My key takeaways
HUMINT phrases to identify background characteristics
- an interesting HUMINT/OSINT aspect of conversation is the distinctive pronunciation of certain words, which can reveal a person's origin
The great casino heist: key takeaways from my first big social engineering engagement
- "get out of jail"-cards (the client's authorisation letter) must be signed to work
- career pages on company websites may include some kind of site map for orientation, meant for people coming to an interview; handy for reconnaissance
- a suit, a clipboard and some confidence can get you very far, especially in a service industry
- heist a casino without access to the cashier room? Get access to the CFO's account with a phishing attack
Beyond Influence Techniques: Broadening your Social Engineering Skillset Through Psychology
- 3 important pillars of working with human behaviour in SE:
- understanding
- predicting
- influencing
- There are universal elements like "laws of trust" and individual elements like "beliefs" in understanding people
- 4 domains for studying basic human make-up:
- social psychology
- perception
- cognition
- biopsychology
- the halo effect is handy for SE: e.g. the way you dress may make you look trustworthy
- works mainly through social learning
- a coping mechanism for handling perceptions
- this know-how can also be used for creating persuasive sock puppet accounts
- what makes you look trustworthy:
- look happy & relaxed
- calm, steady voice
- look like your counterpart (tribal effect)
- we have a "behavioral script" for every environment
- know them to blend in
- with COVID there have been a lot of lay-offs and new hires
- employees may no longer know who is allowed in and who is a stranger
- employee statements on company review sites may indicate to a SE who is especially stressed out, and therefore an easier target, as stress reduces analytical thinking
- Attentional processes are the brain's way of shining a light on what is relevant to the person and filtering out the rest.
- 3 filters for our thinking outcomes:
- experience
- knowledge
- emotions
- a pause before speaking might indicate cognitive filtering
- that's why social engineers try to leave their victims no room for thinking
- "What’s in it for me?" is a great question to answer in a first encounter
- emotions, stress and fatigue are driven by hormones
- positive hormones like dopamine, serotonin and oxytocin are highly addictive
- if you "like" someone, they are released and you don't want them to stop, e.g. by denying a request from this person
- stress has the ability to override a lot of other priorities we might have
- Fridays may be a more dangerous day for falling for an SE attack
Pivot, Pivot, Pivot!
- start with a specific goal (e.g. the location, phone number, latest image, …) rather than collecting everything you can find
Illuminating Maritime Supply Chain Threats using OSINT: A Suez Canal Post Mortem
- the MV Ever Given (stuck in the Suez canal) is 218 Nicolas Cages long :rofl:
- IMB Piracy & Armed Robbery Map 2021
- The event shows how important shipping is for our world economy
- maritime IT systems can be found via Shodan and are already being hit with ransomware
The Psychology of Attack and Defense
- children are trained to fit into social norms even if it means lying or masking their true opinions
- 50 cognitive biases
- If the facts don't fit the frame, it's the facts people reject, not the frame. — Susan Bales, President of FrameWorks
- Lures social engineers use to manipulate you:
- greed
- curiosity
- self interest
- urgency
- fear
- helpfulness
- Dark patterns are a growing issue in UI design
- astroturfing:
- fake grassroots campaigns started under false pretenses
- Cheap fakes do more damage in real life than deepfakes
- e.g. slowed-down videos to make a politician look drunk
- a statement taken out of context
- even if we know something, it doesn't mean that we intend to act on it. Even if we intend to do something, it doesn't mean that we act on it.
- Security awareness is not the same as secure behaviour
- What somebody knows never stopped a breach
- We are lazy, social and creatures of habit — BJ Fogg
- his "Fogg Behaviour Model" is used in social media to increase interactions
From the Dumpsters to the Front Page
- security people should be ambassadors for the whole organization
- Data may be spread over, e.g.,
- home office
- corporate office
- business partner office
- is reliable data disposal available everywhere?
- big companies like Micro$oft, Oracle and Kraft have admitted to having gained information through dumpster diving at some point
- optimism bias is an issue in cybersecurity
- ever tried to text while driving?
- If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. — Bruce Schneier
- Maginot line of France vs Germany in WWII
- well planned and executed but useless, as it did not cover the border with Belgium
- cyber security must be seen holistically
- security might not be your job, but if the company gets crushed by a cyber attack, it might also be your job that is lost
- everyone is a part of security
- How to fix it:
- know your digital footprint
- involve your users to figure this out
- think outside the box
- build an army and train them
- create awareness
- testing only to pass or "checking the box" is a surefire way to fail
- try harder to fail, so that you find all the faults
- 95% of security breaches involve human error. If your testing is 100% technology-driven, … :shit:
- security is like car insurance: if you don't need it, it's a waste of money. If you need it, you are happy to have it
Psybersecurity: The Signs and Symptoms of a Mental Health Attack Surface
- security professionals, like medical professionals:
- work in high-stress environments
- have to make decisions with incomplete and unknown information
- when diagnosing, look for horses (common), zebras (rare) and more
No1Slav: Dark Web Identity Resolution
- Stronghold Paste is/was a pastebin on the Tor network
- Dread is a dark web forum where, among other things, marketplaces are discussed
Env
- Provided by Patrick Laverty
- Provided by Lea Snyder
Presenters (talks I attended)
- Grigorios Fragkos
- Nicholas Doerner
- Christina Lekati
- Mishaal Khan
- Wondersmith_Rae
- Perry Carpenter
- Matt Malone, Vistrada
- Ryan Louie
- Erika Sonntag
Additional links
- https://www.slideshare.net/ChristinaLekatis/layer8-con-beyond-influence-techniques-broadening-your-social-engineering-skillset-through-psychology
- https://discord.com/invite/trustedsec
- Holehe
- retrieves, without notifying the user, several pieces of information related to an email address (which services it is registered with)
- apps using AI for face manipulation