Exploiting Trust (Part 1)

Hosted By Chris Parker

“It doesn’t matter how good your security is. If someone else’s security is bad and they’re on the same server, they get to you anyway.” - FC Barker

Most security failures don’t start with a dramatic breach or a mysterious hacker sitting in a dark room. They usually start quietly. Someone assumes a system is locked down. Someone trusts that a door shouldn’t open, or that a machine “just works,” or that no one would ever think to look there. Over time, those small assumptions stack up, and that’s where things tend to go wrong.

Today’s guest is FC Barker, a renowned ethical hacker, social engineer, and global keynote speaker with more than three decades of experience legally breaking into organizations to expose their blind spots. Formerly the head of offensive cybersecurity research at Raytheon and now co-founder of cybersecurity firm Cygenta, FC is also the author of How I Rob Banks, a book packed with true stories from the field.

In this conversation, FC shares what he’s learned from decades of breaking into places he was hired to protect. The stories range from funny to unsettling, but they all point to the same pattern: technology usually isn’t the weakest link. People are. From outdated systems that can’t be replaced to everyday workplace habits that quietly invite risk, this episode offers a grounded look at how intrusions really happen and what actually makes environments safer.

“Pen testers get blamed for everything. If anything breaks while we’re there, it’s automatically our fault.” - FC Barker

Show Notes:

  • [03:06] FC grew up before cybersecurity existed and learned computers when manuals were thicker than the machines themselves.
  • [05:27] How early internet culture shifted from curiosity-driven exploration to the rise of malicious actors.
  • [07:15] Why inviting external testers to break into your systems was once an unthinkable idea and how that changed.
  • [09:35] The danger of internal blind spots and why external validation is often more valuable than internal confidence.
  • [10:46] Unexpected discoveries during penetration tests, including systems no one remembered were even running.
  • [12:23] Choosing unusual, esoteric security projects and why unconventional systems often hide the biggest risks.
  • [12:50] A real-world operation that involved reverse-engineering hardware to shut down power infrastructure in seconds.
  • [16:29] One of the easiest break-ins ever happens accidentally, proving how fragile some systems really are.
  • [17:21] The most common technical failure seen across organizations: poor network segmentation.
  • [18:36] How a routine internal scan accidentally knocked an entire country’s banking connection offline.
  • [20:04] A bank unknowingly runs its internal network on an IP range owned by the U.S. Department of Defense.
  • [21:43] A mysterious daily network outage turns out to be caused by a single employee’s music collection.
  • [23:07] Plugging into a forgotten network switch triggers a fire during a government penetration test.
  • [25:15] Why penetration testers are often blamed first even when nothing has been touched yet.
  • [26:25] Discovering malicious insider code planted by coordinated nation-state actors.
  • [29:41] Why some outdated systems must remain untouched and why “just update everything” isn’t realistic.
  • [33:15] Implanting covert hardware inside everyday office devices to gain persistent network access.
  • [35:01] How avoiding people altogether is often the most effective form of social engineering.
  • [37:10] Why attackers move from the top floors down and how authority bias works without a single word spoken.
  • [38:35] Clothing, context, and small visual cues that instantly make people assume you belong.
  • [42:26] A penetration test derailed by an unexpected office costume day—and why randomness can be a defense.
  • [44:33] A simple exercise anyone can use to start thinking like an attacker by examining their own home.

“Many security failures aren’t caused by broken technology. They start with human behavior.” - FC Barker

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.

Links and Resources:

Transcript:

FC, thank you so much for coming on the podcast today.

Thank you very much for having me, Chris. It's a pleasure to be here.

Looking forward to this. Can you give myself and the audience a little bit of background about who you are and what you do?

Yeah, absolutely. So my name is FC. I'm probably better professionally known by my ethical hacking handle, which is Freaky Clown. I've been a cybersecurity professional now for 30 plus years. I've been the head of ethical hacking at a couple of places. I've been the head of pen testing at a couple of places, head of physical security at a couple of places. I was even the former head of offensive cybersecurity research for Raytheon, a very large defense firm, before I started my own company called Cygenta with my wife. I'm the author of a book called How I Rob Banks. And I've also helped out on a couple of other books, and friends that have also written books as well.

I love that. What got you interested in hacking and cybersecurity?

Well, I kind of predate a lot of this, right? So I'm a lot older than I look. When I grew up, there was no such thing as cybersecurity. There was really no, there wasn't the World Wide Web. We had the internet, but no World Wide Web yet. My first computer had toggle switches. It didn't even have a mouse and keyboard. So when they came along, that changed the game. Then the World Wide Web came along and that changed it even more.

So I sort of grew up tinkering with computers. And when you got a computer back then, you got a massive thick manual on how to use it. Like, you turn it on, you get a little prompt and you have to like program it to do anything. So from there, I think my interests sort of grew because I was pretty much a lonely kid, bringing myself up in a poor family. A couple of friends had computers. I tinkered with them.

And then eventually, I went to college. You couldn't study computers back then. There was nothing like that. So I ended up doing science. I was studying biology, chemistry, physics, and nuclear physics at one point. I quit that to get a job as a sysadmin for a small company. And as part of that, I realized that the only way to defend against these now malicious criminals that were coming out was to learn how to do it myself. And that was really the start of it for me.

And so when did you get to become where ethical hacking was your career?

I don't actually know. Like, yeah, it transitioned from sysadmin to security professional, like without the title, because like I say, it was so new back then. And then eventually I got actual job titles with that in. And so I think that that's probably around then. So I was probably … I have no idea. I can't even remember what company I was working for, but I have such a poor memory. So yeah, I've been in it for a while, let's put it that way.

It's an interesting transition because there's definitely a world of we're running systems, we're running security, we're running networks, and then to transition to… hey, I want to be, I want to go to work and poke at other people's stuff, not just my stuff.

Yeah, definitely. I mean, you have to remember, it's a completely different world back then. You know, we had, a whole web server was run off of an FTP system, right? Like it wasn't even secure. You'd log into some things and there wasn't even a password system, let alone a password set. So you just log in with your username and that would be it. We used to do things like dialing up other computers. It was peer-to-peer. I mean, I'm sure you've done the same later.

I ran a BBS in the 80s.

Yeah, BBSs were a huge thing. So yeah, it was great. Like that was, it was like the Wild West, but everyone was kind of nice. Like, everyone was behaving themselves. And then you had stuff like Cliff Stoll with the Cuckoo's Nest book, which is a fantastic read if anyone hasn't read it, sort of tracing down like the first types of hacks that were happening. I think that was a huge transitional period for a lot of people, where they realized like, oh, there are malicious people out there and now they're starting to use computers and now they're starting to do things that we weren't expecting. So we have to start to defend against them.

So, clearly, the defense piece makes sense, I think, for most people. Okay, we've got a platform, we want to defend it, and we're going to try to break into our own stuff to see how good the defenses are. How does that transition now into, I want to start a company, and hey, world, I want to break into your stuff, but I promise I won't do anything bad.

I actually don't know how that happened.

It's kind of a weird pitch to make. Like, I think if you look at it now, oh, pen testing, okay, everybody kind of thinks about that as a reasonable thing to do if you have something that has a public internet service. But 20 years ago, inviting people to try to break in, or I'm not inviting people to break in, like, I offer a service where I try to break into your stuff and I promise I won't do anything bad.

Yeah, I think how it really happened, right, at least from my perspective, how this worked was we had a web server that was run on a VPS, right? But in those days, it was a physical box that you went and put in a data center somewhere. And when you have that, there's a lot of money involved in that. And so what you do is you piece that web server up into other web servers, and you offer that as a service.

So I remember one of the first companies I worked for, there were like five or six different websites, different companies on one server. And when you have someone who knows about security testing your product, it's very easy to offer it to everyone else on there, right? What you realize very quickly is it doesn't matter how good your security is. If someone else's security is bad, they get onto the same server. And once they're on the server, then they can get it to you anyway. So offering it to our other clients at the time made sense.


And I think some of those companies, they matured, they grew up, they got bigger, they had their own stuff. And then they realized, actually, we need someone external to come and look at our security, because they're trying to run a company, a clothing shop or a DVD shop or whatever. Then they need someone with experience to do that. And then it's very, I mean, back then there was like a hacker group like London 2600. I was very involved in that. So you have these collectives of computer security nerds that are talking to each other and they're all getting jobs in higher places. And so word quickly spreads, I think is where that happened. And then it's a really obvious thing. It's like, why should I become a security expert when I can get someone that knows how to run systems and then get a security expert in? And validation from externals is always, always a way easier sell to the board than it is doing internally.

Yeah, and from a practical perspective, if you built the security, you don't know where your vulnerabilities are because you have blind spots, you have biases. I built this. Of course it's secure. There's nothing wrong with it. And someone comes in like, oh, well, just turn it to the left and it works.

Yeah, exactly. I mean, my book is full of those sorts of stories where people that have installed the security systems don't understand them enough in the bigger picture that it's very easy to bypass them. I'm very lucky that I have broken into many, many weird and wonderful places, including a couple of castles. Now, when you're talking like a castle that was built in like the 10 hundreds, then they weren't thinking the same way I think about how to get into these places. So it's a fascinating world. It really is.

Yeah. And so with the ethical hacking and trying to break into other people's stuff, what are some of the more interesting things that you've been able to access unexpectedly to your clients?

Ooh, right. So yeah, I have to be careful because obviously we have to think about secret stuff that we've done. But there's all sorts of really random things that we've come across. I remember once in a pen test, there was a very awkward situation where we discovered a secret web server running on some client software on their stack. And we looked at it, we're like, oh, this is a bit racy. So we called the board in and we had this conversation and they're like, oh, I think we know what this might be. Let's call in our tech guy.

So their system admin comes in. And he deadpan, he comes in. He's like, “So what's the issue?” And we're like, “Well, we found this hidden web server. Do you know anything about it?” He's like, “Oh, yes, that's my wife's site.” And we all just sort of blankly looked at him like, “Your what now?” And he's like, “Yeah, if anyone's interested in anything else, any other content, just let me know.” And we were like, “We're done here.” Like, just no. It was just the weirdest, weirdest moment I think in a pen test ever.

But yeah, you get in, you get some really interesting things you get to do when you do pen testing, right? I'm, I'm very, very fortunate that I get to choose my clients very carefully. I only pick things that are very strange or esoteric or fun that I think I'd want to hack. We did something for a client where we did these hardware sensors that they put underwater and nobody had ever tested them. It was never a reason to. And we took it apart and we completely own this device. And it was a fun challenge. It was like two weeks worth of work just digging into it. It was incredible. So yeah, I get to do some very fun things.

And I think actually one of the fun things that's kind of relevant nowadays is, you know, the recent Venezuela operation was an absolute resolve. And a lot of people have seen this where they say, oh, can we, they turned off the power. Right, well, 15 years ago, at least now, I created a device for doing just that when we were involved in an operation to take over, well, to help the regime change of a country. Our team was involved and they said, can you turn off the power for us? And it took maybe two or three weeks of effort to reverse engineer some of the hardware. I built a device that was pre-Raspberry Pi. It was along an Arduino-ish type device that we gave to the boots on the ground to implant, and we turned off the power in 21 seconds. And boy, that was a good day. You know, so finding really interesting things is always fun for me, and I'm very fortunate that I get to pick and choose what I want to work on.

I mean, that's got to be fun of like, We don't have access to the physical, the real target we have. Do you create a fake environment?

No, so from our intelligence on the ground, we were able to find out what they used in a similar way to the uranium enrichment plants that got taken over, right? There just happened to be some promotional video that showed some hardware. We figured out what the hardware was. We looked at that. We got hold of similar hardware, and we literally had a manual, it was this thick. They were there were two books this thick, and I spent a week reading them and I said, hang on, I think I think we can do this, this and this. And so we built some like prototypes first of all, and it kind of worked. We found somewhere else that had one running and we tried it on that and it was successful. And we were like, okay, well, you know, this little squad is gonna have to get in and put this in place because I'm not going. So yeah, it was a fun time. It was a very fun job, that one.

That is a total blast. On the total no boots on the ground, no physical access to anything. What has been kind of like the easiest gig that you've had in getting access to someone's platform?

The easiest, right?

Because everyone asks you about what was the hardest thing to get access to? What was the easiest?

I mean, the easiest, you don't even really remember half of them because they're so easy. But there was one time years ago, two colleagues and I were at a pen test and they wanted us to look at a thin terminal system. I'm not gonna name them, but it was getting to the point where we were having a bit of a competition of how to break out of this thin terminal software and get remote code execution or code execution rather. And so we were doing all these fancy things and it became a competition between the three of us.

And then our client came over and he was like, “Hey, like what's going on? Like you lot are just giggling and you lot giggling is not good for me. It's a little disconcerting.” Yeah. So we were like, “Oh, we're really sorry. We're just trying to like show how easy it is.” And my friend turned around and he's like, “It's so easy to break out of this. Like, you could literally just mash the keyboard.” And he turned around and he just slammed the keyboard. And it did actually break it out. And we were like, “No. What did you press?” So we spent the next two hours trying to figure out what key combination he pressed to do the breakout. It was hilarious. But the client was like, what are you doing?

Just mash the keyboard. Just mash the keyboard.

It was brilliant.

So is there like two or three things that clients consistently forget about or where there's like, hey, now we've done lots of work protecting our web server or whatever, these interfaces and these platforms.

Yeah, I think unless you're talking about like cultural and educational things, technically the biggest thing I always see is they haven't segmented their network well enough. Whether or not that's with a proper air gap system for very sensitive stuff or even just assigning IP ranges to certain departments. It's easier if your sales team is on its own segmented network. And then you poke holes through to where they need to go. That's a massive one I see.

“Technically, the biggest thing I always see is they haven't segmented their network well enough.” – FC Barker

I remember once we went into this bank and we were scanning internally, they said they had a flat network, but it was segmented. And we're like, “Flat but segmented? What do you mean?” And they're like, “Oh, just different countries. The different countries are segmented.” And we're like, “Well, obviously, because they'll be on different ISPs.” And they're, “Oh no, we have interconnectors between the countries that we can talk to each other.” And so my colleague is scanning through some stuff and suddenly the client rushes over. He's like, “Brazil's just gone offline.” And we are like, “What?” And they're like, “Oh, it's saturated the line.” And we're like, “We are only like port scanning. How have we saturated the line?” They're like, “Oh, it's only like an ISDN line or something.” Oh my goodness. So we're like, “Maybe don't.”

So yeah, like really foundational things I find most hilarious with companies 'cause they've spent billions across the whole industry on cybersecurity, the new flashy blinky box that does something, the new software that they never configure, and there's these foundational things that you think, What on earth are you doing? I remember one bank, this was decades ago, and we used to go in there every year for annual pen test. And every year, the top of the report would say, the biggest issue you have is you've not used an RFC 1918 compliant address. So for those people that are not technical, that's just a standard of like, these are, not internet-facing addresses, so no one can route to them. And basically, they had picked an IP range from the internet and just used that for their entire bank internal network structure.

And so I looked it up using WhatIsMyIPAddress. Because why wouldn't I, right? So I remember doing that. And it turned out it was a Department of Defense IP range. And I was like, what? Like, if anything leaks out, if you misconfigure something and you suddenly start hammering your internal servers and you're hitting their servers, you're going to get a knock on the door. So every year for like 5 years, I went in and said, you have to change this. They never did. So they got fired as a client. It was like, if you're not listening to me.

So weird. I remember I was working at a company and we had been bought out by another company. I was not in IT at the time. I was kind of IT adjacent. And you try to connect the networks because some other people are in our office. And after they've been up and running for a while, everything was cool. And then one day, everything would just grind to a halt at like four o'clock. And we're like, the salespeople couldn't get on this, the sales mainframe, the internet would just… And then about, half an hour, 45 minutes later, hour later, everything was perfectly fine again. And it just kept happening, day after day after day. And we're like, this is just too regular, there's something… And so we kind of figured out something is saturating the internet connection. What is going on? Because it hasn't happened before.

We do all sorts of tests and we can't make it happen, but something is causing this to happen. And so me, the IT guy, we're just going to stand and stare at the room, you know, big, you know, war room style seating at 4:00. And we see this guy get up and go home. And we go running over his computer and just unplug it. And as soon as we unplug his computer, the network's perfectly fine. We plug his computer back in and the network screams to a halt. And we're like, okay, what's going on? He had put like 2 terabytes of music on a folder on his desktop. And every day, roaming profiles would kick in, probably misconfigured, and sync up his desktop to the remote server.

Oh, wow. I love simple things.

All of his music, delete.

Bet he was furious. That's amazing.

But those are those weird things that users just do. You know, why would putting music on my desktop cause the… Yeah, I mean, it shouldn't, right? It shouldn't, but those weird things can happen.

Yeah, I remember going into a pen test once for a government site. And we turned up and we're like, okay, we need to plug into the network. Where are we plugging in? And they're like, “We don't know. We literally have no idea what you're on about.” So we poke around and we find this like dusty old cupboard and we find a network switch in there. Like not even like, uh, it wasn't good. So we plug in and we're chucking packets over this little switch. And then all of a sudden there's panic, alarm goes off and we're like, what's going on? People are rushing over to the cabinet. It's caught fire because this switch hadn't been used so much. Oh no. And it was just caked in dust and it just got too hot and caught fire. We were like, “We should probably end that pen test.”

But the good thing is pen testers get blamed for everything. Whenever they go in anywhere and anything breaks, pen testers, it's your fault. What are you doing? Of course. We keep logs of everything. I remember once we went in and we sat out, we got assigned our desk and we sat down at this desk and the client came over and was like, “What have you broken?” And we're like, “Nothing. Like, what do you think we've broken?” They're like, “Oh, someone's corrupted the database.” And we're like, “Okay, and you think that's us? Like, we're not testing the database, we're here to test something else.” They say, “Yeah, yeah, it's definitely the pentesters. Sysadmins also say it's the pentesters.” I'm like, “Okay, well, you know, can you restore it?” And they're like, “We tried that, the backups aren't there. So you must have deleted those.” And we're like, “Okay, we're gonna have a little conversation here that's gonna prove that it's not us.” And they're like, okay, cool. So we just open up our rucksacks and we're like, our laptops are still in our rucksacks. We haven't been given cables or anything to plug in. Like, we've literally just been sitting here waiting. So it's your fault. It's like seeing the realization on the client where they're like, oh, we haven't done anything wrong. It was quite hilarious. But yeah, we get blamed for everything.

And I guess like in many environments, there's probably someone that's going to be adversarial to your presence.

Yeah, because you've either got like security staff that think you're there to make them look stupid. Or to look over their shoulder and like kind of look at their homework and be like, well, I know you're doing that wrong. Sometimes we do. But you know, you then also get people that are acting maliciously within the company and they don't want to be seen. They don't want to be found.

Years ago, I was working on a government project where we were there and looking at something else. I think we were doing like a code review. And as part of the code review, we spotted some anomalies, and we thought, ‘this is kind of odd.' This behavior here shouldn't be in this code. And then we started looking back into like who wrote that code, and then who signed off on that person writing the code? And we dragged it out a little bit and we sort of did some triaging and we looked into it, and we called the client in and they helped us out. And we found out that the person that wrote the code was a malicious insider. The person that signed it off was also a malicious insider working with them. And the person that oversaw the project was also a malicious insider. Oh, three. All three of them were working for a different nation-state, shall we say.

And the reason this came about, how this all happened was, I'll have to be very careful not to name any names. So a government department needs a new piece of software. And government says, “This is very sensitive. We have to only use people from our nation on it. So you have to have people here in the building to work on this.” And so the subcontractor was like, “Okay, yeah, that's cool. It's gonna cost us a lot more, but we'll do it.” So rather than use their remote coding teams, what they did to get around the system was they flew their entire remote coding team over to the country and put them up in hotels and said, “Well, they live here now, they're here on the ground. We can use them.”

And what we hadn't known or what they hadn't known at the time was the nation-state where these coders were from had been infiltrated by these malicious nation-state actors. And so that's how they got into the government system. And it was just pure coincidence that we found this like piece of code that looks suspicious. So yeah, it's people like that don't want to be found. And that was a big thing back then.

That's crazy that they would bring all three of them.

Oh, no. Oh, sorry. When I said all three, it was only the three that worked for the nation-state. The team was 20-something people, like 27 people.

But still that you brought, it wasn't that you brought one threat actor into the building.

Yeah, because they knew what they were doing, right? Because they knew that they'd have one good coder that would slip in some backdoor stuff and then have someone to sign it off. So they very carefully positioned those people in those positions so that when they did come over, they were able to do that.

That's absolutely scary.

Yeah, it really is. And it shows the level of nation-state threats, right? Like that's where I used to work. And some of that stuff is … it would blow a lot of people's minds if you knew some of the stuff we did. And it's like, okay, that's kind of cool. I can never, ever talk about it, but damn, that's cool.

Okay. So there's, one question I have to ask you about. When you're doing your physical pen testing and technical pen testing, the people often talk about, there's that machine in the closet that everyone says don't touch because if you touch it, like everything's going to break.

Yeah.

In my experience, that has been the case, but I don't have the experience that you have. Is that the case that there are lots of those machines in the closets that don't get updated, that people are told, whatever you do, don't touch this because if someone touches this, everything breaks?

Yeah, there's two sides to this, right? And there's the, from my side, there's the fun side, which is implanting devices like that, because that's a good fun thing to do. And then there's the other side, which I think a lot of people don't appreciate. You see the blanket statement, it's just make sure everything's updated, right? Well, that doesn't work in every situation. And this is, this shows the difference between someone who thinks they know what they're doing and someone with experience.


So I'll give you an example of this. You go into a medical system, right, some hospital, and they've got $1,000,000 MRI machine that runs on Windows XP. And you're like, what the hell are you doing? Upgrade this. Well, they can't because the manufacturer of that MRI machine no longer exists. The software that it runs has to run on Windows XP. It cannot run on anything else. So they are stuck with that operating system. They cannot update it. And then you get people like, well, okay, well, just buy another one. Well, now that machine costs $10 million. So what is the hospital to do? Do they spend $10 million for the latest machine that runs on Windows 11? Or do they just keep that $1 million machine that works perfectly fine, and they segment it off from their network and it's all protected with other means, that's still just as good as updating it? If no one can get to it, then it's fine. So seeing these people that sort of blanket statement like, oh, just update everything. Well, it's not always that easy. So there are legitimately machines that have to stay in the corner collecting dust and do not turn it off, do not update it because it needs to run and it's life critical in some cases.

Sometimes you get like a stupid … I remember once we went into this place and it was running an AS/400. Now, for anyone that doesn't know that, that's a very old computer. And I would love to one day run a CTF where everything is just on an AS/400 and just watch all of the script kiddies and all the kids that are running AI go, how do I log in? What is that? Just give them the login credentials and be like, now do something. So it is a really old kit. And we went in and they were like, they just gave us the manuals and we're like, they don't know how to run it. We just have to try and work out how to do it.

But on the other side, as I was saying, the flip side is you get to implant hardware and put stuff like that in. So I remember once breaking into a building and I broke in and I stole a telephone, like one of these new VoIP phones, right? A desk phone. And I took it back to my hotel. I've got pictures of this. I talk about it a lot. And inside, during my hotel, I don't have a lot of hobbies, right? I'm a bit of a geek and a nerd. So I took this back to my house. I took it apart, saw how it worked. And I put in a Raspberry Pi one. That's how long ago this was. It was the first one that ever came out. And we used that and I put that into the phone. Then I broke back in the next day and put the phone back where it was. And it still worked as a VoIP phone. Still everything functioned properly. But I soldered this Raspberry Pi to, you know, vampire tap the power, vampire tap the network, and it had a wireless access point. So I could sit in the car park, Wi-Fi into the Raspberry Pi, and it's directly onto the network. And then anyone scanning it would just see the VoIP phone. They wouldn't see the Raspberry Pi because of the way it is bridged. So doing stuff like that is fun because, you know, building hardware for a specific use case is always a challenge, but it's always like, it's always super effective.

Yeah. Interesting. So on the human side now, the social engineering aspect of all of this, do you have much experience doing that? Because there's a certain amount of, you know, if I'm trying to get people to give up usernames and passwords, you've got to get them to do that. What's kind of your experience on the social engineering side?

So social engineering is very interesting, right? And this is more of my wife's subject matter. She's the expert on doing this, but I use social engineering a little bit in my physical assessments. Because I'm trying to get people to open doors that they shouldn't or show me things that they shouldn't or, you know, give up things that they shouldn't. So there is a little bit, but what I've found most effective in the last 30 years of doing this is avoiding people. I don't like people. I hate socializing, I hate talking to people. So I will do everything I can to not interact with people when I'm doing a physical assessment.

One of my classic things of trying to get through a door, for example, if it's shut and I don't have an access card, is I'll wait until someone's coming towards it and I'll do what's known as tailgating, which is I wait for them to open the door and then I follow them through. But that comes with some problems because if you do that, they might turn around and ask you who you are. It's rare, but it does happen. So what I've discovered is they also might consider, why haven't you used your badge to open the door, right? So what I tend to have is a drink in one hand. So I'll have a coffee mug or something like this in one hand. And in the other hand, I'll have a chocolate bar.

Now I can still speak, right? So they might still turn around and be like, who are you? What are you doing? So what I like to do is as I'm approaching them, put the chocolate bar in my mouth, right? Now I've only got one hand free for holding the door open, but I can't swipe a badge because I've got this in this hand, and I can't talk to them because I've got a chocolate bar in the other. And they can see that. So generally how this happens is they walk up, they kind of look at me, they open the door, I sort of do some nodding with my head and raising my eyebrows and hold the door open for them, and then they let me through. So it's like physical stuff like that, is probably not classified as social engineering, but the odd nod of a head and stuff like that is very effective.

I think that absolutely is social engineering. Yeah. You have ways that people want, most people want to be helpful.

Very much so.

You've taken away the suspicion of, you've addressed the issue of why you're tailgating without ever actually having to explain all this to them.

Exactly. It's like physical comedy in some way. Another great way of disarming people is, and this works incredibly well in the brain, right? So if you want to tailgate some people in, say through the smoking area, or you're in a building and you need to get through some doors. So what I'll often do when I get into any building, the first thing I do is I go to the highest floor I can. I try and work my way down. And there's a psychological aspect to that, which is people will just unbiasedly know that the higher up people are, the higher they are in the building, right? The C-suite sits on the top floor, not on the bottom floor. And the lower minions sit on the lower floor. People know that psychologically.

So I get up to the top floor as quickly as I can, which means as I'm coming downstairs, if anyone's coming up, they won't challenge me because they assume that I'm coming down from something, some higher authority. Whereas if you're going up and someone sort of sees you like bolting for a door, they might be more suspicious than if someone's coming down going into a door. So that's one aspect.

Is it also a little bit of, if you're coming downstairs, the mentality is you're leaving. You're not someone who's come into the building. You're someone who's exiting the building. And it's perfectly okay for people you don't know to exit the building.

Exactly.

But it's not okay for people you don't know to enter the building.

Yeah, so again, that's a bit more social engineering without even really calling it that. Another thing I like to do is when I do get to that top floor is I'll … You know, I dress appropriately to the target. So if they're all wearing $1,000 suits, I wear a $1,000 suit. If they're wearing scruffy casual wear, I wear scruffy casual wear. So it's dependent on where my target is. But generally it's in a suit. And what I'll do is I'll get to the top floor and I'll stash the suit in a bathroom. So the jacket, I'll take that off, stuff that into a bathroom stall and leave, right? Now I'm just wearing a shirt, maybe a tie. Right. That indicates to everyone that my jacket is somewhere on a chair. Right.

That’s absolutely social engineering.

Exactly. Right. And this works even better if you're trying to get into a building and it's raining. Take your jacket off, leave it in the car, leave it behind a bush, whatever. Run through the rain, get completely drenched, and then run for a door and be like, I've left my jacket inside. I just ran to the car and now I can't get back inside because my pass is upstairs. No one's breaking into a building looking like that. You sympathize with that person. You go, okay, he's an idiot. He's left his jacket inside. Because who wouldn't, right? Unless you work there, you wouldn't be doing that. So people can be manipulated very easily with stuff like that.

It's all the cognitive biases that we have from the patterns of what everyday life looks like.

Yeah.

It's the same reason why if you see someone walking around with a clipboard, there's this implicit like, oh, I don't recognize them. Well, they must be an inspector, a utility person, a maintenance person that I just don't know.

Yeah, I mean, I've never had to use a clipboard because of some of the places I break into. I've never had to wear a high-vis jacket because if you break into an investment bank wearing a high-vis jacket, you get kicked out. Yeah. I remember once getting yelled at for not wearing a tie in an office that I didn't work in. I broke into this building. It was an investment bank. And they said to me, like, right at the very beginning, they're like, “Look, you can go anywhere you want. Just stay off the investment floor. The traders, they're very interesting.” That was all they said was interesting. All right, fine. So I do all of the tasks that I'm given and I'm like, I want to see this investment floor.

So I go through this door and almost immediately this big fat dude, like you can imagine investment banker, right? Like this big fat dude at this little desk starts yelling at me. I'm not going to repeat it because it's a bit sweary. And he's like, what are you doing? And I'm like, holy **** this is like the fastest I've ever been caught. Like, what the hell is going on? I was taken aback. And he's like, “Coming here without a tie on.” And he opens his drawer and he's got like 20 silk ties in this drawer all rolled up. And he just grabs one and throws it at me. And he's like, “Before I get in trouble over you not having a dress code.” It's like, okay, cool. He didn't care who I was and what I was doing. He just cared that I wasn't wearing this necktie. It was bizarre.

I think that's social engineering again. Like it shows the cognitive biases that he's so concerned about. It's not an issue of whether you belong there or not, but you're not dressed properly for the environment. And once we've solved that problem, it doesn't matter who you are anymore.

And it does work the other way, right? So I said earlier that I dress appropriately to the target. And I remember this one time, a bank came to us and said, like, can you break into our headquarters? And I was like, yeah, cool. It's going to be super simple. And I did a bit of reconnaissance on the building and I was like, okay, right, this is gonna be easy. I went into their reception, kind of figured out the lay of the land of that. Came back, I think it was like a Friday. Yeah, it must've been a Friday. I came back on a Friday. It was early in the morning and I rock up. I'm in this nice suit because everyone's wearing nice suits. And I hide myself just off to the side, like to the right of this reception area. And I'm waiting for my moment where the security guard is going to do his little patrol and then I can jump over this little glass barrier and I'm in.

So I'm waiting for this. And then all of a sudden I see a dinosaur walk across the reception, followed by like Jack Sparrow. And I'm like, what the… heck is going on. And then I clock the receptionist is dressed like a cat. She's got like little cat ears and little whiskers drawn on. And then I look at the security guard and he's got little devil horns on and a tiny little plastic pitchfork. And I'm like, oh, they're having one of those charity dress up days. And I'm in a suit. So I very quickly exited and came back the following. I didn't have a costume to wear.

So the moral of the story is companies should do random dress up days to thwart unexpected interlopers. Yes.

Yeah. That was hilarious trying to explain that to my bosses at the time. Like, yeah, I couldn't do the test today because Jack Sparrow was there. And they're like, what?

I mean, like, what are the odds that the costume party happened on the day that you were…

Exactly, one in 365, right? Like, it's a chance.

Now, it may have been more interesting if you knew that there was a costume party.

Amazing. Imagine that, that would be an amazing story. Like, going dressed as Spider-Man, something with a mask over my face.

And just ask people, who do you think I get people to try to guess who you are?

Going as the Hamburglar, just starts stealing stuff on people's desks.

And you're like, I interacted with every single employee. Yeah.

Come around with a little charity bag. I'll just give us money.

So for the audience who are not ready to hire pen testers or, you know, not ready to hire someone to come in and do this, but need to up their game. What are the couple of things that people should do to up their game? How do they think outside of their box, outside of their mindset?

Yeah. I think the easiest way to do that is to start by looking at a house, right? Like look at your own house in the same way that a criminal would. And we've all done this where we forget our keys. You forget your keys and you're like, crap, now I have to break into my own house. How am I gonna do that with the least amount of damage, the least amount of my neighbors calling the police? Like what ways? What are the 10 ways that I can get into my window? Because you will suddenly be like, oh, I could break in through the bathroom window because that's pretty, it's pretty crap and it's pretty low. Or I could like jump over the back wall and then get in through the back door. And maybe, I remember that actually the cellar door that I've got is a bit weak. It's got rotten frames. I could just probably rip the door off. And suddenly you're like five or six ways into your house deep. And you're just like, my God, my house is literally just open to any criminal that wants to come past.

And then you start taking that mindset to the office. And you start thinking, right, okay, if I didn't have a badge, could I just jump this barrier? Would anyone even notice? Would I get into trouble for it? I can guarantee you everyone has done this in their own office at some point where they've needed to get through something and they've found a way around it. Or they've tailgated through a door that they didn't have their pass for. And then just thinking about those and be like, how could I stop this? Or how can I make it slightly harder? Maybe it is raising the barriers slightly more because then it becomes more suspicious if someone's jumping over it. So yeah, taking that mindset from your house to the office and then beyond is probably the easiest way to transition through that.


I like it. That's easy because everyone can start with their home.

Oh yeah. Don't start with your friends' homes. Don't start with like the Louvre or something.

Definitely not without their permission.

Yeah, yes, yeah.

So if people want to learn more about what you and your company do, if they're interested in like, hey, we need to up level what we're doing here, how can they reach out to you guys?

Well, the first thing is we probably don't want to work with you, right? We're very picky about our clients because we want to do interesting things for interesting people. So if you're looking at your first pen test, it's probably not us, right? If you've got some esoteric hardware or some crazy new thing that you're building, then contact us. And you can do that via our website, cygentasecurity.com, or you can find myself on like YouTube or LinkedIn or Twitter, X, whatever you want to call it. You can find my wife through her website, drjessicabarker.com. And then just contact us and see if we'll talk to you.

Awesome. FC, thank you so much for coming on the podcast today.

No worries. Thanks for having me, Chris. It's been an absolute blast.

About Your Host

Chris Parker

Chris Parker is the founder of WhatIsMyIPAddress.com, a tech-friendly website attracting a remarkable 13,000,000 visitors a month. In 2000, Chris created WhatIsMyIPAddress.com as a solution to finding his employer’s office IP address. Today, WhatIsMyIPAddress.com is among the top 3,000 websites in the U.S. 
