WEBVTT 1 00:00:00.120 --> 00:00:02.359 I have to admit I spent I don't know, maybe 2 00:00:02.399 --> 00:00:05.839 twenty minutes this morning stressing over a new password. I 3 00:00:05.879 --> 00:00:09.919 did the whole routine, you know, capital letters, a number, 4 00:00:10.039 --> 00:00:13.080 a special symbol, the whole nine yards, the whole nine yards. 5 00:00:13.240 --> 00:00:15.839 And I sat there looking at it, thinking, Okay, this 6 00:00:15.880 --> 00:00:19.559 is it. I am fort Knox. Nobody is getting into 7 00:00:19.640 --> 00:00:20.199 this account. 8 00:00:20.280 --> 00:00:23.760 It's a satisfying feeling, though, isn't it locking that digital door? 9 00:00:23.920 --> 00:00:26.160 It is? But then I started reading the material for 10 00:00:26.199 --> 00:00:31.280 today's deep dive, and that feeling of security just completely 11 00:00:31.359 --> 00:00:36.920 evaporated because I realized my twelve character uncrackable password, it's 12 00:00:36.920 --> 00:00:40.039 just totally useless if I will, if I just tell 13 00:00:40.079 --> 00:00:40.399 it to you. 14 00:00:40.960 --> 00:00:43.399 And that is the uncomfortable truth we're digging into today. 15 00:00:43.159 --> 00:00:46.960 We tend to think of security as a technology problem. Firewalls, encryption, 16 00:00:47.000 --> 00:00:49.439 two factor off, all the tech stuff, but we almost 17 00:00:49.520 --> 00:00:53.560 always ignore the single biggest vulnerability in any system. And 18 00:00:53.600 --> 00:00:56.359 it's not the software. It's not the hardware, it's the meatware. 19 00:00:56.600 --> 00:00:59.079 It's us, the human being sitting in the chair. 20 00:00:59.359 --> 00:01:04.239 Precisely today, we're diving into social engineering. The Art of 21 00:01:04.319 --> 00:01:08.599 Human Hacking by Christopher Hadniggi and this source, it really 22 00:01:08.680 --> 00:01:10.599 challenges that traditional idea of. 23 00:01:10.480 --> 00:01:11.400 What a hacker is. 24 00:01:11.640 --> 00:01:14.359 Yeah, when I think hacker, I picture, you know, a 25 00:01:14.400 --> 00:01:17.840 guy in a hoodie in a dark room furiously typing 26 00:01:17.920 --> 00:01:19.760 green code onto a black screen. 27 00:01:19.959 --> 00:01:20.560 We all do. 28 00:01:20.680 --> 00:01:24.840 But Hadniggi argues that the most dangerous hackers don't hack computers. 29 00:01:25.000 --> 00:01:28.879 They hack people. He defines social engineering as and I 30 00:01:28.879 --> 00:01:31.400 want to get this wording right, the art and science 31 00:01:31.439 --> 00:01:34.200 of skillfully maneuvering human beings to take action. 32 00:01:34.400 --> 00:01:37.000 And we should probably clarify that action is usually something 33 00:01:37.040 --> 00:01:39.959 that is definitely not in their best interest. It's manipulation. 34 00:01:40.840 --> 00:01:43.879 But it's not just you know, lying, it's manipulation down 35 00:01:43.920 --> 00:01:44.599 to a science. 36 00:01:44.719 --> 00:01:47.879 The source uses this metaphor that I found really really helpful. 37 00:01:48.239 --> 00:01:50.840 It compares a social engineer to a master chef. 38 00:01:51.000 --> 00:01:52.799 I like that analogy a lot. It really works. 39 00:01:52.879 --> 00:01:55.079 It makes sense, right, because a chef doesn't just throw 40 00:01:55.120 --> 00:01:57.599 one raw ingredient on a plate. You don't just hand 41 00:01:57.599 --> 00:01:59.680 someone to raw potato and call it a meal. You 42 00:01:59.719 --> 00:02:00.480 have to mix. 43 00:02:00.359 --> 00:02:04.000 Things right, and in the world of social engineering, those 44 00:02:04.200 --> 00:02:09.919 ingredients are things like elicitation, pretexting, and psychological triggers. 45 00:02:10.479 --> 00:02:13.199 So a master social engineer minces them in just the 46 00:02:13.280 --> 00:02:16.479 right amounts, adds a little pressure or urgency the heat, 47 00:02:16.560 --> 00:02:19.639 the heat, and serves up the perfect attack. They're blending 48 00:02:19.680 --> 00:02:22.960 all these elements to bypass your logic and get to 49 00:02:23.000 --> 00:02:25.360 your emotional control panel. 50 00:02:25.479 --> 00:02:28.120 Okay, but before we get too deep into this recipe, 51 00:02:28.159 --> 00:02:30.400 we need to drop a massive disclaimer. 52 00:02:29.919 --> 00:02:31.400 Here, Yes, a big one. 53 00:02:31.439 --> 00:02:32.120 The stuff we're. 54 00:02:31.960 --> 00:02:34.960 Talking about today, this is the playbook used by criminals, 55 00:02:35.520 --> 00:02:37.039 con artists, spies. 56 00:02:37.159 --> 00:02:38.960 We have to be crystal clear about that. Yeah, the 57 00:02:39.000 --> 00:02:40.800 purpose of this deep dive and the purpose of a 58 00:02:40.800 --> 00:02:44.199 Hadnig's book is strictly security through education. Right. 59 00:02:44.400 --> 00:02:46.520 You can't defend yourself against a weapon if you don't 60 00:02:46.520 --> 00:02:49.159 even know what it looks like. We're analyzing these methods 61 00:02:49.159 --> 00:02:51.479 so you can spot them, not so you can go 62 00:02:51.520 --> 00:02:52.159 out and use them. 63 00:02:52.240 --> 00:02:53.199 Please do not rob a bank. 64 00:02:53.240 --> 00:02:53.840 The police don't. 65 00:02:54.199 --> 00:02:56.319 All right, So let's look at that first ingredient in 66 00:02:56.360 --> 00:02:59.520 the chef's kitchen. The source argues this is the foundation 67 00:02:59.639 --> 00:03:02.240 of every it's information gathering. 68 00:03:02.520 --> 00:03:06.280 Yeah, there's a quote in there from Napoleon Bonaparte. War 69 00:03:06.439 --> 00:03:09.800 is ninety percent information. If a social engineer wants to 70 00:03:09.840 --> 00:03:12.599 target you, they don't just walk up cold they do 71 00:03:12.680 --> 00:03:13.599 their homework first. 72 00:03:13.879 --> 00:03:15.919 And when we say homework, we are not talking about 73 00:03:15.960 --> 00:03:19.639 a quick Google search. The level of detail here is obsessive. 74 00:03:19.759 --> 00:03:21.400 There's a case study in the book about a guy 75 00:03:21.479 --> 00:03:22.520 named Madia Heroni. 76 00:03:22.680 --> 00:03:24.120 Oh yeah, this one's great. 77 00:03:24.159 --> 00:03:26.960 He's a professional penetration tester. Yeah, one of the good guys. 78 00:03:27.159 --> 00:03:27.360 Right. 79 00:03:27.520 --> 00:03:30.680 He's hired to break into this secure banking facility. But 80 00:03:30.759 --> 00:03:34.719 this place was a fortress, almost zero web footprint, no 81 00:03:34.840 --> 00:03:39.759 obvious servers to attack, tight physical security, a hard target. 82 00:03:39.879 --> 00:03:42.560 So the front door is locked, the back doors walk, all. 83 00:03:42.479 --> 00:03:45.960 The windows are barred exactly. So Madie stops looking at 84 00:03:46.000 --> 00:03:48.560 the building and starts looking at the people inside. He 85 00:03:48.599 --> 00:03:52.000 starts digging into the personal lives of the high ranking staff. 86 00:03:51.680 --> 00:03:56.240 And he finds this one tiny, seemingly useless detail about 87 00:03:56.240 --> 00:03:57.479 a top executive. 88 00:03:57.560 --> 00:03:59.800 He was a member of a stamp collecting forum stamp. 89 00:04:00.599 --> 00:04:03.360 I mean, come on, you literally cannot get a more 90 00:04:03.400 --> 00:04:04.479 innocent hobby than that. 91 00:04:04.879 --> 00:04:07.280 It seems innocent to you and me, but to a 92 00:04:07.319 --> 00:04:11.199 social engineer, that's a golden ticket. Madi saw that this 93 00:04:11.360 --> 00:04:14.879 executive was really active in threads about rare stamps from 94 00:04:14.919 --> 00:04:16.439 the nineteen fifties, so. 95 00:04:16.360 --> 00:04:18.480 He didn't attack the bank. He attacked the hobby. 96 00:04:18.600 --> 00:04:19.959 He pivoted completely. 97 00:04:20.360 --> 00:04:23.920 Maddy went and registered a domain Stamp collection dot com 98 00:04:24.040 --> 00:04:27.759 or something like that. He built a fake website, filled 99 00:04:27.800 --> 00:04:31.160 it with pictures of these rare nineteen fifties stamps. 100 00:04:30.879 --> 00:04:32.720 And then he crafted the perfect. 101 00:04:32.360 --> 00:04:36.160 Email, posing as someone who just inherited his grandfather's collection. 102 00:04:36.839 --> 00:04:38.920 Hey, I have these old stamps. Are they worth anything? 103 00:04:39.199 --> 00:04:41.079 That was the hook, and he sends this to the 104 00:04:41.120 --> 00:04:42.600 executive's corporate email. 105 00:04:42.680 --> 00:04:44.720 Now you gotta put yourself in the executive's shoes. 106 00:04:44.759 --> 00:04:48.680 You're at work thinking about spreadsheets, right Suddenly an email 107 00:04:48.680 --> 00:04:52.199 pops up about your absolute favorite niche passion. Your guard 108 00:04:52.240 --> 00:04:54.160 doesn't just go down, it vanishes. 109 00:04:54.279 --> 00:04:55.000 He clicks the link. 110 00:04:55.120 --> 00:04:57.040 Of course, he clicks the link, and that's where the 111 00:04:57.079 --> 00:05:00.519 tech comes in. The website had a malicious frame embedded 112 00:05:00.600 --> 00:05:03.879 in it that exploited a vulnerability and Internet explorer. 113 00:05:03.959 --> 00:05:05.800 So he didn't even have to download a file called 114 00:05:05.839 --> 00:05:07.399 virus dot ex or anything. 115 00:05:07.639 --> 00:05:09.959 Nope, he just had to look at the pretty stamps. 116 00:05:10.600 --> 00:05:13.680 The moment the page loaded, Maddy had control of his 117 00:05:13.759 --> 00:05:17.439 computer and through that the entire banking network. 118 00:05:17.680 --> 00:05:21.279 That is terrifying because the executive didn't do anything stupid, 119 00:05:21.600 --> 00:05:23.800 you know, he just engaged with his hobby. 120 00:05:24.000 --> 00:05:25.199 That's the chef at work. 121 00:05:25.639 --> 00:05:29.720 But information gathering isn't always that high tech. Sometimes it's 122 00:05:30.120 --> 00:05:34.160 remarkably gross. We have to talk about dumpster diving. 123 00:05:34.399 --> 00:05:36.680 I was hoping we'd get here. The book spans a 124 00:05:36.680 --> 00:05:39.800 surprising amount of time on trash. I guess the logic 125 00:05:39.920 --> 00:05:42.879 is one man's trash is another man's password. 126 00:05:43.040 --> 00:05:44.000 It's a gold mine. 127 00:05:44.040 --> 00:05:46.120 People assume that once they toss something in the bin, 128 00:05:46.199 --> 00:05:47.720 it just sort of disappeared. 129 00:05:47.279 --> 00:05:48.800 Yeah, into the magic trash void. 130 00:05:48.959 --> 00:05:51.959 But until that truck comes, it's fair game. The source 131 00:05:52.000 --> 00:05:55.519 tells this story about the Canadian CTU, the counter Terrorism Unit. 132 00:05:55.720 --> 00:05:57.879 Now, if I'm thinking secure organizations, these guys are at 133 00:05:57.920 --> 00:05:58.519 the top of my. 134 00:05:58.560 --> 00:05:59.560 List, you would hope so. 135 00:06:00.279 --> 00:06:02.920 But a social engineer, just to prove a point during 136 00:06:02.959 --> 00:06:05.800 an audit, went through their garbage and he found top 137 00:06:05.839 --> 00:06:07.199 secret defense documents. 138 00:06:07.399 --> 00:06:07.759 No way. 139 00:06:07.959 --> 00:06:09.360 Oh yeah, we're talking. 140 00:06:09.160 --> 00:06:13.439 Floor plans of the Canadian Joint Incident Response Unit, locations 141 00:06:13.480 --> 00:06:15.959 of security fences, patrol schedules. 142 00:06:16.759 --> 00:06:18.120 Just sitting there in a bag. 143 00:06:18.199 --> 00:06:21.759 Thatd is just negligence on a whole other level. Yeah, 144 00:06:21.800 --> 00:06:24.079 but surely most places shred that stuff. 145 00:06:24.319 --> 00:06:26.040 They do, but even then people mess it up. I 146 00:06:26.040 --> 00:06:28.319 didn't realize there was such a strict hierarchy of shredders. 147 00:06:28.360 --> 00:06:30.199 The strip cut versus crosscut debate. 148 00:06:30.279 --> 00:06:31.560 Yeah, it matters so much. 149 00:06:31.600 --> 00:06:34.199 Most people buy those cheap strip cut shudders that turn 150 00:06:34.279 --> 00:06:36.079 paper into what spaghetti? 151 00:06:36.199 --> 00:06:38.000 Yeah, like long ribbons exactly. 152 00:06:38.560 --> 00:06:41.240 Well, if you have enough patients, and social engineers have 153 00:06:41.480 --> 00:06:44.560 infinite patients, you can just tape those back together. There's 154 00:06:44.560 --> 00:06:46.279 even software that can do it for you now. 155 00:06:46.360 --> 00:06:48.720 So a strip cut shredder is basically just a puzzle 156 00:06:48.759 --> 00:06:50.560 maker for bad guys pretty much. 157 00:06:50.680 --> 00:06:53.560 The source says, you need a crosscut shredder, the kind 158 00:06:53.560 --> 00:06:56.959 that turns paper into confetti, a fine minced mess. You 159 00:06:57.000 --> 00:06:58.759 aren't taping that back together, No. 160 00:06:58.800 --> 00:07:01.959 To self, buy a better shredder. Yeah, but it's not 161 00:07:02.040 --> 00:07:06.040 just physical anymore. It's digital. The book uses this TERMO 162 00:07:06.160 --> 00:07:07.680 loved digital exhaust. 163 00:07:08.040 --> 00:07:11.399 It's a perfect metaphor. Right, we leave traces of ourselves 164 00:07:11.439 --> 00:07:16.040 everywhere online. The source mentions a site called icanstockhu dot com. 165 00:07:16.279 --> 00:07:20.000 It doesn't exist anymore, but it showed how dangerous geotagging is. 166 00:07:20.319 --> 00:07:23.600 That's when your phone embeds the GPS coordinates right into 167 00:07:23.680 --> 00:07:24.399 the photo file. 168 00:07:24.519 --> 00:07:26.800 Yes, so people were posting pictures of their cats or 169 00:07:26.839 --> 00:07:30.560 their dinner on Twitter. This site just scraped those photos 170 00:07:30.560 --> 00:07:32.480 and plotted them on a map in real time so 171 00:07:32.519 --> 00:07:34.600 you could see, Oh, user one two three is that 172 00:07:34.720 --> 00:07:36.839 this specific intersection right now? 173 00:07:37.040 --> 00:07:39.279 Or even worse, User one two three is in Hawaii, 174 00:07:39.480 --> 00:07:41.879 which really means User one two three is definitely not 175 00:07:42.000 --> 00:07:44.160 at home, so come rob their house exactly. 176 00:07:44.240 --> 00:07:47.279 It's creating a pattern of life, and that brings us 177 00:07:47.279 --> 00:07:49.680 to the next big section. Once you have the dots, 178 00:07:49.720 --> 00:07:52.240 the info, you have to connect them, and you do 179 00:07:52.319 --> 00:07:53.519 that by talking to people. 180 00:07:53.800 --> 00:07:55.319 This is the art of elicitation. 181 00:07:55.600 --> 00:07:58.560 Elicitation it's one of those things that feels like a 182 00:07:58.680 --> 00:08:01.439 superpower once you learn what it is. The book defines 183 00:08:01.480 --> 00:08:04.920 it as the subtle extraction of information during an apparently 184 00:08:04.959 --> 00:08:05.920 normal conversation. 185 00:08:06.199 --> 00:08:09.040 The keyword there is normal. It can't feel like an 186 00:08:09.079 --> 00:08:10.079 interrogation right. 187 00:08:10.120 --> 00:08:11.279 If it does, you've failed. 188 00:08:11.600 --> 00:08:14.839 It relies on our deep seated human programming. We're wired 189 00:08:14.879 --> 00:08:18.279 to be polite, to seem helpful, to look intelligent. We 190 00:08:18.399 --> 00:08:19.560 love to be praised, and. 191 00:08:19.519 --> 00:08:23.040 There's this specific technique in the book called the false statement. 192 00:08:23.399 --> 00:08:25.560 I actually tried this on a friend the other day, 193 00:08:25.600 --> 00:08:28.639 and I was shocked at how fast it worked. 194 00:08:28.800 --> 00:08:30.439 It is frightfully effective. 195 00:08:30.720 --> 00:08:30.959 Yeah. 196 00:08:31.040 --> 00:08:34.399 The basic idea is, if you want the truth, don't 197 00:08:34.440 --> 00:08:36.600 ask a question, tell a lie. 198 00:08:36.840 --> 00:08:40.320 Right, Because people have this burning need to correct others. Yeah, 199 00:08:40.639 --> 00:08:42.799 we hate being wrong, but we love pointing out when 200 00:08:42.799 --> 00:08:44.440 someone else's it's the ego. 201 00:08:44.919 --> 00:08:48.519 So a social engineer doesn't ask what were your sales 202 00:08:48.600 --> 00:08:50.720 last quarter? That's a huge red flag. 203 00:08:50.840 --> 00:08:52.919 Instead they lean in and say something like, man, I 204 00:08:52.960 --> 00:08:55.240 heard you guys had a rough quarter. Rumor as sales 205 00:08:55.279 --> 00:08:57.240 are down to like, what, twenty three percent, And. 206 00:08:57.200 --> 00:09:00.679 The employee's brain just snaps, what, No, way, we did great, 207 00:09:00.840 --> 00:09:02.320 we were at thirty percent. 208 00:09:02.080 --> 00:09:04.960 And boom, you just handed over proprietary data. Yeah, and 209 00:09:05.000 --> 00:09:07.399 you feel good about it because you defended your company, You. 210 00:09:07.360 --> 00:09:10.120 Corrected him misconception. You don't even realize you've been played. 211 00:09:10.240 --> 00:09:12.399 There's a much heavier example in the book, though it 212 00:09:12.399 --> 00:09:15.559 involves nuclear weapons. This one gave me chills. 213 00:09:16.000 --> 00:09:18.519 This is the story of the senior scientists from Los 214 00:09:18.559 --> 00:09:22.639 Almos who visited China in nineteen eighty. Now this guy 215 00:09:22.720 --> 00:09:25.200 knew the Chinese scientists were going to pump him for 216 00:09:25.279 --> 00:09:26.879 info on neutron. 217 00:09:26.440 --> 00:09:28.480 Bombs, so he had his guard up. He was ready 218 00:09:28.480 --> 00:09:29.240 for the interrogation. 219 00:09:29.399 --> 00:09:33.559 He was, and he stonewalled them on every classified question. 220 00:09:34.200 --> 00:09:37.600 But elicitation works best when your guard is down. So 221 00:09:37.720 --> 00:09:42.879 there's a dinner, cocktails, toasts, everyone's relaxed. 222 00:09:42.519 --> 00:09:43.879 And he starts telling a story. 223 00:09:44.159 --> 00:09:46.759 He uses an analogy. He's trying to explain fusion, so 224 00:09:46.799 --> 00:09:49.879 he makes a hand gesture. He talks about rolling deterium 225 00:09:49.879 --> 00:09:51.960 and tritium into a ball and then rolling them off 226 00:09:51.960 --> 00:09:52.399 a table. 227 00:09:52.480 --> 00:09:54.360 Now to me, that sounds like this. It's not nonsense 228 00:09:54.480 --> 00:09:55.679 rolling off a table. 229 00:09:55.519 --> 00:09:58.840 To a lay person, yes, But to the Chinese researchers 230 00:09:58.879 --> 00:10:01.240 who were stuck on how to ignite the reaction, that 231 00:10:01.360 --> 00:10:04.519 was everything. By describing it as rolling a ball, he 232 00:10:04.639 --> 00:10:07.879 was inadvertently confirming a theory about spherical compression. 233 00:10:08.000 --> 00:10:10.360 He didn't give a formula, but that one little analogy that. 234 00:10:10.279 --> 00:10:12.799 Was a missing puzzle piece. He gave away the method 235 00:10:12.840 --> 00:10:14.879 of ignition with a hand gesture because he wanted to 236 00:10:14.919 --> 00:10:15.759 tell a good story. 237 00:10:16.039 --> 00:10:20.759 Wow. Speaking of manipulation, there's another trick called preloading. This 238 00:10:20.799 --> 00:10:23.759 is less about getting info out and more about planting 239 00:10:23.840 --> 00:10:25.000 an idea. Right. 240 00:10:25.440 --> 00:10:28.159 Preloading is about manipulating the context, so that when you 241 00:10:28.279 --> 00:10:31.039 ask for something, the answer is already yes in the 242 00:10:31.080 --> 00:10:31.919 target's brain. 243 00:10:32.279 --> 00:10:36.639 The book uses the steak dinner strategy. I feel like 244 00:10:36.679 --> 00:10:37.799 I've been the victim of this one. 245 00:10:37.919 --> 00:10:41.120 We all have a husband wants steak, knows his wife 246 00:10:41.159 --> 00:10:42.159 hates the steakhouse. 247 00:10:42.440 --> 00:10:44.679 If he just asked directly, she'll say no. 248 00:10:45.000 --> 00:10:47.080 So he asked a hacker in a way. 249 00:10:47.440 --> 00:10:49.679 Early in the day, he mentions how good the neighbor's 250 00:10:49.759 --> 00:10:53.440 grilling smells. Later, he leaves a coupon for the steakhouse 251 00:10:53.519 --> 00:10:55.799 on the counter. He's setting the stage. 252 00:10:56.080 --> 00:10:57.559 He's marinating her brain in the. 253 00:10:57.519 --> 00:11:00.000 Idea of steak exactly by the time he actually asked, 254 00:11:00.279 --> 00:11:03.000 she's much more likely to say yes. He manipulated the 255 00:11:03.039 --> 00:11:05.039 sensory input to get the results he wanted. 256 00:11:05.120 --> 00:11:08.200 Okay, so we've gathered the ingredients, we've mixed them with elicitation. 257 00:11:08.559 --> 00:11:12.120 Now we get to the performance. Section three. Pre Texting. 258 00:11:12.320 --> 00:11:15.240 Pretexting is what people usually think of as the con 259 00:11:15.679 --> 00:11:17.720 but the book makes a key distinction. It is not 260 00:11:17.840 --> 00:11:19.879 just lying. Lying is saying I'm a doctor. 261 00:11:20.200 --> 00:11:24.559 Pretexting is wearing the scrubs, having the stethoscope, knowing the jargon, 262 00:11:24.960 --> 00:11:28.080 and acting like you're late for surgery. It's method acting. 263 00:11:28.000 --> 00:11:31.000 And the golden rule here is simplicity. Amateurs create these 264 00:11:31.039 --> 00:11:35.120 super elaborate backstories that fall apart under pressure. A good 265 00:11:35.120 --> 00:11:38.519 pretext is simple, Hi, I'm from it, I'm here to 266 00:11:38.519 --> 00:11:39.200 fix the printer. 267 00:11:39.679 --> 00:11:42.080 We have to talk about the Stanley Mark Rifkin heist. 268 00:11:42.799 --> 00:11:44.440 This case, steady reads like a movie. 269 00:11:44.519 --> 00:11:47.799 It's a classic. Riffkin was a computer consultant for a bank. 270 00:11:47.960 --> 00:11:49.480 He had a badge that got him in the building. 271 00:11:49.759 --> 00:11:52.679 He walks down to the secure wire transfer room. 272 00:11:52.759 --> 00:11:53.840 He just walks in like he. 273 00:11:53.799 --> 00:11:54.559 Owns the place. 274 00:11:54.840 --> 00:11:58.039 He's taking notes, acting busy, and he spots the daily 275 00:11:58.080 --> 00:12:00.440 transfer code written on a piece of paper pinned to 276 00:12:00.480 --> 00:12:00.960 the wall. 277 00:12:01.159 --> 00:12:04.039 Which can we just pause on that writing the password on. 278 00:12:04.039 --> 00:12:05.120 The wall huge failure. 279 00:12:05.480 --> 00:12:09.360 But notice what Rifkin does. He doesn't steal anything. He 280 00:12:09.440 --> 00:12:12.039 memorizes the code and walks out. He goes to a payphone. 281 00:12:12.080 --> 00:12:13.440 This was the seventies, right. 282 00:12:13.320 --> 00:12:15.600 And he calls the very room he was just in, 283 00:12:15.960 --> 00:12:18.919 And this is the pretext. He becomes Mike Hanson, a 284 00:12:18.919 --> 00:12:22.039 branch manager. He's casual, professional. He gives the clerk the 285 00:12:22.080 --> 00:12:23.360 code he just memorized, and. 286 00:12:23.360 --> 00:12:27.279 Because he had the code, the clerk trusted the voice exactly. 287 00:12:27.879 --> 00:12:31.000 The clerk's brain thinks only authorized people have the code, 288 00:12:31.039 --> 00:12:35.480 so Mike Hanson must be real. Rifkin transferred ten point two. 289 00:12:35.320 --> 00:12:39.519 Million dollars, ten million dollars, No guns, no masks, no 290 00:12:39.600 --> 00:12:42.480 computer hacking, just a payphone and a fake name. 291 00:12:42.639 --> 00:12:45.600 That is the power of a good pretext. But it's 292 00:12:45.639 --> 00:12:48.399 not just lone wolves. The book brings up the Hewlett 293 00:12:48.399 --> 00:12:51.480 Packard scandal. This was corporate warfare. 294 00:12:51.879 --> 00:12:53.080 Yeah, this one shocked me. 295 00:12:53.360 --> 00:12:55.480 The chairman of HP was trying to find a leak 296 00:12:55.519 --> 00:12:58.440 on her board, so she hired security consultants who started 297 00:12:58.480 --> 00:12:59.960 calling phone companies and. 298 00:13:00.080 --> 00:13:01.919 They pretended to be the board members themselves. 299 00:13:02.000 --> 00:13:02.480 They did. 300 00:13:02.720 --> 00:13:06.080 They impersonated them, use their social security numbers, and use 301 00:13:06.159 --> 00:13:09.159 these heartfelt please to customer service reps to get their 302 00:13:09.200 --> 00:13:10.320 personal phone records. 303 00:13:10.399 --> 00:13:10.720 Wow. 304 00:13:11.000 --> 00:13:11.639 It shows that. 305 00:13:11.600 --> 00:13:14.039 Even at the highest levels, these tactics are used because 306 00:13:14.039 --> 00:13:16.960 they work. It really blurs the line between a security 307 00:13:16.960 --> 00:13:18.279 audit and a criminal act. 308 00:13:18.759 --> 00:13:22.240 So underneath all of this there's a psychological game being played. 309 00:13:22.240 --> 00:13:24.519 The book talks about thinking like a hacker. 310 00:13:24.720 --> 00:13:27.799 It's a total mindset shift. A normal person sees a 311 00:13:27.799 --> 00:13:31.120 trash bag as garbage a social engineer sees it as 312 00:13:31.159 --> 00:13:31.639 a puzzle. 313 00:13:31.879 --> 00:13:33.600 There's that story about the rental car. 314 00:13:33.799 --> 00:13:37.000 Right, a social engineer found a ripped up check in 315 00:13:37.039 --> 00:13:40.320 a rental car. Most people would ignore it. This guy 316 00:13:40.440 --> 00:13:43.159 taped it back together. He had the account number, the name, 317 00:13:44.000 --> 00:13:48.120 everything for identity theft. He saw value where we see waste. 318 00:13:48.360 --> 00:13:51.720 And then there's cognitive dissonance. How does a hacker use that. 319 00:13:51.919 --> 00:13:54.639 It's that uncomfortable feeling you get when you hold two 320 00:13:54.759 --> 00:13:58.320 conflicting beliefs. Your brain hates it and wants to resolve 321 00:13:58.320 --> 00:13:59.000 it immediately. 322 00:13:59.120 --> 00:13:59.879 Okay, so give meetings. 323 00:14:00.480 --> 00:14:02.879 A guy walks into your restricted office. He's wearing a 324 00:14:02.919 --> 00:14:06.559 confident smile and holding a clipboard. Your brain sees two 325 00:14:06.600 --> 00:14:10.799 things belief A intruder belief B he looks like he 326 00:14:10.840 --> 00:14:11.440 belongs here. 327 00:14:11.559 --> 00:14:14.480 In my brain wants the path of least resistance exactly. 328 00:14:14.600 --> 00:14:17.480 It's socially awkward to confront someone. It's easy to assume 329 00:14:17.480 --> 00:14:19.720 they belong so your brain just decides, I mean, it's 330 00:14:19.759 --> 00:14:23.240 probably fine. The social engineer uses your own politeness against you. 331 00:14:23.879 --> 00:14:25.840 There's one last concept that sounds like it's from a 332 00:14:25.879 --> 00:14:28.279 sci fi novel, the human buffer overflow. 333 00:14:28.559 --> 00:14:31.679 Yeah, so in computing a buffer overflow is when you 334 00:14:31.720 --> 00:14:34.519 flood a program with too much data and it crashes, 335 00:14:34.879 --> 00:14:36.120 letting you rewrite the code. 336 00:14:36.200 --> 00:14:37.919 And the theory is you can do the same thing 337 00:14:37.960 --> 00:14:38.559 to a person. 338 00:14:38.759 --> 00:14:42.600 You overload their sensory input. Think of a mother with 339 00:14:42.679 --> 00:14:46.559 a screaming baby at an airline counter. The attendant is 340 00:14:46.600 --> 00:14:51.039 being hit with auditory stress, emotional stress, social pressure. 341 00:14:51.200 --> 00:14:52.519 Their brain just locks up. 342 00:14:52.559 --> 00:14:56.320 It stops processing logic, it goes into survival mode. The 343 00:14:56.360 --> 00:14:59.159 attendant might just stamp the ticket to make the noise 344 00:14:59.200 --> 00:15:00.679 stop bypath protocol. 345 00:15:00.759 --> 00:15:03.039 And a social engineer can fake that chaos. 346 00:15:03.120 --> 00:15:06.519 They can manufacture it. They can scream, act furious, create 347 00:15:06.600 --> 00:15:09.360 artificial urgency to overload you so that you stop thinking 348 00:15:09.440 --> 00:15:10.759 and just react. 349 00:15:10.879 --> 00:15:15.919 That is devious. So where does this leave us? I 350 00:15:15.919 --> 00:15:18.080 mean it feels like the deck is stacked against us. 351 00:15:18.159 --> 00:15:19.200 It can feel that way. 352 00:15:19.399 --> 00:15:22.399 But remember the goal security through education, right. 353 00:15:22.519 --> 00:15:25.320 You can't patch a human like you patch software. I 354 00:15:25.320 --> 00:15:27.480 can't download a security update from my brain. 355 00:15:27.720 --> 00:15:31.000 No, but you can upgrade your own software through knowledge. 356 00:15:31.480 --> 00:15:34.799 If you know elicitation is a real technique, you'll pause 357 00:15:34.840 --> 00:15:37.799 the next time a stranger asks a weirdly specific question 358 00:15:37.840 --> 00:15:38.559 about your work. 359 00:15:38.679 --> 00:15:41.080 And if you know about pretexting. You'll actually double check 360 00:15:41.120 --> 00:15:43.360 the ide of the guy who says he's from the. 361 00:15:43.279 --> 00:15:44.399 Water company exactly. 362 00:15:44.639 --> 00:15:48.559 It's about moving your default setting from trust to verify. 363 00:15:49.080 --> 00:15:51.120 I want to leave everyone with a final thought that 364 00:15:51.200 --> 00:15:55.879 really stuck with me. We talk about digital exhaust. I 365 00:15:55.879 --> 00:15:57.759 want you to think about your own life for a second. 366 00:15:57.840 --> 00:15:59.240 It's a scary thought experiment. 367 00:16:00.720 --> 00:16:04.879 Spend just one week digging through your trash, reading your 368 00:16:04.879 --> 00:16:07.799 shredded mail, and looking at the geotags in your last 369 00:16:07.840 --> 00:16:11.399 five photos. Could they become you? Could they walk into 370 00:16:11.440 --> 00:16:13.679 your bank and convince the teller they are you. 371 00:16:14.080 --> 00:16:16.559 That is the question everyone should ask themselves before they 372 00:16:16.559 --> 00:16:19.120 post that next photo or toss that bank statement. 373 00:16:18.759 --> 00:16:19.159 In the bin. 374 00:16:19.440 --> 00:16:23.000 Definitely something Tom all over, Stay safe out there, watch 375 00:16:23.039 --> 00:16:25.600 your trash, and thanks for listening to this deep dive. 376 00:16:25.919 --> 00:16:26.600 Be safe.