BREAKING in BAD (I’m the one who doesn’t knock) - Jayson Street

I've honestly tried to keep it to 45 minutes, but like the last time I gave this talk it was like, well, hours. Okay, I'm trying.

So this is my legal disclaimer. I'm not a lawyer, but I've Googled on the internet, so this is the best approximation of a legal disclaimer I could come up with. Basically what this states is: I am NOT a bad guy. I am a good guy who is paid to be a bad guy, so I will never try to steal from you, kill you, or destroy you, unless you pay me first. So when I talk about examples and things that I've done that sound really horrible and mean, and like "I can't believe he just did that," I was paid to do that by the client, to do it to themselves. So don't do these things unless you have authorization. I think one of the biggest differences between a hacker and a criminal, the key thing, is permission. So I have permission.

As you can tell, there's already a theme. The title of the talk is "Breaking in Bad: I'm the one who doesn't knock." If you don't know what the Breaking Bad TV show is, it's going to be really weird for you, because that's my whole theme. But hopefully you are familiar with a little bit about Breaking Bad, and then you'll at least chuckle halfway through, which would be nice.

Who am I? That's what Google's for. The main thing you need to know is I'm a guy who likes to do not just red team but blue team. So this talk, even though it's offensive and talks about some of the things I do from the red team standpoint, at the end of it I actually give you some blue team knowledge. Last year was my rant talk; this year I call this talk my dessert and vegetables, because I give you the dessert first and then the vegetables, and that'll be abundantly clear later on.

One of the other things I hate is APT. You know, APT this, APT that. APT is basically saying "we got pwned by a phishing scam, but we want to tell our investors that it was an advanced attack," so they'll cover it and they'll feel better about, you know, getting attacked.
It's one of these things that you see in a lot of these talks. You keep seeing, conference after conference, all these advanced techniques. Now it's like, "oh, well, we've got this new injection stuff where we can take over a car," or "we can go hack an airplane" (sorry, side dragon). It's like, we can do all these advanced things. How many sites got attacked in the last two or three years because of some crazy zero-day? Besides the ones we did to Iran, but besides those, which ones have been knocked out by a zero-day, and which ones have been because of a phishing scam or a common SQL injection? People keep talking about low-hanging fruit, and my whole thing is, screw the whole low-hanging fruit. The fruit is on the ground and it's about to grow another tree. That's where we're at right now in this industry. So stop talking about advanced persistent threats.

What I sum it up with is: I do some basic adorable destruction. I like being bad. I try to be the lowest common denominator during the attack. You cannot go through one of my attacks and be able to say, "oh, well, that Jayson, he was like an advanced super ninja cyber warrior, how could we withstand that kind of attack?" Usually after my attack they go, "really, that's all you did?" And I'm like, yes, it is that easy, and that's what to learn. Let me show you some of the basic steps of being bad.

These are the key indicators of a person being bad. This is really bad for the recording, because I can't read this, but we'll go for it. Number one, step one: recon mode is only about two hours of Google and the victim's own website, though I've never used a full two hours yet, ever. Two: SE mode is usually walking into the victim's location and owning it. Note, sometimes without doing number one; I do that quite a bit. I will just, like, walk in and go "let's see how this goes," and usually it goes pretty well. Three: pwn mode is basically plugging a device into the victim's computer network, sometimes with their help, mostly with their help. Four: profit. Usually, you know, me, because I'm getting paid for this, right? So that's all good, and they get the profit because they get the knowledge and the understanding. Five: educate, because the whole thing, one of the other key things about this, is the reason why we do this is not because it's just incredibly awesomely fun, but it's also to help the person, the client, so they can become better. If you go into a location and you go into a client's site and you tear up, until you destroy, their network, and then a year later you go back in and you see some of the same failings and you see some of the same mistakes being made, you failed the client, because you obviously didn't give them proper information and education on what they had to fix, or the direct needs for them to fix that. So it's not just about being able to break in; you've got to be able to make sure that you're properly educating and properly telling the client how to fix these issues.

So let's break down the best approaches I've used to be bad. One of the key ones I love the most is being the tech repair guy. It's like a delivery, job applicant, customer, or just I wander in. I mean, I will just, like, "oh, look at the open door, let me go in and see what I can find." Then the auditor, executive, policy enforcement. Where the tech repair guy is usually the passive role, except, you know, where I'm trying "hey, can you help me, dude," the auditor, executive, policy enforcement, that's usually more of an authoritative role, more of an aggressive role. It's also very aggressive because the clients usually make me wear a tie, and if you make me wear a tie I will destroy you utterly, because I don't like them. Three: crazy off-the-wall personalities. Not recommended, but, you know, really fun. It's like
I've broken into places in Teenage Mutant Ninja Turtle pajama bottoms, barefoot, in a t-shirt, which has been really fun, and I have broken into places wearing an actual shirt that said "hacker" on it, also "your company's computer guy." I stole a car one time at a hotel with a shirt that said "I'm a liability." So you should really be thinking about this.

So those are the three different personas, and what I decided to do for story time is to give you three different stories from three different countries. But the one thing that they have in common: they're financial institutions or organizations that deal with money, because therefore they're going to be more secure, right? Because they're dealing with money. They're also going to be more secure because, you know, why do you rob banks? It's where the money's at, right?

So speaking of banks, let's start off with the first one, which is the Beirut bank job. HackerStrip was nice enough to actually turn this into a comic book, because it's hilarious. Basically I was hired by a client in Beirut, Lebanon to test their financial systems and their financial branches in Lebanon, Jordan, and Cyprus. I spent like one month in five different countries doing some of these engagements. I did this one in Beirut, and it was pretty funny because I don't blend well in Beirut, by the way, in case you haven't noticed. I don't speak Arabic, I don't speak French, so I was like, we'll see how it goes. This is one of the first branches I did, because I was trying to show them how a physical compromise could lead to financial compromise of their internal network systems. I love this one, because you can see from the time that I walked in, looking at the timestamp, to the time that I got behind the teller line: two minutes 22 seconds. Two minutes and 22 seconds from the time that I walked in. I walked in, I don't know the manager's name, I've never been in this building before, I didn't know where anything was at, but heck, let's see if it works, right?

So I walked in, walked straight down the hallway like I knew exactly where I was. When I'm walking, I am always walking like I know exactly where I'm going. I've done that, completely, yes, straight to a dead end, like "okay, I'm walking this way now." I have walked into those dead ends before. This one didn't work out that bad. Walked down to the manager's office. His door was open, there was someone inside, so I do the half step. Half stepping is very important in information security and hacking, where I gave you the half step and then I back out and I wait for about 30 seconds right outside his door. He has no idea that I'm there; everybody else has no idea I'm not in his office. So after about 30 seconds I walked down the hallway to the first office, an executive, this lady's in her office, and I said, "Yes, I'm with the IT team from headquarters. We're looking at the GPO policies, I'm trying to test USB rights, I need to plug this USB drive in. Don't worry about the 'Rubber Ducky' on the label, just let me plug this in and test it." So she lets me test it. I'm golden now, because everybody now has seen me go to the manager's office and they've seen me talk to the executive. I go back out and I talk to another lady, like, "yeah, I'm doing the rights, and he checked it out, I need to go behind the teller line." So they let me behind the teller line. And when I say they let me behind the teller line, I mean they let me behind the teller line while, during this engagement, there was a guy depositing $200,000 in cash right beside me. I'm sure he was selling falafels. Honestly, a great guy. I don't know why he was armed under his jacket, but I didn't question him. So that was going on.

And one of the funny things, a little side part about it, was when I got there and I started working on it, the manager comes out. Remember, I hadn't talked to him. He doesn't know that, but he sees me doing all this stuff, so he automatically assumes that someone else verified that I was supposed to be there. Everybody else is going on the assumption that he's not getting upset, so therefore he verified me. And I'm like, "what I'm doing? I'm with headquarters, I'm with IT." He's like, "oh, we've got a problem with one of the computers, can you come take a look at it?" And I'm like, "why, sure I can, let me go take a look." Trust me, when you're on one of these engagements, don't ever go in as a plumber unless you know how to plumb, okay, because you're gonna have a bad day, because someone eventually is going to have a problem with a plumbing situation that they're gonna expect you to fix. So I go in as IT. I used to do desktop support, so I can go in as an IT repair man pretty easily, and get to the control panel at least, to go like "yeah, I got your drivers, we'll fix that later." That's exactly what I did. I was like, "oh, this computer's... you know what, we'll get you a new one from headquarters." When I said that, his eyes lit up, like "oh, really? Well, I've got this other thing over here where I need your help." I'm like, "oh, sure, let's take a look at it. Yeah, that's critical, you know what, I can get you another one from headquarters." And he's like, "we've got a problem with the scanner, can you come over to the scanner?" I'm like, "you know what, we're doing a whole refurb of all our branches, and because you're having so many issues here, we're going to put you on the first of the list. You're the top one, starting next month, to get totally refurbished. We're just going to give you all new equipment, all new screens, all new scanners, all new printers. We're just going to refurb here. I've got that kind of clout. I'll put you on the top of the list 'cause you're cool, okay?" So that's all they're going to get. He was so happy. And on a
side note, one of the saddest things that I've ever... not the saddest, because we're gonna talk about that later, was after this engagement was over. I do security awareness engagements. I don't do red team where I just go in and break everything, leave, write a report, and three months later they get a memo that something really bad happened. I go in, I compromise everybody, I destroy everything, and then I walk out of the building for two minutes. I then walk back in, usually with the representative of the company with me, that shows authority, and I explain to every person I compromised what I did, why I was a bad person, why they shouldn't have done what they did, and what to look for next time. That gives them the information, that gives them a teachable moment, that gives them something that they can use to better protect themselves. So this engagement was so horrible that we actually had everybody come in. I waited till the bank was closed, 'cause I was so scared of the guy depositing the money. So we waited till the bank branch closed, we got everybody, all the employees, together, and the gentleman that was with me could speak Arabic to make sure it was totally translated how badly they screwed up. I explained, and had him tell them, what I was doing and why these issues were. And halfway through, the bank manager raises his hand like he's in school, and I'm like, "yes?" And he's like, "um, do we still get the equipment?" And I'm like, "no, I was lying. I'm a horrible person. You're not getting anything." I felt like I kicked a puppy. It was horrible. This grown man's just like, "okay." I'm like, "sorry, I can't do that for you."

So while I was there, and like I said, I was there for a little bit. If you can actually tell from this timestamp, I was there for over 22 minutes. I was actually twirling in the chair on my iPad. If you want to see this, I could actually show you the actual video, and you see me twirling in the chair. But I also needed to show that I could do online bad things, right? So what I needed to do was, you see that guy in that snappy sweater vest? I got his user ID and I got his password, and they used Sun Oracle boxes with smart cards because they're very secure, so I had to get a smart card too. So now I have a user ID, I have a password, and I have a smart card. So I need only two other things, right? I need a PC and network access, and I can start wiring all the money I need to wire to wherever I need to go. That shouldn't be too difficult, right? I've got three out of five.

So what do I do next? I go to another branch, brand new branch. This engagement I said zero. I did not say a word to anybody. I walk straight in, down the hallway, actually went into the break room so I was able to get a little glass of water, because, you know, conning people is a parched... you know, it parches my throat. So I got a little bit of water and I waited for a couple minutes, and I walked back out right into the teller area while the guy's conducting business, and I stole the computer. I literally stole the computer from behind the teller line while they were doing business, without saying a word. Why do I do the pause? Why do you do a pause when you try to go into some place? It gives you validation. It shows that you're there, you're established, you may have talked to somebody, you're obviously doing something. You're not just walking around milling; you've got to go somewhere and be there for a little bit, show that there's a permanence, and then you come back out and people accept it. So I did that without saying a word. So now I've got user ID, password, smart card, their computer. I need one more thing, I believe. So I went to the third branch, holding the computer, like, "hey, I'm doing a test with headquarters, and I'm trying to test network access to your network, 'cause I need it to finish this transaction, make sure everything's working right." And that sounded legit, right? And still they let me in there. So there you are. That's how hard it was. Not one scrap of any kind of advanced research, not one scrap of recon done, no NLP tricks, no leet social engineering, you know, micro facial expression reading, or pretexting, or anything like that. I walked in, tried to be adorable and destroy as much as I can. Basic adorable destruction.

So let's go to the next one. This one's actually the state treasury in the United States, one of the states. I can't name the state because they're not very happy about it. But it also tells you... think about what they do about scope. Let's talk a minute about scope. When you're doing a pen test, a pen tester, they want to do an attack like an attacker will do it, right? So therefore an attacker's scope is like this: "I'm going to hack all the things," right? I'm gonna go in at any time I can, I'm gonna find any kind of avenue. And you tell clients, like, we need an attack surface like this, and the client's like, "yes, of course, you do that, that would be awesome. But can you do that kind of attack between, you know, Monday through Friday? Okay. And we want to be able to do a quick response, so can you do that between nine and five? That would be awesome. Okay. And we don't want you to affect the production servers, so could you leave those out of the scope? Okay. We've got this dev box on just one IP address, can you go for there and try to attack us? That should be great. There you go, attack us just like an attacker would. Here's your scope." And that's not the same, I believe. But this state treasury had their scope like this. This was their scope. And when I say this was their scope, I mean we had already successfully gotten inside. They were very unhappy with those results, so they sent me out to prove that I could actually break in from inside
to validate all the different findings that we had, because they kept saying, "well, you'd have to be inside the internal network to do that," "you'd have to be inside the internal network to do that." And we're like, we already fell for the phishing thing, we were in the internal network. But let's, for the sake of argument, let's get Jayson out there and actually get inside physically and see what happens.

So I looked at their headquarters. Their headquarters were nice, no joke. They had a mantrap lobby. I mean, they had one door that you get validated in, then another door to get validated with the receptionist right there. That was good. Great camera placement. They had the glass; the glass should have been shaded, but it wasn't, but they did have blinds, and most of the monitors were away from the window, which was good. So that was a pretty nice setup. They were guarding money, because they're the state treasury, so that's a good thing, right? I did find one vulnerability. I found that they had a dumbwaiter that wasn't deactivated that went into the basement, which was a public access area for a dining room down there. I could have gotten in there and I could have gone through this one stairway and gone up the dumbwaiter into the inside of the office, bypassing the cameras and the doors. But I didn't try that. The dumbwaiter was dark, there were spiders, and it's just, no, okay. So I wasn't going to go that route. That route was dead to me, because they wouldn't let me have fire. That wasn't part of the scope either.

So they did have a building, an office, in an office building farther afield. Well, awesome. You know what happens with those kind of buildings? You want to be connected to the internal network, right? So they just created an extranet tunnel, so they're directly connected inside the internal network. So sitting in that office is just like sitting in that headquarters, but that office didn't have all those other controls. So I was like, you know, hackers, we like to do things easy, right? I'm going to go after those guys. So they said, "okay, Jayson, you can go after those guys, but we just have a few little rules, just a little bit of scope for you, okay? So your rules of engagement are: you can't talk to anyone coming in or out of the building, because they may not be one of our employees, so you can't talk to anybody. You can't jimmy the door. You can't use your usual crowbars or sledgehammers," which are usually very helpful tools when getting into a building, so that was unfortunate too. "If you do get inside the building, you have to stay in the public areas, you can't try to get anywhere else. You have to stay in the public areas until you hear the cleaning crew, and then if you talk to the cleaning crew, they're not an employee of the state treasury, so you can't lie to them, you have to tell them the truth." So: can't talk to anybody, have to stay in the public area, and have to tell the truth. But, "go ahead, attack us, we're ready, let's see what happens."

Well, let's see how that worked out for them. Let's hurry up and get my nose out of there. There we go. Here we are. This is always great. Here it goes: go to the side door first, because maybe it's open. It is not, and once again a crowbar was not in the list of things I could use, which sort of ruins that part. So disappointed. I start walking over to the other side, which, I do tell you, in the minute and 25 seconds this video is going to last, the longest part of the video is walking. But it does give me a good time to drink the Diet Pepsi. You notice carefully when I get to the door, which will be in just a second, I promise, I try it, it's locked. I then step off to the side, pull out my magical hacking device, a phone, and start playing Angry Birds or something like that. Makes it look like I'm doing something, and then about eight seconds later, I believe, I did not say a word.

I broke into a telecom company in Beirut, Lebanon, compromising every single one of their floors in their high-rise building that had secured door access. We won't discuss how I got up onto the floor and bypassed the lobby, we'll do that later, but once I got in there, each floor, at each secured door, what did I do? I had a phone out. And this is freaking... it was my friend's phone. He didn't even have any cool games on it. I just had it, like, blink the screen, have it turned on, like swipe, swipe, and down there, swipe, you know, just doing nothing. But as soon as someone entered or someone left, I walked right in. I had a phone, I was busy, so obviously I belong there, because I wasn't concerned about anything.

So now I'm inside. So now I'm in here for two hours. Two hours I'm in this facility. You do not understand how bad my ADD is and how horrible those two hours were, okay, 'cause I am locked in a lobby doing nothing. My battery was down to 2%. Angry Birds don't cover for two hours, people. It just doesn't work that way. So I'm there waiting for two hours to hear something. Finally I hear upstairs the cleaning, the vacuum cleaner. Close enough, right? So I go upstairs. Wouldn't be a good Jayson video without my nose. Let's go in. The upstairs now, I'm going to have to sort of stop to repeat what they say. Usually I have that microphone down here. Let's say hello. I told her I was trying to get back into the suite, which is true. I was there the day before and now I'm trying to get back in. That is a truth. After she let me in real quick, she doesn't clean that one. I asked if she could let me in, and I couldn't get in, which was true. They wouldn't let me have the crowbar, remember, so I couldn't get in. I just went to the bathroom. I was there for two hours, people, drinking a lot of water, okay. And I don't have my badge. I have an actual authorized employee badge for my day job. I did not have that badge with me. Truth again. I didn't say it was their badge. I have to do one thing real quick: destroy their network. Once again, honest. So I was working late, I was on the job, you know, to do that. And I think that corny laugh that I have is endearing to people. That's why I still use it. That's what I tell myself, anyway.

Now here's the longest part of this video, is walking to the door that I need opened. I don't have the key to get in. So now I call the employee that's in this car waiting for me to fail, to let him know, "oh yeah, I'm just waiting for the key, just give me a second, we'll see what happens." Even if there was no one there, you still have the phone in your hand and you act like you're talking to someone, because when they come back, what do you say? You say, "oh yeah, they've got that, don't worry about it, they've got the key now, it's cool, you don't have to come." And that shows verification. They'd start saying, "oh well, he would have gotten in anyway, he didn't really need me, I'm just helping him out because he would have already done it," and that gives them that verification to do that. That's exactly what I say in just a second: "So, the key? I'm good, thanks." And that's what gets you.

So the scope: when you talk to a client, you tell them, you can tie as many things around us as you want; it doesn't mean we're always going to get in. But the attackers don't have those restrictions, and you're not getting attacked by people that are auditing your network, you're getting attacked by people that are attacking your network.

So the next part. I don't do these jobs, honestly, because they're profitable. I usually do them because I think they're fun. I go to weird places. I have never broken into a facility in Boise, Idaho. No disrespect to
Boise. I'm sure it sounds good, and I like saying Boise a lot, but it's just not one of those places on my bucket list. I like going in attacking places when you say, "well, Jayson, there's this research facility with dangerous chemicals." Like, okay, let's try that one. Or "there's a hotel in the south of France that wants to test your security." I'm there. So we'll go for those things.

This is one of those cases. I got a job to go into a financial institution in Jamaica, and I actually gave them a discount because they said they'd give me at least two days of touring Jamaica. So, yeah, I'm there, right? And it was a pretty good engagement. It was a financial institution in Kingston, and they were happy with what was going on. They were a little upset with the fact that I got in, and so they went to see how difficult they could make it. So they're like, "would you come downtown and come and get our facility downtown?" I'm like, well, okay. But this led to what I call the Jayson-the-terrible-horrible-no-good-very-bad social engineering engagement.

I have done some really low-down things, okay. I have no problem coming into your facility in a wheelchair with a box on my lap and having you hold the door. No problem whatsoever. You know what? People look at that and go, "Jayson, that is horrible." Excuse me, the guy who's got the gun and is robbing you doesn't go, "really sorry about this, but I need all your money." They don't apologize like that, unless they're in Canada maybe, I don't know about that. Other than that, they're bad guys doing bad things. They're trying to steal from you, so they don't feel bad that they found a successful way that's just really sucky, that works, because it makes them money.

So I went in after doing an hour and 45 minutes of research and found out that my target had a charity organization, and it was in scope because they were on the same network, telling by their email address and headers. And I was like, oh, a charity organization, way easier than a financial institution to break into, right? And once again, it's still on the same network. So the pretext was, I was a visiting TV producer from America that was going to put them on TV and make them famous because of their great charity and organizational works that they do in Jamaica, because they were, like, great people that did awesome work in the communities in Jamaica, in the poor areas. They were awesome. These people were great. So I had the guy that I was working with locally call him up, and he says, like, "yeah, he's here, he's visiting," and he put me on the phone. "Yeah, what's going on? I was having dinner with somebody, we're talking about you, and your name came up about what you're doing. This is perfect for my show, because what we're doing is we're talking about corporations that do public good. They don't get enough advertising, there isn't enough exposure about all the things that happen from the organization, from the corporate side, that bring good charitable works to the community. And after hearing what you're doing, it was just phenomenal. But I'm flying out at 6 a.m. tomorrow, I need to meet you today. Is there any way that I can do that? 2:30? Hold on a second." "Cancel my 3 o'clock, this is way more important, so I'll be doing this." "Okay, I've got you in there, I'll be there, I'll see you at 2:30." "Would be great, see you then."

Show up at 2:15. I don't show up to the charity organization that's across the street, right across the street. I show up to the main headquarters, because I got mistaken. I'm American, what are you gonna do, right? I mean, that's a great excuse. Usually when you're breaking into another place in another country, your first reaction should always be "American." They usually go, "oh, sorry, we've seen your television, we will help you out." So I do that. "Oh, this is the wrong... okay, sorry, American. But by the way, since I'm here, can I use the restroom quick, because I'm early?" I always go to the restroom. It's not because of how much Diet Pepsi I drink, trust me. It's because I get lost so many times trying to find that darn restroom. There was one location, one facility, I was lost for two hours trying to find the restroom. I just couldn't find it. I found the private area and their employee entrance doors and stuff that I was able to circumvent, but I didn't find the bathroom. That eluded me. Not on this trip. As soon as you walk in, there is the receptionist and a locked, guarded door with an armed security guard right there by the door. So this armed security guard opened the door for me and he followed me. I thought he was going into the stall with me at some point, the way he was going in. So he stops outside, and I get into the restroom and I'm like, well, crap, I really don't have to go this time. So I wait the appropriate amount of time, and then I wash my hands, because I want them to at least
think that I'm a hygienic and stuff you know for no process and and I walk out of the bathroom as soon as I walk out there's this security guard at the door I mean I was like he was like letting me know did Nicky say you don't get lost sir right here and I walked straight back and then I waited and then I went over to the charity organization so I talked to the lady the manager and stuff you know she talked to me and I was like talk to her about ten minutes sounds like you know what do you have a CEO or the guy from the corporate side Evan step you know who who runs I need to talk to him to try to explain to this so I can get his buy-in cuz it oh yes the Board of Directors the guy who runs the Board of Directors definitely he's here right now together we talked to him that'd be great so he'd go up to his office and I start talking to him about the show that we're doing and and how I've done previous shows about these things and how we're starting to get it all the episodes together I'll you know what it's like I can keep telling you about how this is but you don't get to visualize it lets you actually see when the episodes so on this nice little USB Drive don't mind a rubber ducky on it let me plug this into your computer real quick and show you one of the videos so you will actually see it and it's like so he's like yeah that sounds good so I plugged that USB Drive in and it pops up and then there was like this other error message and there was actually technical error messages I honestly think the malware on his computer was actually combating with the malware that was on mine and they were like having a fight or something he was really weird so it's like so I'm like at a loss at this point I'm like actually like well that's never happened before that it hasn't it's like that's unusual and this guy really wanted to see this video so he contacts his tech support which is third-party now to scope and I'm like no no no that's okay that's okay I'll email you the clip 
and he's like, "No, I'll should send it to..." He hands my USB drive to this guy. I make that very important: he handed it to him, not me. Not my bad, okay? He gave it to him, not me. And I'm like thinking quick on my feet here and stuff, you know, because when you're social engineering, that's one of the biggest things you gotta do, is be able to do stuff extra, because you never know when it's just going to hit the fan. And so I'm like, "Uh, you know, there's other videos on that USB drive that you can't see, they're proprietary, so it's like I got to go with him to make sure I know what video he's looking at, he's supposed to look at the right one, he doesn't look at the other folders." And basically I needed to go and find out what computer he put it on so I could put in the report that that machine was compromised. So we go in and we go to his little desktop in their area and stuff, you know, he plugs it into his computer, a Linux computer, and I was like, okay, I programmed the coding stuff, you know, to run on Windows, okay. That's when I realized how awesome Ubuntu is with Wine, because the code ran. I'm like, well, that was also unexpected. So I got to put him on this: now I'm domain admin creds on their network and every other network he supports. Some sort of good, that was awesome, right? But then the bad part happened. I've compromised both machines, it's like, I've got domain admin creds, yay me. I have to go back into that office and talk to those wonderful people, those awesome humanitarians. The lady gave me a copy of her book, she's like the Mother Teresa of Jamaica, I still have it on my shelf. But I feel bad, like, oh, you know, it's like, and I had this talk for the next 15 to 20 minutes about how they were going to be on television and what wonderful works. I actually started buying into it. I was like, "You know, we're going to have this female employee, and what we're going to have is, we see her working at her desk on the computer, and then we're going to transition, we're going to
pan out to the rest of the call center until we get to the glass window, and then it's going to fade and then you can see the streets of Jamaica, and then you're going to see this one street that's desolate, you know, and there's that same lady kneeling down, helping to see the child, and you're going to show how your corporation goes from the call center down and impacts directly to the streets of Jamaica." It's going to be, I mean, I would get into it. I was like, that would actually make a pretty good TV show, you know. So I was getting into that, I was all good, and then I leave and I walk out of the building and I wait two minutes, then I wait three minutes, about four or five minutes. My driver comes over because he knows my process, you know, it's like I go, I wait two minutes and I go back in. About 45 minutes, he drives up to me, he's like, "Jay City, are you going back inside?" And I'm like, "I can't tell those people what I just did. I did some really crappy things. I can't tell them what I just did." For the first time in my life I actually had to call the client up and call him, Tom's like, "Look, you have to tell those wonderful people what just happened to them, because I'm not going back in, you can't make me, I'm heading back to the headquarters, talk to you later." It's like, and so I felt really bad about that one. So that was the results. I really did feel bad about him. Usually when I successfully pwn somebody, it's, you know, I reward myself with ice cream, and I did have ice cream on that one, but it did taste a little bitter, so it's like I didn't enjoy it as much as I usually do. But it was still outlandish, unbelievable, and it worked. These are not advanced attacks. These are not something that's like, you know, it's just someone walking in. And a lot of people ask themselves, why does it work? Why do these attacks work? What did they all have in common? We want to believe. Human nature wants to believe. It's like, I don't, you know, this was like a really great
conference and stuff, you know, when we all finish this conference we're all going to go, I'm gonna get on a plane and die, because there's probably a plane crash, you know, halfway to my house, right? That's a pleasant thought. Is it in the realm of reason? Yes. Do we want to think about that part of it, that probability? No. People don't want to believe something bad can happen or will happen to them. If I can give you a reasonable lie that is better than the unpleasant truth that is occurring, you will believe the lie. Otherwise you'll have to believe that there's a guy with this USB drive who's trying to steal data from you, who's trying to compromise you and is trying to take all your secrets. That's not fun, that's not nice. But if there's a nice, helpful, smiling technician guy who wants to plug in the USB device to make sure you're secure and safe and everything's all looking happy, well, that's totally cool. I literally, I was doing a documentary for vice.com in London about three months ago, and they were like, "Try to break into our headquarters," and I'm like, okay. So I literally just walk in with my newest rubber ducky that I had, some of my gear on, so I did have my best to do him with me, and I had a fake ID badge. I love fake ID badges, right? So I had one, it said Microsoft, had my name, said hacker on it, okay. It was on a lanyard that said Professionally Evil on it, thank you Kevin Johnson. And I walk in, it is predominantly a Mac shop, Apples everywhere, right, and I go up to, but I'm like, and one lady actually stopped, the first lady I pick up, she's like, "Your badge has Microsoft on it." "Like, yeah, because we've got the main controller we're trying to, the USB, right, to make sure the GPL policies are affecting all the different machines, even though it's Apple, it's still on a network-based networking, so therefore we don't have a GC Pirie stacking stuff, you know, when it comes to the authorization of the USB drives, because it's just better that way, okay." And it
exactly. She's like, "But that says hacker on it." "Oh yeah, because, you know, you need good hackers to go after the bad hackers, and I'm one of the good hackers helping with the bad hackers. That's why Microsoft hired me." So she's like, okay, plug it in, go, thanks, Paul, all her windows disappear, and I'm like, "Oh yeah, it's supposed to do that, let me just wipe this away," and they all come back. See, I had it, the malware on the program, or the, it's not really malware, it's like, because I don't do, like I said, I don't do red teaming, I do security awareness, so I make it a game. So on a Mac all the windows disappear and you got to explain why all their desktop windows went away. But if you plug it into a Windows machine it brings up YouTube, Weird Al Yankovic, "White & Nerdy," and I have to explain why "White & Nerdy" just popped up on their screen. So it's like, and I got to one of the accounting machines that was a Windows-based machine, "White & Nerdy" popped up, and so, "But I don't know that, that's just a test to make sure that you got internet connectivity, to make sure that it actually was able to get out to the Internet and that the code was working properly, so yeah, that works out great, thank you very much, okay." And they recorded all this. The guy that was like, when it was done, the looks on people's faces when they realized what just occurred, they were not happy. It's like, but I try to talk to them, explain to them what happened, why we did it. But was that believable? No. It's like, why is a Microsoft guy coming in out of the blue at night, actually, to go and do all these things? But they didn't have anything to judge it on. So whose fault is that? Stupid user clicked on the link. Stupid user, you know, went to a website they shouldn't have gone to. Stupid user let someone into the facility that shouldn't have been there. How about stupid information security didn't properly train their employees? How about stupid information security didn't show and have a good
information security policy that took in the human factor and didn't prepare for the human factor? We're failing, obviously. We've come to the vegetable part of our talk, because those are the things that we need to start doing. We need to educate, empower and enforce for our users. And what does that mean? Let's start off with educate. We need to start educating our users on what they need to do to better protect themselves, because users, when they know what a threat is, they're very good at detecting them, right? If I would have gone in those banks in Beirut, Lebanon with a ski mask and a shotgun, I was going to have probably a pretty bad day, because my intentions would have been a little bit more clear, what I was trying to do, and employees have been trained for that. We train our employees to be prepared for these guys. Well, maybe not those guys, because they're adorable, but it's like we've prepared, when they were using those things, we're afraid of those things. Those are bad things, right? Those are scary things. So, you know, they give you at least not good. So we protected against those, but we don't protect people against this. We don't train them to be aware of these guys. These are the guys you got to be afraid of, especially that one guy with the Pineapple, he looks a little sketchy, sorry Darren. But so you've got to watch out for those guys, right? The other guys go into a branch, they walk out with a couple thousand dollars, if they walk out at all, and maybe a bullet hole or two. These guys walk into a branch, they walk out with millions, you know, and if they do get caught they get, you know, the nice, you know, white-collar crime jail stuff, you know, wherever he wants to go, anyway, right, if you commit a crime. So that's what happens there. We're not training our employees on what to be afraid of. We're not teaching them to be aware of the dangers that these things have. These are terrifying in a workplace environment, it's like these things, and you know
what people talk about, like, "Oh, I just get some malware USB drives and throw them in the parking lot, or I put them in the bathroom or on the lobby floor." So that is wasteful. When I walk into an engagement I have blank envelopes. So I walk through the environment, I see someone's desk when no one's there, I see their name badge or their nameplate, there's her name, put the USB drive in, fold it, put it on their desk. They come back to their desk, they see an envelope with their name on it, they see a USB drive. Who's not plugging it in? Please raise your hand. Okay, probably lying, but okay. But so you go there, you do open it, you do plug in that USB drive, and even if the malware doesn't instantly run, it's like there's an Excel file, "Projects and Projections" and stuff, you know, for pay raises for 2016. No one's going to click on that, right? No one's going to click on something like that, especially if you're in accounting, especially if you're in HR, especially if you're just like a general IT person, you're not going to click on that. So that's what I do with USB drives. Also you can go to conferences. I love conferences, because conferences love to give out USB drives. It's like, why pay for a malware launcher when you've got, you know, a conference to go to that gives them to you? There was a conference in Australia, an energy conference, where the guy actually went to one of the vendor booths, grabbed a handful of the USB drives, went upstairs to his hotel room, weaponized, I don't like to say weaponize because, you know, cyber war, so it's like he weaponized these USB drives, you know, goes back down, drops his payload into the bowl. I'm talking USB drives here, stop that, bad person there. So it's like he drops the payloads into the bowl and he walks away compromising half the conference, right? It's like that's how easy it is, and that is a known fact that that occurred. It's like, and I love doing these. I did this talk in Johannesburg a couple weeks ago and this was the gift that they gave me, so
I thought that was fun. So like I said, it's like this doesn't have malware on it yet, well, it actually does now, though, but it didn't when I was doing the talk there. It's like I should have taken this slide out. So this does have malware on it now. It's a nice pen and it's also a laser pointer, so that's cool. So we have to be worried about these things, so we need to train our employees not to look for just the specific, "This is what things are going to look like." We can't just say, "Look out for this, this is bad." This is actually a poster someone actually made and put in their security operations center to warn them against people that come in and that are sketchy, you know, which is, that is a valid target and that's a valid sketchy person to be aware of, okay. Unfortunately that's only teaching them to be aware of one specific person, not all the other people that could come in and attack them. It's like you can't make your focus that narrow. You have to make sure they understand the behaviors, not the people doing the behaviors, because I don't have to come in in your company's computer guy shirt. I can come in with a lot of other different things, thanks to this advanced social engineering facilitator called eBay. Or I can just go to DerbyCon, pick up some badges from Sky dong, you know, that's really nice of him. The top one where it says Gregory Evans, I'm giving the troll face, and it actually says I'm from Oopsie Inc, was a successful badge that I used at a client site that I made from their client machine, and yes, I am putting on the troll face and I still got in. So you've got to be aware of what kind of tools an attacker could use. But most importantly we need to teach employees the common dangers they face, not only at work. I have a great revelation for you, this is going to knock your socks off, okay, this is a mind-blown moment here: employees don't care about your data. They don't. Calm down. Employees don't care what their employer's data is, what they do for a living,
they just care about their job. They are still getting pwned by phishing scams at home. They are still getting taken by Craigslist and eBay scams at home. They still don't know what their children are doing on the internet, on Facebook or anything like that, at home. They still don't have a properly encrypted Wi-Fi access point at home. Why would you think that they would be better at protecting your data at work? Stop trying to teach your employees how to protect your data. You will fail. Start teaching your employees how to protect themselves. Teach your employees, give a one-hour lesson on how to properly secure their home Wi-Fi access points. Give them an hour educational lesson on how to be aware of scams that affect them at home. Give them a one-hour lesson on how to lock down social media and Facebook profiles for their children and themselves at home. And guess what's going to happen? They're still not going to care about your data, but they're going to be more security conscious for themselves. So when they see something like that happen to them at work, they're going to be able to go and say, "Yeah, that looks pretty sketchy. I learned not to do that at home. I got to report it here," and they'll start protecting your data. You got to drive home the fact that stranger danger is a good policy no matter where or how old you are. I love secured facility organizations. I love those barriers, those places that are like lockdown, heavy perimeter. I love those places. Barbed wire fences, gone over them, under stuff, you know, it's like walls. I was in Miami jumping off a four-foot gap from a parking garage to a third floor window just to show them that they should lock the windows. I love those places. You know why? Because once you're behind that perimeter, what else is there? The only thing worse than no security is a false sense of security. I go into those facilities and every person looks at me and they're like, "Well, he made it through security, he's got to be okay." They've got their
keys out on their desk, they've got their car keys, they've got their iPhones and their iDevices, and their laptops are unsecured. And on that engagement I walked out with the CFO's laptop. I started by putting a Pwn Plug in the server room and stuff, you know, but you know me, I'm greedy, and they made me get up early, so, you know, screw them. So I walk in, and as I get in, I get all that stuff done in the server room and I'm walking out, I'm coming back from the server room, the assistant's already seen me in the server room, I'm like, I walk, and I'm at the door, it's a glass window thingy, and I see the door's open and there's nobody inside the office. I didn't know, was to get photos at the time, and I was like, so I just went, "Oops, like, I'm here to check on the laptop, make sure that it's a security stuff, you know, because we're trying to test some from the RAM chips and stuff, you know, to make sure that they're not causing a conflict of interest from the IP stack, okay." I don't ever, ever try to sound like I know what I'm talking about, okay. It's like, I do talk that gibberish. So I walk in and he had a laptop lock cable. Oh wait, it wasn't attached to the laptop. So I closed the laptop and I walk out with it. The worst part of that whole scenario is walking outside, opening up the laptop and realizing that the screen came back on, it was not locked, and I had the open window of all his data. That is called bad, okay, and not my kind of bad, that's just seriously, that's pretty horrible. So that happens. You also have to create teachable events year-round, not an annual exercise in futility. Everybody have your web content questionnaire form? They talk and explain to people the dangers of information security and hacking and bad things that could happen to them on the Internet. I mean, those are very hard, you know, multiple-choice questions that if you fail you can go, "Oh, I got that one wrong," backspace, okay, there you go, check it, boop, secured. That works out well for
everybody, right? I'm sure Sony had one of those plans too, and they're in their internet and stuff, you know, and look how great that happened. I'm not trying to pick on Sony, I just think they're horrible with their security. So, oh wait, this is recording, my bad. So that's just, that's just the truth, sorry. So what else do we need to do? We need to empower the employees, because in the end, you guys, you're the only person that protection, you need to give them the education, show them what they can do to protect themselves, show them what they can do to protect their area, but then give them the will and the empowerment to actually do that. These are some of the things that you can do. Users are not the problem, they're part of your solution. They're part of your IDS system. If anybody's going to notice something that's going wrong or something that is odd, it's the person that is doing the same job over and over and over and over again every day of the week. They're the first person that's going to notice something odd is occurring. But do they know who to call? Not Ghostbusters. I mean, seriously, do they know who to call? Do you have an extension, if you're in an organization or in a company, do you have one extension that people can call for any security related issues, physical or network based? I was in Amman, Jordan breaking into a bank there. The bank manager is right there in front of me, I'm plugging a USB drive into one of the terminals, and she's like, "You can't do that." And I'm like, looking at her, "You're right." I said, "Hold on, I shouldn't be doing this. It's like, you should call somebody. Do you have a number to call? Call upstairs to headquarters and, you know, they'll be able to tell you that I'm supposed to, because I'm really, hold on, there you go, yeah, I shouldn't be, I shouldn't be plugging these devices in without authorization. I thought you had the authorization. It's like, you should talk to, oh, you should talk to someone, you should call someone, you should be talking to
me right now, I mean, you need to go talk to her. I shouldn't be doing, hold on, I shouldn't be doing this, this is not cool. It's like, you need to contact someone, let them know, and they'll tell you I should be here. Oh, thank you." Five, by the way, five machines were infected before she finally got upset, because I went behind the teller line and there was a stack of money right by the computer, and that didn't freak her out, I was going to the computer, it was just the stack of money was there, and I was trying to tell her, like, "Look, I'm not worried about the money, I just want to plug this in real quick," and that was a no-go. So I just, you know, got to walk out so I can get my letter, tell them that it was okay. No, that wasn't reported to anybody. Management wasn't notified, security wasn't notified, no, that whole incident was not reported to anybody. That might be something that your security team would want to know about. They would probably like to know that someone walked in off the street and started plugging a USB drive into their terminals. So give them opportunities to do the right thing, and reward them when they succeed and teach them when they fail. So create those moments by going and trying to walk in. This is not having to hire a pentest team. People, just try to piggyback behind someone and stuff, you know, behind the door, and see if they stop you. Send an email that seems a little suspicious and stuff, you know, and see if they actually click on it or they actually reply back to it. It's like, do things there that actually let them know that they can be better, and when they do the right thing, make sure you notify, you put it in a newsletter, you go to their supervisor and you inform their supervisor, "Hey, they stopped me, they did a very good job." The Starbucks card thing doesn't always work, because I always carry Starbucks cards, so when people, you know, stop me and they question me, I go, "Congratulations, we were doing a security awareness thing, you won, here's the Starbucks card, I just need
to get back in." Things that work, it's sort of sad and it's sort of mean, but, you know, we've got to verify. They got to verify, they got to have a number that they should be calling, and that's how the person wins, by actually calling the number and verifying what was going on. So the last part is the funnel. I like this one the best, because it's one of the things you don't hear enough, because also I bash so much on information security guys, I get to bash on employers, upper management, you know, that whole thing. This is a touch of a tired cliché: you have to have upper management buy into the security process for it to work. What does that mean, you have to have upper management buy into the security process? Basically what it means is, you may own the company, that doesn't mean you have domain admin rights. How many CEOs have domain admin rights? "Because, you know, I run it, I should have access to it." How many of those people have those kind of rights, have the, you know, badge that allows them in at any time of the day or night, you know, they've never done that? Do you know who the biggest target I target is when I'm going after a company? The CEO's or CFO's assistant. You know why? Because a CEO and CFO's assistant has a file. Ninety-nine percent of the time they have a file, it's either in their email or it's in a Notepad text file on their desktop. That file consists of their boss's name, full name, date of birth, social security number or national identity number, the phone numbers that they have, their credit card numbers with the back code on the other side, and their passport number. Why is that? Because they're the ones that are doing all the booking for them for travel. I was actually giving this talk, and not this talk but another talk, in the Dominican Republic and I was talking to them, it was a shipping conference, and all of a sudden there was a disturbance, I kid you not, four rows into the audience, and it was the CEO actually turning this way and screaming at his assistant asking if she
had that file, and she was like, "Yeah, I got that file," and he's like, "Delete that file now." You know, he's like creating a stir and I'm like, I didn't mean to get anybody in trouble. There was also a good example, though. I used to work for an online bank back in 2000, you know, before the dot-com boom or bust. So I was working for this online bank, and the owner, the guy who owned the bank, was the CEO of the company as well, and he had an office there. And I had a policy that I would do walkthroughs checking to make sure you had your employee badge, because you had to get into the second floor area, which was where all the technical gear was, where all the servers were, where the money was. That was our virtual vault. So you had to make sure that you had an identifiable badge. If you didn't have a viable badge and you're an employee, then you had to wear a really stupid visitor's badge that would bleed out through the rest of the day, so the next day it was totally red and you'd know that it was void. So you had to wear that badge the whole day, like the badge of shame. I walked by the CEO's office and I walked behind, I was like, "Where's your badge? I don't see your employee badge." "No." "I'll walk you to the reception." She got a kicker badge. What did he do? He didn't fire me. He went down to the receptionist and he got a visitor's badge and he wore that badge the whole day. What did that say? That said, "If I believe in the security policies of this company, you better believe in them." Because as soon as upper management, as soon as the CEO says, "This is an exception that I get to take because of who I am," then the people that report to them are going to say, "That's a policy I can do an exception to, because I report to them," and then those people are going to say, "I can make an exception because I report to that person that reports to that person," and yes, you have no security policy. Those policies are to be enforced by everybody, not just, because you're doubly so if you're management, doubly so if you have better
rights. In my day job at a financial institution I have zero domain admin rights. I have no rights to the actual server rooms. It takes two employee badges, two employees, to go into one server room. When I'm there it takes three, because I have zero rights to it, because I'm one of the biggest threats to the company, because of my knowledge, my skill and stuff, you know. Even though ethically there's no problem, but based on skill set, I've made sure that I'm out of that process. That's how you explain it to your CEOs, your CFOs: because of their power and their status, you know, also comes great responsibility. No suit, so, you know, they don't worry about wearing spandex, but still they have to have that responsibility. They've got that power. I'm glad someone got the Spider-Man reference, thank you. So another thing is you have to show real world impact. When I screw up online, how do I know in the real world that something really happened? I love playing first-person shooters. Call of Duty: Advanced Warfare, once you get a freaking crazy system to actually run the freaking graphics on it, because they sucked at their coding, it's like, but once you get something like that, it's a great game to play, and I'm a runner and gunner, you know, America, you know, that's how I roll. I love that game. But now what happens if you put electroshocks on me, little electro thingies that give me a thousand Joe every time I get shot? I'm going to be running and going pew pew pew, nope, it's gonna be pew, pew, pew, pew, you know. My online behavior will change because there is a kinetic real-world consequence to it. That's how you have to teach employees. How do you do that? If someone actually installs a virus or goes to somewhere they're not supposed to go to and you get an alert from that, invest the time in having someone go to their desk. We have a small facility, so it's like when someone does that, I
show up, and I'm not that adorable when I show up on that assignment. "Excuse me, can you get out of your chair? I need to look at your computer real quick. Thank you. Sit down." You're down there, where are they at? They're standing right behind you trying to look everywhere but, you know, at the people that are looking at them, and I'm like, looking at the computer, "God, give me leave." Why? Every once in a while, you know, let them know that they're in trouble. So you, that walk away: "Excuse me, do you know the employee policy? You know how it talks about, you know, not using executables or executing or transferring them through the internal network system? Are you aware of that? Okay, well, this was one of the infractions. You're not supposed to be doing that. We're going to inform your supervisor. I think you have a good day." Walked out. Sometimes if it's like actually you got something really bad on it, I take the computer with me. What did I just do? I didn't just educate that employee, I educated all those employees around them that were watching, you know, and not watching at the same time, all those employees going, "Oh, thank goodness I'm not Bob, man, he really screwed up." It's like they're going to be telling all their friends around the water cooler about, like, "Oh my gosh, Bob got into so much trouble," and stuff, you know, and then they're gonna post on Facebook, "Oh, Bob really been at this time," you know. That creates that security awareness, that shows them that there's a real-world kinetic response to what they do online, that shows you how that behavior goes. So sometimes visibility's all the sisters, are just being able to show how many people in your company know that you exist, how many people know that there's an Information Security Department. It's like, usually the only time people know that there's an information security department is when the chief level of the department is getting fired because of a massive breach, Sony. So that's how the use easily occurs. It's like, you've got to do more
about being visible, letting people know that you're out there and that you're trying to protect them, and then they need to help them be part of that. If, from your CEO to the mailroom, they don't understand that they're part of the security process, then you need to make sure they do understand it, because they are. So the moral of my story is I hate the TV show Breaking Bad. I hated it. I mean, during the whole frickin' show I was like, why doesn't this guy die already? Spoiler alert. It's like, you know, I hated the show. Why are we so happy watching the bad guy win? Why are we so happy when we see the bad guy succeed? Screw that. Start making the bad guy have a bad day. Start doing more for yourself and stuff, you know, for your company, so these guys don't get to profit so much. Screw him, smiling, hope he dies a cat, I shouldn't say it that way. It's like, he's a bad person and he should feel bad, though he's fictional. So that is the end of it. This is the part where I get to drink some Pepsi. That's totally not why, people. I am done. No, I'm not. I'm not trying to do the advanced, I'm, there's nothing, there are a lot of social engineers that are out there doing it, and I tried to work with one of them and he was like, he wanted to recreate the janitors' outfits and get their cell phone numbers and try to figure out what, I preach, I'm like, and I'm literally halfway through the engagement, I was like, can I just walk in and be adorable? I mean, it works for me. I don't try to show these advanced techniques, I don't try it. I mean, there's a lot of people talking about NLP, and they talk about facial micro expressions and how to do a proper pretext and how to get Adamle know. I mean, there are so many different places that I've walked in literally with nothing, and I've just walked in, and what, I was in the South of France, like I said, doing an engagement there, and I walked in in the morning, it's like I'm wearing jeans, a DEFCON hacker shirt, my best to do a military DEFCON cap,
walking by a guy who's smoking a cigar, in France smoking cigarettes, you know, out by the door, and all I do is go "Bonjour" and walk through. And then I go through and I'm actually in the kitchen. I'd broken in earlier, like 3:00 a.m. that morning, it was like, that went a different way. So now I'm in the kitchen, there's like two people cooking, and I'm like, "Bonjour, Bonjour." If they'd asked me anything I was screwed, because I only knew Bonjour, okay, I had that one down pretty good. I can do comment allez-vous, comes he come saw, excuse them all, I request a lawyer and an American ambassador, but it's like that's all I know. It's like, so I was just walking around just going "Bonjour" and having full rein of the building. That's it. It's like, we need this. If you tell your client, and you're telling your client that, "Oh yeah, I did this, we had to go through that," your client gets to go and say, "Wow, that's really advanced, that's really, I mean, we don't worry about stuff like that, that's just way too..." Saying we just need to shore this up and there should be good. I want you to understand, when I'm finished with this engagement, that your security was so piss-poor even I got in. Your security was so bad I was able to break in. If your security is so bad that I'm able to break in, you should feel bad, because I'm not really trying. I mean, I am, and what's my success rate so far? 100%. I'm not talking about, you know, going into, like, oh, I went and broke into a place that was right across the street from Ground Zero, SWAT team in the annex lobby area, eight security guards in the elevator lobby, X-ray machine, metal detector, before I even go up to the secured lobby up on the upper floor. I'm in with a valid badge and a t-shirt. This work shirt that said "your company's computer guy." This is not difficult. Stop trying to make it seem like it's difficult, and start protecting employees and letting them know that they have to strengthen their security and their security awareness. Yes. I've got a guy who sends me spam every
day it's like when he gets a spam he Ford's it to me to let me know and be aware of it do I need all that spam no it's like I thank him every day and he's gotten to the point where he's actually spent me sent me spam from his home address just to make sure that I was aware of it and I'm like in his eye and that's what you do it's like he thinks that he's part of the security team because he now is so you say you have to do that there's anything yes I did a talk in crap the English 2012 I'm old called securing the internet you're doing it wrong we're actually talking about how to get upper management bond to the security process and what basically when the best things that executives want see this is our this is our conundrum ok route information security right so what are we we're proactive we have to be proactive to try to mitigate risk what is business what has been is taught to be reactive how to react properly so you and information security have to learn how to make your management Pro to react to something to make them secure and you do that by teaching them it's like shown examples of this company was breached because there was no exclusionary file access so people with any permissions ribbon access to file I mean there are so many opportunities right now to create a discussion with your upper management on proper security thanks to Sony and other companies like Target and like LinkedIn and like who hasn't been poned massively horribly recently no one is bad as Sony right now but still use those as examples it's like and I mean I'm sorry I hope nobody here works for something but you should feel bad it's like so that that's the way it works it's like you have to show them with these examples so it's like you can teach them in ways that they understand and you let them know it's like look your risk by having this is exponentially greater if we just took this much away to protect you it's like I promise you and this is one of the things I was in a management 
meeting one time with all these executives and this was way back in the day when you actually had to update your viruses off of a CD from a laptop that wasn't connected to the network before and my policy was to tell them it's like what you need to make sure before your owner of your company comes in and connects to the network they have to put the CD in and get their virus that's updated before they get on to the network to make sure they're not infected make sure they don't infect the network and they laughed at me but I was like yeah yeah that's hilarious until he gets infected and then he asked you why you didn't protect him from himself then laugh at that one and then everybody stopped laughing and I looked a little bit more smug but still that's the problem you have to protect them from themselves you let them know that my best interest of this company for this thing means that I'm trying to manage you as a threat because you are a potential threat if you are compromised and then what you've built for and what you've tried to create is going to be destroyed because of you and your permissions or what you had or your exceptions that you did on security you explaining to that to them and they're going to go crap yeah you're not stupid I hate people sayings you know the point here boss from Dilbert they're running a company it's like most people that are running companies are pretty intelligent it's like or they don't get to run companies for very long or they get bailed out from the government but that's a whole other story so as I still use like you got to watch out for that it's like they they know what they're talking about if you can explain it to them in ways they can understand about risk and mitigating that risk it's like you'll be ahead of the game I can talk for hours people anything else we good yes I had a broken arm when I did that I did okay I broke my I had broken my arm I Condor falls I fell in on the done River Falls I went seven months later or 
so and I climbed it one and a half times therefore by restoring and making up for it so now I know that that could have been it though I did sip on after that actually after I fell on the Falls with a broken arm I waited for two hours before our zip lines down the down the mountain and then I get back home and the doctor says it's like after saying there's Jason if you move this thing one more little millimeter we're going to have to rebuy kit I piece fell off or got broke off during it another occasion which is really another story I'll tell you another time because it was hilarious bad on my part it was like a cartoon but I broke it a piece off insulated like there's a titanium screw where they had to attach it back and I'd jostle dit I'm rambling at this point people we're done everybody wants to go home now there's candy bars outside it's like uh I don't know what was it oh that was me chopping off part of my thumb why do you want to bring up all those painful things that have happened to me that have caused me pain thank you you
Info
Channel: Adrian Crenshaw
Views: 262,752
Rating: 4.7760444 out of 5
Keywords: hacking, security, irongeek, bsides, marshall, AIDE, Appalachian, Institute, of, Digital, Evidence, Infosec
Id: UpX70KxGiVo
Length: 78min 28sec (4708 seconds)
Published: Fri Apr 24 2015
Reddit Comments

This sounds amazing, but I'm gonna need to know which part of the 78 mins to skip to

👍︎︎ 282 👤︎︎ u/screwloose6 📅︎︎ May 13 2019 🗫︎ replies

Man, he's really come a long way from QB1 on the Dillon Panthers.

👍︎︎ 82 👤︎︎ u/flakman129 📅︎︎ May 13 2019 🗫︎ replies

Intended to watch a few minutes before bed. Watched the whole thing. Dang.

👍︎︎ 27 👤︎︎ u/JRS0147 📅︎︎ May 13 2019 🗫︎ replies

I love his videos. Deviant Ollam as well, same sort of fun content about breaking into things.

👍︎︎ 11 👤︎︎ u/BeerJunky 📅︎︎ May 13 2019 🗫︎ replies

Lots of /r/actlikeyoubelong in pen testing.

👍︎︎ 10 👤︎︎ u/0311 📅︎︎ May 13 2019 🗫︎ replies

Feel bad for the manager who thought he was getting a full refurb :(

👍︎︎ 7 👤︎︎ u/RemoveTheTop 📅︎︎ May 13 2019 🗫︎ replies

Jayson E. Street is a treasure. He does some great work both in and outside of infosec.

👍︎︎ 4 👤︎︎ u/LakeVermilionDreams 📅︎︎ May 13 2019 🗫︎ replies

If you're given a 45 min speech slot and you can't keep it under an hour, you're an unprepared asshole. Especially if you spend the first 6 minutes talking about nothing.

👍︎︎ 17 👤︎︎ u/oldmangandalfstyle 📅︎︎ May 13 2019 🗫︎ replies

I keep watching Pentesting videos and at my actual dayjob, they wouldn't get through the door. Not like we have a lot of high tech security, just very paranoid people and decent separation of zones.

On a good day, he may reach one of our more secure terminals, but actually getting on the inside of the network? No way.

👍︎︎ 4 👤︎︎ u/cosmitz 📅︎︎ May 14 2019 🗫︎ replies