This document discusses social engineering and how humans can be manipulated to gain access to information. It provides historical examples of social engineering attacks and explains that social engineering works because people are kind, naive, trusting and scared. The document outlines the social engineering process of identifying a target, determining the objective, and creating a plan to manipulate the target into divulging information. It argues that in today's digital world, people leave extensive online footprints that can be used against them in social engineering attacks.

1. Because We Are Just
Humans
EHB Keynote - April 2014 - Xavier Mertens

2. TrueSec
$ whoami
• Xavier Mertens (@xme)
!
• Consultant @ day
!
• Blogger, Hacker @ night
!
• BruCON co-organizer
2

3. TrueSec
The InfoSec World…
3

4. TrueSec
$ cat disclaimer.txt
“The opinions expressed in this presentation
are those of the speaker and do not necessarily
reflect those of past, present employers,
partners or customers.”
4

5. TrueSec
Agenda
5
• Introduction
• Historical examples
• Why and how?
• In our digital world
• Conclusion

6. TrueSec
“Social What?”
6
“Social engineering (SE) is the use of techniques
to manipulate people into performing actions or
divulging confidential information, rather than by
breaking in or using technical hacking
techniques”
!
OR
!
“A fancier way of lying”

7. TrueSec
Attackers Are Lazy!
7
Why make it complicated?

8. TrueSec
First in the analog life
8
Vendors: “It’s the last one, hurry up!”
!
Headhunters: “I’m Alice from Marketing, May I
speak to Bob, please?”
!
Kids: “May I go to this party?”
!
… Women of course! (Maybe the wickests! ;-)

9. TrueSec
Sand in the gears
9

10. TrueSec
Really?
10

11. TrueSec
$ man 3 human
• People aren’t stupid (…well, only some :-])
• But they are…
• Kind
• Naive
• Trustful
• Voluntary
• Scared
11

12. TrueSec
PeopleVS. Computers
12

13. TrueSec
Agenda
13
• Introduction
• Historical examples
• Why and how?
• In our digital world
• Conclusion

14. TrueSec
The Trojan Horse
14

15. TrueSec
Victor Lustig
15

16. TrueSec
Bernie Madoff
16

17. TrueSec
Christophe Rocancourt
17

18. TrueSec
Agenda
18
• Introduction
• Historical examples
• Why and how?
• In our digital world
• Conclusion

19. TrueSec
Why?
19
… Because it works!

20. TrueSec
How?
20
… Sometimes being a good guy, sometimes being evil!

21. TrueSec
It’s Cheap!
21

22. TrueSec
A nice target
• People know useful information
(passwords, procedures, paths, phone
numbers)
• People have access to
• Files
• Papers
• Badges
22

23. TrueSec
A “Swiss Army Knife”
• People can interact with systems or people
• Download a file
• Disconnect a system
• Introduce to someone else
• Send a mail or fax
• Get personal info
23

24. TrueSec
Attacks
• Physical
• Tailgating
• Shoulder surfing
• Trashing
24
• Technical
• Phishing
• XSS
• Human DoS

25. TrueSec
Our toolbox
• Mail → Easy, anonymous and free
• Phone → Quick and direct access to the
target
• Fax → Don’t under estimate the power of
a fax in 2014!
• Snail mail → A stamp or nothing…
25

26. TrueSec
Psychology
• Fear
• Credulity
• Desire
• Solidarity
26

27. TrueSec
The Process
• The target
• The objective
• The plan
27

28. TrueSec
The Target
• People
• Age, sex, social status, studies, …
• Company
• Open hours
• Jargon
• Procedures
• “Names”
28

29. TrueSec
The Objective
• Which info are we looking for?
• Which questions to ask?
• Cross-check
29

30. TrueSec
The Plan
• Write down a scenario
• Work below the radar
• Reminders, lexique, …
• Path
• “B” Plan!
30

31. TrueSec
TrainYourself
• Challenge your friends!
• It’s a game!
31

32. TrueSec
Agenda
32
• Introduction
• Historical examples
• Why and how?
• In our digital world
• Conclusion

33. TrueSec
A fact…
33
“We located the problem: It is
located between the keyboard
and the chair”

34. TrueSec
Pwn3d!
34
This is a mass-pwnage device!

35. TrueSec
The new OSI-model
35
Layer 1 - 6
Layer 7
Layer 8
(“user” or “political”)
Over used
Getting better defended
Can’t be patched! ;-)
(Source: @jaysonstreet)

36. TrueSec
You’ve been “Doxed”
36

37. TrueSec
Your Footprint
• In our modern life, we are 24x7 online
• We like to share
• We like to contribute
• Want an example?
37

38. TrueSec
At Home?
38

39. TrueSec
Maltego
39

40. TrueSec
B.Van Rillaer
40

41. TrueSec
B.Van Rillaer
41
• bert.van.rillaer(at)ehb(dot)be
• vanrillaer(at)gmail(dot)com
• +32 2 559 15 xx
• +32 486 33 xx xx
• Study @ KUL 1999-2003 (License in
Computer Science)
• Clarinet player?

42. TrueSec
B.Van Rillaer
42
• Twitter: @bvanrillaer
• 72 followers, last tweet 22/03
• Tweet most between 11:00 - 17:00
• Tablet Acer A200
• Mobile Samsung Galaxy S3 (GT-I9300)
• Active on G+, sell/buy on Kapaza

43. TrueSec
B.Van Rillaer
43

44. TrueSec
Classic IT requests
• Could you give me the password?
• Could you power on/off this device
• Could you “put your idea here”
44

45. TrueSec
Interested?
45

46. TrueSec
Interested?
46
• SET (https://www.trustedsec.com/
downloads/social-engineer-toolkit/)
• Maltego (https://www.paterva.com/)
• Your own toolbox!

47. TrueSec
Conclusions
47

48. TrueSec
Conclusions
48

49. TrueSec
Conclusions
49
“You don’t know what you can get away with
until you try.”
!
- Colin Powell

50. TrueSec
Thank you! More info?
@xme
xavier@truesec.be
http://blog.rootshell.be
https://www.truesec.be
50