
Information is the life blood of social engineering.

Joe ponders how a phone number is obtained. Dave's friend avoids a Google gift card scam. Christopher Hadnagy returns with an update to his book, The Science of Social Engineering.

Transcript

Christopher Hadnagy: [00:00:00] Information is the lifeblood of the social engineer.

Dave Bittner: [00:00:04] Hello, everyone. And welcome back to yet another episode of the CyberWire's "Hacking Humans" podcast. This is the show where, each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: [00:00:27] Hi, Dave.

Dave Bittner: [00:00:27] Later in the show, we're going to be joined by a returning guest, Christopher Hadnagy. He's a social engineering expert. He's got a new edition of his book out, and he's going to tell us all about that.

Dave Bittner: [00:00:37] And before we jump into that, though, we've got a quick word from our sponsors at KnowBe4. So what's a con game? It's fraud that works by getting the victim to misplace their confidence in the con artist. In the world of security, we call confidence tricks social engineering. And as our sponsors at KnowBe4 can tell you, hacking the human is how organizations get compromised. What are some of the ways organizations are victimized by social engineering? We'll find out later in the show.

Dave Bittner: [00:01:13] And we are back. Joe, you want to kick things off for us this week. What do you got?

Joe Carrigan: [00:01:17] Well, I got a story from a friend of mine, actually. This is interesting, I thought. His daughter works in a mall.

Dave Bittner: [00:01:23] 'K.

Joe Carrigan: [00:01:23] And somebody got her phone number to begin communicating with her.

Dave Bittner: [00:01:27] OK.

Joe Carrigan: [00:01:28] So here's how this worked.

Dave Bittner: [00:01:29] Wait - welcomed communications or unwelcomed communications?

Joe Carrigan: [00:01:34] I think they're welcomed. I don't know.

Dave Bittner: [00:01:34] OK.

Joe Carrigan: [00:01:34] And I would like to talk about it here because I found it a little bit disturbing. And my wife was actually involved in this conversation as well. What happened is she works in a mall. And somebody came into the shop she works at and says, I need to use your phone to make a phone call.

Dave Bittner: [00:01:48] Is this a stranger or someone she's an acquaintance with?

Joe Carrigan: [00:01:52] This is someone she knows...

Dave Bittner: [00:01:52] OK.

Joe Carrigan: [00:01:52] ...Someone that also works in the mall.

Dave Bittner: [00:01:53] OK - so someone she's seen around.

Joe Carrigan: [00:01:55] Correct.

Dave Bittner: [00:01:55] All right.

Joe Carrigan: [00:01:56] So she lets the guy use her phone.

Dave Bittner: [00:01:57] OK.

Joe Carrigan: [00:01:58] The guy makes a call. And then he hands her phone back to her and says thanks...

Dave Bittner: [00:02:02] All right.

Joe Carrigan: [00:02:02] ...And walks out.

Dave Bittner: [00:02:03] All right, no problem there.

Joe Carrigan: [00:02:04] Yep. Shortly thereafter, she begins receiving phone calls from him.

Dave Bittner: [00:02:08] Oh.

Joe Carrigan: [00:02:08] Right? So he got her number somehow.

Dave Bittner: [00:02:10] OK.

Joe Carrigan: [00:02:26] And the girl's father and I are, of course, sitting there going, how did he do that? What did he do?

Dave Bittner: [00:02:26] Right. Was he rifling through her contacts list? Or...

Joe Carrigan: [00:02:26] Or did he, you know, spend time going through her - you know, going through her phone settings and looking up her phone number?

Dave Bittner: [00:02:26] Right.

Joe Carrigan: [00:02:26] And my wife comes up with the simplest explanation.

Dave Bittner: [00:02:26] (Laughter).

Joe Carrigan: [00:02:27] Right? She looked at us and she goes, no, dummies...

Dave Bittner: [00:02:32] (Laughter).

Joe Carrigan: [00:02:32] ...He just called his phone from her phone.

Dave Bittner: [00:02:35] Oh.

Joe Carrigan: [00:02:35] And her phone number comes up on the caller ID, and then he adds her to the contact list. And that's how he did it. I thought that was interesting. And I'm like, well, that's brilliant; I'm going to have to talk about that on the next "Hacking Humans" podcast (laughter).

Dave Bittner: [00:02:47] Yeah, that is interesting. So he's using this excuse that he left his phone in the car.

Joe Carrigan: [00:02:55] Right. Can you help me? I need to make a quick phone call.

Dave Bittner: [00:02:55] And this is a way to get perhaps someone who had his eye on...

Joe Carrigan: [00:02:58] Right.

Dave Bittner: [00:02:58] ...Get her contact information.

Joe Carrigan: [00:03:00] Exactly. It's a good way of asking - can I have your number? - without actually asking, can I have your number?

Dave Bittner: [00:03:05] I question if this is a good way to build a trustful foundation of a new relationship.

Joe Carrigan: [00:03:11] I also question that.

(LAUGHTER)

Dave Bittner: [00:03:13] Right? I mean...

Joe Carrigan: [00:03:16] I mean, you know, I don't know about you and how most women think. But if a guy...

Dave Bittner: [00:03:20] I don't know how most women think, Joe.

Joe Carrigan: [00:03:22] I don't either.

Dave Bittner: [00:03:22] It's been - I've been married for almost 25 years. And it remains a mystery...

Joe Carrigan: [00:03:25] But I wonder...

Dave Bittner: [00:03:26] ...A wonderful mystery, by the way.

Joe Carrigan: [00:03:27] Yes.

Dave Bittner: [00:03:27] I love you, dear.

(LAUGHTER)

Joe Carrigan: [00:03:29] I will tell you how my wife would have reacted to somebody who did this.

Dave Bittner: [00:03:32] Yeah?

Joe Carrigan: [00:03:32] The first time they call her, she would say - how did you get my number? And then she would have put it together, of course, because she figured this out. Right?

Dave Bittner: [00:03:38] Yeah.

Joe Carrigan: [00:03:39] She's a smart woman.

Dave Bittner: [00:03:39] Yeah. Well, remember - they are always smarter and one step ahead of us - always.

Joe Carrigan: [00:03:43] Definitely.

Dave Bittner: [00:03:44] Yeah.

Joe Carrigan: [00:03:44] I've got to take my wife to DEF CON next year...

Dave Bittner: [00:03:48] (Laughter) OK.

Joe Carrigan: [00:03:48] ...And take her to the Social Engineering Village (ph) because I think she has a great future in that.

Dave Bittner: [00:03:52] Right, right.

Joe Carrigan: [00:03:53] But you're right. I find this a little bit creepy. If it were me, I'd be blocking that number. You would not be able to get through again, for no other reason than the surreptitious nature in which you acquired my phone number.

Dave Bittner: [00:04:03] Well - and it also strikes me that the first time that this guy calls her, he's not in her list of contacts, so his name's not going to come up...

Joe Carrigan: [00:04:12] Right, exactly.

Dave Bittner: [00:04:13] ...'Cause I don't answer...

Joe Carrigan: [00:04:13] Yeah, I don't...

Dave Bittner: [00:04:14] ...Any calls - if they're not in my...

Joe Carrigan: [00:04:15] If it doesn't come up with a name, I don't answer it. It goes right to voicemail.

Dave Bittner: [00:04:18] So...

Joe Carrigan: [00:04:18] Or I do call it and try to annoy whoever is on the other line.

Dave Bittner: [00:04:21] Yeah. But we're old. So maybe the young kids...

Joe Carrigan: [00:04:26] (Laughter) We are old.

Dave Bittner: [00:04:26] Maybe they just answer...

Joe Carrigan: [00:04:26] These kids today might answer the phone.

Dave Bittner: [00:04:40] They see who - yeah, they're much more adventurous and have more free time and all that stuff than we do. So yeah, that's an interesting one. I wonder - how would you protect yourself against that? I mean, obviously don't hand your phone to someone.

Joe Carrigan: [00:04:40] Yeah.

Dave Bittner: [00:04:41] But this was someone she was familiar with. So she thought she was just helping someone out.

Joe Carrigan: [00:04:44] Right. Yeah, I don't know how you protect yourself with it. You know, just say, I don't have a phone right now.

Dave Bittner: [00:04:50] Right. Yeah.

Joe Carrigan: [00:04:51] Or say I have a prepaid phone, and I'm out of minutes, so no.

Dave Bittner: [00:04:55] (Laughter) The problem is everybody always has their phones out. So being able to say - how many times do you go into a retail store these days and the people are all standing behind the counter looking at their phones?

Joe Carrigan: [00:05:05] Yeah.

Dave Bittner: [00:05:05] Yeah.

Joe Carrigan: [00:05:05] I don't know how you protect yourself against this. I mean, this is just a creepy thing. I guess the answer is, when you get a first phone call, you go - you know what? - this really creeps me out. Please don't call me again.

Dave Bittner: [00:05:14] Right. Thanks. Yeah. Move on, weirdo (laughter). All right. Well, that's a good one. My story also comes from a friend of mine. This is a friend of mine. I'm going to call her Debbie (ph) because that's her name.

Joe Carrigan: [00:05:27] OK (laughter).

Dave Bittner: [00:05:28] And she works in HR for a tech company. And one day, she came in to work, and she got an email from her boss, the CEO of the company. And it said, please let me know if you have time to take care of something for me within the next hour. And so she responded to the email and said, certainly; I'm happy to help with whatever you need, boss. And the response was, I'm going to be meeting with some clients this week. Would you please go out and get me some Google gift cards?

Joe Carrigan: [00:05:58] Google gift cards.

Dave Bittner: [00:05:59] Google gift cards. These are gift cards - similar to Apple Store gift cards...

Joe Carrigan: [00:06:03] Right.

Dave Bittner: [00:06:04] ...I guess Google has their own version of this.

Joe Carrigan: [00:06:06] Yes.

Dave Bittner: [00:06:06] So now, she was unfamiliar with really what Google gift cards are, so she did a quick, well, Google search. And sure enough...

Joe Carrigan: [00:06:15] And I'll bet Google goes - hey, we got gift cards right here.

Dave Bittner: [00:06:15] Right, exactly. Yeah, you don't need any of those Apple gift cards.

Joe Carrigan: [00:06:22] No, buy these.

Dave Bittner: [00:06:22] Buy these, yeah. So she actually gets in her car, heads over to the local supermarket, the Safeway, and buys $1,000 worth of Google gift cards.

Joe Carrigan: [00:06:31] Wow.

Dave Bittner: [00:06:32] Her boss said, I need 10 gift cards, $100 each. So she goes, and she uses her company credit card, buys $1,000 worth of cards, comes back to the office, emails her boss and says, hey, I've got these cards. What would you like me to do? He says, terrific; can you email me the numbers off the cards? So she starts emailing him the numbers. Now, lucky for her, the numbers on the cards are very, very small.

Joe Carrigan: [00:06:59] Right.

Dave Bittner: [00:07:00] And so, turns out she misreads some of the numbers. And she gets an email back from her boss that says, hey, these numbers aren't working quite right. You know, can you just check it? And please, send it to me again. So she says, you know what? This is ridiculous. I'm just going to go down the hall and hand these cards to my boss.

Joe Carrigan: [00:07:20] Right.

Dave Bittner: [00:07:20] And then he can read them. You know, maybe his eyes are better than mine, whatever. He can do what he wants with them. So she goes down the hall and knocks on her boss's door. He's happy to see her. She says, hey, I got these Google gift cards. And he says, oh, well, that's - I guess that's nice. I could see there being some times when we'd want to use Google gift cards. It was nice of you to think of that. I'll hang on to them. And she says, wait; you didn't want me to go buy Google gift cards? He says, no.

Joe Carrigan: [00:07:49] Uh-oh. The jig is up now.

Dave Bittner: [00:07:56] The jig is up. Right. So turns out - I'm sure, you know, our listeners saw this coming a mile away...

Joe Carrigan: [00:07:56] Sure.

Dave Bittner: [00:07:57] ...It was not her boss who had been sending her these emails.

Joe Carrigan: [00:07:59] Right.

Dave Bittner: [00:08:00] It was someone who had spun up an email address that looked just like her boss's. So they'd done their homework, and she fell for it. Now, another interesting component of this is that when she contacted Google to say - hey, can we deactivate these cards? - Google said no.

Joe Carrigan: [00:08:19] Really?

Dave Bittner: [00:08:20] Yeah, they said no. So she contacted the grocery store...

Joe Carrigan: [00:08:24] Right.

Dave Bittner: [00:08:24] ...Where she bought them. And they said, oh, yes, absolutely. We'll deactivate the cards and refund your money.

Joe Carrigan: [00:08:30] Really?

Dave Bittner: [00:08:30] Yep.

Joe Carrigan: [00:08:30] So the grocery store hits one out of the park here.

Dave Bittner: [00:08:32] Exactly. The grocery store was able to get her money back right away, deactivated the cards. So all's well that ends well.

Joe Carrigan: [00:08:39] But Google couldn't do anything?

Dave Bittner: [00:08:41] I don't know that they couldn't or they wouldn't.

Joe Carrigan: [00:08:43] It sounds like they wouldn't.

Dave Bittner: [00:08:44] Yeah.

Joe Carrigan: [00:08:45] Come on, Google. You're better than that.

Dave Bittner: [00:08:49] (Laughter) Yeah, I guess they choose not to be. It could just be a matter of the volume of scamming that they deal with.

Joe Carrigan: [00:08:56] Yeah.

Dave Bittner: [00:08:56] The grocery store was better equipped to handle it.

Joe Carrigan: [00:08:58] Yeah, maybe the grocery store is better equipped to handle - exactly.

Dave Bittner: [00:09:01] Yeah.

Joe Carrigan: [00:09:01] You took the words right out of my mouth.

Dave Bittner: [00:09:02] Yeah. So a cautionary tale - how could you protect yourself against this? A couple of ways, I suppose. I've seen many organizations have emails that automatically get flagged if they come from outside the organization.

Joe Carrigan: [00:09:15] Yes.

Dave Bittner: [00:09:15] Right? It's like those old horror movies.

Joe Carrigan: [00:09:16] Right.

Dave Bittner: [00:09:17] The call is coming from inside the house.

Joe Carrigan: [00:09:19] Right.

Dave Bittner: [00:09:19] Yeah. So that would flag the email from the boss.

Joe Carrigan: [00:09:24] This email came from an external source?

Dave Bittner: [00:09:24] Correct.

Joe Carrigan: [00:09:25] Yep.

Dave Bittner: [00:09:25] So that would help. But then also just - you know, before you go out and buy $1,000 worth of stuff or even more, maybe just walk down the hall, knock on the door and say, hey, I'm heading out to buy those gift cards you wanted. You need anything else while I'm out? (Laughter).

Joe Carrigan: [00:09:40] Right. Yeah, that's a good idea. I mean, we talk...

Dave Bittner: [00:09:42] You need a gallon of milk?

Joe Carrigan: [00:09:43] We talk about this all the time.

Dave Bittner: [00:10:01] Yeah.

Joe Carrigan: [00:10:01] And we talk about when you're getting hit up by someone you think is your boss to move a large amount of money, this would be a good time for a phone call or a visit to the office just to make sure that this is someone you're talking with...

Dave Bittner: [00:10:01] Yeah.

Joe Carrigan: [00:10:01] ...That you're talking with the right person. However, $1,000 might not seem like a lot to a person in a corporation, depending on how transactions are on a regular basis.

Dave Bittner: [00:10:01] Yeah.

Joe Carrigan: [00:10:01] Here's the thing. If I'm running an HR organization, why would the boss task me with going out and getting something like this?

Dave Bittner: [00:10:09] I guess - I don't know. Who knows? You're willing, right?

Joe Carrigan: [00:10:12] Yeah. Right.

Dave Bittner: [00:10:12] You're a good - you're a helpful employee. You're a good soldier.

Joe Carrigan: [00:10:16] You're available, and you've done stuff like this in the past.

Dave Bittner: [00:10:18] Well - and you're trusted with the money.

Joe Carrigan: [00:10:20] Right. And you're trusted with the money, right.

Dave Bittner: [00:10:22] Yeah. You - they...

Joe Carrigan: [00:10:22] You have a corporate credit card. There's one thing.

Dave Bittner: [00:10:24] Right, exactly, exactly. So yeah - an interesting story about someone being targeted there. These bad guys didn't have to do a lot of homework.

Joe Carrigan: [00:10:32] Nope.

Dave Bittner: [00:10:32] But they did their homework and were very close to getting what they wanted. So buyer beware there. All right, Joe, it's time to move on to our Catch of the Day.

(SOUNDBITE OF REELING IN FISHING LINE)

Dave Bittner: [00:10:45] Our Catch of the Day this week was sent in by a listener. We love when our listeners send in our Catches of the Day. This is from someone named Gareth (ph).

Joe Carrigan: [00:10:54] Gareth.

Dave Bittner: [00:10:55] Gareth. And Gareth sends this. And he says, Catch of the Day, this is just ridiculous. Maybe some kind of machine learning generated this. Kind regards, Gareth. And the subject is - Julie.Parker-Welsh (ph), we are upset. But your application 9948 not agreed on. Greetings, Julie.Parker-Welsh. You can earn from $726 per day. We are upset, but your appeal not confirmed. From this project, you in no case similar letters do not get. From this portal, you will see specifically joyful messages, for example, such as finance prepared by for translation. It is your notification will arrive already today, so every day Allison Lewan (ph) is your personal manager.

Dave Bittner: [00:11:46] Joe, I have no idea what's going on. There's a link here. So you could click through on the link. And the link, it's a typical...

Joe Carrigan: [00:11:54] Is this a drunk email? Was somebody hammered when they wrote this?

Dave Bittner: [00:11:58] Right. I don't think so.

Joe Carrigan: [00:11:58] No. I think this is just somebody who is not a native English speaker who has a tenuous, at best, grasp on the language, writing something in an attempt to scam somebody.

Dave Bittner: [00:12:05] Yeah. I don't know. It went through some sort of translation layer, obviously, it seems like.

Joe Carrigan: [00:12:09] Yes.

Dave Bittner: [00:12:10] But how does this work? How? I mean, this is so bad. (Laughter) How could this - do they just get enough people who are just curious enough to click the link because they're amused or bored or...

Joe Carrigan: [00:12:28] It could be. Or maybe this one didn't work at all. Maybe people looked at this and said, I have no idea what this means. You know?

Dave Bittner: [00:12:28] I hope so. (Laughter) It's just awful.

Joe Carrigan: [00:12:30] What I hope is that nobody responded to it and said something like, I don't understand this - because then you're starting to interact with these people.

Dave Bittner: [00:12:39] Yeah.

Joe Carrigan: [00:12:39] Just delete it.

Dave Bittner: [00:12:40] Yeah. Well, maybe this is how the bad guys figure out what works and what doesn't. This goes in the doesn't-work pile.

Joe Carrigan: [00:12:47] (Laughter) Right.

Dave Bittner: [00:12:47] But it made it through. So it's interesting.

Joe Carrigan: [00:12:49] I'm amazed this made it through the spam filter.

Dave Bittner: [00:12:51] Yeah. I don't know. I don't know. Perhaps Gareth was - you know, maybe it's his job to sort through these things. I don't know, but we appreciate him sending it in to us. (Laughter) It's one of the stranger ones we've received. So as always, if you have something interesting for Catch of the Day, please do send it to us. You can find out how to do that by going to thecyberwire.com and looking at our contact page. We'd love to hear what you've got.

Joe Carrigan: [00:13:15] Keep 'em coming.

Dave Bittner: [00:13:16] And that is our Catch of the Day. Coming up next, we've got Christopher Hadnagy. He's going to be telling us about the new edition of his book. It is called, "The Science of Human Hacking."

Dave Bittner: [00:13:25] But first, a message from our sponsors at KnowBe4. And now we return to our sponsor's question about forms of social engineering. KnowBe4 will tell you that where there's human contact, there can be con games. It's important to build the kind of security culture in which your employees are enabled to make smart security decisions. To do that, they need to recognize phishing emails, of course. But they also need to understand that they can be hooked by voice calls - this is known as vishing - or by SMS text, which people call smishing. See how your security culture stacks up against KnowBe4's free test. Get it at knowbe4.com/phishtest. That's knowbe4.com/phishtest.

Dave Bittner: [00:14:18] We are back. Joe, we have our first returning guest on "Hacking Humans" podcast.

Joe Carrigan: [00:14:23] All right.

Dave Bittner: [00:14:24] Christopher Hadnagy is back. He, of course, is a well-known expert when it comes to social engineering, runs a lot of trade shows, conferences and so forth. Runs the social engineering Capture the Flag types of things. And he has a new edition of his book. His previous book was titled "The Art of Human Hacking," and he has updated it. And it is called "The Science of Human Hacking." So here's my discussion with Christopher Hadnagy.

Christopher Hadnagy: [00:14:50] When I wrote my first book, it was very much like art. I was doing these things, and they were working, and I was amazed and everyone that tried them was amazed. And it was kind of - I don't want to discredit it, but it was kind of like street magic. You know? You do these things and, wow, people just fall for it. And it was great. Now, jump forward a decade. And it became where we have this training class I've been teaching for eight years. I have 12 employees. And I've had to duplicate the process that was just me a decade ago. And what I learned from having to train other folks is that you have to have a repeatable process, and that repeatable process is where science comes in. As if, I can explain to you, you know, not just tilt your head and smile and people will build rapport with you. I need to explain to you scientifically what is at work. And if you understand the mechanisms behind it then you can duplicate it, and it becomes a repeatable process. So the update really was trying to understand how all these things work from a scientific level and then being able to duplicate them.

Dave Bittner: [00:15:52] So can you give us a sampling of what types of things we'll find in the book? What are some of the scientific conclusions?

Christopher Hadnagy: [00:15:57] Let's just take one, for example - one or two. So in my first edition of the book, I talked a lot about how to get people to like you. There's a couple tongue twisters. People like people that are like them, and people like people that like them. Right? So these two things, if you think about them, they're very true. Well, there's a researcher named Dr. Paul Zak who did research into a molecule called oxytocin, and it's something that scientists ignored for many, many years. They didn't realize what it was or what it did. And Dr. Zak and some of his fellow researchers figured out that this is the molecule that gets released in our brains when we feel trust - when we feel that someone trusts us, when we feel rapport with people. He helped us to realize how to get people to trust us, how to release that chemical.

Christopher Hadnagy: [00:16:44] So from a scientific level, sure, I can tell you the tongue twisters. You know, people like people that like them. And that means you should like people. But hear it from a scientific level, if I tell you that nonsexual touch, that the right nonverbals, that showing interest in other people, that trusting someone, making them believe that they're being trusted with a secret, all will release oxytocin. Oxytocin will automatically build rapport and trust. You were the dealer, and now you have a friendship with the person that you're building that trust with. So you take something that before was very artistic and now you break it down to a 10-step, repeatable scientific process.

Dave Bittner: [00:17:23] I guess what I perceive as being that some people simply have a knack for these sorts of things is kind of like stand-up comedy. You know? There are some people who just seem to be naturally funny. I can teach someone how to tell a joke, but if someone has that knack just the way they are, the way they were raised - whatever - boy, they have a real head start.

Christopher Hadnagy: [00:18:26] I would agree with that 100 percent. There are definitely people who will be able to become a professional social engineer much easier than others because of their natural inclinations, their personality. They, you know, they just have that natural smile. They are not afraid to talk to strangers. They're not afraid to put themselves in awkward situations. All of those things would definitely excel that person at this field. But that doesn't mean that someone who doesn't have those things can't learn it. The aspect of the new book was to say, hey, I get it. Yep, there are going to be those folks who just turn the switch on and they are these magical individuals that can talk to anyone, but you can also learn these things by understanding how they work.

Christopher Hadnagy: [00:18:26] I'll use an analogy. It's like learning how to repair a car. You know, the first time you open the hood and you look at the car, you're like, what the heck is all these wires and all these pieces? If you actually went to an automotive course, you learned how an engine works. You learned what those wires meant, what a carburetor is, what the spark plugs are. You learned what all those things are. Now when you open the hood and you look at the engine, it's not so scary. You say, oh, yeah. I get it. I know what that does. I know where that is. And the more practice, you can become a master. It's the same with this. We open the hood of a human and we're like, I don't understand why these things work. When you get to that scientific level, you begin to not only understand it, but it starts to make a lot of sense.

Dave Bittner: [00:19:05] Yeah. It's an interesting insight. I want to switch gears a little bit and talk about DEF CON this most recent year. You're very active, one of the starters of the social engineering Capture the Flag competition. Can you sort of set the table for us, describe what goes on there? And what was this year's competition like?

Christopher Hadnagy: [00:19:22] Sure. So we developed the SECTF, as we call it - or, as you said, the social engineering Capture the Flag - to be a contest that shows why and how social engineering is so dangerous and how effective it is year after year after year. And the way we designed it was to set contestants up to call target companies and to obtain flags. And a flag is a tidbit of information, something like, who handles your dumpster removal, or what operating system is the computer that you're on or what janitorial service do you have? Questions that, by themselves, they're not going to lead you to passwords, right? They're not going to hack the company with that information. So they're not damaging, but they don't make sense to really tell someone over the phone just without a real good pretext. Our competition was designed to show how a complete novice - a lot of people who sign up don't have experience in this, but that someone who does it could get on the phone and talk to complete strangers and get unbelievable amounts of information from a complete stranger just by asking.

Dave Bittner: [00:20:22] How does it work? You put someone in an isolated booth so that they can have an audience?

Christopher Hadnagy: [00:20:27] (Laughter) Yeah. So this year, we upgraded the booth. So since we started, we always had a booth. We used just pieces of Plexiglas with a foam top. And this year, we went all out. We figured, it's our ninth year. We should upgrade a little bit. That booth was getting old and a little bit rickety. So we decided to upgrade to an actual, professional, voice recorder sound booth, one that, like, a rock star would use to record. So it's got this giant glass window in the front. And you step inside, and it's completely soundproof with the foam on there. And you have LED lights. And the person is sitting isolated in this booth while everyone gets to watch. And just because the room was so big this year, we even went as far as putting a GoPro inside, on the window, so people on the sides have a clear view of the stress and anxiety on the contestant as they're sitting in that booth.

Dave Bittner: [00:21:16] So the folks who win the Capture the Flag competition, what are some of the common traits that they have? What are they able to do that regular people can't?

Christopher Hadnagy: [00:21:24] The last couple years, people that have won - so not this year. Whitney won this year, and she does have experience in this. But previous to this year, people who won were not experienced at social engineering, and yet they get in the booth and they all have this common trait. And Whitney has it, too. It's primarily, first, thinking on your feet. So having the ability to - 'cause things don't go as planned. Right? You get on the phone and somebody throws you a monkey wrench, or they don't have what you thought they would have in front of them so you have to work around it. Or they say something that you never thought somebody would say. Having the ability to think on your feet, to adjust and adapt quickly, those are the people that generally excel at this kind of a career or competition, and then secondly, not having the fear to try things. Right? So sometimes people, they psych themselves out. They say, I would never answer a question on the phone about my computer. Well, I'm not even going to ask that. And people who go in with it with the attitude, I'm just going to try, see what happens, generally walk in with that confidence, and they're able to get people to tell them almost everything.

Dave Bittner: [00:22:31] Now, on the flip side, what about the folks who don't do so well? Where do they come up short?

Christopher Hadnagy: [00:22:36] Yeah. So the folks that don't do so well, there's two common themes for those who don't do well. First is, the beginning part of the competition is, we give the contestant their target company and for three weeks they get to do OSINT. That stands for open source intelligence. So they get to do OSINT on their targets to try to find what flags - those information tidbits are found online. Those who don't do well generally are the contestants that did not spend time, energy or effort - enough of that - in the OSINT piece. So they get into the booth and they're not really prepared. Information is the lifeblood of the social engineer. So if you get into that booth with a little bit of info, you're not going to be adaptable or flexible. And then secondly, the quality that I see most often for people who don't do well is when they let the fear get the best of them. Everyone's afraid. I mean, I've been doing vishing now professionally for 10 years, and I still get nervous when I get on a call. It just happens. It is just the way it is. But you're getting in front of - on a phishing call in front of 500 people, 600 people, whatever. You're doing this in front of a lot of people. You can use that fear to motivate you, or you can use it to completely psych yourself out. And those who use it as a motivator, they tend to do a lot better.

Dave Bittner: [00:23:53] Now, Chris, I know something that is important to you is that people use these tools responsibly and to the point where you all have put together a code of ethics.

Christopher Hadnagy: [00:24:03] Yeah, we have. Thank you for asking. So for us, like you said, one of the most important things - our mantra in our training classes and in our companies, leave them feeling better for having met you. And that's a really important aspect of being a social engineer because you have to think like a bad guy all day. But we need to remember at the end of the day, I'm not the bad guy. I'm a good guy, and my job is to help my clients. My job is to help the companies that pay me, help them learn how to defend against these type of attacks. And I can't do that by always being malicious.

Christopher Hadnagy: [00:24:35] So we just issued a code of ethics. It's like a code of conduct for professional social engineers. And it's a - it outlines the ethical way to approach this industry, being a person who's hired to hack other people. But how can you do that ethically? It's on the social-engineer.org site under the framework, and it's the first top heading. And I'm really excited about how it's - we just released it, so this is kind of brand new. We've been talking to you about it. And it's been adapted by a bunch of pen test companies, and even a large organization now over in Europe has adapted our code of ethics to become part of their internal policy. So I'm really excited to see how it's been accepted. And I'm sure there will be a lot more coming up about that, too.

Dave Bittner: [00:25:24] All right, great. Well, again, Chris, thanks for taking the time for us. I appreciate it. Happy to help...

Christopher Hadnagy: [00:25:29] No problem.

Dave Bittner: [00:25:29] ...Spread the word about your efforts.

Dave Bittner: [00:25:31] Nice to have Christopher back.

Joe Carrigan: [00:25:33] Yes, our first returning guest. That's great.

Dave Bittner: [00:25:34] Yeah.

Joe Carrigan: [00:25:37] I'm about halfway through this new book of his.

Dave Bittner: [00:25:37] OK.

Joe Carrigan: [00:25:37] And it's really good. It's a page turner. I mean, it's one that gets you in and - which is kind of unusual for this kind of book. But it's - I find it absolutely fascinating. I would recommend you pick it up and read it. I think it's important that he points out that a natural talent helps. As I was talking about earlier in this episode, my wife, I believe, has this natural talent, that she can think on her feet and...

Dave Bittner: [00:25:59] Yeah.

Joe Carrigan: [00:25:59] ...Get through things. And I...

Dave Bittner: [00:26:00] Mine does, too. My wife can talk her way into anywhere.

Joe Carrigan: [00:26:04] Yeah.

Dave Bittner: [00:26:04] She's talked us into Disney World.

Joe Carrigan: [00:26:06] Really?

Dave Bittner: [00:26:07] Yeah.

Joe Carrigan: [00:26:07] That's amazing.

Dave Bittner: [00:26:08] I know.

Joe Carrigan: [00:26:09] (Laughter).

Dave Bittner: [00:26:09] I just sit - I stand back. She's like, I got this. And she goes up and talks to the customer service person. I stand back. And the next thing you know, we're in Disney World. We're riding Space Mountain.

Joe Carrigan: [00:26:18] Amazing.

Dave Bittner: [00:26:19] Yeah (laughter).

Joe Carrigan: [00:26:19] My wife has done similar things. I think I need to send her to one of Chris' classes.

Dave Bittner: [00:26:23] OK.

Joe Carrigan: [00:26:23] I really like the car analogy. I say this a lot about just basic computer science and stuff like that. And one of the things people always say is, you don't need to know how a car works to use a car.

Dave Bittner: [00:26:33] Right.

Joe Carrigan: [00:26:33] My comeback to that is if you know how a car works, it makes you a much better driver, right?

Dave Bittner: [00:26:39] OK.

Joe Carrigan: [00:26:39] I think the same is true with social engineering. The same is true with just about anything. You know, if you get into it, it makes you better at it. Again, thinking on your feet is paramount, he said. But really, the - one of the things everybody should realize is that the OSIG, the open-source intelligence gathering, is the lifeblood of social engineering. It's how these social engineers acquire the information so that they can seem like they're a knowledgeable person when they make that first contact with you.

Dave Bittner: [00:27:03] Right, do their homework ahead of time.

Joe Carrigan: [00:27:05] And he says at DEF CON, they get three weeks to do their homework.

Dave Bittner: [00:27:08] Yeah.

Joe Carrigan: [00:27:08] So I think that's plenty of time.

Dave Bittner: [00:27:09] So they're going in there well-rehearsed...

Joe Carrigan: [00:27:11] Right.

Dave Bittner: [00:27:12] ...You would hope.

Joe Carrigan: [00:27:13] Yeah, I was trying to penetrate a bureaucracy earlier this week. And just using Google was able to get a hold of somebody that was able to give me some information. Now, I wasn't trying to get any information I shouldn't have access to. I was actually trying to find information from somebody in the government and where I needed to go. And I actually found somebody. It's very difficult to get a hold of people.

(LAUGHTER)

Dave Bittner: [00:27:31] No kidding.

Joe Carrigan: [00:27:31] But I managed to get a hold of somebody...

Dave Bittner: [00:27:32] Yeah.

Joe Carrigan: [00:27:32] ...Just by using the OSIG.

Dave Bittner: [00:27:34] OK.

Joe Carrigan: [00:27:34] And the guy helped me out. It was great. I'm also very happy to hear that Chris is developing a code of ethics. That is something I think was missing, and it's very important that we have that, I believe.

Dave Bittner: [00:27:44] I also liked the point he made about leaving people feeling as though they had a good interaction with you...

Joe Carrigan: [00:27:50] Right.

Dave Bittner: [00:27:50] ...Because I think so much of the social engineering work, the professional pen testers, can inadvertently leave people feeling kind of dumb.

Joe Carrigan: [00:27:59] Yeah, exactly.

Dave Bittner: [00:28:00] I fell for this, and I...

Joe Carrigan: [00:28:00] Right.

Dave Bittner: [00:28:01] You know, so I think if you can go in and use them as teaching moments...

Joe Carrigan: [00:28:05] Right. I don't know how Chris does these things after he has an engagement. But I'm sure the very first thing he tells them - or if I were doing this, the very first thing I would say is, just because this happened, you are not stupid.

Dave Bittner: [00:28:15] Right.

Joe Carrigan: [00:28:15] You're not dumb.

Dave Bittner: [00:28:16] Yeah.

Joe Carrigan: [00:28:17] OK. You fell for this, and here's why you fell for this because, like he says, oxytocin, I believe, is the name of the chemical he talks about...

Dave Bittner: [00:28:22] (Laughter) Right, not OxyContin. Yeah.

Joe Carrigan: [00:28:23] Not OxyContin or oxycodone.

Dave Bittner: [00:28:25] Yeah.

Joe Carrigan: [00:28:25] Oxytocin...

Dave Bittner: [00:28:25] Right.

Joe Carrigan: [00:28:27] ...Which - I don't know. Maybe it's similar. Who knows? I'm not a chemist.

Dave Bittner: [00:28:29] Yeah.

Joe Carrigan: [00:28:30] I'm not a biochemist. But there's reasons that you've actually got essentially wiring in your head that makes you vulnerable to this stuff because of who you are and because of how we're evolved to be.

Dave Bittner: [00:28:39] Yeah. Well, again, thanks to Christopher Hadnagy for joining us. The new book is "The Science of Human Hacking." We hope you will check it out. And thanks to all of you for listening.

Dave Bittner: [00:28:47] And of course, thanks to our sponsors at KnowBe4. They are the social engineering experts and the pioneers of new school security awareness training. Be sure to take advantage of their free phishing test, which you can order up at knowbe4.com/phishtest. Think of KnowBe4 for your security training.

Dave Bittner: [00:29:04] Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more about them at isi.jhu.edu.

Dave Bittner: [00:29:12] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik. Technical editor is Chris Russell. Executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: [00:29:29] And I'm Joe Carrigan.

Dave Bittner: [00:29:30] Thanks for listening.

Copyright © 2018 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
