
...operating system. I'm using Presenter View for the first time, by the way, so if I make funny faces at my laptop it's because I don't know how to use it. If you don't know what I look like, there's a picture. I've been in security for going on nine years now, right around in there. A lot of my background is D... uh, branched into the commercial world more recently, and I'm enjoying that tremendously. I do a lot of physical penetration testing, some network stuff too, social engineering obviously. I do want to give a quick shout out to Secure Conon. I mean, I know that we're sponsoring this one; we don't always sponsor the cons that I go to, but they pay for me to come out to cool places like this and talk to cool people like you, so thank you, Secure Conon. Again, we're hiring, come talk to me.

So I realized that this is a first con for a lot of people here today. I thought that was kind of interesting, so we're going to talk a little bit about what social engineering is first, before we talk about hacking the operating systems of humans. Social engineering is basically using persuasion techniques to get a person to give you some kind of information, or to do some kind of action, to help you in an attack. Thank you. Those in the back, am I loud enough? Is that good? Okay, if I'm not, just let me know.

So what kind of information are social engineers looking for? Sometimes it's really sensitive stuff, stuff that people know they're not supposed to give out but they probably will anyway. IP addresses are great ones. Employee ID numbers are almost trivial to get from just about anywhere. Once you start getting into passwords, sometimes you get some resistance there; those attacks aren't always successful. The ones that tend to be even more successful are the ones where we look for data that doesn't necessarily seem sensitive to a lot of folks, so things like office codes, or, you know, what's your office number, stuff like phone numbers. A lot of times, if I'm going to do a phone social engineering exercise, I'll call into accounts receivable for that company, because they're always going to answer the phone, because everybody wants to get paid, right? So when they answer the phone I say, "Oh, I'm sorry, I was actually looking for so-and-so in IT, can you transfer me?" This does two things. First of all, this gets me to so-and-so in IT without having to dial direct. Second of all, it makes it look like I'm calling from an internal number, so then I can use that to my advantage against my target.

So why does this work? I mean, why does this work anyway? Why do people tell me this information that they're not supposed to tell me? People just like to be helpful. We're trained that way from a very young age, that we're supposed to be kind to one another, right? Do unto others and all that good stuff. A lot of people, even though there are security awareness training programs out there, are really just unaware of what the threat is. If a security awareness program covers social engineering, it's usually like two bullets at the bottom of a slide, toward the end of the training, and at that point you're already just clicking through the slides and you're not reading anyway. There really isn't a lot of high-quality training out there to teach folks about social engineering. That's starting to change, but it's very slow. And going along with being unaware of that threat, a lot of times folks will give you a lot of free information, stuff that they don't really think is sensitive at all. We've been ingrained that a password is sensitive, right? So if I ask you for your password you might get a little suspicious.

There are my raffle tickets, look at that. Sorry, sorry, sorry. [delivers] Thank you, sir. You're welcome. Now I have to find another excuse to give him a hard time today. Need an excuse... running a true... not fun. Anyway.

So if I call a help desk and I ask them to reset somebody's password, they're probably going to ask me a lot of questions, and, you know, what's that person's employee ID number, where do they work, lots of stuff that I might need to know. But if I call and ask for that username: "Hey, I forgot my username to get on the computer. It says that it's wrong. I know that the password is right because I use the same password for everything. Can you tell me what my username is?" And most of the time people will just spit that out, even though, as you know, as hackers, that's 50% of the puzzle, right? I need a username list and a password list if I'm going to try to brute force something. So that just helps me understand that, okay, I formatted my list right, and that person on the other end of the phone doesn't even realize that they've given me something that they shouldn't have. And the government, they call this aggregation of data: take a little piece from one person, a little piece from another person, put it together, and then you get something really good.

So I like to start off most of my corporate talks with this quote: "Technology will continue to advance, but the greatest vulnerability will always be in the human behind the keyboard." That's always going to be true. It doesn't matter how many times you patch Windows or you patch whatever, the most vulnerable thing in your network is the person that uses it, because they're harder to patch. That's a whole other separate talk. I only have like 15 minutes, so we're not getting into that. This is meant to be a fun talk.

Okay, I'm going to pick on guys, I'm going to pick on girls. It's not meant to be sexist in any kind of way. When you do social engineering you have to approach your targets differently. When I approach a male target, I'm going to act completely different than if I approach a female target. I'm not saying it's right or it's wrong, I'm just saying that's how it is and that's how it works. So if you're easily offended, now might be a good time to go get some more breakfast.

So let's talk about the female operating system. Guys, this also will help you in Relationship 101. I don't do any marriage counseling or any of that, but you might be able to apply a lot of these same principles. So females are kind of a lot like Linux, all right? I had to put this in geeky terms so that people can understand it. We like words. We like a lot of words. This is why women read romance novels, right? We like words, we especially like words that provoke emotion. Female minds are mainly emotionally based, so the key to, I won't necessarily say completely social engineering, but for social engineering females, it's all about using the right words to provoke the right emotion to get the response that you want. They're based around empathy, and I don't think that empathy is as popular as, you know, a lot of the other social engineering terms like deception and things that are mainstream. Basically, you know, with empathy, when they see a certain situation they react a certain way.

Female brains are also kind of like TCP, all right? They're a connection-based protocol, right? "Honey, does this make my butt look big?" That's the SYN. The SYN-ACK is "No, dear," right? And the ACK is "Okay." And then 30 seconds later it's "Are you sure this doesn't make my butt look big?" So it always needs that continual connection, just like TCP. I spent a lot of time looking at pcap files, so excuse me if that comes off a little nerdy.

Women also like things that are more community based, right? They like to know that others are like them, that they're normal, whatever that is. Commonality builds credibility with women, so a lot of times when they share experiences they're more likely to trust that person, when they relate to experiences and emotions. The easiest way that I can think of to explain this is like if statements, going back to the geek talk. So if I create a situation of stress, then normally the action that comes afterwards is they want to soothe, or they want to help, or they want to make it better, right? So if I'm running through this building that I've already social engineered my way into, and I'm on my way to a meeting, and I drop my handouts all over the floor in front of this person's desk, and I say, "Oh my goodness, I'm late for my meeting, these are not my slides, can you please print my slides off of this thumb drive?" So now I don't even have to try to plug it into the machine; they've already done it for me. "Oh, my presentation's not on there, that's not good, give me that back, I have to go," and I just take off running down the hallway. "Here, let me put this live CD in before I plug it in." Or the autorun exploit works really well out of the Social Engineering Toolkit; if you haven't used it yet, you might want to check it out.

So another if statement: if there's uncertainty. Everybody's been the new person on the job, right, at one point or another. The best way I've found to make this work for me is to ask for the ladies' room. It's something about females, they like to go to the ladies' room in groups, but it's also a very non-threatening question, it's a perfectly valid question. So when I ask that, then normally what happens is they walk me down there and then they kind of chit-chat with me a little bit. It doesn't matter that I'm not wearing a badge or that I'm not supposed to be there; they're not thinking about that. I've distracted them enough to where they want to help me, even though I probably shouldn't be there. So it basically boils down to: if you give expected input, then you're going to get expected output.

So let's talk about guys a little bit, all right? I apologize in advance if this offends you, but guys are kind of like Windows. Sorry, guys. It doesn't really matter if it's, you know, like Vista or any other flavor, it's just kind of a general statement. Guys are GUI based. You know, you like pictures and visuals. This is why women read romance novels, right? They read those words that provoke emotions. Men need to see a situation to provoke emotions. "What are you talking about? That's why they read romance novels, and guys look at Pen..." Yeah, for the articles. "...magazine." Yes, the articles, so I've been told.

But guys are also very credibility based, and that's very different from what we just talked about with women, isn't it? And I think that this is Val's kind of unofficial theory as to why there aren't as many females in technology these days, and in particular a lot of guys are very based on credibility. So I have to prove to you that I know what I'm talking about before you'll accept me and respect me as a coworker when it comes to technical things, right? And women, they think, just because we're in the same situation, that we both have the same job, then you should already respect me, because I'm one of you. I don't have to prove that; I'm already one of you. So I think that there's a little bit of a disconnect there between males and females, and especially because I've seen it a lot.

So this was a study done by The Telegraph a while back, and they brought in some pretty women, and they talked to the guys afterwards, and the guys couldn't even write down their address after the pretty woman had left. This is a little strange. There's also a lot of research done on these types of subjects in marketing. It's a little unexpected, but if you think about it, the same principles apply with social engineering, all right? Guys, they want to distract you with pictures of whatever so that you're not thinking clearly, so they can sell you stuff, like the GoDaddy girls so they can sell you bad web hosting, or they can sell you bad foods. I mean, it all works around visuals. So if you start to look at marketing that way, that's exactly what happens: they distract you, and because you're like Windows, something like that is going to happen, right? I didn't have a kernel panic shot for the ladies; that's unfair, I apologize.

So if I'm social engineering a male target, after that BSOD happens, after they're distracted enough, I have a lot of different options. Tailgating: I don't even really have to try at tailgating, it's just a natural thing. Guys are taught from a young age to open the door for a lady. It doesn't matter if that door has an RFID card scanner or not; they just don't think about it. They open the door and they let me in. The other thing is you could get them talking, right? So, credibility: I don't know anything yet, because I haven't proved it to you, so I can be stupid all day long because I haven't proved it. So if I distract long enough, I can get one of my other coworkers to do maybe a risky attack at that time, to where it's almost a cloak-and-dagger thing, right? So you've got your distraction over here, and then your attacker goes around the other side, and it makes a great stupid-user ploy. Unfortunately, if I call a help desk and I get a male help desk person, I'm going to act stupid. I'm going to put in some chewing gum and I'm just going to not know anything about how this works. If I have a female when I make that call, completely different situation: I'm probably going to cry so that I can get my password reset. But either way it works; you just have to know how to approach it differently.

So that is my 14 minutes and 55 seconds of fame. Those of you that are signed up for the class tomorrow, that's awesome, we're going to have a really good time. If you're not signed up, come see the registration folks in the morning; they do have a wait list, I think, so they'll let folks in as space opens up in the classroom. So this is me. One last thing: we're also going to be giving away the WiFi Pineapple, as I had mentioned earlier, now that I have tickets. So we will hold these up at the registration desk. If you give me like 10 minutes, I'll be back there with the tickets and some acceptable object to put them in. You'll need to be here at the end of the day, though, in order to receive it, so if you're not going to hang around all day, don't waste my tickets. And that's all the time I have, so I will be around if you guys have any questions, and thanks for having me.