Christopher Hadnagy

I can get 75% of you to give me your social security number, your date of birth, or other really personal identifying information. Now why can I make such a bold claim? Because statistically, that's exactly how all of you will act. Last year, in this country alone, 500 million dollars was lost to one type of attack, and that's called phishing. And it's email-based attacks. And last year, we counted and I estimated that I personally sent over 13 million phishing emails. Now you may be sitting there saying, my God, why would you admit to anyone that you sent 13 million phishing emails when you just told us how terrible they are? Well, I'm what you would call a hacker. But not this kind of hacker. I don't sit in my mom's basement with a hoodie on, wreaking havoc on the internet. I'm a good guy. And the type of hacking that I do is I try to understand these breaches, and then I try to figure out how we can help people be protected from them. But I focus on one area, and that's called social engineering. Social engineering is defined as any act that influences a person to take an action that may or may not be in their best interest. I like this broad definition because I don't always think that social engineering is negative. I think we need to really understand the positive side of social engineering so we can understand how malicious actors use it. Now, let me give you an example. How many of you have one of these? I have one, she's still that cute, but not that young anymore. Now, hopefully there's one guy that's watching this that can understand this story so I'm not alone. But if you have a beautiful little daughter, you may have been asked at one point to have a princess tea party while your makeup and your nails were being done. And maybe there's pictures like this floating around out there about you. Well, you may say, how is this a positive example of social engineering? I mean, you love her, so of course you would say yes to this. 
Well, that is true, but we need to understand the relationship between emotional content and brain chemistry. And when we understand that emotional content will allow certain chemicals to be released inside my brain, which will make it easy to say yes to the very decision that if any of you ask me for the same thing, the answer is going to be much, much different. So when we begin to understand that brain chemistry that gets released, those chemicals, those hormones, we begin to understand how we can make yes decisions. So my quest became to understand how humans make decisions. What are the sciences behind this? Then I wanted to learn how to exploit them. So, I started on research projects and talking with world-renowned researchers. That led me to a personal favorite of mine. But first, understand how it applies to four different areas of malicious social engineering, because we can't really focus just on the positive when we're talking about it in the sense of how we stay secure. So we need to understand these four vectors. First is phishing, email-based attacks. Then second is vishing, that's voice phishing. So any type of attack that comes over your phone, any type of scam like that. Then SMiShing, which is text-based phishing. So any type of text messages that come in that would be attacks. And then the ishing guy took a small vacation and we're left with impersonation, which is any in-person attack, someone who makes believe they're someone that they're not. So I wanted to see how the science behind the research that these researchers have performed for decades could be applied to these four vectors. I had the privilege of working with a personal legend of mine, Dr. Paul Ekman. And really, he could be called the granddaddy of nonverbals. He's been studying microexpressions and nonverbals for longer than I've been alive. And he taught me so many things, but I want to boil it down to two. 
First, Dr. Ekman taught me what a microexpression is, and that is a 1/25 of a second muscular response to emotional stimuli. So one of our senses takes in something, it creates an emotion, our face shows it through a muscular response. Second, the most fascinating part, was that if you make the facial expression, you actually can create the emotion. Let's have an example. This is a classic fear expression. Now, fear is oftentimes shown with the eyes opening super wide, the mouth is pulled back, not just open, but pulled back in an eek position, and you usually hear an audible gasp. (gasps) OK, so on the count of three, I want you all to do this with me. You're going to open your eyes really wide, pull your lips back, eek, and you're going to do (gasps) OK? One, two, three. (gasps) OK, now, how many of you that played along actually got goosebumps? Maybe some of you watching this feel a little anxious or worried. Why? The very science behind it is that when we create the facial expression, we create the emotion. Now I really don't want to be sitting here for the rest of my talk feeling anxious, worried, or afraid, so let's end with something beautiful, and that's happiness. Now, happiness is not just in the mouth. That's a fake smile. Happiness is shown with the whole face and the eyes. So I want you to do this with me. Smile, but get those eyes, don't worry about your crow's feet, and you'll feel all the anxiety you just felt a minute ago just worry away. It's working for me, too. So that feels really good. Now the next conversation I had was with a researcher named Dr. Paul Zak, and he wrote a book called The Moral Molecule. And in his book, he outlined research into something called oxytocin. And oxytocin, he found, was linked strongly to trust. And one thing that he taught me which I found truly fascinating was that it's stronger in us when we feel trusted, not when we feel trust. So think about this. 
If I say to you, hey, I got something I want to tell you that no one else knows. And you believe it, oxytocin is released, I'm your supplier. Automatic rapport and friendship. Beautiful way to start off. The last area of research was done by Dr. Daniel Goleman, and he coined the phrase amygdala hijacking. Now, what is the amygdala? It's a small walnut-sized piece of gray matter in the brain; its purpose is to process emotional stimuli. And one of the things that he proved through his research is that the amygdala can actually trigger physiological and psychological responses before the brain has time to kick in. Looking at fMRI images of emotions being triggered in the brain, we can see all these different areas lit up, but here's what he found: the logic centers are not. They actually shut down when strong emotions like fear are triggered. In that sense, a person would make an emotion-based decision. Now, how do we apply this all to social engineering? Well, here's a case study. I got asked to test the security of a company, so I started off with a phishing email. I told them that I had 10 brand new iPhones and that to win one of the iPhones, there's a raffle. They have to click on this link, go to this webpage, and give me what we call their domain credentials, which is the username and password to your computer. Out of 1000 people, how many people did it? 75%. So now I had 750 domain credentials for a major corporation in the United States. I took the top 25 of those, and I called them. And I said I was Paul from tech support, we saw that they just clicked on a phishing email, and now their machine was laden with malware. So to clean it, I needed them to go to this website, download an .exe and install it, but it wasn't a cleaning tool. It was a program called a reverse shell, which allowed me access onto their desktop. I want to play one of these calls for you so you can hear how these exact studies work.
(Recorded call)
Chris: Did your password change?
Man On Phone: Yes, I did.
Chris: OK, excellent. Just wanted to tell you that was really good. That's the way it should have been handled.
Man On Phone: OK, yeah. As soon as we realized, the two of us jumped right on it.
Chris: OK, so there was another guy on your team then also?
Man On Phone: Yeah, I think it was J.R. (bleep).
Chris: J.R., OK, I am going to write that down and I'll be talking to him later on. So just to follow up what we're doing, are you on the VPN right now? You're on your work machine?
Man On Phone: Yes.
Chris: OK, I will give you an internal address. It's an FTP site that we set up for (bleep) employees. You can go there, you can see there's one file there that you'll be able to download and it will just clean up any residual mess from that website. So if you're at your machine, just open up a browser and I'll give you the address. Type in FTP.
Man On Phone: FTP?
Chris: Yes, F as in Frank, T as in Tom, then P as in Paul, and then a colon and then two slashes, and these are the slashes that are by your question marks, the same button as your question mark.
Man On Phone: Got you. FTP, OK.
Chris: And then the word is update dash, and the dash is like the minus sign.
Man On Phone: Got you.
Chris: (bleep) dot com.
Man On Phone: OK.
Chris: And it should open up and it should say index of and it should have one file. It's a file called (bleep) PC Checker.
Man On Phone: OK, you know, it's there. OK, click on that?
Chris: Yeah, click on that.
Man On Phone: OK.
Chris: And it should, it should download. It should ask if you want to run or save. Click run.
Man On Phone: OK.
Chris: If everything goes good, you should get no alerts. You know, if you have a residual problem from that site, then you'll get a message. But if nothing happens, then everything's clean and good and we're done.
Man On Phone: OK, I just got a second thing that said the publisher could not be verified. Are you sure you want to run this software?
Chris: Yes, click OK.
Man On Phone: Run again? OK. (Laughter)
Chris: OK, that's good. So if you got no error message, then you're good to go. You're clean.
Man On Phone: OK, well, thanks for the help.
Chris: Not a problem, we'll talk to you later.
So 24 out of 25 complied. Now sometimes when we see attacks like this, I hear people in my industry use a phrase like this. That there's no patch for human stupidity. Let me tell you why I feel this is such a wrong statement. I really feel this is not a great way to educate. And I will do it by telling you a really embarrassing story. I'm what's known as an Amazon junkie. I'm one of those guys, like, if I'm in a department store with my wife and I'm shopping, I'm actually on the Amazon app looking for the product going — but in two days, it could be at my house and I save like four cents. All right, so, I'm one of those guys. Well, I was preparing for a conference and I got an email that said one of my recent Amazon orders would not be shipped due to a declined credit card. I clicked on the link without thinking, without doing anything I tell all my clients to do. I then went to the webpage and I started entering my credentials before I realized it was a phish. Whoa, I can't believe it, right? A guy who sent 13 million phishing emails and wrote a book on phishing got phished. (Laughter) I fell for it. So I don't want you sitting here thinking, well, then there's no hope for us, is there? 'Cause there is. Let me give you the one clue. Dr. Goleman told us what happens, how to get his research subjects back to critical thinking. It was time. So next time you feel emotional about an email, a text message, a phone call, or a person you meet, just tell yourself, it's OK to wait. A short pause can return your brain back to critical thinking and you will not be one of the 75%. Thank you. (Applause)