Social Engineering Blogs

An Aggregator for Blogs About Social Engineering and Related Fields

Secrets of PickPocketing … Online Training with The Professional Opportunist

Back in October 2012 I attended a Pickpocket Training Day with Professional Opportunist James Brown, and I blogged about it on this site here. It was a great session and many people have asked me about it, but not everyone has the time to travel, or may have logistical and financial constraints based on geographical location. Well now this isn’t a problem as James is now providing an online training course to teach the Secrets of PickPocketing.

I purchased access to this training upon its release back in October 2015 for a couple of reasons. Firstly it serves as a good refresher and future reference material, but I am also a fan of James work so like to check these things out if reasonably priced.

So in this post I am going to provide a brief review of the course and its material and what you can expect. I should start off by saying the presentation of James material is from an “entertainment” perspective, but this shouldn’t put you off as technique is technique. My interests in learning and understanding pickpocketing is two fold, one for awareness to reduce the risk of being a target, and also understand better the motivations, techniques and approaches that are used in criminal activities, so have this knowledge and skills in my repertoire for work, and its good fun to do with friends and people you meet with the right permissions!

The Secrets of Pickpocketing course is the first to cover both the technical skills of theatrical pickpocketing as well as the more important lessons on misdirection, attention management and mindset. This course takes you step by step through the necessary ‘soft’ skills before blending them with the technical steals to give you the best possible foundation.

With 6 hours of tuition, discussion and live performance (including commentary) this course is the perfect introduction to the Art of the Steal.

The training is broken down into five sections, and I will give some coverage of those below. If you dont want to read and just get on with learning / seeing something, click the image at the end of the post and get access to a FREE video to learn the “Easy Steel” pickpocket method.

Introduction – As you would guess from the title its an introduction into the course material thats going to be covered and the format. This helps set the scene for the many hours of footage you are about to digest.

Fundamentals – This section is extremely comprehensive and provides the base level thought process and mindset that should be used when approaching pickpocketing. Firstly it covers mental and physical relaxation, this is a key part in the art of pickpocketing, as it requires smooth and fluid actions, not tense and contorted muscles that are stiff like an iron bar. Then we cover misdirection, its probably no surprise that this is a also important, it defines how and why we would want to redirect the attention elsewhere and away from the area the steal is taking place. Then we look at proximity and approach, so how do you get close to someone and up in their personal space, how can you do that in a non challenging way (James draws on some of his past experiences as a medical professional). Lastly in this section he covers how you put all the fundamentals together, putting the skills and mindset together to create an environment to facilitate dipping / pickpocketing.

Action – Now onto the actual doing of things :) In the action section we start of looking at how we access what someone might have on their person, this could be from a visual and inspection perspective. Then we get started with some method, so we look at  2 approaches to steal from an outside jacket pocket. Then we take a brief stop to look at the ethical and moral concerns of who should you pickpocket, this is from a theatrical entertainment perspective remember, but useful and valuable information for anyone to consider. Next James discusses the situation where someone has nothing to steal and how you could handle this in the entertainment setting (ie give them or get someone else to give them something). Then we are back into method again, covering techniques on stealing from the front trouser pocket and back trouser pocket, then another little break to discuss how you handle the accusations of stealing. Next fear is discussed and how you can overcome it to attempt your first steals, so how to practice, and who to try out your developing talents on. Now back into a chunk of method again, covering steal techniques for the lapel pocket and 5 approaches for an inside pocket. Then another little break to discuss performance theory and the reason and motivation behind what you are doing and how you can present / communicate this to others. Then back into some method again, covering tie stealing, how to combine multiple steals and how to steal cufflinks. Then we have another interlude to discuss knowing and understanding what you are stealing before you go flashing it about (no one wants to be waving a sex toy around behind someones back to everyones embarrassment). Now we move into the closing sections, we kick things off with how to steal different types of watch and how to steal someones belt. Finally James talks about why you don’t need Ninja skills to be a proficient pick pocket and how you can practices these methods that have been taught throughout the section.

Going Forward – This section talks about the next steps, and how you may integrate this into magic, mentalism and hypnosis from a performer perspective. There is also some good examples and live performance which serve as great reference points, and then some conclusionary comments.

In the trenches – Finally we have various lessons learned in the trenches, providing real world examples of how things can turn out. I really like these sorts of sections, seeing and understanding how things work in the real world not just in a training setting. There are also a couple of outtake videos but thats just for shits and giggles.

So I hope you found the above a little informative and you get an idea of the type of concepts covered in the training if you decide to purchase the training for yourself. I really enjoyed the material and have gone back to some of the videos to fine tune some things. James covers this, but you can practice just with a jacket on the back of a chair, but ideally you need to rope friends and family into your training, and if you feel really invested get a shop dummy / mannequin to train with (I keep threatening to do this). At the time of writing the online training costs $147 USD / £104 GBP, and I think thats pretty reasonable, especially as they have already added some more videos based on customer feedback. My only gripe with the training is that its solely online, so if you don’t have an Internet connection your stuffed. I would prefer the ability to simply download the material and add to my media server and sync to my devices so I can sit and watch whenever, but there are of course ways around this.

If this is something of interest, you can find out more and also get access to the FREE video of the “Easy Steel” technique by clicking the image below. Thanks again for visiting the site, please share and subscribe!

Easy Steal

Corporate Red Teaming To Me

I am writing this blog post to share my thoughts on what it means to run and be part of a Corporate Red Team, I am sure there are similarities with Red Teams outside of the Corporate world but I don’t pretend to talk about things I have little to no experience of. The reason for sharing these thoughts are also because I have had emails and DM’s from people asking me about Red Teaming as well as sharing their experience by CV/Resume, so thought I could share here and have somewhere to direct people. I should caveat that things are abit busy right now, so this covers what immediately springs to mind, so feel free to add comments for further discussion and clarification.

Red Teaming isnt better or worse than other forms of security assessment, it just provides a different perspective and should compliment other forms of security testing and should never be considered a replacement. Red Team engagements should be objective focused not controls focused. The objectives should be relevant to the organisation and of importance, trying to see if you can steal the Christmas Card list isnt going to be that valuable to learn about, you need to be going after the secret sauce and on that journey of looking to achieve that objective the effectiveness of controls will become transparent.

The two most important things for an effective and successful Corporate Red Team is the right support within the organisation, and creative, effective, diverse and trustworthy team members.

When I talk about support within the organisation, I am talking about a realistic understanding of the challenge that exists, this doesn’t mean things magically work and everyone rolls out the Red Carpet for an engagement, but it means a pragmatic approach to what you are trying to achieve that will grow and evolve overtime. So you want the board in agreement and awareness of risk (risk always exists, so consider risk of doing VS not doing), CEO, CIO, CISO, and business leaders brought in, as well as legal, privacy and HR teams, they all play a vital role in being able to do effective and realistic adversarial threat simulations. It is important to push the boundaries that are permitted in Red Team operations, but I always ask myself how would I feel if I found out a company I used / worked for employed professionals to use certain tactics on me, would I think it was beneficial overall, or would I be disgusted in that it was permitted. So far this has helped act as a good barometer on how far you look to push things, with the understanding it does result in limitations and frustrations.

Next the people, I put this second only because if the organisation isn’t GAME ON having a team of superheros is about as effective as a chocolate fireguard. So assuming you are good to go, you want people who can adopt an adversarial, threat centric mindset, people who can remain calm when challenged and think outside the box to achieve their objective. You also want people with different skillsets, backgrounds, experience, and perspective. You also want people who can work effectively in a team, and act and think in a way thats best for the team, no super stars who think they are too good to do a task, or think the process doesn’t apply to them. My reasoning for this is as follows, you need people that can work effectively as its not uncommon to have people globally dispersed, so an ability to think in the interest of the team and have empathy is important, this approach also makes the team more effective and can help facilitate a ‘progress over perfection’ approach where people come together to evolve and grow the team and make it great. You want people who think differently and are willing to share their perspectives and have leaders and team mates that value them. Some leaders want a team of clones, who don’t challenge and think differently. If you have this, you wont have awesomeness, you want people to challenge each other (this is done respectfully), challenge leadership and the way things are done, and strive for excellence. Living in an echo chamber might fuel your ego, which is fine but in my experience will ultimately stifle things. Skillset and experience should be obvious, but you are going to be attacking production environments, here mistakes are costly so you want people who are experienced, and think before pulling the trigger. Having a global team can bring its problems if you are not used to working in such an environment, but its important to be aware of cultures, consider time zones, entitlements and more for all the locations you have your people. Looking after your people should be a top priority and they will look after you. Many people I speak to say they are global, but its 10 people in the USA and a token contractor in Brazil or something, thats not global. Having a globally diverse teams means you can act more like the adversary, have people with different cultural knowledge and approaches, ability to read and write in different languages, and dependant on the dispersal of the team members you have a 24 hour force of awesomeness in play. You need to have reciprocal trust and respect for your team mates, know they have your back and you got theirs. Not everyone is built to work from home, or are able to work and communicate effectively in a remote team, but those that are can be very efficient but what works for one doesn’t work for all, so its important to manage expectations and perception across the team when you are not all sat in the same office.

I once interviewed a really knowledgable and experienced mobile pentester who wanted to move into Red Teaming, he said he wanted to join a Red Team so he could really fuck shit up. A professional answer to an interview question I am sure you would agree, but when challenged had no concern to the potential impact or risk for the business, its people, processes or technology involved.

Red Teaming is about playing devils advocate, challenging perceptions and beliefs through tangible results. If your doing Red Teaming right, your mission isn’t to FUCK SHIT UP, its ultimately to accelerate the organisations ability to handle an adversarial attack. This is done by changing cultures from vulnerability to threat centric thinking, partnering with intelligence, monitoring and response teams to leverage information and improve capabilities to detect and respond to an attack and generally make things hard for the bad guys. You should also be looking to allow the organisation to make more informed risk decisions, by taking the theoretical decisions made in a possible attack, and then proving out the results one step at a time, to decide if the risk decision still makes sense.

Just because you have awesome Zero Day Fu, doesn’t mean you need or should be using it during a Red Team threat simulation. Sure you should be advanced and sophisticated in your approach and skills, but if the real adversary can achieve their goal using the clear text creds in the text file on the desktop you just popped, they wont go flashing their awesomeness just because they can and don’t need to. The attack path taken should be appropriate and relevant to the objectives and the adversarial motivation.

Red Teaming has been all the buzz the last few years, and like most things in the InfoSec / Cyber World there are various shades of grey on what this really means. I have spoken to some Red Team leaders and its clear their pentest team just got a rebranding and nothing else changed. I think its hard to find organisations that take Red Teaming seriously and really look to mimic adversarial activities, and I also think this is because the messaging to boards and executives isn’t clear either. So if you are fortunate enough to work for an organisation that is taking Red Teaming seriously, its a sign of maturity, acceptance of reality and a willingness to embrace a change of thinking. That doesn’t mean its going to be easy or without challenge, but most thing that are worth doing and doing well take some effort :)

For me Red Teaming should be as close to the mimicking the adversarial approaches as possible. I say as possible, because if you live in the real world you will realise that when you are doing something for a company there are boundaries, codes of conduct, values, ethics and morals that come into play, so you need to work with these and continue to push the boundaries to increase the value as the landscapes change over time, as well as trust and respect in the teams capability.

So even though the Red Team capability may sit in the InfoSec / Cyber function, it should’nt be what defines it. The scope of Red Teaming should cover the physical, technology, social, people, and process components involved to achieve the goal, and you should be able to maneuver across product, test and development environments, essentially if the bad guys could and can go there so should the Red Team. This means its important to have effective relationships and partnerships with many groups, and consider various regional, regulatory and legislative issues along the journey, but its worth it :) Its also worth noting that over the years the perimeter of an organisation has become hard to define, so 3rd parties, suppliers etc should look to be included over time, but this takes time, contract adjustment, liability acceptance and more, but you should have a vision and be working towards it despite it maybe taking months or years to get there.

The thing most people don’t consider is the psychology of the adversary, they don’t think that if the asset / objective they are looking to achieve is so valuable they will go to great lengths to achieve it. They wont just give up if things seemed locked down, they will take a different approach, that may mean socially engineering someone, bribing someone on the inside, or perhaps they drive a truck through the wall to steal the hard drive. Thats what the Red Team needs to do (within reason), and the end goal is to help the organisation improve their controls and capabilities to a level that the cost and effort is to great and the environment to hostile that only the most determined try, while the others go after someone else.

You achieved the goal of stealing customer data, but you found it in the dev environment? Thats just cheating! People get irked when you find data in places it wasn’t supposed to be, but remember the attacker cares about the data and its value, not where they find it.

Its also important to invest time and money in improving capabilities, evolving the service and investing in your people. The organisations adversaries are constantly upping there game to overcome the obstacles they face, and the Red Team should look to do the same, to find additional attack paths using different methods, as well as keeping things interesting. This requires time and fundings to attend training, work in interesting projects and R&D. The people you have with you on this journey should be passionate and engaged in what they are doing, this should be rewarded. I will also note here that everyone in the team should have a voice in the direction of the team and its capability, it doesn’t matter if you are the seasoned professional, or the new guy or gal out of university, they have perspective and opinions which should be considered, they might have the next great idea. The buck ultimately stops with the leader, but its more effective and productive to have people onboard the fun bus to help keep the wheels and doors on, than dragging them along like cans on the bumper :)

If you have the privilege to lead a Red Team with the right people, your enthusiasm, dedication and approach sends a message to your team mates, those you serve and those who you engage within the industry and community. Leading a Red Team is about helping the organisation focus on strategic issues, things that can be really beneficial and have quick and long term wins, when this isn’t seen you should fight opposition to be focused on the right things, this means the team is used most effectively and keeps the team engaged and passionate about what they are doing, and the activities undertaken clearly connect to team and organisational goals. Each member of your team is special, and all different, so its important to think of them as people and not simply a headcount figure. Understand their needs, how best to interact, how they prefer to be engaged with, along with helping and coaching them to success. You should respect your team, and they should respect each other regardless of grade, skillset, etc. I wouldn’t expect anyone to do something I haven’t done, or wouldn’t do myself, nothing frustrates me more when people say they are above a task. I agree you should be mindful of how to put someones skills and abilities to best use, but no one should be above chipping in and getting things done to move the team forward. You should celebrate people success and achievements, your goal should be to help each member of your team progress to meet their dreams and full potential, managers feel threatened, where leaders partner for success. Finally process and quality is important, but results are what matter the most and what impact you can have. A good leader is honest and transparent with the team, and ultimately takes responsibility for deficiencies in the team and will back up the team and not air issues in public, if you want to flourish in the glory of success, you should take on the failings and take action to remediate, this is where for me progress of perfection is vital.

Life is short, and we spend a hell of alot of time at work, and I am fortunate enough to be in an industry I enjoy, and for all the challenges that may have to be overcome I am fortunate to do the work I do, and even more so to be in the company of such great co-workers, who share my passion and enthusiasm for doing great things, to a high quality and standard, and looking to have fun at the same time.

So my Dream Team consists of people who are interesting, passionate, reliable, trust worthy, team players as well as self motivated and able to work on their own initiative. Need a variance of skills and disciplines, so this should cover capability to attack web, network, OS, database and more, with capabilities in the physical such as lock picking, alarm system knowledge, access controls systems, and an appreciation around psychology to be effective in social engineering, building effective relationships and abilities to influence and drive change. If you see a problem, be part of the solution by offering ways to improve or overcome, don’t look for others to fix the world for you, instead invite them on the exciting journey.

RedTeam2

Like anything on the Internet, these are my thoughts and opinions based on my beliefs and experiences. It doesn’t mean its right, wrong or indifferent, its just how I like to approach Red Teaming.