
Social Media: How You Make Yourself A Target And Help Obstruct Corporate Security

BSides Munich, 40:43, published 2018-04
About this talk
Examines how employees' social media presence creates organizational security vulnerabilities. The talk demonstrates information-gathering techniques attackers use to identify and profile targets, showing how seemingly innocent posts expose exploitable details. Christina Lekati covers the psychology of social engineering, profiling methods, and practical recommendations for responsible social media use without sacrificing online presence.
Original YouTube description
by Christina Lekati. Online presence is undeniably important. But despite the benefits social networking can create, a strong online presence can also become a vulnerability. Christina will explain how the online presence of a company's employees on social media can attract social engineers to target them and turn them into "open doors" through the organization's security. The talk covers the topic of information gathering through social media and explains how even seemingly innocent information can be exploited and used to manipulate targets. A two-part demonstration is included on how a hacker's mind works when harvesting information on social media: the first part includes real examples of posts that expose vulnerabilities, attract attackers and ultimately lead to security breaches; the second part includes a demonstration of how personal information provided online is gathered, categorized, analyzed and then used to craft an attack, as well as how one ends up revealing more online than one intends to. The talk closes with practical recommendations and best practices. The purpose of this talk is not to make everyone delete their online presence but rather to urge them to use it responsibly. Training and awareness is often the catalytic factor between a successful and an unsuccessful attack attempt.
Transcript [en]

Hello everyone, thank you for being here today. I am Christina Lekati. I am an ethical human hacker, as I was introduced, and a psychologist. I work for Cyber Risk GmbH. It is a company that provides cybersecurity training with a focus on strategy, processes and compliance, because this is also very important, and I am doing all things social engineering. In fact, this is a company that my father started, and this is also the reason why I got involved in cyber security: I got very early exposure, and by getting very early exposure I also developed a very big interest very fast, and having him around I also had the opportunity to get involved in projects from very early on, projects that sometimes were beyond my age but quite fun for me.

So what I have done so far: I have done penetration tests, I have been involved in forensic investigations, and of course I have been involved in training, because at the end of the day you do figure out that the human element is important. We had a great introduction about human nature, and now we are going to talk about how you can cause that human error to happen, or how you can use that human error in your favor. But first I have my fair amount of questions of my own. First of all, who in here is a penetration tester, blue team, red team, et cetera? Good. Physical penetration testers? Who in here wants to increase their personal or organizational security? Very good. And who knows anything at all about social engineering and how it works? Good.

So we are going to do the introduction. What is social engineering? It is the art and science of skillfully maneuvering human beings to take action in some way in their lives that may or may not be in their best interest. In the malicious social engineering cases it is not in their best interest. How does it work? Nobody goes to battle without a good strategy, so clearly there is a backbone strategy happening, with two phases: planning and preparation, and execution. It starts with information gathering.

Now, why? Did any of you have a first date where you didn't know anything about the other person and you were just sitting there being all like, mm-hmm, so what is your favorite, pizza or pasta, and you practically didn't know what to do with them? Well, this is never ever the case with social engineers. Why? Because they are going to come prepared to you. They are going to know a little something about you and they are going to leverage it. For example, if they know that you're a new parent, when they encounter you they are going to be like, my three-year-old just vomited all over my papers, I don't know what to do, I thought I will either be late or I will be forever indebted to you if you please print it out for me. So this is good information gathering; this is having some intelligence on the other person that you can use and leverage against them.

Then the second phase is identifying the possible victims and targets. What does that mean? That you need to know who is a new parent, and you need to know who has some certain amount of vulnerability that you can leverage against them. Then you have the pretext in the approach: the fact that you also appear as a mother, for example, your background story, why you are there, why you are asking them to do things for you. This is your pretext. And then we go to the execution, where you actually approach them. You talk a little bit, you use some amount of rapport: if you are a parent and they are a parent, you would develop some sort of connection, you clearly are from the same tribe now, so you actually can be trusted a little bit more. And then comes a little bit of manipulation, where you actually drive them to take some sort of action that you want according to your story. It all fits together nicely in the end. Once you are done with what you want to do, you leave, and you leave the other person this way, knowing or not knowing what happened. You usually don't want them to know what happened, especially before you have exited the building.

But now, why social media? Why is social media so important in that? Well, really, because it's easy. It is a very low barrier to entry for everyone. I think it offers advantages to everyone: for people in businesses there is a very nice way of getting exposure, they can showcase their skills, they can connect with people, they engage, and so on; there's a whole list, it's bigger. But for social engineers it's also a battleground. This means that they can go there, harvest information, turn it into intelligence on you: so practically gather everything there is on you, categorize and analyze it, profile you, find your vulnerabilities, and then use it all against you.

Again, why social media? It is actually being used pretty much already. Employees experience attacks more often on social media than on any other business platform, including email, meaning that the phishing email is not such a big superstar compared to social media, although it really takes most of the fame. And according to Cisco as well, Facebook comes as the number one most used way of breaching networks. Then you have Panda Security saying that 20 percent of businesses are infected by malware through social media. And this is not just one report; these are all reports from last year.

How do they leverage them? There are practically two ways social engineers use and leverage social media. The indirect way: they don't come in contact with you, and this is mostly the quick and dirty type of game, the numbers game. And then there is direct contact. We are going to talk briefly about the indirect contact and then go more in depth into the direct contact approach.

In the indirect contact there are the consumer scams. The consumer scams tell you that you can get something if only you click on this link for this amount of discount, so you actually feel that you save a little money here, but in fact you pay a lot more and you don't even know it. Sometimes you have phishing, and it makes it very highly tailored according to what you post. An example here is the example of an employee who had a very nice picnic date with all of his coworkers, and then he decided to post about it, like we all do sometimes when we want to share things that we did with the people we work with, and he loved to show engagement and noise. But what happened is that he also received a phishing email shortly after that. And what was it saying? It was coming from his other co-workers saying, oh, I really loved your Facebook pictures, I took my own, here, click on the attachment and here we see them, you look particularly good in this third one. She opens it; it's clearly not the pictures that she was waiting for.

You have the external applications that give you this little sign saying, practically, yeah, all good, it's a free app, you can use it all you want, we just need one little thing: to access all your private information, just name, profile, and whatever else we might need. Whatever else they might need is everything else you have uploaded there, and what they do is they use the data and leverage it against you. Malware distribution, okay: who has received a message like that that says, I found this video of you, it is amazing, I cannot believe what they saw there? I have, definitely, a lot of times, from people that I know or don't know. And then you have identity theft and impersonation, and these are the people that add you as a friend just because they look so nice and you have so many common friends, and in reality all they want to do is connect with you so that they can expand their network and criminal activity.

Then you have the direct approach. We are going to talk a little bit more in depth about this in the demonstration, and this includes manipulation online, so practically you don't really come into strong contact with the online contact either, and then you go either through a phone or, again, through the face-to-face approach known to all of us, where you either want to enter the building and install malware, gather more information, manipulate, in general get your way.

Enough of the theory. We are going to jump straight into the practical part with actual posts that have been posted. I have used very similar posts in my work to leverage others. They are not as rare as you think; although some of them might look a little bit too much or a little bit too obvious, well, you would be surprised how many people actually post these things and how easily you can leverage them. We are going to see the post, and on top of it there is a sign saying how you could potentially leverage something like that.

Vulnerability exposure posts, things like, I should be more concerned about my work but I'm really not. What does this communicate to an external party that actually wants to leverage you? It communicates, I really don't care about my company, and definitely not about the security. So if somebody comes to you with a very good story, clearly you're not going to think twice before plugging in that USB.

But now my favorite, and seriously, this is just candy for penetration testers but also for social engineers: posts that request a certain type of document from a certain type of company, and they either want it urgently or they want it at work. And this is so beautiful to see as a penetration tester and as a social engineer, but it's also so ugly on your side, because you are going to receive this email very soon, but it's going to be nothing like you want.

People that hate their jobs; again, make the face, guys. People that hate their job are not going to care about the security of it at all, meaning that if they have some type of personal gain over something that they hate, or even if they can be revengeful over the company and the job that they hate so much, when are they going to do it? If you ask them, if you give them something that is more important to them, which is most things, over something they hate, chances are they are going to do the things that you want them to do.

People that are lonely; people that have a very soft spot for women. This is quite the vulnerability, and if you think this is far-fetched: as a penetration tester you do not do it, this is a little bit over the limits, I would not suggest it, I don't think it's in any contract that you do things like that. But if you find it far-fetched, it is not, and in fact it was used as a very successful strategy in the Cold War between East Germany and West Germany by the secret services of East Germany. What they did is that they practically sent Romeo secret agents to the assistants of very key people in West Germany, and what these Romeos did is that they posed as Germans, they had done all the background research on their victims, they knew exactly what the girls needed to practically fall for them, and sometimes, really, they were not even that handsome, but they had their ways, they were fulfilling their emotional needs. In other words, they got so many confidential documents from these ladies; one lady even gave out more than a thousand secret documents, and a lot of operations were compromised like that by East Germany. So do you think that this would not happen in a big company heist or in a big company breach? Let me just tell you, it does.

And then you have the posts that give out some aspect of what happens in the company. So, for example, you have the receptionists gossiping at work. What does that mean? That means the receptionists are bored to death, and what do the receptionists want to do to get out of the boredom? They want to talk, they want something to talk about, which again means: give them a story, give them something to get them interested, and they will engage with you, and that's what you want, you want them to start engaging with you.

Now, make no mistake, blackmail and bribery are very, very prominent cyberattack tools. Again, not penetration tester material, but this is good for general knowledge. And we start with people that really have a big need for money and they post about it. What do you think happens in this case? Think here a little bit about Maslow's needs. What are the first two needs that need to be satisfied, and they are very pressing in somebody's behavior? Need for food, need for safety, and they are all covered by money. So practically, if they need money, they need to survive. How does a social engineer leverage that? Clearly, if you need to satisfy your most basic needs, you are going to do things you were not really supposed to do, because it's a priority to relieve the tension of feeling unsafe and satisfying your basic needs. Bribery works really well here; the last thing you want to do is to have external factors, or third-importance type of factors, like security, satisfied. Again, personal relationships in the company can also be leveraged, according to the hierarchy in the company and who does what with whom; this can also be very well blackmailed.

And then you have people that are addicted to certain things. What happens here? A social engineer is very willing to feed your addiction and more than happy to help you with it, because they leverage this against you. And make no mistake, if you have any sort of addiction, don't really talk about it, because the sad reality is that your addiction and the person that can influence it for you, these two have leverage on you.

And last but not least, you have the people with really big egos, that want their way, that believe they deserve the world, that everybody is secondary, that they are above everyone, that they are not being paid enough. And these people are just being hunted because of their ego, because their ego needs to be fed, because they do believe they deserve a lot of things. So if you give them what they believe they deserve, if they are going to get what they believe they deserve, if this means compromising a little something, they are going to compromise it, because it's all about them after all.

Let's say, however, that these were a little bit far-fetched. This is clear vulnerability exposure. Let's say none of you does any of these, none of you posts such personal things, and none of you posts company inside information. Let's say you're completely media savvy; nobody knows anything online about what your executive position is, nobody knows anything about your vulnerabilities. But you say you want to share a little something to engage with your friends, you want to find other job opportunities, to have other colleagues working with you, and you post a little something online. Again, let's say you're media savvy. What are the other angles somebody is going to try to leverage you from? There are certain traits that help a lot: extraversion, why? Because it means you're happy and willing to talk with other people that you don't know; and in addition to this, empathy, helpfulness, trustfulness, gullibility and more. Now, these are all very good traits, and I'm not telling any of you not to have them and get all suspicious and lock yourselves in the basement or put newspapers on your windows. No, no. This is not about not posting anything online and being always suspicious and distrustful of everyone. Be a little bit distrustful, okay, just a little bit, fine. But this is more about knowing how things can be leveraged against you, knowing how to put boundaries when people come to you and they are very nice, they're very likeable, but start asking strange questions. The point here is: know that a lot of things can be used; put boundaries.

How are your traits being assessed? Well, your overall personal brand, the way you carry yourself, the words you use, your selection of activities, interests, responsibilities: they all can be used for somebody to approach you, to profile you, to engage with you, and ultimately to manipulate you. But we have an example. We have the example of Tom. We know nothing about his work, we know nothing about his vulnerabilities, but can you make some good assumptions perhaps about his interests? What are they, anyone? So, yeah, one is travel, another one is fitness, another one is social, anything else? Cars, yes, another one of them. So you start looking at things in the big picture, in the general overall personal brand.

Yeah, you look at body language. Who knows a little bit about body language in the room? We have two, three, good. A little bit on body language: in this case he's being all expansive and open, he does not feel the need to protect the vital organs by being all closed up in some way. This shows some level of confidence. He is even half naked in some of them, meaning he doesn't try to hide behind barriers, showing somebody who is actually very comfortable with himself, very open, and yeah, very open, yeah.

He's definitely showing off, but he's also really confident and comfortable with himself, and the fact that he exaggerates it could mean the opposite, but when it comes to feeling comfortable, no, he's comfortable with the whole thing. Then we have a variety of facial expressions, which you do not see, but, okay, how much can I expose him anyway? But I was able to see, and I can see that he's being very, very expressive. The choice of colors matters, because depressed people tend to be drawn to more dull colors; he's very happy, very colorful, very vibrant. So we know a little something about his psychosynthesis. Locations vary, so a lot of interests, a lot of outdoor activities, and we can also see different people in different situations. You do not see them because, again, how much can I expose someone, but they are all different, and we have very intimate poses with them usually, so you can tell that here's someone who actually has a wide social circle and gets close to people.

But this is just information; you cannot really leverage this. These are assumptions that you make, that you need to verify or strengthen, and that you need to turn practically into intelligence, because it's one thing to have information and another thing to have intelligence. How do you make sense of them? I have made the profiling matrix, with four columns on the x-axis; the columns assess personality traits, interests, wants, vulnerabilities, and then of course his self-image, because you want to approach him according to his self-image, social life and professional life. A side note: people don't show on Facebook or social media who they really are; they show who they would really want to be and how they would really like to be perceived by others. Now, you might think that this can be a problem, because you don't address them as how they really are, but this is in fact excellent, because when you encounter someone, you actually want to support who he believes he is and you want to encourage this idea of who he is, so you can actually work better with him on the level of how he wants to be treated.

We had the overall brand, we made some assumptions, we need to see if they actually stand. We look further at other things; what are specifically his words, the patterns that come out of his words, and the style of his expressions, the way he expresses himself. How do we do this? We look at posts. So we start: he says, make your dream your reality; in the first line I have categorized them for you already; life is a game, play to win; let your heart be louder than your words. What do you think this could point us to? It points us to an ambitious person. He moves on: don't decrease the goal, increase the effort; and some things that he did in life, that he put as his goals and he actually made happen, this points at determination. We strengthen our previous assumptions a little bit more. He moves on: I don't care about income, I care about the impact. Do you notice a little something about the expression, the way he expresses himself? Before he was all like, play to win, do this or do that, I did this, I did that, you can do it. He wants to play a little bit authoritative, he wants to give advice, the way he carries himself, he's giving advice without being asked to. So you can assume that he is actually a person that wants to be addressed in the same way that he addresses others; he poses himself so, and he wants to have a certain amount of influence on others.

Other posts: what is life without a little risk, make your life your adventure, yada-yada. He wants to have a little bit of risk and adventure, and again we see the pattern of giving advice and appearing authoritative. Making new friends should be part of every trip, and then he also explains how he started talking to somebody he did not know: I started chatting with a random guy next to me, not unusual for me. Which is perfect, because now you know you can actually approach him and that he is an extravert. This strengthens your previous assumptions and it fulfills some extra points on what he wants because of the way he expresses himself.

How can you find out a little something about his professional life? You add up the two previous categories and you can make some logical assumptions. A person like this is not going to be your back-office guy, he would be just so depressed; he is a person that wants to communicate with people all the time, that gives advice, that wants to be out there. He's not going to be a back-office guy, he's going to be a front-line person. He would be a consultant, an instructor, he would love to be an instructor, a manager, something along these lines. So you can actually see where he stands in the company; ideally he would be a team leader, in management.

And then you still want to have a little bit of assumptions on his vulnerabilities, so that you can see whether you can leverage them in a conversation. What do you do? It is a psychological principle that when we run with all our strength towards one thing, it's because we try to run away from the other. So we take all the previous columns, on how he sees himself, on how he presents himself, on what is important to him, and we turn it around, because in reality he decides to avoid the exact opposite, which means he tries to avoid being ineffective, being not useful; he wouldn't like to be rejected, he wouldn't like to have low impact, all of these things. What does that mean? That if you were to approach a person like this, you would not go all like, listen, son, I'm going to teach you how life is done. No, you would approach him on a level that would be more like, I really need your help, and you look like you can give really useful advice. But then, if he is, let's say, a little bit sophisticated, if he offers advice up to a point, a social engineer can be flexible enough to leverage some of the vulnerability assumptions, meaning that if something happens and the person puts a blockage on you, you can start being a little bit like, you know what, I have been spending all this time with you, I have shared so much about me, and I just don't see any value in this conversation, you haven't offered anything, your advice hasn't been very useful, don't you have a personal experience or something? What is going to happen is that this person is going to want to try to prove what he wants to believe about himself, and to prove you wrong, so he will actually try to offer a little bit more than he did before, in this case, if your assumptions stand.

How does the social engineer use all that? Clearly the first columns, the interests and wants columns, help to be the ground to approach the other person, to engage with them, to talk on a level that they understand and are interested in, and to make conversation with them, and it helps a lot in building rapport. If he has that much information to work with, this is going to be relatively easy. The vulnerabilities column is used typically when you come across a blockage and you want to push the other person to give a little bit more, but always be careful with that, and of course everything is being tailored to the way you respond. He has a lot of information to work with now. On the other information, the overall personal brand, how does he use all that? It helps him a lot in his pretext. Why? Because we all like people that look like us; we feel like we come from the same tribe if we have a lot of shared personality points with another person. So what happens here is that a social engineer can use this whole table to craft his personality, because at the end of the day we like people that look like us, so he is going to look exactly like you.

And finally, you can do things about it, you can do something about it to increase your personal and organizational security. This is a little bit of a checklist. Some things are common sense, but just remember that common sense is not common practice. You can take a picture; I don't want to stay on this point very much. These are the do's; I'm out of time, so these are the don'ts. Good, and just remember, because I know this question will come: if I do all these things, am I going to be completely secure? The answer is no, never. But the point is not to be completely secure; the point here is that you want to eliminate layers of attackers, meaning that you don't want the schoolboys having a lot of leverage on you because they want to impress their first girlfriends. Thank you very much.

Thank you very much, Christina. The slides will be shared afterwards, so you will all get the chance to have a look at the best practices. I actually have the first question, the advantage of chairing a session. We were talking a lot about trust and insecurity; we talked a lot about trust, building trust in the security community, and being here to learn, and earlier we heard that people trust me too much, maybe I should doubt that. And you were presenting us with an example of people who are very confident, they trust in the others and they expose a lot of information. Where should the boundaries be?

The boundary should be on what you share about your job. The boundary should be on whether you say sensitive information, because a lot of people say sensitive information about their jobs. So, for example, in the case of the Romeos, if the women knew a little something, the women that were approached, if they knew a little something about social engineering, they would just stay partners, but when they would ask them for documents from their superiors they would not really give them, and they would be like, okay, you're my Romeo, I feel very connected with you, but I'm not supposed to do that. And there is a boundary, and there needs to be a boundary, on things that you should not share with others, and not just be too open or do too much, although, you know, it's against policy sometimes, because people do things against policy.

Thank you, and now for the first question. I will start there.

Hi, I'm Paul, I'm a penetration tester from the UK. If we were interested in adding social engineering or physical penetration testing to our skill sets, are there any resources that you'd recommend that we could start with, or any particular knowledge bases that you're aware of that you'd recommend that we could use as a resource?

Can you repeat?

So, for further research and further investigation into developing social engineering skills.

Social psychology is your go-to, definitely, because it helps you understand other people and it helps you be more comfortable in dealing with them. So social psychology definitely is a very relevant topic here.

Are there any particular sort of resources for research that you're aware of that we might be able to use, any particularly useful?

Yes, there are a lot, there are really a lot. We can have a conversation afterwards and I can tell you all about it, and whoever else wants is also very welcome, but otherwise this will be very wide.

Okay, next question. Let me start with the person in the back, since you already mentioned something before.

I actually have two questions.

Let's start with the first one, then let's see how many others we have.

The first one is: if you actively social engineer someone, do you have a personal problem with that? Because I, for example, stay a lot in Airbnb apartments, and you learn a lot about people if you just stay in the apartment, you see a lot of pictures on the wall, books and the furniture and stuff. Doesn't it feel creepy to you, and if yes, how do you deal with that personally?

Sure, sure. Sometimes you also need to sleep at night, as a person. What I do is that I separate my professional life and my personal life. I know that when I do it professionally, it's not so that I can con the other person and give him nightmares and harm them; I do it to help them, because if I don't do it and somebody else with malicious intent does it, then they're going to have a way worse time than if I do it and prepare them for somebody in the future that would have malicious intent. So on this side I feel good with myself, because I protect. But on the personal side I do not do this in my personal life, really, because, a very, very important differentiation, it is one thing to use the skill set to influence others and a whole other thing, sorry, to use it to manipulate others. Manipulation is very short-lived; at the end of the day somebody else will understand that you used it against them, and it's not doing them any good. But if you use this skill set to build others up and give tailored advice and help, this works much better. And then in your personal life, in anybody's personal life, I believe we all just want a clean slate and very clear relationships, and you cannot go very far in life without having very clear relationships with others. And that's how I sleep at night.

Thank you. Let's see how many other questions we have in the room before I let you do the second one. Hands up, who still has a question? Yeah.

I try to connect only with those people I've met before in the physical world. Would you recommend this as a rule of thumb? I say, really, found it on your physical world, on your everyday life. I'm on Facebook and on LinkedIn, you receive on a regular basis requests for connection, so I try to limit my answers to those I've met before in the physical world. Would you recommend this?

Yeah, I would recommend you basically don't add too many people that you don't know, and if you do, again, just know how what you say can be used against you, and know how to put your boundaries on what you will actually share with another person. Sometimes other people add you on Facebook so that you can see them around and feel a certain level of comfort with them if they come to approach you in the end, as if you knew them. So as a rule of thumb, if you don't really have to add anyone, don't add anyone.

We had a question from the right side of the room. All right, there's a question.

So does the Tom profile really exist, or is it just a profile you made for this presentation?

Everything is real. Everything comes from real profiles and from real people, and that's why faces and names are eliminated. But in fact there are also a lot of examples that I'm aware of, some examples that I have personally used this way, and they are all real.

Thanks. Who still has questions? Do we have anybody who belongs to a minority group who might have a question, since we had a lot of men asking questions so far? Women are the minority here. Okay, then hands up again, please, once more. I will go with this side of the room first.

Hi, thanks for the great talk. Maybe a follow-up on the thing about how you connect on Facebook or LinkedIn. We've recently seen a lot of people uploading their personal contacts to LinkedIn, because they make it kind of easy to go down that path. And regarding your example, do you have any suggestions, once the information is out there, how can I fix it afterwards?

It depends on the information that is out there, but, yeah, how can you fix it? Take it down if it doesn't really have to be there, and if you cannot take it down, you really need to find your ways of dealing with it, and of knowing the fact that somebody can use it. And there is also a honeypot strategy that you can have, so that if you upload some information that actually matters and you don't want it to be out there, depending on the content always, of course, you can also upload some honeypot information and mislead people. But that's a whole other story.

Okay, a big answer. And the last question for Christina's talk; there was somebody on this side of the room.

Okay, thank you very much for this great presentation. My question: as an incident responder, sometimes you, or users, or people generally, only notice afterwards that information they disseminated is critical and was used to breach some company or something. And you mentioned, yeah, don't upload, don't post critical information. I always find it very difficult to see: is this critical information that I'm posting right now? Sometimes, in this context, in today's context, it's not critical, but two weeks later you realize, oh crap, this was critical. What's your take on this?

Define critical information. Critical information, it also depends on

who is actually targeting you so for the not so sophisticated attackers critical information things like the vulnerability post that I posted things that show some type of witness weakness or things that expose things that happen in the company you should not really communicate what happens in the company because it can be used generally try to keep it as innocent as possibly if you can really name something that's completely innocent because you can see everything can be used in the end of the day so if somebody is extremely sophisticated every piece of information is critical information you cannot always control that and this is why training is so important in the end of the day you cannot control the threat of

having somebody using even the smallest piece of information against you but if your employees know how to handle attackers this is critical in fact and not as much why they sir because they are going to share things on the very very basic way nothing about the company nothing about the things that have not been published publicly about the company and yeah no vulnerabilities thank you thank you very much Christina [Applause]