DeepSec 2012 Talk: I’m the guy your CSO warned you about
Social engineering has a bit of a soft touch. Mostly people think of it as “you can get into trouble by talking to strangers”, remember the “don’t talk to strangers” advice from their parents, dismiss all warnings and get bitten by social engineering anyway. You have to talk to people, right? You are aware that attackers will use social engineering to get past the expensive security hardware and software. Being aware is very different from being prepared. This is why we asked an expert in social engineering to give you an example of his skills. Be warned, it won’t be pretty and you won’t leave the presentation with the warm and cosy feeling that everything will be alright. To give you a sneak preview, here’s a digital letter from Gavin Ewan himself:
‘I’m the Guy your CSO warned you about’ is not your typical social engineering talk. Gone is the snake oil sale of analysing the minutiae of pop psychology and trying to squeeze out real answers to the questions asked during a real social engineering attack. In comes a hard-hitting account of a social engineering attack drawn from real sources but anonymised to protect the pwned. From the account given, attendees of the talk will see that a real social engineer doesn’t once pick up a psychology textbook; instead they use the real dirty hacks that quite frankly we all enjoy. If you want an hour of being told that ‘looking to the right makes you easier to social engineer’, go to another talk. If you want to see how the real bad guy operates, and talk about how to defend against him, then I look forward to seeing you there.
You see, we really care about security being close to real-world experience. Just as attackers do not stick to the rules of sending “proper” TCP/IP packets or “proper” HTTP requests, social engineering attacks do not follow textbook examples from psychology lectures. You always have to take the real world into account – and we strongly recommend that you do! Don’t miss this talk, or at least don’t complain if attackers rob you over the phone!