FC, Baseball, Mccaw discussed on Darknet Diaries
Need a badge just to open the front door and then another badge to get through this gate to get into the building and all I'm doing is thinking. Oh my God like boy f why they need the tack to get our. I'M GONNA approach a security the security guards that And if they needs to out on kind of screwed right so I'm trying to put on a brave face. I talk this exit and thankfully it's just an infrared been detective someone's there and it just opens the gate and through and just okay on radio. Hope that I'm GonNa make it between like these security gates in the door which is like thirty feet but if someone is going to stop me any point it's going to be now and I just pushed the door open. Walk out onto the street and then run away like say. This is always running into new in social engineering. Nice he did it. He accomplish the objective which was just to get into the building not only that he got into two buildings implanted a raspberry Pi for further exploitation leader now. Fc likes to try to dress like the people who are supposed to be in that building and this way he can blend in better and looks like he belongs. So I always dressed. How my target? Woody is right so a broken the first time the beginning of the week into this building looking exactly the same as everyone else and no one repave any mind. Right side breakout went back the next day slightly dressed down again. No one inspired me so by light the third or fourth time I was dressing in complete slope right so I had like really ripped jeans was still wearing a baseball cap. I had like a fake tattoos. Leave on T. shirt like with the logo on it. All the stuff that they they shouldn't be allowed to wear in this building and but he was still paying attention. So part of my job is like take photographs of like evidence of where of not right. So I'm thinking okay. I need to step this up so I gave back down to reception and I'm not hey I'm I got my my Jackie. It's upstairs. I need to get something out. Mccaw can can you let me back in when when come back? They're like yeah. Sure no problem. And so we got my car and I get a massive s la camera right with a huge lens on it and I come back. In and desertion is funneling. Let me back into the building because she assumes that right so I won't pass onto the I think it's the finance. Hr floor quite restrictive. For I don't know how much can I push this so I stand on a chair right? Which is not normal office behavior. At least new offices I worked Has Done done chair and I start taking photos with this. Massive camera of like unlit desktops and all sorts of security issues right when all sudden. This woman appears from our no way. Excuse me Sir. Great someone's finally spoiled me and he's going to ask what the Hell I'm doing that right. Excuse me Sir. I'm going to be in a magazine kind of let me just carry on taking it. It's bizarre what you can get away with. By the time the assessment was over freaky clown had gained access to all three buildings and had poked around on every floor of each of them while the front door and exterior looked impenetrable. He still found numerous ways in which allowed him to build a report for his client. Who was happy to see. All the ways they can improve security obviously had taken this very seriously so they wanted to make it better over time. Fc has done many more penetration tests and physical assessments and one thing he keeps getting jobs. Doing is breaking into banks so at one point. I was Breaking to eight high street banks a week. Right this is how many doing at one point So we working down the country to release banks and one of the area. Managers didn't understand the test old point of the test and he thought we were there to really show him up so what he did was he called vs branches and told them that we becoming in which is big nights. I are up to this This high re bank and I'm so ushered to one side which is build a story the up given them right. Which I'm not going to give you because that would get you access into basically any bank right. So I get to decide McKenna's Abi Aad at ten minutes past twenty minutes go past and I'm like Oh man this is. This is not a right sudden. Blue flashing lights appear of rare armed response coming to the bank and it may be done So I had to explain to them. What my role was when job was and I was there. Really trying to rob the bank but not really as a criminal Which is always an interesting conversation to have with police. Now when social engineering gets caught typically try to figure out a way out of the situation to lie or make up a story just to get out of it but since the actual police were involved he knew he had to come clean with why he was there and so this is a couple of fails in this one. The client telling telling the Bronx I was coming to the branch massively panicked. There's a whole set of policies and procedures that they should go through if they think under attack like this. What they did was they sick and been aid. Most of them went straight according to police. And the interesting thing there is if they charged with Wasting police time and you can only have about three to five of those per year before you get blacklisted. So if they had any more of those than they're not going to get on response that quickly right because it's going to be the police be like well they wasting our time. It's ridiculous rule but it does happen So they they really messed up without one really badly but the interesting thing Mary's I have a letter explaining who I am. I'm there to do and I have authorisation Cetera but This is one of the very few times I've ever had to produce it. But the thing is I'm always carrying two and the second one is actually a fake and so that fake one has the same information but with numbers that relate to colleagues right so when the branch manager phoned up there actually finding a friend of mine and he's a Nanna he should definitely be that because we testing that procedure as well like doing everything is written on the light which says phone them using your internal systems. Don't use the numbers here. And if they're not foreing that s another fail for them beyond. The police are involved. You just don't want to play games with them. So he had to come clean on everything and they called all the people who he said gave him permission to do this and found that everything was legit so they let him go. But freaky clown doesn't always go on site to terrar- banks. Sometimes he can just rub them through. The Internet gaming is pre even easier than physical assessments right. Because you can. You can hit anywhere on that the environment to gain right. There's a loads of flaws that you can take advantage of where like what are some of those flaws so a lot cross site scripting log secret injection bad Bad configurations all network defenses Using some interesting techniques where he kind of blend the physical and digital side. So sometimes what we've done in the past is trade physical device Breaking the Bank itself that physical device and then use that to gain access in and this becomes prior to the whole core of I is. It's like if you don't have physical so it then it doesn't really matter how good your defenses are digitally move. Just use the physical bit to get past. Go by So yeah there's a ton of techniques that a law contest is used for getting into sites but because it's a bank doesn't make it any better to be honest you know the the generally a little bit more lax in some areas because of their so huge. They can't always update everything they need to do. While he's hacking networks over the Internet. He's sometimes able to fill his bank account with money. Yes so one of the. I love to show to two kids when we're doing a lot of outreach and I'm talking about how we have we banks and how we do all these fancy things is. I showed them a picture. I took some years a an ATM of my calves. After doing one of these assessments. Any what it does is it. Shows a picture of by five or six different accounts and in each one is more than a million pounds that we've taken out or we have to give the money back. Paul the ethics of it and be shows that once you're into those systems you can very easily transfer out money to where we need to An a lot of the defenses that banks use are very complicated because they have people that know how to transfer money right bulk money and they have people that know the Computer Systems. But they have this. We'd separation where they go. Okay the people that know. How transfer the money don't understand the technicalities that they need to circumvent? And the people that know how to circumvent the technicalities don't know how the money sending process works. So we kind of okay with that I am but when you get a an ethical hacker that comes in that knows a bit of both then that's when all sorts of trouble can happen and then you can literally just siphon out millions of pounds out of the bank systems into other accounts after hearing this. I think most companies aren't ready for a skilled social engineer to break into the building to try to steal real assets. Like this office. Workers get a yearly security training. Where they teach you how to spot phishing emails. But I don't think it teaches you how to handle a fishing call or person asking you to open door for them because they forgot their keys in their jacket upstairs. We want to be nice and helpful to others and often we are. It's often said that the human is the weakest link. Insecurity and scammers and criminals can manipulate people to carry out attacks. A lot easier than manipulating computer. But what's also true is. The human is often the strongest link to with the right set of eyes and well trained. Staff can drastically reduce the vulnerabilities in the office. There are troves of stories about how one person ruined entire plan for some hackers. Like for instance. When a hacking group broke into a bank attempted to transfer money to their accounts it was a human who saw that transfer was a little odd and decided to flag it to be followed up on and sure enough. It was not an authorized transfer. And there's one person stopped this cyberattack which took months of planning and preparation so I think if you want to have a secure environment it really needs to be the job of everyone in the office to help keep things secure starting with the CEO or president and working its way all the way down to the nightly cleaning crew with proper training and education. The human can be the strongest defense to cyber threats and in fact a lot of times. It's our only hope.