Episode Transcript
0:00
Okay. So one year when I was in college, I took a job at the Renaissance festival.
0:04
If you don't know what that is, it's a place where people dress up.
0:07
Like they did it in the 15th century and do things from that time period like jousting and falconry and eating old fashioned food.
0:14
It's almost like an amusement park with tall walls all around it.
0:18
And you have to pay to get inside.
0:20
Well, when I got a job there, my boss forgot to give me an employee pass to get in.
0:26
So every day that I came to work, I had to find a way to sneak into the festival.
0:32
This was such a fun thing for me to do because I had an honest reason to sneak into the Renaissance festival.
0:39
I figured out where employees park, and I saw there was a security guard watching the back gates and side entrances and stuff, but I quickly learned their habits and was able to find ways to go around them over time.
0:51
The security guards started to notice me more and more and thought I was suspicious because I was showing up every day and always avoiding them.
0:59
Once, they even got in their golf cart and came straight towards me, and I just ducked behind some trees or some cars or something and waited for them to roll on by in their golf cart.
1:09
Then when the coast was clear, I'd pop up and go the other way and figure out a way to get into the festival.
1:14
This went on for months until my boss said, Hey, I was talking with the front office today and we were going over some things.
1:23
And I realized I never gave you an employee badge.
1:25
How have you been getting in every day?
1:27
I said, well, that's no problem.
1:30
I've got ways of getting in.
1:31
And he said, Hmm, I bet you do, but I don't want to be the one to be blamed if you get caught.
1:38
And I said, okay, okay.
1:40
I'll just say I work at some other area of the festival this way.
1:44
It won't come back to you. He was flabbergasted, but gave me an employee badge anyway, which was actually good because the security guard finally caught me the next day and was all like, finally got ya.
1:55
Now you're coming with me pal.
1:56
And I was like, but look, I have an employee pass.
1:59
And then he was flabbergasted because he thought he caught me doing something wrong.
2:03
Well, he did the right thing, and he actually escorted me to the front office to make sure my badge was valid. Fun times.
2:11
They're fun times.
2:13
These are true stories from the dark side of the internet.
2:20
I am Jack Rhysider. This is Darknet Diaries.
2:44
This episode is brought to you by Skiff.
2:46
Do you store documents or use collaboration tools online?
2:49
If you do, you're letting someone else store your information on their systems.
2:54
And some of those companies don't encrypt your documents and can peek in them if they wanted.
2:59
And that's where Skiff comes in. Skiff is the first collaboration platform built for privacy from the ground up.
3:06
Every document, note, and idea you write is end-to-end encrypted and completely private; only you and your trusted collaborators can see what you create.
3:13
Unlike Google Docs, Evernote, or Notion, no one, not even Skiff, ever has access to your stuff.
3:19
And that feels good.
3:21
Skiff's founders are former SpaceX and Apple engineers, and they teamed up with advisers, including the CTO of Signal Messenger and the chief information security officer of the New York Times, to bring you a product built with privacy first.
3:33
Skiff is inviting Darknet Diaries listeners to skip the 60,000-person wait list and start using it today.
3:40
So go sign up for free at skiff.org/darknet. That's S-K-I-F-F.org/darknet.
3:55
Can you pronounce your name for me? Sure.
3:56
My name is pronounced "a-leeth," like in "lethal weapon."
4:00
What are you doing these days with social engineering type stuff?
4:05
So I work for a company called Critical Insight.
4:08
The client base is really centered around organizations that provide critical infrastructure.
4:14
So hospitals, water systems, manufacturing, DoD contractors, but kind of my core interest is growing our social engineering side to do more phishing, vishing, and more actual social engineering physicals, where we're doing engagements on site.
4:37
Alethe's job is to social engineer Department of Defense contractors, to try to get them to do things they really shouldn't do.
4:43
But how did Alethe get to this point?
4:46
Well, that's actually a very interesting story.
4:48
So let's rewind to when she was a kid.
4:53
So this is kind of a weird, weird journey.
4:57
So like, buckle up, because this is definitely not the normal
5:03
"how did you get into InfoSec" type of story.
5:07
But I always tell people I am not good at reading people because I'm a social engineer.
5:15
I'm a social engineer because I'm good at reading people.
5:20
And the way that I became good at reading people is through a very chaotic series of unfortunate events and terrible relationships.
5:31
And really that's the core of how I became who I am is a series of really crazy events.
5:39
So can we go that far back?
5:41
We're going to go, we're going to, yeah, we're going to go all the way back to the beginning.
5:44
So I was born and raised in South Africa by American parents. When I was around five or six, things with my parents weren't going so great.
5:57
And by the time I was seven, they'd separated and were living in different houses.
6:03
And this was kind of the beginning of me having to grow up pretty quickly.
6:09
My mom was always kind of like the cool big sister and she really let me have so much freedom as a kid just to explore my own creative ideas and do some really dangerous stuff without really putting guard rails on.
6:29
I was the oldest of three kids.
6:33
And so I kind of ended up taking charge of my younger siblings.
6:36
And when I was seven or eight, we left the country, kind of under the cover of darkness and without the knowledge of my dad.
6:48
So we moved from South Africa to Botswana, to live with my grandparents for a while, while my mom kind of figured out what she was going to do.
6:59
And then we moved from Botswana to California around the time I started fourth grade.
7:08
And when we were living there, you know, my brothers and I were welfare kids.
7:14
And this is kind of where I got started really honestly, started in social engineering.
7:21
Like I was always kind of a manipulative kid.
7:24
I could figure out how to get adults to do what I wanted them to do for me.
7:29
But this is really where things started to get interesting.
7:34
She was a latchkey kid, meaning she'd be home alone with her brothers while her mom was at work.
7:38
This gave her freedom to do things without an adult telling her what to do. On top of that, her family didn't have much.
7:46
And in the nineties it was like, you know, my mom would just kick us out on the weekends, and I would just rollerblade around town for 12 hours and get the bus, go downtown, go through all the shops. I learned to shoplift.
7:59
We would sneak into movie theaters. We would just get into pretty harmless trouble, just as preteen kids rolling around downtown, doing whatever the heck we could get away with.
8:15
She was practicing how to be sneaky and manipulate adults into getting what she wants.
8:21
At the age of 11, I had my own videotape, like VHS cassette tape, rental account at the movie store.
8:29
That was between my school and my house.
8:32
And they would let 11-year-old me come in and rent movies and take them home, and trusted me to bring them back.
8:39
They opened the account for me with no ID, no nothing.
8:42
What grade? She moved back to South Africa to live with her dad for a while.
8:45
And he enrolled her in a very strict Catholic school.
8:49
And I made like the worst possible mistake that any new kid can make. I mean, I wasn't a stranger to being a new kid in a new school where people already had like established friends and relationships,
9:02
and you were like a complete outsider, because I'd done it now a few times.
9:06
But this time I decided that I was gonna try to be one of the cool kids, which was like the worst thing I ever could have done ever, ever, ever, because I started making just total BS stories about all these crazy things that I did when I lived in America.
9:23
And it was like the worst.
9:26
It totally backfired.
9:27
So this was like a really great lesson for me as a social engineer, that, you know, over-embellishing, instead of having all the kids at my new school think I was super cool,
9:39
they actually thought I was a complete and total idiot.
9:44
Kids were picking fights with her. Nobody trusted her; the only friends that she made were other liars.
9:48
And she didn't like that.
9:50
Her dad moved her to another school and this one was an all girls school.
9:55
Now this was in the late nineties, in South Africa.
9:58
Not many schools had computer programs then, but this one actually had a computer lab and really tried to get the girls into...
10:05
Yeah, computers. So I started doing computer science.
10:07
I learned to code in Turbo Pascal.
10:10
And I was just completely, like, hardcore sucked into this idea that I was going to learn to code so that I could hack this game that we would play just on the LAN at the school, that was called LORD, Legend of the Red Dragon.
10:30
It's like a completely text-based, role-play game type scenario.
10:35
And so I was obsessed with this game, and I would spend most of coding class playing the game and then catch up on all the coding stuff after school and do my assignments and stuff like that then.
10:48
But I just became completely obsessed with computers and technology and coding.
10:54
And I just went completely all in on like biology and computer science.
10:58
And that was my thing.
10:59
And when I graduated, I went to school at the University of Cape Town, and I was doing a bachelor's in chemical and molecular sciences with a minor in computer science.
11:15
And this was the year that I just decided to completely just demolish my life.
11:23
11:23
I was 18 and my parents were super strict. And so I decided I was going to just ditch class and go hang out with my boyfriend and, you know, just like be a kid.
11:38
'Cause I finally had some freedom outside of this very structured, all-girls, uniform, Catholic school kind of environment.
11:45
So I got into trouble. I got into like big trouble. For years, I'd been hanging out in IRC chatrooms and stuff, talking to just random people.
11:56
And I started a few friendships with people and some of them escalated over the course of like four or five years.
12:03
And even though I had like a boyfriend in real life, I also had a few people that I was keeping in contact with over IRC chat rooms.
12:13
And one of these people essentially groomed me over the course of four or five years.
12:19
And it got to the point where I so implicitly trusted this person and was so turned against my own family.
12:26
But I made some really, really terrible decisions, like awful decisions.
12:32
The person she was chatting with online was from Virginia, on the other side of the world from where Alethe was in South Africa. The person asked Alethe a lot of personal details: ASL to begin with (age, sex, location), then more details like her phone number, and eventually her address. When they got her address,
12:51
that's when things got weird.
12:54
They were sending me care packages from the United States.
12:57
So all I know is that the packages came from Virginia and that when my folks figured out what was going on, they lost it.
13:06
It really freaked them out, and they were completely justified in their freaking out, for sure.
13:13
And so it was kind of like the catalyst of this series of events that eventually led, like, it ended in me getting kicked out, and South Africa is not the greatest place for you to live alone as a young woman.
13:31
And it's very dangerous.
13:34
So my dad was like, look, you can't stay here.
13:38
You're not going to class. You're not holding up your end of the bargain basically.
13:42
And he was completely justified in doing this, but he gave me the opportunity to move back to the states and kind of reboot my life.
13:53
And I think it really was the best possible scenario.
13:56
Given the damage that I had done, I was, I was very destructive in my own life.
14:01
Just had destructive tendencies.
14:04
I struggled with depression and anxiety and just kind of trying to find and figure out who I was, which was going to be something that I would be a lot more successful doing here in the States.
14:19
So she moved from South Africa back to California, which is where she's been for the last 20 years. But it wasn't easy getting established back in the States. Her college credits didn't transfer, which meant she had to start over with college, and she didn't have a good job to get by with. Her future was just not looking so good.
14:37
And that led her to depression and anxiety.
14:40
And she was worrying about how she'd find food just to live.
14:44
I literally took a job scooping poop at a pet store for minimum wage.
14:48
And at the time that was $6.25 an hour.
14:51
And I loved that job, because everybody there was so neat and I got to play with puppies, which was great.
15:00
Working retail taught her some new skills about how to deal with angry customers.
15:04
It improved her social and communication skills.
15:07
And then she got a job at a title company where she had to research who owned certain properties.
15:13
Through the course of these positions, I learned a lot about public record.
15:17
I was essentially searching public record for information about people and property and putting together chains of title of property.
15:23
Like from the beginning of time, until now who's owned this property, what documents have been recorded against it?
15:29
What easements or liens are against the property, et cetera.
15:33
This is where she picked up some OSINT skills. OSINT is an acronym.
15:36
It stands for open source intelligence gathering.
15:38
She was learning how to find people and what properties they've owned over time.
15:42
If it was owned by a business, then she could look up who the owners of that business were. There are a lot of details in public records.
15:49
And she became a whiz at mining these public records to find the information she needed, but then she quit doing that and had a string of other jobs that all gave her new knowledge in different areas, such as selling mobile phones, doing social media management, marketing, doing tech support for software.
16:05
And then she landed a job at a staffing company where she was doing research and writing reports. Around that time,
16:11
she and her husband started an IT company themselves.
16:14
It was small and not big enough for them to quit their jobs and do it full time, but they wanted to make sure that their services were secure, which is how they heard about DEF CON. DEF CON is the largest hacking conference, held every year in Las Vegas, Nevada.
16:29
And the first DEF CON that I went to, I discovered the Social Engineering Village, and it was kind of like everything I'd been doing since I was a kid kind of all coming together under one umbrella called social engineering.
16:47
At DEF CON, they have these villages. There's a biohacking village, which has people hacking medical devices and their own bodies.
16:53
There's a car hacking village where they have an actual car in the conference that you can try to hack into.
16:58
And there's just so many: there's Lock Pick Village, IoT Village, Wireless Village, Voting Machine Village.
17:04
But one of the most popular is the social engineering village.
17:08
Here, they have speakers up on stage sharing their tricks of the trade, which is basically how to manipulate people to get them to do things that you want them to do, such as letting you into a secure building, clicking a link in a phishing email, or calling someone up and getting them to tell you a key bit of information that might help you break into the place.
17:27
And at first I was really focused on like the manipulation and the coercion and like all the like negatively slanted words that really fall under social engineering.
17:36
And it just completely captured my attention.
17:41
And my focus.
17:43
If you hang out in the Social Engineering Village long enough, you'll realize that the main event is the contest.
17:48
And the final round of the contest is done
17:51
onstage, live, in front of everyone.
17:53
And the contestant goes into a soundproof booth and calls up a company to try to get someone there to tell them some key information.
18:01
And this is broadcast live in the conference room in front of everyone.
18:06
They told me about the social engineering capture the flag contest, where they put folks into a soundproof booth.
18:12
They give them 20 minutes and they call a target company.
18:15
And they have to elicit information from the employees of their target company over the phone.
18:21
And I was completely floored.
18:23
I thought, there's no way I could ever do something like that.
18:26
That is absolutely insane.
18:28
Like I'm the type of person that will send 150 emails before I pick up the phone just to avoid talking to people, generally speaking that's me.
18:36
And so I was like, this is nuts.
18:39
There's no way that I can ever do something like that.
18:42
That's crazy, but I want to watch this happen.
18:44
So the next year we went to DEF CON and I was like, see ya, everybody that I came with, I'm going to go grab some food and sit in the back of SE Village all day to make sure that I can listen to all these calls.
18:58
So like, I went to Starbucks and grabbed breakfast and like a couple snacks and a coffee and a water.
19:04
And then I stayed for the rest of the day to listen to the remaining contestants.
19:08
And then the next day I kind of did the same thing, and I didn't leave.
19:12
Like I didn't leave to go to the bathroom. I didn't leave to go get lunch.
19:15
I was there from like 10 until after two, when they ended the last of the seven calls for each day.
19:23
These are always interesting calls to watch. It's live,
19:25
so you don't know what's going to happen next, but the contestant has a goal to get certain flags.
19:29
The flags might be things like: what make and model is your laptop? Are security guards watching the front door? What software is on the laptop?
19:38
What are the password policies at the company, or other security-related pieces of information?
19:43
The more flags you get, the more points you get.
19:47
So the neat thing about the social engineering capture the flag is that each of the contestants, and there's only 14 each year, they are selected from a group of 200 or 300 applicants.
20:00
And they get a Fortune 500 company as a target about six weeks ahead of DEF CON.
20:08
They get four weeks to investigate that target and find as much information as they can about them.
20:16
And then see if they can find very specific flags of information that the contest runners have assigned points to.
20:21
And then they compile a report.
20:24
They submit that to the contest runner and it's graded.
20:26
And then they use all the information that they found during the course of their investigation to then call that target from a soundproof booth, in front of 500 to a thousand hackers live in a room, with a 20-minute time limit.
20:44
I mean, it is like the most high-pressure, crazy situation ever.
20:48
And you're just praying that somebody answers the phone, and then once they do answer the phone, you're praying you can keep your stuff together.
20:57
And remember who you decided you were going to pretend to be, to get these people to give you those same flags of information, or confirm them,
21:04
if you already know, over the phone.
21:07
The more Alethe watched these people make these phone calls and try to social engineer people,
21:11
the more she wanted to do that. Like, I saw the movie Hackers after it first arrived in South Africa, and it was just like, oh my gosh, this is who I want to be.
21:25
Like I thought for the longest time that I just wanted to be Dade and be cool, like him.
21:29
That was the first time I saw like social engineering, that part where he social engineers the guy at the TV station. Here's the clip
21:37
she's referring to, from the 1995 film called Hackers.
21:41
Security. Norm? Norman? Norman, this is Mr.
21:44
Eddie Vedder from accounting.
21:46
I just had a power surge here at home and wiped out a file
21:49
I was working on.
21:50
Listen, I'm in big trouble.
21:53
You know anything about computers? Gee... Right.
21:58
Well, my BLT drive on my computer just went AWOL, and I got this big project due tomorrow for Mr.
22:05
Kawasaki. And if I don't get it in, he's going to ask me to commit hara-kiri.
22:11
Yeah. Well, you know these Japanese management techniques. Could you read me the number on the modem?
22:17
22:17
That's the little boxy thing, Norm, with the switches on it. That's my computer? Talk to the one there. 2-1-2, 5-5-5, 4-2-4-0.
22:31
It just completely floored me. I thought that that was the coolest thing ever, and I wanted to be like that so badly.
22:36
And it felt like I kind of put all that stuff on hold for, you know, I think I was like a teenager when I saw that.
22:44
So it felt like I put all that stuff on hold for like 10 or 15 years, and then walking into DEF CON the first time, it was just like, oh my God, I'm home.
22:52
Like, these are my people. Like this is the island of misfit toys that I've been looking for for over a decade.
23:00
And everybody was so flippant and welcoming and accepting and supportive and awesome that I was just like, I want to live here.
23:08
23:08
And so it was kind of like finding my niche, you know, after the second DEF CON, after watching all the calls at SE Village and seeing, you know, actual, real social engineers do the thing in front of everyone. And just like, I just wanted to be like that.
23:29
I wanted to have that confidence. And I really wanted to push myself to get more comfortable with having uncomfortable conversations with people, because I felt like it would just make me a better business owner, a better communicator, a better employee, a better parent, a better spouse.
23:47
And I just didn't think that I could really go wrong with improving those types of skills.
23:53
She goes home that year thinking about competing in the next social engineering capture the flag contest.
23:57
She wants to try it, but she doesn't think she'll qualify and she questions herself.
24:02
But then at the last minute, she decides to apply to be a contestant.
24:07
I ended up getting selected as one of the 14 contestants.
24:11
About three months before DEF CON, they assign the contestants their targets.
24:14
Alethe was assigned a trucking company in the US, and she had about four weeks to do OSINT on them and turn in her report.
24:22
Now, with OSINT you can only get data that's publicly available; you can't call someone or phish someone or hack into something to get the information.
24:29
She had to find as much information as she could about this company through public sources, such as going to the company's LinkedIn and seeing who works there and then finding those employees on their social media accounts and looking at their profiles.
24:43
This first round of the contest is to try to gather certain flags, or pieces of information, from the company and compile that into a report and turn it in a month before DEF CON begins.
24:55
So flags, they are everything from information that would help in the context of, like, a physical pen test.
25:03
So who does the garbage service?
25:06
Who's the janitorial service provider who runs the cafeteria, who's the vending machine service and repair company, those kinds of things.
25:14
Then there's like company-wide type technology.
25:17
Like, who's the VPN provider?
25:19
Do they have wifi available on site? What is the SSID or the name of that wifi that is available to guests or internally? The version and the type of browser they use, their PDF viewer, whether or not they use a specific parcel service, the make and model of the laptop or computer that the employee was issued.
25:46
Alethe begins collecting data on this trucking company.
25:50
So I had a tough time figuring out the best way to do this. In brief,
25:56
I basically start with the company website, and then from there I'll move into company review websites like Glassdoor and Indeed to learn about company culture and any like inflammatory things that I can use to kind of build rapport with the employees.
26:13
And then from there, I look at open job descriptions, to see if they name any specific types of technology or, you know, help desk services that they use, and things like that can be useful to me.
26:25
And then once I'm done with like company review websites and job descriptions, then I'll get into some more detailed snooping.
26:34
Usually this involves a lot of Google dorking, because now I've kind of got an idea of what type of pretext I'm going to use.
26:40
And I want to find more information to support that pretext.
26:44
So say I want to impersonate an internal employee and call the help desk.
26:51
Then I might be Google dorking to look for all documents that are on that domain that are of file type PDF and that contain the word "onboarding" or "new hire" or something like that.
27:08
'Cause I want to find where it says, you know, if somebody is having trouble with technology, call this number, and usually that's their internal help desk.
27:15
So that's kind of an example, but I use a lot of social media as well, so I will find the address of the headquarters or the branch locations that I want to target, and/or where the employees sit who I want to target.
27:34
And then I'll put that address into Instagram, into the location search and find all the pictures that are geo-tagged to that location.
27:42
And see if I can find things in those pictures that will help me, stuff like employee badges, things that would show employee ID numbers.
27:51
So I can get a good idea of what those look like and how they're composed.
27:55
27:55
I'll also look for pictures where there's, there's always one where it's like the Starbucks coffee cup in front of the open monitor with all their applications. That's my favorite.
28:08
And then from there, I just kind of snoop around until I find some more of the stuff that I want.
28:17
Like I want to know who the cafeteria vendor is.
28:21
One of my most favorite pretexts is that I will call and pretend to be from the corporate office of the cafeteria vendor for the cafeteria that's within the headquarters or the office building of my target company, because it's usually like, it's not close enough to them for them to go, oh, what's your name?
28:42
Let me put it in the global directory and pull you up.
28:44
But because it's an entity that has authorization to be within their building, it's kind of inherited the trust of that organization.
28:53
And so therefore I would inherit it saying that I work for that cafeteria vendor, that they've already had an existing working relationship with forever.
29:02
So the more information I can gain, the better equipped I'm going to be on the calls.
29:09
And that's really where I think the majority of social engineers, especially in the context of the social engineering capture the flag, have been successful, is just being over-prepared with knowledge about the company and what they have used
29:22
and do. She spends the four weeks collecting as much data as
29:26
she could about this company. I turned in my report and I was kinda like, well, hopefully that wasn't terrible.
29:31
And I was actually fifth out of 14.
29:34
My report was scored fifth highest points based on the flags of information that I found on the target.
29:41
Well, that's pretty good for a first-time competitor.
29:44
The final score is a combination of the points you get from this report and the points you get from the live onstage call at DEF CON.
29:51
So she has a chance of being in the top few, if she can outscore some of the others that did better than her on the report.
29:58
So what happens at DEF CON for the actual competition is you report to SE Village.
30:04
They get you checked in and whatnot.
30:06
And then when it's your turn, they put you into the booth.
30:11
You get a pair of headphones and you are sitting on a stool in front of a pretty high quality microphone.
30:18
And you have a list of the numbers that you want to call.
30:24
And you have a list of the numbers that you would like to spoof to support your pretext, or who you've decided you're going to pretend to be.
30:35
Now, the target that they gave her is just this company.
30:37
They didn't provide any phone numbers or specific people to target at the company. That was all up to Alethe to figure out, which person or people to target and what their phone numbers were.
30:49
And the company that runs the Social Engineering Village has some pretty good lawyers to help make sure this is all legal.
30:55
And so Alethe provided the phone numbers to the contest runner, who then dials a number and connects her to the call.
31:02
During the contest, not only are you on a stage in a booth with glass in front of you and everyone watching, but they also have cameras inside the booth.
31:12
And so you're on like two or three giant screens in this enormous ballroom inside a casino hall to have gotten.
31:22
And everyone is just watching your every twitch.
31:26
31:26
And so once you're like ready to go, they start the 20 minutes on the timer. And it's a big red numbered timer that they hold in front of your face.
31:39
And then you say, you know, call number one or two or three or whatever it is on your list, and spoof number one or two or three or whatever it is on your list.
31:49
And you go.
31:52
Alethe was prepared for this though.
31:54
She had a plan, she had a pretext ready, which is who she was going to pretend to be when calling these people.
32:00
And she had practiced this pretext in her head and she knew a lot about the people she was going to be calling from all the past research she did on them.
32:08
So you can bring whatever material you want into the booth.
32:12
There are people that like to bring props like keyboards and stuff like that.
32:15
I went very low tech. I brought in like three sheets of paper, and one of them was a list of all the flags that I'd made, like my top priorities of each of the flags that I wanted to get.
32:29
And then I kind of drew like a four-square for my pretexts.
32:35
And I have like a, you know, like Magic Quadrant kind of an idea, but one square is who I am,
32:41
and my information: me, my pretext, the person that I'm pretending to be. One square is who I'm targeting: their phone number, their information, email address, whatever about them.
32:53
So that I remember who I'm talking to and I don't freak out.
32:55
And then I have like a box that has the key points of my pretext.
33:01
Like what company do I work for?
33:04
Why am I calling? What do I need?
33:05
And then I have the other box.
33:07
That's like my goals for the call. Like, these are the flags that I want to get out of this call.
33:12
She was able to get a few more flags from this other person.
33:14
And then her time was up.
33:16
So she ended the call.
33:18
On Saturday, they tally up the scores and announce the winners. Alethe got sixth place.
33:22
But to her, she had a blast.
33:26
Having the ability to make people laugh and have them respond to what I was doing in that way was just like phenomenally rewarding.
33:34
Just it made me feel amazing.
33:36
And so after that, I was just like, this is what I want to do for my life.
33:40
This is it.
33:44
Oh, well, while she was in Vegas that year, something else happened.
33:48
At that DEF CON, I ended up getting pregnant.
33:53
She really wanted to compete in next year's social engineering contest, but with a baby on the way, that complicates things. Stay with us, because after the break, she comes up with a plan.
34:06
Support for this episode comes from Blinkist.
34:08
For some reason, my life is busier now than it's ever been.
34:11
And when my life gets busy, I feel like I don't have enough time to read entire books.
34:15
And this is where Blinkist comes in to help. Blinkist takes thousands of non-fiction books and condenses them down to what they call blinks, which are the key takeaways from the book.
34:25
So in 15 minutes, I can get the core concepts of great books like The 4-Hour Workweek by Tim Ferriss, Zucked by Roger McNamee, or Why We Sleep by Matthew Walker. And get this.
34:36
If you're still just too much on the go and you can't sit down for 15 minutes to read something, you have audio versions of these blinks too.
34:42
So you can listen on the go. Right now, for a limited time, Blinkist has a special offer just for you.
34:48
Go to blinkist.com/darknet to try your free seven-day trial and save 25% off a new subscription.
34:55
That's Blinkist, spelled B L I N K I S T, blinkist.com/darknet to start your seven-day free trial and get 25% off.
35:05
But only when you sign up at blinkist.com/darknet.
35:13
By this point in her life, she's already had three kids.
35:15
Now another is on the way, and the Social Engineering Capture the Flag contest was one year away, but this was such an important competition for her that she was absolutely determined to compete in it.
35:26
So May rolls around, which is when you apply for the contest.
35:31
I applied while very pregnant.
35:33
She gets accepted to compete.
35:35
She has the baby.
35:37
And shortly after that, they give her the target.
35:40
I was on maternity leave. And I was like, if I can use my maternity leave to do the , that would be like perfect, because I won't be juggling a newborn and work.
35:49
And the OSINT. It'll just be a newborn and the OSINT and the other three kids.
35:53
So she spends her maternity leave doing the OSINT part, researching the client, finding the best way to approach them and gathering as many flags as she could for the report.
36:02
I only focused on doing better than I had the year before.
36:05
That was my main objective: I just want to do better than sixth.
36:09
That's it like if I can get into the top three, that would be amazing, but I just want to do better than I did the year before.
36:16
I almost did not want to win.
36:18
I didn't want to win because as soon as you win, you can't compete anymore.
36:21
You're out.
36:21
And I really enjoy playing the game more than anything.
36:25
So I went into it determined to do better than sixth.
36:31
I did the OSINT for my report.
36:33
I turn the report in and I ended up placing third in the report scoring.
36:39
So it was like, Hey, if I hold third, that would be crazy.
36:43
If I was able to push it up to second, after the call around, that'll be nuts.
36:48
So I went to DEF CON, took the baby.
36:52
A trip to DEF CON. She takes herself, her three-month-old baby and her husband; the other three kids stayed back at home in California.
36:58
And so they fly out to Las Vegas. DEF CON starts on Thursday and goes all weekend to Sunday.
37:04
And she had to get back home by Sunday night because her kids started school Monday morning.
37:09
So I ended up bringing a three-month-old baby with me to DEF CON, which I don't recommend.
37:15
And I highly discourage anyone from doing it in the future, because it's not, it's not great.
37:19
It's not a fun experience, but I'd committed to competing.
37:22
And I wasn't sure if I was going to be able to compete after that.
37:24
And so I was just like, I'm going to go for it.
37:27
Like, she'll be young enough. And I'm an experienced enough mother to know that a kid under the age of four months is highly portable, easy to feed, very easy to take care of and very cooperative compared to like the toddler age for going to Vegas.
37:42
So in the morning I just got all my stuff ready, went to SE Village.
37:47
I was competing on the first day, which was Thursday and I was the last person to compete that day.
37:53
So I was seventh on the first day and I tried to watch the rest of the calls, but I really wanted to be respectful of the other contestants.
37:59
So like if the baby got fussy, I would walk out to the hallway and go take care of her or stand in the back of the room, just so that other people could see.
38:07
And I wasn't a distraction or, you know, being disruptive.
38:10
And so I missed so many of the calls, which sucked because I really wanted to watch them all.
38:16
And then when it was my turn to go, like I ran to the bathroom like five minutes before my time.
38:21
And I'm like, don't worry, I'm coming back.
38:22
And then changed the baby, finished nursing the baby and ran back up to the front, like threw the baby at my husband and just like prayed
38:30
she didn't start crying while I was in the booth.
38:33
Because as a mom, it just like triggers you especially very shortly after having a baby.
38:38
If you hear a baby crying, like it just like sidetracks your whole brain.
38:42
And I wanted to like, be able to maintain that focus.
38:45
So I was praying she wouldn't start crying and sure enough, as soon as I started dialing the first number she started crying.
38:52
And I think it's just because they were like broadcasting the ringing of the phone out to the whole room, but it was just kind of like an overwhelming situation for her, which I totally appreciate.
39:01
So I just had to like put myself in the zone and like ignore everything outside of the booth.
39:08
Like everything outside of the booth just was blackness.
39:10
And I had to focus on who I am, who I'm calling, what I'm doing, what I'm saying.
39:15
Like, that's all that matters right now.
39:16
So my first call was going to be to tech support and I was going to pretext as a new intern because it's summer.
39:24
And this company had a lot of summer interns and they were very public about that on social media.
39:29
So it, it fit.
39:30
And I was just gonna be like, I'm trying to go to this website for training and I can't get there.
39:34
Can you help me? Can you try it?
39:36
And finally, I convinced this person to go to the link and they confirmed what they saw.
39:43
And then I just said, oh my gosh, I'm such an idiot.
39:46
I wasn't even on the internet. I was just trying to get off the phone with them as quickly as possible.
39:51
So I could salvage as much of my 20 minutes as I could.
39:54
So after that call, I hung up and I had decided that I was going to target their regional sales people, their remote sales people that were responsible for various regions of the United States.
40:08
And my target was a ginormous tobacco company.
40:13
So I almost didn't feel bad.
40:15
So I, I ended up getting their cell phone numbers and through my for these regional salespeople.
40:25
And I learned a ton about how they treat their salespeople from the company reviews that were left on Glassdoor by salespeople.
40:36
And I knew that they had company cars, company laptops, company cell phones, and all that stuff.
40:42
So I knew a lot of what they would have already.
40:47
And I could just make this super easy and ask them to confirm it.
40:51
But I needed to figure out how I was going to give myself the authority to ask those questions without raising their eyebrows, so to speak.
41:01
So the pretext that I came up with was I was helping IT contact people whose computers hadn't connected to the VPN in a while, because we were getting ready to replace remote workers' laptops.
41:18
And we were trying to confirm what software and applications they had on their computer before we shipped the replacement computers out.
41:28
And every remote worker wants a new laptop, because every remotely deployed laptop has issues.
41:34
It's just a fact.
41:35
And so I was like, I'm incentivizing them with a new laptop.
41:40
They are going to trust me because I sound nice and likable, and I'm an internal employee.
41:49
So I started the call by saying, hi, this is Bethany.
41:53
I'm calling from the headquarters in this town.
41:57
And so immediately they know who I am, where I'm calling from, and that I'm an internal employee.
42:04
So I've like knocked all those things out of the list of objections already.
42:09
And I've made them feel better about the fact that I'm internal by saying where I am located.
42:15
So they feel safe that I'm calling from the headquarters.
42:19
And I know where that is. And it sounds legit.
42:21
Then I, I gave myself a name that was a little younger and I tried to sound like I raised my voice just a teeny bit, just to sound a little younger.
42:35
And then if they pushed back about the IT part, I was just going to be like, yeah, I'm an intern. I'm just helping IT. And so, I don't know, but they just gave me this list and, and you know, the sooner I can get this done, the faster you'll get your laptop.
42:50
Basically, zero people pushed back, no people.
42:54
And so I just, I said, you know, we're getting ready to send out these laptops.
42:59
Do you have a couple minutes just to go through your computer with me and answer a few questions to make sure that we get you all the programs and applications that you need installed before we ship this out?
43:08
And they're like, of course I do.
43:10
And I talked to one gentleman and then he was like, he was super helpful.
43:16
And I got like, through my whole list of flags, really like every single flag, he just gave it to me.
43:23
And then I, you know, very politely ended the call.
43:27
And I decided, instead of calling the person that I planned to call, I was going to call the next one.
43:32
And I don't know why I decided to do that. But I did.
43:34
It was just like the most amazing success on each one of the calls.
43:40
And on the last call, the guy that I called was like, oh man, well, I'm not at my computer because I'm actually three months into my four month paternity leave.
43:51
And I was expecting him to shut me down.
43:53
And I just said, oh no, I'm so sorry.
43:57
Like, I'm so sorry to bother you.
43:58
Let me, you know, let me let you go. Cause I was like trying to conserve as much time as possible to try to make another call.
44:03
And he's all, well, you know, hold on, let me just go get the laptop.
44:07
And I was like, what?
44:07
So he went and got the laptop and as he was like, booting it up, I was just like, okay,
44:14
shoot. What can I get out of him while, you know, this thing is booting up?
44:17
And so it was just like, yeah, that's so crazy.
44:19
I just had a baby too, which is totally true.
44:22
I'm like looking at my three-month-old baby.
44:24
And he was like, instantly ready to just tell me everything.
44:28
And so I asked him like, you know, while their computer's booting up, is it the, this brand, this model?
44:34
And he's like, yeah. And I was like, and did you have to type in the thing for BitLocker just now?
44:39
And he's like, oh yeah. And I was like, and you know, and I just walked him through all this stuff.
44:44
And at the end of the call, it was like, I knew I had like seconds left and I wanted to make sure that I ended it, you know, on a nice note.
44:53
And it wasn't just like a click hang up.
44:55
And so I wrapped things up like with a bow and just thanked the guy profusely and told him to enjoy the rest of his leave.
45:01
And I still feel freaking awful for every single one of these calls.
45:07
Like I feel gross about what happened after I hung up.
45:13
And did they ever reach out to IT and like, did they figure it out that they got, you know, scammed?
45:18
Or what did they feel about that?
45:20
Did I make them feel bad? Cause I really hate that.
45:22
I hate that aspect.
45:23
The nice thing about doing this for real, for money, with clients who know I'm going to call them and who I give a report to is that I can kind of like beg forgiveness after the fact and like make amends, so to speak, with them and just be like, yeah, sorry, that was a test.
45:41
And you know, you did really great at this part, but you did really bad at this part.
45:45
And you know, this is a safe learning experience.
45:47
It's much better that you failed now than with an actual attacker kind of a thing.
45:51
But at these scenarios, it's just like, I have, I still wonder, like I still remember the names of the people that I targeted the first time around and I wonder how they are and how their kids are like how the job's going.
46:06
Like, I feel like we're friends because I just like completely over-researched all of them.
46:11
She came out of the booth and felt really good about the points she scored.
46:14
She knew she got a lot of great flags and used her time very effectively.
46:19
And the audience seemed to really like it too.
46:21
They seemed entertained.
46:22
These calls aren't recorded.
46:25
So I can't play any of them for you.
46:27
Nevada is a two party consent state.
46:29
So they can't record them by law.
46:30
But despite her feeling good about it, there were still seven more contestants competing the next day.
46:35
And two of those were the ones in first and second place.
46:39
So it was too hard to tell if she had won at that point. She wouldn't know until Saturday.
46:44
And so Friday, the rest of the contestants do their things.
46:48
And then Saturday rolls around.
46:50
Alethe goes to the party where they announce the winners.
46:54
They announced the second place and it wasn't me.
46:56
And I was like, oh, well, you know, maybe next year.
46:59
And then they announced that I won.
47:02
And I just was like, first thing I said was, oh shit, I'm like holding a baby.
47:08
And I'm like, I don't even know how to, like, how do I know?
47:10
I don't even know what to do with myself. So it was really, really amazing.
47:14
And then I, I realized that my flight, like I didn't expect to win.
47:18
I'd scheduled a flight that left at 3:00 PM on Sunday from Las Vegas, and closing ceremonies start at four.
47:25
So the airport that we fly in and out of like there's one flight per day.
47:32
So that like, if you miss that flight, you're it you're, you're done.
47:35
And I had a kindergartner that was starting his first day of school on Monday morning.
47:40
So there was no getting back on Monday sometime like it had to be Sunday.
47:45
So we ended up missing the flight and we went to closing ceremonies, because it's just, it's a once in a lifetime opportunity.
47:55
Welcome to the stage, the social engineering contest.
47:59
And I took the baby up on stage with me.
48:01
Okay, so is this the first time there was a baby on stage at DEF CON?
48:05
So she won the SECTF.
48:07
No, just kidding. She didn't know it was the second year in a row that women dominated the competition.
48:13
We again have two women in the first and second place, so good, good job.
48:18
Keep it coming. Our first place winner Alethe is standing here.
48:23
I'm going to give her a bottle of alcohol.
48:24
I'm going to give her a 10th year SE head award and, and DEF CON is going to give her a black badge.
48:37
So.
48:43
The coveted black badge. By winning this contest, the main prize you get is a DEF CON black badge, which is very prestigious.
48:53
Despite the award ceremony being hosted by a guy named Grifter, on paper all it does is give you free access to DEF CON for life, but it carries a lot of prestige.
49:03
Lots of companies out there will hire someone who has earned a black badge from DEF CON, because they know DEF CON contests are incredibly competitive, and whoever wins
49:13
must be very good at winning.
49:15
Just an incredible honor. And as soon as we were done on stage, then I had to, like, we ran back to the hotel, got our bags out of the bellhop, drove to the airport and then rented a car at the airport and then drove home overnight.
49:34
The ride home was something like a seven hour drive and yeah, a baby in the car on an all night drive trying to get back before school starts in the morning, it was very tiring.
49:44
And in the car ride home, Alethe began wondering where her career would go from here.
49:49
She hoped someone would hire her to do this for a living.
49:52
But if that didn't happen, she thought maybe she'll just start her own business doing this, like a consultant.
49:59
They got home around 2:00 AM and got everyone to bed.
50:03
After that, it was like I got two hours of sleep, woke up, got the chalkboards all made up and then did first day of school pictures with my kids.
50:09
And it was like back to normal life.
50:11
And I went back to work at the staffing company.
50:17
Going back to work at that staffing company was not nearly as fun as the rush of doing social engineering engagements.
50:22
So she set off searching for a new role as a social engineer somewhere.
50:27
And you know what? There are quite a few companies out there that do hire social engineers.
50:32
It can be included as part of a security assessment to see if the company has any weak points that
50:37
a social engineer can expose. And sometimes social engineers go onsite to do a physical assessment, to try to find a way into the building and plant some rogue hardware on the network that someone can jump into from outside and then bounce off to get inside the network.
50:51
The human is the weak link in many organizations and hiring a social engineer can help you make that link stronger.
50:57
And this is what Alethe wanted to do.
51:00
I was trying to get into information security, but I was lacking a lot of the like full-scale pen testing skills at that point.
51:07
And so I was applying to jobs and people were thinking, you know, she's got a black badge, she knows everything.
51:13
And then they were looking at my resume and going, wait a second.
51:16
I was getting messages on LinkedIn from German CEOs asking if I was actually me because my resume didn't match this person that was in this German article about a social engineer who won the black badge.
51:32
She didn't have any luck finding a job as a social engineer, but she's Alethe.
51:37
And when Alethe is determined to do something, nothing will stop her.
51:42
I actually ended up deciding that I was going to start consulting on the side and I did it with the blessing of the staffing company and my boss there.
51:48
But I started doing security awareness training and then social engineering assessments and testing, phishing on my own as a consultant.
51:57
I mean, I started a number of businesses.
52:00
My husband and I have started a number of businesses and it wasn't too far fetched for me to create my own, you know, consulting revenue.
52:08
So that's what I started doing. I started consulting through Dragonfly Security and I built up a nice little client base here locally.
52:19
These companies already have security awareness training.
52:21
This is where every employee of the company has to watch a 30 minute presentation and then take a quiz about what security best practices there are.
52:28
But some companies want to take this training a step further and send phishing emails to all employees to see if any of them would still fall for it.
52:36
After they've been trained in security awareness.
52:39
I don't believe personally in setting your employees up to fail.
52:43
So I always encouraged doing the security awareness training at least within six months of doing testing, but it's really, it's an opportunity for the employees to learn from the experience and practice defending against these types of attacks, because it's something that if you're caught off guard, it can be extremely easy to fall for the types of tactics that these manipulators will use.
53:07
And the psychology behind social engineering, which really, really centers around the six principles of influence.
53:14
So all the stuff that scammers use to trick you into answering their questions, and also that used car salesmen use to get you to buy a car. But it's, it's an opportunity for clients to sometimes check a compliance box, but more often than not, it's really to make sure that their staff are absorbing the security awareness training and that they are able to defend against these kinds of attacks in like a real world simulation.
53:45
She did that for a while on her own, but really wanted to be part of a team where she could learn from others who do this, and to be able to focus on it more, because as an independent contractor, you're spending half your time just trying to find clients.
53:56
So she eventually found an opportunity to join a company called Critical Insight, which does provide penetration testing to clients as well as social engineering engagements.
54:05
And this is where Alethe is today.
54:08
One of the things she does there is try sending phishing emails to clients, to test their reactions to it.
54:14
In a phishing engagement, I'm going to try to phish every person, at least twice, during the campaigns that I, that I launch against the client.
54:23
And I, I do this because, and not for the purposes of just collecting statistical information, like how many clicked on the link, how many opened the email?
54:35
What I am actually focused on is how many people report that phishing email, how quickly is the first report received and what types of internal communications are happening at the client during the course of the campaign.
54:52
Like that's what I'm really looking for.
54:55
That's what I want to see. I don't really put a lot of emphasis on how many clicks there were though.
55:01
I do report it. And typically I would expect between like 10 or 20% click rate from the average organization, maybe four or five years ago, it would have been like a 30 to 40, 30 to 60% click rate.
55:16
But now that people are becoming more security conscious and more aware of social engineering, that number is going down.
55:22
So when a company hires her to run a phishing campaign on the company, here's what she does.
55:27
What I typically do is I will set up a landing page that is to collect credentials, and I will set that landing page up to look like an internal portal that that employee is used to putting their credentials in.
55:40
And then I will over the phone, direct them to go to my suspicious URL.
55:45
So company.us or company.org.
55:49
If that's something that's not registered by the company already, and then they'll go there and you know, it's a fail if they go there and then it's a fail, another fail if they enter their credentials and I'm able to capture those credentials because now I can log in as them and get to things that I should not be able to get to.
56:11
Sometimes she sends an email like this to everyone in the company.
56:14
Sometimes she's given the task to target certain individuals, like perhaps some key people in the company and on assignments where she has to target certain individuals.
56:21
She'll sometimes do vishing calls.
56:24
This is like phishing, but it's a phone call, just like during the contest she practiced in. She'll call up people to try to get information from them or get them to do something they shouldn't, and then put that in her report.
56:36
And her clients are often involved with critical infrastructure or even Department of Defense contractors.
56:43
And so that's the story of how Alethe became a person whose day job is phishing Department of Defense contractors.
56:51
It's a wild and weird journey for her to get here, but sometimes we need to go through wild and weird journeys just to find our true calling.
57:01
All that crazy stuff really has allowed me to get better at being able to pivot in conversations and kind of like critically solve problems very quickly.
57:10
And that's something that I think is really beneficial for social engineers.
57:14
I know a lot of social engineers encourage people to do improv.
57:18
I've never done improv, but I think that just naturally running towards uncomfortable conversations that are organic and real is the only way to really get good at this stuff.
57:31
Running towards uncomfortable conversations that are organic and real is the best way to get good at this.
57:39
Take your mixer that you bought at Costco eight years ago and go try to return it.
57:45
Huh? I wonder if I'd be good at this, because I've had quite a few uncomfortable conversations and I don't have that social anxiety that comes with them anymore.
57:56
Like sneaking into the Renaissance festival.
57:58
That's no problem. I don't mind dumpster diving or asking a store
58:02
if I can have things that aren't actually for sale, like decorations or promotional banners or something.
58:07
And I have zero worry about being kicked out of a place I'm not supposed to be in.
58:12
Maybe this is the job for me.
58:14
A big thank you to Alethe Denis for sharing this wild adventure with us.
58:25
If you're on Twitter, you should follow her there.
58:27
Her name is Alethe Denis. If you want to know more about social engineering, I've got some book recommendations for you in the show notes, but you can also find them at darknetdiaries.com/books.
58:38
So go check those out.
58:39
I try real hard to provide a valuable show to you by going through the painstaking process of putting all this together and getting you a new episode every two weeks.
58:48
Am I doing good? Do you find this show valuable?
58:51
If so, please consider supporting it through Patreon or through Apple Podcasts. By supporting the show,
58:58
It tells me that you like it and want more of it.
59:00
So thank you. This show is made by me, the slow reader, Jack Rhysider. Sound design by the fast traveling Andrew Meriwether, and our associate producer,
59:09
just back from his trip, is Ray [redacted].
59:12
Our theme music is by the bountiful Breakmaster Cylinder.
59:15
I like to play chess against computers, but I don't get upset when the computer beats me, because I'll always just challenge them to a round of kickboxing afterwards.
59:23
And I always win that. This is Darknet Diaries.
And I said, okay, okay, I'll just say I work at some other area of the festival. This way, it won't come back to youve. was flabbergasted, but gave me an employee badge anyway, which was actually good because the security guard finally caught me the next day and was all like, Finally gotcha. Now coming with me, Powell. And was like, but look, I have an employee pass. And then he was flabbergasted because he thought he caught me doing something wrong. Well, he did the right thing and he actually escorted me to the front office to make sure my badge was valid. Fun times there. Fun times. These are true stories from the dark side of the Internet I'm Jack Re iter. This is Darknet diaries. This episode is brought to you by episode is brought to you by skiff. Do you store documents or use collaboration tools Do you store documents or use collaboration tools online? If you do, you're letting someone else store your information on their systems. And some of those companies don't encrypt your documents and can peak in them if they Some of those companies don't encrypt your documents and can peek in them if they wanted. And that's where Skift comes that's where Skiff comes in. Skiff is the first collaboration platform built for privacy from ground up. Every document note and idea you write is end to end encrypted and completely private. Only you and your trusted collaborators can see what you create. Unlike Google docs, Evernote, or notion, no one, not even skiff ever has access to your Unlike Google Docs, Evernote, or Notion, no Not even Skiff. Ever has access to your stuff. And that feels and that feels good. Skiff founders are former SpaceX and Apple engineers, and they teamed up with advisor including the CTO of Signal Messenger and the Chief Information Security Officer of The New York Times 25 bring you a product built with privacy. First skiff is inviting darknet dyes listeners to skip the 60,000 person wait list and start using it first. 
Skiff is inviting Darknet diaries listeners to skip the sixty thousand person waitlist and start using it today. So go sign up for free at skiff.org/darknet that's S K I F So go sign up for free at skiff dot org slash Darknet. That's SKIFF dot org slash dark net. Can you pronounce your name for me? Sure. My name is pronounced a lethal like a lethal weapon. What are you doing these days with social engineering type are you doing these days with social engineering type stuff? So I work for a company called Critical Insight. Client base is really centered around organizations that provide critical infrastructure. So hospitals, water systems, manufacturing, DoD contractors. But kind of my my core interest is growing our social engineering side to do more fishing, fishing, and more actual social engineering physicals where we're doing engagements on-site. Yeah. Elise's job is to social engineer department of defense contractors to try to give them to do things they really shouldn't do. But how did a leaf get to this point? Well, that's actually a very interesting story. So let's rewind to when she was a kid. So this is kind of a weird weird journey. So, like buckle up. Because this is definitely not the normal How did you get into InfoSec type of story? But I I always tell people I am not good at reading people because I'm a social engineer. I'm a social engineer because I'm good at reading people. And the way that I became good at reading people is through a very chaotic series of unfortunate events and terrible relationships. And really that's the core of how I became who I am is a series of really crazy events. So Can we go that far go that far Back? We're going to go, we're going to, yeah, we're going to go all the way back to the We're gonna go we're gonna yeah. We're gonna go all the way back to the beginning. So I was born and raised in South Africa by American parents. When I was around five or six, things with my parents weren't going so great. 
And by the time I was seven, they separated and were living in different houses. And this was kind of the beginning of me having to grow up pretty quickly. My mom was always kind of like the cool big sister and she really let me have so much freedom as a kid just to explore my own creative ideas and do some really dangerous stuff, without really putting guardrails on. I was the oldest of three kids, and so I kind of ended up taking charge of my younger siblings. And when I was seven or eight, we left the country kind of under the cover of darkness and without the knowledge of my dad. So we moved from South Africa to Botswana to live with my grandparents for a while, while my mom kind of figured out what she was gonna do. And then we moved from Botswana to California around the time I started fourth grade. And when we were living there, you know, my brothers and I were welfare kids. And this is kind of where I got started, really honestly started in social engineering. Like, I was almost kind of a manipulative kid. Like, I could figure out how to get adults to do what I wanted them to do for me. But this is really where things started to get interesting.
She was a latchkey kid, meaning she'd be home alone with her brothers while her mom was at work. This gave her freedom to do things without an adult telling her what to do. On top of that, her family didn't have that much money.
And in the nineties, it was like, you know, my mom would just kick us out on the weekends, and I would just rollerblade around town for twelve hours. And get the bus, go downtown, go through all the shops. I learned to … we would sneak into movie theaters. We would just get into, like, pretty harmless trouble just as, you know, preteen kids rolling around downtown, doing whatever the heck we could get away with.
She was practicing how to be sneaky and manipulate adults into getting what she wanted.
At the age of eleven, I had my own video tape, like VHS cassette tape, rental account at the movie store that was between my school and my house. And they would let eleven year old me come in and rent movies and take them home, and trusted me to bring them back. They opened the account for me with no ID, no nothing.
In seventh grade, she moved back to South Africa to live with her dad for a while, and he enrolled her in a very strict Catholic school.
And I made, like, the worst possible mistake that any new kid could make. And, I mean, I wasn't a stranger to being a new kid in a new school where people already had, like, established friends and relationships, and you were, like, a complete outsider, because I'd done it now a few times. But this time, I decided that I was gonna try to be one of the cool kids, which is like the worst thing I ever could have done ever, ever, ever. Because I started making up just total BS stories about all these crazy things that I did when I lived in America, and it was, like, the worst. It totally backfired. So this was, like, a really great lesson for me as a social engineer. That, you know, over embellishing, instead of having all the kids at my new school think I was super cool, they actually thought I was a complete and total idiot.
Kids were picking fights with her. Nobody trusted her. The only friends that she made were other liars. And she didn't like that. Her dad moved her to another school, and this one was an all girls school. Now, this was in the late nineties in South Africa. Not many schools had computer programs then, but this one actually had a computer lab and really tried to get the girls into computers.
So I started doing computer science. I learned to code in Turbo Pascal.
And I was just completely, like, hardcore sucked into this idea that I was going to learn to code so that I could hack this game that we would play just on, like, the LAN at the school that was called LORD, Legend of the Red Dragon. It's like a completely text based, like, role play game type scenario. And so I was obsessed with this game, and I would spend most of coding class playing the game and then catch up on all the coding stuff, like, after school and do my assignments and stuff like that then. But I just became completely obsessed with computers and technology and coding, and I just went completely all in on, like, biology and computer science. And that was my thing. And when I graduated, I went to school at the University of Cape Town. And I was doing a bachelor's in chemical and molecular sciences with a minor in computer science. And this was the year that I just decided to completely just demolish my life. I was eighteen and my parents were super strict. And so I decided I was gonna just ditch class and go hang out with my boyfriend, you know, just, like, be a kid, because I finally had some freedom outside of this very structured all girls uniform Catholic school kind of environment. So I got into trouble. I got into, like, big trouble. And for years, I'd been hanging out in IRC chat rooms, talking to just random people. And started a few friendships with people, and some of them escalated over the course of, like, four or five years. And even though I had, like, a boyfriend in real life, I also had a few people that I was keeping in contact with over IRC chat rooms. And one of these people essentially groomed me over the course of four or five years. And I got to the point where I so implicitly trusted this person and was so turned against my own family that I made some really, really terrible decisions, like awful decisions.
The person she was chatting with online was from Virginia.
On the other side of the world from where Alethe was in South Africa. The person asked Alethe a lot of personal details. ASL to begin with: age, sex, location. Then more details like her phone number and eventually her address. When they got her address, that's when things got weird.
They were sending me care packages, like, from the United States. So all I know is that the packages came from Virginia, and that when my folks figured out what was going on, they lost it. It really freaked them out. And they were completely justified in their freaking out, for sure. And so it was kind of like the catalyst of this series of events that eventually led to, like, it ended in me getting kicked out, and South Africa is not the greatest place for you to live alone as a young woman, and it's very dangerous. So my dad was like, look, you can't stay here, you're not going to class, you're not holding up your end of the bargain, basically. And he was completely justified in doing this, but he gave me the opportunity to move back to the States and kind of reboot my life. And I think it really was the best possible scenario given the damage that I had done. I was very destructive in my own life. Just had destructive tendencies. I struggled with depression and anxiety, and just kinda like trying to find and figure out who I was, was gonna be something that I would be a lot more successful doing here in the States.
So she moved from South Africa back to California, which is where she's been for the last twenty years. But it wasn't easy getting established back in the States. Her college credits didn't transfer, which meant she had to start over with college, and she didn't have a good job to get by with. Her future was just not looking so good.
And that led her to depression and anxiety, and she was worrying about how she'd find food just to live.
I literally took a job scooping poop at a pet store for minimum wage. And at the time that was six dollars and twenty five cents an hour. And I loved that job because everybody there was so neat. And I got to play with puppies. Which was great.
Working retail taught her some new skills about how to deal with angry customers. It improved her social and communication skills. And then she got a job at a title company where she had to research who owns certain properties.
Through the course of these positions, I learned a lot about public record. I was essentially searching public record for information about people and property and putting together chains of title of property, like, from the beginning of time until now: who's owned this property? What documents have been recorded against it? What easements or liens are against the property, etcetera?
This is where she picked up some OSINT skills. OSINT is an acronym. It stands for Open Source Intelligence Gathering. She was learning how to find people and what properties they've owned over time. If it was owned by a business, then she could look up who the owners of that business were. There are a lot of details in public record. And she became a whiz at mining these public records to find the information she needed. But then she quit doing that and had a string of other jobs that all gave her new knowledge in different areas. Such as selling mobile phones, doing social media management, marketing, doing tech support for software, and then she landed a job at a staffing company where she was doing research and writing reports. Around that time, she and her husband started an IT company themselves. It was small and not big enough for them to quit their jobs and do it full time, but they wanted to make sure their services were secure, which is how they heard about Defcon. Defcon is the largest hacking conference.
Held every year in Las Vegas, Nevada.
And the first Defcon that I went to, I discovered the Social Engineering Village, and it was kinda like everything I'd been doing since I was a, you know, kid kind of all coming together under one umbrella called social engineering.
At Defcon, they have these villages. There's a biohacking village, which has people hacking medical devices and their own bodies. There's a car hacking village where they have an actual car in the conference that you can try to hack into. And there's just so many. There's Lock Pick Village, IoT Village, Wireless Village, Voting Machine Village, but one of the most popular is the Social Engineering Village. Here, they have speakers up on stage sharing their tricks of the trade, which is basically how to manipulate people to get them to do things that you want them to do. Such as letting you in a secure building, clicking a link in a phishing email, or calling someone up and getting them to tell you a key bit of information that might help you break into a place.
And at first, I was really focused on, like, the manipulation and the coercion and, like, all the negatively slanted words that really fall under social engineering, and it just completely captured my attention and my focus.
But if you hang out in the Social Engineering Village long enough, you'll realize that the main event is the contest. And the final round of the contest is done on stage live in front of everyone. And the contestant goes into a soundproof booth and calls up a company to try to get someone there to tell them some key information, and this is broadcast live in the conference room in front of everyone.
They told me about the social engineering capture the flag contest where they put folks into a soundproof booth. They give them twenty minutes, and they call a target company, and they have to elicit information from the employees of their target company over the phone, and I was completely floored.
I thought there's no way I could ever do something like that. That is absolutely insane. Like, I'm the type of person that will send a hundred and fifty emails before I pick up the phone just to avoid talking to people. Generally speaking, that's me. And so I was like, this is nuts. There's no way that I can ever do something like that. That's crazy, but I want to watch this happen. So the next year, we went to Defcon and I was like, see you, everybody that I came with. I'm gonna go grab some food and sit in the back of SE Village all day to make sure that I can listen to all these calls. So, like, I went to Starbucks and grabbed breakfast and, like, a couple of snacks and a coffee and a water. And then I stayed for the rest of the day to listen to the remaining contestants. And then the next day, I kinda did the same thing. And I didn't leave. Like, I didn't leave to go to the bathroom. I didn't leave to go get lunch. I was there from, like, ten until after two when they ended the last of the seven calls for each day.
These are always interesting calls to watch. It's live. So you don't know what's gonna happen next, but the contestant has a goal to get certain flags. The flags might be things like: what make and model is your laptop? Are security guards watching the front door? What software is on the laptop? What are the password policies at the company? Or other security related pieces of information. The more flags you get, the more points you get.
So the neat thing about the social engineering capture the flag is that each of the contestants, and there's only fourteen each year, they are selected from a group of, you know, two hundred, three hundred applicants, and they get a Fortune five hundred company as a target, about six weeks ahead of Defcon.
They get four weeks to do OSINT and investigate that target and find as much information as they can about them, and then see if they can find very specific flags of information that the contest runners have assigned points to. And then they compile a report, they submit that to the contest runner, and it's graded, and then they use all the information that they found during the course of their OSINT, their investigation, to then call that target from a soundproof booth in front of five hundred to a thousand hackers live in a room with a twenty minute time limit. I mean, it is like the most high pressure crazy situation ever, and you're just praying that somebody answers the phone, and then when they do answer the phone, you're praying that you can keep your stuff together and remember who you decided you were gonna pretend to be, to get these people to give you those same flags of information, or confirm them if you already know, over the phone.
The more Alethe watched these people make these phone calls and try to social engineer people, the more she wanted to do that.
Like, I saw the movie Hackers after it first arrived in South Africa. And it was just like, oh my gosh. This is who I wanna be. Like, I thought for the longest time that I just wanted to be Dade, Zero Cool, like him. That was the first time I saw, like, social engineering, that part where he social engineers the guy at the TV station.
Here's the clip she's referring to, from the nineteen ninety five film called Hackers.
Security, Norm. Norm speaking.
Norm, this is Mr. Eddie Vedder from accounting. I just had a power surge here at home and wiped out a file I was working on. Listen, I'm in big trouble. You know anything about computers?
Gee. Right.
Well, my BLT drive on my computer just went AWOL, and I got this big project due tomorrow for Mr. Kawasaki. And if I don't get it in, he's gonna ask me to commit hara-kiri.
Hara-kiri. Yeah.
Well, you know, these Japanese management techniques. Could you read me the number on the modem? It's a little boxy thing, Norm, with switches on it, by my computer. Talk to the one there. 212-555-4240.
It just completely floored me. I thought that was the coolest thing ever, ever. And I wanted to be like that so badly. And it felt like I kinda put all that stuff on hold for, you know, I think I was, like, a teenager when I saw that. So it felt like I put all that stuff on hold for, like, ten or fifteen years. And then walking into Defcon the first time, it was just like, oh my god. I'm home. Like, these are my people. Like, this is the island of misfit toys that I have been looking for, for over a decade. And everybody was so flippin' welcoming and accepting and supportive and awesome that I was just like, I wanna live here. And so it was kinda like finding my niche, you know, after the second Defcon, after watching all the calls at SE Village and seeing, you know, actual real social engineers do the thing in front of everyone, and just, like, I just wanted to be like that. I wanted to have that confidence, and I really wanted to push myself to get more comfortable with having uncomfortable conversations with people. Because I felt like it would just make me a better, you know, business owner, a better communicator, a better employee, a better parent, a better spouse. I just didn't think that I could really go wrong with improving those types of skills.
She goes home that year thinking about competing in the next social engineering capture the flag contest. She wants to try it, but she doesn't think she'll qualify, and she questions herself. But then at the last minute, she decides to apply to be a contestant.
I ended up getting selected as one of the fourteen contestants.
About three months before Defcon, they assigned the contestants their target. Alethe was assigned a trucking company in the US, and she had about four weeks to do OSINT on them and turn in her report. Now with OSINT, you can only get data that's publicly available. You can't call someone or phish someone or hack into something to get the information. She had to find as much information as she could about this company through public sources, such as going to the company's LinkedIn and seeing who works there and then finding those employees on their social media accounts and looking at their profiles. This first round of the contest is to try to gather certain flags, or pieces of information, from the company and compile that into a report and turn it in a month before Defcon begins.
So flags, they are everything from information that would help in the context of, like, a physical contest. So who does the garbage service? Who's the janitorial service provider? Who runs the cafeteria? Who's the vending machine service and repair company? Those kind of things. Then there's, like, company wide type technology, like, who's the VPN provider? Do they have WiFi available on-site? What is the SSID or the name of that WiFi that is available to guests? Or internally, the version and the type of browser they use, their PDF viewer, whether or not they use a specific parcel service, the make and model of the laptop or computer that the employee was issued.
Alethe begins collecting data on this trucking company.
I had a tough time figuring out the best way to do this. In brief, I basically start with the company website. And then from there, I'll move into company review websites like Glassdoor and Indeed, to learn about company culture and any, like, inflammatory things that I can use to kind of build rapport with the employees.
And then from there, I look at open job descriptions, to see if they name any specific types of technology or, you know, help desk services that they use, and things like that can be useful to me. And then once I'm done with, like, company review websites and job descriptions, then I'll get into some more detailed snooping. Usually, this involves a lot of Google dorking, because now I've kinda got an idea of what type of pretext I'm gonna use, and I want to find more information to support that pretext. So say I wanna impersonate an internal employee and call the help desk, then I might be Google dorking to look for all documents that are on that domain, that are a file type PDF, that contain the word onboarding or new hire or something like that. Because I wanna find where it says, you know, if somebody's having issues with technology, call this number, and usually that's their internal help desk. So that's kind of an example. But I use a lot of social media as well. So I will find the address of the headquarters or the branch locations that I wanna target, and or where the employees sit who I want to target. And then I'll put that address into Instagram, into the location search, and find all the pictures that are geotagged to that location and see if I can find things in those pictures that will help me. Stuff like employee badges, things that would show employee ID numbers so I can get a good idea of what those look like and how they're composed. I'll also look for, you know, pictures where there's always one where it's like the Starbucks coffee cup in front of the open monitor with all their applications up. That's my favorite. And then from there, I just kind of snoop until I find some more of the stuff that I want.
Like, I wanna know who the cafeteria vendor is. One of my most favorite pretexts is that I will call and pretend to be from the corporate office of the cafeteria vendor for the cafeteria that's within the headquarters or the office building of my target company, because it's usually, like, it's not close enough to them for them to go, oh, what's your name? Let me put it in the global directory. But because it's an entity that has, you know, authorization to be within their building, it's kind of inherited the trust of that organization. And so therefore I would inherit it, saying that I work for that cafeteria vendor that they've already had an existing working relationship with forever. So the more information I can gain through OSINT, the better equipped I'm gonna be on the calls, and that's really where I think the majority of social engineers, especially in the context of the social engineering capture the flag, have been successful. Is just being over prepared with knowledge about the company and what they use and do.
She spends the four weeks collecting as much data as she could about this company.
I turned in my report and I was kinda like, well, hopefully that wasn't terrible. And I was actually fifth out of fourteen. My report was scored fifth highest in points, based on the flags of information that I found on the target.
Well, that's pretty good for a first time competitor. The final score is a combination of the points you get from this report and the points you get from the live on stage call at Defcon. So she has a chance of being in the top few if she can outscore some of the others that did better than her on the report.
So what happens at Defcon for the competition is you report to SE Village. They get you, you know, checked in and whatnot.
And then when it's your turn, they put you into the booth, you get a pair of headphones, and you are sitting on a stool in front of a, you know, pretty high quality microphone. And you have a list of the numbers that you want to call, and you have a list of the numbers that you would like to spoof to support your pretext, or who you've decided you're gonna pretend to be.
Now, the target they gave her is just this company. They didn't even provide any phone numbers or specific people to target at the company. That was all up to Alethe to figure out which person or people to target and what their phone numbers were. And the company that runs the Social Engineering Village has some pretty good lawyers to help make sure this is all legal. And so Alethe provided the phone numbers to the contest runner, who then dials a number and connects her to the call.
During the contest, not only are you on a stage in a booth with glass in front of you, and everyone watching, but they also have cameras inside the booth. And so you're on, like, two or three giant screens in this enormous ballroom inside a casino. And everyone is just watching every twitch. And so once you're, like, ready to go, they start the twenty minutes on the timer, and it's a big red numbered timer that they hold in front of your face. And then you, you know, call number one or two or three, whatever it is on your list, and spoof number one or two or three or whatever it is on your list, and you go.
Alethe was prepared for this though. She had a plan. She had a pretext ready, which is who she was going to pretend to be when calling these people. And she had practiced this pretext in her head. And she knew a lot about the people she was going to be calling from all the past research she did on them.
So you can bring whatever material you want into the booth. There are people that like to bring props like keyboards and stuff like that. I went very low tech.
I brought in, like, three sheets of paper, and one of them was a list of all the flags that I'd made, like, my top priorities of each of the flags that I wanted to get. And then I kinda draw up, like, a four square for my pretext. And I have, like, a, you know, like, magic quadrant kind of an idea. But one square is who I am and my information: me, my pretext person that I'm pretending to be. One square is who I'm targeting: their phone number, their information, email address, whatever, about them. So that I remember who I'm talking to and I don't freak out. And then I have, like, a box that has the key points of my pretext. Like, what company do I work for? Why am I calling? What do I need? And then I have the other box that's, like, my goals for the call. Like, these are the flags that I wanna get out of this call.
She was able to get a few more flags from this other person and then her time was up. So she ended the call. On Saturday, they tally up the scores and announce the winners. Alethe got sixth place. But she had a blast.
Having the ability to make people laugh and have them respond to what I was doing in that way was just, like, phenomenally rewarding. It made me feel amazing. And so after that, I was just like, this is what I wanna do for my life. This is it.
Now while she was in Vegas that year, something else happened.
At that Defcon, I ended up getting pregnant.
She really wanted to compete in next year's social engineering contest. But with a baby on the way, that complicates things. Stay with us, because after the break, she comes up with a plan.
Support for this episode comes from Blinkist.
For some reason, my life is busier now than it's ever been. And when my life gets busy, I feel like I don't have enough time to read entire books. And this is where Blinkist comes in to help. Blinkist takes thousands of non-fiction books and condenses them down to what they call blinks, which are the key takeaways from the book. So in fifteen minutes, I can get the core concepts of great books like The Four-Hour Workweek by Tim Ferriss, Zucked by Roger McNamee, or Why We Sleep by Matthew Walker. And get this. If you're still just too much on the go and you can't sit down for fifteen minutes to read something, they have audio versions of these blinks too. So you can listen on the go. Right now, for a limited time, Blinkist has a special offer just for you. Go to blinkist.com/darknet to try your free seven day trial and save twenty five percent off a new subscription. That's Blinkist, spelled B L I N K I S T, blinkist.com/darknet to start your seven day trial and get twenty five percent off, but only when you sign up at blinkist.com/darknet.
By this point in her life, she's already had three kids. Now another is on the way. And the social engineering capture the flag contest was one year away. But this was such an important competition for her that she was absolutely determined to compete in it. So May rolls around.
Which is when you apply for the contest.
I applied while pregnant.
She gets accepted to compete. She has the baby, and shortly after that, they give her the target.
So I was on maternity leave. And I was like, if I can use my maternity leave to do the OSINT, that would be, like, perfect. Because I won't be juggling a newborn and work and the OSINT. It'll just be a newborn and the OSINT and the other three kids.
So she spends her maternity leave doing the OSINT part, researching the client, finding the best way to approach them, and gathering as many flags as she could for the report.
I only focused on doing better than I had the year before. That was my main objective, was I just wanna do better than sixth. That's it. Like, if I can get into the top three, that would be amazing, but I just wanna do better than I did the year before. I almost did not want to win. I didn't wanna win because as soon as you win, you can't compete anymore, you're out. And I really enjoy playing the game more than anything. So I went into it determined to do better than sixth. I did the OSINT for my report. I turned the report in and I ended up placing third in the report scoring. So I was like, hey, if I hold third, that would be crazy. If I was able to push it up to second after the call round, that'll be nuts. So I went to Defcon, took the baby.
For this trip to Defcon, she takes herself and her three month old baby and her husband. The other three kids stayed back at home in California. And so they fly out to Las Vegas. Defcon starts on Thursday and goes all weekend to Sunday. And she had to get back home by Sunday night because her kids started school Monday morning.
So I ended up bringing a three month old baby with me to Defcon, which I don't recommend, and I highly discourage anyone to do in the future because it's not a fun experience. But I committed to competing, and I wasn't sure if I was gonna be able to compete after that.
And so I was just like, I'm gonna go for it. Like, she'll be young enough, and I'm an experienced enough mother to know that a kid under the age of four months is highly portable, easy to feed, very easy to take care of, and very cooperative compared to, like, the toddler age, for going to Vegas. So in the morning, I just got us all up and ready, went to SE Village. I was competing on the first day, which was Thursday, and I was the last person to compete that day. So I was seventh on the first day. And I tried to watch the rest of the calls, but I really wanted to be respectful of the other contestants. So, like, if the baby got fussy, I would walk out to the hallway and go take care of her, or stand in the back of the room just so that other people could see and I wasn't a distraction or, you know, being disruptive. And so I missed so many of the calls, which sucked because I really wanted to watch them all. And then when it was my turn to go, like, I'd run to the bathroom, like, five minutes before my time. And I'm like, don't worry, I'm coming back. And then changed the baby, finished nursing the baby, had to run back up to the front, like, throw the baby at my husband, and just, like, prayed she didn't start crying while I was in the booth. Because as a mom, it just, like, triggers you, especially very shortly after having a baby. If you hear a baby crying, like, it just, like, sidetracks your whole brain. And I wanted to, like, be able to maintain that focus. So I was praying she wouldn't start crying, and sure enough, as soon as I started dialing the first number, she started crying. And I think it's just because they were, like, broadcasting the ringing of the phone out to the whole room, but it was just kinda like an overwhelming situation for her, which I totally appreciate. So I just had to, like, put myself in the zone and, like, ignore everything outside of the booth. Like, everything outside of the booth just was blackness.
And had to focus on who I am, who I'm calling, what I'm doing, what I'm saying. Like, that's all that matters right now. So my first call was gonna be to support, and I was gonna pretext as a new intern, because it's summer and this company had a lot of summer interns and they were very public about it on social media, so it fit. I was just gonna be like, I'm trying to go to this website for training and I can't get there. Can you help me? Can you try it? And finally, I convinced this person to go to the link, and they confirmed what they saw. And then I just said, oh my gosh, I'm such an idiot. I wasn't even on the Internet. But I just tried to get off the phone with him as fast as possible, so I could salvage as much of my twenty minutes as I could. So after that call, I hung up, and I had decided that I was going to target their regional salespeople, their remote salespeople that were responsible for various regions of the United States. And my target was a ginormous tobacco company. So I almost didn't feel bad. So I ended up getting their cell phone numbers through my OSINT for these regional salespeople. And I learned a ton about how they treat their salespeople from the company reviews that were left on Glassdoor by salespeople. And I knew that they had company cars, company laptops, company cell phones, and all that stuff. So I knew a lot of what they would have already, and I could just make this super easy and ask them to confirm it. But I needed to figure out how I was going to give myself the authority to ask those questions without raising their eyebrows, so to speak. So the pretext that I came up with was I was helping IT contact people whose computers hadn't connected to the VPN in a while, because we were getting ready to replace remote workers' laptops, and we were trying to confirm what software and applications they had on their computer before we shipped the replacement computers out.
And every remote worker wants a new laptop, because every remotely deployed laptop has issues. It's just a fact. And so I was like, I'm incentivizing them with a new laptop. They are going to trust me because I sound nice and likable, and I'm an internal employee. So I started the call by saying, hi, this is Bethany. I'm calling from the headquarters in this town. And so immediately, they know who I am, where I'm calling from, and that I'm an internal employee. So I've, like, knocked all those things out of the list of objections already. And I've made them feel better about the fact that I'm internal by saying where I am located, so they feel safe, that I'm calling from the headquarters and I know where that is and it sounds legit. Then I gave myself a name that was a little younger, and I tried to sound, like, I raised my voice just a bit, just to sound a little younger. And then if they pushed back about the IT part, I was just gonna be like, yeah, I'm an intern. I'm just helping IT, and so I don't know, but they just gave me this list, and, you know, the sooner I can get this done, the faster you'll get your laptop, basically. Zero people pushed back. No people. And so I just said, you know, we're getting ready to send out these laptops. Do you have a couple minutes just to go through your computer with me and answer a few questions, to make sure that we get you all the programs and applications that you need installed before we ship this out? And they're like, of course I do. And I talked to one gentleman, and he was super helpful. And I got, like, through my whole list of flags. Really, like, every single flag, he just gave it to me.
And then I, you know, very politely ended the call, and I decided, instead of calling the person that I planned to call, I was gonna call the next one. And I don't know why I decided to do that, but I did. It was just like the most amazing success on each one of the calls. And on the last call, the guy that I called was like, oh, man, well, I'm not on my computer because I'm actually three months into my four-month maternity leave. And I was expecting him to shut me down. And I just said, oh, no, I'm so sorry. Like, I'm so sorry to bother you. Let me, you know, let me let you go, because I was, like, trying to conserve as much time as possible to try to make another call. And he's all, well, you know, hold on. Let me just go get the laptop. And I was like, what? So he went and got the laptop. And as he was, like, booting it up, I was just, like, okay, shoot, what can I get out of him while, you know, this thing is booting up? And so I was just like, yeah, that's so crazy. I just had a baby too, which is totally true. I'm, like, looking at my three-month-old baby. And he was, like, instantly ready to just tell me everything. And so I asked him, like, you know, while the computer's booting up, is it this brand, this model? And he's like, yeah. And I was like, and did you have to type in the thing for BitLocker just now? And he's like, oh, yeah. And I was like, and, you know, and I just walked him through all the stuff. And at the end of the call, it was like, I knew I had, like, seconds, and I wanted to make sure that I ended it, you know, on a nice note, and it wasn't just like a click hang up. And so I wrapped things up, like, with a bow, and just thanked the guy profusely and told him to enjoy the rest of his leave. And I still feel freaking awful for every single one of these calls. Like, I feel gross about what happened after I hung up, and did they ever reach out to IT, and, like, did they figure it out that they got, you know, scammed?
Or what did they feel about that? Did they make them feel bad? Because I really hate that. I hate that aspect. The nice thing about doing this for real, for money, with clients who know I'm gonna call them and who I give a report to, is that I can kinda, like, beg forgiveness after the fact and, like, make amends, so to speak, with them and just be, like, yeah, sorry, that was a test. And you did really great at this part, but you did really bad at this part. And, you know, this is a safe learning experience. It's much better that you failed now than with an actual attacker, kind of a thing. But in these scenarios, it's just like, I still wonder. Like, I still remember the names of the people that I targeted the first time around. And, like, I wonder how they are and how their kids are. Like, how's the job going? Like, I feel like we're friends, because I just, like, completely over-researched all of them. She came out of the booth and felt really good about the points she scored. She knew she got a lot of great flags and used her time very effectively. And the audience seemed to really like it too. They seemed entertained. These calls aren't recorded, so I can't play any of them for you. Nevada is a two-party consent state, so they can't record them by law. But despite her feeling good about it, there were still seven more contestants competing the next day, and two of those were the ones in first and second place. So it was too hard to tell if she had won at that point, and she wouldn't know until Saturday. And so Friday, the rest of the contestants do their things. And then Saturday rolls around. Elise goes to the party where they announce the winners.
They announced the second place, and it wasn't me. And I was like, oh, well, you know, maybe next year. And then they announced that I won, and I just was like, the first thing I said was, oh shit. I'm, like, holding a baby, and I'm, like, I don't even know what to do with myself. So it was really, really amazing, and then I realized that about my flight. Like, I didn't expect to win. I'd scheduled a flight that left at three PM on Sunday from Las Vegas, and closing ceremony started at four. So the airport that we fly in and out of, like, there's one flight per day, so that, like, if you miss it, you're done. And I had a kindergartener that was starting his first day of school on Monday morning, so there was no getting back on Monday sometime. Like, it had to be Sunday. So we ended up missing the flight, and we went to closing ceremonies because it's just a once-in-a-lifetime opportunity. Welcome to the stage, the social engineering contest. And I took the baby up on stage with me. Okay, so is this the first time there's been a baby on stage at DEF CON? So she won the SECTF. No. Just get it. She did it. She did it. I just get it. It was the second year in a row that women dominated the competition. We again have two women in the first and second place. So good, good job. Keep it coming. Our first place winner, Elise, is standing here. I'm gonna give her a bottle of alcohol. Okay. I'm gonna give her a tenth year SE head award, and DEF CON's gonna give her a black badge. By winning this contest, the main prize you get is a DEF CON black badge, which is very prestigious, despite the award ceremony being hosted by a guy named Rifter. On paper, all it does is it gives you free access to DEF CON for life. But it carries a lot of prestige.
Lots of companies out there will hire someone who has earned a black badge from DEF CON, because they know DEF CON contests are incredibly competitive, and whoever wins it must be very good at what they do. Just an incredible honor. And as soon as we were done on stage, then I had to, like, we ran back to the hotel, got our bags out of the bellhop, drove to the airport, and then rented a car at the airport and then drove home overnight. The ride home was something like a seven-hour drive. Yeah. A baby in the car on an all-night drive, trying to get back before school starts in the morning. It was very tiring. And in the car ride home, Elise began wondering where her career would go from here. She hoped someone would hire her to do this for a living. But if that didn't happen, she thought maybe she'd just start her own business doing this, like a consultant. They got home around two AM and got everyone to bed. After that, it was like, I got two hours of sleep, woke up, got the chalkboards all made up, and then did first-day-of-school pictures with my kids, and it was, like, back to normal life. And I went back to work at the staffing company. And going back to work at that staffing company was not nearly as fun as the rush of doing social engineering engagements. So she set off searching for a new role as a social engineer somewhere. And you know what? There are quite a few companies out there that do hire social engineers. It can be included as part of a security assessment, to see if the company has any weak points that a social engineer can expose. And sometimes social engineers go on-site to do a physical assessment, to try to find a way in the building and plant some rogue hardware in the network, something that someone can jump into from outside and then bounce off to get inside the network.
The human is the weak link in many organizations, and hiring a social engineer can help you make that link stronger. And this is what Elise wanted to do. I was trying to get into information security, but I was lacking a lot of the, like, full-scale pen testing skills at that point. And so I was applying to jobs, and people were thinking, you know, she's got a black badge, she knows everything. And then they were looking at my resume and going, wait a second. I was getting messages on LinkedIn from German CEOs asking if I was me, because my resume didn't match this person that was in this German article about a social engineer with the black badge. She didn't have any luck finding a job as a social engineer, but she's Elise. And when Elise is determined to do something, nothing will stop her. I actually ended up deciding that I was gonna start consulting on the side, and I did it with the blessing of the staffing company and my boss there. But I started doing security awareness training and then social engineering assessments and testing phishing on my own as a consultant. I mean, I started a number of businesses. My husband and I have started a number of businesses, and it wasn't too far-fetched for me to create my own, you know, consulting revenue. So that's what I started doing. I started consulting through Dragonfly Security, and I built up a nice little client base here locally. Some of these companies already have security awareness training. This is where every employee of the company has to watch a thirty-minute presentation and then take a quiz about what security best practices there are. But some companies wanna take this training a step further and send phishing emails to all employees to see if any of them would still fall for it after they've been trained in security awareness.
I don't believe personally in setting your employees up to fail. So I always encourage doing the security awareness training at least within, you know, six months of doing testing. But it really is an opportunity for employees to learn from the experience and practice defending against these types of attacks, because it's something that, if you're caught off guard, it can be extremely easy to fall for the types of tactics that these manipulators will use, and the psychology behind social engineering, which really, really centers around the six principles of influence. So all the stuff that scammers use to trick you into answering their questions, and also that a used car salesman uses to get you to buy a car. But it's an opportunity for clients to sometimes check a compliance box. But more often than not, it's really to make sure that their staff are absorbing the security awareness training and that they are able to defend against these kinds of attacks in, like, a real-world simulation. So she did that for a while on her own, but really wanted to be part of a team, where she could learn from others who do this and to be able to focus on it more, because as an independent contractor, you're spending half your time just trying to find clients. So she eventually found an opportunity to join a company called Critical Insights, which does provide penetration testing to clients as well as social engineering engagements, and this is where Elise is today. One of the things she does there is try sending phishing emails to clients to test their reactions to it. In the phishing engagement, I'm going to try to phish every person at least twice during the campaigns that I launch against the client. And I do this because, and not for the purposes of just collecting statistical information, like how many clicked on the link, how many opened the email.
What I am actually focused on is how many people report that phishing email, how quickly is the first report received, and what types of internal communications are happening at the client during the course of the campaign. Like, that's what I'm really looking for. That's what I wanna see. I don't really put a lot of emphasis on how many clicks there were, though I do report it. And typically, I would expect between, like, ten or twenty percent click rate from the average organization. Maybe four or five years ago, it would have been like a thirty to forty, thirty to sixty percent click rate. But now that people are becoming more security conscious and more aware of social engineering, that number is going down. So when a company hires her to run a phishing campaign on the company, here's what she'll do. What I typically do is I will set up a landing page that is to collect credentials, and I will set that landing page up to look like a portal that that employee is used to putting their credentials in. And then I will, over the phone, direct them to go to my suspicious URL. So company dot US or company dot org, that's something that's not registered by the company already. And then they'll go there, and, you know, it's a fail if they go there. And then it's another fail if they enter their credentials and I'm able to capture those credentials, because now I can log in as them and get things that I should not be able to get to. Sometimes she sends an email like this to everyone in the company. Sometimes she's given the task to target certain individuals, like perhaps some key people in the company. And on assignments where she has to target certain individuals, she'll sometimes do vishing calls. This is like phishing, but it's a phone call, just like during the contest she practiced in. She'll call up people to try to get information from them, or get them to do something they shouldn't, and then put that in her report.
And her clients are often involved with critical infrastructure or even Department of Defense contractors. And so that's the story of how Elise became a person whose day job is phishing Department of Defense contractors. It's a wild and weird journey for her to get here. But sometimes we need to go through wild and weird journeys just to find our true calling. All of that crazy stuff really has allowed me to get better at being able to pivot in conversations and kind of, like, critically solve problems very quickly. And that's something that I think is really beneficial for social engineers. I know a lot of social engineers encourage people to do improv. I've never done improv, but I think that just naturally running towards uncomfortable conversations that are organic and real is the only way to really get good at this stuff. Running towards uncomfortable conversations that are organic and real is the best way to get good at this? Like, take your mixer that you bought at Costco eight years ago and go try to return it. Huh. I wonder if I'd be good at this, because I've had quite a bit of uncomfortable conversations, and I don't have that social anxiety that comes with them anymore. Like sneaking into the Renaissance Festival, that's no problem. I don't mind dumpster diving or asking a store if I can have things that aren't actually for sale there, like decorations or promotional banners or something. And I have zero worry about being kicked out of a place that I'm not supposed to be in. Maybe this is the job for me. A big thank you to Elise Dennis for sharing this wild adventure with us. If you're on Twitter, you should follow her there. Her name is Elise Dennis.
If you want to know more about social engineering, I've got some book recommendations for you in the show notes, but you can also find them at darknetdiaries.com/books. So go check those out. I try real hard to provide a valuable show to you by going through the painstaking process of putting all this together and getting you a new episode every two weeks. Am I doing good? Do you find this show valuable? If so, please consider supporting it through Patreon or through Apple Podcasts. By supporting the show, it tells me that you like it and want more of it. So thank you. This show is made by me, the slow reader, Jack Rhysider, sound designed by the fast-traveling Andrew Meriwether, and our associate producer, just back from his trip, Ray [Redacted]. Our theme music is by the beat weaver Breakmaster Cylinder. I like to play chess against computers, but I don't get upset when the computer beats me, because I'll always just challenge them to a round of kickboxing afterwards, and I always win that.
59:26
This is Darknet Diaries.