a hacker guide to sourcing talent in the 21 century (#sosude 2017)

A Hacker Guide to Sourcing Talent in the 21 Century Josef “josé” Kadlec


Post on 22-Jan-2018



BlackHat Conference Agenda

Term: HACK4x

Sourcing Summit 2016 Agenda

Term: HACK47x ?!?

Recruiters Obsessed by HACKING


Talent Sourcers are modern Social Engineers

Kevin David Mitnick

Who is using it?

The Good

Social Engineers (yes, it’s a job)

Salesmen

Marketing

Sourcing/Recruitment

Candidates (guerrilla techniques)

Law enforcement

The Bad

Corporate espionage

Organized crime

Phishers/Vishers

Scammers

Hackers/Crackers

Phreakers

Script kiddies

Publicly Available Data

LinkedIn, XING and others have changed the game of social engineering

Sourcing techies on Airbnb

site:airbnb.com/users java prague

Sourcing CVs on Google

java OR J2EE intitle:cv OR intitle:resume OR intitle:vitae filetype:pdf OR filetype:doc OR filetype:docx OR filetype:rtf

Sourcing in the WHOIS database

(payroll OR accountant OR ucetni) (german OR french) intitle:cv OR intitle:resume OR intitle:vitae OR intitle:zivotopis filetype:pdf OR filetype:doc OR filetype:docx OR filetype:rtf site:.cz OR site:.sk

Let’s go blackhat...

I TRIED THAT AT HOME

How do you SMS from a telephone number of your choice?

Examples

How You Can Do It

The access is available for SOSUDE attendees only.

Is it possible to do with calls as well?

Examples

How you can do it

SpoofCard - www.spoofcard.com

+ group spoofing
+ background noises
+ change your voice
+ any mobile platform

bitphone - www.bitphone.net

+ pay by bitcoins
+ encrypted communication
+ call directly from your browser

Possible sourcing scenarios

Fake number is more effective than a hidden number

Calling a foreign candidate with a local number

Overcoming reception to reach a candidate at work by calling as e.g. an internal employee, branch number, etc.

Attract a candidate who will Google the unknown miscalled number back - e.g. from the CEO of some company (establishing engagement with a candidate)

and many other bad things :)

Copy the voice of anyone (Adobe VOCO)

Copy the voice of anyone (Lyrebird)

Area Based Sourcing

How to crash the party with pushed SMSes?

Why care?

Global Analysis

~ 500+ million LinkedIn users

~ 1,7 billion active Facebook users

~ 3,1 billion people online

~ 4,3 billion unique mobile phone subscribers

Source: Wiki, gsmamobileeconomy.com, internetworldstats.com

Why care?

Czech Republic breakdown

~ 10,5 million inhabitants

~ 1,1 million LinkedIn users

~ 4,7 million active Facebook users

~ 7,7 million people online

~ 14 million SIM cards

How to approach GSM network

GSM Area Mapping

www.opencellid.org

NetMonster app for Android

Motorola C140

How our solution works

Possible sourcing scenarios

Approaching attendees of conferences, summits and meet-ups

Approaching employees of targeted companies

Engage with people passing by your company premises

Track habits, schedule and location of particular people/employees

Complete GSM stalking and hijack … ouch

How you can do it

Bird Catcher - www.toplinkpac.com

www.gammagroup.com

www.neosoft.ch

How do you hack radio?

Hacking Car Radio

How our solution works

How do you get your prime time on the national TV without a single penny?

How our solution works

How to gather identities of any meet-up or conference via fake wi-fi?

How our solution works

Possible sourcing scenarios

Collecting contact information and identities at conferences and meet-ups

Sniffing traffic for more data about connected people

www.recruitmentacademy.cz

GoodCall iBeacon Kontakt.io Eddystone beacon

What’s next?

Average Response Rate on LinkedIn

36,4%

Case Study: JavaScript Developer [iBillboard]

Video Sourcing

Video Job Description

https://www.youtube.com/watch?v=uDOetfwu6Gs

Individual Video Approach

Role: ECM Specialist at Tieto; 20 qualified candidates; LinkedIn response rate: 100%

Virtual Reality Videos: 360° AND/OR 3D

InCam

Live Videos on Steroids

How to live stream to multiple channels

Restream.io

LinkedIn Live?

“We are not going to white collar resort prison, no, no, no. We’re going to Federal POUND ME IN THE ^%*&^@ prison.”

-Office Space movie

Hacking had a Different Meaning


Me Today