I'm not sure if some of you just stayed out all night rather than getting up early, but thanks for coming anyway. My name is Sharon Conheady and I'm a very nice little Irish girl. Actually I'm so nice that my fellow countrymen decided I was really showing them up and they sent me to live in England where I work in London as a pen tester and social engineer. So I first spoke about social engineering here at Recon a couple of years ago. Since then I've been touring around speaking at lots of different conferences on social engineering. One question I get asked over and over again is can anybody be a social engineer? Is it something you're born with or is it actually a skill you can learn? So I absolutely believe that anybody with the desire to do so can be a social engineer, even geeks. So I only have an hour to talk to you today so that's not really enough time to bring somebody up from the audience and train them in how to be a social engineer. So instead here's a geek I prepared earlier. We had a couple of alternative names for this presentation. Well you're all really clever people so buffer overflows for you guys are easy. They're not for me, I'm not very clever at all. Lying is easy. Like we said, you can't go through the firewall, go through the secretary. And I don't mean that in any other way than please break into the building through the secretary. And it's very important as this is a security conference and it's a security talk to have a Sun Tzu quote. So to attack where they show etc. etc. I'm sure you can all read that so you have a fairly clear idea. We did have one other name which was screw you and the data packets you wrote in on but we weren't sure about that one so we moved past that quite quickly. So moving on, the theory of social engineering and Sharon will talk about some of the stuff behind what we do. So we've heard loads about social engineering lately and social engineering individuals is absolutely huge. 
We all get phishing attacks and hear of identity scams every single day. But is social engineering organisations actually a real problem? Alex and I love to run social engineering tests but we began to question ourselves over whether they were valid tests because we didn't know if it was a real problem. So we spoke to a few people in the defence industry, financial industry etc. to quiz them on if social engineering was a real problem. And the outcome was it doesn't seem to happen much but when it does it's phenomenally dangerous. So some examples from the past couple of years of social engineering: there was a guy in Antwerp who actually made friends with some bank staff and made off with £14 million worth of diamonds. And I quote what the press said about him was he used a weapon rarely used on bank staff and that was personal charm. The Comcast hackers who took down the Comcast website and webmail service last month claimed to have used social engineering in an interview with Wired. I don't know if your Comcast service is as bad as the services we get in the UK, but who can blame them. But my favourite story about social engineering in the last couple of years concerns a little kid in the States and this little boy is only about 10 years old and last year he decided he'd run away from home. So he went to his airport, he heard the last passenger announcement and he ran up to the security desk and he said that's me, I'm the last passenger. But I've lost my boarding card, my mum and dad are already on the plane and he was actually half way across America and had already changed planes by the time they caught him. So I think when this kid learns a bit about computers and what he can use his talents for he's going to be really, really dangerous. 
The important thing you should know about this child who managed to get his plane, see some of you might not realise that at about 3 o'clock on the day we were travelling from the UK I had to rewrite most of this presentation because she'd missed her plane. So this kid can socially engineer his way onto a plane but she can't even show up to get the right one. So we'll argue about that later. I didn't get the right plane, Alex came in a real cheap ass airline and I came in the lap of luxury and paid the cheap ass airline price, it was really good. So in actual fact she wins on the social engineering again which has infuriated me from the time she showed up at the pub. So we'll move on. So from some of these examples you might think that social engineers, well to be a social engineer you have to be sophisticated, smooth talking, suave, a kind of 007 type character. But actually it's probably more like Alex and myself who are the real social engineers. So just some quick notes, we're all geeks so we're all friends here, right? Hands up who's not a geek. I said hands up who's not, oh sorry, actually, fine. So basically this stems down to many years ago, freaks and geeks, sideshows. There were freaks who were people who were born in such a way that they would entertain people in these rather macabre sideshows and geeks were people who, they did things that nobody else would do like bite the heads off chickens and unpleasantness like that. Now we're avoiding the biting the heads off chickens but we are doing things that nobody else will do simply because we're interested. So like we say we kind of made ourselves and hopefully this video clip will work and you'll see what I mean. Ah damn it. Oh dear me. What are you laughing at? This flipping circuit board, Jen. Some chump has run the data lines right through the power supply. Amateur hour. Tears in my eyes. 
So there you have an example of, well, the IT Crowd so just to give them their credit, it's a fantastic show about people to some extent like us and that's the opinion that everybody has of us. You know we're these kind of outsiders, weirdos, sit in the corner, get on with it, etc. etc. So there's an assumption that we're a bit, well, rubbish really except when it comes to tech. So Sharon's got some things to say about that particular topic. So Alex and myself got to wondering, well, how are geeks perceived in modern society? So I decided to do a very scientific test and ask some of my non-geek friends to describe geeks. And actually it turned out I only have two friends, one's Alex and one's imaginary and they're both geeks. So here's my survey from interviewing random people around London pubs on how they describe geeks. Some words I agree with. I think, yeah, we probably are highly intelligent and obviously we are obsessed with technology. One or two descriptions, a little bit insulting actually. But then we got to thinking, actually you take these characteristics and maybe they are onto something. They've just got the wrong end of the stick. So where people in general think we're smartasses, we think we're quick thinkers. Where people think we're unrealistic, we think we're imaginative. Where people think we're into weird stuff and have strange hobbies, we think science fiction and role playing is absolutely normal. And where people think we're unfashionable, we think we're beautiful. We love our geeky t-shirts. But then we got to thinking that actually one or two of these attributes are actually really useful for social engineering. For example, our role playing skills allow us to come up with some really, really great scenarios to get into buildings. We're really good at making up stories that will actually let us in somewhere. We're intelligent. We're going to solve the problem. We're always going to find a way in. 
We're absolutely obsessive, so we will find a way in. Doesn't matter how long it takes, we'll find a way in. We're used to being the invisible guys at the party. Actually, we're pretty good at going unnoticed. So people don't really tend to challenge us when we're on site. And we look like geeks. We're good at impersonating geeks. We can talk to other geeks. We've geeky friends we can bounce our ideas around with. That's me and Alex. And best of all, we're obsessed with technology. So we know what the cool tools are for social engineering. We know how to make the most of our mobile phones, for example. Or in my case, how to use my little handbag with the secret video camera in it that the average person might not be able to do. So how do we go around making a social engineer? What can we do? What skills have we got? Well, research, imagination, plausibility. We can come up with plausible reasons for why we're trying to get into somewhere because we've all had people show up and talk to us and say, I need to get to this system or this room to do X. And it seems quite plausible at the time, mostly. So we're now able to use those things and extrapolate backwards and say, OK, well, it's quite plausible that a guy from the telecoms company is going to want to get into our machine room to look at the lines. So if I just phrase that in exactly the same way as I've heard it, I can walk into your machine room. And we've done it. We've walked in. We've shown up as British Telecom engineers, walked into somebody's machine room, been shown around everything, and been left alone. And generally speaking, we've had so much success with stupid little tricks like this. This stuff really isn't actually as hard as it seems. We've all got the skills to do it. And it's pretty easy to get together and do it. All it takes is a little bit of effort. Sharon said something before about how she could make anybody into a social engineer. There's only one proviso to that. 
I had a recent experience with a colleague of mine who we were working on a piece of work. And we'd set up the meeting. And he was very, very nervous because it is actually quite a scary thing to do for the first time when you're breaking into a building. And you're sitting there thinking, oh, god, my heart's going. And calm down. Calm down. I'll get this in the end. It'll be all fine. It'll be fine. And he took me aside and he said, we've made the initial connection to the client. We sold them our story. And we were willing to go in. Only after a couple of hours of talk, he got rather worried about this. And he said to me, I don't think I can do this. It's going to be too hard. He said, no, no, no. You'll be fine. Just calm down. Relax. Just play the role that you've been set. You'll be fine. He goes, I don't think I can do this because basically what we're doing, it's dishonest. Well, yes. And we're lying. Yes. And we're taking advantage of somebody's niceness. Yes. Yes, we are. Yes. I don't think I can do that. So the one thing you've also got to be able to do is actually be willing to do it. If you are too nervous about doing it, as in you don't feel that you could get it right, then you will fail. You've got to actually have some belief in yourself to do it. And it's having that will to do it. And to be honest, it is terrifying. It is scary. But it's great fun. And the adrenaline kick you get will last for days afterwards, months. And you'll wind up doing talks at conferences and going around the world. Yeah, anyway. So. So one of the good things about being a geek is people have certain expectations of us, which we can challenge. And you really need to use what you've got. But do you want to be sidelined? What? So a stripper. Yeah, we'll get on to that. Oh, right. So if you look at Alex and myself, for example, who do you think studied psychology, talking to people all day and stuff like that? And who do you think studied computer science? Show of hands. Her. 
Her. So he's a psychologist. I'm the computer scientist. But if I go into a building somewhere, people aren't going to expect me to be the computer scientist. And I really use that to my advantage. So I play roles like graduates, temps, school teachers, girlfriends. Stripper I have not yet actually played, but I think it would be really, really successful. Show of hands. Who thinks I could play the stripper? You, sir, are very strange. You, you're all very weird people. I see this as a public challenge. Very strange. Very strange. A public challenge to you, Alex, to go in somewhere as a stripper. Depends on the client. Anyway. So on the other hand, Alex, look and well, Alex is kind of an outer geek. I'm an inner geek. And he plays more geeky roles like engineers, techie journalists, delivery guys, that kind of thing that I probably couldn't get away with. So the lesson is you use what you've got and turn it to your advantage. We did a piece of work recently again, beginning of the year, where we went in as fire extinguisher inspectors. Now, I'm horrendously dyslexic, which you won't notice from these slides because I got somebody who can spell to check them mostly. If you do notice one, please tell me at the end because I won't care. Anyway, I went in as a fire inspector. I showed up and I prepared a bunch of props, including a list of this company's equipment, fire equipment, all the appropriate looking document, which I obviously downloaded from the net, and a set of forms that I'd put together in Word that had the company name at the top and a selection of information that I wanted to record from each of the fire extinguishers. We went in, we walked around, we were recording the fire extinguishers up until the point where the gentleman escorting us got bored and left us alone for a little while. We had freedom to do things. However, I suddenly realized that I'd misspelt the name of the company we were pretending to be on the top of the forms. 
So if you are having somebody show up, walk around your building, just have a quick look at the information and the props they've got with them because if they've misspelt their own company name, that's a really big giveaway that perhaps they're not legitimate. Just a hint. If they've even misspelt their own name, which is an experience I had before when pretending to be somebody else, I decided, best I did, to pretend to be Alex Smith. Once again, I can't spell, so I put the name wrong in the register. And on the ID card that I made and when I phoned up, I spelt it wrong. So they had three different spellings of my name, yet they still let me in. And it was meant to be my name. Generally speaking, people don't misspell their own names, but still. So I also went in somewhere as a fire extinguisher inspector before, but I went in representing the local council in England and I learned that that's actually illegal. So don't try that. So us as targets. We can't really talk about conning people if you don't assume that there's a chance that you could get conned yourself. So basically what it is, is if you're working in a support role or any technical role, you have a huge amount of information that could be valuable to an attacker. So we're kind of looking after the Holy Grail. It's in a castle somewhere and we told them we already had one, et cetera, et cetera, Monty Python joke here. Anyway, the thing about that is that there is a camaraderie between us, all of us. We're interested in technology. So when you phone up and you're talking to some guy at the far end, he's going to be interested in technology or he's going to be working at a bank, one or the other is possible. But we're going to be working together. So you make yourself feel liked by this person. It's very, very easy to do because we are geeks. They're geeks. You're just talking to someone. 
It's not much effort to chat to them and get on well with them and say, yeah, I know what it's like doing support roles. I've done support roles. They're dull. To give you an example, a couple of years ago, Alex and I social engineered this organization. We found the name of the IT manager pretty easily on the website. And we just did a Google search on him and found that he'd recently attended a security course actually, Certified Ethical Hacker. So we rang him up and we said, oh yeah, we attended this course as well. The guy was out of the office, but we got talking to his colleague. We said, yeah, yeah, we attended this course as well. We were on the course with Bob. We were just wondering if he was around, if he wants to meet up for a couple of drinks. And we got quite far in that one, didn't we? So this is once again, we're just like you. We've done these courses. We both have done that course. It's brilliant. It's excellent stuff. But having had those experiences, you meet people on courses, use it. You've all been on courses. You've all met people at conferences, use it. Say, oh yeah, were you at this conference or that conference or the other conference? And somebody somewhere will eventually say, oh yeah, I went to that one. Go, yeah, I'm sure I saw you there. I've met you before. All pretty basic tricks to make that initial connection. Obviously, we're not going to use Recon for such evil means. That's OK. It's going to happen. So social self-defense. How can we stop this stuff? Well, we don't trust people, generally speaking, especially if they phone up asking us for stuff. Most people in technical jobs go, well, actually, it would be all right to give. No, it wouldn't be all right to give you that. I don't want to. We have a very suspicious nature. And generally speaking, if somebody asks us for some specific information, to an extent, we will extrapolate and go through it and think, well, what could they do with that information? Although, you might get lucky. 
And generally speaking, we obviously all have a lack of communication skills. So it's really quite difficult to talk to us. Right? Maybe not. So if you are interested in doing social engineering, you can actually get paid for it. Alex and myself both do. It's really good fun. And it's really interesting actually trying to convince your organization to perform social engineering tests. This is getting a bit sales-like, but clients really go for it. They think it's a really fun thing to do. And although you don't get much money for social engineering, you can sell them loads of crap after that. And also, before I forget to say it as well, people sometimes say to me, that's really mean being a social engineer. You pick on individuals. It's really not nice. When we write our reports, we never name the individual. It's obvious enough to figure out who they are. But we never name the individual and we never blame it on the individual. More often than not, it's a case of failure of processes and procedures actually. Also the other thing is, if you manage to talk your way past a receptionist or a security guard, then you have a slight problem. If the organization decides to respond to this issue by getting rid of the receptionist or the security guard, is the new receptionist or security guard going to be any better? No, probably not. Whereas if they train the ones who we've conned or we've tricked into being more aware and understanding the kind of methods that we've used to get past them, they will improve their game. Yeah, that did actually happen to me. I social engineered an organization and they got rid of all their security folk. Their contract was up for renewal in a couple of months anyway, but they decided to bring in a whole new company. And within two weeks, I got past them as well. So they were really sorry about that. Running tests is really good because it makes people more aware and gives them practice at dealing with social engineering situations. 
So probably the first company would have been much better anyway. So the issue is basically, you know those T-shirts that say there's no patch for human stupidity, social engineer? You've seen those? There is a patch for human stupidity. Education, very easy. Or kill them. Education. Kill them. Yeah, politically contentious there. Anyway. So that's the fluff. Now onto the interesting stuff, we hope. What we want to talk about is, say for example you want to get into this industry and you want to do social engineering. So first rule of social engineering club is anyone? Oh, audience participation. Well, it is early in the morning I suppose. We're following the rules. Oh, good boy. Yeah, that's good. Yeah. Basically, where can you get informal practice? What we mean by credentials is when you phone your bank or you are dealing with a call center that requires information for you, only you, I hasten to add, see what you can get away with not telling them. So say for example they need your mother's maiden name. Can you talk them out of that and get something else? That one's really hard to do. Or if they need letters from your password and you go, oh, actually I've forgotten my password. I need to change it. How can I go about that? And just see what holes there are in those systems for your information only. I hasten to add before I get arrested or any of you lot do saying I was just doing what Alex told me to. When you phone a bank in the UK, they ask for a nine digit number. Well, they ask for certain figures out of it and sometimes you can almost just pose what you're saying if you like. They hear what they expect to hear anyway and they just fill it in themselves. They're really good like that. Yeah, they tend to be looking at a screen looking for numbers. So you give them something that sounds about right, roughly mumbled, there you go. Yeah, fine. Or talk really quickly in an Irish accent. That works for some of us, not for the rest. Rail cards. 
I don't know what you guys have in Canada in terms of transit systems, but in London and in most of the UK we have little bits of paper which are our tickets. And they're weekly, monthly, et cetera, et cetera. So what you try and do is you try and get past the guy checking your ticket with an old ticket. Still have your valid ticket in your pocket. I'm not suggesting that you jump trams or trains or not pay for your service. Have it with you, but see how many times you can get past somebody with old tickets or not showing them a ticket at all or showing them something that isn't a ticket. For example, I was told by somebody when I was doing a talk on social engineering that they got into a government facility somewhere using soft fruit. They used a pear. And somebody disputed whether it was soft fruit, but we'll move on to that. They held up a fruit and the security guard went, okay. We did a social engineering exercise on a client where we managed to get hold of an old coffee cup, the kind that came out of their vending machines, which were pretty distinctive. And when we walked into the building with a guy in just a shirt holding a coffee cup who looked like he'd gone out for a cigarette, they let him in because he had the coffee cup. So these authentication mechanisms are not authentication mechanisms. A plastic coffee cup and fruit are not a good way to work out whether somebody's meant to be in a building or not. Minor point. The pizza walk. Basically, when you're doing social engineering, there is an issue of how do you deal with something that you weren't expecting? I presume not that I'm pimping any company at all, but if you go into a fast food company like McDonald's or Burger King or whatever, and you ask for, or even a pizza company, and you ask for a special from another company, see what happens. 
Because they'll be, either they'll give you what they think their special is, that's fine, you might end up with some food you don't want, or they say we don't have it. And you have to be capable of dealing with people going, no, you can't do this. How do you deal with that situation? Okay, you look like a complete idiot doing it. You say, yeah, I'll have a Big Mac, we don't serve them, that's McDonald's. So, all right, I'll have the chicken McNuggets. It's like, no, we don't serve them, that's McDonald's. Just doing this and being able to deal with that situation where somebody throws you a curve and says no is vitally important when you're doing social engineering. Because there will be points, not often, but there will be points when somebody challenges you, and you have to respond in a way that gets around that challenge. So that's what we refer to as the pizza walk. Once again, informal practice. This is a picture of our friend, Nick. He's a fantastic social engineer as well. He's one of the other guys in the UK who we work with a lot. And this is him getting into a private party at Ferrari, I think it is, in Italy somewhere. He managed to get in. He just walked in, looked like he owned the place, they let him in. It's great stuff. So there he is, and he managed to get in. He wasn't doing anything illegal, he didn't take anything away, he didn't break anything, he just, he was interested. Didn't even get a car. He didn't even get a car, but you probably would have, wouldn't you? Yeah, right. So he managed to get in doing this. So there's other ways you can do it. I mean, don't break the law, and we'll get to that one in a minute, but you can still get practice in this without actually breaking into people's companies. It's a very bad idea to do it if you're not allowed to. Urban exploration, fascinating sub-area of hacking, geekery, that kind of thing. 
People who are into this sort of thing go into areas of cities that are not used or disused or abandoned or whatever. Very, very interesting. Sometimes quite dangerous, but kind of intriguing. However, once again, no lockpicking, no breaking into things, no breaking and entering, because that brings us kind of neatly to, well, there's a list of laws in the UK that I know you'd break if you were doing things you shouldn't. The impersonating government officials is what Sharon referred to before when she talked about going in to look at an organisation as the fire inspector. Trespass, well, obviously, places you shouldn't be. Deception, if you get anything for your lies, if you manage to con money or equipment out of somebody, then that's deception. Breaking and entering, obvious, going equipped, having the tools to commit a crime, theft, vandalism, la-da-da-da-da. These are all things that you could be charged with if you practice this and don't do it in a sensible way. So I'm not suggesting everybody goes out there and tries to break into, I don't know, Comcast or the power company or whatever. Just think about these things when you're doing them and you can get away with actually having the experience of doing little bits of social engineering or getting the skills you need if you want to be able to go to somebody and say, yes, I can do social engineering. So preparation and planning. What do you need before a social engineer? Well, you need to know where you're going, for example, Buckingham Palace, which we've never done actually. That'd be good. No. Not as an Irish person tries to put it in there. Make sure you've got a camera phone. Certain companies are slightly more generous with their budget on that one than some. So as you can see there, there's an improvised camera phone. And with the camera phone, do turn the sound off because it's really obvious when you take a photo and it goes, click. And also, high visibility jackets. 
Just imagine blending into the background in a high visibility jacket, nine times out of 10, this has got me into places I really shouldn't have got into just because I'm wearing something that looks like I'm a workman or a tech or whatever. There's a bunch of guys in the UK and they decided that London didn't have enough public benches. So they made it their life's mission to put more public benches in and around London City. So they put on a couple of fluorescent jackets and some hard hats and they actually managed to shut down one of the main roads in around Piccadilly Circus in London just by going in there, looking important and putting in a public bench. Preparation is pretty much the ultimate part in terms of actually having these things pulled off quite well. So in some cases you might actually get to prepare in a slightly different way. Now I'm sure that that wouldn't necessarily suit me, but it might suit Sharon. So preparing for getting into a place, if they're having a party, a Christmas party is often a good way to get into a building. So dress up, dress down, dress appropriately and find something that would get you into the place. But the thing you've got to remember is that whatever you do, I mean really, when you're doing a social engineering exercise, never, ever forget that. That is the one reason that you don't get done. You don't get banged up, you don't get taken away by the police or Her Majesty's Constabulary for a little bit of a chat. You definitely need your get out of jail free card. Now what we're talking about here is a letter from the client with contacts referring to who you can get hold of in their company, contacts that you can get hold of in your company to explain what you're doing there and that you're not meant to be banged up. And basically just a way of getting out of jail free. It's essential that you've got multiple copies of this. It's essential that they're properly dated. 
It's essential that the client is actually there and also it's a point of pride that we've never had to use them. So we've always had them but never, ever have we been caught in such a way that we've actually had to give up. We kind of refer to it as the second nine methodology, as in the only time you give up is when they're dialing the second nine of 999 or 911 in this case. And people are really, really reluctant to challenge you. I think we've been challenged once or twice and you get over the first initial challenge and they're fine. They really feel like they've done their part already. So yeah, there is a methodology for social engineering. There's really, really not much to it. You've got a couple of phases and each phase fits into the next. So at each phase you get a little bit of information. Might be the information you're after in the first place, in which case you stop, or you use it to go on to the next phase. So generally for us it fits into looking stuff up on the internet, calling people up on the internet, and eventually going on site for what we like to call extreme social engineering, which is the best one. So where do you start when you want to do your intelligence gathering? Well, the company's website is really, really useful. Things that you wouldn't normally look at, like company reports, have tons and tons of information in, like people's names. So people you could impersonate or people you could target, important people whose names you could drop if you really want to. I don't know if many of you are aware of the Maltego tool. It's really, really good for passive information gathering, written by some guy in the UK. I should also say about that. It recently went corporate and then went community again, which is kind of cool. So there's a corporate version that is very, very cool, and there's a free version. And the last email I saw basically said, use this tool responsibly in the same way as drink Jack Daniels responsibly. 
It's pretty good, and it's very, very useful for all that initial information gathering. One of the best places you can look for information, and this has really come on in the last couple of years, is social networking sites. They are absolutely superb. Particularly the likes of LinkedIn allows you to map an entire organization. You can practically get the whole org chart from LinkedIn. Once you get a couple of names, map it through, find out who works for who, who's so-and-so's secretary. It's really, really useful. So one quick question. Well yesterday there was a talk and somebody said who had a Facebook page, right? So how many of you were lying? Okay. The interesting thing about having a Facebook page or having LinkedIn is it's useful for information gathering. So have one, just cripple it so that you can put yourself on the right networks and actually collect that data. So you can find out about these people ahead of your social engineering attempt. Also it's not a bad idea to look at things like Google hacking because there's all sorts of cleverness you can pull out of there that you can use for social engineering attacks or further information gathering. Google Maps is obviously really useful if you want to go on site. Find out what's near the building. See if you can see any entrances for people coming in or out that you can use. Where do the smokers congregate, et cetera. So when you phone people up, how do you do it? Well once again this is the whole idea of the camaraderie that we're talking about. I'm just like you. I used to do your job. So say for example you phone up and you pretend to be an ISP abuse team member. So you're saying we're getting terrible really bad emails from somebody in your company. We just need to find out who it is. We've got a list of names. Can you tell us who it is? After about the third name, they'll start giving you names. So you're collecting that information from them. 
So this is the kind of the classic social engineering attack where you're safely in another building, maybe in another country, in another part of the city. You're able to talk to these people on the phone without actually getting too close to the target. Freelance IT journalist, you'd be surprised how many people give away very detailed information about their organization to somebody who claims to be a journalist. These people write this stuff down and put it in publications or on the web and people will give this information to them because well they're on the phone, it's safe. The guy seemed to be quite nice. So, for example, I was on the phone to a client and got chatting to this guy who managed the help desk and asked him all sorts of tedious questions about whether he thought he got enough staff training, whether he thought that his team had the appropriate skills they needed and he was very, very happy to talk to me about it. Then I started asking him about his security side of things. Did he want training in security? Was that something that was vitally important to his organization? And then he started to share information with me about how the schema for their password system worked when they reset it. So if I was to then phone up and ask for a password to be reset, I'd know roughly how it would have been reset using their favorite football team or the last score or the last game of their favorite football team plus the date that it was reset on. You get these little juicy tidbits of information, you try and put it together and go, well that's way too much information to be giving out to somebody when they're in this situation. There's no reason to give that away. Furthermore, in this particular case, the guy basically told me that if I was to be on site at his company, I would probably be able to walk around the building, find pads on people's desks and flick the three pages down and I'd find their passwords. I thought that's fantastic. 
So when I was on site at his building, I walked around to these desks that he'd already told me roughly where they were in the building. I flicked three pages down into the pads and found some very critical passwords. So this information that he was giving because he thought I was no threat, I was on the end of the phone, allowed me to get more when I went on site. Recruitment agents, everybody wants a new job, right? So they'll tell you all sorts of things about you. Send them, ask them for their CVs, home addresses, companies they've worked for previously, further information you can throw into your information gathering on Google or whatever to find out about the target organization you're working for. And the one that I haven't done but Sharon has was the charity worker. Yeah, the ethics of social engineering are really, really interesting actually. I was social engineering an organization, I looked on their website and I saw that they're really interested in corporate social responsibility and I teamed up with this charity to do loads and loads of work with them. So they're really, really promoting this. So I rang up not actually as a charity worker but as another, as somebody from a different organization interested in working with this charity. So I got talking to the lady for ages and ages about the kind of activities they do and eventually I just kind of brought it to a close and said, hey, how about we meet for lunch one day? And then afterwards I felt really, really guilty and couldn't go through with it so I canceled that because I thought that was really, really awful, actually taking advantage of charity stuff to get in somewhere but it really works. Another one I did, another company had entered a team into a charity run, a charity 10K run and they promoted this heavily as well. 
So I got a list of the people who ran in it, the winners, that was published online somewhere and I put it in an Excel spreadsheet and emailed it to the organization as a Trojanized email. So I said congratulations to everybody who entered the race, here's a list of where you came and particular congratulations to John Smith who came first in the race, hope to see you again next year. So that was really good, that worked but ethically dubious. Yeah, the worst one I've had in that respect was phoned up a client, spoke to the client, had a fantastic chat with this wonderful person who gave me all sorts of fantastically useful information and right at the end I said, all right, you've been really helpful, I'd like to put your name in a draw for a bottle of champagne, okay, she gave me her name, I said, and you've been so helpful, I'm going to send an email to your boss telling him how helpful you've been and this really nice person turns around to me and says, well, that'd be really good, I only started here two weeks ago. You should have sent them a bottle of champagne. I felt so bad about the whole idea of, if you've only just started two weeks ago, you obviously haven't been trained to understand that this kind of thing is a risk. So best if you are, but still, you do feel like scum sometimes. So there is an issue of how do you deal with this, can you avoid feeling bad? No, but can you protect that person? Probably. So once again, removing names, making sure that their boss doesn't actually find out it was them that gave you all the information. So recon, yeah. Reconnaissance of the place that you're going to break into. I have spent many hours doing this and it is dull. And cold in London. Really dull and cold. 
The problem with recon is that, not recon, but the problem with reconnaissance is that you have an issue where you could dedicate months to it, absolutely huge amounts of time and still not see everything that happens on that building, or all the people who come in or go out or whatever. So you have to make a guess. You kind of look at the size of the building, okay, well, six floors, fine. Roughly maybe 150 staff, maybe more, maybe 200-ish. I'm going to dedicate two days to this. And then you spread that two days out over maybe three weeks, or you do it in a two day block or however. But it really is, this is just the finger in the air kind of thing. You're never going to be sure about this because you could just miss the fact that every Saturday they leave the gates open and you've only checked on Monday and Tuesday. So this is a real issue actually. If you get this right, this is a lot more by luck than judgment, but it can really let you in. Also, when you're doing your recon, make sure you have a get out of jail free card because it might just be that some idiot does leave the door open and you can get in there and then and you have to do the attack then. So that can be risky, but once again, have the letter with you and you're probably sweet. So it's more a case of looking for how people ingress the building, egress the building. Do people go out for lunch? Do they stay in for lunch? Do they come in with bags of food? For example, one social engineering job that not myself but one of my colleagues was on, they noted that there was a big security presence at this building, in and out, guards, gates, the whole bit. And when everybody went for lunch, they went for lunch through a hole in the fence because it was close to the shops. 
So they bought some fruit from the shops and they walked in with a plastic bag which had the name of the shop that was closest and they got let straight in the building with a group of people because the staff were finding ways around the security because obviously the security wasn't working and they were able to get in and get out. Once again, authentication through plastic bags, not a good idea. Moment of max stampede, that's not our quote, that's another gentleman's quote, but the idea is finding the point at which everybody's going in. So first thing in the morning, everybody's going in. Straight after lunch, everybody's going in. That's the time when the security guards are going to be the most busy, that's the time when you attack. Quite simple. And looking for unusual ways in, like I said, sometimes there's underground car parks. I have done some wonderfully fun stuff where I marked a nine digit keypad or a 10 digit keypad with some lines to see if anybody pressed the buttons to work out what they were. Unfortunately I discovered a bit later that they decided to disable that and what happens is that a security guard comes out and opens the door for you. So I was a little bit disappointed by that. It was my moment of James Bond glory and it fell flat. So there we go. So you've done your recon, you decide to actually go in for the kill and get into the building. Obviously it's taken a lot of preparation and you've put a lot of thought into deciding if you have a legitimate reason or if you're just going to sneak in. So as Alex said, depending on the size and I guess the security posture of the organisation, you can either maybe try tailgating your way in. I often go in just carrying a couple of cups of coffee or wheeling my laptop bag behind me and people open the doors. But if the controls are a bit tighter than that, you're probably going to have to set yourself up with some more legitimate reason for getting in there. 
So set up a meeting with somebody there in advance, something along those lines to get in. You need to decide if you're going to target any random individual, follow them in, ask them a question and walk in with them or if you're going to pick on somebody that you've planned all along. And what I found really important is you must have an exit strategy. And I fell for this one myself lately. I was in an organisation, social engineering it. I told some of you guys about it yesterday I think. I ended up hiding underneath a help desk for the best part of an hour, sniffing some network traffic and stuff. And then I walked around the building for another hour because I just couldn't get out. You needed a pass to get out and I was absolutely stuck. And there's a guy waiting for me outside the building. I was really, really stuck. I couldn't get out. I'd done some brilliant social engineering and if I were to turn myself in at that stage, it would be really terrible. So I was walking along and I saw a group of about a dozen people following this guy who was giving some kind of tour. So actually they're a pretty rough looking crowd. I went up to the biggest and the baddest looking guy with a huge diamond earring about this size. And I find when I'm social engineering, Alex will probably agree with me, but it really helps to wear a low cut top, which I know he does the whole time. So up to this guy I'm like, can I join your tour? And he didn't know what to make of it. So he's like, yeah, come on. The guy who's giving the tour, I see him looking at me kind of funny. So straight away I whip out my mobile phone and I start talking really loudly and obnoxiously on it. I was actually calling the guy outside to say I think I might be onto something. So I was like, yeah, yeah, just join this tour. It looks really, really good. Yeah, I think I'll be out. It's over in about 20 minutes. So the tour turned out to be a catering school, learning how to cook fish and chips. 
So I'd spent half an hour learning how to cook fish and chips. I'm a really bad cook, so it was probably good that I did it. And the guy who was giving the tour actually shook my hand on the way outside. It was really nice to meet you. And he said, you know, I was going to tell you earlier and get security to escort you out, but you're on your phone, so I couldn't disturb you. Just goes to show, you know, it's really good. Nobody will question you if you're on your mobile talking really loudly. One of the things that I've noticed as well is if you've got a feeling that you're about to be busted, and you might, it does happen that you think, that guy is walking towards me pretty intensely. He was sitting over there, and I'm sitting here, and now he's walking towards me. Right, what do I do? You've got, you need to have like a backup plan. And this is the discussion about exit strategies. However, I found it's really useful if you look a bit like a techie to, before he opens his mouth, say, can I see your security pass, please? And that will throw him on the back foot straight away. At which point he'll go, why? And you go, well, I'm doing a security sweep. And they go, oh, all right, all right. They'll show you the pass. That's quite useful in itself. You say, well, I'm not sure about this. Can we try that door there? You swipe the pass. The door opens. You say, well, that seems all right. Now, whatever you do, because we're doing a security sweep, don't tell anybody, because there might be people around here we've got to stop. At which point the guy goes, well, you're obviously legitimate, because nobody who's illegitimate, who's not meant to be here, would ask me for their pass, would they? No, hang on. So you then walk out the door, and you have freedom, and you're escaping. And to be honest, that can be terrifyingly scary, especially when you think you're about to be busted. I think that would work for you, Alex. 
But no one's going to believe that I was doing some kind of security test, actually, Richard. Tough for them, huh, huh? But I think if I were ever challenged like that, I just pretend I'm lost. I'm a real bimbo. I'm lost or whatever. Start crying if I have to, and then they help me. Damsel in distress style. Works better for me than playing the geek. So once again, everything we're saying is kind of play to your strengths. Know what you're good at. If you look like a geek, be a geek. Don't pretend to be an accountant. If you look like an accountant, pretend to be an accountant. That's the thing. You need to, to some extent, to consider yourself as, would I stop me getting into this place? And if the answer is, well, no, it would seem all right, then you're probably all right. I'd stop you. It wouldn't stop me. Yeah, thanks. So, yeah, basically, this comes down to, I fancy trying this idea out. This gentleman here is, well, I'll move on to the next slide, and you can have a quick read. So it is a bit long, so I do apologize, but do have a quick read. Everybody got that? Good. So basically what we're saying is that they'll let any old clown in. So what we want to do is we want to take this and say, as an example of a way to get in, it's not always the subtlety that will get you in the door. Some of these are completely insane. There's a group of people who do political activism, who use these same techniques to get into buildings that we do for security testing. Now, we tend to try and make them a bit more subtle, and I've never dressed up as a clown, although, God, if somebody would pay me to do it, I'd love to try it. But it's a demonstration of the fact that sometimes the more obscure it is, the more people just go, well, all right then. So these things can happen. So now we come to the bit where we actually need some, well, audience participation, but not actually here a bit later on. If people are interested in this, we're trying to set something up. 
So we've got a plan for the future, and Sharon will explain. So Alex and I represent a small group of individuals in the UK who meet a couple of times a year to discuss social engineering techniques that we've tried that have or have not been successful. And we've decided to call it the Ethical Association of Social Engineers, because Alex thinks this spells easy because he's dyslexic. So we just intend creating a forum for people to share ideas and methodologies, because when you're doing ethical social engineers, you've got a limited time frame, and sometimes it can be difficult trying to come up with a new idea that works every single time. So if you could just take somebody else's idea and maybe adopt it, it's really good. So we had some kind of store of these ideas. It would be really useful. And we'd love to hear from anybody else who has done social engineering or is interested in doing social engineering. And Alex, do you want to say your last line there? I know you're proud of it. Yes, yeah, white hat, not complete twat. That's that simple. Don't be an idiot. You're there to test somebody's security. You're not there to get people in trouble. So we're trying to put together a set of behaviors for on-site attacks on the phone. For example, Sharon noted some time ago that there was a group of guys who did a very successful social engineering demonstration where they pretended somebody was dead and got a lot of information from the organization they were working for. But think about it this way. If you're sitting there and you're doing your job or you're on holiday and somebody phones up and says, yes, this person's died, and they go through all the process of having this person leave the organization, contacting his relatives, sending them flowers. I mean, the emotional distress that you are causing this person's family is immense. It's not nice. We want to be invited back for tea afterwards. 
A successful social engineering attack should not be the kind where you've burned all your bridges. We want to be able to leave a nice, juicy hole in their defenses so that next time when we come back, we can sit down with them, have a cup of tea, and they don't want to kill us. We're not about pissing them off. We're about showing where the problems are. So the idea is to come up with some ethical behaviors to use during social engineering attacks that are not actually going to cause people, you know, the company's loss of property, loss of working time, or emotional damage to their staff. We're not about causing people problems. We're about fixing them. I actually, I was reminded of that story early in the week, Alex. I forgot to tell you, I was pen-testing an organization and found an FTP server full of death certificates. And I thought, shall I take a copy? But then I remembered our stance on being ethical social engineers and decided not to, or not that I'd admit to anyway. So basically, that's us. Please feel free to mail us. We'd love to hear war stories, ideas, tricks, descriptions of stuff, the way in which you've come up with ways of getting into places you probably shouldn't. You can file off the serial numbers as much as you like, and we'd rather it that way. We don't want any client details. We don't want any organizations embarrassed. We just want to have a set or a library of techniques that we can all use and share with each other to be able to do our jobs better. Because I'm sure that everybody will have come up with some clever ideas and want to share them with us, and we're quite happy to put something together. We've been looking at a couple of places of starting to look at social engineering as a methodology, but we want to be careful that we don't just have it as a script. Because if it's a script, it's not going to work. It's that simple. 
We want to have people being creative, coming up with new ideas, anything from making ID badges to breaking into places via picking some locks. A very useful book on this is the No Tech Hacking book. I'm sure everybody's seen Johnny Long's presentation on it, which is fantastic. But that book definitely has some breakdowns of information in terms of social engineering attacks and also just breaking into places that you probably shouldn't. That's basically the end of our talk. Any questions? Yeah? Did you ever use your gender well to get into places? Say again? Did you ever use your sexuality to get into places? Did I ever use my sexuality to get into places? I didn't know I had one. No. No. I try and be nice. Sometimes that might come across as being a little bit too friendly with certain people that I like. I have actually a serious question. So outside of Britain, how long have you been in the US? The organization I work for have done this in the US and in Europe. Some of my colleagues have, before they worked with me, have done this in Europe as well. I'm very, very interested. There's a talk I want to do at some point about the differences between social engineering in the UK, the US, Europe. I think that's a very valid point. The cultural differences between different countries are just so immense. It would be nice to have that information. That's one of the things we wanted to look at in our ethical association, our big easy. We were talking to an Italian guy the other day and he said to us, actually, you know what? These techniques would not work initially because people are really, really suspicious over there and really concerned about security. I did raise the fact that they published every citizen's tax details on the internet a couple of weeks ago, but he maintained that they were really security conscious and these techniques just wouldn't fly initially. 
In Ireland, on the other hand, people really, really want to help you and probably to get in somewhere you just say, well, I'm your cousin, let me in. That's actually a very important quote. I think the issue with this is quite simple. There is a way in and there is a way to attack these organizations and societies and organizations in different societies. That might simply be down to power structures. Say for example you're in, in theory, I've never done this, but say for example you're in Japan and if you're able to say I am more senior than your boss, do what I say, then perhaps people will listen to you. Whereas in the US, because it's service culture and in the UK, if you say please help me, people are more likely to listen to you. So in terms of the power angle that you take, it is going to be dependent on the organization, where they're based, as much information as you can get. So research, once again, that's always going to be a friend. You've got to be careful though. I was asked to do a social engineer in China, where the last guy who tried it was shot. And I turned that one down. I was asked to do one in Qatar near Dubai recently and I thought, well you know what, I can't really go in as a woman. They're really not going to expect me to go in there. So it's really interesting looking at what works in different countries actually and it's something we would love to explore further. Any other questions? Fantastic. Excellent stuff. Well thank you very much for your patience. Thank you. Please, please, please, if you have done this before or you're interested in it, contact us, because we're wanting to put together something legitimate and the more people we get who are actually into this and not just social engineering to get free pizza. Although if you do, do the pizza walk and get free pizza, let me know. That'd be kind of cool. But yeah, if you're into this and you want to do more of it and you want to work with us, please feel free to contact us. 
We'd be interested in chatting to you about the difference between UK and the US and Canada and France and wherever you're from. It'd be good. So please help us out. Thank you very much. Thank you.