
🔑 Key Takeaways

  1. Our past experiences, no matter how unpleasant, can shape our future in unforeseeable ways. Embrace your journey and use it to your advantage.
  2. Our experiences, both good and bad, can shape our paths in life and the skills we develop. Focus on positive interests and passions to create a fulfilling career despite setbacks.
  3. Be alert when interacting with strangers online, do not share personal information readily, and stay aware of the digital footprint you leave behind. Persevere through tough times and value small jobs for what they teach. OSINT skills can be built from publicly available information.
  4. The Social Engineering Village at Defcon hosts a Capture the Flag contest where participants use manipulative tactics to extract sensitive information from a target company in front of a live audience, testing their knowledge and skills in high-pressure situations.
  5. Social engineering can enhance communication and interpersonal skills. Participating in interactive events can improve confidence and OSINT skills. Public sources are valuable but staying ethical is crucial. The hacking culture can offer a sense of belonging and acceptance. Honing social engineering skills can be beneficial to everyone.
  6. Preparing with knowledge about a company's culture, technologies, and internal processes through OSINT can increase social engineering success rates. Social media platforms can reveal valuable information to impersonate trusted entities and gain access to sensitive information.
  7. With a well-prepared plan and thorough research on targets, a low-tech approach of using just three sheets of paper with prioritized flags, pretext details, and call goals helped Alethe secure the third position and enjoy the game more.
  8. With determination, focus, and preparation, mothers can successfully multitask and balance competing and caregiving responsibilities. Alethe's hacking competition experience demonstrates that even with a three-month-old baby, it's possible to compete and succeed.
  9. Building trust through friendly communication and relatable conversations can lead to successful outcomes, but it is important to consider the impact on the other person and make amends if necessary.
  10. Participating in safe learning experiences, winning competitions, and achieving success requires hard work, perseverance, and sacrifices. Success is a combination of talent, effort, and opportunity.
  11. Social engineering involves manipulating human psychology, and security awareness training is crucial to avoid falling prey to cybercriminals. Aspiring to enter the field can involve starting a consulting business or joining a security company with ample learning opportunities and exposure to different clients.
  12. Running phishing campaigns can improve awareness and reduce the risk of social engineering. A click rate in the 10% to 20% range is a realistic benchmark for a campaign today, and employees should treat suspicious URLs with caution to avoid credential theft.

📝 Podcast Summary

How Alethe's Unfortunate Life Led Her to a Unique Career in Social Engineering

Alethe, a social engineer working for Critical Insight, is good at reading people because of the series of unfortunate events and terrible relationships she faced in her life. Growing up in South Africa, Alethe had to grow up quickly when her parents separated when she was just seven years old. Her mom, who was like a cool big sister, let her explore her creative ideas and take risks without any guardrails. Alethe's interest in social engineering grew over time, and she now helps organizations that provide critical infrastructure, including DoD contractors, secure their systems. Alethe's unique journey shows that sometimes our past experiences can lead us to unexpected and valuable places.

Overcoming Adversity through Computer Science

Growing up with limited resources and freedom, Alethe developed manipulation and sneaky behaviors as a pre-teen. However, a strict Catholic school experience taught her the negative consequences of lying and over-embellishing. Despite the setback, Alethe's interest in computers and coding provided a focus and direction for her life. She pursued studies in science and computer science, ultimately leading to a fulfilling career. The key takeaway is that early experiences, both negative and positive, can have a significant impact on an individual's life trajectory and skill development.

The Importance of Online Safety and Perseverance in Career Journey

Alethe's experience of being groomed by a stranger she met online highlights the dangers of interacting with strangers online. Her story emphasizes the importance of being vigilant and aware while interacting with people online and not sharing personal information easily. Alethe's career journey, starting with a minimum wage job, teaches us the value of perseverance in difficult times and how small jobs can lead to a lot of learning and opportunities. Her acquisition of OSINT skills through her work at a title company highlights the power of publicly available information and reiterates the importance of staying informed and aware of the digital footprint we leave behind.

The High-Stakes World of Social Engineering at Defcon

Defcon is an annual hacking conference that features various villages where participants can try to hack different devices and systems. The Social Engineering Village is one of the most popular ones, where people learn how to manipulate others to get what they want. The main event in this village is the social engineering Capture the Flag contest, where contestants try to get information from a target company live on stage, with five hundred to a thousand hackers watching. The contestants have six weeks to investigate their target and gather information, and then they have twenty minutes to make the call and try to get specific flags of information assigned by the contest runners. It is a high-pressure situation that requires an in-depth understanding of social engineering tactics.

The Benefits of Social Engineering and Hacking Culture

Social engineering is a powerful tool that can help improve communication, and interpersonal skills in different settings such as business and relationships. Participating in interactive events such as capture the flag contests can help develop confidence and sharpen OSINT skills. Public sources are valuable to learn more about a target, but one has to be creative in gathering information while staying ethical. The hacking culture can offer a feeling of belonging and acceptance that can be difficult to find elsewhere. Being a misfit is not an issue in this environment and honing social engineering skills can be beneficial to anyone.

The Importance of OSINT in Social Engineering

Being over-prepared with knowledge about the company, its culture and the technologies it uses, gathered through OSINT, gives social engineers the information they need to succeed. Social engineers use company websites, review sites, job descriptions and Google dorking to gain insights into the company's internal processes. Social media platforms like Instagram can reveal geotagged employee pictures showing company IDs, badges, applications open on a monitor, and the location of the cafeteria. Such information can be used to impersonate an internal employee, vendor, or other trusted entity and gain access to sensitive information. The better equipped social engineers are with the data they have collected, the better their chances of success.

Alethe's Low-Tech Approach to Winning the Social Engineering CTF Competition

Alethe had a well-prepared plan and pretext for the social engineering Capture the Flag competition, which helped her secure third place. She had researched her targets thoroughly and had a clear idea of her goals for the call. Alethe had gone into the competition determined to do better than the sixth place she had taken the previous year. She took a low-tech approach: she brought in three sheets of paper, one with a list of all the flags she had prioritized, another with her pretext persona and target details, and the third with the key points of her pretext and her goals for the call. This preparation helped Alethe place well and, more than anything, enjoy the game.

Balancing Hacking and Motherhood: Alethe's Experience

Competing in a hacking competition with a three-month-old baby is not recommended, but Alethe, an experienced mother, managed it. She missed some calls to care for her baby and prayed she wouldn't cry while she competed. She pretexted as a new intern to access tech support and then targeted regional salespeople of a tobacco company. She used OSINT to learn about the company and confirmed information with the salespeople. She knew that the salespeople had company-issued laptops and cell phones, among other perks, which made it easy to ask confirmation questions. Alethe's experience shows that with determination, focus, and preparation, mothers can balance competing and caregiving responsibilities.

Building Trust for Successful Verification of Remote Workers' Laptops

The pretext of verifying the software and applications on remote workers' laptops before shipping out replacements succeeded because Alethe built trust and stayed friendly throughout the calls. Posing as an IT employee calling from headquarters, she offered the incentive of a new laptop and built a relatable conversation with each target. The approach removed objections and made the other person feel secure about the authenticity of the call, so they were forthcoming with information and the calls succeeded. Even so, Alethe was concerned about the impact on the people she had called and felt the need to apologize and make amends after the fact.

Success Requires Talents, Efforts, and Opportunities

Participating in safe learning experiences can help you learn from mistakes and improve skills. Winning competitions can lead to prestigious awards like the Defcon black badge, which can open up job opportunities. However, success often requires hard work, perseverance, and sacrifices. Alethe's journey to winning the social engineering contest involved over-researching her targets, impressing the audience with her flags and time management, missing her flight, attending the closing ceremonies with her baby, and driving seven hours overnight to get back home. Despite the challenges, Alethe hoped to turn her passion into a career or business. Overall, success requires a combination of talent, effort, and opportunity.

Social Engineering: Identifying and Strengthening Weak Points in Security

Social engineering is an emerging security field that helps companies identify and strengthen their weak points. It involves manipulating human psychology, which scammers and cybercriminals also use to exploit vulnerabilities. Companies can hire social engineers for physical assessments and phishing campaigns to test employees' ability to recognize and report suspicious activity. Regular security awareness training is also essential to avoid falling into the traps of social engineers. For those who aspire to enter the field, starting a consulting business and specializing in social engineering assessments and testing is an excellent option. Joining a security company, like Critical Insight, can also provide ample learning opportunities and exposure to different clients.

The Importance of Being Mindful of Phishing Attacks

Phishing is a serious security threat and businesses should be cautious. Social engineers set up a landing page and craft a suspicious URL to trick employees into entering their credentials. Alethe's job includes running phishing campaigns for companies, and she emphasises the importance of running towards uncomfortable conversations that are organic and real in order to get good at this. People are becoming more aware of social engineering, so companies should expect a click rate in the 10% to 20% range rather than the 30% to 60% that was once typical. Alethe's clients include organizations involved in critical infrastructure and even Department of Defense contractors. It is vital to be mindful of phishing attacks and their consequences.
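As an added example (not code from the podcast, from Alethe, or from Critical Insight), the script below shows two things a practitioner would want from a phishing exercise like the one described: click, submit and report rates computed from a campaign log, judged against the 10% to 20% click-rate band mentioned above, and a handful of heuristics that flag the kind of suspicious landing-page URL the episode warns about. The trusted domain example-corp.com, the sample URLs and the event log are all constructed assumptions, and the registered-domain check uses the last two host labels rather than the Public Suffix List, which is a simplification.

```python
"""Added example, not from the podcast or Critical Insight: phishing-campaign
metrics plus heuristics for suspicious landing-page URLs. All data is constructed."""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Assumption: the target organisation's real domain (constructed for this example).
TRUSTED_DOMAINS = {"example-corp.com"}

# Constructed campaign log: (user, action). "sent" marks the campaign population;
# "mallory" never received the lure (e.g. a forwarded copy) and must not count.
SAMPLE_EVENTS = [
    ("alice", "sent"), ("bob", "sent"), ("carol", "sent"), ("dave", "sent"),
    ("erin", "sent"), ("frank", "sent"), ("grace", "sent"), ("heidi", "sent"),
    ("ivan", "sent"), ("judy", "sent"),
    ("bob", "clicked"), ("dave", "clicked"), ("mallory", "clicked"),
    ("dave", "submitted"),
    ("alice", "reported"), ("bob", "reported"), ("erin", "reported"),
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike registered domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_url_reasons(url: str) -> list[str]:
    """Return the heuristics a URL trips; an empty list means nothing obvious.

    These are coarse awareness-level checks, not a phishing classifier."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme == "http":
        reasons.append("plain http")
    if parts.username or parts.password:
        reasons.append("credentials embedded in URL")
    try:
        ipaddress.ip_address(host)
        reasons.append("IP-literal host")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode label (possible homoglyph)")
    labels = host.split(".")
    # Simplification: treat the last two labels as the registered domain
    # (a real tool would consult the Public Suffix List).
    registered = ".".join(labels[-2:])
    if registered not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            brand = trusted.split(".")[0]
            if brand in host:
                # e.g. example-corp.com.login-portal.net: brand used as a subdomain
                reasons.append(f"brand '{brand}' inside untrusted host {registered}")
            elif edit_distance(registered, trusted) <= 2:
                reasons.append(f"look-alike of {trusted}")
    if len(labels) >= 5:
        reasons.append("deeply nested subdomains")
    return reasons


def campaign_metrics(events) -> dict:
    """Per-user rates over the sent population; repeated actions count once."""
    by_action: dict[str, set[str]] = {}
    for user, action in events:
        by_action.setdefault(action, set()).add(user)
    sent = by_action.get("sent", set())

    def rate(action: str) -> float:
        hits = by_action.get(action, set()) & sent  # ignore users never targeted
        return round(100.0 * len(hits) / len(sent), 1) if sent else 0.0

    click = rate("clicked")
    # Band from the episode: a 10% to 20% click rate is the realistic expectation.
    band = "below 10%" if click < 10 else "within 10-20%" if click <= 20 else "above 20%"
    return {"sent": len(sent), "click_rate": click, "submit_rate": rate("submitted"),
            "report_rate": rate("reported"), "click_band": band}


if __name__ == "__main__":
    print(campaign_metrics(SAMPLE_EVENTS))
    for u in ["https://example-corp.com/login", "http://192.0.2.10/owa/",
              "https://example-corp.com.login-portal.net/sso",
              "https://exarnple-corp.com/sso"]:
        print(u, "->", suspicious_url_reasons(u) or ["ok"])
```

The report rate matters as much as the click rate: a campaign where reports outnumber clicks, as in the constructed log, is the outcome an awareness programme is actually after, and the intersection with the sent set keeps forwarded or replayed lures from inflating either number.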