Jayson Street sounds like many smooth-talking Vegas magicians.
He told me, in an interview, that he could guess what I had for dinner last night based on a five-question trick he learned from Penn Jillette, half of the magician duo Penn and Teller. But Street is not an illusionist struggling to get on the famed Las Vegas strip. He is a social engineer at SphereNY, a New York-based technology company.
Street asked me the following questions:
Where did you meet your last significant other?
Do you consider yourself a carnivore, an omnivore or a herbivore?
There is a numerological element to the underlying theory that will help determine his guess. What is your zip code?
If you won a million dollars today, would you eat in, order take out or dine out?
The last question depends on your age. What is your birthday?
Fifth Domain thought about these questions and answered them honestly. I wanted to see if he could guess I had pizza. But Street was playing a different game.
“Three of those questions were the password email questions that lost Sarah Palin her email address,” Street said, referencing spouse, zip code and birthday. “I cannot tell you what you had for dinner, but I just socially engineered you to get your three password reset questions.”
Some of the most newsworthy hacks have come from some form of social engineering. The hack on Hillary Clinton’s campaign was conducted through phishing. The U.S. power grid has been hacked through “watering holes,” websites where individuals go to download information. One of the world’s most successful hacking groups has sent malware through fake order requests.
“It doesn’t matter how many blinky boxes you buy, if the human is still allowed to be able to say yes, intruders could bypass all your technology on it,” Street said.
Street warned that businesses and government agencies should be aware of an increase in customized attacks based on social media posts. “When you used to send a phish it was generic and easy to spot. Now with social media, I know exactly where you were last night, who you were with, and what company parties you attended … I can then mimic and masquerade as those people to send a targeted email.”
Street said there is one way agencies can fight social engineering attacks.
“There is a patch for human stupidity and that is education. Patch your humans.”
Street says that showing users how their information can be weaponized against them helps people become more aware. He said that people who fall victim to social engineering attacks should not be punished by their organizations, but educated so they learn from their mistakes.
Street also said that gamification was a successful tactic organizations can use to combat social engineering. He proposed that companies set aside $1,000 per quarter for a prize lottery that employees are entered into after spotting a phishing email. The practice can boost awareness and serve as an insurance policy against a costly hack.
Street referenced a famous Winston Churchill quote that doubled as a good strategy to defeat social engineering.
“Nothing in life is so exhilarating as to be shot at without result.”
Fifth Domain will be in Las Vegas covering BSides, Black Hat and DefCon. We’d love to meet with you. Message us on Twitter.