October 8

Event takeaway: Layer8 Conference


My key takeaways

HUMINT phrases to identify background characteristics

The great casino heist: key takeaways from my first big social engineering engagement

  • "get out of jail" cards must be signed to work
  • career pages on websites may contain maps of the site, intended to orient candidates coming in for an interview
  • a suit, a clipboard and some confidence might bring you very far, especially in a service industry
  • heist a casino without access to the cashier room? Get access to the CFO account with a phishing attack

Beyond Influence Techniques: Broadening your Social Engineering Skillset Through Psychology

  • 3 important pillars of human behaviour in SE
    • understanding
    • predicting
    • influencing
  • There are universal elements like "laws of trust" and individual elements like "beliefs" in understanding people
  • 4 domains of studying basic human make-up:
    • social psychology
    • perception
    • cognition
    • biopsychology
  • the halo effect is handy for SE: e.g. the dress may make you look trustworthy
    • works mainly through social learning
    • a coping mechanism to handle perceptions
    • this know-how can also be used in creating persuasive sock puppet accounts
  • What makes you look trustworthy:
    • look happy & relaxed
    • calm, steady voice
    • look like your counterpart (tribal effect)
  • we have a "behavioural script" for every environment
    • know them to blend in
  • with COVID there have been a lot of lay-offs and new hires
    • employees may no longer know who is allowed in and who is a stranger
  • employee statements on company review sites may indicate to an SE who is especially stressed out, and thus an easier target, as stress reduces analytical thinking
  • Attentional processes are the brain's way of shining a light on what is relevant to the person and filtering out the rest.

  • 3 filters for our thinking outcomes:
    • experience
    • knowledge
    • emotions
  • a pause before speaking might indicate cognitive filtering
    • that's why SEs try to leave their victims no room for thinking
  • "What's in it for me?" is a great question to answer in a first encounter
  • emotions, stress and fatigue are created through hormones
  • positive hormones like dopamine, serotonin and oxytocin are highly addictive
    • if you "like" someone, they are released and you don't want to stop them, e.g. by denying a request from this person
    • stress has the ability to rule over a lot of other priorities we might have
      • Fridays might be more dangerous to fall for an SE attack

Pivot, Pivot, Pivot!

  • start with a specific goal like the location, phone number, latest image, … not everything you can find

Illuminating Maritime Supply Chain Threats using OSINT: A Suez Canal Post Mortem

  • the MV Ever Given (stuck in the Suez canal) is 218 Nicolas Cages long :rofl:
  • IMB Piracy & Armed Robbery Map 2021
  • The event shows how important shipping is for our world economy
    • maritime IT systems can be found via Shodan and are attacked with ransomware already

The Psychology of Attack and Defense

  • children are trained to fit into social norms, even if it means lying or masking their true opinions
  • 50 cognitive biases
  • If the facts don’t fit the frame, it’s the facts people reject, not the frame. — Susan Bales, President of FrameWorks

  • Lures that get you manipulated by SE:
    • greed
    • curiosity
    • self interest
    • urgency
    • fear
    • helpfulness
  • Dark patterns are an upcoming issue in UI design
  • astroturfing:
    grassroots campaigns started under false pretexts
  • Cheap fakes are more damaging in real life than deepfakes
    • e.g. slowed-down videos to make a politician look drunk
    • a statement taken out of context
  • even if we know something, it doesn't mean that we intend to act on it. Even if we intend to do something, it doesn't mean that we act on it.
    • Security awareness is not the same as secure behaviour
    • What somebody knows never stopped a breach
  • We are lazy, social and creatures of habit — BJ Fogg

  • his "Fogg Behaviour Model" is used in social media to increase interactions

From the Dumpsters to the Front Page

  • security people should be ambassadors for the whole organization
  • Data may be spread over, e.g.,
    • home office
    • corporate office
    • business partner office
    • is reliable data disposal available everywhere?
  • big companies like Micro$oft, Oracle and Kraft have admitted to having once gained knowledge through dumpster diving
  • the optimistic bias is an issue in cybersecurity
    • ever tried to text while driving?
  • if you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology. — Bruce Schneier

  • Maginot line of France vs Germany in WWII
    • well planned and executed but useless, as it didn't cover the border to Belgium
    • cyber security must be seen holistically
  • security might not be your job, but if the company gets crushed by a cyber attack, it might also be your job that is lost
    • everyone is a part of security
  • How to fix it:
    • know your digital footprint
      • involve your users to figure this out
    • think outside the box
    • build an army and train them
    • create awareness
  • testing only to pass or "checking the box" is a surefire way to fail
    • try harder to fail, so you can find all the faults
  • 95% of security breaches are human error based. If your test is 100% technology driven, … :shit:
  • security is like car insurance: if you don't need it, it's a waste of money. If you need it, you are happy to have it

Psybersecurity: The Signs and Symptoms of a Mental Health Attack Surface

  • security professionals, like medical professionals,
    • work in high stress environments
    • have to make decisions with incomplete and unknown information
  • look for horses (common), zebras (rare) and more

No1Slav: Dark Web Identity Resolution

  • Stronghold Paste is/was a pastebin on the Tor network
  • Dread is a darkweb forum where people also talk about marketplaces

Tags

darknet, data disposal, HUMINT, OSINT, penetration test, social engineering
