Hi there my name is Chris Hadnagy. I am the Chief Human Hacker for Social-Engineer, LLC, a company devoted to helping large organizations stay safe from malicious hackers by learning how they might bypass their security. Take this opportunity to ask me anything. I run Social-Engineer, LLC, as well as The Innocent Lives Foundation, a nonprofit using white hat hackers to unmask online child predators. With over a decade of experience in being a human hacker I want to talk to you about influence, rapport, nonverbals and using these skills to breach some of the world’s toughest security. My twitter is: @humanhacker, my youtube is : SocialEngineerOrg and you can find out more at www.social-engineer.com andwww.humanhackingconference.com

Proof: https://i.redd.it/dkqojxfy0w651.jpg

Thank you, Reddit! I hope you enjoyed this AMA as much as I did. If you have more questions, please direct message us at @SocialEngineerLLC on Instagram, @humanhacker on Twitter. Thank you!!

Comments: 66 • Responses: 24  • Date: 

R0u53_9 karma

What are the best ways that parents can protect their children from predators and still allow them to use social media?

WileyProfessional7 karma

ohhhh u/R0u53_ this is a wonderful question.

There are a few steps.

  1. First and foremost - talk to your kids. Explain to them in age appropriate conversation, the dangers out there and help them to see how you want to help them
  2. Ensure them they will have freedom and privacy, as they need that.
  3. Then monitor them openly. A parent would never give their child the keys to a car and say "teach yourself to drive" so you can't hand them a phone and say "Stay safe online". Get involved, stay involved and you may keep them safe.

There are a lot of apps you can use to monitor your kids and help them stay safe.

IZiOstra7 karma

Hello and thank you. What are the most common tactics used by social hackers to reach their goal ?

WileyProfessional7 karma

u/IZiOstra nice question! Phishing the biggest risk right now, then vishing (voice phishing). They are using social media to get details on you and breach data, then using those details to attack. It is a scary world out there right now.

Chris

IZiOstra6 karma

With the current Covid crisis, have you seen an increase of malicious attacks such as the two you cited ?

WileyProfessional4 karma

u/IZiOstra another great one. So COVID has opened the attacker surface to astronomical proportions. Think of this- when tsunami's hit Japan, or the earthquake in Haiti, etc, attackers used those event to try and hack localized targets. Japanese people or those who have family.

COVID is effecting the world. So here in USA we are seeing unemployment scams, work from home scams, see who has covid scams and across the globe government assistance scams are growing in number.

Covid has made it easier for people to fall victim to these attacks.

Chris

IZiOstra2 karma

Yeah that was my understanding. With company’s leadership teams being home and feeling safe in there I guess it has been easier for attackers to bypass VIPs assistants and get sensitive information. Thank you for your time. Cheers.

WileyProfessional1 karma

100% true. Sad but true.

Cheers!!

Chris

mbt206 karma

Are you one of those guys in the UK that catches paedophiles trying to meet children online? Those videos are great.

WileyProfessional17 karma

Hi there u/mbt20 - I am in the USA and we do catch pedophiles but we follow strict rules in doing so. We do not make believe we are a 13 year old child to entrap them - we try and locate them using open source resources and find out who they are. If we interact it is with those who have already committed a crime not trying to entice them to commit a crime.

Either way our goal is to stop them from hurting children and spreading child abuse material.

Chris

Security_Chief_Odo5 karma

Hi Chris,

In the era of social media, do you find it easier to conduct social engineering than in the past? What are some of your favorite methods to gain a persons trust for human hacking?

WileyProfessional3 karma

This is an interesting question u/Security_Chief_Odo

In some cases it is easier and in others it is not. For instance, thanks to the media there is more chatter about phishing, vishing, SMiShing and impersonation. So people know more about these attacks which makes it harder.

but on the other side of that coin is that people are working more hours and more jobs than ever before. That busy lifestyle, mixed with the disconnection of our society thanks to social media makes people less aware of nonverbals, less aware of their surroundings and less aware of potential danger - and that all makes it easier.

So the answer really is yes and no - it just depends on the type of attack and the skill of the attacker.

Chris

Levitannin4 karma

Do you use any machine learning / artificial intelligence tools to help you with SE engagements or discovering predators? Or, forbid it, people who put pineapple on pizza?

WileyProfessional6 karma

u/Levitannin we have created technology to hunt pineapple pizza eaters. It is pretty bad to be honest.

Kidding.

We do not use machine learning or AI for predator hunting. Mainly because of what we are doing - we find people who have already committed crimes against children and then we unmask them when they try to hide online and that is all manual work.

We do use some tools in the SE side, but mostly it is a very human centric work.

Chris

Chtorrr4 karma

What would you most like to tell us that no one ever asks about?

WileyProfessional-1 karma

Ha u/Chtorrr what do you want to know?

Digbyte4 karma

In your opinion, does the cybersecurity industry as a whole do enough to adequately handle social engineering threats to security? If not, then what kind of changes should be considered to better protect people?

WileyProfessional4 karma

u/Digbyte WOW such an amazing question at the very end.

No we do not. So there are a few problems. One is that SE is easy to get into but hard to master. Since there is no defacto way of authenticating someone is qualified we have a lot of different methodologies that are being used.

The focus in SE is on the SE not on the client and education. It seems lot of people are in this because it is fun and cool not about educating the end user.

In addition, very few SE's take the time to educate themselves on psychology and other aspects of human behavior that can help them to be better at their job.

There is a lot more we need to do and must do in order to help. This is a great topic.

eveningsand3 karma

Assuming your line of work puts you face to face with some of the worst images humanity can generate, how do you compartmentalize some of what you may encounter (child pornography) from your day to day life?

WileyProfessional5 karma

u/eveningsand this is such a profound question - thank you for this.

So there are a few things we do collectively, then i can tell you what I do.

As an org the first person we "hired" was a therapist to manage wellness for all volunteers. Then we mandate that every volunteer must see her at least 1x per month. More if needed. This ensures everyone is staying mentally safe.

Now that is all well and good but it doesn't mean you don't get affected. So we created a tool that blurs all images and videos so the researcher does not have to deal with the images. With that said, reading what these people say about children is often times worse. So for me I do a few things:

  1. I make sure i spend tons of time with my family
  2. I remind myself of the mission importance and how we are helping save kids
  3. I ensure i spend time away from the work so that is not all i think about

Even with all of this there is no way to fully stop these things from being in your brain.

It is not something everyone can do so it takes a strong person to know you cannot handle it. Thank you for asking this question.

Chris

Levitannin2 karma

Do you do any online SE engagements -- not vishing or phishing but interacting with targets in forums/chatrooms or on social media in order to gather information about malicious activity or to infiltrate a malicious community?

WileyProfessional0 karma

u/Levitannin YES! We have done a number of chat SE engagements as well as tech support lines online. We do a ton of social media OSINT and interaction too.

When it comes to predator hunting - yes all of it is online forums and chats to infiltrate those communities. That is basically the way the work is done.

Chris

mpcampbell2 karma

What’s the stupidest way you’ve seen a social engineer blow an assignment, maybe an early lesson from one of your own failures?

WileyProfessional9 karma

u/mpcampbell i have so many failures its not even funny. HA. Ok so let me think of one in particular.

Well there was this one time i was going to try and get info from a target but I approached him too aggressively and i startled him badly. He literally fell back in his seat and the chair tipped over. Out of fear he was hurt i ran around to lift his chair and ended up putting too much force and flung him face first into the floor and another seat.

He thought i was beating him up and started yelling and a bunch of people ran to his aid. regardless I failed really bad on that one.

I let excitement and nerves get the best of me.

LOL

Chris

WileyProfessional2 karma

Thank you, Reddit! I hope you enjoyed this AMA as much as I did. If you have more questions, please direct message us at u/SocialEngineerLLC on Instagram, u/humanhacker on Twitter. Thank you!!

Time is up! Thanks!

tezzysupreme1 karma

What are you thinking about the future of social engineering? Do you think, it becomes easier or harder in times of digitization? And are there some „101“ for learning SE? Thanks for the answer ahead!

WileyProfessional1 karma

I think attacking is much easier now, protection is harder. We have lost good communications and live in a world that is online.

jrmscooter1 karma

Glenfarclas for the win and of course pineapple on pizza is the best :D.

Now that I have your attention, have you ever been hacked or fall victim to a social engineering attack?

WileyProfessional3 karma

u/jrmscooter you are 50% right. Glenfarclas is by far the best Scotch on the green planet. It is like the tears of an angel have been bottled for consumption.

Pineapple should never be put on pizza its true. Ask any Italian.

Now for your question. YES. I fell for a phishing email, that really got me. oof, it was bad. An Amazon order phish. Mainly because i am an amazon junkie, it got me hook line and sinker.

So embarrassing but it happens. being a hacker doesn't mean i am hacker proof - i am still human.

Levitannin1 karma

Do you prefer pizza with pineapple on top OR circular slices of pineapple topped like pizza?

WileyProfessional0 karma

Pineapple does not belong on pizza. Pineapple is a great fruit but it doesn't belong anywhere near a pizza, it is a cardinal sin. I do not endorse the ruining of innocent and good pizza with such a thing.

MadSecuritySquirrel4 karma

Pineapple is the perfect fruit and compliments pizza perfectly. It is the sweet to the savory of the rest of the pie. This is not debatable and, I have even had pineapple pizza, right off the menu, in the heart of NYC's Times Square, therefore your arguments are invalid.

The innocence of pizza on the other hand can be debated

WileyProfessional1 karma

Just because some fake fans in NYC put pineapple on pizza to appease some poor people who don't know better is not a valid argument. That is like saying, "well they sell boxed pizza at walmart in NYC so it must be good"

No sorry sir, you have failed.

Love ya

Chris

Levitannin1 karma

Is any pizza innocent? Pizza shows up in a lot backgrounds where dangerous things could be going on! Then again, pineapple pizza should be considered innocent until proven guilty, as with all pizza outside of gross chains which are guilty by proxy.

WileyProfessional2 karma

Pizza is innocent but its innocence was ruined by adding pineapple to it. Like adding 7up to wine, or coke to whiskey... why... why i ask? Cause you hate life? Cause you value nothing? Cause you don't have tastebuds?

No, Pineapple on pizza was started by a Greek man in Canada, not an italian. It is an insult.

Levitannin1 karma

One should not speak ill of the dead whom brought delicious joy to many people across the pizza-eating community sir.

Starting to sound like you might be afraid to get out of your comfort zone and try something new! Shouldn't SEs constantly try to understand and get into the mindset of a client/target? What if a cover for an engagement needed to like pineapple pizza to get the intel? Are you going to refuse a job for this?

WileyProfessional3 karma

I have refused jobs for things that break my morals - so yes. And I have tried pineapple on pizza to solidfy my seething hatred for it.

BUT... oh my god you will enjoy this... on July 25th we are doing a charity twitch stream for ILF and if we raise 25K I will MAKE and EAT my own pineapple pizza on camera. SIGH

bspence73371 karma

Are you one of those social engineers who enjoys pineapple on pizza?

WileyProfessional1 karma

I am not. Most intelligent people on earth, like all of Italy, does not prefer to ruin the perfect food of pizza with something like pineapple

Grundlage1 karma

Who is better at their job, your or the Chief Robot Hacker?

WileyProfessional2 karma

I have never went up against a Chief Robot Hacker so i cannot answer that honestly. If we are competing against humans I think i would win, if we are competing about coding, i am sure he would win.

Chris

R0u53_1 karma

How do you become a social engineer? Is there training you can recommend?

WileyProfessional4 karma

u/R0u53_ a self serving answer but yes there is training we offer at www.social-engineer.com. There are really no other practical courses that cover how to become a social engineer while keeping with the motto of "leave them feeling better". So other courses focus too much on tools, which is a fraction of what being an SE is, or on the malicious side, which is not what we are to be.

TheD1v1s1on51 karma

Interesting, can you tell from my current Reddit account, as well as several other accounts if possible found, and use your hack skill to tell what I really am or what crimes I've committed?

WileyProfessional2 karma

u/TheD1v1s1on5 well it is not that easy. Could we? Maybe in time. I can't say for sure. This type of work is not easy or quick it is time consuming. So could we locate your whole life? Maybe. But that would depend on a number of things.

WileyProfessional1 karma

5 more minutes folks - ask me anything