November 12th, 2012
Real Life and the Application of Social Engineering Part I
Chris and I decided to break this up into 6 different Blog posts, so as to give you guys a break from my long-winded tale. To give you a slight overview of what is to come in this tale, or whet your proverbial appetite so to speak, I will give out a few spoilers. This story deals with a very few “Episodes” from my life that led me down a surreal path that somehow includes 2 continents, Felony Fugitive Status for 7 years, ¼ of a million dollars cash in small denominations, Covert Spy Agencies, the U.S. Army, and Alex Trebek (from Jeopardy!). **Disclaimer** I never met said host of the world’s best trivia game show, but without him most of the really good twists in my story wouldn’t have happened. So, enjoy the first installment of the 6-part series.
The title of this little story represents the strange twists and turns my life has taken. If you would have asked me, at 18, if this is how my life would have turned out, I would have asked you “to share that good stuff you were smoking”.
This is my first time telling this story to an open audience and I have to admit, I’m a little nervous about how it will be received; both by the S.E. community and any Agencies involved. I need to thank Chris Hadnagy for giving me the opportunity to share this story and Jay Trinckes for editing it, so that I don’t sound like a complete buffoon.
Hello everyone, my name is Robert “Bobby” Gude and I’m from San Antonio, Texas. I was raised in an Air Force family where my father was an E-9, or Chief Master Sergeant, and who retired in this city. My childhood was untypical for an Air Force “brat”, as this was the only city I ever lived in, until after High School graduation, but that is another story. I was lucky enough, as a kid, to develop long-term relationships with friends that most military brats don’t have the chance to develop and that would later come back to help me out of a sticky situation. Which is what this story is all about, but I’m getting a little ahead of myself.
I recently went to the DefCon 20 event at the Rio, in Las Vegas, where I was entered into the “Social Engineering Battle of the Sexes Competition”. I had an ‘Epic Fail’ during the competition that dealt with time zones and my lack of remembering them. Plus my inexperience of performing in front of a crowd of what felt like 10,000 people (but was only around 100 or so) would lead to my troubles. The competition, however, was only a minor reason for me going to DefCon in the first place. The real reason I went was to meet some real Social Engineers/Penetration Testers and ask questions. You see, I have extensive experience in this field (just not from the right side of the law) and never in front of a crowd (I’m a backstage kind of guy). I wanted to know how I could use my experience to get ‘lawful’ employment. I didn’t tell my story to anyone I talked to; in fact, I only told Chris, from SEORG.ORG (the contest’s organizer), some of what I’m about to tell you. This is only after the fact since I never found a time Chris wasn’t in demand by someone, including the Director of the N.S.A. After finally getting a chance to tell Chris my story, he asked me if I would be willing to openly write about it. It was our hope to help all the Agencies involved prevent future attacks by making my story into lessons.
This was a new way of thinking for me and I am not used to some of the professional terms used in the Social Engineering field. Forgive me if I take the long route explaining something that there is an acronym for that would have summed it up in 5 letters. Everything I learned about this field has been by trial and error; I wasn’t even aware of the phrase “Social Engineering” until a few years ago. I just knew that I was good at acting, which can come in handy if no one knows that fact.
So here it goes, but I need to throw in a little more background first. I’m not the smartest, the handsomest, nor the nicest guy you will ever meet, but I do have one thing; a great deal of good luck, sometimes. Some of my friends have said, “I’m the smartest, dumbass, you will ever meet”, but I like to think that I just ‘Forrest Gump’ my way out of shit. Or better put, I used to have a knack for stupidly getting into trouble, but smartly using luck to get myself out of it.
My manipulation started, like most people, with my parents. I found if you asked my parents questions, they usually gave out information that seemed harmless, but was actually very useful. As a young child, I could remember getting busted for not taking a nap. I would ask my parents innocently, how they could tell. My mother responded that she could tell by my eyes because “they didn’t look groggy at all”. So, needless to say, every time after that, my eyes would look groggy when I came out from my ‘nap’. This was the first time I can remember manipulating someone by ‘acting’. To be good in the field of acting (or do what I have done, which I will describe in this story) you will need to work on your lying skills. Essentially, good acting is all about how well you can lie.
Later, when I was a teenager, I got a job selling car stereo equipment from the back of my car. My business was all legal and I even had to get a license from the city, but we made it seem like it was an ‘illegal deal’ to customers. My customers thought they were getting a “deal of a lifetime”. When the police showed up, did their checks on me (which always seemed to happen), and everything was clean, I would reverse tactics. I then used the line, “See folks, all 100% legal. Come check it out!” I would even pitch the cops for some merchandise. This is how I came to be fearless when approaching strangers and starting conversations. I must admit though, I am better at social engineering in person with small groups, or one-on-one, than I am with large groups. It became easy for me, somehow, to read body language/visual cues and instinctively use them to my advantage. If I’m involved in a small group, I can spot the ‘alpha’ and usually make him, or her, the ‘beta’ without them even realizing it. This is the best way I can really explain it since I’m not really sure how I do it; it just comes naturally to me in social situations.
When I was around 19 or 20, I got involved in something stupid and was convicted of Burglary of a Habitation. I was sentenced to 10 years of probation. There is a lot more I could say about this, but it isn’t relevant to the story. Suffice it to say, I had too little experience in the criminal justice system and the sentence came out of the 144th District Court in San Antonio. In addition, my lawyer sucked. These things being said, however, as far as I know, all statutes of limitations have expired on everything else I’m about to tell you from here on out.
When I was in my early twenties, I was pretty broke. I couldn’t really afford car insurance. I did have a friend, however, who worked at a little mom-and-pop type insurance company. I convinced him to fill out a policy application and create a fake insurance card for me. That worked fine, for a few months, until I was pulled over by a police officer in a little suburb city that was notoriously known for their ‘tough cops’. The officer decided to call the insurance company and check the policy number. Well, of course, the company told him it was a fraudulent card. I was arrested and charged with insurance fraud. My mistake was having the card typed up as being good for a year instead of the usual 6 months that most insurance companies write up. (Note: the officer was most helpful in pointing that out to me).
With the threat of having the case sent to the 144th District Court and my probation being revoked, I started looking for a way out of this mess myself. Since my last lawyer didn’t help and I didn’t want my fate to end up with anyone else, I had to take care of it on my own. My friend had already quit his job at the insurance agency and I got this idea to check the Texas State Board of Insurance to see if the insurance company had any complaints against them. As luck would have it, the agent had 17 complaints for embezzling his customers’ money. The local grocery store had a fax machine that you could pay to use and I had the Texas State Board of Insurance fax me a copy of the complaints. I took them straight away to my probation officer and told her that I was now number 18.
A few weeks went by and it was time for my day in court. As I waited for my name to be called on the docket, it wasn’t. I asked the bailiff about my case and he informed me that all charges had been dropped by the State. The prosecutor never checked to see if I actually filed a complaint against the insurance agent. The court apparently accepted the faxed copies I submitted as evidence, never followed up with an investigation, and never advised me that my case was dropped. In those days, e-mail and cell phones weren’t used, but I figured I would have at least gotten a letter from the court/prosecutor’s office, or something. This was the first time I “rolled the dice” with the courts, but in no way was it the last time (or the most beneficial time for me).
EXPLOIT USED: Besides some awesome luck, I exploited the laziness of the overworked public employee.
VULNERABILITY EXPOSED: Lack of basic investigation by an overworked Prosecutors’ Office. They may have even called the agency themselves, but apparently never asked the right questions. I’ll never know for sure and, except for my summons to the court (i.e. court date) that I received upon exiting jail, I never received another piece of paperwork about the case.
PATCH: Better staff training. Maybe even restructuring the way investigations are conducted. This was so long ago that I’m sure, by now, changes have been made, but not being on probation (or at least reporting in) or being in the criminal justice system for over a decade, it’s hard to give more specific recommendations.
What should be said about this time in my life is that, like most kids and people on up into their early 20’s, I was always pushing boundaries. What’s worse is that I was pretty good at it, when I really focused at least. Like water trying to find a crack is how someone once put it to me. Tune in next week for a glimpse into how I managed to end up in Moscow, Russia, bribe a judge, outsmart my Probation Officer (but not without really making her mad though), and gain sensitive information that, at that time, wasn’t open to the public.
Editing: Jay Trinckes
Tune in for the next installment and to continue the story.