there about social engineering: how to create a pretext, you know, how dumpster diving works, you know, how to tailgate, how to do a phishing call, how to create a phishing email or your credential harvesting. But the way I look at it, and you know, like I talked about in the talk, so this may be a rehash of some of the stuff that I spoke about, but you know, a lot of these, you know, skill sets may be not as actionable to someone if they lack the confidence that comes with being, you know, really good at socialization and, you know, learning those social skills. So, I mean, I know a lot of people don't like Dale Carnegie's How to Win Friends and Influence People. I mean, it gets used as sales training, it's, it's really dated, and you know, it's, it's one of those books that's kind of controversial, but it does teach those basic skills that a lot of us who are in technology, in IT, who are introverts, we really need to be able to practice those things, build that really good foundation. And, you know, then, then I would say start to learn social engineering skills, once you're able to use them. I mean, yes, it would be good for someone who's an introvert to learn about social engineering for an awareness component, to be able to detect social engineering attacks and be able to protect their organization. But they still need social skills to be able to communicate that to their team or to the organization, so yeah, I see having social skills as being foundational before you get into social engineering on a higher level.
I agree. When I read the book, when I was 13, that really changed my life and perspective, and, you know, those lessons, like when you walk up to a person and say, hey, what's your name? You know, it just totally changed the dynamic. Really excellent. All right. Our next question. Any tips for getting better at dealing with people's names? Despite years of customer service experience, people's names go in one ear and out the other almost immediately after meeting them.
Yeah, I'm the kind of person who, I have a really strong visual memory, so, like, just meeting you tonight on Zoom, getting to know you for the past 40 minutes, like, if I come across you in the real world I'm gonna remember you. I may not remember that your name is JP, but I'm gonna remember your face. So learning names is something that's always been really hard for me. And it's just like you said, you know, Carnegie, he teaches that you should use a person's name, it's very important. You know, when you meet someone, you know, try to use their name a couple of times, try to really pay attention and practice active listening. Like, one thing that I want to comment on, just to kind of, you know, stretch out the answer here a little bit, is, you know, books like How to Win Friends and Influence People, they're, they're used as sales training, so they've gotten a really dirty connotation, and the way that those skill sets are applied, you know, in sales and by people who are less than ethical, have really tainted, I think, what Carnegie was trying to get across to us. And I'm a real advocate for that book and for books that are derivative of that, because he's really teaching us things like using people's names, making eye contact, you know, actually paying attention, you know, being an active listener. And the thing is, like, it sounds really scammy, and, like, it sounds dirty to people, it sounds like techniques that you're using, but it doesn't work unless it's sincere. Like, if I pay attention to someone, if I'm redirecting the conversation and if I'm practicing, practicing active listening and I'm focusing on the other person, it would, it would cause an incongruence in that other person subconsciously if I didn't mean that sincerely. So I think a lot of people think that these books enable people with mal intent to do bad things, and of course they do, any tool can be used for good or bad, but I mean, predominantly these techniques, especially the way that Robin Dreeke teaches it and The Code of Trust, they, they don't work unless they're sincere. So I don't know. Yeah, hopefully that answers your question.
One of my favorite things is how Dale Carnegie talks about allowing people to save face, and, you know, I think that's such an important lesson, because if you don't allow somebody to save face, then they become defensive.
So yeah, like, I use that all the time. Like, my day job is a community college teacher, so I teach Security+ classes, I teach Network+, I teach all these, you know, classes that lead to getting certifications, and I have a lot of introverted students. And, you know, if I, you know, made them feel stupid for asking the same questions that every single one of us had when we first started learning about technology, you know, we get to be like us who have been in the field for 20 years plus, and we get really sick of noobs and we get really, we get really sick of, like, the stupid questions, but you can't put yourself back in the shoes of the other person. I think you're doing a lot more harm than good, and, like, the way that I use the things that Carnegie teaches, even with my students, I think enables them to learn on a whole other level, because they can feel safe and, you know, I can allow them to save face if they make a stupid comment or come up with a stupid idea. I can just redirect that into a different way, you know, that enables them to come to the right conclusion on their own. And that's just much more instructive.
It can be very humiliating when you're picked on by the teacher in front of the whole classroom, so that's a very nice difference. I have another question for you. What is your favorite social engineering story that you did, without naming any names or protecting the... who knows what?
I can, I can tell you about the last one. I was hired by a company here locally to do a security assessment, and obviously, being someone who's mostly interested in social engineering and physical security, you know, I'm mostly focused on that. So I'm doing physical penetration and I'm also doing SE campaigns, so I did a phishing campaign. And, you know, the company that I was hired by, they were a tech incubator, so, you know, you'd think that these are going to be high-level users, they're going to be up on cybersecurity, and I got one of the C-level people, you know, clicked on my phish. And not only did it on her cell phone, I could see, because I was just logging some basic stuff using PHP, you know, the IP address, the browser headers and stuff, and I saw that it was the same person that not only did she use her cell phone on the mobile network, but when she got home she also checked out the same link. And, you know, it's just the basic, like, "Amazon, you missed your shipment, please click here to update," and, you know, you hear this sentiment in the world of technology that, you know, we're not going to fall for these things, social engineering is stupid, it doesn't really work in the real world, like, only dumb people fall for social engineering. And that's just not true. Like, every one of us could fall for a phishing email. I mean, some of the best social engineers in the world, like Chris Hadnagy, have fallen for phishing emails. It could just be the, you know, the wrong time, the wrong place, you might make a mistake. So I think that's always a very important point to take away. It's like, yeah, I probably wouldn't go around telling everybody else, you know, only stupid people fall for these things, because it would be really embarrassing to fall for one yourself, and you will.
The history of security has been rife with very smart people falling for silly, silly things. Okay. So what's next for you? What's, what's your game plan?
Ah, well, I'm teaching Security+ and Network+ this next semester that's coming up at Butte College, and, you know, I'm not sure. Like, this talk has been something that's been in the works for a very long time, and I'm really proud to have been able to present it at HOPE 2020. I don't know, I'm not sure, I'm not sure where I want to go next. I've been working with a partner that I met through Twitter, and we're thinking about starting a virtual, like, I don't know if we're going to call it a con or we're going to call it an event, but I did a similar thing for my students at the end of the last semester where we did a mini con. I wanted them to kind of experience the hacker world and, you know, what it's like, and, you know, now we're all locked down, so it's really easy to do something virtually. So I have my Twitch channel, I got a bunch of really cool speakers, I got people from the social engineering world, I got Billy Boatright and I got Shane McCombs from the Innocent Lives Foundation, I got a lot of really cool people to come speak. And my friend and I want to do that, or we're thinking about doing it in September. We're not sure, we think we're going to call it Intel Talks, but we're going to set up an event where no one's allowed to submit to speak who's done a talk already, so it's noobs only, and what we're going to do is we're going to have a panel of speakers who have done a bunch of talks to give them really good feedback. So I don't know, I've been speaking a while, I did a talk at DEF CON last year in the SE Village. I love public speaking, and it's done a lot for my career, and I kind of, you know, not only the things I've learned about social engineering but just leadership and public speaking, these are the kind of things that I really try to drill into my students. And, you know, we're going to set up our own event and we're going to try to get new speakers who are interested in seeing what it's like.
And, yeah, just trying to encourage people to go to the next level and, you know, erase, like, a barrier for some people, you know, try to lower the gates and say, look, anyone can do this. We all suck the first time, so just jump in and do it, you know, you know, the water's fine, jump in. It's great.
That's wonderful. That sounds like a great plan. So I think we're... Here's another question for you. Very interesting. "You were right, they took me for $800, how much to send them a virus?" Did you end up sending them a virus, or did you follow up with something else?
No, I, you know, of course, I would never send someone a virus, obviously, and if my FBI guy's listening, I promise I didn't do it. No, no, I didn't. Like, I just thought it was really funny, because the second, the second person in that story, she was just so sure. She had bought into the scam early on, she'd already invested the first initial money, and then that consistency principle kind of keeps people locked into these things to where they get tunnel vision. They've already invested a lot of money, and a lot of times with these pet scams, not only are they, you know, paying the amount for the pet, but they also get hit up for, oh, I need an extra hundred dollars for insurance, or now I need an extra hundred dollars for shots, and since they've got you hooked with a big fat amount in the beginning, like, people are so unwilling to admit that they've been scammed or to pull out of the, you know, the initial investment. So she was just like, no, you're wrong, you're wrong, you're wrong, and I just thought that was so funny when I got that text message, and I was just like, yeah, I mean, these people are probably in another country, they're probably behind a VPN, like, there's nothing you can do. That's why they do the scams that they do. I'm really sorry, tell all your friends and family what happened, don't be embarrassed. And, you know, that's another thing I'm really big about, is, like, don't be, don't be embarrassed. Like, this happens to a lot of people, it probably happens to so many people that we don't know about because people are too embarrassed to admit that it's happening, so we probably don't even know at what scale these scams are happening. But I think people need to start, you know, being more open about it, talking about it, and that way people that aren't aware of the types of vectors that are out there can start to see them. Yeah.
Hopefully, a good education and exposure for all the infosec risks that people see in the virtual world and also with social engineering. Edward, on behalf of all the attendees and all the volunteers here at HOPE 2020, I really want to thank you very much for sharing your talk on social engineering. It was very well received and we had some great questions. Thank you, sir.
Yeah, thank you so much. I really appreciate this.
All right, thank you. And we're going to go ahead to some bumps right now. Please take it away for us.
Oh, I just made a giant masterpiece for the greatest portable newspaper nerds.
Hey, HOPE 2020. Good to see ya. It's me. You may remember me from The Media Show, or you may remember me from when I was born at HOPE in 2008. At The Media Show we always tried to bring HOPE to a wider audience, whether that be Greg Conti's talk on evil interfaces, what we learned about how hackers find passwords, or just when Mitch Altman and Emmanuel Goldstein taught us about what it meant to be a hacker. So now I want to introduce you to my new baby brother. No, no, not you, no, what I mean is my new spiritual baby brother: the book Keep Calm and Log On, which is also made by Gus Andrews, like The Media Show. Keep Calm and Log On is an attempt to take everything we've learned at HOPE and take it to a wider audience, in this case older members of your family who may be having a really hard time with their digital security, their digital privacy, dealing with stress online or handling disinformation. So if you'd like to pick up a copy of Keep Calm and Log On, you can go to keepcalmlogon.com. That's the book's companion website, and it also has a lot of free information about how people can defend their privacy and security. Thanks so much for your support, everyone. Thanks, guys.
Greetings from Philadelphia. This is Bernie S, and this is my botnet server of 50,000 honey bee bots in my backyard. Sweet.
How you doing, girls?
Like the paper? Check out