We have all had the experience of being taken advantage of at some point in our life. Con artists are often very friendly and charming. Jason Hartman is joined by author, Chris Hadnagy to discuss social engineering and framing, and how it relates to personal, business and national security issues. The discussion centers on Chris’ book, Social Engineering: The Art of Human Hacking. Chris defines social engineering as “any act that influences a person to take an action that may or may not be in their best interest.” He talks about the most important aspects of human hacking, such as influence – establishing rapport and asking for someone’s help. Other aspects include reciprocity, concessions and social proof. Chris also explains the process of framing. Our framing is our foundation, our beliefs and morals, and social engineers work to understand a person’s framing, looking for common ground. To learn more about these types of social engineering, the positive and negative sides of them, visit www.HolisticSurvival.com.
Chris Hadnagy, aka loganWHD, has been involved with computers and technology for over 14 years. Presently his focus is on the “human” aspect of technology such as social engineering and physical security. Chris has spent time in providing training in many topics around the globe and also has had many articles published in local, national and international magazines and journals.
Chris is a student of Paul Ekman’s training classes on microexpressions and has spent time learning and educating others on the value of nonverbal communication. He has combined what he learned with years of experience in new research he calls nonverbal human hacking, used to influence other people’s emotions.
He is also the lead developer of Social-Engineer.Org, as well as the author of the best-selling book, Social Engineering: The Art of Human Hacking. He has launched a line of professional social engineering training and penetration testing services at www.Social-Engineer.Com. His goal is to help companies remain secure by educating them on the methods the “bad guys” use. By analyzing, studying, dissecting, then performing the very same attacks used by malicious hackers in some of the most recent incidents (e.g. Sony, HBGary, Lockheed Martin), Chris is able to help companies stay educated and secure.
Chris runs one of the web’s most popular security podcasts, the Social-Engineer.Org Podcast, which spends time each month analyzing someone who has to use influence and persuasion in their daily life. By dissecting what they do, we can learn how to enhance our own abilities. That same analysis carries over to the equally popular SEORG Newsletter. After two years, both of these have become a staple in most serious security practices and are used by Fortune 500 companies around the world to educate their staff. Chris can be found online at www.social-engineer.org, www.social-engineer.com and on Twitter as @humanhacker.
Narrator: Welcome to the Holistic Survival Show with Jason Hartman. The economic storm brewing around the world is set to spill into all aspects of our lives. Are you prepared? Where are you going to turn for the critical life skills necessary for you to survive and prosper? The Holistic Survival Show is your family’s insurance for a better life. Jason will teach you to think independently, to understand threats and how to create the ultimate action plan. Sudden change or worst case scenario, you’ll be ready. Welcome to Holistic Survival, your key resource for protecting the people, places and profits you care about in uncertain times. Ladies and gentlemen, your host, Jason Hartman.
Jason Hartman: Welcome to the Holistic Survival Show. This is your host Jason Hartman, where we talk about protecting the people, places and profits you care about in these uncertain times. We have a great interview for you today. And we will be back with that in less than 60 seconds on the Holistic Survival Show. And by the way, be sure to visit our website at HolisticSurvival.com. You can subscribe to our blog, which is totally free, has loads of great information, and there’s just a lot of good content for you on the site, so make sure you take advantage of that at HolisticSurvival.com. We’ll be right back.
Narrator: Here’s your chance to catch up on all of those Creating Wealth shows you’ve missed. There’s a 3 book set with shows 1-60, all digital download. You save $94 by buying this 3 book set. Go ahead and get these advanced strategies for wealth creation. For more details go to Jasonhartman.com.
Start of Interview with Chris Hadnagy
Jason Hartman: Hey, it’s my pleasure to welcome a very interesting guest and a very interesting topic: Chris Hadnagy. He is the author of Social Engineering: The Art of Human Hacking. And if you are not sure what those things mean, we are going to find out. Because this is a lot of ground we’re going to cover here in terms of what is social engineering, what is framing, what is personal hacking, how does it relate to national security issues, and business security issues and personal security issues. So a lot to cover here. Chris, welcome. How are you today?
Chris Hadnagy: I’m doing great. Thanks for having me on the show Jason.
Jason Hartman: My pleasure. Where are you located by the way?
Chris Hadnagy: Actually in the Northeast USA, in Pennsylvania near New York.
Jason Hartman: Good stuff. Well what is social engineering?
Chris Hadnagy: I’d define social engineering as any act that influences a person to take an action that may or may not be in their best interest. It’s a very broad definition, but that’s because I don’t always think social engineering is a negative. Sometimes it’s a positive.
Jason Hartman: And so, human hacking though…is that a part of social engineering?
Chris Hadnagy: That kind of focuses on the negative parts of social engineering. So, the human hacking aspect takes all the principles, the psychological and physical principles of social engineering like persuasion, influence, manipulation, rapport building, and it focuses on how those skills are used to make someone do something definitely not in their best interest.
Jason Hartman: And so, what you do as a business is quite interesting. You’re like sort of a different version of a private investigator almost. You basically, you are hired by companies to hack their people and hack their systems? Is that correct?
Chris Hadnagy: Yes. Companies will hire me and my company to test their employees’ susceptibility to common scams, like phishing or phone elicitation or even on-site attacks. And we’ll test their people network by actually sending phishing emails or making phone calls to them or visiting their people on site and seeing what information we can gather and how far we can take an attack, then reporting that back to the company so that we can fix those holes before the real attackers come in.
Jason Hartman: So, what you’re doing then basically, is a company will hire you and you might call their employees up and ask them questions and see what you can learn, right?
Chris Hadnagy: Yes. Exactly.
Jason Hartman: Very interesting. Well, talk to us a little bit about influence if you would. You’ve got chapters in your book about NLP or Neuro-Linguistic Programming, and persuasion, influence, manipulation…let’s kind of dive into that subject and drill down a little bit if we could.
Chris Hadnagy: Sure. I think influence is a very important topic. Not just in what I do, but in everyday life. Things like, I always start off with building rapport. Building rapport is just an essential piece of communication between people. If you and I had absolutely no rapport, this conversation would be horrible for your listeners. So we have to have a rapport just to be able to converse. And social engineers know that and they’re masters of setting up a nice rapport establishment between them and their targets, either through charm, through a smile, through the way that they ask questions, even through fake accents or other things like that. But they are very good at building a common ground and quickly developing a friendship between them and their target. And that of course makes the rest of influence, which is asking for their help – trying to get information from them, trying to elicit little pieces here and there that with the normal person, a red flag wouldn’t go up when that kind of question is asked.
Jason Hartman: You know, it’s interesting because I’m sure everybody listening has been taken advantage of at one time or another in their life. And I remember the times I have, I’ll talk to a mutual friend about the person who did the wrong, or at least in my eyes did wrong, and they’ll say something like, he or she is so nice. I really like them. Well, duh. Of course! Every con artist is nice. That’s the tools of the trade is to be nice and likable. Otherwise you can’t pull off your con, right?
Chris Hadnagy: Right. They use very simple principles. You think about Robert Cialdini. He wrote the book about persuasion, and influence. The man’s a genius. You think about the principles he talks about like reciprocation. Very simple. Just a simple example: if you’re walking into a building, and someone holds a door for you and there’s double doors. Generally what do we do at the next door? We hold it for them. It’s just a simple psychological principle. Something as simple as that. If somebody gives us something, we have this feeling of indebtedness to give them something back. Whether it’s a compliment, whether it’s a physical gift, whether it’s information. Social engineers are con artists and they use that. They maybe give a compliment or they give a little information out with the expectation that that feeling of reciprocation will then cause the person to do the same in return. And that is used very heavily in social engineering. Because that psychological principle is just something we can’t get away from. They give something away, they create those feelings, then they make their request of the target. And usually, that request is then given. That’s just one out of the many principles of influence that are used heavily in this type of work.
Jason Hartman: Reciprocity, right? That’s the one you were referring to?
Chris Hadnagy: Yes. Exactly.
Jason Hartman: Give us a couple more of those if you would.
Chris Hadnagy: Sure, I think another one that’s probably used heavily is concession. Concession is generally thought about as a principle of influence when it comes to sales. You have this offer and you can cede something, you give a discount. But in social engineering, the act of yielding is actually something that is very important. People today aren’t yielding. They tend to be a little less humble, a little more arrogant, so anyone who is yielding is an attractive personality to another person.
So someone who can concede, who can actually kind of come into the target looking a little more humble, looking a little more conceding to them, that is something very attractive to the target. And then when they make their request, the request is more easily granted because of those type of feelings. We see this actually in phone scams a lot. They’ll do things…this is not even a scam, let’s just say in legitimate purpose and then you can see how it could be used in a scam.
You’ll get a call from a company who’s trying to solicit funds and they’ll start out with something high. “Most people are donating at least $200 to our cause today. Can you do $200?” “Oh man, I can’t do $200 man, the economy is just killing me right now.” “Oh okay, well you know what? We have some who are willing to donate just $20.” Now 20 sounds so much less than 200. But if they started out with 20, and you rejected that, there’s not much more place to go. 5? And that’s really low. But by starting out with 200, such a high number, when they concede to something lower, then it becomes easier to grant that request.
Information is the same way. The social engineer asks for something that maybe is too high to give, the next time they come back they’ll concede with something lower. And that probably was their true target, was to get that information anyway. But it seems less important because you started out with something so high.
Another big one is social proof. This is probably the one that’s used very heavily. Social proof, probably the funniest examples of those, you might think of the old Candid Camera, where they had people in an elevator and the people who were part of the show would turn a certain way in the elevator that made no sense, like facing the back wall. And total unknown targets would come into the elevator, see everyone standing the wrong way…
Jason Hartman: They’d face the other way?
Chris Hadnagy: A matter of seconds and they would be facing the other way. And that’s social proof. Because psychologically we want to fit in with others. We want to seem like we’re part of the tribe, like we’re part of the crowd. So a social engineer knows that and they will portray things as, and we probably all have been approached by people selling things door to door. In our area, I don’t know if this is in other areas where your listeners are, but in our area we actually have people who sell meat from door to door. They have these big freezers on the back of their truck, and their approach is always something to the sense of, I’m almost sold out because all your neighbors bought everything in my freezer. I only have a couple packs left and I thought, hey I saw you in the yard. Let me stop and offer it to you before I leave. Now that kind of social proof is used because they’re letting me know that all my neighbors, everyone else around me trusts this guy and was willing to give him money.
Jason Hartman: Yeah, better follow the herd. Yeah.
Chris Hadnagy: And most people will fall for something like that. I want to be just like that. Social engineers use that type of social proof even sometimes on a very personal level. Calling and letting you know that it’s okay because, well I was just talking to Melissa yesterday. And Melissa gave me some information. I’m just calling back to see if I could get a little more. Maybe you could help me out with this next question. And by using something as simple as that, in someone’s mind the red flags are put down. Their guards are down because Melissa did so it must be okay.
Jason Hartman: So what is framing then?
Chris Hadnagy: Framing is a very interesting concept. If you think about frame, just in the sense of a building. The frame of a house is its structure. It’s what holds the rest of it together. That’s very similar to us as people. Our frame is our structure. It’s what makes up our beliefs, our understandings. It’s what makes up where our thoughts and processes come from and go. And that’s a very important topic for social engineers to understand because you need to be able to quickly decipher someone’s frame to determine if you’re in line with it or if you need to change it.
So someone’s frame could be, let’s say their beliefs. Either politically, religiously, morally; it could be just their beliefs because of their job, their frame of mind. We use that a lot. Their frame of mind and what they’re doing with their job. Whether they’re doing their job mindlessly or whether they’re doing it with a lot of intent and concentration. You need to understand that about a person before you approach.
Jason Hartman: So that’s just basically relating to the person then, right? Understanding their frame of reference. Is that what you’re saying?
Chris Hadnagy: Yes, very true. And it’s hard to do a lot of times because we come into a situation with our own frame of mind. And our own frame of mind sometimes blocks the view of someone else’s frame. And that can make it really difficult. But social engineers and scam artists, they’ve been able to master that and been able to come into a situation with a clear frame. And looking at it from someone else’s frame of mind. Being able to align the two frames is a very difficult thing at times but again, social engineers have mastered that art in finding a common ground; a bridge between your frame and my frame. And being able to say, here’s where we meet in the middle.
Jason Hartman: They’re basically exploiting the concept of people like people who are like them, right?
Chris Hadnagy: I love that statement because it is so true. It is. And you could even take that a step further with framing: People like people who actually like them. So con artists and social engineers take that even the one step, not even making themselves like the person like birds of a feather, but then they come in with that natural rapport and charming, and when you feel liked, when you feel accepted, boy that goes a long way in creating that bridge between two frames.
Jason Hartman: Yeah. What are some of the physical tools? We talked about some of the intangible tools, personality traits, gift of gab type stuff. But are there actual physical tools that these hackers use?
Chris Hadnagy: There are. From simple things, like on a pretext, maybe an outfit could be a physical tool. To tell you the truth, something as amazingly simple as a clipboard becomes an amazing tool for a social engineer. You wouldn’t believe the authority that a clipboard gives a person. So it could be an outfit, a clipboard, a hard hat, things like that. Or it could be even more serious tools like lock picks, software tools, things that help with information gathering. Other tools like that are used by social engineers.
Jason Hartman: Right. But I mean, when you get into lock picks, that’s completely illegal. These people don’t have any qualms about breaking laws, right?
Chris Hadnagy: No. If they did they wouldn’t be in the business they’re in. And to tell you the truth, lock picks are only illegal in certain states right now.
Jason Hartman: Oh I didn’t mean it’s illegal to own one. I meant it’s illegal to pick someone’s lock and break into their house or something, right? That’s what I meant.
Chris Hadnagy: Some of the recent scams that have occurred, especially using some of the horrible things like the tsunami in Japan, 9/11, these types of things; hackers and social engineers and scam artists will use those events to pilfer money and information from people. So they already have no qualms about pulling on the heartstrings and using some of the worst scenarios on earth to steal from people. Picking a lock is probably small on the scale of what their conscience allows.
Jason Hartman: Wow. That’s just amazing what they do. So give us maybe some case studies. In your book, you talk about hacking the DMV, the Department of Motor Vehicles, the Social Security Administration. How some CEOs are just overconfident and I guess they’re easy prey when they’re overconfident.
Chris Hadnagy: What’s interesting about that account with the CEO and pen testing, a lot of times with social engineering people will automatically assume I won’t fall for that; I’ll never fall for that. Someone could ask me questions all day long and I’m relatively secure.
Jason Hartman: Pen testing?
Chris Hadnagy: Penetration testing.
Jason Hartman: Oh penetration testing. Okay.
Chris Hadnagy: Sorry, pen testing for short. I’m glad you asked. But a penetration test is just testing the ability of an outside person to penetrate your inside network. So in this sense, social engineering penetration testing is testing the people network.
Jason Hartman: So the CEO isn’t stupid. The CEO got where they go because they’re smart, right? And they think they’re smart. So what kind of thing do they fall victim to then?
Chris Hadnagy: Well a lot of times, and this is exactly the way we have to work and it’s kind of a sad story this one in the big. It’s not something I’m proud of, but it is the way social engineers, malicious social engineers will work. So this particular CEO had a liking for cancer drugs because someone in his family had battled with cancer. So every year he worked with a local bank on putting on a cancer drive and they left some of their documentation about it on their server in the open. So it wasn’t something that had to be hacked. Something you could find on Google.
If you went to their URL, you searched their server, you saw some PDFs, you downloaded them, you saw that they had put a few thousand dollars into a cancer drive every year, they helped the local bank put on this drive. So we knew that that’s where their emotional heart strings were attached, was on this cancer drive. So we were able to utilize that by basically calling, pretending we were from the bank, saying that we were interested in helping them set up this cancer drive for this coming year, and I had a PDF that I wanted him to take, download and open up on his computer. But in order to do that, I needed to know the version of his PDF reader.
That way I can make sure that it works because I have brand new software, and if he has an older version it might not work.
He was more than willing to give me that information and of course, like most people who haven’t updated recently, he was using an old, outdated and vulnerable version of his Adobe PDF reader software. We were able to encode a PDF with malicious software, which means that we can take what looks like a legitimate PDF and in the background put something like a virus, or a Trojan, something that would infiltrate his computer and give us access to his computer remotely.
I sent him that PDF through his email, he opened it and we gained access to his network through that type of attack. All because of using something that was close to his emotions, asking him questions that he was willing to answer, and then utilizing that information in an attack against his company.
Jason Hartman: Wow, that’s just amazing. So PDF files can definitely carry malicious malware then?
Chris Hadnagy: They can. Especially, and I hate to bash a company, it’s not necessarily against Adobe, but especially Adobe because they’re heavy on JavaScript. The PDFs themselves are evil in a sense, but Java has a plethora of vulnerabilities. So a program that relies heavily on that needs to be updated, monitored, and people need to think more critically when accepting files. That causes those vulnerabilities.
Jason Hartman: Sure. One thing that Apple likes to brag about is that their computers just don’t get viruses. Can you do this? Can you hack a Mac as easily as you can a PC?
Chris Hadnagy: It’s actually funny that you bring that up because I just wrote an article about this. For years, Apple on their website had a banner as one of their sales pitches, as the reason to buy a Mac was it is not susceptible to PC viruses. Now that statement in itself is true. A Mac is not susceptible to PC viruses. So in essence, it was kind of a neat marketing ploy. Because you could say that a hundred percent, not susceptible to PC viruses. Yes, that is true. But there are enough Mac related viruses and Mac hacking attacks out there that Mac people should still be aware of those and they should still realize that those attacks are realistic. Now are they as prevalent as Windows based attacks? No. And that’s merely because 90% of the computers in the world are Windows based. So if an attacker is going to go after something, they’re going to go after low hanging fruit and where there’s more availability for them.
Jason Hartman: Yeah, a hacker just like any “business” person wants a big market. And so the PCs have the bigger market. But what should the Mac people do? What should the PC people do? I’ve never understood the world of the anti-virus software. How can they possibly know about every piece of malware out there and update? Especially the Mac people. Because I think they’re kind of like the overconfident CEO. What should they do? Every PC person with half a brain runs an anti-virus system like Norton or something. But Mac people, I don’t find that they usually do that.
Chris Hadnagy: This is a very bold statement and I might get flack for this, but anti-virus software is an administrative tool, it’s not a security tool.
Jason Hartman: Interesting. What do you mean by that?
Chris Hadnagy: It’s because of what you just said. The virus that comes out today is not going to be updated in my anti-virus until tomorrow or next week. So if I’m the unlucky recipient of the virus that is brand new, I cannot be protected from it, from an anti-virus software package. So do they help, let’s say the majority of users get protected from the everyday Trojan ware virus? Sure they do, as long as you’re using a good one and as long as you’re using one that’s updated.
Now, a more important aspect of keeping yourself free from viruses is critical thinking, in my opinion. What we see a lot of times with our clients with those who are infected, are because they downloaded files without thinking. They opened things without thinking, they clicked on links without thinking. They download every screen saver and tool bar and they let it install.
There’s a brand new thing out there called ransomware. This is scary as heck. So you download a program that looks legitimate. It comes from a legitimate looking website. You know those really long contracts that you just click yes, yes, yes, yes on? Well on the bottom of one of these contracts it basically states, in ransomware, that we’re going to install this program on your computer. We’re going to then stop your computer from accessing anything but our website and if you want us to remove this software, this free piece of software that you allowed us to install, you’re going to pay us 19, 20, 30, 50, whatever dollars. And you click yes on it because nobody reads the 19 pages of small print. So you click yes, now your computer’s locked up. There’s a problem. There are banners that pop up and say you want it removed? Click here. You get fooled into going to their website, and now of course there are manual ways to do it, but most people don’t know that. So they end up paying them the money.
And it’s all legal, because on the legal contract you clicked yes, I agree to these terms and conditions. So, I’m allowing you to install this and I’m going to then pay you to remove it later on. And when you try to sue them or complain, they’re going to say hey, you clicked the legal contract. So I’m sorry that you feel bad about this, but you shouldn’t have clicked yes. Again, could be stopped by critical thinking and not just downloading programs and installing them by clicking the yes 300 times and then allowing people to take over your computer.
Jason Hartman: I hate to say it, but there ought to be a law! I’m the last one that wants more government regulation but some of this stuff is so highly technical that people just don’t have time to deal with it. It’s just amazing. Okay, well what other hacks or things do you want to talk about? I guess just take it where you want. There’s so much here. This is such a big area.
Chris Hadnagy: I think social engineering to me is something that is not discussed enough, so I kind of give you some high praise for being a non-security related program that is actually willing to talk about this. If some of your listeners have heard about the group Anonymous…
Jason Hartman: Sure have, yeah.
Chris Hadnagy: So these groups, these hacktivist groups, have been attacking companies let’s say for the last 18-24 months. And one of their members who recently left was interviewed by a major news outlet and it was a female member. And she said social engineering was used in every attack that Anonymous launched. And you start to analyze, because what happens when these attacks are released on the news, you hear about the server that was hacked, you hear about the website that had an injection on it. But you never hear about the social engineering. And you wonder why. And that’s because it’s not sexy, it’s not elite, let’s say. The server wasn’t compromised.
So you look at a case like a company, WHMCS, I think it is. They make web based software that helps invoice and bill clients. Their hack was very simple. A hacktivist group called UGnazi basically went to the database administrator’s social media pages, they built a profile on him, they were able to develop details that probably would be the answers to some of his security questions. They then called the database administrator hotline and said I forgot my password, can you please reset it? They said sure, no problem; what is the answer to security question number 1? They had the answer because they built the profile off his social media page, the password was reset, they downloaded 1.7 gigs of credit card numbers and then they erased the guy’s servers.
Jason Hartman: Unbelievable. Scary stuff, wow.
Chris Hadnagy: The details of them are not focused on enough, because great, 1.7 gigs of credit card numbers. That’s probably hundreds of thousands or millions of credit card numbers.
Jason Hartman: Sure it is, yeah.
Chris Hadnagy: But at the same time, it was done through a simple phone call and social media information leakage. So I think programs like this are great because they focus on what people aren’t hearing. And that’s that the amount of information we release on the web is a danger for us. We put everything in our life out there and it can be used by malicious people to basically gain information on us and infiltrate our databases, our networks, or our personal lives.
Jason Hartman: Yeah, well I always found it amazing. You look at something just like Facebook, okay? And a common security question is “what’s your mother’s maiden name?” “What’s her birthday?” “What high school did you go to?” And people will put their complete school history, from kindergarten on, they’ll put their date of birth, they’ll show who their family is. Because you can use them as a special friend category, your family, right? And you’ll have the mother’s maiden name…it’s shocking that we’re still using these things as security questions. You can call, everybody does business with at least a few major banks. So you could call up and impersonate the person pretty easily. It is scary as heck. Now, granted some of these security questions are getting a little bit better, like “what’s your favorite color?”, “Who was your first crush?” or “where did you live when you were 5?” but even that stuff can be figured out. It’s voluntarily posted right on Facebook half the time.
Chris Hadnagy: Last year there was a string of celebrities who had their email accounts hacked and then there were pictures of their breasts or nudity spread all over the internet. That was done through exactly what you just said. They basically just went to the celebrities’ social media pages, built a profile on them, went to their Gmail, Yahoo, Hotmail, whatever account, said oh I forgot my password, please remind me of my password. And they just answered the three security questions, which were all goofy things like “Where’d you go to high school?”, “What’s the name of your dog?”, “What’s your mother’s maiden name?” and all of these things were on their social media pages. And answered those questions, got an email sent to them with their password reset link, reset their password, went through their sent mail, found these pictures that they posted and then basically stole them and put them all over the internet.
Jason Hartman: Which email accounts are most susceptible to hacking? I remember someone hacked Sarah Palin’s Gmail account, I remember that a few years ago. Heard it on the news. Is there one that’s better than the other, by any chance?
Chris Hadnagy: It’s not necessarily that there’s one better than the other. It’s the security of the password. So people will choose very weak passwords. When Sony was hacked by Anonymous, and they released 200 million account numbers all over the web, the passwords that were released were analyzed by a few security researchers and they found that the most commonly used passwords were between 6 and 8 characters. A 6 to 8 character password can be cracked by a rainbow table in under 10 seconds.
Jason Hartman: What’s a rainbow table?
Chris Hadnagy: A rainbow table is a database of precomputed hashes. So a hash is like a digital fingerprint for a password, and normally what you have to do when you want to crack a password is use a big powerful computer to calculate what the hash is for each candidate and then compare it to the hash that you have and see if it matches and say yes, I got it. But some of these guys figured out, hey we can precompute all of those hashes. And then all we’re doing is a basic lookup in the database. You’re able to crack passwords at lightning speed now. 6 to 8 characters, within seconds those are cracked.
Jason Hartman: So, how long should someone’s password be?
Chris Hadnagy: Well, that’s a really good question. They’re saying that anything under 14 characters is weak. Anything under 14.
Jason Hartman: Wow. 14 characters or more. And how often should someone change their passwords?
Chris Hadnagy: Well this is another big thing that was found in that information from Sony. A, people reuse their passwords everywhere. So let’s say your password is super secure. Let’s say you have a 20 character password that has numbers, characters, upper and lower case, it’s got everything. But you use the same password everywhere. Now your password is secure, but let’s say their databases aren’t and that website gets hacked. The first thing that these hackers do is they take your email address, they find every social media account, banking, whatever, and they go and they test that password against all your other accounts. Because 78 plus percent, in the Sony case it was over 80%, I think 90%, reused their password on other sites. So, password reuse is another big issue.
Jason Hartman: I’ve always thought password reuse is a huge mistake. But what should someone do? How should they remember all of these passwords? Easily anybody who’s an internet oriented person living in the modern world, especially if you’re in business, you’re dealing with a couple hundred different websites. What do you do?
Chris Hadnagy: There are some very good, secure password managers out there that are both for Mac and Windows. Another great idea is there’s a freeware program called TrueCrypt. And TrueCrypt creates containers, so like little partitions on your drive, little spaces for you to hold files, and the encryption on TrueCrypt has not yet been cracked by anyone. So right now, up to date, it’s uncrackable. And you can store whatever you want in your TrueCrypt container. You can store a text file that has all your passwords listed in it. But when that TrueCrypt container is not mounted, it’s not active, no one can access it.
So I tell people, you have one really, really secure long password for your TrueCrypt container, and then all your other passwords can sit inside there in plain text. And that way you can remember them. So you can put, my Google password is this, my bank password is that, but you have one really long one that you remember that’s for your TrueCrypt container or your password manager.
Jason Hartman: So aren’t you trusting then, the TrueCrypt company or whatever company makes that software, to, well you said it hasn’t been hacked, and that’s great. But aren’t you trusting them not to be malicious or evil in some way?
Chris Hadnagy: Well you are to an extent. The thing about TrueCrypt is it’s not “on the cloud”, it’s not sitting on the web somewhere. It’s actually handled right there on your computer. But you still are; any time you download third party software you are trusting that company to not be malicious and to do what they say they are doing. So that is always an inherent risk. And for someone in my field, like me, it is true. We can go around this circle for weeks because I’m one of those guys who’s overly paranoid. So anybody could be, anything could be a way into your life, a way to hack you. So anything could be a detriment. So I do think that, but at the same time I say at some point, the only way to truly be secure is to unplug your computer, get off technology and move to the mountains out in the middle of nowhere.
Jason Hartman: Yeah, and be Theodore Kaczynski. That doesn’t sound very appealing. That doesn’t sound very appealing at all. But yeah, you’re right. There’s just a lot of vulnerability. We’ll be back in just a minute.
Narrator: Now’s your opportunity to get the Financial Freedom Report. The Financial Freedom Report provides financial self-defense in uncertain times. And it’s your source for innovative forward thinking, investment property strategies, and advice. Get your newsletter subscription today. You get a digital download and even more. Go to JasonHartman.com to get yours today.
Jason Hartman: Just address one last subject here before you go. Because there’s just so much to cover here. I’d love to have you back on for a future episode. But I think it’s fair to ask you about probably the most common area in which people are susceptible and that is the area of identity theft. You talked about computer hacking and hacking one’s password and that’s a category, a portion of identity theft. But there’s much more to it than that. Do you recommend that people use these services like Lifelock? I hate to mention their name because there’s a zillion others, but what do you think about that kind of stuff?
Chris Hadnagy: So, do I have time for a short story?
Jason Hartman: Yeah.
Chris Hadnagy: Okay, so on my podcast I had a guy who was an ex identity thief contact me; he wanted to come on the podcast. I’m usually leery about that because I don’t want to promote anything terrible. So I kind of rejected his advances a few times, and then basically one day he sent me an email that had every piece of information on me including my social security number, my banking information, my full name, address, date of birth. He sent it to me. And I’m like, okay now you have my interest. And me being mister security, I was like how the heck did he get all of this?
So we had him on the podcast after he told me how he did it, so I can fix it before we released it to the public, and he outlined how he was able to perform this attack and get all of my information on the podcast. And I was fascinated because I have everything locked down. I don’t have a lot of information about myself on the web, that kind of information. But he was able to impersonate me, calling one of these credit banks saying the company had pulled my report for a resume for a job interview and some of the information was wrong and he wanted to verify what they had. And the lady on the phone went through all of the information and verified and verified it again and gave him everything that he needed.
All of this was done off of just a little bit of information that was on the web that had my name and address listed. So right away I started looking into things like that, like companies that sell this software. Unfortunately, I believe that the guy from Lifelock was actually a victim of identity theft after he put his social security number out there.
Jason Hartman: So, I guess Lifelock didn’t work then? It didn’t protect the owner?
Chris Hadnagy: But here’s the thing that I found. The credit bureaus in America at least, in this country, were able to do what Lifelock does for money, for free. So I’m able to go to Equifax, or one of the other ones, and I’m able to put an alert on my account that says if anybody tries to use my credit information, you have to first answer these three questions that I choose, you have to answer questions that are things that I tell them, and you have to alert me. So you actually have to alert me before you are allowed to use my credit. That’s the same thing Lifelock does, the alert comes to me, so now if someone tries to use my credit, I’m alerted and they have to know detailed information about me before they are able to do it. So that helps.
Jason Hartman: But that’s just one form of identity theft. That one form is simply the form of credit. People can open bank accounts, they can use your medical history, your criminal, they can create a criminal history on you when it’s not even you. I think there are five basic forms of identity theft, right?
Chris Hadnagy: Well there’s another one. I’m not sure you were thinking about this one too, about parents using the credit of their children now. Have you heard about this? Parents in bad straits, they get the [0:36:20.2] of their kids, their minor kids, they get credit cards, loans, [0:36:24.9], and then they don’t pay them off. And this one kid, he realized after he graduated from college, went to go get loans, and was told he had horrible credit. What do you mean I have horrible credit? Well you have like 17 year old debt. How could I have 17 year old debt? I’m 19 years old. And he found out that his parents had used his social security number to obtain loans and then never paid them off.
Jason Hartman: Unbelievable. Usually that happens the other way around. That’s the story I’m used to is kids getting their parents to co-sign on something and then the kids being flaky and not taking care of business and being responsible. But don’t the credit agencies know that the kid is two years old? How do you open credit accounts with the social security number of a two year old, in that example?
Chris Hadnagy: That’s an excellent question. And I would imagine that they falsify the reports on that, as far as birth date and things like that; I would imagine that there cannot be legitimate loans given to a two year old or to an infant. But these things occur. Also another big one is the databases that are out there that release information about people who have passed away. There are actually databases online that will give away the social security numbers of deceased people. So you find someone who just died, maybe in the same age group as you, and you just take their identity.
Jason Hartman: Unbelievable. This is just amazing. It really is. So your verdict on identity protection services like Lifelock, yes or no? What?
Chris Hadnagy: Well, I’ll say this. They have a value.
Jason Hartman: Better than nothing?
Chris Hadnagy: Better than nothing. They have a value but there are also, with a little bit of effort, there are more things that could be done without spending the money. There are more things that can be done to protect yourself. The problem I have, and it’s similar to anti-virus. Like when I said anti-virus was a management tool, an administrative management tool, people get anti-virus and then they say oh I’m protected. I can click anything. Because anti-virus will save me. And people get things like Lifelock and then they forget to critically think. And they think that they’re protected. So regardless if you use anti-virus or you use a service like Lifelock or something else, it still doesn’t absolve you from having critical thinking structure in your life. Those things are not 100% protective measures. You still have to be able to plan out what’s going to happen if you get attacked. You still have to be involved in keeping yourself secure. Those things aren’t a protective bubble around you.
Jason Hartman: And in some ways they may be detrimental because they create a false sense of security and a complacency, don’t they?
Chris Hadnagy: That’s my point. That’s what can happen if you’re not a critical thinker already. I’ve seen too many times people get anti-virus when they buy their computer and they say, well I have anti-virus, how did I get this Trojan on there? Well you realize that since they bought their computer, the free 30 day version of McAfee that they had has expired, they never renewed any type of anti-virus, they never updated the anti-virus database. So now here they are with an anti-virus on their computer thinking they’re protected, but they never did anything to take that protection further.
Jason Hartman: And one last area of this, all of these different websites out there that, they’re not voluntary, they just keep databases like PeopleFinders.com, Spokeo, these types of websites, where people can find out your mother’s maiden name, your date of birth, their date of birth, it’s just all pulled from public records. How do you get your name out of those things? I know you can opt out individually, but there’s so many of them. First problem, there’s so many of them. They all have different opt out procedures, second problem. Third problem, is that I hear that you can opt out, but six months down the road, you’ll be back in. You have to keep opting out. Any suggestions on those things? Those are just a nightmare.
Chris Hadnagy: Unfortunately no, there are no good suggestions because exactly what you said are the problems. You can go and do all the hard work, get yourself opted out, and there is no 100% guarantee that the next time you apply for a credit card online, your name will not be sold to the next database list and be back on all those websites.
Jason Hartman: Unbelievable. These sites have your school records, your birth records, your licensing records if you have an airplane registered, a car registered, a boat registered, it’s unbelievable. And it’s just free access to all of this stuff for just $2.95 and you can find out all this stuff about anybody. It’s amazing.
Chris Hadnagy: [0:40:58.6] Like you said, Spokeo, anyone can sign up. You don’t have to be a PI, you don’t have to be law enforcement, anyone can sign up, you can get the unlimited forever plan for like 36 bucks and you can search as much as you want and the information is so detailed at times, that I’ll sign up for those and then do searching on myself at times and see what they have on me. It’s amazing how I’ll be like, oh yeah I forgot about that, all the way back there like 18 years ago.
Jason Hartman: But you’re an expert. You understand the threat here of getting hacked, if you will, of having your life hacked. What do you do? Do you just keep opting out? I suggested, I have a friend that works for Lifelock, and I suggested to her, I said one of the great services they could offer is a way to opt people out of all of these databases out there in addition to the credit monitoring and that type of stuff that they do. I think that’s big business right there, helping people opt out of all of this stuff.
Chris Hadnagy: I think that that kind of a service would be unrealistic because there’d be no way someone could promise that. Because these websites pull from so many data sources that it would literally be a full time job for a team of people to handle one client. What I do, is I spend my time really practicing critical thinking. I know that sounds like a broken record, but I used to have this philosophy that if I get hacked, here’s what I’ll do. I now have the philosophy when I get compromised, here’s how I’m going to handle it. And it’s no longer an if, it’s a when because it’s just so prevalent. And I start to think to myself, okay here’s the information that’s out there, what can people do with it and what do I need to do to protect myself from it being used maliciously?
Jason Hartman: And one of the other things is just stop applying for credit cards, isn’t it? I was at Nordstrom the other day and they were having a sale for card members, and I had a Nordstrom card, I hadn’t used it in forever, and so I picked out a few pieces of clothing and the clerk that was helping me said let me just call and get your Nordstrom account number, well turns out I haven’t used the account in so long, they closed it. So they said, look you can buy all of this stuff on sale today, and the sale was actually pretty good. Plus we’ll send you a $20 gift certificate and all this stuff if you sign up. And I’m like no, I just don’t sign up for these credit cards anymore.
Chris Hadnagy: Yeah, well especially the cards that come from department stores, those lists are used in marketing campaigns. Remember you might have heard the news story about the teenager who, they sued Walmart I think, or was it Target? It was one of the major department stores because they sent her a congratulations on your baby notice before her parents even knew that she was pregnant.
Jason Hartman: Unbelievable.
Chris Hadnagy: About baby products, they assumed by her gender, her age and what she was searching for that she was pregnant and they sent her a Congratulations on your baby, here’s some coupons for your upcoming pregnancy. And her parents didn’t even know that she was pregnant but because of the data collection that these websites do, they were able to discern.
Jason Hartman: Scary stuff. I think privacy is dead. That’s just…this is just really scary stuff. It’s amazing, a friend of mine, she got engaged and as soon as she changed her relationship status on Facebook, all of the ads in the right hand column just started instantly changing as soon as it happened. It’s amazing. In one way, on the face of it, it seems kind of good that we can be offered what we want, what we’re interested in, that’s sort of the promise of the modern internet, but on the other hand it is so scary that this can just happen like that. So wow. Give out your website if you would. Tell people where they can learn more, and hopefully we don’t have to spend our whole lives managing our privacy and the threat of being hacked, but I think we do have to spend some time on it, no question.
Chris Hadnagy: My framework and the podcast and newsletter are housed on social-engineer.org and then if you’re interested in finding any more about the commercial services, it’s social-engineer.com.
Jason Hartman: Fantastic. Well, thank you so much for joining us today. And where should they get the book?
Chris Hadnagy: The book’s on Amazon. There’s also a link to it on both the .org and .com sites that will take you right to Amazon. It’s Social Engineering: The Art of Human Hacking. So they can check it out. Any major bookstore, actually I’ve even seen it in brick and mortar stores, like Barnes and Noble and Borders and things like that. They have it anywhere.
Jason Hartman: Fantastic. Well Chris, thanks so much for joining us today. Really fascinating topic. Scary stuff out there, folks. Pay attention. Be a critical thinker. Good advice today. Thank you Chris.
Chris Hadnagy: Thank you.
Narrator: Thank you for joining us today for the Holistic Survival Show. Protecting the people, places and profits you care about in uncertain times. Be sure to listen to our Creating Wealth Show, which focuses on exploiting the financial and wealth creation opportunities in today’s economy. Learn more at www.JasonHartman.com or search Jason Hartman on iTunes.
This show is produced by the Hartman Media Company, offering very general guidelines and information. Opinions of guests are their own, and none of the content should be considered individual advice. If you require personalized advice, please consult an appropriate professional. Information deemed reliable, but not guaranteed. (Image: Flickr | IntelFreePress)
Transcribed by Ralph