Volume 02 Issue 22
In this issue
There is a new edition of Social Engineering: The Art of Human Hacking. The first edition is no longer being sold. If you already have a copy, note that the new edition only updates some pictures in chapters 5 and 6; the content is the same.
We will be leaving the poll up for a little while longer, so if you haven't yet had a chance to vote, head over to this month's Social-Engineering Poll and give us your opinion.
The "Schmooze Strikes Back" Adult SE CTF is fully under way, and we are preparing for this event over the next few weeks.
In addition, we have launched the first-ever SE CTF for Kids at Defcon 19. This will truly be an event NOT to miss.
Finally, Spy Associates continues to send us cool devices to test. Please visit their page to check out some of the coolest devices around.
Check out the awesome music of Dual Core: IT geek, rapper and all-around awesome guy.
We want to say thank you to our sponsors this month:
Spy Associates, for continually giving us awesome products to test out.
The EFF, for supporting freedom of speech.
Want a very cool website? Check out Social-Engineer.Org's graphic and web developers at Tick Tock Computers.
Offensive Security, for their continual support. Are you looking for world-class security training? Offensive Security has live classes scheduled now. Sign up before they fill up!
A special thanks to our Editor: John 'J' Trinckes, Jr
Offensive Security live classes constantly sell out; register early to make sure you don't miss out on the next class.
Email Chris anytime at [email protected]
Social Engineering During Job Interviews
Recently, I got an email from a fan of Social-Engineer.Org, Chris Hammond (thrasher). He has read the book, listened to the podcasts and read the newsletters. He recently had a chance to try his newfound skills in a job interview, wondering whether he could give himself an advantage.
We caught up with him and had the following conversation.
SEORG: Chris, thanks for talking with us about this experience you had. Can you tell us what you do presently?
thrasher: I work as a consultant for a large firm where I do mostly security, privacy, and governance related consulting. I have never done an SE engagement, but I am a huge fan of all your work.
SEORG: If you do not do social engineering during your engagements, can you tell me what opportunities you have to actually try your hand at these skills?
thrasher: I was recently invited to interview for a health sector privacy contract. I got to thinking that some of the SE concepts I heard about during your podcasts with Kevin Hogan and, especially, Robin Dreeke could really make an interview go smoother.
SEORG: That sounds interesting... what did you get a chance to try?
thrasher: I started out with the premise that if I could build a rapport with the interviewers, I could then try to make them want to help me out by awarding me and my firm the contract over other candidates.
SEORG: Excellent. What was your plan to do that?
thrasher: I actually had a very specific rapport-building plan, as follows:
1. Smile with eyebrows raised;
2. Use an endearing head-tilt;
3. Use lots of eye contact - but not too much so I am not creepy;
4. Mirror my interviewers' body language;
5. Focus on listening and talk only when necessary; This one was really the opposite of my past job interview behaviors where I focused primarily on getting key messages across.
6. Look out for their physical signals as much as possible; and
7. Use no pretext and stick to drawing deeply on my own experiences - especially where I felt my experiences overlapped with theirs.
SEORG: Wow, that is really detailed. Did it work?
thrasher: Yes, after a short amount of time, I detected that a reasonable rapport had been established.
SEORG: How did you know?
thrasher: They started to share past compliance horror stories and to joke about how IT and privacy people often do not see eye-to-eye.
SEORG: Excellent indicators. So what did you do to take it to the next level?
thrasher: I tried giving them an opportunity to help me out. I told them, quite truthfully, that I had done the kind of work they needed on multiple occasions in the past; however, I had worked overseas for three years and needed to get back in the game. I needed to learn what had changed in the local regulatory regime. This contract would be a great opportunity for me to do that.
SEORG: OK, so let me get this right, first you used some excellent SE skills to build a strong bond of rapport, then you literally just told them the truth? How did this work out?
thrasher: (laughs) Yeah, it was quite interesting and way different from my past interviews, but the conversation went long and personal. A week and a half later, my firm was awarded the contract.
SEORG: Congrats, and excellent work!
What Can We Learn?
What I personally find interesting is how the principles of social engineering are used in many aspects of everyday life. This is a classic example, and one that was very effective.
Being an effective social engineer means being a good communicator, whether in written, verbal or non-verbal language. It is not always about "tricking" someone into believing something they shouldn't or don't want to. Thrasher showed us that by effectively communicating his skill set and abilities, he made it clear that he and his firm were the wisest choice for this job... and they got it!
To bullet out what you can take away from this account:
Thank you for sharing this with our team and taking the time to talk with us.
Do you have a similar story or account of success? Contact us at [email protected]
Written by Chris Hadnagy
Looking for Professional Social Engineering Services?
Social-Engineer.Org is branching out with our new website Social-Engineer.Com (coming soon!)
We are providing some of the following services:
For more information on any of the above or how we might be able to help you protect your company from malicious social engineers contact us at:
This year's Social-Engineer.Org CTF at Defcon 19 is sponsored by: