Speaker: Marcus Liotta, 13-year Systems Engineer & Technology Veteran
Background: Psychology and social engineering specialist, published fictional works employing psychological concepts
Key Focus: Understanding human psychology in security, practical social engineering tactics, and being "awesome"
The "Awesome" Philosophy
Marcus Liotta begins with a unique perspective on personal effectiveness in security and social engineering contexts.
Core Insight: "Not everybody can be awesome, but you can teach people how to believe you are awesome. That gives you motivational value, confidence in yourself, and enables you to do things like get up on stage at SE Village."
Benefits of Being Perceived as Awesome:
- Increased personal motivation and confidence
- Enhanced ability to influence others
- Greater professional opportunities
- Improved social engineering effectiveness
- Better team leadership and collaboration
Current Threat Landscape Statistics
2016-2017 Threat Increases:
- 55% of email is considered spam
- 80% more attacks on Mac OS
- 600% more attacks on IoT devices
2017-2018 Threat Evolution:
- Some malicious attacks decreased (surprisingly)
- Ransomware increased on corporate gateway infrastructure
- 55% of email still spam in 2018
- 80% increase in IoT device attacks
- 1000% increase in PowerShell-based ransomware
PowerShell Importance: "PowerShell is a very useful tool. I use it in system engineering all the time and highly recommend anybody in the technical field learn at least a little bit about PowerShell because it's such a powerful tool."
Spear Phishing & Current Attack Methods
- 71% of current attacks against companies involve spear phishing
Spear Phishing Definition:
"The act of gathering information beforehand to specifically target individuals for whether it be information, profit like getting a wire transfer because you're trying to be the CEO and get an accountant to do it, etc."
Additional Attack Statistics:
- 1 in 10 emails at corporate gateways are malicious (up from 7% a year ago)
- 7,700 organizations hit by email compromise scams every month
- These figures count only organizations that were successfully compromised; failed attempts are not included
Training Imperative: "If your employees are not trained or users are not trained to combat this, then often they're not going to know to disobey orders. It's very important to have training sessions throughout corporate infrastructure."
Emerging Physical & Location-Based Threats
New Attack Vectors:
Wi-Fi Replication
Fake Wi-Fi gateways that mimic legitimate ones to steal credentials and information from connecting devices
Mobile Hijacking
Malware on mobile devices for credential theft, cryptojacking, and information gathering
Drone-Based Attacks
Mobile malicious Wi-Fi portals and surveillance using drone technology
NASA IoT Compromise (June 2019):
A NASA engineer accidentally hooked up a Raspberry Pi to an important network segment, leading to compromise and theft of moon landing data. Demonstrates how even advanced organizations can be vulnerable to simple IoT-based attacks.
Human Factor: "All the threats I've talked about have one common factor: people. People are the main threat behind any attack because without scripting that code for a specific purpose, you're not going to have anything at all."
Psychological Manipulation Tactics Effectiveness
Threats & Abuse
Not Effective - Makes people uncooperative and defensive
Charm Tactics
Effective - Creates positive reactions and builds rapport
Mutually Beneficial
Effective - Classic "Nigerian Prince" style approaches
Reason-Based Tactics
Not Effective - People don't want to do additional work
Human Nature Insight: "People at a very genetic level, a very base level, don't want to do things. I'm lazy, I'm sure most of you are lazy. Telling somebody if you do this then it's going to work out this way - they don't care because it's going to take too much time and effort."
Social Engineering Attack Methodology
Standard Attack Progression:
- Victim Identification: Attacker identifies potential target
- Research & Analysis: Victim is researched directly or indirectly
- Approach Determination: Direct or indirect approach selected
- Tactic Exploration: Common social engineering tactics applied
- Result Achievement: Success or failure of the attempt
Trust Building Principle: "You basically have one shot with any one person. Once it's done, they don't trust you anymore. The whole point of social engineering is you have to build trust so they like you and want to help you."
Advanced Psychological Techniques
Lying by Omission
Selectively withholding information rather than outright falsehoods. Example: "Your dog won't tell you he dumped over the trash."
Rationalization
Justifying questionable actions with plausible explanations. Example: "I'm just cleaning up" when caught somewhere unauthorized.
Guilt Tripping
Making others feel responsible for problems. Example: "I couldn't do my job because that report you put on my desk got thrown away."
Servant Role
Using authority figures who are "just doing their job" to compel compliance without question.
Bandwagon Effect
Justifying actions because "everybody does it." Common in workplace scenarios for bypassing procedures.
Lying Limitations: "Lies do not maintain over a period of time. It is very difficult to maintain a lie for any significant period. If you're trying to do things as an attacker and you want additional access later, lying is only going to hurt your purpose."
Practical Prevention Strategies
Essential Security Measures:
- Door Access Controls: Physical security for workplace entry
- Screen Lock Timeouts: Automatic locking of unattended devices
- Suspicious Behavior Reporting: Clear procedures and contacts
- External Email Flagging: Visual indicators for external messages
- Attachment/Link Caution: Training on email security
Recommended Training Schedule:
- Quarterly security awareness training
- Phone caller identity verification procedures
- Clear reporting channels for security concerns
- Assume callers and emails could be fraudulent
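The external-email flagging and "assume emails could be fraudulent" advice above can be turned into a concrete gateway check. The following is an added example written for this summary, not code from the talk or the speaker: it parses a raw message, tags external senders in the subject, and flags the CEO-impersonation pattern described earlier (an executive's display name on an outside address, a Reply-To pointing somewhere else, and wire-transfer urgency in the text). The domain `example.com`, the executive directory, the lure phrases and the two sample messages are all assumptions constructed for the example.

```python
"""Simple spear-phishing triage for inbound mail (added example, not from the talk)."""
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organization's own mail domain. Any other domain, including
# look-alikes such as examp1e.com, is treated as external by exact comparison.
INTERNAL_DOMAIN = "example.com"

# Assumption: display names worth impersonating, mapped to their real addresses.
EXECUTIVES = {
    "dana kowalski": "dana.kowalski@example.com",
}

# Assumption: phrases typical of wire-transfer lures, checked in subject and body.
LURE_PHRASES = ("wire transfer", "urgent", "keep this confidential")

EXTERNAL_TAG = "[EXTERNAL]"


def sender_domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if malformed."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def analyze(raw: str) -> dict:
    """Parse a raw RFC 822 message and return findings plus the tagged subject."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""

    findings = []
    external = sender_domain(from_addr) != INTERNAL_DOMAIN
    if external:
        findings.append("external-sender")

    # Display name of a known executive but not their directory address.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append("executive-name-impersonation")

    # Replies silently redirected to a third address.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append("reply-to-mismatch")

    text = f"{subject}\n{body}".lower()
    if any(phrase in text for phrase in LURE_PHRASES):
        findings.append("financial-urgency-lure")

    # Visual indicator for users: prepend the tag once, only for external mail.
    if external and not subject.startswith(EXTERNAL_TAG):
        subject = f"{EXTERNAL_TAG} {subject}"

    return {"from": from_addr, "external": external,
            "findings": findings, "subject": subject}


# Constructed sample messages (not real traffic).
SPOOFED = """From: Dana Kowalski <dana.kowalski.ceo@gmail.com>
Reply-To: Dana Kowalski <ceo-desk@mail-relay.example.net>
To: accounts@example.com
Subject: Urgent wire transfer

I am in meetings all day. Please process the wire transfer today and keep this confidential.
"""

LEGIT = """From: Dana Kowalski <dana.kowalski@example.com>
To: accounts@example.com
Subject: Q3 numbers

Attached are the Q3 numbers we discussed.
"""

if __name__ == "__main__":
    for sample in (SPOOFED, LEGIT):
        print(analyze(sample))
```

The exact-domain comparison is deliberate: a look-alike domain is still external and gets tagged, which is the property you want users to see even when no other rule fires. The findings list is meant to feed a quarantine or reporting workflow, not to replace the quarterly training the talk calls for.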
User Education: "Users are not the enemy. The user complains - you want to not crush their rebellion if you're in IT. Teach people to be suspicious and assume that callers and emails could be fraudulent."
The Art of Being Awesome - Practical Applications
Marcus's "Awesome" Methodology:
Be Bold
Be the person who raises their hand and has answers. Confidence builds perception of competence.
Mirror Behaviors
Match other people's mannerisms and interests to build rapport and a sense of similarity.
Repeated Word Play
Consistently use specific phrases that become associated with your personal brand.
Corporate "Awesome" Experiment:
Marcus consistently used the phrase "I'm just awesome like that" when helping coworkers. After 27 days, dozens of people were repeating the phrase about him without prompting, demonstrating the power of consistent personal branding.
Additional "Awesome" Techniques:
- Don't Say "Google It": Provide answers directly rather than redirecting
- Leave Personalized Reviews: Use names and specific compliments in business reviews
- Always Be Available: Be the person who can get things done
- Leverage Teamwork: Recognize everyone has unique attributes to offer
Restaurant Review Strategy: "I have gotten free sushi at a number of sushi restaurants just by leaving personalized 5-star reviews with server names. When you come back, they remember you and you start getting free stuff."
Key Takeaways for Security Professionals
Essential Lessons:
- Human psychology is the foundation of all security threats and defenses
- Charm and mutually beneficial approaches outperform threats and reasoning
- Trust building is more effective than deception for long-term access
- Personal branding and perceived competence enhance social engineering effectiveness
- Emerging threats combine digital and physical attack vectors
- Continuous user education is crucial for organizational security
Final Thought: "Everybody has an attribute that you do not have. It's important to rely on team members and use your friends for what they have to offer because everybody has something to offer."
Security Mindset: The most effective security professionals understand both technical vulnerabilities and human psychology. Being "awesome" isn't just about personal success - it's about building the trust and influence necessary to implement effective security measures.