
(Final Keynote) DECEPTION VIA PERCEPTION: Jayson E Street

BSides Cape Town · 1:24:29 · 139 views · Published 2023-10
About this talk
BSides Cape Town 2022 Conference, Final Keynote, Track 1. (Final Keynote) DECEPTION VIA PERCEPTION: Jayson E Street. Re-upload for better audio quality.

Transcript [en]

Okay, so, final talk for the day. Afterwards we're just going to do a closing remark, a few surprises, and then we'll be off to the party as well. But before that, we imported some hacker goodness from the US. I don't want to introduce him myself because I might screw it up, so I'd rather leave it to the man himself. Give him a warm Cape Town welcome while he's here. It's his birthday here in South Africa; it's not today, but just take that into account. Should be fine. Thank you.

Thank you for being hardy enough to actually stay to the very end and actually make my talk. I always like it when that happens, and I'm surprised. So thanks. We're going to start off with my legal disclaimer. I'm not a lawyer, but I played one on the internet successfully before, and so this is my legal disclaimer, because during my talk I'm going to talk about things where you're probably going to go, "That's horrible, why would you do that? You're a bad man." Like, no, remember the kittens. I'm adorable, okay? I will not try to steal from you, kill you, or ruin you financially unless you pay me first. There's always a contract, okay? So when you hear some of these stories and you see some of the video (yeah, I got video of it), just remember the kittens.

The title of my talk is Perception: From a Blue Tractor to a Blue and Black Dress. Yes, there is sort of a message behind it, but it's basically one of perception. Whenever I used to see the little blue farm tractors, I thought, those are adorable. I'm adorable, I love those things. No, those things are very scary; they're anti-tank weapons. Who knew? So it's all about trying to show: this is what we think something is, but you never know when someone can do something else with it, or when we see something every day and
we're like, oh, that's what this is for, it's totally harmless. Maybe not so much.

Now, also a big thing that I want to make sure that I address is that I got a lot of flak for that. I have some really good Russian friends, and they are sincerely my friends. I've been to Moscow, I've been to St Petersburg, I spoke at a conference in St Petersburg, Russia in 2019. There are very good people there, and they're very good, wonderful hackers that are committed to doing good. One of my friends is missing because he was protesting in Moscow against the illegal Putin invasion. But some other hackers were coming to me like, well, why are you anti-Russian? And I'm like, no, I'm not anti-Russian. Russia's a wonderful country. I'm anti Putin's illegal invasion, which is destroying his country and the Ukrainian country. That's what I'm against. There's a difference, and I'm not trying to be political. I'm trying to say there's some things that we have to stand up for. When George W. Bush illegally invaded Iraq over the whole lie about the weapons of mass destruction (because you know that was a lie and a wrongful invasion), so I should know that Putin stuff is wrong. There was a simple thing from that: someone threw a shoe. If you know about Arabic culture in the Middle East, just seeing the sole of one's foot is an insult; to throw the shoe, that's more than milkshakes or tomatoes, okay? That's bad. So it was a big insult, and that one shoe became the symbol of the unrest that the Iraqis had from people invading their country. Because attacking Iraq after 9/11 was like the US attacking Afghanistan and going, oh, let's take Iraq too. That's like if during World War II, after Pearl Harbor, we decided, well, let's attack Japan and Mexico. Not really,
it shouldn't be done. So that shoe was the symbol. In the 1970s, when women were having to fight for their rights, to be counted as a human being, they threw things in the dumpster for equal rights. They never burned it; they never burned bras. They were throwing them in the dumpster along with broom handles and other things that were supposed to be considered feminine. But of course, you know, guys, the reporters, all concentrated on the bra, because boobies. And that became the symbol of that movement. And luckily, since the 1970s, that's all been fixed in America and women are just... oh wait, no, sorry, it's still a dumpster fire there for women. But yes, that became the symbol. And in Iran right now, currently, they are just doing the simple thing of cutting their hair, in frustration and rebellion, and people wonder, why are they cutting their hair? It's from all the way back from a poem (I'm not going to mispronounce it), but there's an old poem; it's a tradition from hundreds and hundreds of years, where when they go to battle, or when they go to protest, and when they go to show that they're going for war, they will cut their hair. And so they are cutting their hair as their protest against the regime, the unlawful regime that's going on right now in Iran, that is putting them in just as much jeopardy as Iran puts the rest of the world in jeopardy. So it's those kinds of outpourings in those protests. It doesn't matter what country I'm from, I've got to stand up and say something, because if you have a voice, use it, because a lot of other people don't have one. And so that's what I try to do. So it's not that I hate Russia; I hate dictators.

Now a bit about me. I like to ride motorcycles. I've been on television correcting reporters. It looks like I'm screaming at people, but that's
actually me gathering a thought. I like to do weird things in weird places. That's me actually skydiving outside of Mossel Bay here in South Africa, and there's me robbing a bank. And then I love playing No Man's Sky. No Man's Sky is an amazing game; it's like Minecraft for old nerds. You should try it out.

So now let's get into the good stuff. Oh, if you want to know more about me: jason.com. If you want to know where I've been: hackadventures.world. Or if you want to read my live journal diary, Twitter at @JaysonStreet while it still exists, or Mastodon when it doesn't.

So let's get into it. This talk is a little bit different because I decided to end it on myths. I want to bust some myths. This is the last talk I'm giving this year, thank God; what a long year. So there's a lot of new content I want to go over. I want to start off with the blue team myth: "humans are the weakest link." That is so much bull crap, so much of a lazy excuse that blue teamers use. When a user clicks on a link on a website, or a user clicks on an email, they're like, well, we're blaming the user: click on a link, stupid user. Stupid information security didn't properly teach their users. They're not the weakest link; they're the ones we least invested in. If I was running a company and I invested in my technology to protect my people as much as I invest in people to protect my technology, our company would have a firewall like a PIX, you know, 800 or something like that, with a default ACL with an allow-all rule. No logging, because that's just going to fill up; we'd need a place to actually put the backup for that, so screw that, we don't need that. And they would have a Snort base install with all the signatures running, but that's okay, no one's actually paying attention to it, because we've all seen a freaking Snort install with the basic script running, right? Would that be helpful for your company? No. So
you invest money, you work on that, you make sure that you're applying the right technology to protect your company from network and computer-based attacks. But you need to understand that it's evolving. We need to start investing in our people to learn how to protect our technology, and then use the technology as a safety net. We've been using technology like it's a wall. We're like, build a wall, make the APTs pay for it. Trust me, I know that doesn't work, okay? Spoiler alert. We've got to stop trying to make it the one-and-all defense, because when that technology fails, and it will, you're screwed, because the human's not prepared to take over and figure out what's going on. So you need to start showing more and creating more of a way to get people to protect the technology, and when they screw up, and they will, the technology can be the safety net to keep you from being totally breached. And trust me, I know a lot of red teamers are going, yeah, those blue teamers. Let's talk about how stupid the red teamers are sometimes, okay?

Because the red team myth that I hate the most is that they are there to break systems, exploit what they can, and show the client how they failed in defending against their leet attacks and hacks. I am so tired of the toxic masculinity in the freaking red teaming industry, where their whole model of quoting things is from a convicted rapist who, when he was hit in the face, decided to bite a guy's ear off as his only recourse, okay? If that's your life coach, you need a new life, okay? And also he's a plagiarist. He actually plagiarized that thing from a Prussian general who actually used it as a warning for people like the red team, because it was actually "no battle plan ever survived contact with the enemy." That should be a warning for red teamers: when you go into that place, whatever you thought
you were planning, you're not prepared for what you're going to find. That's what it was about. But, you know, Mike Tyson is like, how did you expect to get it right? So we need to stop with this attitude that red teamers are there to break things, that red teamers are there because they're the elite rock stars in this industry. Screw that noise. The only reason why the red team exists is to make the blue team better, and if you're part of the red team and not trying to be an advocate for your clients, and you're more concerned about being the adversary, you suck at your job. So that's what that's about. So I'm making a lot of friends here, yeah, but straight up, that's what we need to understand. I'm not trying to be an adversary to my clients; I'm trying to be an advocate. It doesn't matter how well and leet my attacks are; they're not paying for that. No client in history has paid you for that. They're getting that for free every day. They're paying you for the report. That's what your job is. It doesn't matter how good your leet hacks are or how well you busted it; if you can't properly train that and talk to that and communicate that to the team and to your clients and to their executives, and show them the importance of getting these things fixed and how they can get those things fixed, you wasted everybody's time. It doesn't matter how cool it was; it's ineffectual, it's unimportant, because there were no actionable items afterwards. That's what we need to start understanding. You were there to make the blue team better. You were there to help verify and make sure that their defenses are working the way they wanted them to, and if you're not doing that, retire. So, I'm not sorry. I'm a little feisty, so just deal with it. I'm going out in a blaze of glory this year, guys. Just enjoy the ride, okay? Because I ain't done. And I'm
not limited to the red and blue team, okay, because I like colors. I like to call myself a simulated adversary, or, as Sean from a podcast in the UK said, I'm a security awareness operative, and I said, oh, that sounds cool, because "Secret Agent Man": security awareness operative. It sounds a lot better than, hey, I'm a guy who lies to a lot of people. But that sounds cool too. But for me it's about education, not exploitation. I don't use any exploits in any of my attacks, in any of my engagements. They're always like popping Notepad, or just doing something that helps educate. I want them to catch me. In every engagement I promise my client, it is part of our contract, it is part of their understanding, that by the third day of the engagement I will be caught, either by them actually doing a great job, which is the best, because if you're not rooting for your clients, you need to reorganize your life priorities. You want them to do good. You're there not to break it but to validate it. So if you validate it and that shows that they were good and that they caught something, that's still a win. So I want to make sure that I get caught, because I want it to be a positive experience for the users, because I'm not breaking into servers, I'm attacking people. I have never seen an email server get sad because it got popped with an SOA 67. Does it still happen? Yes. Today? Yes, it still happens. Now they're going to the really hot new thing from 2011, you know, EternalBlue or something, but still, it's still happening, okay? But those servers don't get upset for that, but people do. Instead of just giving them all the things to look down on and what they did wrong, I always make sure I give them something to look up to, something to show that they can try to emulate, so they can go up to that point and be like that person. And yes, sometimes I have to try really hard to
get caught. I've spun around in a chair before. I shut down a machine during business hours and walked it out of the tower before they figured out that I wasn't supposed to be there for the last half hour. But they did, and they were the winners, and I wrote their names down. Never write down someone who failed; I always write down the people who catch me. And I tell them that. About two minutes after I successfully escaped, I go back and I talk to every single person that I was with. That's my job; that's where the work starts, because that's where the social engineering starts. Like, yeah, I'm sorry, I was a horrible guy, and I just robbed you. What you did, you shouldn't have done. I was being a bad person, and oh yeah, you're not getting those new computers, I lied. I'm a horrible person. Remember the kittens. But I'm sorry, and this is why this is helping you, because I'm not here to test you, I'm here to teach you. So therefore you didn't lose, you learned. You had a lesson, and that's what it was about. And you show them how you were just trying to teach them, and make it a positive experience, and that way you have a very well educated workforce that now understands what an attack looks like when it occurs, and they'll be more ready for it. And I don't use advanced attacks. I'm not using, like, you know, zero days; that's, like, no way, you know my skill level. Because I always hear, I'm so tired of hearing about APTs. Oh my gosh, yeah, we got popped, an APT got us. You know what APT is? It's what the CEOs tell the shareholders and the public when they get popped by an email, right? That's what APTs are. APT stands for, not Advanced Persistent Threat, that's real scary, no: Adequate Phishing Technique. There, now we've got it, now we know what it is.
That's what an APT is, okay? I'm not even doing that stuff. I'm just bad, basic, adorable destruction. That's it. I'm not checking to see if you're compliant. I call PCI "Schrödinger compliance," because everybody's PCI compliant until they're not. Have you noticed that? You notice all these companies that get popped, like, "we're PCI compliant." So yeah, that's really weird. But no, I don't care about your PCI or your HIPAA, hippo, hobo, whatever, your Gramm-Leach-Bliley, your Sarbanes-Oxley, or what other old white dude you want to name a policy after. I don't care. I'm just there to F you up. I'm there to be the worst possible thing to happen to you at the worst possible time in the worst possible way. I'm crashing parties, you know; that's what I'm there for. I mean, I live by Firefly and Serenity, you know (big boo to Fox for cancelling it), but I just want to be a villain; I just want to misbehave, and that's what I do. I see so many people go into their clients and they tell them, oh, we went through the zero days and got this remote shell, got privilege escalation, which we were able to then pivot into this other network, and then we got all the secrets, and then one of our red teamers went through the Skylock stuff, you know, they circumvented the security by overriding the machine and stuff. And their clients are saying, we're secure, and you're like, what? I just told you. Yeah, but you were talking about attacks and APTs; we don't have to worry about that. We're not after... we don't have to worry about nation states. We're just like a donut factory in the mall. Why do we have to worry about something like that? And so therefore they don't understand the nature of what they really need to protect. Me, I usually go in and I
just say, I spent less than two hours on Google, I came up with this phishing attack, and I had your CEO click the link; he's the one who hired me to do the phishing engagement. There was one where I walked into this bank, I'd never been there before, and I compromised all the machines, and it was bad. And trust me, you're going to see a video of that later. That's something you have to take seriously; that is something you have to fix now. People may think that your zero days and stuff are not something that they have to worry about; trust me, the data bears that out. But when you show someone how easy it is and how basic it can be done, that's something they have to take a little bit more seriously.

So I'm going to show you a little bit of the network side. I want to focus mostly on just doing physical compromise, but, you know, it's a hacker conference, I've got to do some, you know, computer stuff, technical stuff. So I'm going to show you guys some of my recon, okay? I use one of the most elite hacking tools ever developed in this world, and I use it regularly. I mean, I'm only going to write down the URL. It's a great place to go start off when you're doing recon for an engagement: it's google.com. Amazing hacking tool, okay? It's where I always start. Right here we're going to hack EY. If you work for EY, raise your hand. No, don't raise your hand, I don't care. When I was just starting out in 2001 or so... I first got my job in 2000 in information security, because I'm old. But then I tried to get a job at Ernst & Young, and they wanted to hire me, because I passed everything, even the technical stuff, believe it or not, back then. But I didn't have a high school diploma. I was a GED, you know, a high school dropout, and I didn't have any college, so they're like, I'm good enough for
us so I'm heavy so