NLP for Social Engineers

October 5, 2009

Anybody in the industry who has talked to me about NLP has understood my utter frustration about the state of NLP learning and its application to social engineering. It got me riled up enough to do a post on NLP and science a few months ago.

And, for the past few months, I’ve been pondering the idea of doing a free education series for the industry on what NLP is and how to use it as a social engineer. But, as anybody who knows me knows, I’ve been a bit busy. Foreground is taking off, having made the INC 5000 due to the phenomenal amount of growth (and corresponding amount of work for each of us). And my own projects (Connected Career, Information Security Leaders, and the projects we do through Michael Murray and Associates) have added an even bigger load.

But I got really riled up when I read the NLP section of the new Social Engineering framework. Because, while true, it doesn’t teach the reader anything useful about how to use NLP in SE. (That shouldn’t be taken as a criticism – I believe strongly in the project and will be helping to edit and correct deficiencies and gaps over the coming months… the guys over there are doing the community a phenomenal service).

So, I sat down and started recording the material I had been putting together over the previous months. It’s going to come out to about 10 hours of audio, video and a whole pile of exercises. I even did a video to explain what you’re going to get.

Check out the video and sign up here.


Hacker Halted Redux

September 28, 2009

I had a blast at Hacker Halted last week, and I did a talk that I was incredibly excited about. It was the first time I was going to talk about some of the new research I’ve done and, while I didn’t plan to give out a huge number of details on the methods, I hoped that the talk was going to be well received.

Well, I’m sure that it would have been, had it actually finished. Because I didn’t read the program nearly closely enough, and I prepared a normal 80 minute talk, only to realize that my speaking slot was 45 minutes.

So, I only got about 1/2 way through my slides, and much of the meat was lost. A couple of audience members talked to me afterwards and seemed a bit disappointed, so I promised I’d provide the talk another way.

I do like to keep promises. So I sat down at my computer this morning and recorded the slides and the audio. The entirety of the talk that the audience would have seen is below.

Hacker Halted Redux @ Yahoo! Video

Let me know your thoughts and opinions and ask questions if you have them (since I didn’t get to take audience questions at the conference, either).


Social Engineering Abounds

September 16, 2009

I’ve been ranting for years that we need more exposure about the threat that is Social Engineering. As time goes on, we move more toward a model where the human is the prime exploit target.

I just found out that some other people are thinking the same way. Today launches the first Social Engineering Framework. I’ve recently become a contributor, as have many incredible names in this industry.

I expect great things from that crew and hope to be part of some of them. Also, keep your eyes out for new developments here – I’ve been head-down working on some SE-related projects that all will hit in Q3 and Q4.


Greed as a prime motivator

July 22, 2009

I found this article the other day about the teen in Great Britain who managed to completely dupe a bunch of airline executives into believing that he was a millionaire looking to buy into their company and expand it. The key to the attack is that greed was the prime motivator. From the article:

When asked how he had managed to fool them, one of the airline execs in Jersey stated:

“If they were real then there would have been opportunities for us to expand our business and that’s not the sort of thing we are going to ignore.”

That quote is the key to it all – we can all learn something from this executive. The problem is that the higher ups in this company were willing to throw caution to the wind when granted a potential for monetary gain. Of course they’d love to expand their company, but at the cost of ignoring security and inviting the con-artist into their inner sanctum?

The question is whether this executive would also answer a phishing email like the one I got from Jassay Goran in the Solomon Islands that promised me I’d get $8.5 million if I followed a few simple steps. People involved in social engineering are often extremely bright, inventive and ingratiating – as I have said repeatedly in talks, social engineering is primarily a crime of the imagination. Note that in his explanation and defense of his actions, the executive used the phrase “if they were real” as the pretext for his action. Anytime someone does that, they’re taking a big chance with that little word “if.”

I’ll comment more on this article and the overall story in a later post. I think there’s something to be learned from a fact that’s recently been reported about this 17-year-old: he has autism. Also, this story really makes me reconsider the whole topic of user education. More thoughts after the pre-Blackhat rush settles a tad.


Modern Social Engineering

March 17, 2009

I’ve spent a lot of my time lately working on projects related to social engineering. Writing articles, prepping class material, and just generally having conversations and brushing up on my skills. For those that don’t already know, Chris Nickerson and I are doing a full five-day class on Social Engineering at ChicagoCon in May, and there’s much to prep for.

In preparation, and to give people a brief taste, Chris and I did a webinar last week. Check out the video for the webinar over at EH.net.

Also, since Chris leaked it already (when someone SE’d him on EH.net), I’ll post a small snippet of one afternoon of course outline here:

Determining Tests
- Types of testing
  - Direction of attacks
  - External
    - Electronic
      - Phishing
      - Client-side / browser-side exploitation
        - Metasploit
        - Core
        - By hand
      - Malicious attachments
    - Person to Person
      - Phone
      - Written
      - Social Networks/IM
      - Public Manipulation
  - Internal
    - Person to Person
      - Gaining access to physical credentials
      - Solicitation
      - Direct interaction
      - Creating spies / information leak sources
        - Methods (al mamalik, qulaam, KGB, CIA, others)
        - Trading information
      - Becoming an employee
    - Electronic
      - CD/Key drops
      - Authentication bypass
      - Key/perimeter bypass
      - Falsification of credentials
      - RFID/HID copying

Check out the webinar, and hopefully you sign up for the class.
