WEBVTT

00:00:00.000 --> 00:00:05.000
JACK: Okay, so, one year when I was in college, I took a job at the Renaissance

00:00:05.000 --> 00:00:08.720
Festival. If you don’t know what that is, it’s a place where people dress up like they did in

00:00:08.720 --> 00:00:13.560
the 15th century and do things from that time period like jousting and falconry,

00:00:13.560 --> 00:00:19.120
and eating old-fashioned food. It’s almost like an amusement park, with tall walls all around it,

00:00:19.120 --> 00:00:24.840
and you have to pay to get inside. [MUSIC] Well, when I got a job there, my boss forgot to give

00:00:24.840 --> 00:00:32.280
me an employee pass to get in. So, every day that I came to work, I had to find a way to sneak into

00:00:32.280 --> 00:00:38.480
the festival. This was such a fun thing for me to do because I had an honest reason to sneak into

00:00:38.480 --> 00:00:43.640
the Renaissance Festival. I figured out where employees park and I saw there was a security

00:00:43.640 --> 00:00:49.080
guard watching the back gates and side entrances and stuff. But I quickly learned their habits and

00:00:49.080 --> 00:00:54.080
was able to find ways to go around them. Over time, the security guard started to notice

00:00:54.080 --> 00:00:58.960
me more and more and thought I was suspicious because I was showing up every day and always

00:00:58.960 --> 00:01:05.120
avoiding them. Once, they even got in their golf cart and came straight towards me. I just ducked

00:01:05.120 --> 00:01:10.360
behind some trees or some cars or something and waited for them to roll on by in their golf cart.

00:01:10.360 --> 00:01:14.480
Then when the coast was clear, I’d pop up and go the other way and figure out a way to get in the

00:01:14.480 --> 00:01:21.360
festival. This went on for months until my boss said hey, I was talking with the front office

00:01:21.360 --> 00:01:26.880
today and we were going over some things, and I realized I never gave you an employee badge. How

00:01:26.880 --> 00:01:33.080
have you been getting in every day? I said well, it’s no problem; I’ve got ways of getting in. He

00:01:33.080 --> 00:01:40.680
said hm, I bet you do, but I don’t want to be the one to be blamed if you get caught. I said okay,

00:01:40.680 --> 00:01:44.920
okay, I’ll just say I work at some other area of the festival. This way it won’t come back to

00:01:44.920 --> 00:01:51.880
you. He was flabbergasted but gave me an employee badge anyway which was actually good, because the

00:01:51.880 --> 00:01:56.400
security guard finally caught me the next day and was all like, finally gotcha; now you’re coming

00:01:56.400 --> 00:02:02.120
with me, pal. I was like, but look, I have an employee pass. Then he was flabbergasted because

00:02:02.120 --> 00:02:06.320
he thought he’d caught me doing something wrong. Well, he did the right thing and he actually

00:02:06.320 --> 00:02:17.937
escorted me to the front office to make sure my badge was valid. Fun times there. Fun times.

00:02:17.937 --> 00:02:20.240
(INTRO): [INTRO MUSIC] These are true stories from the dark side of

00:02:20.240 --> 00:02:36.900
the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

00:02:36.900 --> 00:02:45.480
JACK: Can you pronounce your name for me?

00:02:45.480 --> 00:02:49.640
ALETHE: Sure. My name is pronounced Alethe, like a lethal weapon.

00:02:49.640 --> 00:02:54.200
JACK: What are you doing these days with social engineering type stuff?

00:02:54.200 --> 00:03:00.080
ALETHE: So, I work for a company called Critical Insight. Client base is really

00:03:00.080 --> 00:03:04.280
centered around organizations that provide critical infrastructure,

00:03:04.280 --> 00:03:10.400
so hospitals, water systems, manufacturing, DoD contractors,

00:03:10.400 --> 00:03:19.160
but kind of my core interest is growing our social engineering side to do more vishing, phishing,

00:03:19.160 --> 00:03:25.220
and more actual social engineering physicals where we’re doing the engagements onsite.

00:03:25.220 --> 00:03:30.520
JACK: Yeah, Alethe’s job is to social engineer Department of Defense contractors to try to get

00:03:30.520 --> 00:03:36.280
them to do things they really shouldn’t do. But how did Alethe get to this point? Well,

00:03:36.280 --> 00:03:42.744
that’s actually a very interesting story, so let’s rewind to when she was a kid.

00:03:42.744 --> 00:03:51.880
ALETHE: [MUSIC] So, this is kind of a weird, weird journey, so buckle up because this is definitely

00:03:51.880 --> 00:04:00.640
not the normal how-did-you-get-into-infosec type of story. But I always tell people I

00:04:00.640 --> 00:04:07.840
am not good at reading people because I’m a social engineer. I’m a social engineer

00:04:07.840 --> 00:04:13.920
because I’m good at reading people. The way that I became good at reading people is

00:04:13.920 --> 00:04:22.400
through a very chaotic series of unfortunate events and terrible relationships. Really,

00:04:22.400 --> 00:04:28.760
that’s the core of how I became who I am, is a series of really crazy events.

00:04:28.760 --> 00:04:30.691
JACK: Can we go that far back?

00:04:30.691 --> 00:04:33.440
ALETHE: We’re gonna go – we’re gonna – yeah, we’re gonna go all the way back

00:04:33.440 --> 00:04:42.080
to the beginning. [MUSIC] So, I was born and raised in South Africa by American parents. When

00:04:42.080 --> 00:04:49.360
I was around five or six, things with my parents weren’t going so great. By the time I was seven,

00:04:49.360 --> 00:04:55.640
they had separated and were living in different houses. This was kind of the beginning of

00:04:55.640 --> 00:05:04.880
me having to grow up pretty quickly. My mom was always kind of like the cool big sister,

00:05:04.880 --> 00:05:14.240
and she really let me have so much freedom as a kid just to explore my own creative ideas and do

00:05:14.240 --> 00:05:22.720
some really dangerous stuff without really putting guardrails on me. I was the oldest of three kids

00:05:22.720 --> 00:05:31.400
and so, I kind of ended up taking charge of my younger siblings. When I was seven or eight,

00:05:31.400 --> 00:05:39.800
we left the country kind of under the cover of darkness and without the knowledge of my dad. So,

00:05:39.800 --> 00:05:47.120
we moved from South Africa to Botswana to live with my grandparents for a while while my mom

00:05:47.120 --> 00:05:55.800
kinda figured out what she was gonna do. Then we moved from Botswana to California around the time

00:05:55.800 --> 00:06:04.520
I started fourth grade. When we were living there, we were – my brothers and I were welfare kids,

00:06:04.520 --> 00:06:12.280
and this is kind of where I got started, really honestly started, in social engineering. I was

00:06:12.280 --> 00:06:16.520
always kind of a manipulative kid. I could figure out how to get adults to

00:06:16.520 --> 00:06:22.620
do what I wanted them to do for me. But this is really where things started to get interesting.

00:06:22.620 --> 00:06:26.800
JACK: She was a latchkey kid, meaning she’d be home alone with her brothers

00:06:26.800 --> 00:06:31.520
while her mom was at work. This gave her freedoms to do things without an adult

00:06:31.520 --> 00:06:35.800
telling her what to do. On top of that, her family didn’t have that much money.

00:06:35.800 --> 00:06:39.280
ALETHE: In the 90s, it was like, my mom would just kick us out on the weekends

00:06:39.280 --> 00:06:43.800
and I would just rollerblade around town for twelve hours and get the bus,

00:06:43.800 --> 00:06:53.120
go downtown, go through all the shops. I learned to shoplift. We would sneak into movie theatres,

00:06:53.120 --> 00:07:00.560
we would just get into pretty harmless trouble just as pre-teenage kids rolling

00:07:00.560 --> 00:07:03.680
around downtown doing whatever the heck we could get away with.

00:07:03.680 --> 00:07:09.740
JACK: She was practicing how to be sneaky and manipulate adults into getting what she wanted.

00:07:09.740 --> 00:07:16.200
ALETHE: At the age of eleven, I had my own videotape, like VHS cassette tape

00:07:16.200 --> 00:07:22.960
rental account at the movie store that was between my school and my house. They would

00:07:22.960 --> 00:07:27.400
let eleven-year-old me come in and rent movies and take them home and trusted

00:07:27.400 --> 00:07:30.940
me to bring them back. They opened the account for me with no ID, no nothing.

00:07:30.940 --> 00:07:34.000
JACK: In seventh grade, she moved back to South Africa to live with

00:07:34.000 --> 00:07:38.560
her dad for a while, and he enrolled her in a very strict Catholic school.

00:07:38.560 --> 00:07:45.960
ALETHE: I made the worst possible mistake that any new kid – I mean, I wasn’t a stranger to being a

00:07:45.960 --> 00:07:52.840
new kid in a new school where people already had established friends and relationships, and you

00:07:52.840 --> 00:07:58.560
were a complete outsider because I had done it now a few times. But this time I decided that

00:07:58.560 --> 00:08:04.960
I was gonna try to be one of the cool kids, which was the worst thing I ever could have done ever,

00:08:04.960 --> 00:08:10.720
ever, ever, because I started making up just total BS stories about all these crazy things

00:08:10.720 --> 00:08:18.360
that I did when I lived in America. It was like, the worst – it totally backfired. So, this was a

00:08:18.360 --> 00:08:26.000
really great lesson for me as a social engineer, that over-embellishing – instead of having all the

00:08:26.000 --> 00:08:32.080
kids at my new school think I was super cool, they actually thought I was a complete and total idiot.

00:08:32.080 --> 00:08:36.480
JACK: Kids were picking fights with her. Nobody trusted her. The only friends that

00:08:36.480 --> 00:08:42.440
she made were other liars. She didn’t like that. Her dad moved her to another school,

00:08:42.440 --> 00:08:45.400
and this one was an all-girls school. Now,

00:08:45.400 --> 00:08:50.600
this was in the late 90s in South Africa, and not many schools had computer programs then,

00:08:50.600 --> 00:08:55.140
but this one actually had a computer lab and really tried to get the girls into computers.

00:08:55.140 --> 00:09:02.960
ALETHE: So, I started doing computer science. I learned to code in Turbo Pascal. I was just

00:09:02.960 --> 00:09:11.360
completely hardcore sucked into this idea that I was going to learn to code so that

00:09:11.360 --> 00:09:18.920
I could hack this game that we would play just on the LAN at the school that was called LORD,

00:09:18.920 --> 00:09:27.840
Legend of the Red Dragon. It’s a completely text-based roleplay game type scenario. So,

00:09:27.840 --> 00:09:31.640
I was obsessed with this game and I would spend most of coding class playing the game,

00:09:31.640 --> 00:09:37.520
and then catch up on all the coding stuff after school and do my assignments and stuff like that

00:09:37.520 --> 00:09:43.360
then. But I just became completely obsessed with computers and technology and coding,

00:09:43.360 --> 00:09:48.200
and I just went completely all-in on biology and computer science,

00:09:48.200 --> 00:09:59.160
and that was my thing. When I graduated, I went to school at the University of Cape Town and I was

00:09:59.160 --> 00:10:06.000
doing a Bachelor’s in Chemical and Molecular Sciences with a minor in Computer Science.

00:10:06.000 --> 00:10:14.960
This was the year that I just decided to completely just [MUSIC] demolish my life. I

00:10:14.960 --> 00:10:22.640
was eighteen and my parents were super-strict, so I decided I was gonna just ditch class and

00:10:22.640 --> 00:10:29.880
go hang out with my boyfriend and just be a kid, ‘cause I finally had some freedom outside of this

00:10:29.880 --> 00:10:38.000
very structured all-girls uniform Catholic school environment. So, I got into trouble. I got into

00:10:38.000 --> 00:10:44.160
big trouble, and I started – for years, I had been hanging out in IRC chat rooms and stuff,

00:10:44.160 --> 00:10:49.160
talking to just random people. I started a few friendships with people and some of them

00:10:49.160 --> 00:10:57.800
escalated over the course of four or five years, and even though I had a boyfriend in real life,

00:10:57.800 --> 00:11:03.960
I also had a few people that I was keeping in contact with over on IRC chat rooms. One

00:11:03.960 --> 00:11:09.360
of these people essentially groomed me over the course of four or five years,

00:11:09.360 --> 00:11:15.360
and it got to the point where I so implicitly trusted this person and was so turned against

00:11:15.360 --> 00:11:20.540
my own family that I made some really, really terrible decisions, like awful decisions.

00:11:20.540 --> 00:11:25.760
JACK: The person she was chatting with online was from Virginia, on the other side of the world from

00:11:25.760 --> 00:11:32.160
where Alethe was, in South Africa. The person asked Alethe a lot of personal details. ASL,

00:11:32.160 --> 00:11:37.960
to begin with; age, sex, location, then more details like her phone number and

00:11:37.960 --> 00:11:43.104
eventually her address. When they got her address, that’s when things got weird.

00:11:43.104 --> 00:11:48.040
ALETHE: [MUSIC] They were sending me care packages from the United States. So, all I

00:11:48.040 --> 00:11:54.680
know is that the packages came from Virginia, and that when my folks figured out what was going on,

00:11:54.680 --> 00:12:02.200
they lost it. It really freaked them out, and they were completely justified in their freaking out,

00:12:02.200 --> 00:12:11.160
for sure. So, it was kind of like the catalyst of this series of events that eventually let

00:12:11.160 --> 00:12:16.160
– it ended in me getting kicked out, and South Africa is not the greatest place for

00:12:16.160 --> 00:12:26.760
you to live alone as a young woman. It’s very dangerous, so my dad was like look,

00:12:26.760 --> 00:12:31.560
you can’t stay here. You’re not going to class, you’re not holding up your end of the bargain,

00:12:31.560 --> 00:12:38.440
basically. He was completely justified in doing this, but he gave me the opportunity to move

00:12:38.440 --> 00:12:46.520
back to the states and kind of reboot my life. I think it really was the best possible scenario,

00:12:46.520 --> 00:12:53.360
given the damage that I had done. I was very destructive in my own life, just had destructive

00:12:53.360 --> 00:13:01.440
tendencies. I struggled with depression and anxiety, and just trying to find and figure

00:13:01.440 --> 00:13:08.040
out who I was was gonna be something that I would be a lot more successful doing here in the states.

00:13:08.040 --> 00:13:12.880
JACK: So, she moved from South Africa back to California, which is where she’s been for

00:13:12.880 --> 00:13:17.000
the last twenty years. But it wasn’t easy getting established back in the states.

00:13:17.000 --> 00:13:22.040
Her college credits didn’t transfer, which meant she had to start over with college,

00:13:22.040 --> 00:13:27.560
and she didn’t have a good job to get by with. Her future was just not looking so good, and that

00:13:27.560 --> 00:13:33.880
led her to depression and anxiety, and she was worrying about how she’d find food just to live.

00:13:33.880 --> 00:13:37.840
ALETHE: I literally took a job scooping poop at a pet store for minimum wage,

00:13:37.840 --> 00:13:46.120
and at the time, that was $6.25 an hour. I loved that job because everybody there was so neat,

00:13:46.120 --> 00:13:49.140
and I got to play with puppies, which was great.

00:13:49.140 --> 00:13:52.800
JACK: Working retail taught her some new skills about how to deal with

00:13:52.800 --> 00:13:56.960
angry customers. It improved her social and communication skills,

00:13:56.960 --> 00:14:02.160
and then she got a job at a title company where she had to research who owned certain properties.

00:14:02.160 --> 00:14:05.880
ALETHE: Through the course of these positions, I learned a lot about

00:14:05.880 --> 00:14:09.760
public record. I was essentially searching public record for information about people

00:14:09.760 --> 00:14:13.720
and property and putting together chains of title of property. Like,

00:14:13.720 --> 00:14:17.360
from the beginning of time until now, who’s owned this property? What documents have

00:14:17.360 --> 00:14:21.954
been recorded against it? What easements or liens are against the property, et cetera?

00:14:21.954 --> 00:14:25.720
JACK: This is where she picked up some OSINT skills. OSINT is an acronym;

00:14:25.720 --> 00:14:30.280
it stands for Open Source Intelligence Gathering. She was learning how to find people and what

00:14:30.280 --> 00:14:34.120
properties they’ve owned over time. If it was owned by a business, then she could

00:14:34.120 --> 00:14:39.000
look up who the owners of that business were. There are a lot of details in public records,

00:14:39.000 --> 00:14:44.240
and she became a whiz at mining these public records to find the information she needed. But

00:14:44.240 --> 00:14:48.040
then she quit doing that and had a string of other jobs that all gave her new knowledge in

00:14:48.040 --> 00:14:52.840
different areas such as selling mobile phones, doing social media management, marketing,

00:14:52.840 --> 00:14:57.800
doing tech support for software. Then she landed a job at a staffing company where she was doing

00:14:57.800 --> 00:15:03.560
research and writing reports. Around that time, she and her husband started an IT company

00:15:03.560 --> 00:15:08.040
themselves. It was small and not big enough for them to quit their job and do it full-time,

00:15:08.040 --> 00:15:12.160
but they wanted to make sure their services were secure, which is how they heard about

00:15:12.160 --> 00:15:18.680
Defcon. [MUSIC] Defcon is the largest hacking conference held every year in Las Vegas, Nevada.

00:15:18.680 --> 00:15:24.120
ALETHE: The first Defcon that I went to, I discovered the Social Engineering Village

00:15:24.120 --> 00:15:30.920
and it was kinda like, everything I had been doing since I was a kid

00:15:30.920 --> 00:15:36.120
kind of all coming together under one umbrella called social engineering.

00:15:36.120 --> 00:15:40.680
JACK: At Defcon they have these villages; there’s a Bio-hacking Village which has

00:15:40.680 --> 00:15:44.560
people hacking medical devices and their own bodies. There’s a Car Hacking Village

00:15:44.560 --> 00:15:48.200
where they have an actual car in the conference that you can try to hack into,

00:15:48.200 --> 00:15:52.360
and there’s just so many. There’s Lockpick Village, IoT Village, Wireless Village,

00:15:52.360 --> 00:15:57.240
Voting Machine Village, but one of the most popular is the Social Engineering Village. Here,

00:15:57.240 --> 00:16:01.680
they have speakers up on stage sharing their tricks of the trade, which is basically how to

00:16:01.680 --> 00:16:05.880
manipulate people to get them to do things that you want them to do, such as letting

00:16:05.880 --> 00:16:11.240
you in a secure building, clicking a link in a phishing e-mail, or calling someone up and getting

00:16:11.240 --> 00:16:16.520
them to tell you a key bit of information that might help you break into the place.

00:16:16.520 --> 00:16:20.920
ALETHE: At first, I was really focused on the manipulation and

00:16:20.920 --> 00:16:25.480
the coercion and all of the negatively slanted words that really fall under

00:16:25.480 --> 00:16:31.840
social engineering. It just completely captured my attention and my focus.

00:16:31.840 --> 00:16:34.920
JACK: But if you hang out in the Social Engineering Village long enough,

00:16:34.920 --> 00:16:39.640
you’ll realize that the main event is the contest, and the final round of the contest

00:16:39.640 --> 00:16:45.440
is done on stage live in front of everyone. The contestant goes into a soundproof booth

00:16:45.440 --> 00:16:51.040
and calls up a company to try to get someone there to tell them some key information,

00:16:51.040 --> 00:16:55.000
and this is broadcast live in the conference room in front of everyone.

00:16:55.000 --> 00:17:00.640
ALETHE: They told me about the social engineering Capture the Flag contest where they put folks into

00:17:00.640 --> 00:17:05.120
a soundproof booth, they give them twenty minutes, and they call a target company,

00:17:05.120 --> 00:17:10.080
and they have to elicit information from the employees of their target company over the

00:17:10.080 --> 00:17:15.760
phone. [MUSIC] I was completely floored. I thought there is no way I could ever do something like

00:17:15.760 --> 00:17:22.360
that. That is absolutely insane. I’m the type of person that will send 150 e-mails before I pick

00:17:22.360 --> 00:17:27.800
up the phone just to avoid talking to people. Generally speaking, that’s me. I was like,

00:17:27.800 --> 00:17:31.760
this is nuts. There’s no way that I can ever do something like that. That’s crazy,

00:17:31.760 --> 00:17:39.280
but I want to watch this happen. So, the next year, we went to Defcon and I was like, see you,

00:17:39.280 --> 00:17:45.520
everybody that I came with; I’m gonna go grab some food and sit in the back of SE Village all day to

00:17:45.520 --> 00:17:50.720
make sure that I can listen to all these calls. So, I went to Starbucks, I grabbed breakfast

00:17:50.720 --> 00:17:56.280
and a couple snacks and a coffee and a water, and then I stayed for the rest of the day to

00:17:56.280 --> 00:18:02.040
listen to the remaining contestants. Then the next day, I kinda did the same thing. I didn’t leave;

00:18:02.040 --> 00:18:04.920
I didn’t leave to go to the bathroom, I didn’t leave to go get lunch. I was

00:18:04.920 --> 00:18:11.580
there from like 10:00 until after 2:00 when they ended the last of the seven calls for each day.

00:18:11.580 --> 00:18:15.320
JACK: These are always interesting calls to watch. It’s live, so you don’t know what’s

00:18:15.320 --> 00:18:20.440
gonna happen next, but the contestant has a goal to get certain flags. The flags might

00:18:20.440 --> 00:18:25.920
be the things like what make and model is your laptop? Are security guards watching the front

00:18:25.920 --> 00:18:30.680
door? What software is on the laptop? What are the password policies at the company,

00:18:30.680 --> 00:18:36.264
or other security-related pieces of information. The more flags you get, the more points you get.

00:18:36.264 --> 00:18:40.240
ALETHE: [MUSIC] So, the neat thing about the social engineering Capture

00:18:40.240 --> 00:18:46.120
the Flag is that each of the contestants – and there’s only fourteen each year,

00:18:46.120 --> 00:18:50.080
they are selected from a group of two hundred or three hundred applicants,

00:18:50.080 --> 00:18:58.800
and they get a Fortune 500 company as a target about six weeks ahead of Defcon. They get four

00:18:58.800 --> 00:19:05.600
weeks to do OSINT and investigate that target and find as much information as they can about them,

00:19:05.600 --> 00:19:10.040
and then see if they can find very specific flags of information that the contest runners have

00:19:10.040 --> 00:19:16.360
assigned points. Then they compile a report, they submit that to the contest runner and it’s graded,

00:19:16.360 --> 00:19:20.440
and then they use all the information that they found during the course of their OSINT,

00:19:20.440 --> 00:19:27.880
their investigation, to then call that target from a soundproof booth in front

00:19:27.880 --> 00:19:35.040
of five hundred to a thousand hackers, live, in a room with a twenty-minute time limit. It is like,

00:19:35.040 --> 00:19:40.360
the most high-pressure, crazy situation ever and you’re just praying that somebody answers

00:19:40.360 --> 00:19:46.040
the phone. Then once they do answer the phone, you’re praying that you can keep your stuff

00:19:46.040 --> 00:19:51.280
together and remember who you decided you were gonna pretend to be to get these people to give

00:19:51.280 --> 00:19:56.300
you those same flags of information or confirm them, if you already know, over the phone.

00:19:56.300 --> 00:19:59.640
JACK: The more Alethe watched these people make these phone calls and

00:19:59.640 --> 00:20:03.880
try to social engineer people, the more she wanted to do that.

00:20:03.880 --> 00:20:11.560
ALETHE: I saw the movie Hackers after it first arrived in South Africa and it was just like,

00:20:11.560 --> 00:20:16.640
oh my gosh, this is who I want to be. I thought for the longest time that I

00:20:16.640 --> 00:20:21.040
just wanted to be Dade and be cool like him. That was the first time I saw social

00:20:21.040 --> 00:20:25.420
engineering, that part where he social engineers the guy at the TV station.

00:20:25.420 --> 00:20:31.240
JACK: Here’s the clip she’s referring to, from the 1995 film called Hackers.

00:20:31.240 --> 00:20:32.840
NORM: [MUSIC] Security. Norm, Norm speaking.

00:20:32.840 --> 00:20:36.520
DADE: Norman? This is Mr. Eddie Vedder from accounting. I just had

00:20:36.520 --> 00:20:41.520
a power surge here at home that wiped out a file I was working on. Listen,

00:20:41.520 --> 00:20:44.720
I’m in big trouble. You know anything about computers?

00:20:44.720 --> 00:20:46.820
NORM: Uh, gee…

00:20:46.820 --> 00:20:53.600
DADE: Right, well, my BLT drive on my computer just went AWOL and I got this big project due

00:20:53.600 --> 00:21:01.240
tomorrow for Mr. Kawasaki, and if I don’t get it in, he’s gonna ask me to commit hara-kiri. Yeah,

00:21:01.240 --> 00:21:09.160
you know these Japanese management techniques. Could you read me the number on the modem? It’s

00:21:09.160 --> 00:21:13.600
a little boxy thing, Norm, with switches on it. Lets my computer talk to the one there.

00:21:13.600 --> 00:21:15.520
NORM: 212-555-4240.

00:21:15.520 --> 00:21:23.960
ALETHE: It just completely floored me. I thought that that was the coolest thing ever, ever,

00:21:23.960 --> 00:21:30.960
and I wanted to be like that so badly. It felt like I kinda put all that stuff on hold for –

00:21:30.960 --> 00:21:35.360
I think I was a teenager when I saw that, so it felt like I put all that stuff on hold for like,

00:21:35.360 --> 00:21:41.640
ten or fifteen years. Then walking into Defcon the first time, it was just like, oh my god,

00:21:41.640 --> 00:21:46.640
I’m home. These are my people. This is the island of misfit toys that I have been looking

00:21:46.640 --> 00:21:55.240
for [MUSIC] for over a decade. Everybody was so flipping welcoming and accepting and supportive

00:21:55.240 --> 00:22:02.160
and awesome that I was just like, I want to live here. So, it was kinda like finding my

00:22:02.160 --> 00:22:10.760
niche. After the second Defcon, after watching all of the calls at SE Village and seeing actual,

00:22:10.760 --> 00:22:18.960
real social engineers do the thing in front of everyone and just – I just wanted to be like that.

00:22:18.960 --> 00:22:24.600
I wanted to have that confidence and I really wanted to push myself to get more comfortable

00:22:24.600 --> 00:22:29.800
with having uncomfortable conversations with people, because I felt like it would just make

00:22:29.800 --> 00:22:36.280
me a better business owner, a better communicator, a better employee, a better parent, a better

00:22:36.280 --> 00:22:41.500
spouse. I just didn’t think that I could really go wrong with improving those types of skills.

00:22:41.500 --> 00:22:45.480
JACK: She goes home that year thinking about competing in the next social engineering

00:22:45.480 --> 00:22:50.720
Capture the Flag contest. She wants to try it, but she doesn’t think she’ll qualify,

00:22:50.720 --> 00:22:55.940
and she questions herself. But then at the last minute, she decides to apply to be a contestant.

00:22:55.940 --> 00:23:00.080
ALETHE: I ended up getting selected as one of the fourteen contestants.

00:23:00.080 --> 00:23:05.040
JACK: About three months before Defcon, they assign the contestants their target. Alethe

00:23:05.040 --> 00:23:10.320
was assigned a trucking company in the US, and she had about four weeks to do OSINT on them

00:23:10.320 --> 00:23:15.480
and turn in her report. Now, with OSINT, you can only get data that’s publicly available.

00:23:15.480 --> 00:23:20.160
You can’t call someone or phish someone or hack into something to get the information. She had

00:23:20.160 --> 00:23:24.520
to find as much information as she could about this company through public sources

00:23:24.520 --> 00:23:28.960
such as going to the company’s LinkedIn and seeing who works there and then finding those

00:23:28.960 --> 00:23:34.960
employees on their social media accounts and looking at their profiles. This first round of

00:23:34.960 --> 00:23:39.400
the contest is to try to gather certain flags or pieces of information from the

00:23:39.400 --> 00:23:44.360
company and compile that into a report and turn it in a month before Defcon begins.

00:23:44.360 --> 00:23:50.720
ALETHE: So, flags, they are everything from information that will – that would help in

00:23:50.720 --> 00:23:57.240
the contest of a physical pen test, so who does the garbage service, who’s the janitorial service

00:23:57.240 --> 00:24:02.400
provider, who runs the cafeteria, who’s the vending machine service and repair company,

00:24:02.400 --> 00:24:10.240
those kind of things. Then there’s company-wide type technology, like who’s the VPN provider,

00:24:10.240 --> 00:24:15.520
do they have Wi-Fi available on site, what is the SSID or the name of that Wi-Fi that

00:24:15.520 --> 00:24:22.400
is available to guests or internally, the version and the type of browser they use,

00:24:22.400 --> 00:24:30.920
their PDF viewer, the – whether or not they use a specific parcel service,

00:24:30.920 --> 00:24:35.600
the make and model of the laptop or computer that the employee was issued.

00:24:35.600 --> 00:24:39.344
JACK: Alethe begins collecting data on this trucking company.

00:24:39.344 --> 00:24:46.480
ALETHE: [MUSIC] So, I had a tough time figuring out the best way to do this. In brief,

00:24:46.480 --> 00:24:51.240
I basically – I started at the company website and then from there, I’ll move

00:24:51.240 --> 00:24:58.160
into company review websites like Glassdoor and Indeed to learn about company culture and

00:24:58.160 --> 00:25:05.040
any inflammatory things that I can use to kind of build rapport with the employees. Then from there,

00:25:05.040 --> 00:25:11.440
I look at job – open job descriptions, if they name any specific types of technology or Help

00:25:11.440 --> 00:25:16.480
Desk services that they use and things like that can be useful to me. Then once I’m done

00:25:16.480 --> 00:25:23.720
with company review websites and job descriptions, then I’ll get into some more detailed snooping.

00:25:23.720 --> 00:25:28.600
Usually this involves a lot of Google dorking because now I’ve kinda got an idea of what type

00:25:28.600 --> 00:25:35.360
of pretext I’m gonna use, and I want to find more information to support that pretext. So,

00:25:35.360 --> 00:25:42.360
say I want to impersonate an internal employee and call the Help Desk, then I might be Google

00:25:42.360 --> 00:25:51.360
dorking to look for all documents that are on that domain that are a file type PDF that contain

00:25:51.360 --> 00:26:00.560
the word ‘onboarding’ or ‘new hire’ or something like that, ‘cause I want to find where it says if

00:26:00.560 --> 00:26:05.880
somebody’s abusing technology, call this number, and usually that’s their internal Help Desk.

00:26:05.880 --> 00:26:12.400
So, that’s kind of an example. But I kind of just – I use a lot of social media as well,

00:26:12.400 --> 00:26:20.960
so I will find the address of the headquarters or the branch locations that I want to target

00:26:20.960 --> 00:26:26.160
and – or where the employees sit, who I want to target. Then I will put that address into

00:26:26.160 --> 00:26:32.280
Instagram, into the location search, and find all the pictures that are geotagged to that location

00:26:32.280 --> 00:26:39.320
and see if I can find things in those pictures that will help me, stuff like employee badges,

00:26:39.320 --> 00:26:44.320
things that would show employee ID numbers so I can get a good idea of what those look like and

00:26:44.320 --> 00:26:52.320
how they’re composed. I’ll also look for pictures where – there’s always one where it’s like,

00:26:52.320 --> 00:26:56.880
the Starbucks coffee cup in front of the open monitor with all their applications open. That’s

00:26:56.880 --> 00:27:06.400
my favorite. Then from there, I just kind of snoop around until I find some more of the stuff that I

00:27:06.400 --> 00:27:13.000
want. I want to know who the cafeteria vendor is. One of my most favorite pretexts is that

00:27:13.000 --> 00:27:19.880
I will call and pretend to be from the corporate office of the cafeteria vendor for the cafeteria

00:27:19.880 --> 00:27:25.840
that’s within the headquarters or the office of – office building of my target company,

00:27:25.840 --> 00:27:31.280
because it’s usually – it’s not close enough to them for them to go oh, what’s your name?

00:27:31.280 --> 00:27:38.160
Let me put it in the global directory and pull you up, but because it’s an entity that has

00:27:38.160 --> 00:27:44.240
authorization to be within their building, it’s kind of inherited the trust of that organization,

00:27:44.240 --> 00:27:48.400
and so therefore I would inherit it, saying that I work for that cafeteria vendor,

00:27:48.400 --> 00:27:52.280
that they’ve already had an existing working relationship with forever. So,

00:27:52.280 --> 00:27:58.520
the more information I can gain through OSINT, the better equipped I’m gonna be on the calls,

00:27:58.520 --> 00:28:02.760
and that’s really where I think the majority of social engineers, especially

00:28:02.760 --> 00:28:07.280
in the context of the social engineering Capture the Flag have been successful,

00:28:07.280 --> 00:28:12.580
is just being over-prepared with knowledge about the company and what they have, use, and do.

00:28:12.580 --> 00:28:16.860
JACK: She spends the four weeks collecting as much data as she could about this.

00:28:16.860 --> 00:28:19.160
ALETHE: I turned in my report and I was kinda like well,

00:28:19.160 --> 00:28:25.720
hopefully that wasn’t terrible. I was actually fifth out of fourteen; my report was scored

00:28:25.720 --> 00:28:30.660
fifth-highest points based on the flags of information that I found on the target.

00:28:30.660 --> 00:28:35.120
JACK: Whoa, that’s pretty good for a first-time competitor. The final score is a combination

00:28:35.120 --> 00:28:38.640
of the points you get from this report and the points you get from the live,

00:28:38.640 --> 00:28:44.040
on-stage call at Defcon. So, she has a chance of being in the top few if she

00:28:44.040 --> 00:28:47.040
can outscore some of the others that did better than her on their report.

00:28:47.040 --> 00:28:53.960
ALETHE: So, what happens at Defcon for the actual competition is you report to SE Village, they get

00:28:53.960 --> 00:29:01.240
you checked in and whatnot, and then when it’s your turn, they put you into the booth, you get a

00:29:01.240 --> 00:29:09.840
pair of headphones, and you are sitting on a stool in front of a pretty high-quality microphone. You

00:29:09.840 --> 00:29:17.800
have a list of the numbers that you want to call, and you have a list of the numbers that

00:29:17.800 --> 00:29:24.220
you would like to spoof to support your pretext, or who you’ve decided you’re gonna pretend to be.

00:29:24.220 --> 00:29:29.440
JACK: Now, the target they gave her is just this company. They didn’t provide any phone numbers or

00:29:29.440 --> 00:29:35.480
specific people to target at the company. That was all up to Alethe to figure out which person

00:29:35.480 --> 00:29:41.160
or people to target and what their phone numbers were. The company that runs the Social Engineering

00:29:41.160 --> 00:29:46.520
Village has some pretty good lawyers to help make sure this is all legal. So, Alethe provided the

00:29:46.520 --> 00:29:51.704
phone numbers to the contest runner who then dials a number and connects her to the call.

00:29:51.704 --> 00:29:57.400
ALETHE: [MUSIC] During the contest, not only are you on a stage in a booth with glass

00:29:57.400 --> 00:30:03.280
in front of you and everyone watching, but they also have cameras inside the booth. So,

00:30:03.280 --> 00:30:12.960
you’re on two or three giant screens in this enormous ballroom inside a casino at Defcon,

00:30:12.960 --> 00:30:22.120
and everyone is just watching your every twitch. So, once you’re ready to go,

00:30:22.120 --> 00:30:27.920
they start the twenty minutes on the timer, and it’s a big, red numbered timer that they

00:30:27.920 --> 00:30:34.680
hold in front of your face. Then you say call Number 1 or 2 or 3 or whatever it is

00:30:34.680 --> 00:30:40.200
on your list, and Spoof Number 1 or 2 or 3 or whatever it is on your list, and you go.

00:30:40.200 --> 00:30:46.640
JACK: Alethe was prepared for this, though. She had a plan. She had a pretext ready,

00:30:46.640 --> 00:30:50.160
which is who she was going to pretend to be when calling these people. She

00:30:50.160 --> 00:30:53.720
had practiced this pretext in her head, and she knew a lot about the

00:30:53.720 --> 00:30:57.240
people she was going to be calling from all the past research she did on them.

00:30:57.240 --> 00:31:02.520
ALETHE: So, you can bring whatever material you want into the booth. There are people that like

00:31:02.520 --> 00:31:09.000
to bring props like keyboards and stuff like that. I went very low-tech. [MUSIC] I brought in three

00:31:09.000 --> 00:31:17.000
sheets of paper, and one of them was a list of all the flags that I’d made my top priorities

00:31:17.000 --> 00:31:25.720
of each of the flags that I wanted to get, and then I kinda drop a four square for my pretext. I

00:31:25.720 --> 00:31:33.480
have a magic quadrant kind of an idea, but one square is who I am and my information of me,

00:31:33.480 --> 00:31:38.720
my pretext person that I’m pretending to be, one square is who I’m targeting; their phone number,

00:31:38.720 --> 00:31:43.720
their information, e-mail address and whatever about them so that I remember who I’m talking

00:31:43.720 --> 00:31:51.840
to and I don’t freak out. Then I have a box that has the key points of my pretext,

00:31:51.840 --> 00:31:57.480
like what company do I work for, why am I calling, what do I need? Then I have the other box that’s

00:31:57.480 --> 00:32:00.880
my goals for the call. Like, these are the flags that I want to get out of this call.

00:32:00.880 --> 00:32:04.200
JACK: She was able to get a few more flags from this other person,

00:32:04.200 --> 00:32:08.600
and then her time was up. So, she ended the call. On Saturday, they tally up the

00:32:08.600 --> 00:32:14.880
scores and announce the winners. Alethe got sixth place, but to her, she had a blast.

00:32:14.880 --> 00:32:19.640
ALETHE: Having the ability to make people laugh and have them respond to what I was

00:32:19.640 --> 00:32:26.480
doing in that way was just phenomenally rewarding. It made me feel amazing. So,

00:32:26.480 --> 00:32:33.400
after that, I was like, this is what I want to do for my life. [MUSIC] This is it.

00:32:33.400 --> 00:32:36.640
JACK: While she was in Vegas that year, something else happened.

00:32:36.640 --> 00:32:42.589
ALETHE: At that Defcon, I ended up getting pregnant.

00:32:42.589 --> 00:32:44.960
JACK: Now, she knew she wanted to compete in next year’s social

00:32:44.960 --> 00:32:56.080
engineering Capture the Flag, which was one year away, and by this point in her life,

00:32:56.080 --> 00:33:06.480
she already had three kids. This was such an important competition for her. She was

00:33:06.480 --> 00:33:12.780
absolutely determined to compete. So, May rolls around, which is when you apply for the contest.

00:33:12.780 --> 00:33:16.220
ALETHE: I applied while very pregnant.

00:33:16.220 --> 00:33:19.680
JACK: She gets accepted to compete. She has the baby,

00:33:19.680 --> 00:33:22.428
and shortly after that, they give her the target.

00:33:22.428 --> 00:33:27.080
ALETHE: So, I was on maternity leave and I was like, I can use my maternity leave to do

00:33:27.080 --> 00:33:31.320
the OSINT. That would be perfect because I won’t be juggling a newborn and work

00:33:31.320 --> 00:33:34.780
and the OSINT. It’ll just be a newborn and the OSINT and the other three kids.

00:33:34.780 --> 00:33:39.920
JACK: So, she spends her maternity leave doing the OSINT part, researching the client, finding

00:33:39.920 --> 00:33:44.440
the best way to approach them, and gathering as many flags as she could for the report.

00:33:44.440 --> 00:33:49.960
ALETHE: I only focused on doing better than I had the year before. That was my main objective,

00:33:49.960 --> 00:33:55.240
was I just want to do better than sixth. That’s it. If I can get into the top three, that would

00:33:55.240 --> 00:33:59.880
be amazing, but I just want to do better than I did the year before. I almost did not want

00:33:59.880 --> 00:34:05.600
to win. I didn’t want to win because as soon as you win, you can’t compete anymore; you’re out. I

00:34:05.600 --> 00:34:13.320
really enjoy playing the game more than anything. So, I went into it determined to do better than

00:34:13.320 --> 00:34:20.640
sixth. I did the OSINT for my report, I turned the report in, and I ended up placing third in

00:34:20.640 --> 00:34:27.120
the report scoring. So, I was like hey, if I hold third, that would be crazy. If I was able to push

00:34:27.120 --> 00:34:33.460
it up to second after the call round, that’ll be nuts. [MUSIC] So, I went to Defcon, took the baby.

00:34:33.460 --> 00:34:37.480
JACK: For this trip to Defcon, she takes herself and her three-month-old baby,

00:34:37.480 --> 00:34:41.920
and her husband. The other three kids stayed back at home in California. So,

00:34:41.920 --> 00:34:47.440
they fly out to Las Vegas. Defcon starts on Thursday and goes all weekend to Sunday. She

00:34:47.440 --> 00:34:51.480
had to get back home by Sunday night because her kids started school Monday morning.

00:34:51.480 --> 00:34:57.480
ALETHE: So, I ended up bringing a three-month-old baby with me to Defcon, which I don’t recommend,

00:34:57.480 --> 00:35:02.040
and I highly discourage anyone to do in the future, because it’s not great. It’s not a

00:35:02.040 --> 00:35:06.520
fun experience. But I committed to competing and I wasn’t sure if I was gonna be able to compete

00:35:06.520 --> 00:35:11.640
after that. So, I was just like, I’m gonna go for it. She’ll be young enough and I’m an experienced

00:35:11.640 --> 00:35:18.000
enough mother to know that a kid under the age of four months is highly portable, easy to feed,

00:35:18.000 --> 00:35:25.960
very easy to take care of, and very cooperative compared to the toddler age for going to Vegas.

00:35:25.960 --> 00:35:30.360
So, in the morning, I just got all my stuff ready, went to SE Village. I was competing

00:35:30.360 --> 00:35:35.400
on the first day, which was Thursday, and I was the last person to compete that day,

00:35:35.400 --> 00:35:39.680
so I was seventh on the first day. I tried to watch the rest of the calls,

00:35:39.680 --> 00:35:43.320
but I really wanted to be respectful of the other contestants, so if the baby got fussy,

00:35:43.320 --> 00:35:48.680
I would walk out to the hallway and go take care of her or stand in the back of the room

00:35:48.680 --> 00:35:54.640
just so that other people could see and I wasn’t a distraction or being distracted. So,

00:35:54.640 --> 00:35:59.320
I missed so many of the calls which sucked because I really wanted to watch them all.

00:35:59.320 --> 00:36:03.400
Then when it was my turn to go, I ran to the bathroom five minutes before my time,

00:36:03.400 --> 00:36:08.800
and I’m like, don’t worry, I’m coming back! Then change the baby, finish nursing the baby. I run

00:36:08.800 --> 00:36:13.600
back up to the front, throw the baby at my husband, and just prayed she didn’t start

00:36:13.600 --> 00:36:19.680
crying while I was in the booth, because as a mom, it just triggers you, especially very

00:36:19.680 --> 00:36:25.080
shortly after having a baby; if you hear a baby crying, it just sidetracks your whole brain,

00:36:25.080 --> 00:36:30.120
and I wanted to be able to maintain that focus. So, I was praying she wouldn’t start crying,

00:36:30.120 --> 00:36:35.160
and sure enough, as soon as I started dialing the first number, she started crying. I think

00:36:35.160 --> 00:36:39.560
it’s just because they were like, broadcasting the ringing of the phone out to the whole room,

00:36:39.560 --> 00:36:44.840
but it was just kind of an overwhelming situation for her, which I totally appreciate. So,

00:36:44.840 --> 00:36:50.840
I just had to put myself in the zone and ignore everything outside of the booth. Everything

00:36:50.840 --> 00:36:56.040
outside of the booth just was blackness and I had to focus on who I am, who I’m calling,

00:36:56.040 --> 00:37:01.600
what I’m doing, what I’m saying. [MUSIC] That’s all that matters right now. So, my first call was

00:37:01.600 --> 00:37:07.360
gonna be to tech support and I was gonna pretext as a new intern because it’s summer, and this

00:37:07.360 --> 00:37:13.320
company had a lot of summer interns and they were very public about that on social media, so it fit.

00:37:13.320 --> 00:37:16.400
I was just gonna be like, I’m trying to go to this website for training and I can’t get there.

00:37:16.400 --> 00:37:24.080
Can you help me? Can you try it? Finally, I convinced this person to go to the link,

00:37:24.080 --> 00:37:27.560
and they confirmed what they saw, and then I just said oh my gosh,

00:37:27.560 --> 00:37:32.720
I’m such an idiot. I wasn’t even on the internet. I just tried to get off the phone with them as

00:37:32.720 --> 00:37:38.200
quickly as possible so I could salvage as much of my twenty minutes as I could. So,

00:37:38.200 --> 00:37:45.520
after that call, I hung up and I decided that I was going to target their regional sales people,

00:37:45.520 --> 00:37:51.240
their remote salespeople that were responsible for various regions of the United States. My

00:37:51.240 --> 00:38:02.040
target was a ginormous tobacco company, so I almost didn’t feel bad. So, I ended up getting

00:38:02.040 --> 00:38:10.920
their cell phone numbers and – through my OSINT for these regional salespeople, and I learned a

00:38:10.920 --> 00:38:18.120
ton about how they treat their salespeople from the company reviews that were left on Glassdoor

00:38:18.120 --> 00:38:24.120
by salespeople. I knew that they had company cars, company laptops, company cell phones,

00:38:24.120 --> 00:38:31.080
and all that stuff. So, I knew a lot of what they would have already, and I could just make

00:38:31.080 --> 00:38:37.680
this super easy and ask them to confirm it. But I needed to figure out how I was going to give

00:38:37.680 --> 00:38:44.800
myself the authority to ask those questions without raising their eyebrow, so to speak.

00:38:44.800 --> 00:38:53.480
So, the pretext that I came up with was I was helping IT contact people whose computers hadn’t

00:38:53.480 --> 00:39:02.040
connected to the VPN in a while because we were getting ready to replace remote workers’ laptops,

00:39:02.040 --> 00:39:07.880
and we were trying to confirm what software and applications they had on their computer

00:39:07.880 --> 00:39:12.640
before we ship the replacement computers out. [MUSIC] Every remote worker wants a

00:39:12.640 --> 00:39:20.680
new laptop because every remotely-deployed laptop has issues. It’s just a fact. So,

00:39:20.680 --> 00:39:26.960
I was like, I’m incentivizing them with a new laptop. They are going to trust me because I

00:39:26.960 --> 00:39:34.760
sound nice and likeable, and I’m an internal employee. So, I started the call by saying hi,

00:39:34.760 --> 00:39:43.920
this is Bethany. I’m calling from the headquarters in this town. So, immediately they know who I am,

00:39:43.920 --> 00:39:49.800
where I’m calling from, and that I’m an internal employee, so I’ve knocked all those things out of

00:39:49.800 --> 00:39:56.200
the list of objections already. I’ve made them feel better about the fact that I’m internal by

00:39:56.200 --> 00:40:02.280
saying where I am located, so they feel safe that I’m calling from the headquarters and I

00:40:02.280 --> 00:40:11.640
know where that is and it sounds legit. Then I gave myself a name that was a little younger,

00:40:11.640 --> 00:40:19.520
and I tried to sound – like, I raised my voice a teeny bit just to sound a little younger.

00:40:19.520 --> 00:40:24.000
Then if they pushed back about the IT part, I was just gonna be like yeah, I’m an intern;

00:40:24.000 --> 00:40:30.720
I’m just helping IT and so, I don’t know, but they just gave me this list and the sooner I can

00:40:30.720 --> 00:40:38.760
get this done, the faster you’ll get your laptop, basically. Zero people pushed back. No people. So,

00:40:38.760 --> 00:40:42.680
I just – I said we’re getting ready to send out these laptops. Do you have a couple minutes just

00:40:42.680 --> 00:40:47.960
to go through your computer with me and answer a few questions to make sure that we get you all the

00:40:47.960 --> 00:40:51.920
programs and applications that you need installed before we ship this out? They’re like, of course

00:40:51.920 --> 00:41:01.480
I do. I talked to one gentleman and then he was like – he was super helpful, and I got through

00:41:01.480 --> 00:41:09.320
my whole list of flags, really. Like, every single flag, he just gave it to me. Then I very politely

00:41:09.320 --> 00:41:13.800
ended the call and I decided instead of calling the person that I’d planned to call, I was gonna

00:41:13.800 --> 00:41:21.080
call the next one. I don’t know why I decided to do that, but I did. It was just the most amazing

00:41:21.080 --> 00:41:28.400
success on each one of the calls, and on the last call, the guy that I called was like, oh man,

00:41:28.400 --> 00:41:34.600
well, I’m not on my computer because I’m actually three months into my four-month paternity leave.

00:41:34.600 --> 00:41:41.000
I was expecting him to shut me down. I just said oh no, I’m so sorry. I’m so sorry to bother you.

00:41:41.000 --> 00:41:45.080
Let me let you go, because I was trying to conserve as much time as possible to try to

00:41:45.080 --> 00:41:52.560
make another call. He’s all well, hold on, let me just go get the laptop. I was like, what? So,

00:41:52.560 --> 00:41:57.120
he went and got the laptop and as he was booting it up, I was just like okay, shoot, what can I

00:41:57.120 --> 00:42:02.240
get out of him while this thing is booting up? [MUSIC] I was just like yeah, that’s so crazy.

00:42:02.240 --> 00:42:09.080
I just had a baby too, which is totally true; I’m looking at my three-month-old baby. He was like,

00:42:09.080 --> 00:42:14.360
instantly ready to just tell me everything. So, I asked him, while your computer’s booting up,

00:42:14.360 --> 00:42:19.920
is it the – this brand, this model? He’s like, yeah. I was like and, did you have to type in

00:42:19.920 --> 00:42:25.200
the thing for BitLocker just now? He’s like, oh yeah. I was like and – you know, and I just

00:42:25.200 --> 00:42:31.640
walked him through all the stuff. At the end of the call, it was like, I knew I had seconds left

00:42:31.640 --> 00:42:36.840
and I wanted to make sure that I ended it on a nice note and it wasn’t just like a click,

00:42:36.840 --> 00:42:43.360
hang up. So, I wrap things up with a bow and just thank the guy profusely and told him to enjoy the

00:42:43.360 --> 00:42:50.120
rest of his leave. I still feel freaking awful for every single one of these calls.

00:42:50.120 --> 00:42:57.960
I feel gross about what happened after I hung up, and did they ever reach out to IT? Did they

00:42:57.960 --> 00:43:03.560
figure it out that they got scammed? Or what did they feel about that? Did I make them feel bad?

00:43:03.560 --> 00:43:10.040
‘Cause I really hate that. I hate that aspect. The nice thing about doing this for real, for money,

00:43:10.040 --> 00:43:16.320
with clients who know I’m gonna call them and who I give a report to, is that I can kinda beg

00:43:16.320 --> 00:43:23.080
forgiveness after the fact and make amends, so to speak, with them, and just be like, yeah, sorry.

00:43:23.080 --> 00:43:28.680
That was a test and you did really great at this part, but you did really bad at this part. This is

00:43:28.680 --> 00:43:33.440
a safe learning experience. It’s much better that you failed now than with an actual attacker, kind

00:43:33.440 --> 00:43:39.920
of a thing. But these scenarios, it’s just like, I still wonder. I still remember the names of the

00:43:39.920 --> 00:43:47.560
people that I targeted the first time around. I wonder how they are and how their kids are, how

00:43:47.560 --> 00:43:53.300
the job’s going. I feel like we’re friends ‘cause I just completely over-researched all of them.

00:43:53.300 --> 00:43:58.120
JACK: She came out of the booth and felt really good about the points she scored. She knew she

00:43:58.120 --> 00:44:03.480
got a lot of great flags and used her time very effectively. The audience seemed to really like

00:44:03.480 --> 00:44:09.080
it, too. They seemed entertained. These calls aren’t recorded, so I can’t play any of them

00:44:09.080 --> 00:44:13.760
for you. Nevada is a two-party consent state, so they can’t record them by law. But despite

00:44:13.760 --> 00:44:18.360
her feeling good about it, there were still seven more contestants competing the next day,

00:44:18.360 --> 00:44:24.520
and two of those were the ones in first and second place. So, it was too hard to tell if she had won

00:44:24.520 --> 00:44:30.520
at that point, and wouldn’t know until Saturday. So, Friday, the rest of the contestants do their

00:44:30.520 --> 00:44:35.900
things, and then Saturday rolls around. Alethe goes to the party where they announce the winners.

00:44:35.900 --> 00:44:41.440
ALETHE: They announce the second place and it wasn’t me. I was like oh, well, you know. Maybe

00:44:41.440 --> 00:44:46.800
next year. Then they announced that I won [MUSIC] and I just was like – first thing I said was,

00:44:46.800 --> 00:44:53.360
oh shit. I’m like, holding a baby and I’m like, I don’t even – how to – how do I know – I don’t even

00:44:53.360 --> 00:44:59.400
know what to do with myself. So, it was really, really amazing. Then I realized that my flight –

00:44:59.400 --> 00:45:06.000
I didn’t expect to win. I had scheduled a flight that left at 3:00 PM on Sunday from Las Vegas,

00:45:06.000 --> 00:45:12.640
and closing ceremonies start at 4:00. So, the airport that we fly in and out of,

00:45:12.640 --> 00:45:18.120
there’s one flight per day, so that – if you miss that flight, you’re it – you’re done. I

00:45:18.120 --> 00:45:24.440
had a kindergartener that was starting his first day of school on Monday morning, so there was no

00:45:24.440 --> 00:45:31.160
getting back on Monday sometime. It had to be Sunday. So, we ended up missing the flight,

00:45:31.160 --> 00:45:35.300
and we went to closing ceremonies ‘cause it’s just – it’s a once-in-a-lifetime opportunity.

00:45:35.300 --> 00:45:41.200
HOST: Welcome to the stage of the social engineering contest. [APPLAUSE]

00:45:41.200 --> 00:45:43.340
ALETHE: I took the baby up on stage with me.

00:45:43.340 --> 00:45:48.400
HOST: Okay, so, is this the first time there’s a baby on stage at Defcon? So,

00:45:48.400 --> 00:45:52.560
she won the SECTF. No, just kidding; she didn’t. She didn’t. [LAUGHTER] It

00:45:52.560 --> 00:45:57.440
was the second year in a row that women dominated the competition. We, again,

00:45:57.440 --> 00:46:04.200
have two women in the first and second place, so good job. Keep it coming. Our first place winner,

00:46:04.200 --> 00:46:13.280
Alethe, is standing here. I’m gonna give her a bottle of alcohol, okay? [APPLAUSE]

00:46:13.280 --> 00:46:25.800
I’m gonna give her a tenth-year SE Head Award, and Defcon’s gonna give her a black badge. [APPLAUSE]

00:46:25.800 --> 00:46:30.040
JACK: [MUSIC] The coveted black badge. By winning this contest,

00:46:30.040 --> 00:46:35.960
the main prize you get is a Defcon black badge, which is very prestigious,

00:46:35.960 --> 00:46:40.760
despite the award ceremony being hosted by a guy named Grifter. On paper, all it does is

00:46:40.760 --> 00:46:46.840
it gives you free access to Defcon for life, but it carries a lot of prestige. Lots of companies

00:46:46.840 --> 00:46:51.720
out there will hire someone who has earned a black badge from Defcon because they know

00:46:51.720 --> 00:46:57.460
Defcon contests are incredibly competitive and whoever wins it must be very good at what they do.

00:46:57.460 --> 00:47:04.400
ALETHE: Just an incredible honor, and as soon as we were done on stage,

00:47:04.400 --> 00:47:09.280
then I had to like – we ran back to the hotel, got our bags out of the bellhop,

00:47:09.280 --> 00:47:16.100
drove to the airport, and then rented a car at the airport and then drove home overnight.

00:47:16.100 --> 00:47:19.800
JACK: The ride home was something like a seven-hour drive. Yeah,

00:47:19.800 --> 00:47:25.200
a baby in the car on an all-night drive, trying to get back before school starts in the morning,

00:47:25.200 --> 00:47:30.600
it was very tiring. [MUSIC] In the car ride home, Alethe began wondering where her career

00:47:30.600 --> 00:47:35.560
would go from here. She hoped someone would hire her to do this for a living,

00:47:35.560 --> 00:47:40.720
but if that didn’t happen, she thought maybe she’ll just start her own business doing this,

00:47:40.720 --> 00:47:45.320
like a consultant. They got home around 2:00 AM and got everyone to bed.

00:47:45.320 --> 00:47:48.160
ALETHE: After that, it was like, I got two hours of sleep, woke up,

00:47:48.160 --> 00:47:52.040
got the chalkboards all made up, and then did first day of school pictures with my kids,

00:47:52.040 --> 00:47:58.240
and it was like back to normal life. I went back to work at the staffing company.

00:47:58.240 --> 00:48:03.440
JACK: Going back to work at that staffing company was not nearly as fun as the rush

00:48:03.440 --> 00:48:08.440
of doing social engineering engagements. So, she set off searching for a new role

00:48:08.440 --> 00:48:13.080
as a social engineer somewhere. You know what? There are quite a few companies out there that

00:48:13.080 --> 00:48:17.920
do hire social engineers. It can be included as part of a security assessment to see if

00:48:17.920 --> 00:48:22.600
the company has any weak points that a social engineer can expose. Sometimes social engineers

00:48:22.600 --> 00:48:27.400
go onsite to do a physical assessment to try to find a way in the building and plant some

00:48:27.400 --> 00:48:32.000
rogue hardware in the network that someone can jump into from outside and then bounce

00:48:32.000 --> 00:48:36.840
off to get inside the network. The human is the weak link in many organizations, and hiring a

00:48:36.840 --> 00:48:42.400
social engineer can help you make that link stronger. This is what Alethe wanted to do.

00:48:42.400 --> 00:48:44.760
ALETHE: I was trying to get into information security,

00:48:44.760 --> 00:48:51.280
but I was lacking a lot of the full-scale pen-testing skills at that point. So,

00:48:51.280 --> 00:48:55.160
I was applying to jobs and people were thinking she’s got a black badge,

00:48:55.160 --> 00:49:01.240
she knows everything. Then they were looking at my resume and going, wait a second. I was getting

00:49:01.240 --> 00:49:08.560
messages on LinkedIn from German CEOs asking if I was actually me, because my resume didn’t

00:49:08.560 --> 00:49:13.980
match this person that was in this German article about a social engineer who won the black badge.

00:49:13.980 --> 00:49:20.040
JACK: She didn’t have any luck finding a job as a social engineer, but she’s Alethe,

00:49:20.040 --> 00:49:23.780
and when Alethe is determined to do something, nothing will stop her.

00:49:23.780 --> 00:49:27.360
ALETHE: I actually ended up deciding that I was gonna start consulting on the side,

00:49:27.360 --> 00:49:31.320
and I did it with the blessing of the staffing company and my boss there. But

00:49:31.320 --> 00:49:36.680
I started doing security awareness training and then social engineering assessments and testing,

00:49:36.680 --> 00:49:43.440
phishing on my own as a consultant. I mean, I started a number of businesses. My husband and

00:49:43.440 --> 00:49:48.480
I have started a number of businesses, and it wasn’t too far-fetched for me to create

00:49:48.480 --> 00:49:53.480
my own consulting revenue. So, that’s what I started doing. I started consulting through

00:49:53.480 --> 00:50:00.160
Dragonfly Security, and I built up a nice little client base here locally.

00:50:00.160 --> 00:50:04.160
JACK: Some of these companies already have security awareness training. This is where

00:50:04.160 --> 00:50:07.840
every employee of the company has to watch a thirty-minute presentation and then take

00:50:07.840 --> 00:50:12.080
a quiz about what security best practices there are. But some companies want to take

00:50:12.080 --> 00:50:16.600
this training a step further and send phishing e-mails to all employees to see

00:50:16.600 --> 00:50:21.180
if any of them would still fall for it after they’ve been trained in security awareness.

00:50:21.180 --> 00:50:27.400
ALETHE: I don’t believe personally in setting your employees up to fail, so I always encourage

00:50:27.400 --> 00:50:33.040
doing the security awareness training at least within six months of doing testing. But it’s

00:50:33.040 --> 00:50:38.400
really – it’s an opportunity for employees to learn from the experience and practice

00:50:38.400 --> 00:50:43.680
defending against these types of attacks, because it’s something that if you’re caught off-guard,

00:50:43.680 --> 00:50:49.680
it can be extremely easy to fall for the types of tactics that these manipulators will use,

00:50:49.680 --> 00:50:55.600
and the psychology behind social engineering, which really centers around the six principles

00:50:55.600 --> 00:51:01.480
of influence. So, all the stuff that scammers use to trick you into answering their questions,

00:51:01.480 --> 00:51:08.400
and also that used car salesmen use to get you to buy a car. But it’s an

00:51:08.400 --> 00:51:16.000
opportunity for clients to sometimes check a compliance box, but more often than not,

00:51:16.000 --> 00:51:21.320
it’s really to make sure that their staff are absorbing the security awareness training and

00:51:21.320 --> 00:51:25.360
that they’re able to defend against these kind of attacks in a real world simulation.

00:51:25.360 --> 00:51:31.000
JACK: So, she did that for a while on her own, but really wanted to be part of a team where she could

00:51:31.000 --> 00:51:35.600
learn from others who do this, and to be able to focus on it more, because as an independent

00:51:35.600 --> 00:51:40.280
contractor, you’re spending half your time just trying to find clients. So, she eventually

00:51:40.280 --> 00:51:45.400
found an opportunity to join a company called Critical Insight which does provide penetration

00:51:45.400 --> 00:51:51.200
testing to clients as well as social engineering engagements. This is where Alethe is today. One of

00:51:51.200 --> 00:51:56.584
the things she does there is try sending phishing e-mails to clients to test their reactions to it.

00:51:56.584 --> 00:52:01.120
ALETHE: [MUSIC] In a phishing engagement, I’m going to try to phish every person at

00:52:01.120 --> 00:52:10.800
least twice during the campaigns that I launch against the client. I do this because – and not

00:52:10.800 --> 00:52:16.480
for the purposes of just collecting statistical information like how many clicked on the link,

00:52:16.480 --> 00:52:23.400
how many opened the e-mail. What I’m actually focused on is how many people

00:52:23.400 --> 00:52:29.400
report that phishing e-mail, how quickly is the first report received, and what types

00:52:29.400 --> 00:52:36.040
of internal communications are happening at the client during the course of the campaign. Like,

00:52:36.040 --> 00:52:41.320
that’s what I’m really looking for. That’s what I want to see. I don’t really put a

00:52:41.320 --> 00:52:46.200
lot of emphasis on how many clicks there were, though I do report it. Typically,

00:52:46.200 --> 00:52:53.920
I would expect between 10% and 20% click rate from the average organization. Maybe four or

00:52:53.920 --> 00:52:59.840
five years ago it would have been a 30% to 40%, 30% to 60% click rate. But now that people are

00:52:59.840 --> 00:53:04.020
becoming more security conscious and more aware of social engineering, that number is going down.

00:53:04.020 --> 00:53:08.120
JACK: So, when a company hires her to run a phishing campaign on the company,

00:53:08.120 --> 00:53:08.960
here’s what she’ll do.

00:53:08.960 --> 00:53:14.120
ALETHE: What I typically do, I will set up a landing page that is to collect credentials

00:53:14.120 --> 00:53:20.680
and I will set that landing page up to look like an internal portal that that employee

00:53:20.680 --> 00:53:26.760
is used to putting their credentials in. Then I will, over the phone, direct them to go to

00:53:26.760 --> 00:53:34.320
my suspicious URL. So, company.us or company.org if that’s something that’s not registered by the

00:53:34.320 --> 00:53:42.960
company already. Then they’ll go there, and it’s a fail if they go there, and then it’s a fail,

00:53:42.960 --> 00:53:48.000
another fail, if they enter their credentials and I’m able to capture those credentials,

00:53:48.000 --> 00:53:53.020
because now I can log in as them and get to things that I should not be able to get to.

00:53:53.020 --> 00:53:57.760
JACK: Sometimes she sends an e-mail like this to everyone in the company. Sometimes she’s given the

00:53:57.760 --> 00:54:02.480
task to target certain individuals, like perhaps some key people in the company. On assignments

00:54:02.480 --> 00:54:07.000
where she has to target certain individuals, she’ll sometimes do vishing calls. This is

00:54:07.000 --> 00:54:12.320
like phishing, but it’s a phone call. Just like during the contest she practiced in, she’ll call

00:54:12.320 --> 00:54:16.720
up people to try to get information from them or get them to do something they shouldn’t,

00:54:16.720 --> 00:54:23.800
and then put that in her report. Her clients are often involved with critical infrastructure

00:54:23.800 --> 00:54:30.360
or even Department of Defense contractors. So, that’s the story of how Alethe became a person

00:54:30.360 --> 00:54:36.480
whose day job is phishing Department of Defense contractors. It’s a wild and weird journey for her

00:54:36.480 --> 00:54:42.620
to get here. Sometimes we need to go through wild and weird journeys just to find our true calling.

00:54:42.620 --> 00:54:48.480
ALETHE: All of that crazy stuff really has allowed me to get better at – able to pivot

00:54:48.480 --> 00:54:55.480
in conversations and kind of critically solve problems very quickly. That’s something that I

00:54:55.480 --> 00:54:59.280
think is really beneficial for social engineers. I know a lot of social engineers encourage people

00:54:59.280 --> 00:55:06.760
to do improv. I’ve never done improv, but I think that just naturally running towards uncomfortable

00:55:06.760 --> 00:55:12.620
conversations that are organic and real is the only way to really get good at this stuff.

00:55:12.620 --> 00:55:16.400
JACK: Running towards uncomfortable conversations

00:55:16.400 --> 00:55:20.960
that are organic and real is the best way to get good at this.

00:55:20.960 --> 00:55:27.080
ALETHE: Like, take your mixer that you bought at Costco eight years ago and go try to return it.

00:55:27.080 --> 00:55:33.400
JACK: Huh. I wonder if I’d be good at this, because I’ve had quite a few

00:55:33.400 --> 00:55:38.880
uncomfortable conversations, and I don’t have that social anxiety that comes with them anymore,

00:55:38.880 --> 00:55:42.480
like sneaking into the Renaissance Festival; that’s no problem. I don’t

00:55:42.480 --> 00:55:47.240
mind dumpster-diving or asking a store if I can have things that aren’t actually for sale there

00:55:47.240 --> 00:55:51.840
like decorations or promotional banners or something. [MUSIC] I have zero worry

00:55:51.840 --> 00:56:00.520
about being kicked out of a place that I’m not supposed to be in. Maybe this is the job for me.

00:56:00.520 --> 00:56:08.240
(OUTRO): A big thank-you to Alethe Denis for sharing this wild adventure with us. If you’re

00:56:08.240 --> 00:56:12.560
on Twitter, you should follow her there. Her name is @AletheDenis. If you want to

00:56:12.560 --> 00:56:16.320
know more about social engineering, I’ve got some book recommendations for you in

00:56:16.320 --> 00:56:22.960
the show notes, but you can also find them at darknetdiaries.com/books, so go check those out.

00:56:22.960 --> 00:56:28.120
I try real hard to provide a valuable show to you by going through the painstaking process of

00:56:28.120 --> 00:56:32.920
putting all this together and getting you a new episode every two weeks. Am I doing good? Do you

00:56:32.920 --> 00:56:38.440
find this show valuable? If so, please consider supporting it through Patreon or through Apple

00:56:38.440 --> 00:56:43.440
Podcasts. By supporting the show, it tells me that you like it and want more of it, so thank

00:56:43.440 --> 00:56:49.240
you. This show is made by me, the slow reader, Jack Rhysider. Sound design by the fast-traveling

00:56:49.240 --> 00:56:54.960
Andrew Meriwether, and our associate producer just back from his trip at a watery get-together is Ray

00:56:54.960 --> 00:56:59.880
[REDACTED]. Our theme music is by the bountiful Breakmaster Cylinder. I like to play chess against

00:56:59.880 --> 00:57:04.600
computers, but I don’t get upset when the computer beats me because I’ll always just challenge them

00:57:04.600 --> 00:57:18.840
to a round of kickboxing afterwards, and I always win that. This is Darknet Diaries.
