Thanks for you guys showing up. I mentioned hacker striptease on Twitter and I got a good crowd, and it's like, next time I want to be offering cookies, so we'll see how that works out. I do have to apologize. So the good thing is I'm going to be disappointing a lot less people. The program said there was a demo, and unfortunately, as you can tell by the certifications, this is not a technical talk, so sorry about that.
I did listen to the Security Justice podcast. You know, good podcast, who actually mentioned you should be doing magic tricks for social engineering. So I need a volunteer. I need help. Who's got a challenge coin? Who here's got a challenge coin? Okay, I was trying to spot the Fed, thank you. Not just any kind of coin will do. I need a quarter. It's like a gold piece.
I need someone to help me out here. I mean, I'm already suffering enough here. Please, someone. Okay, here we go, here we go. Great, gentleman. Here everybody was digging for money. I would have said, like, oh yeah, that will happen. Slot machines, okay. But what I was going to say is I'm gonna do this trick. I need silence. I don't know. This gentleman, okay, wait for it, my four year old loves this. Come on, see, I'm working with what I got and it's not much. Okay, help me out here. Sheesh, man, yeah, you'll get that back now, right? You really want that one. So here, what we're gonna do is, since obviously we're having a little problem here, I dunno, another trick that might help is Penn Jillette. It's like when I was doing research on the book and stuff. You know, I've actually met him doing the show at the Rio, and he does this thing called predictive analysis, where he actually gets a readout on the crowd and then he calls someone up and he's actually able to tell them what they had for dinner last night. He was at 85-94% because of the people, you know, geographically.
You know, there's not many choices around here. Hacker conferences can be easier because it's probably pizza, but it's like, I'm gonna try to do that show and I'm gonna try to see what I can do and see if I can make it work. So let's start with the general read of the audience. Okay, here, who here is married? Raise your hand. Okay, wow, that's a good success rate for geeks, yay, okay. So who here has children? Raise your hand. Wow, and we're spreading. Awesome, okay. Now another good question is: who here has bought a car off a car lot, not off Craigslist, not eBay, not found in an alley? It's like, okay, that's a little bit less. Okay, I'm trying to read everybody. Okay, who here has shopped at a grocery store, not Walmart, like an actual grocery store? Okay, wow, Walmart's not totally taking over. That's good. Okay, now, awesome, let's go to another one. Let's go and ask one last one. The last one is like: who here has bought something off the internet? Raise your hand. Dude, you're not even playing. Okay, come on, if you haven't bought something off the internet, you're not playing. Okay, it's like I need cooperation from everybody. Okay, thanks a lot for that. Okay, so now I need one volunteer who doesn't mind being a victim, I mean a contestant, on this little competition, so for this little trick thing. So what I'm going to do is I'm going to ask you five questions. These questions deal with dietary, social, psychological, geographical, and how old you are, your age, okay, genealogical, I don't know that really well, not that educated. So here we go. So with these five questions I'm going to guess what you had for dinner. Now, if I can guess what you had for dinner, guess what? I win. It's like, and you owe me a drink. No, not really.
It's like, if I lose and I can't tell what you had for dinner, I will give you a nice little hacker sticker set later after the talk, because I forgot, because I was still working on my slides for some reason, and I blame, you know, several parties last night. So what I'm gonna do is, like, I'll have the stickers for you if I lose. Okay, so let's go in. Everybody raise your hand if you have a spouse, specifically because of the sociological questions. If you have a spouse and you want to volunteer, raise your hand. Okay, you, right there, because you're cute. Yes, right there. Oh, come on here. Not that you weren't too, sir, I'm just saying. There we go. Yeah, you got to come up here. Come up here. What's your name? Mars? Okay, Marissa. Your first Def Con? Yeah, obviously, because she volunteered. So that's a good thing. Okay. So what we're gonna do now is we're going to do a little thing. I'm gonna need you to look this way, right here. Keep your eyes on me, watch how I do it. Okay, I need you going right about there. Right there, there's method to my madness. Not usually, but yeah, this time we will say there is. So I'm gonna ask you these five questions. Keep your eyes on me, and by reading your body, your facial expressions, I'm going to be able to tell you, okay. So, yes, while I'm doing that, just to keep them entertained, I'm going to put up pictures of lolcats, so you guys will be able to enjoy yourselves as well. So let's start with the first one. Should we switch to the slides so they can see the lolcats? Thank you. So here we go. That's a cute picture. So I'm going to ask you one question first off, and this is going to be a sociological question, okay. So where did you get your spouse dinner? A restaurant. The restaurant. You know, the restaurant. What was the restaurant? Someone's in trouble? Okay, very good. Am I to judge?
I don't think so.
Okay, so let's go with the next question. Now, this next question. Oh, here, I'll even let you look at one, the lolcats thing. I feel cute, little lolcats, okay. So the next question is going to be, let's make it a psychological question, because that looks pretty psycho. No matter what you eat, even if you're a vegetarian, it's like, no matter what you eat, do you consider yourself an omnivore, herbivore or carnivore? No, no, no, don't know. This is to help get you to the doctor, I think. It's like, what do you consider yourself? A carnivore.
Be careful, you guys. Okay, there we go. So. Okay, so you think, because you're a carnivore. Okay, so now let's ask the next question. Now, this question is a geographical question, but we're gonna try to use the logistical part of your brain, okay. So, in a number kind of way, how do you associate where you live? So what's your zip code? Yes, okay, that's good. It's like, that shows the logical side of how you, where you live. Okay, let's go with the next question now. This is more of a dietary question. It's like everybody loves the internet cat, you look, it's like it's not bad. These pictures aren't really bad, so don't worry. So, from a dietary standpoint, what do you like to do if you were at home, not here? If you're at home, would you like to eat out, eat in or have delivery? Delivery, my kind of girl. So it's like, so there we go. So that's your dietary question. Now one more last question, and of course I pick someone that's gonna be very difficult and stuff.
You know, it's like, because you know, I know this is a really great question. But on a geographical one, so I can tell what your generation is, it's like, what's your birthday? Just give me the whole birthdate, that'd be great. I'd appreciate that. Okay, thank you very much. Now that is social engineering. Thank you very much. Unfortunately, I've got some good news and bad news. The good news is you get a sticker set, because I was lying about being able to tell what you had for dinner. It's like, that was not true. But the bad news is that was a social engineering demo right there, on how easy it is to be able to do it. I started off. The bad guy starts giggling, wants to get down. I'm gonna get kicked by a husband later, not the first time. So this is what we're going to talk about. It's like, that was so easy with social engineering. I started by lowering your expectations, came out a little harried.
It's like a little dejection. It was like, you know, how's this going to work? Did a really lame magic trick. Yes, I realize that was lame. One more slide. I forgot to show you what it's all about. Because the fact is, what did these questions have in common? Sarah Palin, her email address. Those three main questions were the password reset questions for Sarah Palin's email. That's social engineering. That's how you get that kind of data. You give them something to think about. They're so busy thinking about one thing: oh, he's never gonna guess what I had for dinner. It's like, he's not gonna guess, I'm gonna get stickers, I'm going to prove him wrong. It's like, you get them engaged. You get them thinking they're doing one thing when they're actually providing information for another. So that was our demo, and thank goodness the demo gods were nice and it didn't fail too much. So let's get right back on to what else is going on. This is me.
It's like, yes, trust me, I'm going to talk about both my jobs. It's like, no one I know has actually ever seen me in that suit, except on Halloween, during my day job. But let me talk about that more. I've got two jobs, like a night job and a day job. The day job is I'm the AVP of information security for a national financial institution, where our mantra is firewalls, IDS, logs and stuff. I don't handle the day-to-day stuff. But my night job is I'm the CIO of Stratagem 1 Solutions, where I go and break things. I've written a book, yes, shameless plug, and I also do some talks around the world and do different kinds of hacking and social engineering engagements as well.
So that's me, and that's enough about me. You can Google the rest, and then let's talk about it. I would like to start off with a quote. There's my CISSP, so there is your Sun Tzu quote, as required, because this is an infosec talk. And let's go with another one. I want to let people understand, when we're talking about this, that I'm not a subject matter expert on this subject of social engineering. Okay, there are a lot of people out here that know a lot better than me. I do a lot of different research, it's like when researching my books, and also, it's like, I just like doing this stuff. So I'm a geek who likes to talk, and I talk, you know, a lot. There's plenty of witnesses to that here. So that's what this talk is going to be. So I want to use the Theodore Roosevelt quote, but here's the main Theodore Roosevelt quote that I like to use, and that is: to educate a man in mind and not in morals is to educate a menace to society.
And we're not talking like gang style, we're talking about how this talk hopefully will not just show you how I'm breaking things and getting into stuff, but hopefully we can start finding solutions to the human element, which is the main problem with our society and our industry.
When it comes to social engineering and information security. Wow, crap, that was just the intro. Okay, but so far so good. We're doing good, and hold on, trust me, I needed that. So now we're going to talk about the history of the Thirty-Six Stratagems. We're gonna talk about the history of social engineering in general, how social engineering actually differs between cultures, and we're going to discuss the OSI model and go through the stratagems.
So one of the things I like to say is: if you want to learn how to cook, you go to France. If you want to learn how to paint, you go to Italy. If you want to learn how to conduct military strategy, you go to China. It's like one of the things I admire about them is they've got military strategy laid down. They know exactly how they do it, and I've heard people mention 71 strategies out there. So if you have to resort to physical violence, you've already lost the fight. It's more about the mind. It's more about the development of your weaponry and also your treaties and the positioning of your people, which also involves social engineering. So that's the reason why I like the Thirty-Six Stratagems. It's like, the reason why, a little bit more about the Thirty-Six Stratagems, is the fact that they are 36 different strategies that are written out, with a story given to each one to help better explain it.
It's like two or three thousand years old now. Another thing, let's talk about the history of social engineering. I mean, Kevin's good, but actually social engineering, did you know, occurred before him or Frank ever got onto the scene, and one of the first noted victims of social engineering was Amenhotep III. He was social engineered by the moon priests of the royal city at that time period, where they were actually, in theory, just controlling his whole dynasty, so much so that upon his death his son had to move the royal court to Thebes, and that's when the royal city became Thebes, to get away from the influence of the moon priests.
And then he proceeded to wipe out the moon priests. But that came later. But that's exactly so. Sometimes there are bad consequences, you know, to social engineering. But that was one of the first victims of social engineering. One of the most well-known social engineering attacks that has ever occurred in history is never credited as a social engineering attack, and that's the Trojan horse. We all know about the Trojan horse, about how, you know, the program, and how you're able to do it in computer terms. But do you realize the very first Trojan horse was carried out by a social engineer? His name was Sinon. He actually disfigured himself physically, you know, cut himself up, made himself look, you know, like near death. I mean, that's called method acting, which I'm not going to go that hard into. But it's like, he actually left himself for dead on the beach as the Greek ships left, and this guy was actually able to convince the people of Troy: for one, don't kill me; two, yeah, the Greeks, I don't like them anymore, we had a falling out, you know, they chopped me up; hey, they've left a horse, you want to bring it inside? Okay, that was a pretty cool social engineering attack. We talk about the horse, but we don't talk about the person who carried it out, and that was a social engineer of massive proportions, so mad props to him. Another thing is the bards of the old Middle Ages. They were social engineers, because they weren't just trying to entertain, but they were actually in the employ of feudal lords who would then gather that information, because who actually went to the inn to listen to the bards? The stablehands, the maids, the guards coming back from the castle, wanting to impress the local musical traveller, telling them, giving them good intel, and then they would go back and report it. So social engineering has been around a lot longer than an Amiga.
So that actually, let me think, maybe he's not around anymore, but you understand what I'm saying. It's like, social engineering is here to stay. So also, another thing people don't cover very much is social. Who's freaking attacking me while I'm on a freakin' presentation? For gosh sakes, that's not nice. Sorry, then. Okay, that was rude. Okay, so how does social engineering actually differ between the cultures? Okay, well, quite simply, there is, in Asia, you talk about conformity persuasion, meaning people don't want to stand out too much, you don't like creating a disturbance, and you can use that during your social engineering engagement. One of the trust models used very well is in Japan, where you've got a trust model which is: I trust you until you give me a reason not to trust you. In social engineering terms we call that jackpot. It's like: yes, you should trust me till you can't trust me anymore. In Europe, it's authority-based persuasion. In other words, like in the Russian trust model: you're untrusted until you're trusted. Well, that might be a different, bigger problem, correct? Not really. I'm walking up to the place. It's like, I'm here for the surprise inspection of the server farm. I need to be let in. Sir, you're not on the list. What part of "surprise" do you not understand?
Obviously you're not in control of the situation if you're not even understanding I'm supposed to be here today, so why did they let you on this shift? Let me in the server room and, if you're lucky, I won't put you on the report. And that's how you do conformity. That's how you do authority-based. And then, don't worry, I always put them on the report. I was just like, I will put them on there. So that's how you do it when you're dealing with, like, European, it's like you're dealing with authority-based persuasion, and North America, it's need-based persuasion, which is really cool because you've got to be polite. I was actually asked to do this demonstration, a social engineering demonstration, in a secured location. I can't tell you what city it was in. It wasn't like a main one, it was just a building with financial stuff. And instead of going, you know, through the bulletproof glass and the man trap and the armed guard and the metal detector and the x-ray, I just hung out by the employee entrance and waited for my target, which was a guy being followed by a girl, and so I go in and insert myself in between. The guy opens up the door, and I held the door open, for I am a gentleman after all, and then I followed in right behind her. It's like, those are the kinds of things that we do a lot in North America. It's like, you won't, you'll question people, but what happens when I roll up in a wheelchair with four boxes on my lap and ask you to let me in? Are you gonna be that asshole that's not gonna let me in the door? No. Should you be? Yes, you should. But we want to be polite more than we want to be secure, and that's one of the biggest problems that we manipulate here in North America. South America, it's like reciprocation-based persuasion. What I do with that, it's like: hey, you know what? I'll put you on the report. I'll show exactly how well you did, how you helped me out here. You make my report look good.
I'll make sure you look good. It's like, I don't want to eat there either. It's like, I do put them on the report, okay, when they let me into the server room, because they want to look like they're doing a good job. So I do appreciate that. Now, why are we having to do these things? Why are we talking about social engineering so much lately? It's like, well, quite frankly, it's because of the fact that there's a new OSI model in town. Okay, this whole seven layer thing is gone. It's like, layers 1 to 6 are busted, I mean, okay, yes, I will admit we still have SQL Slammer going around the internet for some strange, freaking reason, okay, but it's slowly dying out. People are understanding that firewalls might be a good thing to block, you know, 1433, but also layer 7. It's like we can still attack layer 7, thank you Adobe and Microsoft. It's like we can still attack layer 7 pretty good. But now we're getting heuristic intrusion prevention systems on the desktop. We're getting more secured code, we're getting more patches coming out, you know, every day. So that's sort of not dying away by any means, but it's slowing down. So where do we have to go? We have to go to layer eight, the human layer, the physical layer. The reason why this gentleman here is on here: he's the poster boy for layer eight security. Because this gentleman, and stuff, you know, actually was in Tampa, Florida, in March, spent 18 hours in an office building. 18 hours in an office building with no one questioning him. Khakis and dresses, I've brought dinner. Okay, I would love to tell you his name. He has never been caught, but he did steal an awful lot of laptops, cell phones.
He actually stole a suit. So next time you see him he'll probably be wearing the suit when he's robbing your building. So at least he's upgrading his wardrobe. So that is the reason why we have to deal with layer eight now. This is a perfect example, thanks to jay crane on Twitter, who actually gave me this. This is the perfect example of why we need layer eight security and how effective it can be. Right here, these three. Right here is him attempting to do a network-based penetration attack. Red is denied, gray is either unattainable or not tried, and green is success. So network-based attack right here: deny, deny, deny, deny, deny. Okay, you're not getting in that way. It's like utter fail. So, you know, you don't go home dejected, though. What do you do? You come over here to the physical location at headquarters. Let's try Wi-Fi. Not happening. Oh, how about walking through the front door behind somebody that seemed to work? Let's find an empty conference room. Bingo. Let's get our laptop onto the network. There we go, and let's just jump right over here to where we've got domain admin credentials. For some reason, I think they stopped. It's like, I don't think these weren't attainable, I just think the company just, okay, back off. So that's how that goes. That's why this is so needed and it's usually so successful. I have not always been 100% successful on a network-based penetration test. I have been a hundred percent successful on every social engineering engagement I've ever been on and, like I said, I'm not that talented, so it's like, that's just the way it rolls. So it's like, and hopefully I'm not going to get caught now, I'm here, it's like I might get caught next time, but so far, as of this time, I've been 100% successful.
So let's start with one of the stratagems. Stratagem three is killing with a borrowed knife. In other words, you want to turn an employee's assets against them, so it's not really you, the one attacking; you let those people be the attacker. And some of the great tools for this are, of course, the Googles, because, you know, everybody wants to be a trillionaire, but also you have Facebook and Twitter. And, well, do we still use MySpace anymore? Just wondering, that's professional curiosity. But there's also these tools out there. Those are what you're going to use to do your data mining, to actually try to circumvent those. I'm going to be on Facebook all over the place. My profile, not me personally, but Cathy. Hi, Cathy. I like long walks on the beach, watched all the Buffy seasons, they were awesome. It's like, I've seen Serenity. It's like, I don't like The Notebook or vampires that glitter. But we also happen to be in the same company fan page, and I just friended you because, you know, we work at the same company in different cities and stuff. But you're really great to help me out and be friends, and yes, I'll help you with your farm and, you know, I'll kill who you need in Mafia Wars, and it's like it'll be all great for about two weeks, and then I'm gonna need help. My executive assistant, who's lost his passwords and stuff, you don't need me to reset them, but I can't get ahold of the network guy. Can you help circumvent all that process? I'm in trouble, I'm gonna get fired for this. I mean, seriously, I need your help. It's like, can you hook me up and just reset the password for that account and just save the day for me? Be my hero, you will. I'll give you an extra cow in FarmVille, thanks. There you go, and that's how you use the employee.
But how else do you do it? How else do you do social engineering, besides directly manipulating people? Well, it's also good for doing intel. There's a lot of good choices, thanks to a couple of other people. It's like, I'm not going to drop dox on Adam Savage like I planned, because ICanStalkU is a much better website for that now. But we also have Evil, which actually shows the Facebook phone numbers, people that post their actual phone numbers on Facebook. Also one-stop shopping for phone numbers there. PleaseRobMe, an oldie but a goodie. And this, ICanStalkU. Actually, when you take an iPhone picture and it still has geodata in it, they're nice enough to tell you exactly where you're located and then put it on the internet for everybody to see. That's where the whole stalking thing comes in. And then my favorite is just the old Twitter search, because when I started out this talk, when I was thinking about doing this and showing the dangers of Twitter, I decided to go bad. I wanted to do the most evilest thing that I could think of by using Twitter. What could I do that could be so evil on Twitter? It's like, what could I do? What kind of damage could I do if I had resources and I had the time and the meanness, and, you know, I'm not really a mean guy, but it's like, if I was thinking that way, what could I do? Well, I could search my location. You know, the Twitter app on the BlackBerry that's so nice to tell you exactly where we are geographically at the moment. And so I started searching for my location and I found this guy. It's like, "teaching healthcare provider CPR at WH." The only thing that made this guy different than anybody else was I was wondering what WH was. It's like, what's the WH? Turns out it's Washington Adventist Hospital, which is right down the street from Walter Reed Hospital. Any feds know where this is going? I'm a very good guy.
This is all hypothetical and I'm not trying to do anything bad. So, please, you know, you've got other things on me in your files that you don't need to add this to.
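The speaker's point about iPhone pictures that "still have geodata in them" comes down to the Exif APP1 segment of a JPEG carrying a GPS IFD. The following is an added example, not code from the talk or any tool it names: it builds a small constructed JPEG with only a GPS IFD, shows how a parser recovers the coordinates the way a site like the one described would, and strips the segment the way a privacy-conscious upload pipeline should. Tag numbers (0x8825 for the GPS IFD pointer, 1 through 4 for the GPS reference and coordinate tags) are from the Exif specification; the coordinates below are constructed, not a real location.

```python
import struct

SOI, APP1, SOS = 0xFFD8, 0xFFE1, 0xFFDA
TAG_GPS_IFD = 0x8825                      # IFD0 entry pointing at the GPS IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4


def _rationals(values):
    """Pack (numerator, denominator) pairs as big-endian unsigned RATIONALs."""
    return b"".join(struct.pack(">II", n, d) for n, d in values)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed sample: a minimal JPEG whose Exif segment holds only a GPS
    IFD. Camera files carry many more tags, but the layout is the same.
    lat_dms / lon_dms are three (num, den) rationals: degrees, minutes, seconds."""
    tiff = b"MM" + struct.pack(">HI", 42, 8)          # big-endian TIFF header, IFD0 at 8
    gps_ifd_off = 8 + 2 + 12 + 4                       # IFD0 has one 12-byte entry
    tiff += struct.pack(">H", 1)
    tiff += struct.pack(">HHII", TAG_GPS_IFD, 4, 1, gps_ifd_off)   # type 4 = LONG
    tiff += struct.pack(">I", 0)                       # no next IFD
    data_off = gps_ifd_off + 2 + 4 * 12 + 4            # RATIONAL triples live after the IFD
    gps = struct.pack(">H", 4)
    gps += struct.pack(">HHI", GPS_LAT_REF, 2, 2) + lat_ref.encode() + b"\x00" * 3  # ASCII "N\0"
    gps += struct.pack(">HHII", GPS_LAT, 5, 3, data_off)                           # type 5 = RATIONAL
    gps += struct.pack(">HHI", GPS_LON_REF, 2, 2) + lon_ref.encode() + b"\x00" * 3
    gps += struct.pack(">HHII", GPS_LON, 5, 3, data_off + 24)
    gps += struct.pack(">I", 0)
    tiff += gps + _rationals(lat_dms) + _rationals(lon_dms)
    body = b"Exif\x00\x00" + tiff
    app1 = struct.pack(">HH", APP1, len(body) + 2) + body
    # A zero-length scan header and EOI give the file its usual shape.
    return struct.pack(">H", SOI) + app1 + struct.pack(">HH", SOS, 2) + b"\xff\xd9"


def _segments(data):
    """Yield (marker, start, end) for each marker segment up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker >> 8 != 0xFF:
            raise ValueError("bad marker")
        end = pos + 2 + length
        yield marker, pos, end
        if marker == SOS:
            return
        pos = end


def _entries(tiff, bo, off):
    """Yield (tag, type, count, raw 4-byte value/offset field) of an IFD."""
    n = struct.unpack(bo + "H", tiff[off:off + 2])[0]
    for i in range(n):
        e = off + 2 + 12 * i
        tag, typ, count = struct.unpack(bo + "HHI", tiff[e:e + 8])
        yield tag, typ, count, tiff[e + 8:e + 12]


def _dms_to_decimal(tiff, bo, raw, ref):
    """Dereference a RATIONAL[3] (deg, min, sec) and apply the hemisphere sign."""
    off = struct.unpack(bo + "I", raw)[0]
    p = struct.unpack(bo + "IIIIII", tiff[off:off + 24])
    d, m, s = p[0] / p[1], p[2] / p[3], p[4] / p[5]
    value = d + m / 60 + s / 3600
    return -value if ref in ("S", "W") else value


def read_gps(data):
    """Return (lat, lon) in decimal degrees from the Exif GPS IFD, or None."""
    for marker, start, end in _segments(data):
        if marker != APP1 or data[start + 4:start + 10] != b"Exif\x00\x00":
            continue
        tiff = data[start + 10:end]
        bo = ">" if tiff[:2] == b"MM" else "<"
        ifd0 = struct.unpack(bo + "I", tiff[4:8])[0]
        gps_off = None
        for tag, _, _, raw in _entries(tiff, bo, ifd0):
            if tag == TAG_GPS_IFD:
                gps_off = struct.unpack(bo + "I", raw)[0]
        if gps_off is None:
            return None
        g = {tag: raw for tag, _, _, raw in _entries(tiff, bo, gps_off)}
        if GPS_LAT not in g or GPS_LON not in g:
            return None
        lat = _dms_to_decimal(tiff, bo, g[GPS_LAT], g.get(GPS_LAT_REF, b"N")[:1].decode())
        lon = _dms_to_decimal(tiff, bo, g[GPS_LON], g.get(GPS_LON_REF, b"E")[:1].decode())
        return round(lat, 6), round(lon, 6)
    return None


def strip_exif(data):
    """Return a copy of the JPEG with every APP1 Exif segment removed. Dropping
    the whole segment also discards camera model, timestamps and the like."""
    out, last = bytearray(data[:2]), 2
    for marker, start, end in _segments(data):
        if marker == APP1 and data[start + 4:start + 10] == b"Exif\x00\x00":
            out += data[last:start]
            last = end
    out += data[last:]
    return bytes(out)


if __name__ == "__main__":
    # Constructed coordinates: 38 deg 59' 31.2" N, 77 deg 0' 46.8" W (not a real place).
    jpg = build_sample_jpeg(((38, 1), (59, 1), (3120, 100)), "N",
                            ((77, 1), (0, 1), (4680, 100)), "W")
    print("before:", read_gps(jpg))          # (38.992, -77.013)
    print("after: ", read_gps(strip_exif(jpg)))   # None
```

Stripping the whole Exif segment is deliberate: editing out just the GPS IFD leaves the pointer offsets to fix and still ships the rest of the metadata, so upload pipelines that care about location leakage generally drop the segment outright and re-encode.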
So what I thought I'd do is, like, hmm, let me find out more about this guy. Now he's got my attention, now I'm interested. So where do I go? Oh, hi, Steve. Say hello to Steve. It's like, he's on LinkedIn. He's a volunteer EMT. It's like the Volunteer Fire and Rescue Association. What I liked about here is that he's a consultant at Northrop Grumman Mission Systems. You know, that's telling me, like, possibly top secret clearance. It's like, used to use databases and stuff, you know, 20-year database design and development. If I'm going to do something bad, especially in the Washington DC area, it's like, I'm not going in as the kabob salesman. I'm not going in as a street vendor selling hot dogs and water. I'm going in as a first responder. Why? Because people aren't going to be the douchebag to stop the fireman from getting into the fire for proper credentials. We aren't going to stop the police officer trying to respond to an event, especially a major event that might involve important people that happen to live in the area, especially around Walter Reed Hospital, especially a third EMT there to help out and assist. I could be pretty bad, but you'd have to find this guy.
I can't track him down everywhere he goes, hoping that he's at the same spot as soon as I get there, right? So I'm gonna have to know where he lives. Where would he live? Oh, he lives right here. Thanks, Steve. Again, I feel sort of bad, you know, for Steve, because I'm dropping dox on him, stuff like this, but it's like he dropped them to the world. I'm just showing it to you guys. So I'm actually showing it to fewer people than he did. So I don't feel too bad about it. Now I know where he lives. So now, when he's dead and I've got his identity and stuff, you know, and certain events can occur, you know, that I can make occur, I might be able to have access to Walter Reed Hospital, which is a very bad thing, which is a very evil thing, which I would never do in real life, ever. Okay, but I had to put that disclaimer right there, just because I'm paranoid.
So I love LinkedIn. Let's not just pick on the little people, okay. LinkedIn is the Facebook for corporations. I mean, seriously, and they're also a great gold mine. Look right here, we've got Scott, not the popular profile. I don't care who's popular or not. I mean, I never did in high school because I wasn't. But let's look at these people. We don't care about the marketing and recruiting and placement. Why would they be popular? Because you want to get a job. I'm looking down here. Who got promoted, who are new hires? Oh, this person, three months ago, they might have a personal assistant. Now I'm their personal assistant. We just started out three months ago. We're working on ramping up our new data center and we're going to need you to reset the passwords, because they got out of sync because of the RSA token. He just reset all the passwords. I would greatly appreciate it. Also, another good thing is, I graduated from the University of Oklahoma. If this was the University of Texas, it's like, that was the highest percentage. That's where I've come from as well, bases in Oklahoma City and Tulsa. So if I'm attacking Oklahoma City, I'm from the Tulsa office; if I'm attacking Tulsa, I'm coming from the Oklahoma City office.
A lot. I actually finished a recent social engineering engagement, was able to forge an email, put it on an iPad and get access to a server room. From two different searches on Twitter and LinkedIn, I was able to forge an email good enough to put on it and get me into a server room, just from the information I gathered off this. And I wasn't attacking the low-level guy. I was attacking someone higher up. It's like, the executives are like that. You get CIOs, CEOs. They're susceptible to this kind of attack, and you have to be careful what you publish on LinkedIn and Twitter. So I'm not just picking on the users. I'm not going after the guy that's just trying to hit on the users. Everyone says users are stupid, humans are stupid. No, people are just not educated.
That's the issue. Just like this uneducated network administrator who put his diagram on RateMyNetworkDiagram.com. He actually put, when he submitted it: "IP address and other miscellaneous information has been removed. My supervisors would feel quite unhappy with me if I posted the full version," even though I did post a full version of the SDS network diagram for the Encore Building, Synergy Business Park, with also the devices that I'm actually using. Yeah, they're not gonna get mad about that being shown at Def Con, I'm sure. Right now, this next slide, I am totally not BSing you on this one, because I honestly did not believe it myself. I had to Google the company because I did not believe this was real. I pinged the IP address to see it. I did DNS stuff, you know, IP lookup on it. This is the actual external IP address of the company, and there's their internal IP addresses, and there are some of the different firewalls that they're using, the names of the version of the firewall, and their website server, and they're telling us all the internal and external IP addresses. Ouch. That's also what we call jackpot. Okay, that wasn't a user, that was an IT network guy, soon to be an unemployed network IT guy. Hey, it's freely accessible on RateMyNetworkDiagram.com, which has got to be one of the best social engineering network resources that I've ever had. Okay, yeah, that was the same place. And please, guys, I'm not telling you to be malicious, but please rate their diagram.
Let me be fair. Alright, cool, so make sure you do that. Now let's go to one of the other stratagems. This is the stratagem "scheme with beauties," and basically it's going to be talking about how we're dealing with online versus in-real-life social engineering engagements, and the problems people with a voice like mine have, yes, not just visual but audio. So, as we talked about in the previous stratagems, being able to fool someone online is pretty easy. When you get to the point where you're dealing with calling the person in real life, that's when it gets a little more difficult, because it's one thing to be able to say "hi, I'm Cathy" on Facebook and be able to exchange emails. It's another thing when you need to talk to the person in real life and tell them that you're Cathy. It's like, so how are you gonna do that? It's very simple: you need to be able to change your voice in a way that will make it sound more believable to the person.
It helps if you have background noise, unlike what I'm trying to do here in a very quiet situation, but you want to be able to make it work convincingly, where it sounds like: "Oh, I am Cathy. I do need help with that password. Could you help me out please?" So that's one of the main things: when you're dealing with doing social engineering in real life, you're going to want to have the ability to change your voice, or have someone, an employee, that can impersonate a female or be a female or an older person or the target you're trying to choose, if you want to go after someone that's an executive. The World of Warcraft headset is really good with being an old person. Maybe it'll be too convincing, because I don't know if you're going to get... That's all to sound like. They're such a little still be working, I could pay for up. That's the owner of the company. Ah, there's the CEO. Something like a beeline to it. Ah, that's not the closest thing to me. It's an old-fashioned show, wha-ah-ah, headset. I resist it. What they are with the female, because that sounds like the most convincing, without hardly any tweaking at all on the settings. So hopefully you like that. Hopefully this helps show you some of that. This is just one headset with presets of voices. I mean, and trust me, all the other sets, all the other voices, aren't as convincing as this one.
I don't think you guys are going to take me seriously if I try to ask for a password reset like this, and I don't think you're going to be able to get anything from someone if you tell them straight up, "Just give me your password now." Yeah, are you on Pinterest? Come to work? So you need to be creative with it. There's other voice changers out there. This is just one, and it just happened, it was just a find, and that's one of the things I liked about it. It was just by accident, as in, oh, this can be used for social engineering. There's other devices that I'm sure are much more sophisticated that do the same thing. So please remember, if it's online, you can't trust who you're talking to online. One of the things I said in my book, you know: guys are guys, girls are guys, and 14-year-olds are FBI agents. That's the internet. But also now, and more and more, you'll see in real life you can't trust the person on the other end of the phone line, for the same reason. And there we go. That's going on us. Thank you, let's go to our next one. I'm like so over time right now; they're going to be dragging me off in about ten minutes. Our next item is luring the tiger from its lair in the mountain. You wait for the worker to take his network to you. I don't know about anybody else, but who likes to go to jail and explain to the, you know, murderers and stuff, that you're in there because of a computer crime? Yeah, that's not going to end well for you at all, ever. Okay. So you want to make sure that you can limit your risk, and one of the best ways to do that is to not get caught, and not get caught in the main headquarters. So where do you go? You go within a two-mile radius to the major Starbucks, Panera Bread, you know, places where you can actually still access their network. How do you do that? Through their laptop. Being able to mimic an access point.
Thank you, Microsoft, for making sure that everybody beacons out: "Hey, are you there? Are you there? Are you there? Are you there?" And I'm always going to guess: "I am, yes, I am, yes, I am. Please join me, I'm there for you." We're not going to cuddle, but it'll be beneficial for at least one of us. So that's the kind of attacks that you can do. This is another way to do it: a friend of mine and co-author of the book, Kent Nabors, actually took this picture at a Panera Bread outside of where he was staying, right outside of the main company headquarters area. This lady left her laptop, her purse and her latte for over 15 minutes unattended. I'm not going to try to install malware. I'm not going to try to hijack her session. I'm not going to try to do some kind of cool man-in-the-middle attack. I'm taking her laptop, I'm putting it in her purse, and if I'm malicious, I'll take her coffee too. And then I'm walking away and gathering the data. Yeah, they're going to come after me. So that's one of the problems when we're talking about wireless security. It's just physical, and also from the network base. Now let's go and talk about tossing out a brick to get a jade. Which one is the scariest picture in there? Out of all those pictures, which is the scariest? It's the middle one, because that's the one you're going to put in your computer, and I like USB drives, unlike personal devices. This is a picture of me right there, again, and trust me, it's something like that picture, believe me.
But guess what I'm wearing under that nice suit? That's my vest of doom. I call it the vest of doom because I think it sounds cool and I'm reliving my childhood, but that's the name and I'm keeping it, okay. What can I do with the vest of doom? Well, here's the part where we come to the hacker striptease. Come on, okay. So you throw money, road days, it's all good. So here's the vest of doom. Let's go and see what we've got in here. We've got a couple of drives here. They're really nice. They're SanDisk Cruzers, thank you, SanDisk, for giving us an environment to manipulate, so we can suck down the system hash and the password hashes of a system just by plugging it in for 45 seconds and then going off to the next machine. Those are really good, very handy. That's just empty pockets here. Oh, these are really nice. I drop these. I don't drop these in parking lots. People drop them in parking lots with malware on them. Now I put them in an envelope, address it to someone in the company, and then put it on their desk when I'm in there.
What are they going to do? They're going to plug it in and they're going to double-click on that "pay raises for 2011", right, just to see, just to make sure they were supposed to be the one to get it and stuff. You know, they want to make sure they return it to the rightful owner, right? So what else have we got? Oh, these are really good, because no one ever notices these when they're logging your keystrokes and stuff, you know, behind your computer. Those are really nice. Sometimes you've got some time. You've got some time on your hands. You're there at night. You don't want to go and decrypt the passwords there. You don't want to be on location. That's okay, I take the hard drive with me. I do that later. Sometimes I want the system to still be on, but I still want to be able to attack it and stuff. So, nice little USB wireless devices I can connect and bridge, and then I'm just, you know, hacking from the convenience of my car, jamming out. It's got air conditioning, it's good. And let's see here, also, if I want to record a phone conversation, try to manipulate, or to actually just leave one on somebody's desk while they're talking, try to get some incriminating evidence there. If I want to do forensics on the machine, it always helps to have something available for that. Let's see, button, button, who's got the button? Here we go: network crossover cable. If you have USB rights and you think you're overprotective because we're protecting USB rights, I'll just join the network directly to the other machine and then download the files that way.
And then here we've got some hard drives. I like this because this is the rainbow tables, so I can do a little password cracking right there. Don't worry, I do have a permit. It's all good. Here's one just loaded with malware. This is just all different kinds, because I might want to, you know, get a custom one out there.
On networks I get to choose, and I want to be able to compromise and take that data. So I always carry at least, you know, one or two terabyte hard drives with me that are the same size, because you want to be able to back up the data. What am I going to manipulate with that? How am I going to manipulate all that data? How am I going to crack it? How am I going to do that? Well, I do it this way. This helps: 40 gig hard drive, one gigahertz processor, 1 gig of RAM, running BackTrack 4. Thank you, Teton, you helped me out with that. Just plug that in right here, network jack, I'm good to go. I'm doing a wiretap on your network, backing it up to a one terabyte hard drive. I can get some password hashes off of that, I think, especially if it's duct-taped underneath the desk. Here's another one, because this is one of my newer toys. It does not... mine, of course, someone else got to use this one to jailbreak. I like this because Metasploit, thank you, HD, who was able to actually... I was actually on an engagement, breaking into a network gateway, and from here. So everybody's walking past, and I'm just, like you know, trying to get into the, trying to guess the password, turn on an SSH tunnel, and the manager actually comes in: "So how are you liking your steak?" "Well, I'm loving it. I'm having a great time." "Oh, the new iPad? Yes, it does a lot of cool things." And closed out that, show them the pictures, show them the videos, didn't show me breaking his network, and it was all nice and fun on that. So those are some of the things that you can get and those are some of the things that are available. It's just that easy to bring into it. I actually brought that into a secured location one time, which now I'm banned from, because they don't like people carrying small little USB devices on their person. This is my favorite: eight gigs right here.
That goes through security checkpoints everywhere in every country, and it's got a nice... Okay, don't hurt me. Okay, I'm running long as I'm talking. Can I talk any faster? I don't think so, but I'm trying. So there's a nice little USB drive for that. So let's talk about the next one. Usually, after I tell all the people the things I can do, I want to get out of there. So that's the stratagem: escape is the best scheme. How do you do that? How do you escape? Fake engagement letters. Those are my favorite. I actually was caught inside a dumpster in Houston. A lot of my stories end up with me in a dumpster, but this one, I was stopped by HPD and they were wanting to question me at gunpoint about what I was doing there. I showed them the engagement letter, the one that I had was a legitimate one, and they looked at it and gave it back to me. They didn't call, they didn't verify anything. So now I carry two engagement letters: one's the real one and one that's fake, that actually tells them: please, the system in any way, shape or... can't, yeah, you can, and make sure you call this phone number and stuff, you know, and verify that he's supposed to be there. Which, you know, they've never called me. So I've just been wasting those go plans, but that's what you can do, that's how you do it. I love it when they do help me. "Yeah, here's the engagement, can you help me? I need to take that server out." This isn't the first element, don't worry, I'll put your name on the report. "You're doing a good job, I really appreciate it, and you did a great job catching me." And, like I said, I try not to lie. I do put them on the report. And so that's one of the best games, just like using those engagement letters. Now, what we've got to talk about is how we try to solve this in the next two minutes. We try to do it with security awareness.
But the way we're doing security awareness is wrong, and most companies look at this top security awareness poster from a company. So great, now you have insecure employees that have low self-esteem. That's not the way to go, man. The bottom three just show you don't even know what's going on, because that whole mouse thing is just creepy. So we've gotta get better security awareness. Now, as security professionals made security awareness posters, we would try to get the point across, but people may not appreciate it as much. Now, the problem is we're also too technical, so sometimes we use terms and we try to put it in ways that we think are self-explanatory, but users may not know. You can't be so out there that they don't understand what exactly is going on. Some of them did. Others are going to be Googling later. That's awesome, Google "Spanish Inquisition". But what you have to do is you have to get one targeted specifically to your company, to your people, so they understand it. Google headquarters has a good security awareness poster. That's effective. Thank you, Ophelia, sorry for all the Google guys in here, just being funny. So you've got to strike an even tone. You've got to be able to educate them and give them some information that they can actually use, something just basic: you're reporting suspicious people. Okay, so, and I said I'm not trying to target anybody, you know, by what they look like.
I mean, 'cause going to Glamour Shots is not a crime. I'm just trying to inform people, you know, that certain... even if you are the number one hacker, you should be aware of them, in case they ever show up in your building. Yes, he threw a look at London. So what can we do? You're doing what you should be doing. One of the things, if you would understand, is you're doing what you're supposed to be doing right now. You're at a security conference, you're at a hacking conference, and you're trying to learn, and hopefully you're sharing that information with others. That's one of the biggest things that we have in here: we're always about communicating and trying to break things. We need to start getting together as a community and start understanding and learning and teaching others. Everybody here should be learning what they know the most about and developing a talk for it, to give it later at another conference. I mean, that's what we should be doing. We should be learning and sharing that knowledge. We've got to share it more. Hanky, can't give me, can't get me, I'm done. Oh, that's it. Guys, seriously, that's it.