I have to admit I spent, I don't know, maybe twenty minutes this morning stressing over a new password. I did the whole routine, you know, capital letters, a number, a special symbol, the whole nine yards. And I sat there looking at it, thinking, okay, this is it. I am Fort Knox. Nobody is getting into this account.
It's a satisfying feeling, though, isn't it locking that digital door?
It is. But then I started reading the material for today's deep dive, and that feeling of security just completely evaporated, because I realized my twelve-character uncrackable password is just totally useless if I just tell it to you.
And that is the uncomfortable truth we're digging into today. We tend to think of security as a technology problem. Firewalls, encryption, two-factor auth, all the tech stuff, but we almost always ignore the single biggest vulnerability in any system. And it's not the software. It's not the hardware. It's the meatware.
It's us, the human being sitting in the chair.
Precisely. Today we're diving into Social Engineering: The Art of Human Hacking by Christopher Hadnagy, and this source really challenges that traditional idea of
what a hacker is.
Yeah, when I think hacker, I picture, you know, a guy in a hoodie in a dark room furiously typing green code onto a black screen.
We all do.
But Hadnagy argues that the most dangerous hackers don't hack computers. They hack people. He defines social engineering as, and I want to get this wording right, the art and science of skillfully maneuvering human beings to take action.
And we should probably clarify that the action is usually something that is definitely not in their best interest. It's manipulation. But it's not just, you know, lying. It's manipulation down to a science.
The source uses this metaphor that I found really really helpful. It compares a social engineer to a master chef.
I like that analogy a lot. It really works.
It makes sense, right, because a chef doesn't just throw one raw ingredient on a plate. You don't just hand someone a raw potato and call it a meal. You have to mix
things, right? And in the world of social engineering, those ingredients are things like elicitation, pretexting, and psychological triggers.
So a master social engineer mixes them in just the right amounts, adds a little pressure or urgency, the heat, and serves up the perfect attack. They're blending all these elements to bypass your logic and get to your emotional control panel.
Okay, but before we get too deep into this recipe, we need to drop a massive disclaimer.
Here. Yes, a big one.
The stuff we're
talking about today, this is the playbook used by criminals, con artists, spies.
We have to be crystal clear about that. Yeah, the purpose of this deep dive, and the purpose of Hadnagy's book, is strictly security through education. Right.
You can't defend yourself against a weapon if you don't even know what it looks like. We're analyzing these methods so you can spot them, not so you can go out and use them.
Please do not rob a bank.
The police don't.
All right. So let's look at that first ingredient in the chef's kitchen. The source argues this is the foundation of every attack: it's information gathering.
Yeah, there's a quote in there from Napoleon Bonaparte: war is ninety percent information. If a social engineer wants to target you, they don't just walk up cold. They do their homework first.
And when we say homework, we are not talking about a quick Google search. The level of detail here is obsessive. There's a case study in the book about a guy named Mati Aharoni.
Oh yeah, this one's great.
He's a professional penetration tester. Yeah, one of the good guys.
Right.
He's hired to break into this secure banking facility. But this place was a fortress: almost zero web footprint, no obvious servers to attack, tight physical security, a hard target.
So the front door is locked, the back door's locked, all
the windows are barred, exactly. So Mati stops looking at the building and starts looking at the people inside. He starts digging into the personal lives of the high-ranking staff.
And he finds this one tiny, seemingly useless detail about a top executive.
He was a member of a stamp collecting forum. Stamps?
I mean, come on, you literally cannot get a more innocent hobby than that.
It seems innocent to you and me, but to a social engineer, that's a golden ticket. Mati saw that this executive was really active in threads about rare stamps from the nineteen fifties, so
He didn't attack the bank. He attacked the hobby.
He pivoted completely.
Mati went and registered a domain, stamp collection dot com or something like that. He built a fake website, filled it with pictures of these rare nineteen fifties stamps.
And then he crafted the perfect
email, posing as someone who just inherited his grandfather's collection.
Hey, I have these old stamps. Are they worth anything?
That was the hook, and he sends this to the executive's corporate email.
Now you gotta put yourself in the executive's shoes.
You're at work thinking about spreadsheets, right? Suddenly an email pops up about your absolute favorite niche passion. Your guard doesn't just go down, it vanishes.
He clicks the link.
Of course he clicks the link, and that's where the tech comes in. The website had a malicious frame embedded in it that exploited a vulnerability in Internet Explorer.
So he didn't even have to download a file called virus dot exe or anything.
Nope, he just had to look at the pretty stamps. The moment the page loaded, Mati had control of his computer and, through that, the entire banking network.
That is terrifying, because the executive didn't do anything stupid, you know. He just engaged with his hobby.
That's the chef at work.
But information gathering isn't always that high tech. Sometimes it's remarkably gross. We have to talk about dumpster diving.
I was hoping we'd get here. The book spends a surprising amount of time on trash. I guess the logic is one man's trash is another man's password.
It's a gold mine.
People assume that once they toss something in the bin, it just sort of disappears.
Yeah, into the magic trash void.
But until that truck comes, it's fair game. The source tells this story about the Canadian CTU, the Counter Terrorism Unit.
Now, if I'm thinking secure organizations, these guys are at the top of my
list. You would hope so.
But a social engineer, just to prove a point during an audit, went through their garbage and he found top secret defense documents.
No way.
Oh yeah, we're talking
floor plans of the Canadian Joint Incident Response Unit, locations of security fences, patrol schedules.
Just sitting there in a bag.
That is just negligence on a whole other level. Yeah, but surely most places shred that stuff.
They do, but even then people mess it up. I didn't realize there was such a strict hierarchy of shredders.
The strip-cut versus cross-cut debate.
Yeah, it matters so much.
Most people buy those cheap strip-cut shredders that turn paper into, what, spaghetti?
Yeah, like long ribbons exactly.
Well, if you have enough patience, and social engineers have infinite patience, you can just tape those back together. There's even software that can do it for you now.
So a strip-cut shredder is basically just a puzzle maker for bad guys. Pretty much.
The source says you need a cross-cut shredder, the kind that turns paper into confetti, a fine minced mess. You aren't taping that back together. No.
Note to self, buy a better shredder. Yeah, but it's not just physical anymore. It's digital. The book uses this term I loved: digital exhaust.
It's a perfect metaphor, right? We leave traces of ourselves everywhere online. The source mentions a site called icanstalku dot com. It doesn't exist anymore, but it showed how dangerous geotagging is.
That's when your phone embeds the GPS coordinates right into the photo file.
Yes, so people were posting pictures of their cats or their dinner on Twitter. This site just scraped those photos and plotted them on a map in real time, so you could see, oh, user one two three is at this specific intersection right now.
Or even worse, user one two three is in Hawaii, which really means user one two three is definitely not at home, so come rob their house. Exactly.
It's creating a pattern of life, and that brings us to the next big section. Once you have the dots, the info, you have to connect them, and you do that by talking to people.
This is the art of elicitation.
Elicitation. It's one of those things that feels like a superpower once you learn what it is. The book defines it as the subtle extraction of information during an apparently normal conversation.
The key word there is normal. It can't feel like an interrogation, right?
If it does, you've failed.
It relies on our deep-seated human programming. We're wired to be polite, to seem helpful, to look intelligent. We love to be praised, and
there's this specific technique in the book called the false statement. I actually tried this on a friend the other day, and I was shocked at how fast it worked.
It is frightfully effective.
Yeah.
The basic idea is, if you want the truth, don't ask a question, tell a lie.
Right, because people have this burning need to correct others. Yeah, we hate being wrong, but we love pointing out when someone else is. It's the ego.
So a social engineer doesn't ask, what were your sales last quarter? That's a huge red flag.
Instead they lean in and say something like, man, I heard you guys had a rough quarter. Rumor is sales are down to, like, what, twenty-three percent? And
the employee's brain just snaps: What? No way, we did great, we were at thirty percent.
And boom, you just handed over proprietary data. Yeah, and you feel good about it, because you defended your company. You
corrected a misconception. You don't even realize you've been played.
There's a much heavier example in the book, though. It involves nuclear weapons. This one gave me chills.
This is the story of the senior scientist from Los Alamos who visited China in nineteen eighty. Now, this guy knew the Chinese scientists were going to pump him for info on neutron
bombs, so he had his guard up. He was ready for the interrogation.
He was, and he stonewalled them on every classified question. But elicitation works best when your guard is down. So there's a dinner, cocktails, toasts, everyone's relaxed.
And he starts telling a story.
He uses an analogy. He's trying to explain fusion, so he makes a hand gesture. He talks about rolling deuterium and tritium into a ball and then rolling them off a table.
Now, to me, that sounds like nonsense. Rolling off a table?
To a layperson, yes. But to the Chinese researchers, who were stuck on how to ignite the reaction, that was everything. By describing it as rolling a ball, he was inadvertently confirming a theory about spherical compression.
He didn't give a formula, but that one little analogy, that
was a missing puzzle piece. He gave away the method of ignition with a hand gesture because he wanted to tell a good story.
Wow. Speaking of manipulation, there's another trick called preloading. This is less about getting info out and more about planting an idea, right?
Preloading is about manipulating the context so that when you ask for something, the answer is already yes in the target's brain.
The book uses the steak dinner strategy. I feel like I've been the victim of this one.
We all have. A husband wants steak, knows his wife hates the steakhouse.
If he just asks directly, she'll say no.
So he asks like a hacker, in a way.
Early in the day, he mentions how good the neighbor's grilling smells. Later, he leaves a coupon for the steakhouse on the counter. He's setting the stage.
He's marinating her brain in the
idea of steak. Exactly. By the time he actually asks, she's much more likely to say yes. He manipulated the sensory input to get the result he wanted.
Okay, so we've gathered the ingredients, we've mixed them with elicitation. Now we get to the performance. Section three: pretexting.
Pretexting is what people usually think of as the con, but the book makes a key distinction. It is not just lying. Lying is saying, I'm a doctor.
Pretexting is wearing the scrubs, having the stethoscope, knowing the jargon, and acting like you're late for surgery. It's method acting.
And the golden rule here is simplicity. Amateurs create these super elaborate backstories that fall apart under pressure. A good pretext is simple: Hi, I'm from IT, I'm here to fix the printer.
We have to talk about the Stanley Mark Rifkin heist. This case study reads like a movie.
It's a classic. Rifkin was a computer consultant for a bank. He had a badge that got him in the building. He walks down to the secure wire transfer room.
He just walks in like he
owns the place.
He's taking notes, acting busy, and he spots the daily transfer code written on a piece of paper pinned to the wall.
Which, can we just pause on that? Writing the password on
the wall. Huge failure.
But notice what Rifkin does. He doesn't steal anything. He memorizes the code and walks out. He goes to a payphone.
This was the seventies, right.
And he calls the very room he was just in. And this is the pretext: he becomes Mike Hanson, a branch manager. He's casual, professional. He gives the clerk the code he just memorized, and
because he had the code, the clerk trusted the voice. Exactly.
The clerk's brain thinks only authorized people have the code, so Mike Hanson must be real. Rifkin transferred ten point two
million dollars. Ten million dollars. No guns, no masks, no computer hacking, just a payphone and a fake name.
That is the power of a good pretext. But it's not just lone wolves. The book brings up the Hewlett Packard scandal. This was corporate warfare.
Yeah, this one shocked me.
The chairman of HP was trying to find a leak on her board, so she hired security consultants who started calling phone companies, and
they pretended to be the board members themselves.
They did.
They impersonated them, used their social security numbers, and used these heartfelt pleas to customer service reps to get their personal phone records.
Wow.
It shows that
even at the highest levels, these tactics are used because they work. It really blurs the line between a security audit and a criminal act.
So underneath all of this, there's a psychological game being played. The book talks about thinking like a hacker.
It's a total mindset shift. A normal person sees a trash bag as garbage. A social engineer sees it as a puzzle.
There's that story about the rental car.
Right, a social engineer found a ripped up check in a rental car. Most people would ignore it. This guy taped it back together. He had the account number, the name, everything for identity theft. He saw value where we see waste.
And then there's cognitive dissonance. How does a hacker use that.
It's that uncomfortable feeling you get when you hold two conflicting beliefs. Your brain hates it and wants to resolve it immediately.
Okay, so give me an example.
A guy walks into your restricted office. He's wearing a confident smile and holding a clipboard. Your brain sees two things: belief A, intruder; belief B, he looks like he belongs here.
And my brain wants the path of least resistance. Exactly.
It's socially awkward to confront someone. It's easy to assume they belong, so your brain just decides, I mean, it's probably fine. The social engineer uses your own politeness against you.
There's one last concept that sounds like it's from a sci-fi novel: the human buffer overflow.
Yeah, so in computing, a buffer overflow is when you flood a program with too much data and it crashes, letting you rewrite the code.
And the theory is you can do the same thing to a person.
You overload their sensory input. Think of a mother with a screaming baby at an airline counter. The attendant is being hit with auditory stress, emotional stress, social pressure.
Their brain just locks up.
It stops processing logic. It goes into survival mode. The attendant might just stamp the ticket to make the noise stop, bypassing protocol.
And a social engineer can fake that chaos.
They can manufacture it. They can scream, act furious, create artificial urgency to overload you so that you stop thinking and just react.
That is devious. So where does this leave us? I mean it feels like the deck is stacked against us.
It can feel that way.
But remember the goal: security through education, right?
You can't patch a human like you patch software. I can't download a security update for my brain.
No, but you can upgrade your own software through knowledge. If you know elicitation is a real technique, you'll pause the next time a stranger asks a weirdly specific question about your work.
And if you know about pretexting, you'll actually double-check the ID of the guy who says he's from the
water company. Exactly.
It's about moving your default setting from trust to verify.
I want to leave everyone with a final thought that really stuck with me. We talk about digital exhaust. I want you to think about your own life for a second.
It's a scary thought experiment.
Spend just one week digging through your trash, reading your shredded mail, and looking at the geotags in your last five photos. Could they become you? Could they walk into your bank and convince the teller they are you?
That is the question everyone should ask themselves before they post that next photo or toss that bank statement
in the bin.
Definitely something to mull over. Stay safe out there, watch your trash, and thanks for listening to this deep dive.
Be safe.
