2023 kcdc table of contents

This week I’m at KCDC. This page will contain links to my live blogs and sessions.

Wednesday

Thursday

Friday

[kcdc 2022] insider threat: what is social engineering

Speaker: Crux Conception @cruxconceptoin (pen name)

For more, see the table of contents

On walking in

  • He asked what talk was in the room and teased people about giving too much info
  • Also commented there is too much info (wifi password) on the badge

Social Engineering

  • Ability and talent to connect with emotion
  • Can be offline or online
  • We all do it. Ex: lying about what movie you want to see.
  • May earn trust
  • Goal is to do something or gain data
  • Highly evolving method
  • Teaching in college now

Examples

  • Anonymous text messages with links
  • Facebook messages asking where from

Exercises

  • Phishing – caller says you have tickets even though you didn’t plan a trip, then asks for your employee id to confirm. The victim also gave up their name by confirming it, and the caller already knew they were interested in going to Budapest (it came from a screensaver). Since they called you, they already know your name.
  • Team building – where you grew up, how many siblings you have and a unique challenge from childhood. Think about how much you disclosed and whether you held anything back.
  • Scenario where a pen tester tries to get into the building by getting someone to let them in. Most people say they would take the person to security or get security.
  • Scenario – pen tester pretends to have changed auto-pay info and asks for an employee id
  • Companies have offices all over the US. Try to get an id number by calling the Miami office, speaking to the receptionist and then the victim

Useful insider info

  • Knowing how much a company would pay to recover from an attack
  • IDs
  • Names
  • Departments

Attacks

  • Fill in the blanks
  • Spoof text message numbers
  • Israeli software to crack phones. Don’t even have to click a link anymore. Get access to the phone just by sending an SMS.
  • 40% of major companies reported industrial espionage incidents in 2016
  • Ex-employee stealing self-driving car info from Apple. We focused too much on China. More African students in the US than anywhere else.
  • Leaking is making info public. Info is power. Have goal.
  • Spilling is like leaking without intent.
  • Sharing info at conferences. Ex: where you work.
  • Russia and China trying to steal COVID vaccine research using malware and spear phishing
  • Twitter hack on Obama/Biden/Bezos, etc. Trying to get money. Got data from internal employees
  • Fake social media

Espionage

  • Steal sensitive data
  • Espionage is like a double life
  • Affects personality
  • Traits (thrill seeking, sense of entitlement, desire for power/control) are also found in politicians and CEOs
  • Helpful to be calm (seen in tech a lot) and have a strong sense of responsibility
  • May have regrets after
  • Logical at the time
  • More life crises because more than one personality

Tips

  • When someone calls and says “is this Jeanne”, ask who it is rather than confirming
  • Be cautious when people ask you a lot of questions
  • No defense. Just try to avoid answering too many questions.
  • Be careful if they initiate call.
  • Think about info they should already know. Ex: HR has your employee id already

Human Traits

  • In psych, organized means have life together.
  • Psychopath – born that way. Sociopath – traumatic event started it

My take

Crux is an ex-cop. I like that they had someone from outside development for a different perspective than we usually get. He’s a good speaker and kept it interactive. The scenarios were fun to think about.

[kcdc 2022] getting started with site reliability engineering

Speaker: Shradha Khard

For more, see the table of contents

Notes

  • Site Reliability Engineering
  • Operations is a software problem.
  • SRE is what you get when you treat ops as software and staff it with software engineers
  • Software dev: idea -> strategy -> dev (design, code, test) -> ops (build, deploy, support) -> deliver (real world)
  • Ops – maintenance, system upgrades and installs, security, compliance, cost, support help desk escalations, vendor contracts
  • Conflict – dev wants new features, ops wants to make sure it doesn’t break

DevOps

  • SRE implements DevOps.
  • SRE is a substream
  • Ensures durable focus on engineering. Need to make sure the product is up and running. Spend 50% of time automating to make sure that happens
  • ex: augment an S3 bucket
  • See how fast you can make changes without violating the SLO
  • Error budget – metric for how unreliable a system is allowed to be
  • Monitoring is not just logging in the system. Need to alert and ticket too
  • Change management
  • Demand forecasting/capacity planning
  • Provisioning
  • Efficiency and Performance
  • SRE doesn’t replace DevOps people who deploy to cloud

Enabling SRE/How to Start

  • Centralized SRE team (core platform, networking)
  • Embedded (full team members of project team, teach devs how to manage, work with core team)
  • Need same skillset as dev to be SRE

Metrics

  • MTTR – mean time to recovery – how long to get system healthy again. Emergency response helps with this
  • Lead time to release or rollback
  • Improve monitoring to catch and detect issues earlier
  • Establish an error budget to have budget-based risk management

Service levels

  • SLA (service level agreement) – legal agreement. Often involves compensation if not met
  • SLO (service level objective) – the number the SLI should meet before improvement is needed
  • SLI (service level indicator) – metric over time. Quantitative measure – ex: throughput, latency, error rate, utilization
  • 3 nines (99.9%) – 10 minutes per week, 8.8 hours per year
  • 4 nines – 1 minute per week, 52 minutes per year
  • 5 nines – 6 seconds per week, 5 minutes per year
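To put numbers on the error budget from the DevOps section and the nines table above, here is an added example (mine, not from the talk or the speaker) that computes allowed downtime for an availability target and uses a request-based SLI to decide whether the error budget still permits a release. The window counts are constructed sample data.

```python
"""Error-budget arithmetic for an availability SLO.

Added example, not from the talk. Sample request counts are constructed.
"""
from dataclasses import dataclass

WEEK_SECONDS = 7 * 24 * 3600
YEAR_SECONDS = 365 * 24 * 3600


def allowed_downtime(availability_pct: float, period_seconds: int) -> float:
    """Seconds of downtime a period may contain while still meeting the target.

    99.9% over a year gives about 8.76 hours, the talk's "8.8 hours per year".
    """
    return period_seconds * (1 - availability_pct / 100)


@dataclass
class Window:
    """One measurement window of a request-based SLI (constructed data)."""
    total: int
    errors: int


def error_budget_remaining(slo_pct: float, windows: list) -> float:
    """Fraction of the error budget still unspent; negative means it is blown.

    The budget is the share of requests the SLO lets fail (1 - SLO);
    burn is the share of requests that actually failed across the windows.
    """
    total = sum(w.total for w in windows)
    errors = sum(w.errors for w in windows)
    if total == 0:
        return 1.0  # nothing measured, nothing spent
    budget = 1 - slo_pct / 100
    burned = errors / total
    return 1 - burned / budget


def release_allowed(slo_pct: float, windows: list) -> bool:
    """Release gate: ship only while error budget remains.

    This is the talk's "how fast can we change without violating the SLO":
    once the budget is spent, changes stop until reliability work restores it.
    """
    return error_budget_remaining(slo_pct, windows) > 0


if __name__ == "__main__":
    healthy = [Window(total=1_000_000, errors=500)]   # constructed
    print(allowed_downtime(99.9, YEAR_SECONDS) / 3600)  # hours per year
    print(error_budget_remaining(99.9, healthy), release_allowed(99.9, healthy))
```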

Incident Management

  • Goals: Restore service to normal and minimize business impact
  • Be able to get the people who can help solve it
  • Log of events so can see when started
  • Blameless post mortems

Books

  • Google book "Seeking SRE"
  • Google book "The Site Reliability Workbook"
  • Book: Implementing Service Level Objectives

My take

There was a lot of info, but easy to follow. It was great to see a structured intro vs the random things I’ve read online