James Crossman (http://jamescrossman.com) has led an interesting life. His discussion on security and social engineering might just blow your mind. He knows more than most people should about hacking, penetration testing and information theft.

James shares valuable stories and experiences in social engineering and how to keep your company's privacy in check.

Learn more about the awesome SchipulCon 2011 speakers here: http://www.schipulcon.com/speakers



 So we'll just consider this an informal

fireside chat

and in fact that will work well too because that means that

As we go along feel free to go ahead and interrupt me if you have any questions, just stop me

And I'll try to answer them

And that way you'll go ahead and keep me from getting into long drawn-out war stories

Or any of the other things that can happen if I stay too

Too wrapped up in all this on my own

Okay, Dale Carnegie once said that

Before you can speak about anything there are two things you have to establish: one is

what it is you're going to say and


why it is that you're capable of speaking on this subject

essentially establishing your credentials.

Which is why we're going to fly right to that section

So I'm going to talk about ideas. I'm not going to talk about tools

This is not a discussion about how to secure your server

to protect against the latest

WordPress attack, this is not about any specific tool. There's a piece of wisdom

I received once a long time ago that said that masters are concerned about the work and apprentices are concerned about their tools

So since someday I'd like to be a master of these things

I'm going to go ahead and stay focused on the work itself and on the ideas

The first idea that I really want to bring home is that social media is vital to profitability. I know that

I'm speaking to the choir here, but in a lot of cases there may not be

Enough information to bring back to your companies. I know a lot of other people are going to be speaking with

Charts, tables and all sorts of information to arm yourselves, so that you can go back and talk about that

But I'm going to try to focus instead on the idea of information space

That is that around each person and around each business and around each entity whether it be a corporation or anything else

there's this information space that surrounds it

And in part social media is the current tool that we use

to let us share and expose our information space to one another, so that we can work with each other.

As a result

Because we're sharing this information

We're also increasing risk to the organization, to the individual.

Lots and lots of horror stories. I won't go into a lot of them. Some of them I've lived

And I may touch on those, no war stories

But the idea that we have to share information in order to be functional as people and as businesses

But the very act of doing so increases

The innate risk that we carry, so we have to find ways to either reduce that risk

Or learn to accept it, or learn how to work within it

So knowing these things is going to help us a lot

And then finally I'm going to talk a little bit, because this is the profitability section, I'll try to speak on

Things that we can do, things that you can take away

To protect your business. Now, there's not going to be a lot of new stuff here. I want to talk if I can basically

Vigilance and education - these are your defenses.

Nothing new there. I am hoping though that with some of the ideas I want to talk about

To maybe reframe how you look at these ideas for vigilance and defense.

Now as for myself, I can speak on these things because I have a very deep and very thorough background in deception.

At 15 years old I needed money, my dad said get a job

I went to the mall. I couldn't get a job, but there was a carnival there

and I made a lot of money and I decided to stay with the carnival and

Probably should have let my parents know, but I came home about a week later, and we had a lot of fun getting back together

And I met law enforcement for the first time, who I got to work with many times later in my career

Later using the background of some of the things that I had done as a hobby when I was younger

As well as some of the things that I learned in the carnival

because the carnival was full of wonderful lessons like

I can take this guy

for over a hundred dollars if I let this little girl beat him

and give her two twenty dollars worth of stuff off my walls

Because I could get him engaged in it. One of the first things I was taught in the carnival was piss them off

Get them angry at you, and then take that anger and transfer it to those three little milk bottles that they just can't knock down

You know they wouldn't have a problem if they were just good enough, strong enough

virile enough to knock down those milk bottles

So coming back and leveraging that background, and those early lessons in deception

I went ahead and became a professional magician working in the old playboy club in the French quarter

Also at 15, and I did so because I lied

I told them I was 23. I knew people would lie about 18 and 21, but I figured no one would lie about being 23

And as a result I was never asked for an ID,
I was never asked for any identification

And I got my first start working as a magician, and magic is

one definition of magic that I really enjoy is it's the

principles and

practices of deception

for the purposes of entertainment

And as it turns out, I got to leverage a lot of this background in other projects. When I started defending

Nuclear weapons facilities

I used my background in deception. If you try to do anything logical in that environment

And you break in we'll catch you because everything's a little backwards

if you've ever seen the movie Sneakers

With Robert Redford, I like to tell my clients I'm a lot like Robert Redford with just more girth

I used to lead a team, and I used to work in the business of

Penetration assessments. That is to say that I would break into businesses at their request, and then document how we broke in

so that we could train their employees better

I did that in part over the web through applications and through internet based attacks

And I did that in part through social engineering

I would actually walk in and talk my way into my own office behind the firewall

connect and see what I could steal, or I would go through and just lie and walk through a business

and try to gain information from specific systems or targets

I know that in fact it was this background specifically that's why I'm here and getting a chance to share this with you

Apparently some of the stories I've told over beers have gotten around

My business cards say that I'm a technologist, a photographer, a naturalist and a thinker

And that's because somehow I've got to be both James Crossman

I've got to deal with all these different parts of myself, but specifically in the technologist area

This is what I can talk to. I know a lot of people here

Have known me as just a fellow geek at NetSquared, or at the geek gatherings, or have seen my photography

But my primary background has been a technologist

I actually walked into a computer store needing a job in 1981, so 30 years ago

And I've been working with computers ever since then. I started connecting people together

back in 1983 when the ARCNET chip set first came together

And I became fascinated by the fact that I could do something in this room on my computer

And you could see it on your screen over there

And a lot of what I've seen develop and a lot of the ideas I've started there

We now call social media. A lot of times it started back then beforehand

But we didn't quite use those names. I have designed secured networks for a variety of corporations

for law enforcement agencies, and even a couple of Department of Energy nuclear facilities

In 1996 I switched over and started working in information security specifically because those were the days when it was fun.

And it was profitable. I could walk into anyone's business

I could say let me show you something and sit down at their browser

And in a couple seconds I could say this is the root of your web server. These are all your files, watch

what happens when I change this file and

Then I could get business and it was great

but then in 2001 came the US-Chinese hacking war and then later 9/11

And somewhere in the middle of this we had started a company called Bear Center

Which later became the hosting provider for fbi.gov and nasa.gov, and I was the information security officer

So I went ahead and got my CISSP back in 2001

As a result of operating these types of systems, I was what's called a blue team leader

I worked on the blue team, so in war games over information security with hackers

there's usually a red team and a blue team if you're in the military

A blue team is the one the sneaker teams come after, the red teams are also called sneaker teams

So I'm used to having Navy SEALs climbing through my ventilation ductwork at my facility

Trying to break into my data center while I'm trying to catch them

Or trying to pin down where they are

It was a lot of fun

But it also gave me a chance to work with some of the best hackers in the world

When they would try to attack the systems that we hosted

So one of the things I got used to doing was throwing a computer out there that was defenseless

So they would promptly take it over and use it as a place to stage their attacks from and they put all their good

Brand new special hacking tools on it. So after a day or so of the war games, depending on how long we'd go

I'd just go and unplug it and take the computer away, and that's how I built my library of hacking tools

When I left this business, I went ahead and became a red team leader

So that's when I started working on the penetration assessment side. I started breaking into companies

over the internet

And then one day I was called and was told our social engineer wasn't there

Could I please go ahead and do a social engineering gig. It was okay if I got caught

Because in this particular case

We had failed the client a year earlier and the client had spent the entire year

Learning how to defend themselves against social engineering

So it was expected that I would get caught

by 1:30 in the afternoon, I had my own office

I had my own connection to

their network behind the firewall, and I had my own pass card to get me into the different floors of the building

At that point I tended to get a lot more assessments.

I was also the former chair for a while; InfraGard is a joint operation between

commercial entities and the FBI, and for a while I used to lead the incident response team

for the Houston area until the FBI decided that there was just too much liability

involved and they didn't want to be in that game anymore

Within social media I've been active since the 1980s

I met the mother of my children in the 80s online

I dated my first murderess

online in the 80s

Those two stories are actually connected, but they're not the same person. I sort of broke up with the murderess

over the phone in order to go out with the woman I later married

And then she murdered the guy she dated right after me, that she met online

The murderess, not my ex-wife

So yeah, my ex-wife. Yes, we broke up in person

I was a CompuServe sysop, in order to establish some geek cred. I don't even know if people recognize that name anymore

And I started working in the virtual teaming space in 1993 and had IBM underwrite my home laboratory for a while because I led the

virtual team of network professionals for the NPA before it died

In addition

In my personal experience, I went through hurricane Ike in Social Media

And I got to hear on the radio about all these people who are alone and afraid when I finally got bored and turned on

the radio

and I didn't have that experience because I was connected with everyone else via Twitter

And a lot of people don't realize it, but the fact that Twitter's based on text messaging, or SMS communications,

That is much more reliable in the event of an emergency than telephones, so throughout the entire Ike incident

We were able to stay connected with who had electricity, who needed situations

I had people contacting me via Twitter to check on my neighbors who were their family, who found me via Twitter

In addition my daughter

I met her mom online. I wanted her raised to take advantage of this new social endeavor, and so in her playpen

she had a 122 key keyboard opposite her busy box

I thought it was just wonderful that when she was nine years old I found my HTML reference books in her room

Then I started finding books like Hacking Exposed, How to Hack Windows, How to Hack in Linux

Showing up in her room as well

And it led to a lot of red team vs blue team in the house

But in her case, she actually also ended up running away into Houston, fifth largest city in the United States at the time

through Twitter, Facebook and

other social media outlets people would stop her almost every day and say are you Victoria?

You should call your dad, he loves you

Then finally, and she is back. She's three years sober, and I'm going to be a grandfather soon

So this is very happy ending, and then finally

For a while with my last company, I decided to see whether or not I could sell mattresses online via Twitter

And I was successful enough that that company, who was a mattress reseller, ended up creating an online store to capitalize on it

I'm also the guy who thinks that this is brilliant

There was a joke Facebook site not long ago that had

the storyline of someone saying, or as a screenshot of

someone's Facebook account that said I just survived my first earthquake

They're going to evacuate the building now

So this was someone that before they evacuated they had to update their Facebook

Now, for a while I was responsible for human lives as well as information security

So I think this is great. I know that the person who took this photograph told me he thought it was a joke

But, if you don't have a sign like this get one, because this is the kind of thing that people will look at

laugh at

And then if there's a fire, they'll remember it

Enough about me. Social Media

Let's talk about the noosphere. This is an idea that I came across in the 80s

It was originally written about by de Chardin, and he was for a long time the de facto

Patron Saint of the Internet before the Catholic church got together and found a proper Patron Saint of the internet

De Chardin was a geologist. He was a paleontologist

He was a philosopher and a Jesuit priest. A lot of his writings are still under wraps and have not been released

At one point the church decided to censor him a little further and so they said we're just going to send you away

Where you won't be a problem anymore. Go to China. You won't be a problem in China

So he was at ground zero when the Peking man was found and that continued a lot of his research, but Chardin

Thought that the noosphere was the next part of evolution, that

Planets start with the geosphere. There's a planet, a rock

After that the biosphere begins to develop around it, life develops

and then finally the noosphere - this idea that we have a

region of collective human thought

invention and

spiritual seeking, and that this forms natively

Around us as we develop, as we mature, and as we evolve and that

Chardin went ahead and predicted that this would continue to get organized and that we would be better at it

And how we shared our experiences, how we shared our thoughts

And how we shared our spiritual seeking, and if this doesn't sound like the description of what

Social media has become,

I don't know what is.

The idea of the noosphere was that it came about and it's been evolving all along with us

That would make social media just the latest tool for how we interact with the noosphere, how we are part of it

Some very interesting ideas

Similar to the noosphere is this idea of information space around it

I'll probably slip and call it infospace a few times. I try not to because that's now a company

And a commercial entity, but it's still just the idea that around all of us is this information area

Information about myself, information about my business, what it is I'm doing, my secrets, where I'm going, what business

I'm after, what I'm going to bid for this proposal

And if that information is communicated incorrectly, then I'm at risk

The other thing that we need to be aware of is that

Several years ago a document was published called The Cluetrain Manifesto

And I don't know how many of you all are familiar with it or not

It was revolutionary at the time, and I don't hear a lot talked about it much anymore

So I borrowed parts of it for this because this is the second idea to help you understand

Social Media

This is from the preamble, and it is that a powerful global conversation has begun

Through the internet people are discovering and inventing new ways

to share relevant knowledge with blinding speed. As a direct result

markets are getting smarter and

They're getting smarter faster than most companies

Now this is the area and this is the purview of social media because the first three theses

of The Cluetrain Manifesto are that markets are conversations

And conversations are how noospherical entities or people or organizations communicate

That the markets consist of human beings and not demographic sectors

That conversations among human beings sound human

They're conducted in a human voice. It's not marketing speak. It's not happy speak. It's not corporate speak

the summary of The Cluetrain Manifesto is that

Every organization has only two choices

One is either to lock yourself behind

facile corporate words and happy talk brochures

And the other is to join the conversation

Now there's going to be a lot of advice on how you can join the conversation

But if you think of the conversation as taking place where these two forces are interacting, this is not

a new technology

This is a natural evolutionary force

Driving us to interact more with each other

And it's been interesting because I've tried to carry The Cluetrain Manifesto into corporate America, into the companies that I've worked for

And it doesn't work because it is diametrically opposed to traditional marketing, market thinking

Look how many

Twitter accounts are in the names of companies

Rather than in the names of the individuals, I don't want to talk to IBM. I'd rather talk to Jeff at IBM

Even if he's a peon because chances are he knows something or he can get something done

Social Media is being rapidly adopted and there's a very real lack of understanding within our organizations about it

Some of the threats of social Media - and some these are just catch alls

common password usage

How many people here have a Twitter account?

How many of us have Flickr or Script, how many of us use the same passwords?

That's good. It's very good. I use it because I actually have a tiered approach of passwords

Depending on the the security level the password gets it, when it gets to banks or my website

Or anything like that those passwords are never shared between anything else. That keeps it simple

We love stories

We like to tell stories. We like to receive the attention that comes from stories

Your rapt attention, the fact that y'all are hanging on my every word, this is good stuff

And we like to hear stories. We tend to simplify things in our lives such as passwords. If you've looked at

HC's attack against Twitter, that entire attack went down, and I'll go into a little more depth - it went down because

Users use the same passwords within the ecosystem of the web from one social media entity to another

to another, they use the same passwords

In this case

a Gmail account

Privacy and confidentiality is part of our threats in

Information security we learned that the idea of information security is

three separate items, also referred to as CIA. It is the confidentiality of the information, it is the integrity of the information, and it is the

availability of the information, and if those three things are

compromised then we have a

Breach of information security. Protecting those things is important

Confidentiality of our information space is what we also consider privacy

I saw a neat poster the other day that has a picture of a person in a shower with a webcam

Pointed at it, and it says privacy helps us keep our dignity

That was rather clever, and our integrity is at risk if our privacy is compromised, if our information space is violated

But social media also lets us tell our own stories

So we get a chance to say what we do. We get to share what our

Organizations are doing better than anybody else, and these stories get to be told by people who know the stories better than anyone else

Who are uniquely qualified to tell them

I remember when internet email was a big thing, and companies fought it. What a waste of time, but we don't think of any organization

today as being very viable unless they have some sort of

of internet email, any ability to communicate with other organizations - and social Media is that new

ability to communicate with other organizations. A lot of companies tried to prohibit internet email when it first came out

Just like a lot of companies are trying to prohibit Social Media. The idea isn't

Prohibit, the idea is learn how to manage it

Then social media connects the information spaces between ourselves our organizations, and those within our organization

Now social engineering, on the other hand, uses that same idea - social, the same need to connect with each other

But we engineer it to take advantage of people, to leverage deception and so on to

to attack

One of the big

Movements in social engineering right now is this concept of spear phishing. I know a lot of you all have seen the eBay

Notices that say your password's changed

Or from PayPal, please log in and update your password, and that's a standard phishing attack

When we bought a hosting facility that was operated by a very large manufacturer here in Texas earlier

We had a problem because their facility had been designed improperly, and as a result when we bought it

There were two rival

Organized crime entities that were using it as bases to attack

phishing attacks from, and then they would raid each other's servers to steal all the credit cards that the other organization had stolen

And it was a nightmare to try to solve and get through it

Another part of what's happening with social engineering is that we have this ecosystem of the web, but when the web was originally created

Trust was built into it. It was inherent in it

There's a de facto

Trust relationship between entities in the environment

Almost everything within the current ecosystem uses identity because, after all, the basic rule of security is who do you trust?

To establish who you are, almost everyone uses two things - an email address and a password

How many people have multiple email addresses they also use to manage their security?

Personally I started it to stop spam and I'm having trouble remembering sometimes so now I get two emails from everybody

The one I created just for them to manage spam and when I use my main email later

I think there's value and I think there's risk. You're putting all your eggs in one basket.

So how well are you managing it, or how well are they managing your information because

You're putting the keys

Do you trust these people with the keys to your home?

Well, and there's a variety of services like it. There's even within corporations

We deal with single sign-on solutions on a regular basis. It's all about managing

Who are you? Now what is nice is it breaks down this whole idea of

Common passwords, but if I can get to it, well, now I've opened up everything

And then of course part of the current Ecosystem is all of these sites have a mechanism to allow us to remember who we are

going back to that attack by HC against Twitter

The mechanism he used was specifically

I forgot my password

In that case when you said I forgot my password, when he got someone's ID and had their email

It came back and said oh, I've sent a copy of your password to

First initial blank at H blank.com so he thought oh, I wonder if he means hotmail

And if he's a Gmail user then chances are he's abandoned his Hotmail account, and Hotmail actually purges their mail accounts on a regular basis

so he went over and registered a

Hotmail account in that guy's name, and he went and did it again, and he got the Gmail account

of this particular user emailed to his new

falsely created Hotmail account, and he started going through his Gmail and in one of the emails he found a

Thank you for signing up for our new service, your id is x your password is y

And it was the same as his Gmail

So here's another example of someone simplifying their password use, so Hacker Croll used that

To break into, to start his attack in Twitter

That's how he gained access within Twitter for those users and was able to get access to the 130-some-odd

sensitive twitter.com

Documents that he was then passing around on the internet because he was angry at them
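The password-recovery weakness in the Twitter story above (a reset form that echoed a masked recovery address, enough to guess the provider and re-register an abandoned mailbox, and then mailed the password itself) is something a defender can close in code. This is an added example, not part of the talk and not Twitter's code; the user store, the mail outbox and the clock parameter are constructed for illustration so it runs offline.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed sample account store (not real users): login name -> recovery address.
USERS = {
    "alice": {"recovery_email": "alice@example.com"},
    "bob": {"recovery_email": "bob@example.org"},
}

TOKEN_TTL_SECONDS = 15 * 60
# Pending reset tokens, kept only as SHA-256 hashes: username -> (hash, expiry time).
_pending: dict = {}
# Constructed mail "outbox" so the example runs offline; a real deployment sends mail here.
outbox: list = []


def weak_forgot_password(username: str) -> str:
    """The behaviour described in the talk: the reply differs for unknown users,
    leaks a masked recovery address (enough to guess the provider), and the
    account's actual password is what gets mailed out."""
    user = USERS.get(username)
    if user is None:
        return "No such user"
    local, domain = user["recovery_email"].split("@", 1)
    masked = f"{local[0]}{'*' * (len(local) - 1)}@{domain[0]}{'*' * (len(domain) - 1)}"
    return f"We have sent your password to {masked}"


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def hardened_forgot_password(username: str, now: Optional[float] = None) -> str:
    """Same response whether or not the account exists, nothing about the recovery
    address is shown, and the mail carries a short-lived random token, never the password."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is not None:
        token = secrets.token_urlsafe(32)
        _pending[username] = (_token_hash(token), now + TOKEN_TTL_SECONDS)
        outbox.append((user["recovery_email"], token))  # constructed mail hook
    # Identical message either way, so the form cannot be used to enumerate accounts.
    return "If that account exists, a reset link has been sent to its recovery address"


def redeem_reset_token(username: str, token: str, now: Optional[float] = None) -> bool:
    """Accepts a token once, only before expiry, comparing hashes in constant time."""
    now = time.time() if now is None else now
    entry = _pending.get(username)
    if entry is None:
        return False
    stored_hash, expiry = entry
    if now > expiry:
        _pending.pop(username, None)
        return False
    ok = hmac.compare_digest(stored_hash, _token_hash(token))
    if ok:
        _pending.pop(username, None)  # single use: a replayed token is refused
    return ok
```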

and so within an attack there tends to be

A few specific phases, the phases that I use and go through a lot

And that most people do. You can usually see a reconnaissance phase, the development of the attack, and then the actual execution of the attack

Under reconnaissance there's search engines. I don't need to tell you who's probably best for this

But there's a fascinating book out there called Google hacking

because what this one gentleman did was he went out and discovered that you could type in that Google tends to

create error messages, and

Specifically, Google will often stumble across vulnerable systems

so he discovered that if you put in error messages that it would pop, bring up a list of

Systems that were there. In fact there are some very nice tools that, let me go ahead and say I'm targeting this domain

run every known Google attack against it

And it'll pull every one of these queries in Google targeted against that domain

So that I can see, oh, they've got a vulnerable SQL server, oh, I can probably get in through a SQL injection attack

Because search engines are part of who manages and carries our information space today - all the information being cached,

All of our old historical records. I was very surprised when in the later years of the company after we were hosting

fbi.gov and nasa.gov

That someone found in an email that I had written to a forum where I said oh, we found a way

To manage our farms of web servers and look for evidence of compromise

By using the database of all the files that we backed up

Because some of the worms

created specific files, so I mentioned the U.S.-Chinese hacking war. That's notable because

The Code Red worm actually came out of that war, and Code Red version 2 specifically

And Code Red version 2 left a specific artifact that we could then search for

And we could identify all the servers where the people who were supposed to be running them didn't patch their servers and had become compromised

This led to a write up about how we were so insecure

We were having compromised systems, but in most cases if there's a tool that looks for something

Chances are that organization doesn't have it

We were impacted less by worms, by viruses, by other attacks than almost any other

Competitor of ours because we had these tools, but also because that we became later

This evidence was used against us in an attack against our credibility and they went out and found old forum postings of mine

Social media - looking for the blogs of the people who are involved

right now Google has talked about a

targeted series of attacks against U.S. and South Korean

senior government officials going on by China

Where they're doing specific spear phishing attacks

Because they're learning about who these people are and then they're posing as themselves, and we'll go into spear phishing in just a minute

But again the idea of

Leveraging social media outlets, blogs, and so on to find out about people because if I want to pose as your friend I need to

Know about what's going on. If I want to break into your company, I need to know something about who works there, what y'all do

especially if you're a branch office, and you have a headquarters somewhere else because

Obviously headquarters has given me the crap job of coming out to your site having to inspect your security

Did you go ahead and log on to that server please so that I know that it works?

I need to videotape it for evidence. I can take it back and show those jerks back at headquarters

type slowly

there's actually a famous attack that used that approach they whip through and

posed as a film crew

From the local university doing an exposé on security and as they walked through the business

they just kept their cameras on and they'd sweep over desks and

Then later go back frame by frame and look for papers left on the desks and then

videotape that. They'd ask people to log in to the systems for

them while they videotape them

Then you need to develop the attack

People are always the weakest link within an organization. I can build a technical control that will stop everybody who tries this approach

None of those things will help if someone will open the door for me

When I did social engineering penetration assessments, part of our rules of engagement were I won't pick a lock

If a door is locked, I won't go through it

unless I can have someone open it for me

Or have them open it for themselves walk off

And then I'll just stick my foot in the door wait till they leave the area and then I'll walk through it

I usually will build a profile of anyone that I'm going to target

I need to know who they are, I need to know what their roles are within the organization

What email addresses do they use, where are they coming from, what city and state do they live in?

Where else do they tend to travel and work from?

What are their interests?

After all

You know that guy that you've been arguing with online for the past year in that other forum?

It's me

I'm that guy, remember when I said this? See, now you know it's me

So finally you go out and you actually execute the attack against the organization, or against the individual

Spear phishing - I already mentioned the use from China

against Gmail accounts for the U.S. and South Korean officials

This is a fairly recent development, but it's not uncommon

Once they can get this information, see phishing didn't work as a broadband attack because it became spam

All of us know, I hope, that if you get an email from

From Paypal saying would you please log in and take a look at this?

You know not to

But there was a compromise recently

again by a Chinese hacker against a

member of the Defense Department

And in this case it was an email saying hey, Bob

How was fishing last weekend? By the way

Here's a list of all the spare military surplus stuff that we're looking for, do you have any of this that we can buy?

And it had a spreadsheet attached, so Bob went ahead and clicked on the spreadsheet

Spreadsheet launched a macro, he executed the macro, the macro compromised the system, and they were in

That's spear phishing because it was targeted against a specific

Individual and one email was sent to that one individual, unlike a traditional phishing attack

There was no spam filter, there was nothing that raised everyone's awareness that this particular attack was going on

This wasn't a broad let me see how many credit cards I could get. This was a specific I know this person

I know what they like. I know what they do. I know who they are online

I'm going to go ahead and see what I can get out of them

Of course I also like phone calls


One of my

Favorite best most successful, whatever word would apply the best attack I used against a different bank was

Part of the target list I received were, these are all of our top tellers

Go ahead, see who you can get information from

So these are the people with the most seniority, these are people with the most training

And I figured these are people that were the problem, the people that would probably work the hardest

So I called them

Hi, my name is

Whatever, Paul Alexander

And I'm from the Cross Mage human resources consulting group and

we were contacted by the bank to see whether or not we would conduct a

Survey to see whether or not there's interest in a flex time

Approach, and I found this great flex time survey - it asked all sorts of questions like did you take any time off this past year

because of burnout?

what do you think of your commute every day? Do you like traffic?

And there were these great conversation starters in these questions, and I'd sit there for 30 minutes with each person and go through this survey

And then when I was done, I'd say you know here at Cross Mage human resources, we

We believe that security is important, and we want to protect your privacy

So if we want to talk to you about this later

Could we get an ID and a password that we could use so that we could verify it's you before we talk about these


Now I had an 80% result

From that survey eighty percent of those tellers when I sat back down and got into an internal system

I could use that ID and that password and I had full access to the system

Now this is nothing new. Mitnick used this attack years ago. In fact, that's where I originally read about it. He went dumpster diving

Pulled up a corporate phone list that had home addresses on it. So he sent out cards and said Hi

You have won this wonderful vacation

Please send an ID and a password and your information so that we can make sure it's you

And that's how he got in

I don't know

His technical skills weren't great, but he was a brilliant, brilliant

social engineer

Kevin Mitnick was, or is.

Oddly enough he also had a background in magic and being a magician

we talked about targeted emails

And the value there because they're not broadband. They're not going out to multiple people

There's no chance of them triggering a spam filter or anything like that

I would also make friends

I can't tell you how many times I'd go through a

Debriefing after a successful attack against an organization, and I would hear things like but he was so polite

He was so nice

And in fact, it was funny

There was a university where that was IT's response - they said when have we ever hired polite and nice people?

That should have been the very first thing that tipped you off

So I would make friends in companies

If I had to break into a company right now with no warning or anything else

I'm going to go see if I can get to one of the restrooms on one of their floors

I'm gonna go sit in a stall and I'm going to wait

until someone else comes in

Then I'm going to time leaving the stall at the same time so that we're washing our hands next to each other and start talking

About the game last night

We'll just chat each other up and make new friends

so we walk down the hallway, and I'll see whether or not he opens the door for me

A lot of times he will

if not, I

walk past the door

I let him go in and then I run back and stick my foot in the door, and wait till he leaves

It was actually funny. I had a client send me a video of me actually doing that

That they found

months after the assessment where they were going through their footage in one of the hallway video cameras

And there's me walking past the guy as he goes in the secure door, and then there's me running back after the door as it's shutting

Sliding in to get my foot in right before it closed


always comes from a trusted source

The attack against the Department of Defense

individual worked because his job specifically was

working with surplus within the defense department and moving it out of the company, so it was a


normal trusted communication that someone says this is what we want to buy, any tanks for sale?

It'll come from family, it'll come from a co-worker, it'll come from friends

I don't know if any of y'all have received an email

This is not spear phishing, because it tends to be broad-spectrum, but have any of you received the email that says Hi

I'm your friend, family member, or co-worker and

I'm stuck out of the country. I just got robbed. I don't have my passport. Can you please wire me some money?


Yeah, so

If you are an organization and you've got sensitive data, that attack works just fine. In fact, if you disguise it a little bit

So you actually use proper English, don't sound Nigerian, you know, it has a much higher success rate

Spear phishing tends to directly ask you questions. It'll ask you to either send information

It'll ask you to click on the link, it'll ask you to check out Hey is this you in this video?

So let's talk about your businesses

Policies are a

Natural evil, and I spent a lot of my time writing policies for businesses now. I do a lot of ISO 27000 consulting

So, there's really only three options for businesses today.

We can either deny everything, sorry you're not allowed to use any social media outlet whatsoever

This doesn't work, and it doesn't make sense because that first premise - social media is vital to your business

We can allow everything, allow everyone to do anything they want to online. That tends to not work either because of

If everybody loses a half hour per day

People actually can keep track of that, tell you exactly how much that costs

I had an employee

Who left actually on time from work from one company, and I was called in to explain that either

I was not making them clean their desk

Or I was allowing them to stop working five minutes early to clean their desks before they left

It was the only way they could leave on time and, what it would cost if everybody in the company

left early, five minutes, stopped working early to clean their desks. So trust me, people can calculate this

Or you can allow it and monitor the access

And see what they do and give them guidance, give them education

You can keep track of your own information space. What do you keep in your conference rooms?

I love conference rooms, if I break into a company, I'm looking for your conference room

Why? Because it's where strangers go and look like they belong

I've been known to take out my little Elf camera

Take pictures of things in the conference room

and then when someone walks in, hold it against my ear like it's a cell phone and

Yell at the person that I'm on a private call, get the hell out. And that won't work anywhere else

but a conference room. And people leave things in conference rooms - there are network jacks in conference rooms,

There are corporate directories in conference rooms. What do you leave there?

Yes, it is

What do you keep on the website?

I actually had a college that I, or university that I penetrated, and

I had one very sharp individual call human resources and report me

did not trust me at all, no matter how charming I was

Because they actually had all their new hire paperwork online

I had actually had it all printed out, and so I was able to prove to HR - Look, I mean

I'm a new employee. Here's all my paperwork. I meant to bring this to you. By the way

I need to install a new virus update on your computer while I'm here. Can I do that?

The planning and event time frames. This is, the idea here is

When you say I'm going on a trip, when do you say that? Do you say that weeks in advance so that people know you're gone?

I like to say that, the last day of my trip, say I'm coming home


Is essentially the people, the processes, and the technology. I'm trying to get through the rest of this. The idea of

Security is that we're free from danger

Who do you trust - we've already talked about that

Bring your own devices

This is a big thing in

The industry right now. This is where

People want to use their own new latest generation phone, their latest tablet, and so on to work within the system

And it's usually driven by management

So when we do this, if we're going to work on these policies we need to be able to retain the right

To seize this equipment if there's ever a lawsuit or legal action, and then give it to them. Consider creating a corporate app store for them

I'm working backwards

Let's talk about advanced persistent threats for just a moment

All detection systems work if there are x number of events over y amount of time, I can detect you

If you're a government entity or an organized crime

group, then chances are you've got the time and the ability to go very slow

And be hard to detect

There's a thesis out by a group in Australia that says that if you manage any kind of natural resource

Oil, gas, water, anything, then odds are you are already the target of an advanced persistent threat

Best practices - I talked about ISO 27000

This is actual best practice

That you can use in your organization. It's been tried, it's true. It works, there are free government resources

Check NIST

Great resource. If anyone's interested in ISO 27000, it's 300 Swiss dollars if you want to buy it

From them, or if you want a different title page

you can get it for thirty bucks from

From another group that I can tell you later

The defense - I already covered this. It's education. It's vigilance

the takeaways

Never give your credentials to anyone. Don't send them an email, don't give them to someone else, don't let someone

Kind and charming borrow your access card for just a few minutes

Don't access sensitive information from an unmanaged system, should be an unpatched PC, or another server

Keep your tools up to date. It could be your software, could be a website, could be a skill set

Have processes in place for the execution

Of data. If I want you to, if I want a friend of mine to click on an ecard

My friends usually know or I will tell them hey I sent you an ecard. I'll send them a text

I'll send them something else to say that it's done

Use different passwords or email identities. Check your privacy settings and your tools. I'm rushing through this because they're saying stop back there

Check where you send information

No, we recovered that. Think before you post, and again, what stories do you tell? Think about that when you live online

And when in doubt, change your password

Thank y'all very much
