Darknet Diaries - 107: Alethe
Episode Date: December 21, 2021
Alethe is a social engineer. Professionally she tries to trick people to give her passwords and access that she shouldn’t have. But her journey to this point is interesting and in this episode she tells us how she became a social engineer.
Follow Alethe on Twitter: https://twitter.com/AletheDenis
Sponsors
Support for this show comes from Skiff. Skiff is a collaboration platform built for privacy from the ground up. Every document, note, and idea you write is end-to-end encrypted and completely private. Only you and your trusted collaborators can see what you’ve created. Try it out at https://www.skiff.org/darknet.
Support for this show comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.
Transcript
Okay, so one year when I was in college, I took a job at the Renaissance Festival.
If you don't know what that is, it's a place where people dress up like they did in the 15th century
and do things from that time period, like jousting and falconry and eating old-fashioned food.
It's almost like an amusement park, with tall walls all around it, and you have to pay to get inside.
Well, when I got a job there, my boss forgot to give me an employee pass to get in.
So every day that I came to work, I had to find a way to sneak into the festival. This was such
a fun thing for me to do because I had an honest reason to sneak into the Renaissance Festival.
I figured out where employees park and I saw there was a security guard watching the back gates and side entrances and stuff.
But I quickly learned their habits and was able to find ways to go around them.
Over time, the security guards started to notice me more and more,
and thought I was suspicious because I was showing up every day and always avoiding them.
Once, they even got in their golf cart and came straight towards me,
and I just ducked behind some trees or some cars or something and waited for them to roll on by in their golf cart.
Then when the coast was clear, I'd pop up and go the other way and figure out a way to get in the festival.
This went on for months.
Until my boss said,
Hey, I was talking with the front office today and we were going over some things and I realized I never gave you an employee badge. How have you been getting in every day? I said, well, it's no
problem. I've got ways of getting in. And he said, I bet you do, but I don't want to be the one to be
blamed if you get caught. And I said, okay, okay. I'll just say I work at some other area of the
festival. This way it won't come back to you.
He was flabbergasted, but gave me an employee badge anyway,
which was actually good because the security guard finally caught me the next day
and was all like, finally gotcha, now you're coming with me, pal.
And I was like, but look, I have an employee pass.
And then he was flabbergasted because he thought he caught me doing something wrong.
Well, he did the right thing.
And he actually escorted me to the front office to make sure my badge was valid.
Fun times there.
Fun times.
These are true stories from the dark side of the internet.
I'm Jack Rhysider. This is Darknet Diaries.
This episode is sponsored by Delete Me.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive.
It's endless.
And it's not a fair fight.
But I realized I don't need to be fighting this alone anymore. Now I use the help of Delete.me. Delete.me is a
subscription service that finds and removes personal information from hundreds of data
brokers' websites and continuously works to keep it off. Data brokers hate them because Delete.me
makes sure your personal profile is no longer theirs to sell. I tried it and they immediately
got busy scouring the internet for my name and gave me reports on what they found. And then they
Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries and use promo code darknet at checkout.
The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code darknet at checkout.
That's joindeleteme.com slash darknetdiaries, use code Darknet.
Support for this show comes from Black Hills Information Security.
This is a company that does penetration testing,
incident response, and active monitoring to help keep businesses secure.
I know a few people who work over there, and I can vouch they do very good work.
If you want to improve the security of your organization, give them a call.
I'm sure they can help.
But the founder of the company, John Strand, is a teacher.
And he's made it a mission to make Black Hills Information Security world-class in security training.
You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more.
But get this, the whole thing is pay what you can.
Black Hills believes that great intro security classes do not need to be expensive,
and they are trying to break down barriers to get more people into the security field.
And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range,
which is great for practicing your skills and showing them off to potential employers.
Head on over to blackhillsinfosec.com to learn more about what services they offer
and find links to their webcasts to get some world-class training.
That's BlackHillsInfosec.com.
BlackHillsInfosec.com.
Can you pronounce your name for me?
Sure. My name is pronounced Aleth, like a lethal weapon.
What are you doing these days with social engineering type stuff?
So I work for a company called Critical Insight.
Client base is really centered around organizations that provide critical infrastructure.
So hospitals, water systems, manufacturing, DOD contractors.
But kind of my core interest is growing our social engineering side
to do more phishing and more actual social engineering physicals
where we're doing engagements on site.
Yeah, Alethe's job is to social engineer Department of Defense contractors to try to get them to do things they really shouldn't do. But how did Alethe get to this point? Well, that's actually a very interesting journey. So like buckle up because this is definitely not the normal, how did you get into InfoSec type of story.
I'm good at reading people because I'm a social engineer. I'm a social engineer because I'm
good at reading people. And the way that I became good at reading people is through a very chaotic
series of unfortunate events and terrible relationships. And really, that's the core
of how I became who I am, is a series of really crazy events.
Can we go that far back?
We're going to go all the way back to the beginning.
So I was born and raised in South Africa by American parents.
When I was around five or six, things with my parents weren't going so great.
And by the time I was seven, they'd separated and were living in different houses.
And this was kind of the beginning of me having to grow up pretty quickly.
My mom was always kind of like the cool big sister. And she really let me have so much freedom as a kid just
to explore my own creative ideas and do some really dangerous stuff without really putting
guardrails on me. I was the oldest of three kids. And so I kind of ended up taking charge of my younger siblings. And when I was seven or eight,
we left the country kind of under the cover of darkness and without the knowledge of my dad.
So we moved from South Africa to Botswana to live with my grandparents for a while while my mom kind of figured out what she
was going to do. And then we moved from Botswana to California around the time I started fourth
grade. And when we were living there, my brothers and I were welfare kids. And this is kind of where I got started, really honestly started, in social engineering.
Like, I was always kind of a manipulative kid.
I could figure out how to get adults to do what I wanted them to do for me.
But this is really where things started to get interesting.
She was a latchkey kid, meaning she'd be home alone with her brothers while her mom was at work.
This gave her freedoms to do things without an adult telling her what to do.
On top of that, her family didn't have that much money.
And in the 90s, it was like, you know, my mom would just kick us out on the weekends and I would just rollerblade around town for 12 hours and get the bus, go downtown, go through all the shops.
I learned to shoplift.
We would sneak into movie theaters.
We would just get into like pretty harmless trouble just as, you know, pre-teenage kids rolling around downtown doing whatever the heck we could get away with.
She was practicing how to be sneaky and manipulate adults into getting what she wanted.
At the age of 11, I had my own videotape,
like VHS cassette tape rental account at the movie store
that was between my school and my house.
And they would let 11-year-old me come in and rent movies
and take them home and trusted me to bring them back.
They opened the account for me with no ID, no nothing.
In seventh grade, she moved back to South Africa to live with her dad for a while.
And he enrolled her in a very strict Catholic school.
And I made like the worst possible mistake that any new kid.
And I mean, I wasn't a stranger to being a new kid in a new school where people already had
established friends and relationships and you were like a complete outsider because I'd done
it now a few times. But this time I decided that I was going to try to be one of the cool kids,
which was like the worst thing I ever could have done ever, ever, ever. Because I started making up just total BS stories
about all these crazy things that I did when I lived in America.
And it was like the worst.
It totally backfired.
So this was like a really great lesson for me as a social engineer
that over embellishing,
instead of having all the kids at my new school think I was
super cool, they actually thought I was a complete and total idiot. Kids were picking fights with her.
Nobody trusted her. The only friends that she made were other liars. And she didn't like that.
Her dad moved her to another school. And this one was an all-girls school. Now this was in the late 90s in South Africa.
Not many schools had computer programs then, but this one actually had a computer lab and really
tried to get the girls into computers. So I started doing computer science. I learned to
code in Turbo Pascal and I was just completely like hardcore sucked into this idea that I was going to learn to code so
that I could hack this game that we would play just on like the LAN at the school that was called
LORD, Legend of the Red Dragon. It's like a completely text-based like roleplay game type
scenario. And so I was obsessed with this game. And I would spend
most of coding class playing the game and then catch up on all the coding stuff like after school
and do my assignments and stuff like that then. But I just became completely obsessed with
computers and technology and coding. And I just went completely all in on like biology and computer
science. And that was my thing. And when I graduated, I went to school at the University
of Cape Town. And I was doing a bachelor's in chemical and molecular sciences with a minor in computer science. And this was the year that I just decided to completely just demolish my life.
I was 18 and my parents were super strict.
And so I decided I was going to just ditch class and go hang out with my boyfriend and
just be a kid
because I finally had some freedom outside of this very structured,
all girls uniform, Catholic school kind of environment.
So I got into trouble.
I got into like big trouble.
And I started, for years, I'd been hanging out in IRC chat rooms and stuff,
talking to just random people.
And I started a few friendships with people and some of them escalated
over the course of like four or five years.
And even though I had like a boyfriend in real life,
I also had a few people that I was keeping in contact with over IRC chat rooms.
And one of these people essentially groomed me over the course of four or five years.
And it got to the point where I so implicitly trusted this person and was so turned against
my own family that I made some really, really terrible decisions, like awful decisions.
The person she was chatting with online was from Virginia, on the other side of the world from where Alethe was, in South Africa. The person asked Alethe a lot of personal details, ASL to begin with, age, sex, location, then more details like her phone number and eventually her address. When they got her address, that's when things got weird.
They were sending me care packages like from the United States.
So all I know is that the packages came from Virginia and that when my folks figured out what was going on, they lost it.
It really freaked them out.
And they were completely justified in their freaking out, for sure. And so it was kind of like the catalyst of this series of events that eventually let,
like it ended in me getting kicked out. And South Africa is not the greatest place for you to live alone as a young woman. And it's very dangerous.
So my dad was like, look, you can't stay here. You're not going to class. You're not holding up your end of the bargain, basically. And he was completely justified in doing this.
But he gave me the opportunity to move back to the States and kind of reboot my life. And I think it really was the best possible scenario given the damage that I had done.
I was very destructive in my own life, just had destructive tendencies. I struggled with
depression and anxiety and just kind of like trying to find and figure out who I was
was going to be something that I would be a lot more successful doing here in the States.
So she moved from South Africa back to California, which is where she's been for the last 20 years.
But it wasn't easy getting established back in the States. Her college credits didn't transfer,
which meant she had to start over with college, and she didn't have a good job to get by with.
Her future was just not looking so good. And that led her to depression and anxiety.
And she was worrying about how she'd find food just to live.
I literally took a job scooping poop at a pet store for minimum wage.
And at the time, that was $6.25 an hour.
And I loved that job because everybody there was so neat.
And I got to play with puppies, which was great.
Working retail taught her some new skills about how to deal with angry customers.
It improved her social and communication skills.
And then she got a job at a title company where she had to research who owned certain properties.
Through the course of these positions, I learned a lot about public record. I was essentially searching public record for information about people and property and putting together chains of title of property, like from the beginning of time until now, who's owned this property, what documents have been recorded against it, what easements or liens are against the property, etc.
This is where she picked up some OSINT skills. OSINT is an acronym. It stands for Open Source Intelligence Gathering.
She was learning how to find people and what properties they've owned over time.
If it was owned by a business, then she could look up who the owners of that business were.
There are a lot of details in public records,
and she became a whiz at mining these public records to find the information she needed.
But then she quit doing that and had a string of other jobs that all gave her new knowledge in different areas, such as selling mobile phones, doing
social media management, marketing, doing tech support for software. And then she landed a job
at a staffing company where she was doing research and writing reports. Around that time, she and her
husband started an IT company themselves. It was small and not big enough for them to quit their
job and do it full time,
but they wanted to make sure their services were secure,
which is how they heard about DEF CON.
DEF CON is the largest hacking conference,
held every year in Las Vegas, Nevada.
And the first DEF CON that I went to,
I discovered the social engineering village,
and it was kind of like everything I'd been doing since I was a, you know, kid, kind of all coming together under one umbrella called social engineering.
At DEF CON, they have these villages. There's biohacking villages, which has people hacking medical devices and their own bodies.
There's a car hacking village where they have an actual car in the conference that you can try to hack into. And there's just so many. There's lockpick village,
IoT village, wireless village, voting machine village. But one of the most popular is the
social engineering village. Here they have speakers up on stage sharing their tricks of the trade,
which is basically how to manipulate people to get them to do things that you want them to do,
such as letting you in a secure building,
clicking a link in a phishing email, or calling someone up and getting them to tell you a key
bit of information that might help you break into the place.
And at first I was really focused on like the manipulation and the coercion and like all the like negatively slanted words that really fall under social engineering. And it just completely captured my attention and my focus.
But if you hang out in the social engineering village long enough,
you'll realize that the main event is the contest.
And the final round of the contest is done on stage live in front of everyone.
And the contestant goes into a soundproof booth
and calls up a company to try to get someone
there to tell them some key information. And this is broadcast live in the conference room in front of everyone.
They told me about the social engineering capture the flag contest where they
put folks into a soundproof booth. They give them 20 minutes and they call the target company and
they have to elicit information from the employees of their target company over the phone.
And I was completely floored.
I thought, there's no way I could ever do something like that.
That is absolutely insane.
Like, I'm the type of person that will send 150 emails before I pick up the phone just to avoid talking to people.
Generally speaking, that's me.
And so I was like, this is nuts.
There's no way that I can ever do something like that.
That's crazy, but I want to watch this happen.
So the next year we went to DEF CON
and I was like, see ya, everybody that I came with.
I'm gonna go grab some food
and sit in the back of SE Village all day
to make sure that I can listen
to all these calls. So like I went to Starbucks to grab breakfast and like a couple snacks and
a coffee and a water. And then I stayed for the rest of the day to listen to the remaining
contestants. And then the next day I kind of did the same thing. And I didn't leave. Like I didn't
leave to go to the bathroom. I didn't leave to go get lunch. I was there from like 10 until after two when they ended the last of the seven calls for each day.
These are always interesting calls to watch. It's live, so you don't know what's going to happen next. But the contestant has a goal to get certain flags. What make and model is your laptop? Are security guards watching the front door? What software is on the laptop?
What are the password policies at the company?
Or other security-related pieces of information?
The more flags you get, the more points you get.
So the neat thing about the social engineering capture the flag is that each of the contestants, and there's only 14 each year, they are selected from a group of 200 or 300 applicants.
And they get a Fortune 500 company as a target about six weeks ahead of DEF CON.
They get four weeks to do OSINT and investigate that target and find as much information as they can about them.
And then see if they can find very
specific flags of information that the contest runners have assigned points. And then they
compile a report, they submit that to the contest runner and it's graded. And then they use all the
information that they found during the course of their OSINT, their investigation, to then call that target from a soundproof booth in front of 500 to 1,000 hackers live in a room with a 20-minute time limit.
I mean, it is like the most high-pressure crazy situation ever.
And you're just praying that somebody answers the phone.
And then once they do answer the phone, you're praying that you can keep your stuff together and remember who you decided you were going to pretend to be to get these people to give you those same flags of information or confirm them, if you already know, over the phone.
The more Alethe watched these people make these phone calls and try to social engineer people, the more she wanted to do that.
Like, I saw the movie Hackers after it first arrived in South Africa.
And it was just like, oh, my gosh, this is who I want to be.
Like, I thought for the longest time that I just wanted to be Dade and be cool like him.
That was the first time I saw, like, social engineering, that part where he social engineers the guy at the TV station.
Here's the clip she's referring to from the 1995 film called Hackers.
Security, Norm.
Norman speaking.
Norman, this is Mr. Eddie Vedder from accounting.
I just had a power surge here at home that wiped out a file I was working on.
Listen, I'm in big trouble.
You know anything about computers?
Um, gee.
Right, well, my BLT drive on my computer just went AWOL,
and I got this big project due tomorrow for Mr. Kawasaki,
and if I don't get it in, he's gonna ask me to commit hara-kiri.
Uh...
Yeah, well, you know these Japanese management techniques.
Could you read me the number on the modem?
Um... That's a little boxy thing, Norm, with switches on it.
Lets my computer talk to the one there.
2-1-2-5-5-5-4-2-4-0.
It just completely floored me.
I thought that that was the coolest thing ever, ever.
And I wanted to be like that so badly.
And it felt like I kind of put all
that stuff on hold for, you know, I think I was like a teenager when I saw that. So it felt like
I put all that stuff on hold for like 10 or 15 years. And then walking into DEF CON the first
time it was just like, oh my God, I'm home. Like these are my people. Like this is the island of Misfit Toys that I have been looking for
for over a decade. And everybody was so flippant welcoming and accepting and supportive and
awesome that I was just like, I want to live here. And so it was kind of like finding my
niche. You know, after the second DEF CON, after watching all the calls at, uh, SE Village and
seeing, you know, actual real social engineers do the thing in front of everyone. And just like,
I just wanted to be like that. I wanted to have that confidence. And I really wanted to push
myself to get more comfortable with having uncomfortable conversations with people,
because I felt like it would just make me a better, you know, business owner, a better
communicator, a better employee, a better parent, a better spouse. I just didn't think that I could
really go wrong with improving those types of skills.
She goes home that year thinking about competing in the next social engineering capture the flag contest.
She wants to try it, but she doesn't think she'll qualify.
And she questions herself.
But then at the last minute, she decides to apply to be a contestant.
I ended up getting selected as one of the 14 contestants.
About three months before DEF CON, they assigned the contestants their target.
Alethe was assigned a trucking company in the U.S.
And she had about four weeks to do OSINT on them and turn in her report.
Now, with OSINT, you can only get data that's publicly available.
You can't call someone or phish someone or hack into something to get the information.
She had to find as much information as she could about this company through public sources,
such as going to the company's LinkedIn and seeing who works there
and then finding those employees
on their social media accounts
and looking at their profiles.
This first round of the contest
is to try to gather certain flags
or pieces of information from the company
and compile that into a report
and turn it in a month before DEF CON begins.
So flags, they are everything from information that would help in the contest of like a physical pen test.
So who does the garbage service?
Who's the janitorial service provider?
Who runs the cafeteria?
Who's the vending machine service and repair company?
Those kind of things.
Then there's like company-wide type technology, like who's the VPN
provider? Do they have Wi-Fi available on site? What is the SSID or the name of that Wi-Fi that
is available to guests? Or internally, the version and the type of browser they use,
their PDF viewer, whether or not they use a specific parcel service,
the make and model of the laptop or computer that the employee was issued.
Alethe begins collecting data on this trucking company.
So I had a tough time figuring out the best way to do this.
In brief, I basically, I started with the company website.
And then from there, I'll move into company review websites, like Glassdoor and Indeed,
to learn about company culture and any like inflammatory things that I can use to kind of
build rapport with the employees. And then from there, I look at job, open job descriptions, if they name any
specific types of technology or, you know, help desk services that they use and things like that
can be useful to me. And then once I'm done with like company review websites and job descriptions,
then I'll get into some more detailed snooping. Usually this involves a lot of Google dorking
because now I've kind of got an
idea of what type of pretext I'm going to use and I want to find more information to support
that pretext. So say I want to impersonate an internal employee and call the help desk,
then I might be Google dorking to look for all documents that are on that domain that are a file type PDF
that contain the word onboarding or new hire or something like that. Because I want to find
where it says, you know, if somebody is abusing technology, call this number. And usually that's
their internal help desk. So that's kind of an example.
But I kind of just, I use a lot of social media as well. So I will find the address of the headquarters or the branch locations that I want to target and or where the employees sit who I
want to target. And then I'll put that address into Instagram, into the location
search and find all the pictures that are geotagged to that location and see if I can find things
in those pictures that will help me. Stuff like employee badges, things that would show employee
ID numbers so I can get a good idea of what those look like and how they're composed. I'll also look for, you know, pictures where there's always one,
where it's like the Starbucks coffee cup in front of the open monitor
with all their applications open.
That's my favorite.
And then from there, I just kind of snoop around
until I find some more of the stuff that I want.
Like, I want to know who the cafeteria vendor is.
One of my most favorite pretexts is that I will call
and pretend to be from the corporate office of the cafeteria vendor
for the cafeteria that's within the headquarters
or the office building of my target company.
Because it's usually like it's not close enough to them
for them to go, oh, what's your name? Let me put it in the global directory and pull you up.
But because it's an entity that has, you know, authorization to be within their building,
it's kind of inherited the trust of that organization. And so therefore I would
inherit it saying that I work for
that cafeteria vendor that they've already had an existing working relationship with forever.
So the more information I can gain through OSINT, the better equipped I'm going to be
on the calls. And that's really where I think the majority of social engineers,
especially in the context of the social engineering capture the flag have been successful,
is just being overprepared with knowledge about the company and what they have, use and do.
She spends the four weeks collecting as much data as she could about this.
I turned in my report and I was kind of like, well, hopefully that wasn't terrible.
And I was actually fifth out of 14.
My report was scored fifth highest points based on the flags of information that I found on the target.
Whoa, that's pretty good for a first-time competitor. The final score
is a combination of the points you get from this report and the points you get from the live on
stage call at DEF CON. So she has a chance of being in the top few if she can outscore some
of the others that did better than her on the report.
So what happens at DEF CON for the actual competition is you report to SE Village. They get
you, you know, checked in and whatnot. And then when it's your turn, they put you into the booth,
you get a pair of headphones, and you are sitting on a stool in front of a pretty high quality microphone. And
you have a list of the numbers that you want to call. And you have a list of the numbers that
you would like to spoof to support your pretext or who you've decided you're going to pretend to be.
Now, the target they gave her is just this company.
They didn't provide any phone numbers or specific people to target at the company.
That was all up to Alethe to figure out which person or people to target and what their
phone numbers were.
And the company that runs the social engineering village has some pretty good lawyers to help
make sure this is all legal.
And so Alethe provided the phone numbers to the contest runner,
who then dials a number and connects her to the call.
During the contest, not only are you on a stage in a booth with glass in front of you
and everyone watching, but they also have cameras inside the booth.
And so you're on like two or three giant screens in this enormous ballroom
inside a casino at DEF CON and everyone is just watching your every twitch.
And so once you're like ready to go, they start the 20 minutes on the timer and it's a big red numbered timer that they hold in front of your face.
And then you say, you know, call number one or two or three or whatever it is on your list and spoof number one or two or three or whatever it is on your list.
And you go.
Alethe was prepared for this, though.
She had a plan.
She had a pretext ready, which is who she was going to
pretend to be when calling these people. And she had practiced this pretext in her head. And she
knew a lot about the people she was going to be calling from all the past research she did on
them. So you can bring whatever material you want into the booth. There are people that like to
bring props like keyboards and stuff like that. I went very low tech. I brought
in like three sheets of paper. And one of them was a list of all the flags that I'd made like
my top priorities of each of the flags that I wanted to get. And then I kind of dropped like
a four square for my pretext. And I have like a, you know, like magic quadrant kind of an idea.
But one square is who I am and my information of me, my pretext person that I'm pretending to be.
One square is who I'm targeting, their phone number, their information, email address,
whatever about them so that I remember who I'm talking to and I don't freak out. And then I have like a box that
has the key points of my pretext. Like what company do I work for? Why am I calling? What do I need?
And then I have the other box that's like my goals for the call. Like these are the flags that I want
to get out of this call. She was able to get a few more flags from this other person and then her
time was up. So she ended the call.
On Saturday, they tally up the scores and announce the winners. Alethe got sixth place.
But to her, she had a blast. Having the ability to make people laugh and have them respond to what I was doing in that way was just like, phenomenally rewarding. Just it made me feel
amazing. And so after that, I was just like, this is what I want to do for my life.
This is it.
Now, while she was in Vegas that year, something else happened.
At that DEF CON, I ended up getting pregnant.
She really wanted to compete in next year's social engineering contest.
But with a baby on the way, that complicates things.
Stay with us because after the break, she comes up with a plan.
This episode is sponsored by Shopify.
The new year is a great time to ask yourself, what if?
When I was thinking, what if I start a podcast, my focus was on finding a catchy name, some cool stories and working out the best way to record.
But oh, so much more goes into making a podcast than that.
If you're thinking, what if I start my own business?
Don't be scared off because with Shopify, you can make it a reality.
Shopify makes it simple to create your brand, open for business, and get your first sale.
Get your store online easily with thousands of customizable drag and drop templates, and Shopify helps you manage your growing business. Shipping,
taxes, and payments are all visible from one dashboard, allowing you to focus on the important
stuff. So what happens if you don't act now and someone beats you to the idea? The best time to
start your new business is now with Shopify. Your first sale is closer than you think.
Established in 2025.
That has a nice ring to it, doesn't it?
Sign up for your $1 per month trial period at Shopify.com slash Darknet.
Go to Shopify.com slash Darknet and start selling with Shopify today.
Shopify.com slash Darknet.
By this point in her life, she's already had three kids. Now another is on the way and the social engineering capture the flag contest was one year away. But this was such
an important competition for her that she was absolutely determined to compete in it.
So May rolls around, which is when you apply for the contest. I applied while very pregnant.
She gets accepted to compete.
She has the baby.
And shortly after that, they give her the target.
I was on maternity leave and I was like, if I can use my maternity leave to do the OSINT,
that would be like perfect because I won't be juggling a newborn and work and the OSINT.
It'll just be a newborn and the OSINT and the other three kids.
So she spends her maternity leave doing the OSINT part,
researching the client, finding the best way to approach them,
and gathering as many flags as she could for the report.
I only focused on doing better than I had the year before.
That was my main objective was I just want to do better than six.
That's it.
Like if I can get into the top three, that would be amazing. But I just want to do better than I did the year before. I almost
did not want to win. I didn't want to win because as soon as you win, you can't compete anymore,
you're out. And I really enjoy playing the game more than anything. So I went into it determined
to do better than six. I did the OSINT for my report.
I turned the report in and I ended up placing third in the report scoring.
So I was like, hey, if I hold third, that would be crazy.
If I was able to push it up to second after the call round, that'll be nuts.
So I went to DEF CON, took the baby.
For this trip to DEF CON, she takes herself and her three-month-old baby and her husband.
The other three kids stayed back at home in California.
And so they fly out to Las Vegas.
DEF CON starts on Thursday and goes all weekend to Sunday.
And she had to get back home by Sunday night because her kids started school Monday morning.
So I ended up bringing a three-month-old baby with me
to DEF CON, which I don't recommend and I highly discourage anyone to do in the future because it's
not great. It's not a fun experience. But I committed to competing and I wasn't sure if I
was going to be able to compete after that. And so I was just like, I'm going to go for it. Like,
she'll be young enough and I'm an experienced enough mother to know that a kid under the age of four months is highly portable, easy to feed, very easy to take care of and very cooperative compared to like the toddler age for going to Vegas.
So in the morning, I just got all my stuff ready, went to SE Village.
I was competing on the first day, which was Thursday, and I was the last person to compete that day.
So I was seventh on the first day.
And I tried to watch the rest of the calls, but I really wanted to be respectful of the other contestants.
So like if the baby got fussy, I would walk out to the hallway and go take care of her or stand in the back of the room just so that other people could see.
And I wasn't a distraction or, you know, being disruptive.
And so I missed so
many of the calls, which sucked because I really wanted to watch them all. And then when it was my
turn to go, like I ran to the bathroom like five minutes before my time and I'm like, don't worry,
I'm coming back. And then change the baby, finish nursing the baby and run back up to the front,
like throw the baby at my husband and just like prayed she didn't start crying while I was
in the booth. Because as a mom, it just like triggers you, especially very shortly after
having a baby. If you hear a baby crying, like it just like sidetracks your whole brain. And I
wanted to like be able to maintain that focus. So I was praying she wouldn't start crying. And
sure enough, as soon as I started dialing the first number, she started crying. And I think it's just because they were like broadcasting the ringing of the phone out
to the whole room. But it was just kind of like an overwhelming situation for her, which I totally
appreciate. So I just had to like put myself in the zone and like ignore everything outside of
the booth. Like everything outside of the booth just was blackness. And I had to focus on
who I am, who I'm calling, what I'm doing, what I'm saying. That's all that matters right now.
So my first call was going to be to tech support. And I was going to pre-text as a new
intern because it's summer and this company had a lot of summer interns and they were very public
about that on social media. So it fit. And I was just going to be like, I'm trying to go to
this website for training and I can't get there. Can you help me? Can you try it? And finally,
I convinced this person to go to the link and they confirmed what they saw. And then I just said,
oh my gosh, I'm such an idiot. I wasn't even on the internet. And I just tried to get off the
phone with him as quickly as possible so I could salvage as much of my 20 minutes as I could. So after that call, I hung up and I
decided that I was going to target their regional sales people, their remote sales people that were
responsible for various regions of the United States. And my target was a ginormous tobacco company. So I almost didn't feel bad.
So I ended up getting their cell phone numbers through my OSINT for these regional salespeople.
And I learned a ton about how they treat their salespeople from the company reviews that were left on Glassdoor by salespeople.
And I knew that they had company cars, company laptops, company cell phones, and all that stuff.
So I knew a lot of what they would have already.
And I could just make this super easy and ask them to confirm it. But I needed to figure out how I was going to give myself the authority
to ask those questions without raising their eyebrow, so to speak.
So the pretext that I came up with was,
I was helping IT contact people whose computers hadn't connected to the VPN in a while because we were getting
ready to replace remote workers' laptops. And we were trying to confirm what software
and applications they had on their computer before we shipped the replacement computers out.
And every remote worker wants a new laptop because every remotely deployed laptop
has issues. It's just a fact. And so I was like, I'm incentivizing them with a new laptop.
They are going to trust me because I sound nice and likable. And I'm an internal employee.
So I started the call by saying, hi, this is Bethany.
I'm calling from the headquarters in this town.
And so immediately they know who I am,
where I'm calling from
and that I'm an internal employee.
So I've like knocked all those things
out of the list of objections already.
And I've made them feel better about the fact that I'm internal
by saying where I am located. So they feel safe that I'm calling from the headquarters and I know
where that is and it sounds legit. Then I gave myself a name that was a little younger. And I tried to sound like I raised my voice just a teeny bit just to sound
a little younger. And then if they pushed back about the IT part, I was gonna be like,
yeah, I'm an intern. I'm just helping IT. And so I don't know. But they just gave me this list.
And the sooner I can get this done, the faster you'll get your laptop, basically. Zero people pushed back.
No people.
And so I said, we're getting ready to send out these laptops.
Do you have a couple minutes just to go through your computer with me and answer a few questions
to make sure that we get you all the programs and applications that you need installed before
we ship this out?
And they're like, of course I do. And I talked to one
gentleman and then he was like, he was super helpful. And I got like through my whole list
of flags, really like every single flag, he just gave it to me. And then I, you know, very politely
ended the call. And I decided instead of calling the person that I planned to call, I was going to
call the next one. And I don't know why I decided to do that, but I did.
It was just like the most amazing success on each one of the calls. And on the last call,
the guy that I called was like, oh man, well, I'm not on my computer because I'm actually three
months into my four-month paternity leave. And I was expecting him to shut me down.
And I just said, oh, no, I'm so sorry.
I'm so sorry to bother you.
Let me let you go.
Because I was trying to conserve as much time as possible to try to make another call.
And he's all, well, hold on.
Let me just go get the laptop.
And I was like, what?
So he went and got the laptop.
And as he was like booting it up,
I was just like, okay, shoot, what can I get out of him while this thing is booting up?
And so I was just like, yeah, that's so crazy. I just had a baby too, which is totally true.
I'm like looking at my three-month-old baby. And he was like instantly ready to just tell
me everything. And so I asked him like, while, you know, while their computer's booting up, is it the, this brand, this model? And he's like, yeah. And I was like, and did you have to
type in the thing for BitLocker just now? And he's like, oh yeah. And I was like, and, you know,
and I just walked him through all the stuff. And at the end of the call, it was like, I knew I had
like seconds left and I wanted to make sure that I ended it, you know, on a nice note.
And it wasn't just like a click hang up.
And so I wrapped things up like with a bow and just thanked the guy profusely and told him to enjoy the rest of his leave.
And I still feel freaking awful for every single one of these calls.
Like I feel gross about what happened after I hung up. And did they ever reach out to
IT? And did they figure it out that they got scammed? Or what did they feel about that?
Did I make them feel bad? Because I really hate that. I hate that aspect. The nice thing about
doing this for real, for money, with clients who know I'm going to call them and who I give a report to,
is that I can kind of like beg forgiveness after the fact and like make amends, so to speak,
with them and just be like, yeah, sorry, that was a test. And, you know, you did really great at
this part, but you did really bad at this part. And, you know, this is a safe learning experience.
It's much better that you failed now than with an actual attacker kind of a thing. But in these scenarios, it's just like, I still wonder. I still remember the names of the
people that I targeted the first time around. And I wonder how they are and how their kids are.
How the job's going. I feel like we're friends because I just completely over-researched all
of them. She came out of the booth and felt
really good about the points she scored. She knew she got a lot of great flags and used her time
very effectively. And the audience seemed to really like it too. They seemed entertained.
These calls aren't recorded, so I can't play any of them for you. Nevada is a two-party consent state,
so they can't record them by law. But despite her feeling good about it, there were still seven more contestants competing the next day.
And two of those were the ones in first and second place.
So it was too hard to tell if she had won at that point.
We wouldn't know until Saturday.
And so Friday, the rest of the contestants do their things, and then Saturday rolls around.
Alethe goes to the party where they announce the winners.
They announced the second place and it wasn't me.
And I was like, oh, well, you know, maybe next year.
And then they announced that I won.
And I just was like, first thing I said was, oh, shit.
I'm like holding a baby and I'm like, I don't even know what to do with myself.
So it was really,
really amazing. And then I realized that my flight, I didn't expect to win. I'd scheduled a
flight that left at 3pm on Sunday from Las Vegas and closing ceremonies start at 4pm.
So the airport that we fly in and out of, like there's one flight per day.
So that like if you miss that flight, you're it, you're done.
And I had a kindergartner that was starting his first day of school on Monday morning.
So there was no getting back on Monday sometime.
Like it had to be Sunday.
So we ended up missing the flight and we went to closing ceremonies because it's just it's a once in a lifetime opportunity. Welcome to the stage, the social engineering contest.
And I took the baby up on stage with me. Okay, so is this the first time there's a baby on stage
at DEF CON? So she won the SECTF. No, just kidding. She didn't. I was just kidding. It was the second year in a row that women dominated the competition.
We again have two women in the first and second place.
So good job. Keep it coming.
Our first place winner, Alethe, is standing here.
I'm going to give her a bottle of alcohol.
I'm going to give her a 10th year SE head award,
and DEF CON is going to give her a black badge.
So...
The coveted black badge.
By winning this contest, the main prize you get is a DEF CON black badge,
which is very prestigious, despite
the award ceremony being hosted by a guy named Grifter. On paper, all it does is it gives you
free access to DEF CON for life, but it carries a lot of prestige. Lots of companies out there
will hire someone who has earned a black badge from DEF CON because they know DEF CON contests
are incredibly competitive and whoever
wins it must be very good at what they do. Just an incredible honor. And as soon as we were done
on stage, then I had to like, we ran back to the hotel, got our bags out of the bellhop,
drove to the airport and then rented a car at the airport and then drove home overnight.
The ride home was something like a seven-hour drive.
Yeah, a baby in the car on an all-night drive,
trying to get back before school starts in the morning.
It was very tiring.
And in the car ride home, Alethe began wondering where her career would go from here.
She hoped someone would hire her to do this for a living.
But if that didn't happen,
she thought maybe she'll just start her own business doing this,
like a consultant.
They got home around 2 a.m. and got everyone to bed.
After that, it was like I got two hours of sleep, woke up,
got the chalkboards all made up,
and then did first day of school pictures with my kids,
and it was like back to normal life.
And I went back to work at the staffing company.
And going back to work at that staffing company was not nearly as fun as the rush of doing social
engineering engagements. So she set off searching for a new role as a social engineer somewhere.
And you know what? There are quite a few companies out there that do hire social engineers. It can be included as part of a security assessment to see if the company has any weak
points that a social engineer can expose. And sometimes social engineers go on site to do a
physical assessment to try to find a way in the building and plant some rogue hardware in the
network that someone can jump into from outside and then bounce off to get inside the network.
The human is the weak link in many organizations,
and hiring a social engineer can help you make that link stronger.
And this is what Alethe wanted to do.
I was trying to get into information security,
but I was lacking a lot of the full-scale pen testing skills at that point.
And so I was applying to jobs, and people were thinking,
you know, she's got a black badge, she knows everything.
And then they were looking at my resume and going, wait a second.
I was getting messages on LinkedIn from German CEOs asking if I was actually me because my resume didn't match this person that was in this German article about a social engineer who won the black badge.
She didn't have any luck finding a job as a social engineer, but she's Alethe. And when Alethe is determined to do something, nothing will stop her. I actually ended up deciding that I was
going to start consulting on the side and I did it with the blessing of the staffing company and my
boss there. But I started doing security awareness training and then social engineering
assessments and testing, phishing on my own as a consultant. I mean, I started a number of
businesses. My husband and I have started a number of businesses and it wasn't too far-fetched for me
to create my own consulting revenue. So that's what I started doing. I started consulting through Dragonfly Security and I built up a nice little client base here locally.
Some of these companies already have security awareness training. This is where every employee
of the company has to watch a 30-minute presentation and then take a quiz about
what security best practices there are. But some companies want to take this training a step
further and send phishing emails to all employees to see if any of them would still fall for it after they've been
trained in security awareness. I don't believe personally in setting your employees up to fail.
So I always encourage doing the security awareness training at least within, you know,
six months of doing testing. But it's really, it's an opportunity for employees
to learn from the experience and practice defending against these types of attacks.
Because it's something that if you're caught off guard, it can be extremely easy to fall for
the types of tactics that these manipulators will use and the psychology behind social engineering,
which really, really centers around the six principles of influence.
So all the stuff that scammers use
to trick you into answering their questions.
And also that used car salesmen use
to get you to buy a car.
But it's an opportunity for clients
to sometimes check a compliance box.
But more often than not,
it's really to make sure that their staff
are absorbing the security awareness training
and that they are able to defend
against these kinds of attacks
in like a real world simulation.
So she did that for a while on her own,
but really wanted to be part of a team
where she could learn from others who do this
and to be able to focus on it more.
Because as an independent contractor, you're spending half your time just trying to find clients. So she eventually found an opportunity to join a company called Critical Insight which
does provide penetration testing to clients as well as social engineering engagements and this
is where Alethe is today. One of the things she does there is try sending phishing emails to clients
to test their reactions to it. In a phishing engagement, I'm going to try to phish every
person at least twice during the campaigns that I launch against the client. And I do this because,
and not for the purposes of just collecting statistical information, like how many clicked on the link, how many opened the email.
What I'm actually focused on is how many people report that phishing email,
how quickly is the first report received,
and what types of internal communications are happening at the client
during the course of the campaign.
Like that's what I'm really looking for. That's what I want to see. I don't really put a lot of
emphasis on how many clicks there were, though I do report it. And typically I would expect between
like 10 or 20% click rate from the average organization. Maybe four or five years ago, it would have been like
a 30 to 40, 30 to 60 percent click rate. But now that people are becoming more security conscious
and more aware of social engineering, that number is going down. So when a company hires her to run
a phishing campaign on the company, here's what she'll do. What I typically do is I will set up
a landing page that is to collect credentials and I will set that landing page up to look like an internal portal that that employee is used to putting their credentials in.
And then I will, over the phone, direct them to go to my suspicious URL.
So company.us or company.org if that's something that's not registered by the company already.
And then they'll go there and, you know, it's a fail if they go there.
And then it's a fail, another fail if they enter their credentials and I'm able to capture those credentials because now I can log in as them and get to things that I should not be able to get to.
Sometimes she sends an email like this
to everyone in the company. Sometimes she's given the task to target certain individuals, like
perhaps some key people in the company. And on assignments where she has to target certain
individuals, she'll sometimes do phishing calls. This is like phishing, but it's a phone call.
Just like during the contest she practiced in, she'll call up people to try to get information
from them or get them to do something they shouldn't, and then put that in her report.
And her clients are often involved with critical infrastructure or even Department of Defense contractors.
And so that's the story of how Alethe became a person whose day job is phishing Department of Defense contractors.
It's a wild and weird journey for her to get here.
But sometimes we need to go through wild and weird journeys just to find our true calling. All of that crazy stuff really has allowed me to get better at,
able to pivot in conversations and kind of like critically solve problems very quickly.
And that's something that I think is really beneficial for social engineers.
I know a lot of social engineers encourage people to do improv.
I've never done improv, but I think that just naturally running towards uncomfortable conversations
that are organic and real is the only way to really get good at this stuff.
Like, take your mixer that you bought at Costco eight years ago
and go try to return it.
Huh.
I wonder if I'd be good at this
because I've had quite a bit of uncomfortable conversations, and I don't
have that social anxiety that comes with them anymore. Like sneaking into the Renaissance
Festival, that's no problem. I don't mind dumpster diving or asking a store if I can have things that
aren't actually for sale there, like decorations or promotional banners or something, and I have
zero worry about being kicked out of a place that I'm not supposed to be in.
Maybe this is the job for me.
A big thank you to Alethe Denis for sharing this wild adventure with us. If you're on Twitter,
you should follow her there. Her name is Alethe Denis. If you want to know more about social engineering, I've got some book recommendations for you in the show notes,
but you can also find them at darknetdiaries.com slash books.
So go check those out.
I try real hard to provide a valuable show to you
by going through the painstaking process of putting all this together
and getting you a new episode every two weeks.
Am I doing good?
Do you find this show valuable?
If so, please consider supporting it through Patreon or through Apple Podcasts. By supporting
the show, it tells me that you like it and want more of it. So thank you. This show is made by me,
the slow reader, Jack Rhysider. Sound design by the fast-traveling Andrew Merriweather. And our
associate producer, just back from his trip at a watery get-together, is Ray Redacted.
Our theme music is by the bountiful Breakmaster Cylinder.
I like to play chess against computers,
but I don't get upset when the computer beats me
because I'll always just challenge them
to a round of kickboxing afterwards,
and I always win that.
This is Darknet Diaries.