Jordan Harbinger, expert in interpersonal dynamics and social engineering, gives a great keynote at the DerbyCon event, highlighting the methods it takes to elicit confidential information from people with top secret level security clearance.
Thank you guys for coming to DerbyCon, aka EarlyCon, aka HangoverCon right now. And I appreciate that you’ve all spread out to make the room look fuller: that helps my self-esteem a little bit. First, thanks to everybody who helped DerbyCon happen; I really appreciate you guys having me out here; I think it’s awesome to have an audience of people that really have no choice but to listen to me for an hour.
My name is Jordan Harbinger and I am all up in your business, literally, in this case. Top secret cleared staff, government employees and contractors have certain protocols for disseminating information, rules to follow regarding Internet use and social media, and plenty of you guys in here probably have direct experience with that.
But what happens when an employee is looking to jump ship or leave the company, and then they just don’t care about those policies anymore? What happens when they don’t know that they’re doing any harm? And so I put this question to the test and I mined a bunch of confidential information from dozens of contractors and personnel from law enforcement, and military, and high-profile defense contractors by using LinkedIn and other social media, all from home and nearly all of it using my iPhone.
So, if someone told you that you won a contest and all they needed to redeem your prize was some personal information, such as your mother’s maiden name and your Social Security Number, how many of you guys would fall for that scam? A few of you are a little bit less sharp than you appear. I would hope nobody would fall for that, it’s one of the oldest scams in the book.
Now, have a look at me for the next few minutes as I use basically the same scam, with a slight variation, on thousands of military and government contractors with top secret level security clearances. And today I’m gonna show you how I did this step by step and also share some thoughts on what might be done to stop it, or at least try to prevent it in the future.
So, one day I sat down in my living room and I got bored, and when that happens stuff goes down, I’ll just leave it at that. But within one hour I had a list of 7,700 government and military contractors, politicians, personnel, and all of them with a top secret level security clearance. And I did it all with my iPhone.
So, here we go: Hollywood Boulevard, this is right outside where I live, and this happens more often than you would think: Spiderman in cuffs. You haven’t lived until you’ve seen a Teletubby getting shoved into the backseat of a squad car after an altercation with Darth Vader.
Alright, so before the guys with badges get upset, I’m just gonna let you know right off the bat that I have not elicited any classified information; confidential and classified – totally different story. And I haven’t impersonated any federal employees or elicited anything that is worthy of protection of the law as far as you guys know.
So, a little bit of background on me, I’m a social engineer by trade and by nature, and I was wiretapping when I was 13 years old, which is like: “Mom, what were you doing? Where were you?” I think any statute of limitations is probably wrong by now; if not, just kidding.
I was listening to a married couple in my neighbourhood, they were getting divorced. So, I heard the guy talking to his Mom, to his wife, soon to be ex-wife, to his friends, and so I got a really unusual insight to social dynamics and social nature, really complicated social situations early on.
And when I was in elementary school, I tried to develop a system for becoming cool and popular, and funny how that worked out, right? And that’s actually something I’m still working on; my company is called The Art of Charm. These days I run a company called The Art of Charm, based in LA, and the principal function of the said company is to teach men to be more charismatic, outgoing and meet and connect with women very strongly.
So, what would happen if I mixed the dating science with the intelligence gathering stuff? What happens when you mix the art of charm with social engineering? So, I had a hunch this would go pretty well, given that the human element of security is always the weakest. And I had no idea just how much would come so quickly.
And by the way, I like interactive stuff, I’m a teacher usually, so if you guys have questions or something is totally confusing, raise a hand and I will more than happily engage questions from the audience, we’ll have plenty of time for that as well. Honestly, it took me 10 times longer to prepare this presentation than it did to get all of the top secret level clearance people into one database in one place; at least 10 times as much. And I definitely rehearsed it way more. PowerPoint alone took me 10 times as much time as it did to get to the database.
So, one day I was sitting around headquarters at The Art of Charm; we have live residential week-long programs in LA and New York where guys will fly in from wherever they are, and they will live with my coaches and myself, and we teach them all about rapport, and attraction, and running through drills, and things like that.
And I started talking about some of the clients and what they did, and it turns out that a few guys had government security clearances and they were going through the upgrade process. And it came out that I had a government security clearance from way back in the day for some work I did in college at an embassy overseas in South America. And some of the guys in the room perked up about their project and their clearances, and their top secret level stuff.
As it turns out, when you start discussing projects and use a little bit of elicitation, you can create that feeling of trust and that rapport. And when people start feeling like they’re in similar company, they lose that inhibition to keep things secret. You think: “We’re all computer guys, we’re all hackers, we can talk about our projects and exploits. We’re in good company, people will appreciate it more. We don’t have to be quite as careful, because we’re in good company.”
And so, I realized that with trust and comfort caused by rapport and that feeling of similarity, the information flows really freely, even when one of your principal jobs is to keep things secret. And so, some of the principles of trust value and rapport and other well-established psychological principles that we use for dating at The Art of Charm, can really be used for social engineering purposes. In fact, I would argue that social engineering and dating are pretty similar in a lot of ways; just that one hopefully involves a lot of authenticity, trust and honesty, and the other one involves hijacking your passwords and credit card information. That one is dating, nailed it!
One of the funniest parts about this, and one of the most sobering parts about this was that I was actually able to reproduce these types of chatter, these types of talk with these guys from MI6 and other organizations that you guys have heard of, who knew when they were talking that what they were talking about was probably not something they should be discussing openly, especially in a public place or wherever we happen to be at the time. You just can’t help yourself: when you’re on a roll, you’re on a roll, and if you mix alcohol in there, then you’ve got a recipe for a disaster, or in my case, for a PowerPoint presentation at DerbyCon, for a keynote.