
My main takeaways from @HeatherReyhan’s talk “How to Social Engineer Your Way Into ANYTHING” at @tarunchitra’s NYC Salon.
Heather explains how social engineering is about exploiting people’s cognitive bias: “triggering people to do what they’re already programmed to do”. Gives “white/grey hat” examples, like the AirBnB founder pretending to be his own agent when cold emailing/calling to get booked.
Heather is obviously not a dum-dum. This is clearly a presentation given by an intelligent person. The way she speaks and reasons about her area of expertise shows that she has pretty decent social skills, a sense of humor and humility.
If you can’t square this with her surrealist rap identity “Razzlekhan”, read the below passage from her Forbes column. What I can’t understand from CT the last couple of days is why “Razzlekhan” is evidence against her competence. Being goofy = often a strong sign of intelligence.
She makes no secret of the fact that she uses social engineering in her own life. Gives examples of places she has infiltrated. She mentions climbing a fence in Egypt and getting a security guard to give her & friends a tour of the restricted palace instead of throwing her out.
I don’t know if Heather & Ilya are the hackers, fwiw. The fact that they had full control over the private keys certainly implies some involvement. But they could just as well have stolen/retrieved it from the real hacker, as well as having been involved in the hack directly.
Here are some interesting chats from last night: Mike Belshe - Cofounder & CEO of @BitGo; Ben Davenport - Cofounder & CTO @BitGo (at the time of the hack); Zane Tacket - Community Director @bitfinex (at the time). Zane was the one handling all public comms during the hack.
Last screenshot is pretty interesting. @mikebelshe mentions that it was @bitfinex’s systems that were breached, not @BitGo, but @tackettzane seems to insinuate BitGo was at least also at fault. Curious that no post-mortem was ever written. Maybe it was something.. embarrassing?
People on CT seem to have made their minds up that the hack happened in a very sophisticated technical manner, but there is no evidence of this. And people also seem to forget just how potent social engineering can be, if you’re crafty. Tons of major hacks happen via SE…
In fact I think @mikebelshe pretty much reveals that the hack involved a significant human element when he says “and people”, and that BitGo was not hacked. Sounds like someone finessed their way in… not the “buffer overflow payload hack” that most people here seem to envision.
Often when a hack *is* very technically sophisticated, involving 0-day exploits etc, the target will share as many details as possible (to absolve themselves from insider suspicions etc). If they don’t share details, it is more likely it happened in a way they’re not proud of.
Back to the talk. Heather mentions people that she’s been able to meet through social engineering. Has a collage of photos. We can see John McAfee 1st row, 3rd column. She also mentions tricks for quickly building rapport with such an individual.
She gives some examples of how to influence people: - Flattery - Being useful to them - Bribery - Fear. She puts emphasis on the last one for some reason. She says you risk people calling the cops on you, but if you do it subtly, it can work very very well…
She talks about doing as much research as possible on a target online first. Things like getting a map of the area. What does the company org chart look like. Stalking people’s social media. Figuring out their likes/dislikes.
@paoloardoino (CTO of @bitfinex) is reading this thread as I’m typing it, and just added that how the hack exactly went down is probably worthy of a book. Make of that what you will.
Probably one day someone will write a book about the precise events, interesting details, behind the scenes etc
— Paolo Ardoino (@paoloardoino) February 9, 2022
Lot of sauce indeed. https://t.co/IXMG1xDHni
re: post-mortem
— Paolo Ardoino (@paoloardoino) February 9, 2022
This is still an ongoing investigation.
Unfortunately certain details can be disclosed only once all the event is concluded. We never lost the hope anyway.
I'm quite sure that the sauce will help people to understand better the causation of this mess.
I wish people would stop asking this question. There is *no* evidence that the private keys were unencrypted in cloud storage. I already tweeted about this. See tweet below.
Before all of CT goes nuts over how the Bitfinex money launderers kept $3.6bn unencrypted in cloud storage, please read the highlighted word below pic.twitter.com/Za9EJZmbPK
— Eric Wall (@ercwl) February 8, 2022
Some further explanation since people seem to be able to drop the idea that anyone who managed to hack Bitfinex must be a super-person. Can’t you accept that hackers aren’t perfect? Tbh, a really really talented person doesn’t need to commit risky crimes to reach their goals…
Besides, it is not *that* stupid to keep an encrypted file containing a private key in cloud storage! It adds some level of risk, sure, but if it is well-encrypted it wouldn’t necessarily result in a hack…
The FBI traced them first via the blockchain and found them using services like @bitrefill with their *personal emails*, ordering stuff to their *home address*. This, if anything, was way way dumber than the above. The FBI knew who they were.
After the FBI knows who they are, they seize all equipment. Analyze the devices. Maybe they find a partial password accidentally logged somewhere and bruteforce the rest. Maybe they find the whole password. In any case, the error was getting doxxed, *not* having the keys on cloud
Or maybe they even gave the pw up willfully when the gig was up? As @udiWertheimer says, the FBI had already caught them and had evidence it was them. Again, the error was getting caught.
There are more parts to how the doxxing supposedly happened for those who are interested here: (20 pages)
Anyway, back to Heather. She mentions examples of how to use information from your research to build rapport. Maybe you’re happening to stand around with some food they like that you’ve researched etc. My interpretation: Basically Barney Stinson-esque wooing of targets.
This is something I’ve personally not heard before fwiw
I'm sure I read somewhere that the hack involved getting a bitfinex employee to open an email attachment by using a story that their dog had been hurt in an accident - or something. I'll try and find it.
— Tom Trevethan (@TTrevethan) February 9, 2022
These are pretty common social engineering techniques (on the topic of “blending in”). Like, you could put on handyman’s clothes, go into a busy store, look like you belong and start moving expensive clothes out of a building saying you’re repairing something or whatever.
She mentions that one of her personal favorites is layered clothing as you can change appearance as you go (taking off layers/clothes => new look) and mentions the things you can do with a scarf to wildly transform yourself (e.g. turn it into a turban if necessary).
She gives personal stories of screwups, like trying to get in somewhere by reading a name off the list of names the door guard keeps and accidentally + unknowingly trying to impersonate a large man. Sounds like she’s pretty passionate about this and has tried it in the wild a lot.
Lmao
It splits into exercises now that are going to be based on real-life, slightly-tweaked-for-privacy situations that Heather actually has been in. Someone asks why she does it and she responds “for the challenge of it”. Goofy.
She recounts some stories at the end of it, also referencing things her friends did (e.g. a friend who broke into a Y Combinator event and got funding from @paulg) and how her friends act toward each other: for example, if one gets caught, they’re on their own.
This is interesting because it sounds like Heather might be part of some kind of hack/social-engineer-for-fun collective (wouldn’t be weird if that’s her hobby), suggesting she maybe wasn’t working alone on the @bitfinex job, but rather was part of a group that did it.
Lastly, she is asked about ethics. She says that to her “the ends justify the means”, and ends with “I have my own ethics, I’d say”.
Oh, right, the link. Here it is:
Okay, found a really bad version here https://t.co/PdE7956XGi https://t.co/dxiLTlHx9r
— Tarun Chitra (@tarunchitra) February 8, 2022