Well folks I think we hold a record… my team and I did a 7.5 hour IAmA. Thank you for all your amazing questions and comments.

I hope we answered as well and as professionally as we could.

Feel free to check out our sites

http://www.social-engineer.com http://www.social-engineer.org

Till next time!!

**My Proof:** Twitter https://twitter.com/humanhacker Twitter https://twitter.com/SocEngineerInc Facebook https://www.facebook.com/socengineerinc LinkedIn https://www.linkedin.com/pub/christopher-hadnagy/7/ab1/b1 Amazon http://www.amazon.com/Christopher-Hadnagy/e/B004D1T9F4/ref=sr_ntt_srch_lnk_1?qid=1403801275&sr=8-1

PODCAST: http://www.social-engineer.org/category/podcast/

Comments: 3017 • Responses: 45  • Date: 

monkeedude12121664 karma

How can you assure me that this isn't a data-mining operation to determine which Reddit users have an interest in social engineering?

loganWHD1175 karma

I can't assure you of that. LOL, but I can say - it's not. Trust me.

Kidding, there is no benefit in me doing that, but thanks for the laugh

zakmdot1053 karma

What tips could you give someone to better avoid falling prey to any of your tactics?

loganWHD1331 karma

Great question. Thank you. Depends on the type of attack. But let me first say that critical thinking is key in staying safe, as well as education.

With Phish: hover over the link, don't click suspicious links, don't reuse passwords.

With Vish: if the call gets suspicious, don't be afraid to say "I DON'T KNOW".

With impersonation: always ask to see badges. Don't let people tailgate.

There are plenty more but just a few tips here.

BendmyFender222 karma

Could you elaborate more on tailgating? What could happen when someone tailgates?

loganWHD664 karma

Yes sorry. Tailgating means to follow someone into the company. If I dress like you and your fellow co-workers then come and walk with the crowd at lunch return, I can get past security many times with no badge.

That is tailgating.

Or entering a door that has been opened by someone with a badge before it locks again.

Xeno_phile218 karma

I assume you don't mean to not let people follow your car too closely; what do you mean by "tailgating" here?

chouclud558 karma

following someone through an access-controlled door without showing your own credentials

like at an office building where doors require that you swipe your badge to open them

Worfrat1312 karma

[deleted]

loganWHD170 karma

HAHA

Xeno_phile94 karma

Ah, that makes sense. Where I work I'd say an average of 3-4 people go through the badge-locked door per swipe.

chouclud201 karma

I've worked at several big tech firms and only at this last one is there a sign above the reader that says "no tailgating". It is surprisingly effective. Nowhere else I've worked does everyone badge in as a matter of habit. We'll hold the door open for each other but we wait to hear the telltale beep and click of the lock for everyone.

loganWHD205 karma

That is what I mean!!! simple education makes people aware. Awareness leads to less breaches. I love it, thank you for sharing!

Owatch738 karma

How gullible are people when it comes to not asking questions or reporting suspicious anomalies at their jobs? For example, I recall hearing that a study was conducted where a sign would be placed on a normally secure door to a facility that said "Please leave unlocked", and the door would actually be left unlocked in several cases. Is this a problem you often encounter when conducting scams? I also hear it's fairly easy to walk in and inform somebody you're there to fix ___ computer, and they'll normally leave you to it if you look professional enough. How much is this a case in your job?

loganWHD1384 karma

Recently I walked into the executive level of a building and sat in the president's conference room by just saying I was there to do a quote for pest control.

In another job I roamed a warehouse containing millions of dollars' worth of merchandise by stating I was there to inspect the trash bins.

It is, unfortunately, very easy. People feel weird asking questions, especially if you are friendly and nice. People don't want to be rude.

Owatch384 karma

Why is this considered to be an avenue of exploitation for malicious individuals? I mean, getting into anything unauthorized is undoubtedly a problem, but oftentimes offices and executive levels especially are heavily under surveillance. If you could get in and slip a flash drive into a PC, or do something else to their hardware, wouldn't you be quickly caught?

Have you ever gotten into some place, only to be apprehended later? (As in, their current security standards held up)

loganWHD518 karma

OWatch, yes I have been caught. In one case we had a fake "get out of jail letter" that had the guard who caught us lead us to a secure area. In other places I have been caught or stopped thanks to people following policy and protocol.

Why is it an avenue? It is the weight of info held by the person. If I can get to execs over the front desk, I am more likely to find more damaging info.

Does that make sense?

Owatch149 karma

Yeah it does! Thanks for answering. I feel like most of my questions are sort of bland, I just am not sure what to ask. I'm not involved in that sort of security much at all, but I do love to listen in on podcasts here and there, and I find it a really interesting field. It sounds like quite a fun job, although I'm sure there are a lot of cringe-worthy aspects to it. (As in, why did you just tell me that information, now I can do XYZ).

Would you consider yourself to be a "Red Team" operative? Do you work alone, or with other people?

I'm sort of all over the place, but do you do any work with stuff like Gas Station card exploits? Apparently people will pay attendants to look the other way while they install hardware to collect card data when it gets swiped, then it gets downloaded over bluetooth when the criminal parks nearby. Might you have attempted to gain access to any supposedly secure card swiping systems at places ordinary people might not look? (Shopping centers, gas stations, etc.)

loganWHD172 karma

Owatch, my whole team is not listed here but take a look https://www.social-engineer.com/about/

this is some of us.

I have not tried to gain access to those systems. My goal many times is to find the methods where those things COULD occur, but to not do them. So we create the environment, then report and help fix.

Owatch67 karma

Cool! Thanks for the AMA.

loganWHD94 karma

Thank you for joining and asking great questions

T-town04672 karma

When I've talked to people about this sort of thing, I've often heard them say "I'm not doing anything wrong and I have nothing to hide, why should I worry about that?" How do you respond to people like that? In other words, why should we pay attention to this sort of thing?

loganWHD822 karma

Oh I like this question a lot. Yes I hear this a lot with clients. So let's use the Target breach as an example. Yes, true, your credit card company will make you whole financially… but what about the phishing emails and scam calls afterwards? Smart scammers are not going for the quick win of a few dollars on your CC, they want the long haul. Opening credit accounts, loans, visas, passports, stealing your identity… sure you are doing nothing wrong, but you can be a victim.

FullMetalJoint339 karma

Do you have any advice for someone who is interested in working as a social engineer? I'm not even sure where to get started

loganWHD466 karma

FullMetalJoint, great question. First let me say this: it is hard.

There are only two ways I know to tell people to try. You have to start at the bottom of the barrel and work up. Start as a data collector, help a pen test company with some menial tasks, then work up to a phisher and social engineer.

The other way is to make a name by research, writing or projects and break into the industry by meeting those in the industry and greeting them and working with them on projects. It is not the easiest in either path, but they are the best ways I know.

A few articles we wrote that might help: http://www.social-engineer.org/social-engineering/a-lesson-from-a-young-social-engineer/

http://www.social-engineer.org/how-tos/characteristics-of-an-effective-and-successful-social-engineer/

FullMetalJoint36 karma

Very cool, thank you for the info!

loganWHD43 karma

you are welcome

loganWHD73 karma

Some other pointers can be your education.

Info Sec study is important. Psychology, and then courses like the one we offer, can help: https://www.social-engineer.com/certified-training/

FruitbatNT286 karma

What's your Password?

loganWHD713 karma

password124 of course. See what I did there?

Elvisthegreat239 karma

Is there anything that you're amazed still works?

loganWHD439 karma

Elvisthegreat, love this question too.

There are many scams I see that I am amazed still work. Like a new version of the 419… where people get emails claiming to be from a rich widow in Africa and if you marry her she will split her wealth.

People still fall for these and I wonder why and how? Then I think about how people make decisions and I understand it, although it is still disturbing.

itsokbrotato203 karma

This needs more visibility.

Have you ever fallen for a scam? Phishing or otherwise? What happened? What should you/would you have done in hindsight?

loganWHD314 karma

What do you suggest? I agree with you. We need more visibility on this topic.

Oh my, I have fallen for a phish before. I was so busy one year I clicked on a phish that looked just like an Amazon email. I ALMOST logged in, giving them my credentials, but fortunately saw the .RU instead of .COM and realized it was a scam.

I have also fallen for other scams in the past. It is human nature. The difference is that I know what I see now and can stop, think and correct my course.
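The two tips given earlier in the thread (hover over the link before clicking) and this near miss (the .RU instead of .COM) can be turned into a mechanical check. The Python below is an added example, not code from the AMA author or from Social-Engineer, Inc.; the link samples are constructed, and the expected domain `amazon.com` is assumed for illustration only. It compares the host a link really points at with the host the link text shows, and flags lookalike hosts that merely contain the brand name.

```python
"""Phishing link triage: does a link really go where it claims to?"""
from urllib.parse import urlsplit


def hostname_of(url: str) -> str:
    """Lowercase hostname a browser would actually connect to.

    urlsplit() discards the 'user@' trick (https://www.amazon.com@evil.example/),
    so the host returned here is the one that matters, not the decoy in front of '@'.
    """
    if "://" not in url:
        url = "https://" + url          # bare 'www.example.com/x' style text
    host = urlsplit(url.strip()).hostname or ""
    return host.lower().rstrip(".")


def is_under(host: str, domain: str) -> bool:
    """True only if host is the domain itself or a real subdomain of it.

    'www.amazon.com.account-verify.ru' ends with '.ru', not '.amazon.com',
    so the 'amazon.com' in the middle does not help the attacker here.
    """
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def check_link(link_text: str, href: str, expected_domain: str) -> dict:
    """Return the target host, a trusted flag, and the reasons it was rejected."""
    host = hostname_of(href)
    reasons = []

    if not is_under(host, expected_domain):
        reasons.append(f"target host {host!r} is not under {expected_domain!r}")
        brand = expected_domain.split(".")[0]
        if brand in host:
            reasons.append("target host merely contains the brand name (lookalike)")

    if urlsplit(href).scheme.lower() != "https":
        reasons.append("target is not https")

    # The 'hover' test: if the visible text looks like a URL, it must name the same host.
    looks_like_url = "." in link_text and " " not in link_text
    if looks_like_url:
        shown = hostname_of(link_text)
        if shown and shown != host:
            reasons.append(f"displayed host {shown!r} differs from target host {host!r}")

    return {"host": host, "trusted": not reasons, "reasons": reasons}


# Constructed sample links (text as shown in the mail, href as the real target).
SAMPLE_LINKS = [
    ("https://www.amazon.com/orders", "https://www.amazon.com/orders"),
    ("Sign in to Amazon", "http://www.amazon.com.account-verify.ru/login"),
    ("https://www.amazon.com", "https://www.amazon.com@evil.example/login"),
    ("amazon.com", "https://amaz0n.com/login"),
]


def triage(samples=SAMPLE_LINKS, expected_domain="amazon.com"):
    """Run check_link over every sample and return the list of verdicts."""
    return [check_link(text, href, expected_domain) for text, href in samples]


if __name__ == "__main__":
    for (text, href), verdict in zip(SAMPLE_LINKS, triage()):
        status = "OK " if verdict["trusted"] else "BAD"
        print(f"{status} {href}")
        for reason in verdict["reasons"]:
            print(f"      - {reason}")
```

Only the first sample passes; the other three are rejected for different reasons (a decoy subdomain chain plus plain http, a `user@host` decoy in front of the real host, and a digit swapped into the brand name), which is the same kind of inspection the hover-and-read advice asks a person to do by eye.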

Owatch197 karma

Might seem unrelated, but are you familiar with Paul's Security Weekly Podcast?

loganWHD260 karma

It's not unrelated. I was just on that. So yes, love those guys

QEDLondon162 karma

Is there anything I can do to fuck with companies that sell or misuse my information? I often give my dog's name or give myself a spurious title like "Doctor" or "Lord" when I have to sign up for things on websites to see where my info goes to. Any other, better advice?

loganWHD165 karma

The best solution is to opt out of what information you give. I have an email set up that I use JUST for this type of stuff. I don't care what goes there and there is not much personal data tied to it.

But you can also check data aggregation sites often and cleanse your info.

patval155 karma

Hey Chris, it's mum! I'm stuck at the airport in Zambia. Can you quickly send me 2000$ by wire transfer? My phone does not work here. I need the money quick and will give it back to you when I get back!

Ok, other question: do you sometimes have fun with fraudsters like they do on 419eaters.com?

Edit: Oh My God Thanks For The Gold! :))

loganWHD124 karma

HA… Yes I do. I once recorded a session from fake Microsoft support.

I like to see how far I can get them and how much info I can get from them.

spuntf139 karma

Have you ever found yourself in a situation where breaking through security was difficult? If so, how did this place protect itself from your techniques?

loganWHD374 karma

Yes, there are two scenarios I can think of; I will share one...

We had a very polite and nice security guard that had one rule - If your name is not on the list you do not pass. My name (fake) was not on his list and he was not letting me pass. He used policy with politeness and professionalism to win.

SoEuro135 karma

I've been following the social engineering podcasts for a while and saw the SE-CTF at defcon last year, what you guys do is amazing, keep it up.

Everybody always says you can read all you want but the real learning comes from practice. How should someone ethically practice SE skills? Thanks!

loganWHD196 karma

SoEuro, Thank you for being a fan!!

We try to teach in our classes to practice both verbal and nonverbal skills without malicious intent in the public. Chat up a neighbor or stranger. See how much they will tell you. Learn how to suspend your ego, actively listen and ask good questions - the core of elicitation. Use those skills with family, friends and strangers.

Then when it comes time to use them as an SE it is second nature.

Does that help?

WonTheGame72 karma

Can you elaborate on the concept of ego suspension? How to check one's self, the hazards of failing to do so, and how to put "I" on hold, if you could.

loganWHD161 karma

WonTheGame, I love this question. Ego suspension is in essence suspending your need to be right or important and allow someone else that privilege… even if you are right.

It is a VERY powerful method of building rapport.

Here is a great newsletter we wrote on it: http://www.social-engineer.org/newsletter/Social-Engineer.OrgNewsletterVol.04Iss.48.htm

And a great podcast about it too: http://www.social-engineer.org/podcast/episode-020-rapid-rapport-for-social-engineers/

Natewich134 karma

Do you think we are too over-reliant on tech?

loganWHD221 karma

Yes we are. We use social media on EVERY DEVICE. It is even on scales, refrigerators and stoves nowadays.

We have become a truly connected society and although that is cool to some extent, it means we are opened up to serious attack.

loganWHD20 karma

This is why we do constant writing on the blog https://www.social-engineer.com/blog/

and monthly podcasts too to help people learn

Revan256110 karma

During a face-to-face social engineering engagement, what is your most hilarious "fail" moment?

I had the privilege of taking Chris Hadnagy's class last year, and it was a life-changing experience. Not only do you learn essential tactics to build rapport, influence those around you and build these insanely strong 5-minute relationships with others...but the long-lasting effects are so much more gratifying. He teaches you how to better communicate with those around you, but more importantly, how to modify your form of communication to help you relate to whomever you're speaking with. Basically, his course turns you into a dynamic conversationalist who's equipped with a multitude of tools at your disposal to gain almost anyone's trust. I wish I could explain it better, but it's phenomenal how much better your personal and business relationships will become. Anyway, just wanted to throw in my 2 cents! If anyone is interested in his course, I'm happy to answer questions about my experience (I do have an NDA about the class-specifics and material that I cannot disclose; more of general purpose questions I can answer). Well worth the investment any day of the week!

TL;DR His class is the most (legal) fun and thought-provoking 5 days you'll ever spend.

loganWHD157 karma

WOW thank you. This is one of the nicest things I have heard about our class. Seriously, thank you!!

My best fail moment: I was videotaping my engagement for a physical break-in and using a hidden camera in a button. As I entered the server room I got the network admin with the secretary in a compromising... situation. That was embarrassing.

Another personal fail is that I was asked by the client to tell the staff before I left that this was a test. Despite my objections they wanted it done. So I did it, and I was taken and locked in a closet while they verified my details.

ThatSteeve101 karma

Reading through this AMA, damn engrossing/informative, I can't help but ask the least insightful question here: Have you seen Sneakers?

loganWHD185 karma

ThatSteeve

"The world isn't run by weapons anymore, or energy, or money. It's run by little ones and zeroes, little bits of data. It's all just electrons."

Does that answer your question?

I love that movie… it is my job. :)

ddavidn93 karma

Great information in this thread, thanks for doing this. At what point does being secure move from "safe" to "paranoid"? I save my passwords with LastPass, for instance. Would I be paranoid to quit doing that and try to memorize large strings of random characters for all my passwords? What about surfing the surface web with an anonymous proxy (such as Private Internet Access)?

loganWHD99 karma

This is a great question!!

So I try to tell people that we have to live in this world. We can take the paranoid route, the super critical thinking route or somewhere in between.

Now I am not talking about the INTENDED attacker here… but the average attacker is looking for the low hanging fruit. So make yourself not that… good idea to use LONG passwords and a password manager that doesn't store in the cloud or web. Good to do backups and make sure they are encrypted, and to use VPNs when you travel.

I say that the level of paranoia you display should be commensurate to the info you are protecting. Does that help?

You might want to read this http://www.social-engineer.org/social-engineering/stealing-credentials-via-social-engineering/

lexalexander1083 karma

What was the catalyst that sparked your interest in social engineering? Mine was reading The 48 Laws of Power at 16 and finding Robert Greene's number to get advice from him. Do you have a similar situation?

loganWHD90 karma

I had the pleasure of working with the team that creates BackTrack (now Kali) and the mastermind behind that, Mati, was my mentor and friend. He nurtured my skill set in this. I guess I was always an SE but never knew it…

After working with them on pen testing, I started to write about it and develop my framework and course, which led to a book.

Along the path I have talked with, met and worked with some of the greatest minds on earth to help perfect this.

Thank you for the great question

loganWHD36 karma

Most recently I have to say my work with Dr. Paul Ekman has changed my life though:

http://www.paulekman.com/paul-ekman/

My first podcast with him is here: http://www.social-engineer.org/podcast/episode-032-non-verbal-human-hacking/

xmarteo79 karma

[deleted]

loganWHD114 karma

Wow this is such a huge question.

I don't think you can mandate this type of education. But here is what I would do…

First, I would teach critical thinking to all our children. They need to learn how to spot danger, and too many times they are not taught how to think.

Second, I would help people get motivated to want to stay secure. Lose the attitudes that "it's not that bad" or "it won't happen to me".

But mostly, I try to make these topics more readily open for people to discuss and understand so a change can be made.

Aipre77 karma

What's your mother's maiden name?

loganWHD136 karma

Smith or Doe… choose one

lexalexander1074 karma

What's the best social engineering insight/hack that you know? Second, what are some books and ways to get better at social engineering?

loganWHD114 karma

Hello and thanks for the question.

The best hack I know? There are so many to mention. There is one particularly devastating one I know of, but I don't want to call it the best, as it is disturbing. But it involved a 3-day campaign using a fake website, a phone call and then a phish and another call to get someone to give over their whole identity. It was terrible, real and worked!

Of course I want to recommend my two books, Social Engineering: The Art of Human Hacking and Unmasking the Social Engineer: The Human Side of Security.

but we have a list of great books on our site here: http://www.social-engineer.org/resources/seorg-book-list/

MonstyArts67 karma

If someone threatens to SWAT my house how do I avoid that from happening?

loganWHD121 karma

You really can't. All you can do if you know when, is to call them first and tell them you were told someone will prank you. Most likely they will still send police since this may be a great ploy to have police avoid your house for a crime.

Either way, you are gonna get attention.

rationaljackass32 karma

As far as home security is there a huge difference between completely wireless and hardwired systems?

loganWHD43 karma

That is hard to answer because there are many factors, i.e. does the wireless system allow for WPA or better encryption? What happens if someone can disrupt your signal?

I usually prefer hardwired systems over wireless when I recommend, but sometimes a wireless cam that works with the system is a nice way to protect remote areas.

loganson30 karma

how many people have you phished?

loganWHD89 karma

Last year I phished 275,000. The year before, about 200,000. This year is slated for over 1.6 million.

Crazy no?

Funski3327 karma

What's your educational background?

loganWHD39 karma

Interesting question because it wouldn't seem like I would end up here.

I was a programmer. Went to school for programming. Ended up with networking, security and computer applications.

But my only two degrees are OSWP and OSCP. Yet I loved studying psychology.

Recently, I have graduated from Paul Ekman's MFE Classes with an expert level.

That is about it. Mostly self taught and the school of hard knocks.

4a4a10 karma

Do you think the details of Frank Abagnale's book are completely made up or just mostly made up?

*edit - spellnig

loganWHD13 karma

I don't think they are made up at all. I have spoken to Frank before and a few of my friends know him personally, I would say he is really that ballsy and good. We reference our thoughts here http://www.social-engineer.org/framework/general-discussion/categories-social-engineers/identity-theives/

ryanblake199310 karma

What sort of training do you have?

Did you study?

What made you choose this career path?

Is there much money involved?

loganWHD14 karma

My training ranges. I am not degreed in psychology, but I studied it for years.

I also have only two certs, both from Offsec: OSWP and OSCP.

I study people, I study nonverbal and verbal communications and I study how and why people make decisions.

I chose this path because I am good at it, and I enjoy it too. Right now security is very good as a job. There is lots of work and many companies learning they need help.

iam_notstephano8 karma

What does one have to do in order to be in a career such as yours? I'm starting college this fall and this intrigues me.

loganWHD13 karma

I think psychology is good as well as info sec. The blend of the two makes for a good SE.