How to Crack into Social Engineering

Unsecurity Podcast

Brad leads episode 14 with the help of Evan and M1ndFl4y, aka “Ben.” M1ndFl4y is a social engineer at FRSecure, and brings with him fascinating stories about his ability to gain access to facilities and information that he’s not permitted to access. Brad and Evan discuss some of those with him, and then chat about how someone could get into social engineering or learn more about the field.

Protect Your Organization from Cybersecurity Threats

SecurityStudio helps information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and remain legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Brad Nigh: Welcome. This is Monday February. What is today 11th? Even though Evan put the wrong date in the show notes. Yes, February six. You’re trying to trip me up dang. That was the deal because you messed up that one time when we restarted.

[00:00:37] Evan Francen: Oh, but I changed it online.

[00:00:38] Brad Nigh: Well, thanks. I didn’t tell you I’m Brad Nigh. We’ve got Evan Francen here. Good morning. Good morning. How

[00:00:49] Evan Francen: are you doing today? Hmm. Pretty good. Felt like summer this morning because it’s not like 20 below. It was

[00:00:54] Brad Nigh: like 16°. Yeah. Yeah. So fancies do you set up today? We’re trying to do actual true podcast.

[00:01:04] Evan Francen: Yeah, I’m not sure about this room. We might need to get some um, what do you call it? Acoustic tiles or something. But we’ll figure it out. We keep trying and trying. We’ll nail it

[00:01:17] Brad Nigh: eventually. So joining us today is M1ndFl4y or Ben depending on

[00:01:24] Evan Francen: which one is easier. You should just call him Ben, I think. Can we call you Ben?

[00:01:29] “Ben”: Yeah, that works okay. Living

[00:01:31] Brad Nigh: over underground. Who actually how many loops Brandon has to put in when we call the wrong name? I’m not doing Ben, I’ve been. Okay. How are you

[00:01:40] “Ben”: doing? Good, good. Thanks for having me

[00:01:43] Brad Nigh: for coming

[00:01:44] Evan Francen: in this early. Ben is not your real name, is it? No. Okay. But we’re going to call him Ben.

[00:01:49] Brad Nigh: Okay. We’ll pretend.

[00:01:51] Evan Francen: What do we what do we choose? A different name for you?

[00:01:53] “Ben”: I prefer anonymity.

[00:01:56] Evan Francen: Anonymity.

[00:01:57] “Ben”: Anonymity.

[00:01:58] Brad Nigh: Okay.

[00:02:00] Evan Francen: It’s like last week we had what? Superfluous. Superfluous. Yeah, no material meticulous.

[00:02:09] Brad Nigh: It because he’s a politician.

[00:02:12] Evan Francen: All right. All right, so I’m eminent for

[00:02:16] Brad Nigh: you. Yes, that

[00:02:18] Evan Francen: let’s do that.

[00:02:19] Brad Nigh: So then everyone knows other myself, but why are you here so eloquently, But what would you say? Yeah,

[00:02:29] Evan Francen: we’re going to go off a space on

[00:02:31] “Ben”: you. Okay. I do a decent amount of different things. A large majority of the work I do revolves around social engineering, but also do penetration testing, web app pen testing, network analysis, firewall rule assessments. So quite a bit of a lot of the services that you would expect at a security company,

[00:02:55] Evan Francen: so he’s kind of, you’re kind of a Jack of all trades. Yeah, I don’t call you Jack then why we call them then.

[00:03:00] Brad Nigh: Alright, jacket is Jack

[00:03:04] Evan Francen: Jack Benjamin. All right. Oh, so you okay, so you work here at FRSecure,

[00:03:13] “Ben”: yep, I’ve been here since January 2015. So quite a few years now,

[00:03:21] Brad Nigh: one of the elder statesman here. Right.

[00:03:24] Evan Francen: Yeah, I’m glad you’re here, man. Yeah, I know you always got some good stories to share. Hopefully you’ll share something

[00:03:31] Brad Nigh: today. Absolutely. I think one of the things I really love is just coming in the morning and catching you grabbing coffee or whatever and hearing the stories about, oh here’s what I did and watch this video. Those are always fun. So he’s

[00:03:48] Evan Francen: like a ninja to like come in here really early and Ben or Jack, we’ll just show up. He just appears my door. Yeah, scares the crap out of me all sneaks to ceiling tiles to get into people’s locked offices. I mean these guys a different kind of

[00:04:09] Brad Nigh: guy. So you said you do kind of a Jack of all trades, what would be you think you’re one thing you really want to focus on is your area of expertise.

[00:04:21] “Ben”: It’s our passion Jack. So as far as, as far as the work goes, I would say physical social engineering engagements are by far the most there through the most difficult there. They’re the prize. You want to go for, its so much that can happen. You got to think on your feet, you have to read people at a glance, you’ve got to know when to engage, when not to engage, pick your situations. It’s, it’s really exciting, really fun. But yeah, that’s, that’s really what I enjoy.

[00:04:59] Evan Francen: We should get. So we should get more of those engagements. Yeah, train, we should train the salespeople how to, we sell more of those so you can do more of those because you’re really good at it too.

[00:05:13] Brad Nigh: Yeah. So what I was talking to somebody last week and I can’t remember it was with Lee and I can’t remember who it was. And I said I think Ben just told me the other day he got caught for the first time. You did, you got caught for the first time. You didn’t hear this? No, go ahead.

[00:05:31] “Ben”: Yeah. So normally I expect to get caught eventually try and test uh the security situation at an environment and see how long it takes. People to realize that I’m there and I shouldn’t be. Normally I can be in a facility for around three hours before people start realizing that something is wrong. three hours, usually about three hours depending on the size of the facility.

[00:05:57] Evan Francen: Can’t do any damage in three hours. Right?

[00:05:59] “Ben”: No, but but I always try and get all my reconnaissance done, do nighttime reconnaissance whenever I can. And before I even started the engagement on a nighttime recon I completely got busted. I was walking around the facility. It was very poorly lit at night checking the entrances and exits and I almost stepped on a possum. That guy, he can’t get busted by a possum. I got busted by a possum. He came out of nowhere and it was, I shined my light down on the ground because I thought something was there and two glowing eyes and gnarly teeth were looking at me. That was shocked me. It was a little that was a little frightening. So yeah, he he busted me. But

[00:06:42] Evan Francen: uh so you were busted by like a human. You were busted by. No,

[00:06:45] “Ben”: no. Yeah it was just worse.

[00:06:48] Brad Nigh: I think I won’t give it being busted by a possum. You’re not

[00:06:51] Evan Francen: expected that right reminds me of the time because I was busted by real real person. I was doing Chris Hadnagy’s class at Black Hat a couple of years ago and one of our kind of final assignments was a live social engineering exercise. Where um he him and his team would text us who the target was and really what we had to get was like name, address, maybe age where they work, you know, stuff like that. Just kind of demographic stuff. And one of my first target was uh the lady with the hijab. All right, is that I say that right hijab, hijab. Uh Okay so um I’m like I didn’t know what that was and they could see that. I was just kind of like what? So they text me the lady sitting right next to you on the bench. I’m like oh okay so you know so I do my thing. Uh you know and my pretext was not very creative. It was I was a student at the University of Nevada, Las Vegas doing a demographic study. And so I just was gathering information for people that were visiting, you know Las Vegas. So I went through my pretext with her and she gave me her information. Um But then out of the corner of my eye I saw this person because you can tell when somebody approaches you and they approach you in a casual manner or when somebody approaches you in a direct manner. He approached me in a direct manner. So I thought something’s off. But whatever I got my target, I got my thing and then I got my next target. So I go over there. But this guy sort of following me, right? So after I did what I did to that one uh he approached me and says her confronts me and says I’m sorry what are you here for? What are you doing? And I told him I went through my pretext and he said who’s your you know who’s your professor? And I hadn’t prepared anything and I just froze. Right. So it took me out of my pretexts. I didn’t think through a big pretext. I just thought through real basic get the information totally killed me.
Then they turn you know, and it turns out he’s a police officer from like New Brunswick or something. But anyway, long story got busted but never on a real engagement. Just that one.

[00:09:20] Brad Nigh: So were you brought up an interesting point here with we can go into where people explaining the methodology. You mentioned pretext alive. So you know when you’re going to do one of these engagements then walk through what is a pretext? What are the different steps that you go,

[00:09:40] “Ben”: okay, so I take a very scientific approach to it. I try and define the goal first to figure out what are my targets, what are the information assets I need to gather and base a lot of it around that. Which changes passwords are not the only important thing in an organization. Sometimes little things can get you in calling up, giving away information that to them seems trivial, Which would be who does their trash, who takes it out? Try and dumpster dive all the time to get information. It has worked out in the past. I’ve gotten printed PowerPoint presentations to boards of directors before with exactly what the strategy is for the organization. So it’s in the dumpster in the dumpster. Yeah. And they had secure shredding facilities in the building, but this template was just thrown in the dumpster. So uh so gathering all the information you can based solely around what you’re going for is the primary objective. So a lot of open source intelligence gathering, hunting down who works at the organization, how long they’ve worked there what their past experiences were, getting demographics on what type of people you’ll be contacting and influencing, attempting to influence that is. But it’s it’s very much figuring out what the culture is. Very big on figuring out the cultural social mores that I’m going to walk into the social norms and trying to figure out how I’m going to fit in. I feel a lot more comfortable in large groups. So I try and focus my pretext around. Okay, I want to go in when there’s a lot of people. I know, I’m pretty good at blending in. So I try and do just that. Um after after finding out a pretext that works, sometimes it’s a new employee pretext, that one works pretty well. A lot of times I’ll go in as a service technician for printers or IT if they have 3rd party services coming in. Sorry, what digging

[00:11:57] Evan Francen: going? Yeah, a lot of meetings today.

[00:12:02] “Ben”: Um So I usually, if I can’t get a solid bead on what service provider they have, I look up every service provider in the area and make myself a fake badge. So I’m big on props. I like using props. It just adds a lot more credibility. So we’ll have a different service vendor badge in different pockets. And if I don’t know for sure I’ll walk in. one of the first things usually see is somebody’s MSP sticker with their name, their logo on some gear. Maybe it’s a computer, maybe it’s a printer. If I hit one that I know I have a badge for, I’ve got verification right there. That okay, this is the vendor. They use out comes the badge. I now become that vendor. But the tricky part. And what’s so interesting about developing a pretext or what you’re pretending to be or how you’re trying to get into this facility is you really have to live the pretext, you can’t just expect to walk in somewhere and think, oh if I just look like I belong, I’ll be fine. That’s a tiny portion of it. You have to believe yourself that this is what you’re there for. This is what you’re doing. Choose your words very carefully. I tried very hard not to lie on any engagement because lying brings out micro expressions. And some people are very good at detecting micro expressions and they can they’ll pick up Yeah, without even knowing it. We use micro expressions in daily life. It just happens. So I tried very hard to stay away from that.

[00:13:46] Evan Francen: So it’s like so pretext is almost like acting, right? I mean you choose you’re trying to figure out what your role is in this, your character. Yeah. Would you agree?

[00:13:58] “Ben”: Yeah. And one great piece of advice a client gave me at a speaking engagement was to look into method acting. He was an actor. And

[00:14:10] Evan Francen: but they make great social engineers.

[00:14:14] Brad Nigh: That’s why I took four years of theater in high school. Did you really, I got in as I needed an additional elective as a freshman. I was like, yeah, that’ll be easy. And then it was fun and I got to build things and build sets and that’s what I learned a lot. But I could absolutely. It would be a huge advantage.

[00:14:34] Evan Francen: We bring up another good point too though, where you don’t like to lie because I’ve been asked that same thing because you know, my Christian faith I guess, you know, ah people said, you know, don’t you feel bad about that? Well, I would if it wasn’t acting, it is acting, you know, and I’m working on the good side, right? I’m not trying to and Chris Hadnagy puts it really well. Uh the difference between manipulation and influence, you know, and when you’re doing it as part of a paid engagement, I mean, it’s like I’m getting paid to act, right? So that’s how I justify it in my mind. You know,

[00:15:15] Brad Nigh: had the one the phone calls that I did with right? Uh two months after I started like last minute it was will that would have been was supposed to do it. But he read that British accent and he’s like, I can’t do this. I right. Yeah. I mean if you’re having trouble drinking this morning, what did you do? You spill?

[00:15:40] “Ben”: But yeah, I have a drinking problem and I have a hole in my lip. Apparently my mouth.

[00:15:44] Brad Nigh: That’s all right. So

[00:15:47] Evan Francen: that’s what you were lacking.

[00:15:48] Brad Nigh: So that’s what I totally blew me off. So what happened I got, hey, can you do these calls? Okay, what are we supposed to do? And we’ll just get as much information as you can from that is all I was given. So I was able to call in as the help desk and say, oh well, you know, working on security and your patches, we’re getting a report that your patch of your machine isn’t patching correctly. I just need to verify your information went through it. And one of the ladies called me out where I don’t recognize this number is an outside number. Like, oh yeah, working from home, I’ve got a sick kid and trying to get it done and she’s like, okay. And I felt really didn’t feel bad because yeah, but I was like, spur of the moment. And at the end she was like, well, I hope your kiddo feels better. And I just, it’s like, oh, they’re totally getting sick now. It’s gonna be some karma coming back

[00:16:44] Evan Francen: another rule that Chris Hadnagy has and I keep referencing him because I think he’s, well, when I really admire his work, he’s written some great books, he created the world’s first social engineering Framework. I mean, it’s just he has his own podcast, it’s just awesome. But he has a saying to that. It’s leave them feeling better off for having met you, right? So that’s the difference between, you know, in my mind between manipulation and influence. So manipulation is really controlling somebody, right? And you leave them not feeling better off for having met you. So yeah, it’s a for me sometimes it’s a fine line.

[00:17:25] Brad Nigh: I think you’ve had some time to actually prepare. Yeah, we’ll let you know about it. That makes a difference,

[00:17:32] Evan Francen: Jack? That’s what you were saying you’re so good at is the preparation, right? Isn’t there like a book by Sun Tzu, Art of War, know your enemy kind of thing?

[00:17:42] “Ben”: Yeah, I talked about that a lot, as far as what books to read or what philosophies to build off of. I definitely lived to the Art of War for a lot of my philosophy and my views on how to go about things. It says in the book, If you know yourself and you know your enemy, you need not fear the result of 1000 battles. It’s the same thing if you know you you have to know your weaknesses you have to know your strengths and you’ve got to know that if you get in a certain situation where you’ve got a particular weakness, be honest with yourself, don’t get in that situation, you’ve got to get out, you have to know when to use your skills and when to walk away. That’s so important. You can’t just expect to walk in and win every time you’re not going to

[00:18:30] Brad Nigh: there is one sure way to get in every time. Big kick box. Nobody will stop you. He will just let you wherever you

[00:18:37] Evan Francen: need to go in Minnesota. Yeah, in New York will knock it out of your hand and that’s one of the things you were mentioning to is the culture, cultures have a big play in social engineering to I would things that work in Minnesota and the culture is different. Won’t work potentially in San Francisco or New York City.

[00:19:04] “Ben”: Yeah and there’s a culture is it’s broken down everywhere. So you’ve got it it’s different in different states, different countries but it’s also different in other organizations. The size of an organization has a big motivator on what the culture is. Small organizations. Their culture is much more tight-knit. Smaller buildings are usually much more difficult to see your way into. Yeah I mean these these people have probably been around for a while. Usually small organization retention is a lot higher. Everybody knows everybody. Everybody knows the service people, they know who’s coming in and out. It’s very hard to break into that unless you have an ironclad pretext that is very in line with something they’re used to it’s it’s exploiting the behaviors and patterns they’re used to. Whereas with a larger organization they usually rely heavily on physical security controls and their perimeter is usually much more lockdown. But if you can pick a lock and get through the door or talk your way past the security guard and get in. Once you’re in, everyone in the facility has a culture of well if you’re here you’re supposed to be here because this building is locked down. There’s guards on the doors. There’s locks badge access, you shouldn’t be here unless you need to be. So if you’re walking around unescorted but you look the part you act like you need to be there and you just bypass the physical security control. You have a lot of innate trust you just built it makes

[00:20:41] Brad Nigh: sense. Yeah. So we’ll come back one of the ones where you mentioned, you know, talking away past the guard. We’ve, we’ve been talking with that customer and they want you to come back and do it after hours. They don’t trust their questioning there after our security after you, you know, completely from during the garden Dave. But you know,

[00:21:05] Evan Francen: some of the social engineering texas, mine, one of the ones we were looking at, I don’t know if we looked at it together or well, somebody breaking into a power facility utility and that was more, I don’t even know if it was so much social engineering as much as it was just breaking in. Right? I mean, you didn’t engineer anybody, you know, in some, in some of those decks. See you get phone calls to popular. Yeah. Uhh for being anonymous though, you’re getting calls,

[00:21:39] “Ben”: I’m from an anonymous number. Look at that.

[00:21:41] Evan Francen: But you know, some of those things, I mean, so it’s just breaking into a facility. Uh, is that social engineering?

[00:21:52] “Ben”: It’s, I call it the first step if you can’t get your way, if you can’t get through by talking to the receptionist, which I actively avoid

[00:22:03] Brad Nigh: all. Oh yeah, specialists.

[00:22:06] “Ben”: I mean, you’re, unless you’re specifically targeted at seeing the receptionist as a goal. Can someone get through our reception policy and procedure, then Yeah, I’ll try that. But if my goal is to get into a data center, there’s no way I’m using the standard channels. I’m going to find a vulnerability to exploit. I’m gonna found find a back channel that they didn’t know. Is there another way into the facility? Another way to move around that they weren’t expecting? Ah they’re going to harden the easiest entry point where they expect people to come just like you do in a penetration test. That’s usually not your best way yet, right? You’re gonna find an exploit. You’re gonna find some human faces channel, some side channel. So I mean

[00:22:56] Evan Francen: but you know, but social engineering by definition is a human attack, right? So I mean I I and I think there it’s not like one is more impressive than the other. But when I see some of these videos of people breaking in in the middle of the night and getting access to something and plugging something in that’s breaking in. That’s not social engineering.

[00:23:21] “Ben”: Yeah. That would definitely be more of a physical attack. There’s people there maybe there was social engineering involved in gathering the information or setting something up. But it’s a little tricky to say let’s just do a social engineering test because if you do that, you’re limiting what the results are. Sure. So it’s that’s that’s another reason why it should

[00:23:44] Evan Francen: be a combination of social engineering and physical

[00:23:46] “Ben”: attack. Yeah. That’s that’s why I come at it from a very scientific point of view is what is the end goal? What are we trying to get? And now let’s define the rules of engagement. How restrictive do you want this test to be? What results do you want to really highlight in the metrics that we get from the test? And do you want it to match an adversarial test what an actual attacker would do and we can get pretty close. But I follow the same rules that Chris Hadnagy sets up is that I’m not going to manipulate. I’m not going to destroy anyone’s worldview when I’m trying to influence them. I’m not bringing their family into it. I’m not gonna right put him in a situation where I’m going to make them have to make a split decision. Are you going to help another person of a human or not? I stay away from all manipulation tactics. Try and use only positive influence techniques,

[00:24:42] Evan Francen: which is important to note, I think because that restricts, I mean, there’s a gap then between what an attacker would do a malicious attacker would do and what we’re willing to do because malicious Attackers don’t care about bringing your family into it. Using all kinds of emotions.

[00:25:01] Brad Nigh: Right? Well, it’s like when you talk about it all the time with the incident response, we’re playing within the rules and laws and Attackers are not Yeah. So, so we’ll come back to you, Ben, But Evan how was your week? Last week?

[00:25:16] Evan Francen: Last week? Good. Trying to think what I did last week was today.

[00:25:21] Brad Nigh: Had a meeting with a CISO from a large company. Oh yeah,

[00:25:26] Evan Francen: that was good. That was Yeah. Really large. Top 15 largest company in the world. I just had a great it’s fun when well I was there actually as an SME uh, on behalf of a partner who is trying to sell something to the CISO or whatever. And I think they were at the end they might have regretted bringing me because when you have two people who, you know, know security and have the same philosophies on security in the same room. It gets, its like magical. I mean

[00:26:01] Brad Nigh: geek out and everything else just kind of blurs.

[00:26:03] Evan Francen: It’s like low. So like for 45 minutes, it was just this great conversation about this and that on security and you just, you know, we saw eye to eye and then I looked over at the the person who brought me this partner and the look on their face was just, you know, I shouldn’t have brought you. But you know, I think you should have because you have to build rapport, right? I mean that plays into social engineering to right rapport, credibility. Those are things that you can really use, you know, in an attack. This wasn’t an attack. It wasn’t attacking him.

[00:26:40] Brad Nigh: No, I think there’s a great conversation definitely value there, Right? That’s you know, when they worked with customers, like that’s what sells is I get it. I understand where you’re coming from dinner. I think there’s a huge difference in talking to a immediate a sales guy,

[00:27:01] Evan Francen: Right? one. You know, I mean when we’ve been three of us here, we’ve been in this industry long enough. It’s less than, It’s less than two minutes when you’ve already made up your mind on this is whether this is somebody who gets it or not, Is that true for you guys to okay, so you get past that. It’s like who she is awesome.

[00:27:25] Brad Nigh: Yeah. I’ve had this conversation where it’s like right in the first couple of minutes he’s circling like the goose bumps. It’s like, oh yeah, they get it. This is exciting.

[00:27:36] Evan Francen: Yeah. And then I got a message from this CISO. So I mean it’s a big company, right? Huge. I can only imagine the things that go on in his mind and the emails he gets and I was talking to you brought up Leanne. I was talking to Leanne last week too and she said The average CISO I think of a Fortune 500 company or something Gets 60 700 emails a week. They just get pounded by. I mean the money grab in this industry is crazy. So to be able to have this conversation with him, you know, without the noise was not only was it magical, I guess. And that’s a weird word when you talk about talking to another guy, but it was, I mean I’m very grateful and I have a lot of people get that opportunity. So it was fun. That’s awesome. We’re going to dinner now to hopefully barbecue like barbecue. One of the things you said, sorry, I keep taking over your, your leading the show, but one of

[00:28:43] Brad Nigh: the quotes,

[00:28:46] Evan Francen: but one of the things that you said was you hate going through or you don’t like to go through receptionists. Yeah. One of the attacks, I know that you did. The receptionist was absent from the desk at the time and you found something. Yeah, tell me about that one quick. Have you heard this one? Okay.

[00:29:09] “Ben”: So I was, my intel was lacking on the inside of the building. I couldn’t find a lot of information on how the layout was set up. It was several story building. So I went in and I was just trying to scout the building quickly and realized this is one of the main areas. It wasn’t on the floor. I was expecting there was a reception desk and She was, she was actually at her desk at first and struck up a conversation with somebody else who was there. Give a little bit of distraction. And I figured out, okay. They’re probably gonna go away based on what I’m hearing them say. I want to give away too many details about what happened. But uh so I wandered around and waited and listened for footsteps to hear. Okay. Are they leaving the areas? One person to person to people. So they actually walked off to continue their conversation. There was an issue. I jumped the reception desk because that is the prime spot to find visitor keys, vendor badges, anything that’s gonna get me around that organization. The receptionist is probably going to use it because everybody focuses on this is the entry point. So I jumped the desk, went through the drawers real quick and found a maintenance level access badge that got me into pretty much everything in the facility because it was maintenance level. So to prove a point, I went up and walk out on the roof, took some pictures. Selfie. Yeah, took a bunch of pictures of people walking in from above. Take pictures of all their equipment up on the roof. All the electrical HVAC, yeah, jump in the reception desk.

[00:31:02] Evan Francen: So if you keep badges in the reception desk, lock it

[00:31:05] “Ben”: up, lock, definitely

[00:31:07] Evan Francen: lock them. At least make it, make you have to pick the lock or something. Which chances are should be back by then or he, I guess if it’s a male receptionist. That’s funny. Have we used your name yet? We slip up. Okay. I just want to double check. Jack is still his name.

[00:31:25] Brad Nigh: Yes, sure. Jack,

[00:31:27] Evan Francen: yep. It’s just not what it is. Alright, so back to you leading. Sorry? No,

[00:31:33] Brad Nigh: it’s kind of like I like gyms. Word, lots of a goat rodeo. It’s just kind of all over the place trying to wrangle it. Rygel cats. Right? This is

[00:31:44] Evan Francen: who we are and this is how we how we roll

[00:31:47] Brad Nigh: and what’s fun now. So we’re doing this in what we call the fish bowl I guess. So it’s glass room and so we could start seeing people now starting to come in for the day.

[00:31:58] Evan Francen: Yeah, it’ll be fun. This will be fun. And we’re gonna do, I think the marketing people want to do video. So we’ll have video.

[00:32:04] Brad Nigh: Why would we do that to people?

[00:32:06] Evan Francen: It’s painful enough that

[00:32:07] Brad Nigh: I

[00:32:08] Evan Francen: don’t know if it would be fun. Well that we couldn’t do with you because some people would see Jack’s face. You have to blur that out.

[00:32:15] Brad Nigh: It is a technology where we just put like a black circle painted to his forehead

[00:32:19] Evan Francen: tape of blacks are cup. We should do that anyway. That’d be fun. All right. Anyway. Yeah.

[00:32:26] Brad Nigh: So going back to the opening of the Jack Jack, what’s it Any way you It’s not just social engineering. You just got something published on a pretty well known website. Yeah. Tell us tell us about your little side project.

[00:32:44] “Ben”: Yeah. So a big part of penetration testing. Social engineering. All of that is reconnaissance. It’s open source intelligence gathering and uh it was frequently happening where we would find emails, targets and normally try and get in through external logins with their emails but you need the passwords, the easiest way to figure out somebody’s password is to see if they have been breached before and pull their breach data. So Troy Hunt, Troy Hunt runs a website called Have I Been Pwned and he does amazing work on that site aggregating and gathering all the breach data you can find, you can look your own name up to see if your email accounts have ever been breached. It lists what breaches they were involved in all the data that was extracted from those breaches. Uh He also provides an API that you can call. So one limitation to it is that you can only look up one email address at a time so they can get kind of time consuming especially in case of red teaming when you need to vet out hundreds or thousands of email addresses. So I wrote a little script that calls the API for a list of email addresses and it does, it pretty quick list which breaches the email address has been involved in and all the data that’s been leaked. So with it you can export to a CSV, you can look at the emails, look at the breaches, pull up the breach data and start searching for past passwords that were leaked. They may still be good but they may not be, it honestly doesn’t matter that much because if we find somebody’s password in the past, we know how they make passwords just by looking at it.

[00:34:38] Evan Francen: You know you know how they construct them?

[00:34:40] “Ben”: Yeah, it's predicting human behavior based on their password and how they decided where they put their numbers. Do they use special symbols? Uh, I've heard so often that all computers, they don't actually have random number generators. They're all pseudo-random number generators. Well, I, I'm kind of trying to make an argument that people are kind of pseudo-random number generators too. They use a lot of the same stuff in their passwords, a lot of the same keystrokes happen. It's a behavior, and if you can nail down their behavior you can greatly reduce the odds that you're just gonna try junk passwords and you can really focus on, okay, this is the stuff that you used to get in, and you really get a window into how they think. So that tool is out there. It's free for anybody who wants to download it. I tried to make the barrier to entry in coding very minimal, so it's just a bash script. So look it up on either haveibeenpwned.com, there's a "who's using the API" list, you can find a link to it on a list on Troy Hunt's site, or you can go to GitHub and look for M1ndFl4y. I

[00:35:53] Brad Nigh: am M M D

[00:35:56] “Ben”: E. M. One N. D. F L. Four Y. Okay

[00:36:02] Evan Francen: so you inject about that last week? I mean when you came into my office, you’re like, dude,

[00:36:08] “Ben”: yeah, I was

[00:36:09] Evan Francen: responding to me, because Troy Hunt, I mean, is now a huge name in our industry, right? I mean, he's done great work and people follow him. I mean

[00:36:19] Brad Nigh: that's really, really cool. When we ran it on one of our customers just as a courtesy or service, we found, ballpark numbers, 600 of 1800 of their accounts had been part of a breach in the past. But it was great that, yeah, there is. I think the family useful.

[00:36:43] Evan Francen: Sure. Something we should maybe add somewhere devices go to. Yeah. I mean because it’s, it doesn’t increase the likelihood of something bad happening. Right increases risk. Mhm. Good job. That’s really cool.

[00:36:58] “Ben”: Yeah, I hope, I hope it provides some use for anybody who wants to use it.

[00:37:04] Evan Francen: I'm sure. Well, like Brad was saying, it already did for one of your clients.

[00:37:10] Brad Nigh: Maybe I haven’t heard back. So maybe they saw that and just like

[00:37:15] Evan Francen: they fired us concussion from

[00:37:18] spk_5: falling out of their chair.

[00:37:20] Brad Nigh: So we’re going back to the social engineering. That’s the kind of the theme of the day today. Um Mhm. Gosh, Well, we may not get too many news stories because it’s more

[00:37:32] Evan Francen: fun.

[00:37:34] Brad Nigh: So we talked about a little bit about how do you become a social engineer. We talked about acting a little bit, but do you have any resources that you would recommend if somebody wanted to get into that?

[00:37:48] “Ben”: Yeah, absolutely. Um, so I would say, like anything else, there is no one path to a job. So it depends on your skill levels. If you are a very technical person, then you might want to start researching actual phishing attacks and how they work, because that is the least involved in actually using your voice, using physical cues, reading cues like that. And that is a skill that takes a lot of time to develop. So if you're technical, look for Phishing Dark Waters by Chris Hadnagy. That's an excellent book on how phishing works, what it is, how to do it right. He's done some amazing work there. Um, and then work on the actual tools. There are platforms and free tools that you can get that will help create phishing campaigns, to figure out how they work, what kind of metrics you can get, how to use those metrics in an actionable report. So you've got GoPhish, Phishing Frenzy, King Phisher, which are all easy, cheap solutions or free solutions that you can use to develop your techniques there. But if you're not a technical person, say you've got a sales background, getting an understanding of, uh, electronic phishing. I'm sorry, audio phishing. So phishing with a V

[00:39:15] Brad Nigh: as I call it with such dumb

[00:39:16] spk_5: names. Yeah,

[00:39:20] “Ben”: that one is very involved in speech pattern recognition and using your voice. The cadence, the pattern, the enunciation. The psychology term for it is neuro-linguistic programming. So if you can use NLP, neuro-linguistic programming, you can influence people's behavior based on neuro-linguistic programming, which is actually one of the techniques that hypnotists use. Now, like all things, it's not a silver bullet. You're not just going to be able to will people to give you their information. But it's very helpful. And I've found people with sales backgrounds are a lot better at doing this. Their skill set is much more developed when talking on the phone. They interface with people all the time. It's something you innately learn and get better at because they talk to so many people and they're constantly trying to market something, which is another great resource for, for electronic and audio phishing: marketing. I don't even know how many different sources you can get from marketing, but they focus on how to get people to buy things, how to influence an emotional response, how to get people to do something. That's, it's an awesome source to look for. As far as in-person physical, that one is, in my opinion, the hardest because so many things can go wrong. It's the highest risk. It's the hardest to break into. It's very involved in reading people in an instant, looking at their micro expressions and figuring out if they're potentially telling you the truth, if they're hesitant about something, if they're feeling anger, sadness, surprise, all the different micro expressions that you can trigger. Being able to read that quickly and then use it to your benefit to influence them to elicit a response.

[00:41:26] Evan Francen: One thing about micro expressions. Um, you can tell maybe the, the emotion, but you can't tell why. I think that's one mistake that sometimes social engineers will make: they identify the, the micro expression and then think that they caused it, and maybe something, you may not even have been part of it at all. Right. You don't, you don't know what's going on in their mind. You know the emotion. But you don't know why

[00:41:57] “Ben”: a great book resource for that is, it's another one by Chris Hadnagy, Social Engineering: The Art of Human Hacking. It's a really great book on how all this stuff works, when you use it, when you can trust it, when you can't, the pitfalls, things that work, things that don't. It's a really good resource. Um, I have a lot of experience watching people, observation. Uh, so I use people's body language a lot when I do social engineering. So how they carry themselves, how they walk. Are they? You get a sense of so many things. I've got kind of a background as an animator. So having to portray emotion. Wait, yeah. Sense of urgency through motion. Yeah. A lot of my training was how to actually see that in people and emulate it. Another cool experiment for physical people is go to somewhere where you're gonna see mascots or people dressed up in a suit and try and gauge, all right, is it a man or a woman inside the suit? What's their body structure like? Are they, have you set, are they skinny? Do they have a limp? Figure out from their walk what that person looks like on the inside of that suit. It's a really good experiment to try and hone your skills

[00:43:28] Evan Francen: and then tackle them, pull the chute out. Let’s see if you’re

[00:43:31] spk_5: right

[00:43:33] Brad Nigh: A big part of that, that gets to the physical part, is getting over that fear of being, or, you know, having, Evan does, deal with the police. So if you've gotten over that, you could tackle the mascot and pull it off. If you don't have to worry

[00:43:50] Evan Francen: when I've done physical social engineering attacks for years. Uh huh. I don't think I'm particularly awesome at it. You know, but I've been caught by the police before, getting caught by the police dumpster diving, and this is where I'm not proud of it because I, I broke the law actually, you know, I mean the, well, because you know, the statute of limitations is over on that. But you know, a lot of times when we do a physical social engineering attack, you'll have a letter of engagement or some statement from the client that this is what you're doing. So that you don't end up in jail. Right? And so in this particular case we've created two of these. One was a real one, one was a fake one. Gave the fake one to the police. So it was, and that's the part where it's breaking the law. You can't lie, you know, to the police about your identity. But whatever, that's, that was 20 years ago.

[00:44:49] Brad Nigh: You know it’s funny listening to I was

[00:44:54] Evan Francen: did you almost see his name? I

[00:44:56] Brad Nigh: almost did.

[00:44:57] Evan Francen: Jack. Were you offended by that? His micro expressions of anger, contempt maybe did you see the disgust? You see the eighth of a second is uh huh.

[00:45:10] Brad Nigh: But the observation right? Berries some I love going and just watching people. Yeah I’m not a bird. I’d rather be at home. But if we’re going out somewhere it’s so much fun to just watch people and just pick up on that stuff. So it’s kind of funny you know just in from background but that’s the that’s really common I think I guess

[00:45:37] Evan Francen: Yeah all three of us are introverts.

[00:45:39] “Ben”: I've got to point to that too. I was at a speaking engagement and somebody said, oh God, you must be so extroverted. You're so good in this situation. I mean, I feel awesome talking to, like, no, I am so introverted. This is painful for me to be in a big social setting, and I think that's actually why I enjoy the physical aspect, is because I've been introverted for so long. It's become second nature that I need to act like part of the bigger group and act like I'm fine. So I am, I recharge by being alone, reading a book, being in a dark room, no other stimulus, no human contact. But when I'm out in public, I've got to put on that facade. I have to tell myself, okay, I'm fine. This is fine. Yes. And kind of just pretend to go with it. And I've gotten really good at convincing myself that I am confident in this situation and I look comfortable; if I present that to everybody else, it works. It's

[00:46:49] Brad Nigh: just a skill that you develop. I describe myself as an extroverted introvert, right? So I love going out and talking and especially a couple meetings last week and we’ve got another board meeting. Yeah, okay, that’s fun. I love doing it. But yeah, they were I go home and I’d rather stay home. I don’t want to go out on the weekends. I just, just a day. And

[00:47:14] Evan Francen: that’s and that’s what makes that’s what defines an introvert and extrovert. It’s where you get your energy to get your energy alone because some people get energy in a group, right? But for us it drains us, I might like it. But man, I’m ready to take down after a after a meeting or some kind of presentation,

[00:47:34] Brad Nigh: like there's all the classes. Yeah, yeah. Just talk for six or 8 hours, it's just, just one of it. Right? So if you could give one piece of advice on how people can protect themselves, what do you think that would be?

[00:47:51] “Ben”: Yeah, I get from you only get one piece of advice.

[00:47:58] Evan Francen: Okay, maybe two.

[00:48:01] “Ben”: So I would say read The Art of War. I'm borrowing somebody else's advice for this one. But it's, it's such a good book, and understanding, okay, The Art of War isn't so much about actual warfare, it's about the psychological effects, how to think, how to know yourself, how to know what's happening around you. And if you can really get a beat on yourself, what emotions trigger when you see certain things. And do you see that in the news? Do you see that in phishing emails, where instead of thinking your way through something you react? It's an emotional response to something that maybe somebody's trying to influence your behavior with. Figure out what influences you and learn how to resist it. It's gonna be different for everybody. So really understand yourself and the triggers that you can help avoid, or at least understand that you are being triggered. It's a weakness that everyone has.

[00:49:07] Evan Francen: Yeah, yeah. Everybody, I mean, social engineers get social engineered. You know, I remember one time Jack, when you social engineered yourself, that’s a whole nother story.

[00:49:19] “Ben”: Yeah. Yeah. That was a weird one

[00:49:22] Evan Francen: he fell for his own phishing attack.

[00:49:25] “Ben”: I was designing a phishing attack for a site. I had to create a clone of the site, I thought this site was programmed a different way than it actually was. And I actually grabbed onto a back end of code that wasn't hooked to anything and was going through and testing out the phish, and I got a response from the site that I wasn't expecting. Came out of nowhere and I thought, oh my God, I, I just logged into this, because I use this service too. Did I just, did I just give this away? But, but it was a technical issue, it was a hook that wasn't attached. It didn't actually log anywhere, but I was, I was convinced I had just given my creds away, like, I gotta change everything, everybody's gonna know

[00:50:17] Evan Francen: stop. And then you made the mistake of telling me, to tell everybody. I actually use that in presentations before: our lead penetration, or our lead social engineer, social engineered himself. So

[00:50:34] Brad Nigh: before we wrap up, have you been caught, or better, stopped on a physical contest, or have you always gotten into a sensitive area, achieved your objective?

[00:50:46] “Ben”: So that’s a loaded question.

[00:50:49] Brad Nigh: I will let you interpret it and answer it as you want.

[00:50:52] “Ben”: All right. So as for the rules of engagement that we set up, we have specific goals to get to. I have never not been able to get to that goal. Sometimes when we go to these different sites, we have multiple physical locations. I may be stopped at one, but allowed to proceed it another. So in total Yes, I’ve already, I’ve always gotten what I wanted or what we were going for. But there have been people who have sufficiently stopped me where I said, Ok, you watch me out of the pretext. This is what we’re looking for and you did an awesome job. Here’s my letter. Let’s go. Talked to a couple of people in security and let them know you’re on the right track. You are a security champion in this organization and I want people to know that I have been stopped and I love it when I am. I wish I would stop

[00:51:48] Evan Francen: And congratulations for busting me. I'm selling these medals for $3 each. You can put that, you can put it on your desk. No, that, try it.

[00:52:03] Brad Nigh: You know, it will be in the mail. How about for phishing with credentials?

[00:52:09] “Ben”: Uh, so we keep pretty close tabs on that. So overall phishing is probably around 47% now for click rate. So average industry is 47% for us. Uh, as far as giving us credentials, last number I looked at was 22

[00:52:29] Brad Nigh: and then if we

[00:52:29] “Ben”: ever

[00:52:30] Brad Nigh: now we don’t do credentials every time. Right? So there’s a difference writing when we go for credentials and the protections around when we go for credentials. Have we ever had a phishing attack where we haven’t gotten at least one set of

[00:52:43] “Ben”: credentials. No, never. And we’ve even,

[00:52:47] Evan Francen: we've got, we've got results on when we were testing, when we were actually, when we accidentally released phishing, it's a test

[00:52:56] Brad Nigh: on a test phishing, saying our sample for, yeah, we

[00:53:02] Evan Francen: get results back after we tell people that this was just a phishing attack, you can stop clicking disregard whatever and then we still get them After that.

[00:53:10] “Ben”: I've had technology in the organization block phishing or label it as phishing, and then the users bypass that technology and try and go to the site, and the firewall then kicks in and blocks them from viewing the site. So they went home, I think, on their mobile device, or they go on the mobile device and log in from outside the organization's protections and give the creds. I've had people

[00:53:39] Evan Francen: want so bad to give you my credentials.

[00:53:42] “Ben”: I should note, though, that most of our testing is not from an adversarial mindset. It's from a training mindset, where we're trying to train, absolutely, the people in the organization. So when we do a spear phish, traditionally in the wild we're going to see a spear phish targeting 1%, or maybe even 1, 2, 3 people in the organization, tops. That's awesome for adversarial work, red teaming; it's horrible for trying to get a gauge on the culture and resistance to phishing in an organization. So the numbers we have are, are skewed to that methodology where, yes, we're gonna hit everybody at the same time, because we get most of our clicks within the first minute. In the first minute everyone has clicked that's going to click, and then awareness is starting to spread through the organization. That, okay, this is a weird email. Is this legit? And they start looking into it. Did you get it too? Right? Whereas with adversarial stuff, you might not get that.

[00:54:44] Brad Nigh: I think whatever. Uh, one of the most amusing stories was right after we moved into this building and I were sitting or weird over by the kitchen talking and well, that is a funny thing setting up. Come here, we walked back to the lab And it was a USB drop that had been done like 10 months prior.

[00:55:11] “Ben”: Oh yeah,

[00:55:13] Brad Nigh: a year prior, and suddenly you dropped like 15 USBs and 12 had been returned. And then, yeah, I was like, 10, 12 months later, ping home.

[00:55:24] “Ben”: Yeah, it was,

[00:55:25] Brad Nigh: it was like, it was a relatively new employee that found the USB in a desk drawer, plugged it in, right?

[00:55:34] “Ben”: Yeah, it was from, it was from an attack where I had payloads on USBs that I'd done almost a year before, and they couldn't find some of them, which is common. So I'm just go missing or detraction. Well, somebody put this USB in a desk, and once that vacant desk was filled with this new person, they sat down there like, oh, what's, what's this USB? Why don't I plug it in? They, I got the call back from the USB. We haven't engaged with these guys in so long, but we need to give them

[00:56:07] Brad Nigh: a call. Yeah. The best part was, what department was that person? And do you remember I remember this because you were just, they were in compliance? Yeah, it was pretty high up in compliance. So it’s like, oh, they should have known that.

[00:56:25] Evan Francen: It’s too bad. It wasn’t the head of internal audit.

[00:56:28] Brad Nigh: It wasn't too far off from that. Oh man. All right. Well, good stuff from M1ndFl4y, or Jack, Corbyn, or Joe, or, just gonna start calling the random name. On Twitter at M1ndFl4y.

[00:56:49] Evan Francen: You’re gonna get some followers. Yeah,

[00:56:52] “Ben”: spread the word. Yeah, I post occasionally. If I find something cool, I’ll post

[00:56:58] Brad Nigh: post on line.

[00:57:00] Evan Francen: You

[00:57:02] “Ben”: made, you made a funny note about my twitter in this online feed. It’s like, yes, I actually do for ascent and experimentation all the time.

[00:57:11] Brad Nigh: I’ve gotten requests from accounts that have been created by these guys and it’s like in the note, it’s like, hey, it’s a, it’s just one of the other ones. Yeah, it was a bit, we use Tyler. Hey, it’s Tyler. Go ahead and just add me. I’m testing this out. It sounds like, mm No, no, no, we can talk to you like, yeah, no, it’s, it’s legit? We’re just testing to see if we can make this happen on as a earth until, so

[00:57:42] Evan Francen: If you see M1ndFl4y, the number of tweets go up to like 10 a day, somebody phished you. You

[00:57:50] “Ben”: have probably

[00:57:52] Evan Francen: that’s outside of the pattern. Yeah.

[00:57:55] Brad Nigh: So we're wrapping up, so we didn't really get to the news stories. You posted them on your website, on the blog. Yeah, there are some interesting ones. 59,000 breaches reported by GDPR regulators, macOS zero-day exposes the Apple keychain password, oops, digital signs left wide open with the default password, shocking there. I think that's probably not surprising at all. Uh, you know, Apple released their security update last week for the FaceTime bug. So I was good

[00:58:27] Evan Francen: 12.1.4 and riot, and if you're Android, they had plenty of problems last week too. So be thinking, once better than,

[00:58:37] Brad Nigh: you know, you’re pretty much out of the way.

[00:58:40] Evan Francen: But I do post a lot on Twitter. So a lot of these main news are on there. Um, you have to put up with some of my stupid posts too occasionally, like I posted last night: my daughter texted my wife and asked and said, hey, it's Abraham Lincoln's birthday tomorrow, how can we have school? She's looking for every excuse possible to miss more school. It's like, well, that's why I posted that. So there's some stupid stuff among all these news, you know. Every morning, it's kind of a habit to get up and read the news and what's going on with security.

[00:59:16] Brad Nigh: You need to get better about actually posting. I use it just read and like a news aggregator almost. Yeah,

[00:59:24] Evan Francen: you’re so busy man. I mean, hopefully uh chad comes back this week so you didn’t have to do all the essay where poor guy was dying last week.

[00:59:38] Brad Nigh: It was bad. It's good. It's a good problem now, don't get me wrong, right. But yeah, it was, so on Twitter at entrancing, at M1ndFl4y, at Brad and I, and of course, you can always email us questions or suggestions at insecurity at proton mail. Ah

[00:59:58] Evan Francen: give us some suggestions. Tell us how we’re doing. Yeah. Yeah, Mostly we’re looking at

[01:00:04] Brad Nigh: you. Yeah. Alright, next week is Evans week so I’ll do my best to derail you Well. Good.


[01:00:16] Evan Francen: Okay. I think, I think doing this, I think M1ndFl4y derailed this, just using some kind of mind tricks on us or something. Yeah. Next week I'm not sure what we're gonna talk about, but we'll talk about something,

[01:00:28] Brad Nigh: yep. That’s fine. All right, thank you.