
Hacking Humans

The days of robbing banks at gunpoint are gone. It's much more profitable to hijack networks. To better protect themselves, companies hire people to test their security, but no firewall is going to stop a social engineer. Especially not one like Chris Hadnagy.

Lowell: What does a hacker look like? In my mind, they have fingerless gloves, long hair, a cutoff jean jacket, and maybe some weird sunglasses. Okay, that’s a pretty eighties image. My friend imagines them more as a computer nerd stereotype: pale, tall, lanky, and wearing a Star Wars shirt. Obviously, they don’t all look the same, but most people probably associate the word hacker with a computer criminal. But not all hackers are bad, and not all of them hack computers.

Some of them hack humans. They’re called social engineers. So I’m a big fan of the podcast Darknet Diaries, which tells stories from the dark side of the internet. It also focuses on the good guys. They’re the ones who get paid to think and act like a bad guy to find vulnerabilities in a client’s security.

They break in and tell the client how they did it. Then the client fixes those problems so they’re more secure against real attacks. It’s called penetration testing, or pen testing for short. And there’s two basic sides of it: virtual and physical. Obviously it’s much safer for a cyber criminal to hack into a network virtually.

So pen testers will figure out any way they can to hack into the network using the same tools and creative strategies that a criminal might. The other side to pen testing is physical, actually gaining access in-person to a facility in order to place malicious software onto their network. The first thing that comes to my mind is a cat burglar who breaks in, in the middle of the night, activates alarms and picks locks.

But it turns out that’s not always the simplest way. Sometimes it’s just to act like you’re supposed to be there and walk in the front door. My name is Lowell Brillante and this is Prodigy.

The world is a complex place and we can’t constantly be evaluating every bit of data in order to make a decision or choose what or what not to focus our attention on. So our brain uses mental shortcuts we call heuristics in order to reduce the cognitive load. This is a massively helpful feature, but just like a computer network, it has vulnerabilities that criminals can hack or take advantage of.

You probably know these criminals as confidence men, or con men. One classic example is the ring con. This works by making someone believe that a cheap ring is worth a lot of money and that they’ll get a reward if they return it. It’s been depicted in numerous movies and it always seemed exaggerated to me, but I saw it get pulled off on the YouTube channel The Real Hustle.

First, a guy posing as an art school student asks a jewelry shop if he can put up a flyer for a charity event in the window for a couple of days. It’s for charity, so the owner agrees, and the guy puts the flyer on the inside of the shop. The back of the flyer has a picture of a missing ring and offers a $500 reward.

The guy then goes outside the shop and puts another flyer for the charity event over the missing ring ad, so the owner is not aware. After the shop closes, a woman removes the charity flyer from the outside of the shop window, revealing the missing ring ad. This small act of having the ad inside the shop instead of outside is a subtle way to make the con more valid.

She waits until someone walks by, then gets their attention and tells them she found this ring, but she has to get on a flight and won’t be able to collect the reward when the shop opens the next day. She keeps talking about how unfortunate it is till the target suggests that they could actually return it for her.

Oh, but then she won’t get the reward. So she says, well, give me a hundred dollars and you can return it for the full 500 tomorrow when the shop opens. That way, I won’t get nothing and you’ll get a $400 profit. There’s an ATM right over there. Scams like this are actually really common and there’s a ton of variations on it that you wouldn’t suspect.

They’re a perfect example of social engineering. There’s four types of social engineering attacks: phishing, vishing, smishing and impersonation. Let’s go over them. First is phishing. They’re email-based attacks designed to get you to take an action, like send money, but it can be as simple as clicking a link.

Earlier today, I received a company email with a brief explanation that we had an updated template for our email signatures, and we should all adopt it so that we represent a uniform company. I’d never been given a template for my email. So I was concerned that mine would look bad compared to everyone else’s.

So a millisecond later I clicked the link. Was that risky? I barely checked who it was sent from. I’d never heard of the guy sending the email, but there’s plenty of people in the company that work in other states that I’ve never heard of. I don’t even know what our CEO looks like. A minute later, people started chatting in Basecamp about whether the email was legit or not.

Someone reached out to support and discovered that the email was real. The reason that we were concerned about the legitimacy is social engineering. A while back our company hired a social engineer to send us phishing emails. A lot of people clicked on them and they used it as a lesson to identify real attacks.

I think people were annoyed when it happened, but clearly it helped. I consider myself pretty tech savvy compared to the average person. So I used to think that these were jokes that only dumb people fell for, like the classic Nigerian prince scam. But those are only obvious when they aren’t targeted. A skilled social engineer can get you to click a malicious link near 100% of the time.

I don’t question whether it’s okay to click a link when it’s in an email from my boss, but spoofing an email address or phone number, it’s not that hard. When Chris is hired to send phishing emails, he has a 75% success rate. Vishing stands for voice phishing. So anything that involves someone calling you on the phone. You probably get these calls every day, but don’t answer. But vishing can be powerful, especially when combined with other vectors.

If someone were to slow your internet connection down to a trickle for a couple hours, then call you posing as your internet provider and say your computer was hacked, I’m guessing you’d give them access to it. Smishing. I don’t know how to say it. SMS-ing? Smishing. Smishing is phishing with text messages.

I get these too. I have an old listing on Yelp somewhere, and I’ll get texts from people looking to hire me that are definitely scams. Impersonation is acting like someone the target can trust, like a remote worker calling them to get login info, or a cable guy who needs to service your router. Episode 69 of Darknet Diaries featured the person who wrote the framework for social engineering.

His name is Chris Hadnagy.

Chris: Social engineering, I define it as any act that influences a person to take an action that may or may not be in their best interests. And I used this broad definition again, because I think there was a lot of positives to how we communicate that involves social engineering.

It’s not always focusing on the negative, it’s understanding how we communicate with other people and how other people want to be communicated with. And then using that to influence them in a direction you want.

Lowell: Chris just released a book called Human Hacking: Win Friends, Influence People, and Leave Them Better Off for Having Met You.

He’s written several technical books on social engineering in the past. While giving lectures on the subject, he noticed more and more people outside the industry were attending. They wanted to learn the skills to apply to their own lives. So he decided to write another book, this time one that would be helpful to me and you.

So I read the book and talked to Chris about some aspects of it I found really interesting. The first thing is building rapport, which is building a mutual understanding and connection with the target.

Chris: About 10 principles to building rapport. And, uh, when you, when you apply some of these to a person that you just met, or a person you’re talking to on the phone, or even through social media or email, that person starts to, uh, release a chemical called oxytocin in their brain. And oxytocin makes them feel trust with you. It makes them feel a bond with you. They start to, um, think of you as a close friend. They begin to trust the words that you say. All of those things lend itself to, um, to someone being influenced, whether it can be positive or negative.

Right. That could be good if it’s somebody who you’re trying to influence, like, um, you know, to make a change in their health or get a raise or something like that. And it could be negative if it’s someone trying to phish you or vish you. Um, look at another principle, like ones of elicitation, where elicitation is really the art of having a conversation filled with questions without actually ever asking the questions you want.

Um, and when people are really skilled at elicitation, the target or person of interest feels like they just had a wonderful conversation with another person, but that conversation of course, uh, revealed a ton of details about that individual. Um, and then that information is generally used either again later on in the relationship or by a malicious person in scamming them.

Lowell: Elicitation is a psychological technique for getting someone to reveal information without asking for it overtly. It’s very powerful and difficult to defend against. Here’s an example from Chris’s book. Quote:

We weren’t trying to steal their money. We were just doing it for fun to see if we could. We were at a quaint Italian restaurant in Washington, DC, the kind where the tables are packed close together. Couples were enjoying their meals on either side of us. “Hey,” my friend said to me, as per our previously arranged plan, “did you read that article in USA Today that said that 68% of people surveyed use their birthday as their bank PIN?” “Well, I totally believe that,” I said, taking a bite of spaghetti pomodoro.

“I mean, my PIN is zero, seven, seven, four.” Of course that wasn’t my birthday or my PIN number, but the people around us didn’t know that. My friend wiped tomato sauce from his mouth. “Man, that’s so stupid. People can guess that. I use a combination of my wife’s and my birthday. It’s one, two, zero, four.”

A guy next to us couldn’t help but overhear. Nodding at his wife, he said, “I told you using your date of birth was a stupid idea.” “Yeah,” she said, “but it’s really easy to remember. One, zero, one, eight.” I choked on my food. I couldn’t believe it. This woman had just given us and everyone else sitting around us her PIN. But it got better.

The woman said to her husband, “No one can remember your number, two, four, three, seven, one, four.” “That’s not it, Julia,” the man said. “It’s two, four, three, seven, nine, four.” The waitress, who was refilling our water glasses, chimed in: “Well, I use Bank of America and they let us use words or numbers. So I just use the name of my daughter’s favorite stuffed toy. And that’s Panda.”

Chris: Yeah. Or you can even say something like, um, you know, like with elicitation, you can, you can just come up to a neighbor and say something like, uh, you know, we’re thinking of moving into the area, is this a good neighborhood to raise a family? You know? And then they start telling you all the pros and cons and you say, you know, it’s, it’s hard to know because you drive around, you see all these houses, they look really nice, but I’m not sure if they fit our price range.

Like, what should I be expecting to pay for a house in this area? You know, and then they may throw out a price. Or you could try a principle of elicitation, which is like deliberate false statement. You can say something like, uh, man, I heard houses in this area are really expensive. Like they can be as much as a half a million dollars.

And if that’s wrong, a person will be like, no, no, we got our house for like 250, you know, like, oh man, I don’t know where I heard that, but I’m so glad you corrected me. That’s way more affordable. Right. And that’s how you can use elicitation. And then, you know, if you bring the. So, you know, you think it’s a good place to raise a family and then they go, yeah, I think it’s okay.

Oh, do you have kids? You know, is that there? Are they good for your kids here? And they’re like, oh yeah, I have a son and a daughter. And next thing you know, is, you know, how much they paid for their house, you know, where they live, you know, what family they have, you know, what they think about the neighborhood.

You know, there’s so many things you can find out and it looked like just a natural conversation.

Lowell: My first thought when I started researching this was, how is this different from manipulating or deceiving someone?

Chris: They can look almost identical, but influence is when the end of the result is not necessarily bad for the target or the person of interest, where they’re influenced to take an action and it doesn’t leave any lasting harm or emotional scar.

Whereas manipulation is more about you. Right. What you want as the attacker or what you want as the person. So I define that too, as like influence is getting someone to want to do what you want them to do. Whereas manipulation is just getting someone to do what you want. Right. So if I, if I get you to want to do something, then it’s a good idea, ’cause you love it. It’s your idea. And now it becomes something that you’re invested in. But if I enforce you to do something where I get you to do something that you really didn’t want, and it doesn’t matter how you feel, you’re going to feel bad about it before, during and after. And I don’t care because I’m a manipulator.

If you were to walk up to someone and say, oh wow, he’s really influential. Or he’s an influencer that usually has a very positive connotation. Whereas if you say, wow, he’s a manipulator that has a very negative connotation. So I look at those two words as the line that separates them is really how it makes the person feel and what the motivator is for you doing that action.

Lowell: It’s a very fine line. And in my opinion it seems very arbitrary, because it’s the engineer who determines what is best for the person and not the person themselves. Regardless, if you’re being legally paid by a company to maximize security, that is clear and the conditions are set beforehand. So since not every person has the same personality, different people respond better to different types of interactions.

We’ll get into that right after a quick break.

Welcome back to Prodigy. For more info or to get in touch with me, visit prodigypodcast.com. Chris teaches people to use a simple and quick psychological profiling method called DISC, which helps people determine the preferred communication style of themselves and others.

DISC is an acronym for four types of communicators: dominant, influencing, steadiness and conscientious. Dominants are direct and results oriented. Influencers are enthusiastic and optimistic collaborators. Steadiness are sincere, calm and supportive, and conscientious are organized and factual. At first, I was really skeptical of this.

A lot of these personality profiles amount to pseudo-science, or as I like to call it, junk science. However, Chris explains that everyone displays degrees of all four, which is situation dependent. So I might act differently at work than I do at home. I can definitely see how using a profiling method like this is beneficial when you have very little time to determine how to interact with someone.

Chris: Yeah, I love DISC profiling. Uh, for me, it’s, um, it’s one of the most powerful tools that we use here at our company. So basically, uh, DISC was, uh, started way back in the 1930s by a man named William Marston. He was a psychologist and an inventor, and he, he, uh, started to analyze how people’s blood pressure changes when they lie.

And from that he invented the polygraph machine. Um, after that, he started to analyze how communication profiles can make it easier or more difficult for someone to lie and different things like that. And from that he developed what we now call DISC, which is, um, four different styles of communications that every person can fall into one of those four as a primary.

Uh, now we all have a little bit of each, but usually we’re all primary in one of them, uh, and what it does is it helps someone see, like, a direct person, which is the D, and I is someone who’s an influencer, the S is someone who is steady, and then the C is someone who’s conscientious. And each one of those have a different style of communication and different things that really stand out in that style of communication.

And if you can identify what somebody is, even the first few seconds of talking to them, uh, it becomes really easy for you then to alter your style of communication, to make them feel good about interacting with you.

Lowell: Um, have you interacted with me enough to take a guess at mine?

Chris: Uh, if I had to guess it would be a C or a D. Yeah. Do you know yours?

Lowell: I think I’m a D.

Chris: D, yeah. Yeah.

Lowell: I’m pretty direct.

Chris: And to the point, definitely C or D because you’re on the task side, which was definitely evident, especially with some of the technical problems we had and you wanted them fixed really badly. Um, and I, I leaned towards C only because I thought of, um, some of the detail that you had, like saying, Hey, can you record, can you do this? Some of that backup is something that detail is very important to you, but, um, you know, the, the D side of it definitely comes out easy.

Lowell: Yeah. The C definitely applies a lot too. Um, and you have this helpful cheat sheet in the back of your book that shows how to identify and, um, communicate with the different types.

Chris: Yeah. Yeah. For me, it’s, uh, over the years of using that, I started to develop little, like, notes where I would say, okay, whenever I meet an I, here’s some things I noticed that are important to them, and I’d write them down. And then one day I was teaching a class and, uh, somebody asked, you know, it’d be really great if we had a cheat sheet on this.

And I’m like, oh, I have one of those I made for myself. And it was just an Excel spreadsheet, but it wasn’t pretty like those charts. And I pulled it up on the screen and they were like, this is amazing. Can I have it? And I’m like, yeah, sure.

Lowell: Yeah. Like how you included the caveat that DISC profiling, it’s not a strict rule. It’s like more of a guide for quick assessments.

Chris: Yeah. Some people at work are, are very direct, but then at home they’re really laid back and calm. So, you know, the thing I try to tell people all the time with DISC, it’s not a psychological profile, it’s a communications profile, and our communications change depending on where we are. You know, I may be really direct when I’m at work and I’m under stress, but you know, then maybe if I’m with my family and my kids, I may be much less, because I am not the drill sergeant like I am at work. So if you, depending, if you’re going to try to influence me and you come to my place of work, you may be like, oh, I have to talk to Chris like a D, where you come and you see me in the weekend at a park with my family.

You may have to change because I may be a little softer. So it’s, it’s just a matter of, of realizing that just because you know what I am here in this situation doesn’t mean you should always use that.

Lowell: At its core, social engineering is about empathy. Empathy is the ability to understand and share the feelings of another person.

If you can understand their wants and needs at a fundamental level, you’ll know exactly what you need to give them in order to achieve the desired result.

Chris: If you think about what it takes to communicate. So let’s just think about today’s society, uh, most of the time, uh, and, and you know, this is a generalization, so I understand that.

So I’m not judging every person. I’m just saying generally, when we look at communications today, they’re very one-sided. Most people enter a conversation thinking, what do I want out of this? Or what can I get out of this? What, what can I get from this guy? Like, what am I going to get from Ben here? Like, what’s going, what do I want from this conversation?

And when you take that process out and you say empathetically, I’m going to enter this conversation with what can I give to Ben in this conversation, what can I do to make his job or his life a little better, now I’m probably going to still get what I wanted out of it, but we’re going to have a much more fruitful conversation because I’m coming at this with an empathetic thought and not all about myself.

Uh, we don’t enter conversations that way. Normally you can see that on the internet, people argue about the dumbest things and they get belligerent and racist and sexist over stupid things because they lacked that one simple thing of empathy to just say, I’m not going to treat another person this way, even if I don’t agree.

We may have completely different politics, morals, religion, beliefs, whatever, but it doesn’t matter, right. It doesn’t. Why should that matter in this conversation? It doesn’t, you know, and, and I have a good friend that says, like, if you look at each person as their own private reality TV show, you approach that person curious, like, I want to know what makes you tick, what makes you do this thing that you’re doing? What makes you make this podcast? Like, I want to understand that and that makes me curious. So I don’t care about the answer. I can not agree with the answer, but it doesn’t matter. You can say, like, I wanted to do this because I wanted to meet hot chicks.

Well, you’re not getting that today. You know, so you didn’t accomplish your goal today, but if it’s like, I wanted to, you know, educate others on these things. Okay, great. Now I’m curious, like what brought you there, and that, all that kind of thinking, it helps you enter a conversation with that empathetic feeling that helps you want to get more out of it for the other person.

Lowell: Yeah. I was trying to apply it to my life. Um, I definitely wanna be promoted at work, so I was thinking, what would my boss want based on what I know about her? It’s someone who doesn’t need to be managed. So I need to complete every task with like the smallest amount of direction and oversight as possible.

Chris: I love that thought process, because when you enter any goal, conversation, whatever, with that mindset, then you’re going to not only probably accomplish the goal that you want out of it, but everyone that you interact with along the way is going to feel better.

Lowell: Pretexting is defined as an appearance assumed to mask the real motive. It’s basically how you present yourself in order to gain entry or information. In an episode of Seinfeld, George uses a pretext of always appearing stressed at work, so people think he’s very busy and don’t bother him. Chris defines pretext as the art of creating context or occasion for a conversation so you’re more likely to achieve your goals. One example I liked from an episode of Darknet Diaries was a female social engineer who would wear a fake pregnancy belly to get people to hold doors for her that normally required a key card to get through. They call this tailgating.

Chris: Here’s a definition for pretexting, uh, which is, uh, it’s the narrative that you want someone to believe where you were the smallest detail.

See most of the time when we go into a narrative, we want to make sure that people know well, um, I’m doing this, but a pretext, if you think about this, um, from a social engineering perspective. So let’s say from a adversarial simulator, right. Doing a test, I don’t want the security guy to remember me or knows me.

So if I’m entering as pest control, then my outfit, my clothes, my, my equipment, my clipboard, everything better scream pest control. So I’m just basically ignored by him. And he goes, oh, that’s the pest control guy. Let him in.

Lowell: So basically, if it fits within the model they have in their brain, then they can ignore it. But if it doesn’t, then they’ll start to ask questions.

Chris: Exactly. Oh, and, and that’s, and you know what’s interesting about that statement? What I love about that is we talk about this all the time, because in social engineering, from the testing perspective, like what I do for a living, is you have to realize and play on people’s biases.

So that, that woman, that young woman I was telling you about, she’s a tall, attractive, blonde, younger woman. Now, her and I go break into a building together. Uh, but every aspect she is smarter, she is in better shape. She is, she is just better at the job, but she can’t be the boss. Right. She, and, and our pretext, if we’re pest control, because exactly what you said is what will happen.

The security guy will go, wait, hang on. She’s his boss? And soon as he starts thinking, then we lose, because now he’s pondering. And when he starts thinking we’re going to, we’re going to get shut down. So we have to look at people’s biases and say, I have to use that. Even if it’s wrong, I hate it, but I have to use it.

I have to realize that when her and I break into a building together, I have to be the boss because that’s what people expect.

Lowell: Something that I really appreciated in Chris’s book was his description of mistakes he had made in the past, which he uses as a teaching method. He outlines the five main errors he sees engineers make, which cause people to wake up, “wake up” meaning to become alert that something isn’t right.

This is a popular concept in filmmaking as well. You don’t want to remind the viewer that they’re watching a movie. Good editing is the type that you don’t notice. Recently, my friend went out with a guy who told her he was a Navy spy, whatever that means. He made a bunch of really odd claims. Like he told her he bought a boat and sent her a blurry photo of the title document.

He also said that his motorcycle was in the presidential motorcade and that it didn’t have a license plate because the Navy didn’t want him to have one. He stood her up and he went silent only to reappear a week later and tell her he was robbed. This is an example of oversharing or what Chris calls negating the frame.

This guy isn’t a social engineer. More like some form of narcissist or grifter, but a pretty bad one.

Chris: When you succeed, you’re like, yes, that worked. But when you fail, you can sit back and go, man, why did that not work every time? Now I can sit there and tell you the five things I did wrong or where I messed it up and go.

Yep. That’s why that whole job went down south. Right. And I, when, when you can learn from that, it just makes you better next time.

Lowell: So a lot of the concepts may seem obvious to you. This is not uncommon. Game theory is incredibly obvious, but when someone properly defines it, then it can be iterated. Also creating the framework, makes it quicker and easier to properly execute.

Chris: And that’s what I love about this, is a lot of these skills are things that we all already have, but sometimes we lost the sense of using them. But I mean, look, I’ll be the first to admit, uh, I will have to remind myself about the empathetic dead pretext all the time. ’Cause I’m like, you know, a very direct person.

My profile is D, so if there’s a problem, someone disobeyed in the family, I’m more likely to go, Hey, what the heck? Why did you do that? And that is not empathetic debt. So I have to constantly remind myself, well, the skills are there. I know them. I just have to apply them. And most people have the same thing.

They know the right way to go, but they just have to remember. And it’s hard to do when we have emotions.

Lowell: I love to help people, but I also can’t stop myself from correcting people, especially if I think they’re wrong. Even if they are wrong, people usually don’t respond well to this. If it doesn’t affect me, then should I try and correct them?

Chris: Uh, ego suspension. So this is probably the hardest thing on the planet for most of us, but especially Western white males, um, you know, which you and I both fall into. Uh, I think there’s a societal expectation for us to, to kind of have the knowledge and be right. We, we link being right to our success and sometimes to our manliness.

By not being right or admitting that we don’t know something, we feel it may devalue us, but here’s what I always ask people to do. And anyone who’s listening to this podcast, I ask you to do this: think about one person in your life that you consider to be truly humble. Okay. So let’s, let’s do this. So you think about one person.

I don’t care who it is. I don’t need to know, but when you hang out with that person, how do they make you feel?

Lowell: Yeah, they make me feel good and they don’t do any of that stuff. And I always think I should be more like that.

Chris: Right. Okay. So this is what I always find fascinating. In media, movies, radio, we always paint people who are meek and humble as weak.

We always say, look how weak they are, they didn’t get revenge. They didn’t get vengeance. But yet every time I ask that question, people answer like you do. They make me feel good. They make me feel like I should be better. So now imagine if every person we can deal with said that about you or me. Now, wouldn’t that be powerful?

So suspending our ego could be a huge deal because people now want to listen to us. They want to be motivated by us. They want to work with us. So there’s so much power behind doing this. The hard part is that sometimes I have to sit back and say, you know, it’s okay that I’m not right this time. You know, it’s okay that you and I believe differently.

Lowell: Or even if I know someone’s wrong, like not be compelled to correct them.

Chris: Exactly. You know, just sit there and say, you know what, um, you know, let’s say you and I were having a conversation and you know, you’d said something about, uh, I don’t know, a political belief that I didn’t agree with. Uh, do I really need to correct you? Do I need to, like, does it have to happen? Like by, by me correcting you, you’re going to go, you know what, Chris, you’re a hundred percent right, I believe that way now? No, it’s not going to happen. But now if you came to me and said, Hey, Chris, I’ve got a question. I’m really curious about this. Now you’re asking me for my advice.

But in other times I can just look at that as a conversation and go, you know what? Ben’s got a different thought than I do. Let’s just use that. Let’s go with that. And I don’t need to correct you. And if people can get in that mindset, imagine how much more peace we’d have, like on the internet, Twitter, you know, these things.

Imagine if that were the case.

Lowell: We’re going to learn about the power of reciprocation right after a quick break.

Welcome back to Prodigy. For more info or to get in touch with me, visit prodigypodcast.com. Reciprocation is a rapport building technique where you give a subject something of value in order to make them indebted to you just enough to give you a favorable response. It’s important to note that the gift shouldn’t be so large that it’s overwhelming. Something like holding the door or paying a specific compliment can be enough. The first example that comes to my mind is in a Christmas episode of The Office, when Michael gives Ryan a video iPod, creating too large of an imbalance. Gifts are best thought of as subjective, not one size fits all. Spend the time to assess what is valuable to the individual and choose accordingly.

Chris: Reciprocation. If we think about that, how powerful that really is, you hold the door for somebody, you know, there’s two sets of glass doors and you hold that first door. It is really odd for the person to enter that second set and not even at least do the behind hold, right, where they just put their hand back and hold it for you.

They’re going to do something, you know, most likely, they’re going to say, thank you and hold the next door for you. That is just a small sampling of how reciprocation works. The value that they perceive from that is what they feel they will owe you. So think of it that you’re walking out of a grocery store, some woman reaches in her purse to grab her keys, out falls a little thing.

You get up to be like, oh, this is money. And you go up to her and you say, Hey, this dropped out of your purse. I want to return it to you. Now she is like, oh my gosh, that’s unbelievable. Like, thank you so much. You’re such an honest young man. Well, thank you. You know, and now at that moment, if you were to ask her for something and it can’t be anything, like, can I have your car?

No, that’s not going to work. Not unless you found 40 grand and your returns, you know, but if, if you, if you were to ask for a little something like, Hey, I need some advice. Like I’m new here. Where can I go for this? She’s more than likely to spend time talking to you because she owes you. Right. Whereas if you just walked up to a strange woman in the grocery store parking lot and said, Hey, can I ask you some advice?

You may be like, well, what is this? Like, am I getting mugged? What’s happening here? Right. So reciprocation is a powerful principle when, when used properly.

Lowell: Yeah. And it’s even more powerful if you target someone specifically. Right. So if I do research on someone, I can figure out like the best gift for the moment.

Chris: A hundred percent. You can go to someone’s Facebook or Twitter or LinkedIn, and you can find out things they value, clubs they’re a part of, books they love, music they like. And now you can know, I mean, I’ve done this before, where we’re doing vishing calls and, um, I’ll do some research on the person we’re about to vish, like a CEO or something.

And on their Facebook page they have, oh, I took my son to a, um, I dunno, named Britney Spears concert, right? Whatever, I took my daughter to a Britney Spears concert, you know, I love her. She’s one of my favorites. Now, when I make that call, I’ll be playing a Britney Spears song in the background. Right. Not really loud, but I’ll be playing it in the background.

And even if they don’t say anything, they hear it. And that puts them in the frame of mind of, oh, that’s where I just was with my daughter the other night at that concert. And it makes them more compliant and happy and they want to do more. So it’s, it’s amazing what, what you can get from people when you just use the things that they really like.

Um,

Lowell: I would never do this, but I even had the thought of engineering a minor crisis, um, and then like showing up to help solve it. Um, oh, and by the way, I’m also applying for that job opening you have. But, uh, one story from the book that stood out to me was the ultimate security guard. Um, he was the one that you used like several different tactics on and none of them worked, and I was wondering if there could have been like one more strategy you could use, which would be like anger, indignation. So as the last resort, getting like frustrated and threatening to cancel the job. So the guard thinks he’s delaying your work and might get in trouble.

Chris: Yeah. So, um, I could tell you another story where we actually, uh, not at that job, but where we had a similar situation where we actually entered a building, got in, then a manager had stopped us and she said, you don’t belong here.

And she brought us to security and then she left us and she goes, these guys are running the building, like take care of them. So security says to us, Hey, well, what are you doing here? And we’re like, man, we’re supposed to be here. We’re doing an audit. And he’s like, do you have any proof of that? I said, yeah, let me call the boss.

You’ll know who he is. So I called the guy who was out in the van and I said, Hey, Tom. I’m like, uh, who’s our contact at the bank? And the guy knew, like he can tell, I was, he’s like, oh, it’s a Joe Smith. Right? I’m like, Hey, can you get Joe and put him on the phone, the security guard here needs to talk to him.

So I’m saying a name now out loud that he knows, like he knows the VP, right? So I’m like, oh Mr. Smith. I got a quick question. I’m down here at, you know, one, two, three building. Security guard was alerted by a manager. I guess you forgot to tell them that we’re supposed to be here today. Security guard needs validation that we’re supposed to be here.

Can I have you talk to him? He’s like, yeah, sure. Put him on the phone. Right. So I hand my cell phone to the security guard. Security guard gets a Mr. Smith and he’s like, yep. Yeah, I’m sorry. It probably was my fault. I should have told you. So you had them on the list. Uh, why don’t you add them to the list now?

Just get, you know, get their names, put them on there, but, um, I really need them to finish this in the next 30 minutes. So just let them go wherever they need to go. So he hangs up, security guard goes, okay. You’re clear. You know, where do you need to go? I go, I need to go to the server room and, uh, it’s locked and he’s like, come with me, I’ll let you in.

He just walked us to the server room, unlocked the door and let us in.

Lowell: Although using social engineering to break into places is possibly the coolest job I can think of. I’m not going to try and break into that industry. I want to apply these techniques to advance my current career path. And that was the motivation for Chris to write this book.

He started noticing people who weren’t social engineers attending his seminars.

Chris: or wrote my first four books. Right? So they were all about social engineering, but from a security industry. And then over the last decade, I was training this class and I started to see more and more non-security people coming to the class.

And I realized that, wow, these skills were being used by salespeople, managers, CEOs, psychologists, therapists. I started seeing this list of people that were coming to my classes. I started doing these classes for the FBI, for government. I got invited to the Pentagon to debrief on this stuff. I was like, what the heck?

Like this is huge. And it hit me. And that’s how this book came about. Is it made me realize that these skills can be used by anybody. So, you know, you’re sitting there saying, okay, people listening, they want to advance their career. And yeah, there is a, there is some truth to the fact that you work hard, you can advance, but sometimes people work really hard and they never move forward in their job.

Human nature is that we tend to promote, move forward, people that we like, people that we get along with. You know, I’m the boss of my company and I got 20 employees and I’m definitely going to, um, make sure that those, you know, the ones that I really get along with, the ones I like, the ones that are working hard, the ones that sound good, uh, you know, that make the company sound good, those are the ones that are getting advanced first. And there’s a little bit of self-serving in that, but there’s also the idea of, it’s, who can I trust?

Lowell: Or if I liked them, then other people probably will too.

Chris: That’s right. Exactly. And it’s not all about hard work. It has a lot to do with it. Right. And I’m not going to take somebody who’s really good looking, but they’re lazy and they get advanced just because they’re good looking, right.

We’re not that shallow, but when you have, when you have someone who’s like, okay, you present really well. You look professional, you’re working really hard. And man, you’re a great communicator. They could hit the stars. That’s what happened when I wrote Human Hacking. Um, you know, I kinda did a play on words, um, you know, from the Win Friends and Influence People.

And then I added “and leave them feeling better for having met you.” This is about how to get the things you want out of life in a positive way. Not by hurting people, by making people feel better, by using empathy and compassion. Right. So realizing that there’s so much more that I can get out of life.

If I understand more about this guy right here, and if I get more about me and I understand what is good and what is bad, what ticks people off and what doesn’t, I’m more likely to succeed in life than if I continue to live my life the way I did for the first 20 something years, which is, you know, aloof and not really knowing why did people get mad when I just said these things?

Or why are people always angry when I’m just telling them what’s wrong? You know? And having that self-awareness really helps you to, to make, uh, to make a change.

Lowell: Just the fact that Chris agreed to give me a time with such a busy schedule made me think he was a great person, but then I found out about his work with something called the Innocent Lives Foundation.

If Batman was real, this is what he’d be doing.

Chris: Yeah. So, uh, about five or so years ago, um, during a pen test that I was doing, we had, um, uncovered a guy who was in this organization. We were testing that was, um, sadly he was filming his own child pornography and then trading it on the dark web at, at work.

He was fit training on his work computer and, uh, he’s sitting in prison right now. And I never thought about the skills that I have as a tester, as an auditor, as a pen tester, um, being used for anything like that. Like that was new to me. Like, wow, wait, I can do these things. Like I can do stuff like that.

And it felt really good to be able to, to help stop crime against a child. The more I talked to other people in my industry about this, the more I found out that a lot of people had similar sick circumstances happen, but they didn’t know how to handle it. So I sat back and I said, I wonder if, um, I started an organization.

I started to ask people if I started the organization that gets all these people with this amazing skill together, and we can work together to help law enforcement. So not a vigilante group. Right. We see these all the time on Facebook, groups of people who have the right motive, but they, they, they convince some pedo that they’re a 13 year old girl, they get them to meet them at McDonald’s and then they film them and embarrass them.

Those groups are useless and I hate to be mean, but they are because that guy’s not going to jail because some group on Facebook filmed them, he’s now educated and he’s smarter and he’s more aware and he’s going to go and abuse kids and not get caught. So I tell people don’t, don’t do that. And I said, we’ll never do that.

What I wanted to do was take people that are so skilled at OSINT and, you know, these kinds of human hacking skills and work with federal law enforcement to help trap these folks who are preying on children and get them arrested. So we’ve been around for four years. Uh, we just completed our 327th case.

Um, and we get to work with law enforcement to help find and unmask people who are anonymously hiding on the open, on the dark web, uh, trying to prey on, on children. So we’re a nonprofit, a 501(c)(3). I started that on the side, you know, I, I just felt this passion to do it. And, uh, and we have 50 volunteers now and five full-time employees.

So it’s amazing. People can check it out at, uh, innocent lives foundation.org, and they can, you know, they could check out the website and if you want to help, great. If you want to volunteer great. If you want to donate great. We can use all of it. So, yeah. Thank you for asking about that.

Lowell: And you have a podcast that goes into these topics in a lot more depth, right?

Chris: I’ve been doing the podcast now for 12 years. Um, and 12 years ago, when you looked at tech podcasts, they weren’t. They, they were a bunch of guys sitting around talking and drinking and smoking cigars and talking about security. And I said, I want to do something different. I wanted to have like psychologists and researchers and, um, musicians and actors and comedians on and talk to them about their job, nothing to do with security.

And then see if we can learn something to apply it to security. So for 12 years, I’ve been doing that, um, then inviting all sorts of people on, and we talk about the, uh, the job they do, whether it’s, uh, from a psychological aspect or physiological aspect. And then we think about what can we learn from that and how can that make us better communicators?

Uh, so it’s the Social Engineer podcast or the SE podcast and, uh, yeah. Um, I’ve, it’s been a great ride and then doing it so far, it’s been really good. So. Think episode 147 or something now.

Lowell: So then where can people go to find out more info about the book?

Chris: Uh, if anyone does buy the book, uh, we have a website, the human, uh, it’s called human hacking book.com.

Um, you may be interested in this. If you read it. There’s a resources section on there where I put a bunch of downloads that people can have some files, some of the pictures in color, some worksheets that can help make the book even better. If you’re reading it and trying to use it for any purpose, there’s some things on there that can be used to make it better for you.

So people can check that out and they can reach out to me on Twitter. If they have any questions, I’m human hacker on Twitter and they can, uh, you know, reach out and I’d be more than happy to chat with people.

Lowell: I learned a lot of really interesting stuff when making this episode, especially about how to improve my interactions with people, because I want people to like me and I want to succeed.

But one thing that really stood out to me is that if someone really wanted to hack me, they absolutely could. And I’d probably never notice. This was just a small taste of what you’ll learn in Chris Hadnagy’s book. Title is Human Hacking: Win Friends, Influence People, and Leave Them Better Off for Having Met You. Definitely pick up a copy.

You can also learn more technical details from his podcast called the Social Engineer podcast. They have over 140 episodes. His Twitter handle [email protected]. If you find this subject interesting, then I highly recommend the podcast Darknet Diaries. It’s true stories from the dark side of the internet.

Chris is the subject of episode 69, Human Hacking. It’s where I got the idea for this episode. The host, Jack Rhysider, will be on soon for an episode about how to get into cybersecurity. Thanks for listening to Prodigy. We’ve got a bunch of really interesting episodes coming out. So please subscribe to the show because I’ll be back next week with another episode of Prodigy.

Prodigy is created and produced by me, Lowell Brillante. The executive producer is Tyler Klang. For more podcasts from iHeartRadio visit the iHeartRadio app or wherever you get your podcasts.