There are many ways your network can be accessed, not just remotely but physically. How equipped are you and your coworkers to prevent intrusions? Today’s guest is Jayson E. Street.
Jayson is the author of Dissecting the Hack: The F0rb1dd3n Network Series. He is the DEFCON Groups Global Ambassador and the VP of InfoSec for SphereNY. He has also spoken at DEFCON, DerbyCon, GRRCon, and at several other cons and colleges on a variety of Information Security topics. Jayson was also featured in The National Geographic series Breakthrough Cyber Terror.“The biggest thing that people can do to protect themselves is to listen to the voice in the back of your head saying that something is odd or unusual. Realize when you’re at work, part of your job and responsibility is to think… Click To Tweet
- [1:00] – Jayson explains how he hacks to help.
- [1:59] – People want to see how Jayson can get into their facility and rob them.
- [3:39] – Jayson shares how “being the bad guy” can get the information needed to educate users and clients on preventing more.
- [4:51] – Jayson has been known to rob banks and shares the story about how he robbed the wrong bank because he had to go to the bathroom.
- [7:24] – The devices Jayson uses emulate keyboards and code.
- [9:03] – Some employees for big companies like Microsoft have posted their badge on social media from which Jayson prints and uses as his own.
- [10:08] – How did Jayson get caught in robbing the wrong bank?
- [13:21] – He found out later that the bank he robbed by mistake wound up wiping their machines which cost them a lot of money even though Jayson’s procedure was harmless.
- [16:01] – Jayson has a 100% success rate which shows how employees trust anyone who looks official.
- [17:13] – What is the yellow method and why does Jayson use it?
- [18:18] – Jayson describes the facility that took the longest amount of time to get into in Jamaica.
- [20:17] – In one instance, Jayson did not go back to talk to the client after conducting the pen test for a charity.
- [22:30] – When these tests happen, it isn’t about winning and losing. Jayson makes sure he is caught so he can provide education and training.
- [25:08] – “The biggest thing that people can do to protect themselves is to listen to the voice in the back of your head saying that something is odd or unusual. Realize when you’re at work, part of your job and responsibility is to think that something bad may happen.”
- [26:25] – Companies need to give a proper avenue for employees to feel comfortable in reporting something strange.
- [28:39] – Jayson shares some of the techniques he uses that have a 100% success rate in penetrating the company’s network.
- [30:06] – At events, oftentimes there are company USB drives loaded with giveaway items. These could be dangerous to use.
- [31:39] – There is no way to completely eliminate threats. The important piece is how you respond to a threat.
- [33:10] – Network security is great, but physical security of a network is just as important.
- [35:01] – Jayson explains that the users of the programs in a network are the people that need to have the proper education.
- [37:45] – Jayson has a program where he gamifies security education.
- [39:50] – Many people don’t realize how easy it is for an official looking badge to be recreated.
- [41:41] – Jayson describes his most boring and simple robbery he completed in 15 seconds.
- [42:29] – What was Jayson’s most successful interaction?
- [43:51] – After obliterating a company one year, management took the lessons to heart, educated their team, and had him come back the next year.
- [46:19] – If pen testers are not rooting for the client, they are in the wrong business.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- Jayson E. Street Home Page
- Jayson E. Street on Darknet Diaries Podcast
- Jayson E. Street on Twitter
- Jayson E. Street on LinkedIn
- Dissecting the Hack: The F0rb1dd3n Network by Jayson E. Street
Can you give me and the audience a little bit of background as to who you are and what you do?
I am the VP of Infosec for SphereNY, which is the boring way to say what I am. It's like I'm a hacker who likes to help people be better secure by robbing them. Then giving them that experience, letting them understand what occurred, and then teaching them that to be better next time when an actual threat comes into their environment.
That sounds like a lot of fun.
It is. I've had a lot of fun doing that. I've also had a lot of fun getting caught because on all my engagements, I make sure I get caught at least once to give a positive aspect of the engagement for the users.
So let's talk about getting hired by the “victim,” by the client, let’s say. Get the terminology correct. The client target hires you to rob them. Can you tell us what that's like?
What it’s usually doing is it’s usually in tandem with a network-based penetration test. It is where people want to see, “Can you get into our facility? Can you actually convince a user to plug in a USB drive that might have a malicious payload on it, or can you get secrets or can you steal data?”
My attack methods are very unconventional for most people that you would see as red-teaming or penetration testing. I go in and I literally go, “I'm going to be the worst thing to happen to you at the worst possible time and the worst possible way.” I'm really great at parties. I will figure out what I can steal from you, what kind of laptops are unsecured, what kind of other items are unsecured that I could then take with me.
I then see how I could cause physical damage, how I could jeopardize human life. Do I have access to fire panels? Can I stop the fire systems? Is there anything combustible? I saw one area when I was doing a research facility—they had very heavy glass in this quarantine chamber, but there were also these pipes leading out that have access to it. I could then create some kind of explosion in those pipes that would then break the glass and then release whatever contaminants that were in the quarantine area, which would have been hazardous.
I see what kind of espionage I can do. What kind of information I can steal, what kind of IP can be taken. I do those kinds of things. I just really am a bad person as much as I possibly can be. One of my mottos is, “Let's go be bad guys from Firefly.” But then after I've gone through that engagement—or not like after the whole report—I don't write reports and memos that you're going to get three months later that something bad happened.
I leave the facility, two minutes later, I've then come back and then I educate the users exactly what occurred. It's like, “Hi, I just wanted you to know it was nice of how you were doing, you were being very polite, but I was robbing you. I was a bad guy. This is what you need to know for next time if someone tries to do what I just did.”
That sounds incredibly crazy exciting. I know you have a story of a bank robbery gone bad. Can you give us the short version of that and then we'll tell people where they can get the long version of it?
Yes, everybody wants to talk about the one wrong bank I robbed, no one talks about all the other banks that I robbed that I was supposed to rob.
We’ll talk about them afterward.
OK, there you go. For the record, I've robbed a lot of banks successfully that were the ones I was supposed to rob. The one that I did was quite humorous because it was the day before I was supposed to be filming for The National Geographic series Breakthrough, episode 2, season 2 of their episode where they go along and watch me as I rob a bank in Beirut, but it was for a different bank then at that point.
But the day before, I was hired by another client to rob them as well since I was in the neighborhood. Pepsi has gotten me into a lot of trouble, not because of drinking it, but because of its byproducts. I almost died peeing off a cliff in Bulgaria. I mean, just all these different things that have occurred because I had to go to the bathroom. I had to go to the bathroom really badly in Beirut.
The guy told me, “Go down this way; it's the bank there on the right. You should be fine.” I'm walking down the sidewalk and I'm just looking into each stall because I would like to be able to find the place before the actual client. Because I always attempt to go to the bathroom or tell someone I need to go to the bathroom, but that is usually a pretense to get away from the main area so I can then explore. I get lost to go into the bathroom for hours sometimes. But this time, I genuinely needed to go to the bathroom immediately.
I didn’t…saw the door, I could not get to a place, and then I saw the door. I saw teller lines to the bank. I walked in, I did not look at any of the signage or anything; I just needed to find the bathroom. In Europe, and most other countries, including the Middle East, the bathrooms are usually in the basement or the second floor. I just started looking for stairs and so I just walked in, like I knew what I was doing and I was in a hurry because I was, which actually helped my pretense very well.
Then I went up the stairs, it was on the second floor. I did what I needed to do. I came back out feeling very happy and refreshed. “Oh, there are some people right there at their desks, let me rob them first.” Then I just immediately started. I plugged in my device, it was a Rubber Ducky from Hak5. Darren Kitchen was also on this engagement, he's a brilliant hacker and creator of tools for security awareness and penetration. He did this Rubber Ducky that looks like a regular USB drive, but it emulates a keyboard.
While you think you're plugging in a USB drive, the computer thinks it is plugging in a keyboard and you have already pre-programmed all the keys. Anything that you can do on a computer does not require a mouse; it can be done by key commands that can all be pre-programmed first. So thousands of lines of code can happen in seconds. That's what this does. Thousands of lines of code in seconds is an exaggeration, but it can be very fast to execute these payloads.
Since I'm doing a security awareness engagement and I do not like to make people feel threatened after the fact that I could have compromised them, or that I could have stolen data, my payloads are always harmless. This is one of the key reasons that kept me out of jail because mine was you plugged it in, notepad opened, and it automatically typed “security audit completed. Thank you for your participation [smiley face]” and then that's it. That's all. You can just unplug it and you say, “OK, it was done. Thank you very much. That's all we needed to do.”
Then I go to the next one. By the third one, the person was like, “Who are you?” I'm like, “Oh goody, it's like this person's questioning me. I'm not going to give it up right now.” I let them go as far as they can to see exactly what will happen. So I was like, “Oh, I'm here with Microsoft.” I have a Microsoft badge. I love employees that post their badges on social media. Going to Instagram and typing in #newbadge or #newjob is one of the reasons why people in information security drink.Going to Instagram and typing in #newbadge or #newjob is one of the reasons why people in information security drink. -Jayson Street Click To Tweet
I was like, “No, I'm with Microsoft. We're doing an audit on this.” He’s like, “Well, you need to talk to the supervisor.” I'm like, “OK, no problem.” I have a forged email on an iPad that I create, always. It's for a pretense of what I'm supposed to be doing there, and so I showed the supervisor the forged email. It's coming from the CEO to the CFO who then sent it to myself and my supervisor telling me what I needed to do.
They read it; it was very convincing. I did all this research and recon called […] on the bank so I know who all the employees were, I knew all the things that were going on. The supervisor reads it and he’s like, “OK, I understand what you're doing. This is for the bank next door. What did you do to our computers?” I am very good at quickly thinking on my feet. I have had guns pointed at me, I've had situations that were very hostile, and I'm very good at thinking. The only words out of my mouth at that point was, “This is unfortunate.”
You can talk to my friends, I think for the first time in decades I did not have anything to say. I had no response except for that it was unfortunate. Seven minutes later or so, I'm in the back of the manager's office with about seven people speaking Arabic very angrily around me, which made me slightly nervous. I panicked again and I was like, “No, it's fine. I was doing an audit. This was for security. Don't worry about it. Look, it’s a harmless payload.” And I plugged the USB into the manager's computer so the notepad would pop up so they could see. “See, it's just a notepad.” And then I turned around and I realized, “Oh, I just compromised another computer but with more witnesses this time. That does not look good.” Then it proceeded to get worse from there and I ended up in the main headquarters of the building for the bank talking to the IT security team who were dead set on the fact that I sent a malware payload, which I had explained to them what was going on. And then I explained to the supervisor what was going on and they understood, finally.
I do not like to say this often because it sounds very arrogant, but in that situation, I thought it was more than suited to save myself that I literally told them and said, “You can Google me, this is what I do.” Usually, that's very horrible when people do that, but this one was very necessary because they were able to actually Google me and see what I was doing and what I've done, and that I was not just a criminal.
I mean, I was, but I’m not like a typical criminal that they would face. By the time that they’ve done that, I mean, I was talking, I was laughing, I was making jokes, I was trying to be as harmless and adorable as I could be. I tell people, “I don't do APT—Advanced Persistent Threats—I think that's ridiculous.” APT stands for adequate phishing techniques. I do BAD—Basic Adorable Destruction—that’s what I do, so I was trying to be all that.
By the time that the call was over, the CIO was talking to the CIO—the one who actually hired me to rob his bank. They were talking on the phone and they alternated in Lebanon. They'll alternate between French, Arabic, and English, so I was picking up a little bit. Finally, the one thing that I did find that gave me relief was when he said, “So, do I have to share the bill now?” It was then when he said that I realized, “OK, it's like I think I've explained it all. I think it's all done.” They let me go.
I did not breathe easy until I was on a plane to Paris, to be honest with you. I was there for like three or four more days. I was still very nervous because I found out the next day that that branch that I was in actually did a forensic wipe on all their machines. They closed early that day and they did a forensic wipe on all their machines. That was a very good procedure. I'm not mad about it, but that probably costs some money, and they probably weren't too happy with me. So I'm very glad that I got out and I'm very glad they were understanding about it.
Yeah. I would be particularly concerned about it being in a foreign country because you're not a national of this country.
Yes. I like the challenge. Most of my places do happen in other countries. I go and do a lot of foreign places. I do some in America, but for some reason, I like to do something exciting. I have the luxury of choosing. It's like “OK, I'll take this client or I'll take this client.” I like them to be interesting and unusual, and if I do it in the US, it's got to be unusual.
I had one where I really wanted to do this one engagement, but my boss found out that it was part of an arms deal to South America from the US. I was like, “Dude, I would give them a discount for that. That sounds even cooler, let's do it.” He's like, “No.” It turns out, no one who’s a stakeholder in a company wants to be involved in a US arms deal to South America unless they're part of the military, DOD, consulting, or another industry. So yeah, that was very disappointing, but I try to keep them interesting.
That's definitely interesting. I know you've told a longer story over with Jack Rhysider at Darknet Diaries, right?
That is correct—episode 6.
We'll make sure to throw that in the show notes. For those who want to listen to it, they can click on it and hear the full story there. It was interesting that you're talking about how you were able to plug the USB drive into multiple machines before someone even said, “Wait, wait, what are you doing?” That baffles me that you were able to get to interact with multiple employees before they even questioned what you are doing.
Oh no, I've been doing this for 10 years or so. I have a 100% success rate. Even when I get caught now, and even when I get unintentionally caught, I still managed to at least get one machine compromised. I still managed to get one USB into a device.
The quickest it took me to actually deploy a Rubber Ducky was around 15 seconds, and that was actually on video. Darren Kitchen was nice enough to get the body footage of that from the National Geographic where they showed me from walking in the front door to plugging in a device, and I compromised that whole entire branch on that one. That was good. I mean, for me, not for them.
I have been able to get the devices in so many different places, and it’s just quick to get full access.
You talked about what's the quickest one; what was the longest one, and why did it take so long?
The longest one was I was robbing a financial institution in Kingston, Jamaica. I did a lot of recon, I did more recon on that. People don't realize, 90% of your engagement should be reconnaissance. It should be researching and doing it. Me, on the other hand, I do what I call the yellow method where I promise the client that I will do no more than two hours on Google to find out the information that I need to try to compromise them.
I do that because I think that clients get a false sense of security when they hear all the eliteness that their team's done and the zero-days they popped. I want them to realize that when I show up, I am the least common denominator. It's like, this is so easy that even I can do it, you should be severely afraid.
Yeah, it’s the concept that if I could do this with two hours of research, can you imagine what someone would do with weeks or months of planning?
Exactly, and then they can explain a way of getting a report from an elite pen tester or red teamer, and they say, “Oh well, we're safe then because you guys are so advanced. We don't have to worry about you guys. You guys, of course, you're going to get in.” I tell them it's like I walked up the street, I had no idea who anybody was. And as you can tell, it took me two minutes and 22 seconds and I have full access to your bank for 30 minutes. That is terrifying, and so that gets action.
This one in Jamaica, it literally took me 1 hour and 45 minutes. It’s the longest I've ever taken to do research and recon on a facility. I realized that I had to go in—I mean, their lobby is a mantrap. You have to be buzzed in from the street, then you get into the office—the waiting office area, the reception area—where there's an armed guard, a receptionist, then a nice couch, and a fern or something, I guess. Then another secured. You have to get through them to get to the other area, and that goes into the atrium.
So at first, I went in, I realized that the only way that I was going to rob these people was by robbing the charity organization that they have in their organization. They have a whole different charity-run organization, and it's across the street—their headquarters—but they're on the same network. People think physically instead of logistically.
I robbed a treasury once in the United States where their headquarters were also well-fortified, but they had a satellite office about 30-50 miles away in a regular office building. The network was on the same—I might as well have been sitting next to the treasurer in that office over there, but they didn't see it that way until I showed up and compromised that building.
The same thing happened here. Their network was shared, so that was actually within my scope. I went in as a TV producer doing an episode on companies that are doing community good in their areas, and it was one of the most shameful things I've ever done. I was very embarrassed. It was the only time I did not go back to talk to the client. The person who was hiring me, […], he had to handle that, and my colleague who was invaluable during the pen test, Michael Knight.
We did all that stuff and it did not prepare me for the actual feeling of like, “I just can't believe I compromised these people.” I started believing it halfway through. I thought I was going to put them on television, but I was able to get it in. But that was one of the most difficult ones to get. They were very secure. They were very well locked down, and that they're even more so now. I would be terrified to try to attack them now.
I assume it feels bad to go in and lie to a charity trying to get into the entity associated with the charity.
I don't mind lying to people. Honestly, in my profession, I tell people I lie for a living, I don't do it for free, so I'm very unfiltered. You have to be careful what questions you ask me, but I'm helping them, I'm doing them a service. That was the only time I thought because I got so convinced, I got so wrapped up in the story that I oversold it. But usually, I don't feel bad because it was bad, but I was there to help them.
I talked to a person I had compromised years ago. We just had a conversation last week and they were telling me why they hated me so much. Because I'd worked with them since then, and I noticed that they'd always […]. They called me to ask me for some help on something. We started talking and it was so great because, for all this time, they were hating me, the way that they said it is because “I lost to you and I hate losing.” I was so happy because I was like, “Oh, you got it wrong, you’re misunderstanding what occurred, let me fix that. You won, I was not your competitor, I was not something that you were winning against. I was the teacher, I taught you that lesson. You just said just earlier before you said that how you became more vigilant, how you became more active in making sure no one got past you again. You won, that’s what you did, that was not a loss.”
There's a Christian rapper named Lecrae that I listen to and he's like, “I take the L’s but they’re never a loss, they’re a lesson.” I gave you the lesson, I didn't give you a loss. I gave you the lesson, and you won because you took it and learned from it. That's what people need to understand when this pen test kind of thing happens. I'm not your adversary, I’m your advocate. I'm there to help you.That's what people need to understand when this pen test kind of thing happens. I'm not your adversary, I’m your advocate. -Jayson Street Click To Tweet
That's a great way of looking at it. I'm sure that helps your clients to feel like, “OK, this is a learning experience rather than a security failure, in a sense.”
No, I do not do red-teaming, I do not do pen testing. I only do security awareness engagement. I frame it that way, so they know from the get-go I am not going to be reporting people who failed. I am not going to be documenting those things. I am there to educate people once something has happened. In every engagement that I do, it is 100% guaranteed that I will get caught. Even if I have to unplug the machine during the business hours of a bank, which I have done, to convince someone they should question me why I'm taking their server out of their bank, but I gave them the win.
I had a telecom company that will never hire me again because the CEO demanded in the scope of engagement that I recorded all the names of people who clicked on the phishing link, and that I had to be successful. From one to 100, I could choose whoever I wanted. At the end of the engagement, I gave him the report. I only had targeted one person, it was him, the CEO, and he clicked the link. I showed him, “This is not a good test. This was a gotcha. You need to help educate them and let them know what's going on.” He took that somewhat well, but I don't think I'll be back.
What are some of the recurring themes and lessons that you're teaching your clients?
The biggest thing that people can do to protect themselves is there is a voice in the back of your head that we don't listen to. It's the one that says, “This seems odd. This seems unusual.” But humans don't like to think something bad is going to happen. They need to realize when you're at work, part of your job and your responsibility is to think something bad may happen. That computer is just like, if a delivery person had a van and they kept crashing the van, they would be fired. If you kept clicking links and jeopardized the company’s security, you could get fired. There are repercussions for that, so you have to be cautious.
I always get emails, I always get attachments, but do I get this kind of attachment from this person? Why did they send that to me? Then just call them on the phone and confirm before you click on the links. “Hey, I just got this weird attachment, or I just got this email from you saying I'm supposed to do that. Did that really come from you?” That shows them that you're very security-conscious, that you care about what you're doing. And it also helps promote security for everything else. Question that and then act on it.Companies need to give a proper avenue for employees to feel comfortable to report something. -Jayson Street, VP of InfoSec, SphereNY Click To Tweet
Also, companies need to give a proper avenue for employees to feel comfortable to report something. They have to have an extension available, an email address. It’s like, “Forward any suspicious emails to us. Call us if you see someone strange in the building. If someone tries to come up to your desk, and they say they're from the help desk or they're from IT, call headquarters. Call this number and question that they're supposed to be there.” I would be stopped so much more frequently if that one thing was in place, but they don't do that.
Back before I started working for myself, it was a company I was working for and I got an email from the building owner basically saying kind of along the same lines. “If people come into your office and you don't recognize them, you need to either call the police or stop them.” Because they had a rash of people walking into offices with a clipboard and they would walk in the front door.
They know where the exit on the far end of the room is. They come in and just walk with the sense of “I belong here,” and they wait until they are walking down the aisle past someone's desk where their purse or their phone was. They grabbed it, continued, and they'd walk out the door. Everyone was like, “Well, the person looked like they belonged here.” “Well, did you know them?” “No, but they seemed to know where they were going.”
There was a story from decades ago in Houston, Texas, where a gentleman stole hundreds of thousands of dollars worth of equipment. He went down the aisles with a cart and was literally stealing printers, computers, purses, devices, and stuff. Going to his van in the loading dock, loading it up, and then coming back.
I have a clipboard as well. I'm installing two different mini cameras in it. It already has an RFID scanner in it so I can clone badges, and it also has a WiFi Pineapple that is a malicious access point to make people connect to it. That's my clipboard.
I also have envelopes, which are the scariest ones because that envelope is blank with a marker just next to it. I look at cubicles that are unattended, I take a blank envelope, I write the name of that person on it, and then I take one of my malware USB devices that will call back out and go to a page that's harmless, but it will record that it was clicked. I will then put the USB drive in there and put it on their desk. Almost 100% success rate on those.
Is there a note saying, “Hey, plug this in”?
No, just their name and a USB drive.
I would be like, “Why is this here?”The worst thing than no security is the false sense of security people have when they're inside their office environment. -Jayson Street Click To Tweet
Obviously you're in a safe environment. The worst thing than no security is the false sense of security people have when they're inside their office environment when they're in their cubicles. The harder your security is externally or what it appears to be, the easier it is to betray trust once you're in.
Yeah, it makes me think of going to marketing conferences 10 years ago. Everyone used to have all their marketing collateral on a USB drive at the trade shows. They're like, “Oh, here's a USB drive.” And I'm like, “No. Even if you didn't put something bad on there, there have been USB drives shipped for manufacturers with malware on them. I'm not sticking that into my computer. I don't know where that thing's been.”
Exactly. There have been countless things where people do that. They'll get vendor’s USB drives that are giveaways, grab them by the handful, take off, then go up, put malware on it, weaponize it, and then go and drop them back in the bowl.
Yeah. Anything that can be plugged into your computer, if you didn't buy it yourself, you shouldn't be plugging it into your computer. I freak out about that kind of stuff.
A hundred percent. I use virtual environments. All my social media is on a browser and a different virtual machine on a different OS. I have another VM that does my emails, and I have another VM that does my research. I have VMs for all these different things. My machine also has 128 gigs of RAM because it takes a lot to do all these VMs. I have multiple VMs because I don't want anything too much on the host machine except for my video games, Skype for video calls, and things like that.
It's assumed that the device will be compromised at some point.
A hundred percent assume compromise. Once we start understanding that our blue teams and defenses—blue teams are the people who are the defenders, red teams are the ones that go after. Because I was in this old paradigm back in the early 2000s and late ‘90s, where it's like, we needed to build bigger walls. We needed bigger defenses. We needed that defense in depth.
We now need to realize that they're now parachuting over the walls. How fast can you detect? How fast can you respond to the incident? Those are the two key factors for the survivability of a company now. Not being able to defend against it, not being able to have all the latest and greatest blinky boxes out there that will defend your perimeter. It's like, how quickly can you detect a compromise, and how quickly can you respond to it are going to be the key indicators of success.How quickly can you detect a compromise, and how quickly can you respond to it are going to be the key indicators of success. -Jayson Street Click To Tweet
That resonates really well with me because it's that mentality of, as soon as you think that you are 100% safe is where you're in trouble. You think your wall is high enough that you don't care. If someone ultimately does pull over the wall and gets in, they've got access to everything because, “Oh, I was just worried about the wall.”
I did an engagement early on when I started doing it. The sit-down with the networking team was so arrogant. They were like, “Yeah, you can't get in, we've got these layers, we’ve got these layers.” They were correct. Their external defenses were amazing. In the hotel room, I launched it in a map scan. It just started hitting all their IP addresses. Then at 5:30 PM, I went into the main office. They had a visitor bowl of badges because the receptionist leaves. They put a bowl on the desk and you just drop your badge in.
It's still active. It hasn't been deactivated because no one's there. I take one of those, that gets me into the front door, cleaning crew got me everywhere else. It was a couple of days, but I’m doing the exit interview, the CEO’s very upset. The network people seemed very happy because they realized that I did not get in through their network. Then the CEO has, in front of them, a folder with the printouts of the emails that I sent them from unlocked workstations and all the pictures from all the different places that I had access to compromise their network.
You didn't get in through the network, but you still got all the goodies.
Yeah, and I was still on their internal network. I still bypassed everything. I don't have to bypass the firewall if I can bypass your receptionist.
You talked about response times once you know you've been compromised. What do you see is what's normal once a company has realized someone has broken into our network or accessed stuff that they shouldn't? What's the normal time that companies take to be able to deal with that?
I think, currently, right now, it's anywhere from six months to a year to do it. That's also when they start when they first detect that, which is usually being generous, six months out after the compromise. We don't have enough people questioning and understanding when the compromise occurs. We have access to the best intrusion and detection system on the planet that we never utilize—security never utilizes—and that's our users.
They do the same job over and over and over again every day. They know when an anomaly happens, but we don't train them. You can't put in a snort box and just leave it with the default rules and say that you've got an IDS system. You've got to fine-tune that. We have to start tuning, explaining, and educating our users on what to be aware of, and then empowering them. Being a good force and a positive force in an interaction with them.
They only interact with security when something bad goes on. They do not want to talk to you. When I was in law enforcement, I met everybody on their worst possible day. Something just bad happened to them, so I showed up. I just showed up, something bad is about to happen to them. It was never a good day for them.
If you don't start making other positive changes and other positive things by doing raffles for a security audit. It's like giving rewards for people who do the right thing, who catch a phishing attempt, who do things like that. If you don't start making it more positive, then you're not going to get any progress. But as soon as you start teaching them and understanding what it's in for them, how they benefit from it, then you've got the most insane defense system that you can have. It's not a blinky box, it's actually the humans saying, “This looks suspicious. I'm going to call someone.” That's your response.
It's almost like running an internal bug bounty program or a bounty program internally.
Exactly. A friend of mine, a colleague also, Ben […], told me one where he saw a company actually do that. Every quarter, they give away $2000. It's around $2000. If you want to be entered into that contest, you need points, you need tickets. You get tickets by reporting a phish. You get tickets by stopping someone who was tailgating. You get tickets from reporting something suspicious. If it was an actual phish, you may get 10 tickets, but you got more and more tickets. It never got over $2000.
The company got to manage their budget, but the participants would steadily increase over time when people realized there was money on the line—something for them.
It's about that positive experience. You've made intrusion detection, you’ve made cybersecurity a positive response for people as opposed to—
“Hey, you didn't report this, so we're going to slap you on the wrist.” Or, “You didn't do this, we're going to slap you on the wrist.” We're now going to reward you.” Do the gamification for doing the right thing.
Exactly. I've taught a class on blackhat about that. It's like how to create a security awareness program by social engineering your employees and then educating them afterward.
I like that. That's a good business model. We're going to gamify your network security.
There was another one. They did one where they would have a user who volunteered and had to keep secret, but he would get his new badge that had all the same access, but they changed his picture to Waldo. The competition was if you found Waldo during that quarter, you got the prize. People started looking at badges more. People made sure people were wearing their badges and wearing them properly because there was something in it for them.
I'm trying to think of a couple of places that I've worked where we've had badges. I don't know whether it was intentional or just the way the badges were built. They almost always flipped around so that the name and the face were facing in, and it was just a white badge facing out. No one ever went like, “Who's that? Let me see your badge.” No one ever asked.
I had one place where they had that, where they had a colored lanyard just to show them their plate, but the badge was blank. I actually had a different kind of badge and I just put that in there. One time I did it with just paper. If you looked at the folding thing, it was just a white piece of paper because no one looked.
That strikes me as it would be really easy to recreate for companies that have fairly innocuous badges. Like you said, to look on Instagram for, “Hey, I got my new badge.” “OK, now I know what it's supposed to look like.”
That is sad, yeah.
For that matter, you could probably just print the company logo and your face on something and people would just assume it's a badge. “Oh, he's just got one of those old-style badges or it's a new badge.”
I've had friends and colleagues who have printed me badges instantly within an hour of finding it on Instagram to go and compromise the company the next day. I currently have—thanks to my friend, Felipe Teton—a Cisco badge. I have the new and old Microsoft badges. I also have an FBI and CIA badge. I would never use those on an engagement, for the record, for anybody listening. I have several other Oracle badges. I have all these different employee badges.
I actually caused a stir when I actually put up the Cisco badge showing it because they were not happy with that. All of them look legit, like the employee badge. but they actually gave me a couple of those badges too. It's quite scary. It's under $500, I believe, for a badge maker off of amazon.com.
I would be surprised if it's even that amount of money. You're trying to make it cheap for businesses to have badges. You don't want a barrier to entry for a little mom-and-pop company to have to spend $10,000 to create their badges.
That is correct.
I had asked this of another physical pen tester. I'll ask the question that hopefully, no one has asked you before: What was the least interesting or most boring successful robbery—let’s use that word? Where things were just like, “Oh, I just walked right in and, like, whatever.”
If you don't mind, I think the most boring one was when I just robbed the bank within 15 seconds—and the manager—I did a crosstalk attack between the person handing me off to the manager. He thought that they vetted me. That person thought he was going to vet me and no one vetted me. He escorted me through the whole building, even making an employee that was on a break to come back and unlock his workstation so I could get 100%. He also personally walked me into the data server and let me in.
I would like to comment on what is my most successful. That was not my most successful engagement. That was my most boring one. My most successful engagement occurred in January of 2020, last year. It's like I'm in the before times right before everything went down. I got caught. I'm telling you, it was great.
I went there the year before in 2019 and I destroyed them. I got access to everything I went through. I found a way in through the freight elevator. They've never been penetrated before, but I found a way to circumvent their security, the dock, and the freight elevator. They're all looking for public interface; I always try to go for the freight elevator.
I get in there, I do a phone attack where I'm acting on the phone. Then when a person comes in—because they still had their doors locked there—and as soon as someone goes by, I just say, “Oh no, no, no, someone's coming. Here's someone right now; they'll let me in. You don't have to come down. I'll just go with him.” Then they feel like they were vetted like, “Oh, someone was already coming.” I'm saving them a trip.
Also, you listen very quietly. Because people walk by, the motion sensor goes off on the other side because of US regulations, the door has to unlock to motion sensor internally. Then you just open up the door and you must have had a badge to get in. I went through them like butter. It was very disturbing for those people, but they learned.
I gave them my lessons, I told them what happened, and then management took it to heart. Management started driving security awareness programs. Management started making sure the employees understood what occurred, why they needed to do better, and how that it was a learning experience, and the employees listened.
I showed up the next year. As soon as I got into the lobby, the receptionist was like, “Ah.” “I am here to see this person,” and I acted like I was walking in, just walking in. “Excuse me, you need to register.” I was like, “Oh, yeah. OK, here, I'll just sign in. I'm up to see this first.” They gave me a badge. I was like, “OK.” I started walking up. “Excuse me, you’ve got to wait for them to come down and get you.” I'm like, “OK, that's fine.”
It's locking me down. This was a new receptionist from the year before. This person did not know who I was. They weren't doing it because they recognized me. They're legit. That was policy. I was able to get in. I was like, “Oh, I need to go to the restroom real quick.” Always have to go to the restroom.
That was insecure there. They had to unlock that door there. I walked in, and instead of going left, I turned right down the hallway. I compromised two machines very quickly. I did get a success, but then I noticed as I was doing that, I saw someone looking at me. I could have then gone down the stairwell, but I'm not there to get…escape. I'm there to get caught. I'm there to see what else occurs.
I walked back, the person who was supposed to meet me sees me and he says, “Yeah, she already saw you on the camera and was reporting you that you deviated from where you're supposed to be.” I was like, “Perfect.” Now that that was established, I started doing some of the other sections. Yeah, I was able to compromise maybe one or two, but in every section in that organization, someone questioned me. Someone stopped me and said, “Excuse me, I don't think you're supposed to be here.” I would need to contact IT. Every single time.
That was a zero-compromise environment because even if you could have escaped, they would have known that those machines were compromised. It was wonderful. It was the best engagement I've ever been on because I got caught all the time. If you're not rooting for your client, you're in the wrong business. People forget.
Red-teamers have this rockstar mentality like they're coming in as the big, bad breakers and ninjas. Your only existence for a red team and purpose is to make the blue teams better, to make your clients better. It's not to break them. It's never been to expose a weakness. It has been to help them, help them be more secure, and help them learn from what you discover.
You're there as their advocates, not their adversary. You're there to make sure they get better. If you can go in the next year, get in through all the same ways, and do all the same things, you failed. That's not a success. That’s sad.
Success for you is when you go back and you fail.
Exactly. I'm literally smiling. I usually celebrate ice cream when I compromise somebody because they learned, and I learned, and I got to win. I like to celebrate it with ice cream. I got a huge thing of ice cream because I was so ecstatic. That was the best success that I've ever had. It was amazing.
That's awesome. I think that's a great spot to finish up because that really is the mentality I would love to see, just in the way that people look at security of like, “Hey, we improved, and that was the goal. My client is better.”
They've learned. No one's going to be perfect, but they've made progress, and we can celebrate that they've made progress.
If people want to find you and your company, where can they find you?
I'm all over the internet. I live-tweet my life, unfortunately sometimes, because I don't filter. But on Twitter, @jaysonstreet. Also, my website has most of my stuff, jaysonestreet.com. I also own the misspelling, jasonestreet.com because it's not common, but I've got that one too. It will still get to that site. That has a lot more information you probably want to know about me.
Those are the two main things. I'm out there. I'm very public with my life. I'm here to help and I want people to know more about that stuff.
That's totally awesome. Jayson, thank you so much for coming on the Easy Prey Podcast today.