Security BSides Las Vegas is slated for August 5th & 6th, and in the run-up to this fifth anniversary of the epic event, we are spotlighting some of the really cool presentations that are scheduled to take place. Don’t forget that there is no registration for this year’s show, and passes will be provided on a first-come basis, so get there early.
Security BSides events are organized by and for the security community and attract some of the most innovative security practitioners from around the world, and BSidesLV has the reputation for being one of the biggest events of the series.
We first featured sessions by Guillaume Ross (@gepeto42) on vulnerabilities in URL schemes that could be exploited by malicious actors, and a talk being presented by Rachel Keslensky (@lastres0rt) which examines why the sea of swag at conferences is generally a wasted investment for companies.
Next up is a session being delivered by Nick “MasterChen” Rosario (@chenb0x) titled What I Learned as a Con Man, which will focus on a few case studies of various cons and a breakdown of what, in social practices, makes it easy for a con artist to be successful in social engineering attacks.
This will be Rosario’s first speaking engagement in the information security field, but his extensive experience with the subject matter is based on a background in sales, teaching, and technical writing for 2600 The Hacker Quarterly on the subject of hacking VoIP systems.
The case studies discussed in this session look at what has and has not worked in the past for Rosario in regards to social engineering and manipulation ops. These cases are drawn from his relationships, sales and advertising efforts, and job hunting expeditions that were somehow misunderstood as “hacker for hire” solicitations, and after each case study is presented there will be an analysis of what would enable better success in future such cases.
“Every single one of us encounters con-men in some form or fashion in our lives, perhaps even on a daily basis. Whether it be a pushy salesperson or a straight up grifter, many people are after your money and information,” Rosario said.
“This talk is aimed towards the fundamentals of conning people out of their assets. With each case study, the audience members can reflect to see if they have been a victim. We need to know the methods used in order to be able to defend against these social attack vectors.”
Rosario says the information presented in his session will be of interest to anyone who has ever been targeted, or is at least a little paranoid of such an incident occurring, including businesses and individuals alike who have information and other assets that need to be secured.
“By understanding the mind and methods of a grifter, I am hoping that my audience will be made more aware of social attack vectors and how exactly these vectors are conducted, because cons aren’t always technical in nature, which means there is more potential here for a bigger pool of attackers,” Rosario said.
“The attacker doesn’t need to know how to program a computer to break down weaknesses in the human psyche. While this is well known, I don’t believe this hits home until the target has already been compromised.”
Rosario emphasizes that he is not trying to train a new wave of attackers, but simply trying to provide the audience actionable knowledge that will make them less likely to become victims of human hacking attempts.
“It is a double-edged sword, but I feel that if I expose some secrets, real attackers will be forced to work harder for the same result,” Rosario said. “Whether a con is a failure or a success, something can be learned from each example. Sure, social engineering talks have been plentiful, but I am confident that my talk will bring some new perspectives to light.”
Rosario notes that humans are creatures of habit, and the future vulnerabilities that will be exploited are dependent on an aware culture as a whole – like the social norm to be cautious when dealing with strangers, yet at the same time still trying to remain personable.
“Should we become paranoid and cold towards each other, or should we become more aware of the risks in order to gain a mutual respect for each other while mitigating social attack vectors?” Rosario said. “This talk will examine those questions and the associated dynamics involved.”
- Confessions of a LinkedIn Imposter: We Are Probably Connected
- Grounding Anti-Phishing Programs in Cognitive Foundations
- Manipulating People for Fun and Profit
- The Best CISOs are Social Engineering Masters
Check out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the Heartbleed vulnerability.
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Title image courtesy of ShutterStock