DEFCON 19: Steal Everything, Kill Everyone, Cause Total Financial Ruin! (w speaker)

Reddit Comments

I work IT and just realized I need to start thanking that jerk in accounting for sending me all those phishing emails...

👍 13 👤 u/I_sleep_on_the_couch 📅 Aug 06 2015 🗫 replies

If you are interested I can post one more video with similar content; it's not the same person but still very interesting to watch.

👍 9 👤 u/deepthinker314 📅 Aug 06 2015 🗫 replies

If anyone's on the fence about the length it is worth it!

👍 8 👤 u/AsmallDinosaur 📅 Aug 06 2015 🗫 replies

I was listening to this talk thinking about the two office buildings of my company I've been to and what damage somebody could cause and if they'd get in.

  • Door is only ajar when some people go to the toilet or for a smoke because they're too lazy to bring their keys with them. So you have one less person in the office that could detect you and the door is open.

  • The door to the server room is always open because it's not a real server room and there's no proper ventilation, so the door must stay open. The server room contains the email server, the VPN into the company network, and the data server with confidential and/or private data of customers and business partners.

  • My computer: They probably won't get in, but they could steal the hard disk; then back home they have plenty of time to mount the disk without ever seeing a password prompt. On the disk they will find security keys to open emails and access data and code repositories. One silver lining there: if my hard disk got stolen I would immediately invalidate all the keys I have control over myself. They'd still have a copy of the data, but no access to our remote location. Also I don't save any passwords on my computer, so they won't be able to log in anywhere.

  • Tailgating is totally possible at the headquarters. I did it myself, and I've only visited there once. Nobody knows me there and they still let me in. I feel like a criminal doing it, even though I'm allowed and supposed to be there. I don't know what damage I could cause once I'm in, but nobody ever asked me anything in there, and I've been to places in the office where nobody knew me. All computers are just there, all doors are open. Stealing something would be easy.

Now you might say: "Hey, it's maybe not so important what you do if the security is so lax." I don't think you could kill anybody with the data and information we have here, true, but I'm not even supposed to talk to other employees about the project I'm working on. They taught us phrases to answer without saying anything important and to evade questions. Yet the data could be easily extracted if anybody wanted to.

👍 5 👤 u/P1r4nha 📅 Aug 06 2015 🗫 replies

👍 10 👤 u/Cyfun06 📅 Aug 05 2015 🗫 replies

This is amazing.

👍 9 👤 u/matthewjvince 📅 Aug 05 2015 🗫 replies

Can someone explain this? I literally have no idea what it's about.

👍 3 👤 u/JeamBim 📅 Sep 10 2015 🗫 replies

Just getting around to watching this now so apologies for the late comment, but I couldn't help but think this guy seems like the Danny McBride of pen testing. The swig from the 2 liter of Diet Pepsi sold it to me at the end. Glorious.

👍 1 👤 u/CuntyMcFuck 📅 Oct 28 2015 🗫 replies

Captions
This is my talk. I want you to understand I have to start with this slide because I'm gonna say things that might sound a little, you know, bad, mean, spiteful, hateful, you know, all those other adjectives. I'm adorable, okay? I'm a wonderful fluffy person and stuff, you know, who does not like doing bad things unless people pay me. I would never try to kill you unless you pay me to try it, okay? I promise. So when I tell you those really harmful, terrible things I'm going to be talking about, let's just remember the kittens, okay?

Title of my talk: Steal Everything, Kill Everyone, Cause Total Financial Ruin, or how I walked in and misbehaved. Quite simply, it's because of the security fails. I'm going to explain to you that the physical security and stuff, you know, is one of our biggest weaknesses, because people can understand two-dimensional versus three-dimensional when they're walking up to the front door.

Jayson E. Street. I have lots of letters behind my name, I promise. Let's start off with who I am. I've got a day job and a night job. My day job is I'm the AVP of information security at a financial institution; my boss is going to love this on Monday. What I do is I work in a cubicle with a lot of cool action figures around it. I monitor firewalls, I watch IDS systems, I build out our infrastructure, I find more creative ways to secure it and to go after people who are coming after us, and I do all the day-to-day blue team stuff. My main job is blue team, is defense, okay. My night job is the CIO of Stratagem 1 Solutions, where I do pen testing maybe like three times a year, stuff you know. Basically I do speaking engagements like this around the world. I've written a book, Dissecting the Hack, and I also do some other writing, and that's what I do at night. So I respond to incidents during the day, I create incidents for other people at night. Best of both worlds.

I love these pictures because you see the first picture with the baseball cap: that was me standing outside for an hour in front of the industrial park building, secured facility, on a Sunday with no traffic, and the security walks by twice and did not think to stop me and ask me what the [bleep] are you doing on the sidewalk just watching our building. And he didn't put it in his report either, so bad on him. The second picture, you know, looking dapper in the glasses, is actually going to apply for a job. Yes, I'm wearing a black hat collared shirt because I like to come with warning labels. And I did not get the job; unfortunately I was way overqualified for that one. I did get their data, so you know, win-win.

These are my two favorite pictures of engagements I've been on. The one where I'm wearing the "I'm a liability" shirt I think is the best one, because I stole a car in that shirt. I was at a hotel off the coast and the valet gave me the car, and I explained, it's like, I can't get in this car right now. And he's like, why? Said, well, because I'm stealing it. It's like, they paid me to do an assessment, I'm a liability. And yeah, it took him a while to figure that out, so finally I had to say, you might want to take this back, I think the owner is going to want it. The next one is my favorite: one of the most secured facilities I've ever seen in my life, right across the street from Ground Zero. SWAT teams, you know, with K9 units, with their machine guns walking through the concourse, eight security guards in the main elevator lobby and stuff, not including the business lobby. That's me in the upper floors wearing an actual valid badge and a shirt that says "your company's computer guy". I like that picture a lot. We'll get more to that story in a little bit.

So I do have a CISSP. I think the Code of Ethics say that I have to put a Sun Tzu quote in my talks. There it is. We're through the intro, halfway through, so far so good. We're going to talk about the one fact that we have to face when we're dealing with this subject, we'll talk about the two rules that I go by when I'm doing an engagement and the three outcomes from those two rules, hopefully a good conclusion discussion. Let's face it, you're going to the award ceremony right after this, but still we can hope.

Why this talk? I gave a talk last year on the 36 stratagems; it was talking about the beginning of social engineering, it was talking about things that you could do to try to get into the buildings. That was part one. And quite frankly, I got some feedback afterwards going, psych, man, Jayson, that's some basic concept stuff, you know, it's like you weren't showing any kind of NLP or... because I can't. I am NOT a professional social engineering expert. I don't know about NLP, I don't know the psychology, facial recognition, mind ninja techniques. I still get in. I have a hundred percent success rate of getting into facilities when I'm doing a social engineering engagement. So it's not that I'm that great, trust me, anybody will tell you that; it's that our security is that weak. So these are educational, and hopefully in a funny way, kind of talks, just to give you an onset of where to go look for more stuff and then hopefully have a good chuckle while you're doing it, okay? You're not going to learn anything new, but hopefully you'll remember something that will make you go look at something else and you'll be better for it.

So this is part two, because now I'm not talking about the social engineering part so much as this is all the damage I'm going to do after your security guy let me through the front door. Because number one fact: I'm getting in, okay?

I took this picture, I kid you not. I'm going to meet the guy for the first part of our meeting, and as soon as I got into the concourse and I saw the employee door for the secured area, I was like, oh, you got to be joking me. I walked right over, pushed one three five, guess what, I'm in. It's just, I would have tried 5 3 1 or 3 1 5, you know, I would try it, but look, the others are rubbed off. I mean, she didn't look at the guy's face when I showed up 10 minutes before our meeting, and no one knew I was there. So that was fun.

Here's another one. I went to go apply for another job, and when I'm on these engagements I like to be bad, so when I signed in with the receptionist I stole the pen. So I'm a bad guy, that's what we do. So as soon as I finished getting the pen and signing in, I ask where the bathroom is. It's not because I drink so much frickin' Diet Pepsi, it's just because I get lost very easily, and I will wander buildings looking for that darn bathroom for hours. Can't believe the things I can get into. Well, I'm going through and I actually happened to stumble into the secured area, part of the employee area, while I was looking for the bathroom, and I found the employee entrance. And this is like, the security guy at this facility actually bragged about their million-dollar security system. And I looked at the door and I saw this little rod thing and stuff, you know, that was what was latching the door, and I said, like, if only I had a condom or something, you know, to protect that little rod and keep the door from closing and then making it latch. And then I remembered, wait, I got a pen. So I took the pen that I stole, put the cap on the rod, the door shut perfectly and it didn't latch. So I leave, I come back in about 20 minutes or so, it's still there. I'm now in the secured facility, no one knows. So that was fun.

I am NOT... actually we're right here, okay. So I'm not a master locksmith. I tell people I don't have to be a master locksmith, okay, if your people will let me through the front door. I don't have to be a master ninja coder, which I'm not, if I can just steal the hard drive with all your data. Here are some of my master lock picking skills in action. I'm terrible with the lock picks, but I'm awesome with cardboard. We're back, door open, okay.

So here's another key. I love forging emails and putting them on an iPad. The key is to put them on an iPad. If you forge an email and print it out, they're gonna look at you like, fake, oh, this is, you just typed this up. You put it on an iPad, the blue hyperlinks stay hyperlinks, and also, it's on an iPad, it's magical, you must be telling the truth. So they're going to go and say, okay. So I was up in that secured facility in New York. The network guy noticed an unusual amount of traffic coming from the CFO's assistant's computer, and it's going to their main server, and was wondering what was going on. It was me. And so he comes over and he asks, what's going on, what are you doing? And I start telling him exactly why I'm there. I spent two hours on Google creating this email, making it sound like the owner, the new owner of this company, was upset and sent an email to the other company that he owns to send one of his guys out to go and look at the network, and I made it sound very political, I made it sound like there was urgency and that they were supposed to be surprised, so no one knew I was supposed to be there. So I showed this to the networking guy. Well, he sent me to his office, we went to his office and we talked to the CIO for about 10 minutes, and the employee then started to escort me around to all the other computer desks and stuff, you know, so I could plug in my malware, and I had an employee escort so I had to be okay. So I actually could finish the rest of the engagement and stuff, you know, having someone help me and make sure the people knew I was okay to be there, and plugging in my USB devices and doing whatever else I needed to do. So I really love that email.

I've got two rules, but guess what, looking for PCI is not one of them. I don't care about your HIPAA or HIPAA, I don't care about Sarbanes-Oxley, I don't care about your ISOs and Lester got Linux on them, I don't really care. I just want to f you up, I just want to mess you up in the worst possible way. I want to be the worst thing to ever happen to you at the worst possible time, okay? Remember the kittens.

So this is where I got my two rules. I got them from Serenity, which was based off the series Firefly, which Fox canceled; may they die in the fire. And the two quotes are very simple: "I aim to misbehave" and "let's go be bad guys". That's it. I'm just trying to do bad. To team it up, it's like, you know, red team, it's like, don't act surprised when we try to kick you below the belt. Bank managers are still being kidnapped today, taken to their home, their family held hostage overnight until they go open up the bank for bank robbers. That's not funny, that's real, this stuff still happens. Another thing is, this is one of those things that people talk about; this is not a new concept, what we're doing. This is from 1992, the movie Sneakers: so people hire you to break into their places to make sure no one can break into their places. It's a living. Well, this one's old now because it's not a very good one; it's gotten pretty good now, business is pretty good with this. But this is a concept that's not new. It's something that we still have to keep revisiting, stuff you know. Better people than me talk about it a little bit more technically and stuff, you know, like I said, I'm the comedy relief on this. But let's keep going.

So another thing we have to understand is management is not proactive, they are reactive. So Dana Irwin said in 2008, the best way to get management excited about a disaster plan is to burn down the building across the street. Hello everyone, I'd like to introduce myself: I'm the fire. So what we're gonna get to now is the fun part, and the fun part is talking about all the different ways we can start those fires, okay?

I love this one. This is what I call the trifecta of bad, because yes, I stole the phone, or cloned it; yes, I've got the laptop. Thirty laptops unsecured in this facility. They had no laptop lock cables because they were secure. By the time I did the exit interview I started seeing laptop lock cables, which was good for them. Also the badge, because, you know, my arms may get tired, I might need to make trips, so I had me an employee badge. I appreciated that, okay.

I do feel bad about this one, because I am a CISSP, I have a code of ethics, so please no one report me. Let's make this off the record. I'm sure no one's watching. Not about the laptop, because I have no problem stealing the laptop; I mean, the guy left the cable on it for him, he was just giving it to me. And I'm not talking about the screwdriver, because I need to steal something, maybe, you know, that was bolted down, because, you know, I like to be thorough. I was a little hungry and I stole one of the cookies. I'm sorry, okay. Let's go on.

I love this, because, you know, people expect security not to be that thorough, so they get their laptop lock cable, are told to fasten it to the desk, but that's hard, you have to bend down, so let's just lift that cable over the desk and no one's going to pull it. And you know what, most security doesn't pull the cable to see if it's actually secured. But I'm not security, I'm a thief. I'm going to pull the cable, I'm going to try to steal it all. So kudos for this guy, because he had it firmly attached to the desk, he had it locked, his laptop. But I'm telling you, when the code is zero zero zero zero, I'm going to try that one. I'm going to try one one one one, I'm going to try nine nine nine nine, and if you're a geek I'm going to try zero zero zero seven. So sorry about that one. Also they like to move the one... there's like the last number or the top number, they'll move one in either direction and that's it. That way they can just go, get it unlocked, ping, unlocked. I'm going to try those. Also when I'm on an engagement I'm going through all your drawers... wait, hello, that didn't sound right. I'm going to go through all your desks and your cabinets, okay, and I'm going to be looking for stuff, because nice, honest, and polite coworkers are not going to go looking through your desk. I'm not a nice, honest, and polite coworker.

This guy had his laptop locked totally correct, everything was right, and then he put the keys in his top drawer. So not only did I steal his laptop, but now I have a nice, really shiny laptop cable and stuff, you know, I can protect from someone stealing it, because I hate when they steal my stuff that I stole. The reason why this picture was in here is because I stole the iPod, because that's like totally freakin' retro, how awesome was that? This is another trifecta. I stole the purse, stole the car keys, and yes, I stole the phone. Let the record state I did not steal the lunch, okay. I felt really proud about that. But now let's hold on, let's cut it for a second. I took the car keys, took the driver's license out of her purse. I didn't go to the parking lot to find out what car it is, I unlock the car, I go back and put her car keys back. She comes back after work, I'm in the back seat with a gun telling her that I've got her driver's license, showing that I know where she lives, that I've got people there that will kill her family if she does not go back into that facility, steal all their data that I need and then come right back out, and that we're tracing, and we've got her phone cloned and we can monitor it. Employees need to know that their personal belongings are theirs, but the impact can be severe for them as well as the company. That's why they need to secure their stuff. Now let's remember the kittens real quick, okay.

When you have these mini frowny faces on a slide, you're just f'd, okay. It's just game over. You literally gave me a blank check to steal your credit and your identity, and trust me, my credit sucks, so I'm taking it. You know, thanks for leaving the Social Security card there, because it's got your signature on it, so I know exactly how to forge it. That was very helpful. Not many people are that kind. So, oh, when I stole the first car, the guy sort of cheated and let some people know that I was going around and doing stuff like that. So I said, well, screw you. At two o'clock in the morning I walked in, grabbed three Mercedes-Benz and a Beemer and just took them with me, less than 66 seconds, so Nicolas Cage, beat that. The look on the guy's face, the manager of security's face, when I walked to them and I dropped those four keys, was priceless. I wish I could've included the picture but it's on my desktop at my home.

So some countermeasures. Employees need to know that this stuff matters for them as well. Make sure they're locking their desk, securing their property. They secure their property at home, they secure their property in their car, they need to secure their property at work. Now also, no tailgating. You've got to make sure that they understand that they shouldn't tailgate. It's like, they shouldn't, because you know what I'm doing: I'm coming in a wheelchair and I got like four books, it's like, oh man, Jayson, you're a douchebag. And I'm like, yes, I'm a bad guy, I'm trying to steal from you. Do you really think I care that you're gonna feel a lesser about me because I'm not supposed to be in a wheelchair? No, I'm evil. So what I'm going to do is, trust me, when I go up to that door and I got these books, you're really going to... who's not gonna let me in the door? I mean seriously. No, you're going to let me in and I thank you for that. Your employees are not going to, your employers are not going to, but I will. Also, if you see something, say something. You don't have to personally tackle the guy if you think he's suspicious, okay, you do have to call security. You need to start empowering the employees to understand they are part of your security team and they need to start acting like it.

So yeah, here's the real warm and fuzzy side. We're going to talk about how, you know, to kill everyone, because that always brings up a crowd on a Sunday night. This is me taking pictures at 2:30 in the morning. I'm in a hotel, one of the different hotels in the area, and I'm inside a mechanical room. I'm wearing Pepsi pajama bottoms over some cargo pants with some really bad things and a white t-shirt, and I'm barefoot because I took all my clothes off in the bathroom in the guest area of the hotel and changed into that, and then started walking around to see what I could do. I could do a lot, because you notice one important fact in this picture: there are no padlocks on any of the switches. I will tell you this right now, I've got some OCD like you wouldn't believe, okay. If that switch is on, I'm turning it off. If that switch is off, I'm turning it on. And by golly, if there's a red button, I'm pushing it twice, okay. That's just how I roll. Okay, now I want you to understand I'm not a total jerk, okay. Because yes, I'm going to start a fire in this room and yes, it's going to have some poisonous chemicals in it so the smoke will go through the ventilation system that's right there. But I'm not totally terrible, because I mean, it's 2:30 in the morning, who wants to get woken up at 2:30 in the morning listening to this ringing alarm sound going off? So I'll silence the alarm system for you, because I don't want to be rude. The only thing worse than having that alarm going off in your ears and stuff, you know, is someone throwing cold water on your face when you're trying to sleep. I'll turn the sprinkler system off for you too, okay. I don't want anybody to get all, you know, wet and drenched and stuff, you know, there's a fire going on, that'd be dangerous. Oh wait, huh, yeah, maybe not, okay.

So another place that I like, I think it's great to kill people, is the kitchen. This guy didn't even ask who I was there, but, you know, most people don't. So just to bring that home, here's a nice little video. Is there any law enforcement from Malaysia in here? Okay, this was good. This was a video that I took in Malaysia, in a Malaysian hotel. I was wearing this shirt, and I'm in Malaysia, I don't blend well. So let's see what happens, here we go. I didn't edit this video because I don't want you to think, you know, shenanigans, like you made yourself look good or something like that, but now you'll get to see me doing exactly everything that I did, including right here where I should have turned the other way, but I turned this way, but I didn't know the building, why. So let's walk down this corridor first. Yay, I'm walking as fast as I can, and if I wanted to steal some tables, there I go. I was like, wow, that was a letdown. I'm sure I'm impressing people that are in the audience right now. So I decided to keep going. I'm a hacker, we don't give up the first try, right? So now if you get motion sickness or seasickness, take Dramamine or look away for a second, okay, because this gets... I wasn't joking. So I come up against this door here and I'm thinking, oops, there we go. So I come up against this door and I'm thinking, oh, this is awesome, the reason is because it's secured and it's got stuff in there that you want protected, so you put a padlock on it but then you don't padlock it. So, one, thank you for that. What could you be protecting? I don't know, let's see here. Oh, I did not go in there with an Uzi or an AK-47, I did not bring C4 with me. I just walked out of that closet with napalm. I just walked out with poison. So let's see what I can do. Well, first I got to find a place to do that. That's going to be a long search, you know, looking for the proper place to deploy this kind of stuff. Let me turn around and, oh, I'm in the kitchen. That was quick. So let's walk through here. Everybody say hello to this guy; he didn't say hello to me, jerk. If it was a little bit later at night I'd be, you know, tampering with... right there's the refrigerator for the food supply. I would destroy your food supply. Even if you detected it was poison it would be useless, you'd have to destroy all of it. That's important right there. Here I'm going into another room. I could have gone to some of these other doors, I wasn't really trying, especially since I didn't have permission. I mean, I'm in, since they didn't know at first; they said okay first afterwards. Here's the mechanical areas. This is where I start my mechanical fires using the napalm. You notice those two guys there, so I have to use social engineering countermeasures. Let's listen to my countermeasures: hey, how's it going? It was going okay, and I kept moving. So here we go through the rest of it, that's just me showing you more places that I would spread the napalm. I like saying napalm. One of the other things you notice is that they protect guest information really well, you know, in the computer systems. You know, you can't go to the front desk to ask where someone's staying, but obviously you can walk into the kitchen, because every person, their room number and their name, is right there for room service. So that's pretty low-tech.

Now I'm going through this and I'm thinking, you're saying, Jayson, all you're doing is just walking around in a freakin' place, what's that? Well, basically, first of all, dude, I told you I was showing you the physical stuff, not social engineering. But since you asked, let's go try to do some social engineering, because let's see what happens if someone notices me. So I'm going to go talk to the head chef and the manager of the hotel. So I asked what he's using, Wi-Fi or cable. I got an iPad and I've got my hacker shirt, I was like, using Wi-Fi? I'm questioning on the stuff, you know, and he's saying he's incapable of tangling it up. I love the way they smiled, like the guy in the back window was just like, you know, photobombing me, going, what's going on with that guy? And I just left, that was it. So that's how easy it can be, and we talked about social here, it's just as easy as just saying how's it going and stuff, you know, and talking to someone. People don't expect bad things to happen until they happen.

So some of the countermeasures. One of the key ones that I could not stress enough is create a code word. Make sure people understand... first of all, make your employees understand this stuff happens. Workplace violence happens. I mean, for gosh sakes, I got this information off of workplaceviolencenews.com. It happens too often, they've got a website for it, for gosh sakes, that's depressing, okay. So you've got to understand that that happens. So set up a code. I tell people, especially with receptionists, a code of "oh my God, he's got a gun, run, panic, we're all going to die" is not the best code, okay. It is effective, it does, you know, raise... but it may not be the best. I always tell them to suggest something like a code periwinkle: "Mr. Periwinkle to HR, Mr. Periwinkle to HR." And I'm hoping that someday someone institutes an actual code periwinkle, because I think that's just funny, saying periwinkle. Another one is conduct routine safety checks, not just safety checks of your equipment but of your people as well. When I walked around for an hour I noticed one thing at that facility: there was this one door that I could easily jimmy, and it had a camera that was right over it, but I could tell by the angle, because of where the other two cameras were spaced, if I walked diagonally from the other parking area they wouldn't see me except for that one camera, and if that camera was angled the right way I could totally bypass it. So I talked to the former head of security there and I told him, like, dude, this is how I'd walk in, and he's like, whatever, like, come with me. He takes me into this office, the security office. It was empty. Showed me the computer screens, the TV monitor screens, they were all turned off. He turns them on. The one camera that was not working was that one. I looked him dead in the eye and I said, no, seriously, it's like, oh, I guess I wasn't the only one that had that idea, you may want to check your inventory. I did mention he was the former head of security at that facility, okay, good.

Okay, so let's talk about, you know, financial ruin. What about the espionage? And I hate to hurt some people's feelings and just say it's not just the Chinese, okay. 70s, the 80s, 90s, it's like, the French were doing awesome with it. So sorry, too, you know, didn't... so actually I'm complimenting my French friends because they did a great counter-espionage thing with the CIA and stuff back in the 90s at the Boeing incident. You can Google that one; see, I wish you wouldn't. So that was fun. So let's talk about some of the things you can do there. Once again, this mini frowny face is not good, because, you know what, I'm an environmentalist. Do you know how many poor senseless trees die every day due to those printouts that you leave beside the printer? Well, you know what, they will not die in vain when I visit. I'm taking all of them, I'm going to liberate those trees, I'm going to liberate all, and you know what, I'm such an environmentalist I will take the ones that are still printing out just to make sure you don't forget them. Those trees will not die in vain when I'm there. Another one, and this is so sad, this is actually a Dilbert comic strip, is that they still use shred bins to put all your... you're telling me all your confidential data, all the stuff that needs to be shredded, let's put it in a big blue bucket. This is all the confidential... and this is done in DC, and this is done in financial institutions, this is done in like DoD contractors' offices. My favorite is the DoD contractor's office: it's a secured area, the office, the actual office of the executives, they're actually secured, blocked, where security, cleaning crew can't go in because of all the top-secret data. So what do they do at night? They put the blue bucket outside their door. Yes, that's awesome. I mean, I'm sorry, it's awesome for the bad guys. Oh dude, yeah, when I get to the point where I could just stick malware into your hard drive, it's just gonna be a fun night for me, not for you. Really, yeah, DEF CON, get with it. One thing, we're going off your workstation: when you see that USB drive in your Exchange server, it's not going to end well for you, okay. I know where that USB drive's been. You don't want it in your Exchange server, okay. And you're thinking, it's like, what kind of damage is something you can do going after our Exchange server? Ask HBGary. But we can go and say, well, then how about your accounting server, with the 25 other employees that are also me that are now getting paychecks from you. Say, well, it's okay, it's not going to be too bad. Or I could just do a wire sniff; this was like from my part one talk, you know, just do a Wireshark to find your traffic, sniffing passwords. That's hard, you got to configure all the stuff, Linux, you got the... like I said, I'm not that technical, I'm not that, you know, bright. It's like, well, I'll just get them off your monitor, okay. I love this one. I actually tried "bracket leave blank bracket" first; I gave them the benefit of the doubt, okay, and yes, it was just hit enter. This is my favorite of all time. You know why? Because this was at a pharmaceutical bio-whatever research lab, stuff you know, where I'm supposed to be dealing with rocket scientists, right. The password: first of all, they shouldn't have written it down at all, but the password that was scratched out was actually an alphanumeric special character password, it was very complex and it was hard, so they scratched it out and put "welcome". And it was all lowercase. I tried the capital first, because, you know, they're rocket scientists.

The one thing worse than seeing me in Pepsi pajamas, you know, is actually seeing me in this suit, because if I'm in this suit I am out to screw you over terribly, okay, because I'm wearing my Vest of Doom. I call it the Vesta Doom because I think it sounds good when I'm reliving my childhood. If you want to know more about the Vest of Doom and all these little toys, it's in my part one talk that I did last year. But now I want you to know I've got a Vest of Doom 2.0. Let's see some of those things, okay. I've got some video recorder USB pens right here. Not only am I keeping one in my pocket, I'm going to actually be going in and leaving them in your little cup holders that you leave, so I can record you logging in your passwords, carrying on your conversations, things like that. So that's awesome. If I'm the tech guy I got my nice little handy 8 gig USB flashlight video recorder that I'm stealing your data off of, and as you remember the little bouncy Dramamine, that was because it was taken on my 4 gig audio video recorder watch. When I walk into your facility I'm a walking talking Google Street car, okay, I'm capturing everything I can. Now I got another device in my 2.0 vest. This was something that was given to me by a three-letter agency in DC. The only reason why he gave me this device and stuff, you know, which cost billions of dollars of research, he said was that I was to never talk about it in public. So this device he gave me is actually a USB keystroke logger. It's undetected by any antivirus, you can plug it in, it's very streamlined, it's undetectable, stuff you know, it's very hard to spot when you actually plug it into the device, and it records all the keystrokes you write. I'm lying, I got it off of ThinkGeek. ThinkGeek. I like to put this for, you know, for the QSAs, for your executives, you know, that you want to talk about this slide, students, you know, when you get back and tell them about these things, let them put it in a different way that they understand a little bit better: the risk matrix. Available at a geek and gadget website? Well, we've discovered that's a near certainty, okay. Being able to log the CEO's keystrokes? Yeah, I'm going to go with catastrophic on that one. Now you see all these other devices, you see all these pens, you know, these devices, those were required, it's like, you know, from a very... I mean you have to be a select group of people, okay, to be able to get access to that kind of technology. I mean, I think everybody is familiar with that kind of access, I think everybody here has
that access it's called frequent fliers I mean you talk about hackers doing this kind of data okay I'm an accountant I really hate my boss I really hate my job I want to go somewhere I want to steal a whole bunch of stuff from the company first how could I do that oh I'm on this flight oh look SkyMall oh I can put key log stroke keystroke logging and spyware on his my boss's computer oh I can you know have a USB recorder and stuff you know pin and take video of our company secrets and yes I can actually have a voice recorder so I can record our top secret confidential conference meetings this is not hard that is one of the biggest things you hear I see these talks and it's like these guys are like the rockstars and like they're two super elite and stuff you know and they deserve all the credit all this stuff but I'm telling you it's not just that I'm the reverse of that I'm the guy saying it's so easy even I can do it okay it is like it's just the general stuff people are so busy protecting their stuff from these very high-level attacks they're forgetting Oh SQL I oops sorry Sony you know it's like it sometimes it's a low-hanging fruit it really is the low-hanging fruit they're going to go after so you've got to be protecting that as well you got to be protecting from these kind of threats as well this is one I love this one I took these pictures this is a the pony plug from Pony Express I took these pictures at a bank branch off on the on the west coast and I did four branches four attempts for successes after the fourth one they told me to stop the reason why is because I walked in I was wearing a blue DEF CON shirt work shirt I come with warning labels and I told it's like I'm here to check we have been having brownouts at the corporate office and we need to check to make sure that the power fluctuations aren't affecting your operations here so I'm going to need to do is on you plug this device into your here plug into the network so you can take the readings 
and report back to the home office exactly what's going on and by the way I need to go in and check your make sure all the computers have proper power surges and UPS units working they used a face false name that I had no ID or dint ofin for I used a fake company and a fake phone number I signed into their vendor log if I would have come in there with a ski mask and a shotgun every single person would reacted exactly the right way they've been trained to handle that they were not able to they did not expect the geek factor and they walked me through the teller area the drive-through area and through the back rooms where the actual money is not too shiny little vault thing but the big saves with the actual money in it what kind of damage could I have done but I did do was I plugged in my pony device this one with the power unit and stuff you can see the power UPC on the right I like that one the best because I had to get the bank manager to get out of her seat so I could plug it into behind her desk and what I do right after that it's like I can I don't have to go to my car I don't have to phone home I go to the bank lobby and I've got backtrack 5 on the Xoom tablet and it's I've got it already connected to the Pony Express I'm pulling you before I even get out your door ok so what are some of the countermeasures there's only one major countermeasures people ok and that quite frankly is just going to be stop printing what happen to this paperless office for gosh sakes it's like make sure you're doing proper DLP making sure you're talking about.we there was a recent report about how some of these data leakages are mostly coming from insider and threats from the actual employees themselves so make sure you're watching you're doing dual diligence making sure that not everything is being shared open so now what can we do like I said I'm the blue team I like it when we win I love I am I kid you not I am rooting so hard for the good guys when I go on an engagement okay I 
mean I look at some of those employees sometimes like you've got to be I think you're believing what I just said seriously and it's like it didn't let me unit I'm like I don't like dude obviously I was a bad guy it's like so we need it what do we need to do though we need to educate empower and enforce our work force our employees and way to educate them is to stop this one simple phrase stupid users stupid users clicked on an email stupid users went to a website that weren't supposed to go you know what if I'm in the security department stupid me for not educating my employees properly on how to handle those kind of threats okay and another thing is if I hire an employee and on the first day they don't even have a driver's license and on the first day of work I tell them here's the keys to my Bentley go do some deliveries and they break and they crash that car who's the idiot the one that started driving and the one that gave them the keys we're giving them technology they don't know how to use they need to start being educated properly on how to use it then when they screw up we can say it but not until then we need to educate our employees and let them understand where they're going to do we also need to empower our employees and by empowering them I don't mean starting a union okay so don't get all upset with me you know management types okay we need to let them know one simple fact they are part of the security team from the CEO to the mailroom you are part of the security team it is part of your job in your duties to make sure you're protecting the company data and they need to know that and they need to enjoy that they need to understand you as information security has the has access to the biggest intrusion detection system known to man all those employees on the front line they're saying oh that looks weird that should have happened let me call somebody that's what you need to start doing you need to start empowering them you need to start letting them 
know that it's required I've got a guy who sends me 15 freakin emails okay a week on a phishing scam or some kind of other thing that he thought was weird and he wants you wanted to make sure I knew about it you know what I say every single time awesome thank you very much I appreciate it because that 16th one is not going to be a false positive it's going to be something we need to respond to I'd rather get a thousand false positives from people that are actually thinking about it because if they're sending it to me that means they're thinking about security we do walkthroughs in our facility during our day job and we look under keyboards for passwords I mean at first we actually started finding okay that was bad it's like but then we started not finding it but we still do it you know why because every time you do that everybody in that area is going oh they're checking for something we got to make sure creating that security awareness without shoving it down their throat that's how you do it that's how you and then you enforce it okay not with a baseball bat oh gosh that would be fun but no it's like not with a baseball bat but with positive enforcement when someone stops me when I don't have a visible badge and says what are you doing what are you doing there I report them to their supervisor and I say awesome job that person did what they're supposed to do that person is protecting our data we've got it where we put a list and stuff you know and our bulletins and stuff you know an employee bulletin saying people that got kudos for security they did the right thing they did it the right way and you know what that breeds competition because that freaking susiana counting she's always getting the credit for doing that stuff well I can do it too you know I can stop someone that I don't think they have a proper badge that's how you enforce it it doesn't have to be negative you've got to work force you've got a human iPS system out there just waiting to be used start 
using them okay so as when as you as soon as you stop saying stupid user and start saying my co-workers in the Information Security Department we're going to start winning so here are some links and there you go you
Info
Channel: Christiaan008
Views: 1,383,229
Keywords: DEF, CON, 19, Hacking, Conference, Presentation, By, Jayson, E, Street, Steal, Everything, Kill, Everyone, Cause, Total, Financial, Ruin, Video
Id: JsVtHqICeKE
Length: 40min 46sec (2446 seconds)
Published: Mon Feb 13 2012