@deadroxy
Social Engineering
for Everyday (Startup) Life
Johanna Brewer
frestyl Co-Founder
Doctor of Computers
What is Social Engineering?
No Computers Needed
Social Engineering != Hacking
Social Engineering == Inception?
Shane
Social Engineering == Stealing?
Social Engineering
The art of crafting a social situation in which the actors
are more likely to follow the engineer’s desired path.
Not Magical
Not
“freestyle is the best live music discovery app ever!”
#fail
–Some Blog
From: Megan (megan@frestyl.com)
To: Some Blog (blogger@someblog.com)
Subject: Correction to your blog post
You misspelled our company name in your blog post. The correct
spelling is: frestyl. Please update it.
From: Megan (megan@frestyl.com)
To: Some Blog (blogger@someblog.com)
Subject: Thanks! (and small correction to your blog post)
Hi Blogger,
Thanks so much for the post!!
Just a quick favor... I noticed “frestyl” was spelled incorrectly. Do
you think you could update it? Thanks so much!
From: Megan (megan@frestyl.com)
To: Some Blog (blogger@someblog.com)
Subject: ???
...These aren’t the droids you’re looking for...
1. Review Your Resources
2. Pick a Principle
3. Create a Context
4. Sign Post the Path
5. Press Play
What resources did Megan have?
Hmm.
1. Review Your Resources
2. Pick a Principle
3. Create a Context
4. Sign Post the Path
5. Press Play
6 Key Principles of Influence
Reciprocity
people tend to return favors
Commitment & Consistency
people who commit (orally/in writing)
are likely to honor their commitment
Social Proof
people do things they see other people doing
Authority
people tend to obey authority figures
Liking
people are easily persuaded by people they like
Scarcity
perceived scarcity will generate demand
The Hidden Principles
...shh!
Following & Flowing
people tend to take the path of least resistance
Self-Satisfaction
people love to feel good about themselves
1. Review Your Resources
2. Pick a Principle
3. Create a Context
4. Sign Post the Path
5. Press Play
(non)Authority
Reciprocity
Self-Satisfaction
1. Review Your Resources
2. Pick a Principle
3. Create a Context
4. Sign Post the Path
5. Press Play
1. Review Your Resources
2. Pick a Principle
3. Create a Context
4. Sign Post the Path
5. Press Play
From: Megan (megan@frestyl.com)
To: Some Blog (blogger@someblog.com)
Subject: Thanks + BIG favor to ask
Hi Blogger,
Thanks so much for the post! I shared it on all our social media
channels and we are getting lots of likes + retweets!...
The set up.
...
I have a real huge favor to ask though. I made a big mistake. I’m a
new communications intern at frestyl, and when I sent you our info
I must have spelled the company name wrong.
Totally not true.
...
My boss made a big deal about getting our branding right when I
contact press, and I obviously screwed that up completely.
Everyone hates their boss.
...
If there’s ANY way you could make the correction for me in your
post, it would be a HUGE help.
The effortless save.
1. Review Your Resources
2. Pick a Principle
3. Create a Context
4. Sign Post the Path
5. Press Play
...
I’m just hoping my boss hasn’t checked her Facebook yet.
Thank you again sooo much!!
The Kill.
Everybody Feels Like a Winner
Is SE just a big con?
#1: Do no harm; do some good
#2: It’s just a game
#3: Make believe like you mean it
#4: Practice, practice, practice
You’re either playing the game
or you’re being played
Social Engineering
for Everyday (Startup) Life
Questions? Challenges?

Social Engineering for Everyday (Startup) Life - Extended

Editor's notes

  1. Hi Everybody, I’m Johanna - the co-founder of frestyl and I also have a PhD in Computer Science to show my nerd cred. For those of you who know frestyl, you usually hear me talking about live music discovery, but today I get to tell you about one of my biggest passions: social engineering. And I’m going to explain how you can actually use it.
  2. So what is social engineering? Well despite the fact that it contains the word “engineering”...
  3. It doesn’t necessarily have anything to do with computers. In fact, it often doesn’t.
  4. That’s because social engineering is not the same thing as hacking. Hacking is about breaching digital systems that you don’t have access to (like picking a lock), but social engineering isn’t about breaking into anything. In fact, unlike most hacking, it’s completely legal. But it’s true that the best hackers often use social engineering techniques to breach systems. They’ve learned...
  5. why break in when you can get someone to give you their keys? It’s true... a big part of social engineering is about manipulating people into giving you what you want.
  6. And recently, Shane MacDougall made big news at DEFCON (the hacking conference) by doing just that. He won the social engineering “capture the flag” contest by inception’ing a Wal-Mart executive to hand over his identity. That sounds like something from a movie right...
  7. Like, something straight out of Hackers...
  8. or Girl with a Dragon Tattoo.
  9. Yeah so this is Shane. It took him 20 minutes sitting in a booth with his computer and a phone to get the information. So, first of all - even though in our minds, we hackers pretend we look really cool, we aren’t. But more importantly, this is just one kind of social engineering. The kind hackers practice. The kind that they made famous. So for those of you who have heard of social engineering, it’s probably because of this guy...
  10. Kevin Mitnick. He was once the most wanted computer criminal in the US and was subsequently arrested and incarcerated. Kevin was released from prison in 2000 and eventually became a security consultant. But after his release he was barred from using technology for 3 years.
  11. It was during that time he wrote and published The Art of Deception. He describes a series of exploits (tricks) in the book, none of which involved programming or hacking. Many people consider this book the bible of social engineering. So what’s in this bible?
  12. Pizza! Well one of the most famous tricks is called “free pizza for life.” Basically, a way of tricking the people at a pizza shop into giving you a free pie. Of course, it only works once or twice before they catch on... so hopefully you live near 365 pizzerias.
  13. So basically at this point it sounds like social engineering is about getting people to give you stuff they didn’t want to give you... identities... pizza... maybe some money... Social engineering sounds a lot like glorified stealing. Right? Well it’s a lot more than that.
  14. Social Engineering is the art of crafting a social situation in which the actors are more likely to follow the engineer’s desired path. Of course that path could be “give me some pizza.” But there’s a lot of other things you might want people to do, that aren’t just about giving you free stuff. Though, that is still one of my favorite tricks. You might want an investor to give you a higher valuation, you might want a media partner to give you some special coverage, you might want your boss to give you a raise.
  15. That all sounds too good to be true right? What is this magical cure for all my social problems? I want to make everyone do whatever I say, all the time - sign me up!
  16. Well, social engineering is not magical.
  17. It’s also not particularly easy.
  18. But it is 100% real and you can learn how to do it.
  19. But, like any art, it takes some practice. And for anything that requires practice, it’s important to be practical. So I’m going to walk you through a real example of how we do everyday social engineering at frestyl.
  20. Our communications intern Megan came to me with a problem this summer. This, by the way, is exactly how she presented it. So, Megan had recently worked with a blogger who wrote a post about frestyl. And after it was published - she noticed our product name was misspelled. This is pretty normal seeing as this is how we spell frestyl...
  21. Hey, we are a cool live music startup. What do you want?
  22. So a blogger misspells our name, and of course we want them to change it. So what are Megan’s options?
  23. Well, she could tell the blogger they made a mistake and ask them to fix it. <read email> That’s pretty dry and robotic though. I’m pretty sure no one except bots sends out emails like that. But okay, at least we are thinking now. Clearly, just telling a person to do what you want is not the way to go. And probably most of you would send something like this...
  24. <read email> You’re probably thinking, yeah that sounds nice. What else can you do? I mean, asking nicely, throwing in a bunch of thank you’s, what more is there? The secret of social engineering, is that there is way more.
  25. Social engineering techniques give us the tools to figure out how to write an email that this blogger just can’t refuse. I’m going to break it down into 5 easy steps.
  26. When engineering anything, the first thing you need to do is take a look at what materials you have on hand. In a social situation this means understanding your leverage, disadvantages, value, drain, knowledge, ignorance, etc.
  27. So in our example, what resources did Megan really have to work with?
  28. Well not too much. She doesn’t have any particular leverage with this blogger since they had only just gotten in contact. Megan didn’t have much of value to give in exchange (it’s not like we are giving out fabulous perks to our media partners). She really didn’t have much power over this blogger at all. But what Megan did have going for her were some useful “disadvantages”. She’s an intern. Sorry, it’s true... but everyone considers interns the lowest rung on the ladder. But sometimes when people perceive you to be at a disadvantage, you can use that in your favor.
  29. If the owner of this SUV had a disability, and a special parking permit, this would be fine. If, however, this car belongs to a superstar athlete, parking in a handicapped spot is really not cool. But, I have to warn you we’re about to get into what for some people is a deep moral gray area.
  30. No, I don’t think it’s cool to get a fake permit and park in a reserved space. But is it okay to limp into soccer practice and pretend you hurt your ankle because you don’t want to play? I’m pretty sure everyone here has called in sick once to take the day off. But, we’ll get back to these moral quandaries later... poor, disadvantaged Megan the intern has 4 more steps. Next, she needs to...
  31. Pick a principle to work with. First off, what are these principles?
  32. They are the 6 key principles of influence and they are the secret sauce of social engineering. They are brilliantly outlined in a book by Robert Cialdini called...
  33. Influence: The Psychology of Persuasion. You should read it, but since you don’t have time now, let’s go through this Blinkist style. First principle:
  34. People tend to return favors. If you give me some of your company schwag, I’m more likely to give you some of mine. And you might want that because I work somewhere with awesome schwag. Principle number 2...
  35. People who say yes or write you a confirmation, anything that feels official, are much more likely to keep their word. Letters of Intent, Memorandums of Commitment, make up anything, just get customers to sign it and swear on something precious to them. Principle number 3...
  36. People are lemmings. They copy each other. We all know about social proof. But standing next to the right person at a networking event can open big doors. Principle number 4...
  37. But then there’s authority... people always listen to the man in the uniform (even if he’s not actually a police officer). If you’ve got a C in your title, use it. Principle number 5...
  38. Of course we all know about liking... but it goes beyond Facebook friends. Even if I don’t know the person I’m in this super important meeting with, I can do my homework first. And if I can get them to like me quickly by connecting over some trivial shared passion (omg you love home brewing too?!?), I’m at an advantage. And finally, principle number 6...
  39. Scarcity. Like coveted beta invites, we all know about trying to generate demand. But if I’m a successful investor, and I’ve cultivated a reputation for being short on time, when I give you half an hour, it seems like years.
  40. But wait - there’s more. The 6 principles are great, but there’s actually two that I have given myself the authority to add (because I use them all the time). So, onto number 7...
  41. People tend to take the path of least resistance. It’s true that people will often obey directions from authority figures, or copy what they see other people doing, but in a broader sense, as a species we generally avoid conflict of any kind. We don’t go against the grain. Most people drive within the lines. So when you sit down in a board room, and your team sits around one corner, there is no longer the classic “other side” of the table. Most investors will just follow your lead instead of forcing the seating arrangement that suits them. So you’ve just gained a big tactical advantage. But the 8th principle, is the most important. And it’s the most controversial when I talk about this...
  42. People love to feel good about themselves. When given an opportunity, they will take it without hesitation. However, most normal people are lazy (as we saw with the last principle), so we don’t have billions of people running around handing each other flowers! So why is this principle so useful? Because if you can create a situation where a person can feel fantastic about themselves, feel like a hero, and make it be entirely effortless on their part - they will, almost invariably, take the bait.
  43. So now that we all know the principles, let’s talk about what Megan should do. Since she’s at a general disadvantage in this situation, her best bet is going to be to use a cocktail of...
  44. non-Authority, Reciprocity and Self-Satisfaction. This is basically the social engineering version
  45. of pretending to fall on your own sword in front of another person. Basically, you’re making yourself appear to be in great danger, needing to be saved! But to be saved, we need to be saved from something. And that’s where this context comes in...
  46. Creating a context is like setting the stage. When you walk up to an airport counter and say “I missed my flight because I was stuck in traffic” it sets a very different tone than “I missed my flight because I just performed CPR on a man who collapsed in the parking garage and saved his life”. Heroes get special treatment.
  47. And so do cats. Cats are amazing at this. They can get out of trees...
  48. but they are always convincing firefighters to save them. So what context can Megan create that will allow her to be rescued?
  49. The evil boss! That’s me, by the way, before I have coffee.
  50. So now all that’s left is to sign post the way for our blogger. We need to explain how easily Megan can be saved. So let us go back to our email...
  51. Megan starts by setting up some reciprocity... <read email>
  52. Then, she takes all the blame for something that is so not her fault. <read email> Man this girl must be clueless.
  53. Then, Megan introduces the blogger to her world of the angry boss <read first line> and repeatedly falls on her sword <read second line>.
  54. Then, she explains how she can be rescued from this hellish nightmare. <read email> All the blogger must do is simply make a quick change on WordPress. And with a few keystrokes, he is going to save this poor little intern’s entire career. He could be a hero.
  55. And to set everything in motion, Megan adds a final sense of urgency...
  56. <read email> She is there, watching the minutes tick by until I wake up, check my Facebook, and have her executed. But this blogger can save her by essentially doing nothing. So this - ladies and gentlemen - is an email they basically can’t refuse. Because...
  57. Everybody loves to be a hero. It feels so good to be a hero. But that is the true art of the game...
  58. To craft a situation in which all the players feel like winners, because then they want to keep playing. Simple, right? Well, some of you might be thinking...
  59. “Hey, wait a second. Isn’t making everyone ‘feel’ like a winner, just a nicer way of saying that social engineering is about conning people?” The truth is, it’s up to you, but every social engineer needs to wade through the deep gray areas and develop their own style and limits.
  60. It can be a little confusing to put on the “gray hat” at first but I’m going to leave you with the four rules I live by to get you started on your path.
  61. I make it a practice to only use my powers for good, and when trying to engineer a situation, I make it a policy not to make anyone’s life worse for my (or other people’s) benefit. But even if you’re not so pure at heart, it’s important to remember that the principle of reciprocity shows us we need to give something to get something back. And so doing something actually helpful to another person is often one of the best ways to start creating a context. The classic “Here, let me help you with that...” is a great way to open someone up. Being nice works. But more importantly, you need to stay grounded...
  62. and remember that SE is just a game. When I work on engineering a situation I make sure never to risk too much. I treat every SE win as a bonus, but I always go in assuming I’m not going to be successful. That way, you never have too much on the line. If you lose, you should walk away no worse off than you were before. So giving your boss an ultimatum like “give me a raise or I’m quitting” is probably not a wise move. I wouldn’t gamble so recklessly, but when you do make your move...
  63. You have to believe every word you are saying. In social engineering, confidence is king. If you aren’t buying what you are selling, nobody else will. You can tell yourself it’s like acting, pretend like you are a spy, but whatever you do, you need to commit 100% to the context you are creating and really live the whole moment like it’s real. So how do I manage to be so convincing? It’s not a gift...
  64. It really comes down to practice. And I honestly practice every day. I look for trivial situations to challenge myself with: can I get to the front of this line? Can I get upgraded on my flight? Can I get into this event for free? Worst case scenario, I don’t and I’m right where I started. BUT I’ve improved my skills and I’m starting to feel more comfortable getting rejected. And to be honest, that does happen a lot especially when you are just starting out. But, it’s worth it. Because the ones who don’t give up become the true social engineers - and when you meet another one during your exploits you’ll be able to share the insider’s nod that says:
  65. You’re either playing the game, or you’re being played. And that’s the secret of...
  66. social engineering for everyday startup life.