Full talk descriptions below the schedule.
| Time | Talk |
|------|------|
| 10:30 | Pickpocketing Competition: Wait, Where’s My Badge?!? (Chris Kirsch) |
| 10:30 | Shift+Restart: Connecting Information via User Account Recovery and Filling in the Blanks (Noel Tautges) |
| 11:30 | Everything old is new again: A look at historic cons and their transition to the digital world (Snow) |
| 11:30 | Why We Click: Studying Threat Actors’ use of Principles of Persuasion to Increase Successful Execution (Yoshi) |
| 12:00 | Lunch & A re-enactment of Whitney Maxwell’s DefCon SE CTF Winning Calls, with Chris Kirsch |
| 1:00 | Transitive Trust: Pivoting and Escalating Privileges in a Social Engineering Scenario (Tinker Secor) |
| 1:00 | Social Engineering from a CISO’s Perspective (Kate Mullin) |
| 2:00 | Getting the Good Stuff: Understanding the Web to Achieve Your OSINT Goals (Micah Hoffman) |
| 2:00 | The Right Way to Do Wrong (Patrick McNeil) |
| 3:00 | How to make social engineering simulations actually useful (Ira Winkler) |
| 3:00 | Lawyers, Guns and Money: An Introduction to Legal, Government, and Business Research (Tracy Z. Maleeff) |
| 4:00 | Facial Expressions Behind Social Engineering Attacks (Sharka) |
| 4:00 | Roses are Red, Violets are Blue, We Love Social Engineering, So Should You! (Two sides of the same coin, Social Engineering for Red and Blue Teams) (Krittika Lalwany & David Cafaro) |
| 5:00 | The Voice Told Me to Do it! (Daniel Isler) |
| 5:00 | Venemy – An Intelligence Tool for Venmo (Michael Portera & Neal Ferrano) |
| 6:00 | Networking Reception – LobbyCon! |
How to Make Social Engineering Simulations Actually Useful – Ira Winkler (@IraWinkler)
Smart security programs include social engineering as part of all penetration tests. While they can prove that problems exist, and estimate the potential losses from those problems, they actually do relatively little to secure the organization. Social engineering tests look for vulnerabilities, but are generally “gotcha” tests, where social engineers try whatever it takes to get in. Again, this usually produces sensational reports, and can identify specific vulnerabilities to mitigate, but these tests are generally not repeatable, nor representative of the security of the overall organization. This presentation advocates applying defined statistical sampling, with defined scripts, to determine the true level of user-related vulnerabilities throughout an organization. More importantly, the tests can be repeated to measure improvement over time.
This also means that as social engineers we should define scripts that we stick to, that slowly elevate the level of sophistication to determine the level of awareness demonstrated on the part of the user. Yes, this means the goal is to determine what it takes to get “caught”. Getting “caught” means that we have determined the level of awareness of different users, and that is actually a good thing.
Statistically defined social engineering can be used to determine the levels of human vulnerability between different groups, demographics, and locations throughout the organization. This can then be used to determine the level of awareness training to deliver to the different populations, and track improvement over time. As social engineers, we need to remember that we are security professionals, first and foremost, and it is our primary job to find the most effective way to protect the organization, not just highlight how we can ruin them. We also need to acknowledge that our sense of pride should not come from how sensational our “results” are, but from how secure we leave an organization in our wake.
Pickpocketing Competition: Wait, where is my access badge? – Chris Kirsch (@Chris_Kirsch)
After Chris’ dad got pickpocketed next to him on the Metro in Paris, he got obsessed with pickpocketing. Not only how to prevent it (reasonable) and prove that someone stole from him (really hard), but also how to pickpocket other people (much easier). After researching the topic from an academic perspective, he discovered that testing skills out in the wild is actually quite difficult. Testing out pickpocketing in a 1:1 setting makes it unrealistic, and realistic situations can quickly land you in jail. That’s where you – yes you – come into the picture. At Layer8, Chris will create the world’s first public pickpocketing competition, and you can opt in – as a mark and as a pickpocket – for the entire day. Each competitor will wear a sticker showing that they opted in and carry a neon-colored access badge, key, wallet and phone. To get you started, Chris will give a bootcamp talk to teach pickpocketing techniques for directing and surfing attention, using relative touch, entering personal space, giving shade, fanning, reefing, working in teams as well as stealing wallets, watches, phones, badges, and keys. Learn these valuable life lessons and apply them on your next red teaming engagement to steal access badges, keys, 2FA tokens, phones, documents, USB keys, or simply to direct attention where you need it. Now all you have to decide is if you’re going to be the wire or the stall. (Disclaimer: This exercise is for educational purposes only. If you pickpocket people without their consent, expect to go to jail.)
Lawyers, Guns and Money: An Introduction to Legal, Government, and Business Research – Tracy Z. Maleeff (@InfoSecSherpa)
Gain an understanding of how to do basic OSINT research for U.S. and international legal systems, government resources, and businesses. The presenter is a former librarian turned Cyber Analyst who will explain the terminology, methods, and resources – free and pay – available to you. You will come away from this session with basic skills to access a docket from a court case, acquire a federal regulation document, and discover how a financial form called an 8-K can reveal crucial corporate information.
Venemy – An Intelligence Tool for Venmo – Michael Portera & Neal Ferrano
Venmo is a mobile application that allows for sending cash quickly between people and online stores. As of June 2018, Venmo had approximately 23 million users, with transactions totaling over $14 billion in Q2 2018 alone. Unfortunately, Venmo has been under harsh scrutiny by organizations such as Mozilla for making all of its transactions public for anyone to view in real time via an unauthenticated API. User profiles are also public by default, meaning anyone can see a user’s last five transactions without being signed into the app. Phone numbers of individuals are easily found and can be used to uncover Venmo account information during OSINT. Venemy (available on GitHub) takes advantage of this by scraping public profiles for transactions, including the other parties, timestamps, and what was bought. This can be converted into a format for graph analytics for use with platforms such as Neo4j, showing relationships that may not have been visible otherwise. This can be incredibly useful for law enforcement to detect illicit transactions and relationships, offensive teams for phishing, defensive teams for reducing personnel exposure, or other unique uses such as the TraceLabs CTF.
Why We Click: Studying Threat Actors’ use of Principles of Persuasion to Increase Successful Execution – Yoshi (@ChicagoCyber)
Why do we click? Threat actors continue to succeed in eliciting engagement in order to further their operations. When we look at cyber threat activity, we can see that throughout the kill chain / attacker life cycle, threat actors use Dr. Cialdini’s Principles of Persuasion to increase the effectiveness of their operations. Regardless of an actor’s level of sophistication, they have begun to use the six Principles of Persuasion to enhance the effectiveness of their techniques and increase victim engagement from initial approach through post-exploitation. Once we identify examples of the six Principles of Persuasion being used in the wild, we can see why they would be useful for threat actors ranging from low-level criminal scammers to more advanced nation-state actors. Can we better identify what elements of human nature are enabling these malicious actors in order to inform and improve our defenses?
Social Engineering from a CISO’s Perspective – Kate Mullin (@kate944032)
Social Engineering’s application within an organization can validate the need for robust information security awareness training and technical controls. It can also damage Information Security’s reputation in a way that adversely impacts the ability to respond to incidents.
This presentation, based on a CISO’s real-world experiences, will discuss what works and what has been observed to cause harm.
The Voice Told Me to Do It! – Daniel Isler (@Fr1endlyRATs)
We do our best to safeguard our access codes and user names. Institutions handle our assets and sensitive information, reminding us that, for our safety, they will never call us for that information; paradoxically, when you call them, it is the first thing they ask for.
Creating an effective relationship of trust with customers can take years. That relationship of trust can generate changes in mood, activation of physical and emotional memory, and behavioral changes that open up new possibilities.
The corporate colors and logos characteristic of a brand are easily and freely accessible online. As consumers, we have been advised to distrust emails bearing these identities.
Instead, the voice gives us confidence. When we need help, the voice is there. It is the first thing we hear when we call, it tells us how wonderful and beneficial it is to be associated with that brand. A voice that will never harm us, until now.
Identity spoofing is one of the most used social engineering formats to initiate major attacks. But what if cyber-criminals could go further? What would happen if someone could not only impersonate, but actually use the identity of an institution to make an attack on a national level? Is it possible to do this with a minimal investment or without capital? The answer is yes.
In a real example, we developed a vishing call with a voice-over artist (her voice distorted to protect her identity) and tested, at low cost, how easy it was to obtain sensitive information.
This risk is higher in countries and industries where rules and compliance enforcement are weak.
How long will it take until someone adopts the official voice of an organization and obtains the user numbers and passwords of a large part of its customers?
Facial Expressions Behind Social Engineering Attacks – Sharka (@___sh4rk___)
In my talk, I will describe social engineering techniques that use knowledge of the facial expressions behind influence and persuasion, and how I manipulate targets using these techniques into believing my pretext and complying with my (evil) plans. I will explain macro expressions, but also the data leaks of our target’s true feelings in the form of micro expressions, and why we should also use them in everyday life for situational awareness. I will step over to the defensive side as well and explain how to defend against the attack techniques I use.
Transitive Trust: Pivoting and Escalating Privileges in a Social Engineering Scenario – Tinker Secor (@TinkerSec)
Pragmatically, you cannot walk up to a person in a corporate parking lot, ask to access their IT server room, and immediately be given the keys to their kingdom. Instead, you’ll first need to con a person into letting you into the building. Then, you’ll need to con your way into the IT area and the server room. Finally, you’ll need to have built enough trust that they let you plug into their servers or leave you alone long enough to conduct your actions on target.
In this talk, we’ll cover the psychological concepts of Transitive Trust and Trust Transference and how to use this to escalate privileges and pivot in a social engineering scenario. We’ll discuss a real life penetration test that utilized these concepts. Then, we’ll break down each interaction and handoff, analyzing what worked, why it worked, and what would have stopped it. We’ll start with no access, gain supervised access to the building (guest), obtain authorization to be in the environment (user), and finally be let into the server room (root/admin).
Join us for story, analysis, and discussion to learn what works in Social Engineering and how to protect against it!
Roses are Red, Violets are Blue, We Love Social Engineering, So Should You! (Two sides of the same coin, Social Engineering for Red and Blue Teams) – Krittika Lalwaney (@Ibetika) and David Cafaro (@DavidCafaro)
When humans interact with each other one-on-one and within groups, a common jargon of rules and patterns is created for those belonging to that culture or group. Attackers take advantage of these “rules and patterns” through social engineering to gain valuable access and information. These rules and patterns are equally important to both the red team, who must play the role of attackers, and the blue team, who can use the same techniques for defense. The ability to leverage social engineering to steer organizations toward more secure choices, in spite of possible operational/business costs, is a key tool for any security organization. In this talk we will demonstrate both sides of social engineering techniques and how they are leveraged to manipulate your target into making both good and bad security choices within an organization. Both sides of this tool can make red and blue teams more effective in their mission to secure the organization.
The Right Way to Do Wrong: Physical Security Secrets of Criminals and Professionals Alike – Patrick McNeil (@Unregistered436)
In 1905 Harry Houdini wrote his first book entitled “The Right Way to Do Wrong” wherein he divulged the lockpicking and other trade secrets of criminals. People make assumptions about how schemes work and believe them to be complicated, yet in many cases the insider knows how simple they are. Most people assume that besides tailgating and social engineering, real break-ins (or physical security testing) are all about picking locks. However, the secret is that on physical pentests it’s typically unnecessary to do that! Some physical controls have known bypasses, and some building contractors (or even locksmiths) don’t implement things correctly. Just like Houdini, I’ll be divulging the simple tricks of the trade employed by both criminals and professional physical pentesters to bypass physical controls without using lockpicks. You may be shocked and amazed by what you see, and once you leave you’ll be an insider too – seeing insecurity everywhere!
A Board of Strings and Papers: Connecting Information via User Account Recovery and Filling in the Blanks – Noel Tautges (@NoelTautges)
Whether it’s the 2016 Russian disinformation campaign or the leak of the CIA’s Vault 7, online investigations often involve accounts on giant services which seem to be inscrutable fortresses of usernames and profile pictures. This talk aims to provide another angle with which to investigate these accounts and the people behind them: the very information used to sign up for the service, which is exposed in the account recovery process of many popular websites. First, we will cover various websites, including Twitter, Gmail, and Facebook, and how they expose partial user data through recovery information. Next, we will go through several techniques to upgrade these partial emails and phone numbers into slightly more concrete pieces of information that are actually useful. The North American Numbering Plan will be covered, as well as Gmail and Outlook’s respective use of an unrestricted API to check account validity. Finally, we will run these pieces of identity through various methods in order to fully solidify them and leverage them to gain more information about a target. The talk will include a section on mitigation of these techniques, as well as several case studies.
Getting the Good Stuff: Understanding the Web to Achieve Your OSINT Goals – Micah Hoffman (@WebBreacher)
As OSINTers we need to look beyond what is rendered in a web browser. Much like an ocean, the web pages we visit contain a wealth of data under the surface. If you understand how to access that information, you can find pivot points to continue your research.
Come and learn how to decode web traffic using simple tools, to retrieve Google Analytics codes and social media IDs from web content, and how to interact with APIs (Application Programming Interfaces) to grab your OSINT data. This will not be a “use this tool and it’ll do all the hard work” talk but instead, will give you the confidence and understanding of how the web works so that you can develop your own techniques to harvest OSINT data.
Everything Old is New Again: A Look at Historic Cons and their Transition to a Digital World – Snow (@_sn0ww)
What do a pig in a poke, pigeon drops, and salting have in common? They are just a few of the old-school confidence tricks (cons), used from the late Middle Ages to more recent times, which swindled marks out of money. In this presentation Stephanie will cover how some famous historic cons were used in their day, and how they are now being transitioned into today’s digital world.