How to master the art of deception like a hacker

Wow. [LAUGH] Thanks for finding out passwords.

Snow. Stephanie, you are a social engineer, and your title is Chief People Hacker. Yes. At IBM, that is the coolest job title ever. And for the past three weeks, you have been hacking, attacking, and social engineering my colleague Graham Kates and myself. You found so much information that it generated a 20-page report. That is amazing and horrifying. [LAUGH] But let's start with the basics. Okay. When we say social engineering, what do you mean specifically? What does this type of hacking entail?

So social engineering is convincing people to perform an action or give out information that's not normally something they would do. So it's really going out there and seeing what information you can get from them. Specifically, we look at phishing. So that's sending out an e-mail with malicious links or attachments. And what a lot of people don't realize is if they click on the link or open the attachment, it could give someone access to their information or even their computer.

You found out a lot about den. Yes. But you found out just a crazy amount about me and my whole family, really: my wife, my young daughter when she was born, my address, my cell phone number. It's kind of a whole different world of information about me, and I'm curious what that could give you access to.

So, with your cell phone number and seeing different accounts you have, I know that you're interested in food and you like to take pictures of food. So as an attacker I could use that information and send you a text message, but it could contain a malicious link. Or if I know that you're out of the town, and I did see a post where the family was going on vacation, that's something that as an attacker I would know that your house is most likely vacant.

>> What's fascinating, Stephanie, is that your skills are so good that you're in disguise right now. I am, yes. [LAUGH] Let's take a look at Stephanie Snow post disguise.
Absolutely, so I am in disguise now; this is not what my hair looks like at all [LAUGH]. So I use this [UNKNOWN] a lot when I go on site cuz I don't want to be recognized or am I have to use multiple personalities? If something does work the first time, I have to try something else. And this really helps me [UNKNOWN] pretending to be someone specific, like a flower delivery person I'm gonna change into two uniforms. The wig that I use is just something I would use for an auditor and I'd wear a suit. I actually go online and try to find information and pictures of people in those same job roles to look as much like them as I can.

So you've now taken off your disguise; you're dressed as yourself, presumably. So you didn't actually break into the CBS News headquarters. But you brought along tools that could show us how you would be able to do that if you wanted.

Absolutely, so I actually made you a fake card, and can I see that? Yeah. So to show how this would work, this is like a regular RFID system that many buildings have. So you need to badge in to get access to the building. So your card is programmed and it works. What I would then do is take my RFID captioned device. And what this is, is this is a long-range reader. I hide it in my purse, and nobody knows it's there. So what I do is, I wear my purse around. And I would stand next to an elevator, in line at the coffee shop, and all I would need is 20 inches of distance between my purse and your badge. And I would be able to capture all of the data that is on your badge. So then I would go back to my hotel room and I'll get the data off of this reader. [BLANK_AUDIO] So I have a micro SD card in here that I would then pull out, plug into my computer, and I would use this Proxmark. What this does it will [UNKNOWN] the data that I give it onto a new card. So I'm taking the data that I captured from your card, and I am programming it to this new card. So it will now work just as if it was your card.
I didn't do anything wrong, but you were able to get access to the building, using me as a vulnerability. Exactly. And that's just very, very close distance. I don't even have to be at your building. I could be in line for lunch or somewhere just close to employees.

All right, Stephanie, a large part of your job requires that you build trust, build a rapport, and you do that often by spoofing a phone number to appear as though it's coming from a trusted source. It could be a friend, it could be a family member, it could be a bank, right? And all of us have seen these spam robo calls on our phone. Sometimes a robo call that get me look as though they're coming from my number or a very similar number. You can even spoof how two different contacts could look like each other. Tell me how this process works, and can you show us?

>> Yes, absolutely. So you need a mobile app, and I'm not gonna tell you which one.

>> So you are going to make it look as though my phone is being called from Graham's phone.

>> Right. All right. [BLANK_AUDIO] I feeling a calling and it says Graham Kates. But it is, in fact, you calling you from your mobile phone. Exactly. I think there's something that's really important to point out here, which is that it's not that you designed some sort of program, but it's that anyone could get that and do the same thing. Absolutely, and it's just, it's an app and you can make your phone number appear as anyone.

Snow, you've demonstrated to us that we're absolutely unsafe everywhere. How do we protect ourselves? That's a great question. So how you can protect yourself online is really stop and think about what you're posting. Do you really need to tell everyone that you're going on vacation? And also check websites to see if your information is leaking anywhere so you can get that removed. Those two things are very important when it comes to social media. As far as your badges, there's no reason you need to take it everywhere with you or leave it in your car.
It should be hidden so that someone like me or an attacker can't visually see it to recreate a copy or clone it.

Before you came here, you told us you had some surprises to show us, some things that you found about us that you didn't necessarily want to put in your report, and we're ready to see them. All right. Graham, this is for you. Dan, for you. Man. The magical mystery envelope. Wow. [LAUGH] Thanks for finding our password. [UNKNOWN] This is [LAUGH] maybe my oldest password, it's what I have been trying to phase out. Okay. From my various web sites. [LAUGH] When I was just like a little kid and I didn't know any better. So unfortunately things like this are in data breaches, and if I can get it, so can attackers. [BLANK_AUDIO]
