
Can y'all still hear me? Because I'm going to be wandering around a lot. It's better if I'm a moving target, so the tomatoes don't hit at full impact. I'd like to start off with something I had a conversation about and wanted to make sure I added. Someone was talking about how they just started working in the community, trying to understand the community here in Dublin, and they were like, "Well, we need a bigger security community." This is a good place to start, and they were already putting in time as a volunteer. I reminded them: you understand that without you creating this community, by creating this conference and volunteering, there would be no reason for me to be here. So they're the actual rock stars. I'm not a rock star, I'm a roadie. They're the rock stars that actually get this stuff done and get this stuff working. I'm very appreciative of their hospitality, very appreciative of what they've done. That's community service. It's one thing to get up on stage and have everybody go "oh, look at me, I can talk and stuff"; it's another thing to do the stuff behind the scenes that no one knows about and still put in that time to make this happen. So thank you guys for that. Thank you for having me. [Applause]
This is an offensive talk. Well, most of my talks are offensive, but this is the one where I talk about technical stuff, so I have to have my legal disclaimer. I'm not a lawyer, but I have played one on the internet successfully. So when I talk about how I'm going to try to steal from you, or kill you, or ruin you financially, remember the kittens: I'm adorable. I won't try to steal from you, kill you, or ruin you unless you pay me first. There's always a contract. Okay, most of the time there's always a contract. I changed the title a little bit for the talk, I hope you don't mind, but bear with me. The new talk is called "Perceptions: From a Blue Tractor to a Blue and Black Dress," because this whole talk is about perception. How do we perceive things? I think one of the funniest things we perceived is that tractors are what grow our vegetables, but they also take tanks. Who knew, right? I didn't realize that. I think it's a hilarious fact to find out. It's also an unfortunate fact to find out, but it's still sort of hilarious. So that was from there. And don't worry, I don't have anybody sponsoring me. There's no way I'm ever getting top secret clearance or anything like that, so I say what I freaking want to say. Sorry, don't @ me, bro. These are just me.

The most boring slide in the deck is the one where you're supposed to go "hey, this is who I am, this is what I do." If you want to know, I live-tweet my life; it's my LiveJournal on Twitter. JaysonEStreet is where all the blurbs and abouts are; Hacker Adventures is where my cool stuff is, where my pictures are, where these will be eventually. But I do things. I like riding my motorcycle, I like speaking, I like telling people that they're wrong on news interviews, I like exploring, I've been on shows, and I love playing No Man's Sky, which is a good game. So that's me. Hopefully the rest of the stuff will show you why I was up here talking.

We're going to cover where to go to find information that factors into and facilitates the attack, crafting the attack to be the most effective, using humans as the flaw and not the technology, and how to defend against these types of attacks but still conduct business. Now, I'm going to talk about a lot of real-world engagement things, not online stuff.
People are like, "but I use online to gather some stuff for the physical," but we need to understand you're almost identical; we've intertwined. When I used to work for a bank, I used to tell them: that big shiny metal monstrosity vault thing that looks really cool, that's not where the money is. Who wants that? The computer terminal is where your bank vault is. That's where I want to rob. If I go into a place and I rob them with a shotgun and a ski mask, I'm going to have a bad day. You know why? Because most of the tellers and people are trained for that. I have a 100% success rate for robbing banks because I don't wear a ski mask and carry a shotgun. I usually wear a suit or a jacket. I mean, I've worn a DEF CON leather jacket and ThunderCats tennis shoes one time in another country and did it successfully, but I had a Microsoft badge, and I'm using a USB drive, not a shotgun. So it's perceptions, and we're going to talk more about that.

First I want to show how I actually figure this out. Disclaimer: I do not use Maltego. I do not do advanced. Okay? If you want someone up here talking about the zero-days they popped or NOPs that they sled or any of those things, it's not this guy. This stuff is so easy even I can do it. We've got to figure out how to look at the basic stuff. You hear about APT all the time. I already heard someone say, "Do you know what APT really stands for?" Adequate Phishing Technique. That is APT, period. And I love it, because I'm not going to credit who I got it from, because I stole it from a guy from the FBI at a conference once, and I just think that's even more humorous.

What I like to do is BAD: I just do Basic Adorable Destruction. I just go in and I try to mess you up and eff you up in the worst possible way that I can. I only do two hours of Google. I do not use Maltego, I do not use any kind of recon-ng; I do not use those tools or methods. I'm usually spending one hour and 45 minutes to successfully compromise a financial institution. In Jamaica was the longest I've ever taken to create my phish, my pretext: an hour and 45 minutes. If you know how bad my ADHD is, that was a very long time, people. I wasn't even getting to play. Usually I'll play; I'm not playing Warcraft anymore now, but I'm playing No Man's Sky or something like that. But no, I had to actually just do that for the first hour and 45 minutes, and I'll find the information. So I use basic tools to do these compromises. I start off with Google. I want to give an example of how I do it. I like to pick different targets.
I will say, and I like to preface everybody that I show that I could have potentially compromised, and I'll be showing videos of someone that I actually have compromised: understand one important thing. I could do it to you. Don't make fun of these people. Well, maybe just a little bit. The New York branch: I tried to get a job with them when I was first getting out, and because I didn't have a college degree they totally nixed me. I got everything correct, all the technical stuff, all the rest of the interviews went perfect, but I didn't have a piece of paper. So I'm petty, and I'm using them as my example. But the whole thing is, you don't make fun of them, because it could have been just anybody else. I'm not one of those red teamers that likes to be that arrogant, infantile, toxic-masculinity "punch them in the face and see if they've got a plan" type. It's idiotic and infantile, and we've got to grow beyond that. We're supposed to be there as an advocate, not their adversary.

So I wanted to rob the main New York office, because they really don't like me. Ironically enough, five years after they denied me, I went to their Extreme Hacking course, and on the first day I showed them an MS SQL vulnerability that was internet-facing on their IP address, and they weren't pleased. So I want to go after the New York office, because petty. And here we are. I look at it, and now you'd say this is Ernst & Young's headquarters, but this is very important: it says Ernst & Young on the building, but does Ernst & Young actually run that building? I mean, yeah, Tony Stark had a great building. Do you think he was collecting rent? Do you think he was making sure the Starbucks was there doing their job? No. There's a property management company that handles these properties. I don't have to attack Ernst & Young. Ernst & Young is a security-ish company. They've got checks and balances. Somebody from Ernst & Young, I'm sorry, I'm not going to stop slamming on you, but I'm sorry. They're like security guards, so they're not going to have all their stuff out there; they're going to be way more secure. But their property management company is not in the business of security and consulting. It's selling office space. So that's who I want to go after. So what's the name of the building?
Well, they're at Five Times Square, and what a coincidence, that's the name of the company. Original. So here's Five Times Square, luxury office space. It is; I've been there. Very nice. Too fancy for me. And on their website they show you: here are the dining areas, here are the hotels and office neighbors. These are all the places Ernst & Young employees may be hanging out at, going to, or staying at when they're visiting from other locations, going to lunch, or going to get something for breakfast if it's not in their lobby. So right there, I know exactly where to do my badge cloning. Now I know exactly where to start compromising certain things, or sending out emails for lunchtime specials to Ernst & Young employees from these locations.

Oh, remember the good old days when you had to go into dumpsters, and you had a shady guy you had to meet to get the bank blueprints and stuff? I literally found bank blueprints in a dumpster once. It was amazing. I spent a lot of time in dumpsters; I mean, I used to live behind one when I was homeless. I'm familiar with them. But the best score I ever got was actually the bank blueprints. We don't have to do that anymore, because we've got the internet, and we've got property management that needs to sell office space. But how good are they really going to be at selling office space? How much are they going to show you? Because I'd like to get some good detail. Oh wait, hold on, this is very good. This is their concourse floor plan. This is the lobby floor plan. And what I like is not this. Don't ever look at the stuff that's highlighted; you look at the stuff that's grayed out. Because here's where I'm going to be breaking in, through the back door to the storage area. I love going through the freight elevator. You know why? They've got guards here. They're scary. They're making sure people are coming in, they're checking, they're like, "whoa, hold up, dude." I'm just trying to rob you, back off a little bit. No, I don't like going through there. I come in here with a package, and trust me, too many times: "Yeah, I'm doing a delivery upstairs." "Okay, cool, thank you." I like that way better. But what happens when I get up there? Now I'm like, where do I go?
Perception. That's the whole thing that runs through this whole talk, perception. I need to know as much as I can about the floor plans of a building so I can walk naturally. When someone questions me, I can say, "I'm going to the electrical closet right down there to the right by the bathroom." Boom, I'm trusted, because I knew exactly where it was. How could I know that? I go to architects' websites, because they'll showcase when you do new renovations, or when you have a certain architect that does your office space. I have robbed people because of those, because I've been able to see where their things are located and how to get in and bypass the receptionist, from the architect's website. I don't have to do that here, because there are the floor plans for all the different kinds of floors they have. And once again, what am I looking at? Oh, they really don't want you to see this. Why? Oh, because it shows you where the elevator is, where the electrical closets are, where all the other devices are. More importantly, not only does it show you where the mail room is, because let's face it, it's probably the mail room right here, it shows you where it goes out of. So it shows you exactly where to turn, or which way to go, to make it look like you're actually going through.

Do you know how to get out of freight elevators? Because usually people will tell me, "But Jayson, don't they have those little dead-man locks where you can't get in?" Yeah, most of them. That's where cell phones come in. I spent 15 minutes in Boston in the freight elevator like this, literally talking to someone at some point, and then I talked to another person, and no one wants to talk to me anymore, so I was just hanging. And then someone comes up the freight elevator and I just go, "Oh wait, hold on, hold on a second. No, you don't have to get me, don't worry, someone just showed up, they'll let me in. I'll meet you in your office. Sorry to bother you." And they let me in. Or, even better: I don't know about all fire codes, but in America the fire codes are very simple. There has to be a motion sensor on the inside part of the door, so even if it's a secured lock on the outside, people can just go by and the motion sensor triggers. But what happens when people are just walking by it? It still triggers. So you just listen really well, and you wait to hear that little click, and you walk in just like you're supposed to be there.

This was still hard to see. I didn't like that one. Oops, oops, oops, there we go. Very little bitty buttons on this thing. Okay, there's the uncensored version. That's much easier to see, right? I appreciate that. Another thing I wanted to do is show you: I don't use my parents' basement. I don't talk to them, but they also don't have a basement, so darn. I would be, trust me, 100%, if my house had a basement, I would be in that basement with no shame whatsoever. Those are cool.
No, I was at the Panera Bread, robbing them, eating pizza and Diet Pepsi. That's how easy it is. The reason I showed that is because I'm usually in your lobby, at your Starbucks, or your local caffeine cafe, doing the same thing. Well, not just doing that. Usually, if I'm at your location, I'm also running a Wi-Fi Pineapple and doing a Wi-Fi scan and compromising your employees as they're coming in and out. At the same time, I'm keeping recon of what kind of people are going in at what time, what the security looks like, and what the dress is at that location. So when I do come in to actually attack them, I will be dressed more in that way and I'll blend in more. Well, honestly, I don't try to blend in too much. I will be robbing somebody with a shirt on eventually, at some point. I don't try to blend in, because I like to come with warning labels, because I'm doing security awareness engagements, I'm not trying to do a red team engagement. There is a big difference. And there's just a close-up of the device. For some reason, I don't know why I put that in there. I guess because I wanted to see a close-up of the thing. I'm glad y'all asked.

Also, I'm going to social media. If you want to know why information security people drink, just search on Instagram for "new badge." I mean, I don't drink alcohol, and it's been pretty close sometimes. Oh, this is why people want whiskey. Okay, now I understand, because it gets depressing. And, Jeff, I have been able to, on one engagement, within less than an hour, because I was going through this one other step before I did that step, get an employee badge from the company I was specifically robbing and print it out to use on an engagement. Also, what I love too is on Instagram, there are certain geolocations. Your headquarters usually has a geotag location. That's awesome. Then I can just go to your location tag on Instagram and I can see everyone. What are the odds some of your employees have tagged where they work? High. It's very high. Like these poor individuals that have done it. With this guy, if
I've dug deeper, I can show you the whole trail of this guy. He's very social, which is the best type of people to compromise. Also, if you go on Twitter and search for hashtag "new badge," you'll get the same thing. But you're also asking the question, "But Jayson, how do I print these badges out? What kind of advanced alien technology just instantly does that? You've got to go into work and try to say that you're a new employee to get one of their badges." That's where the Badgy 100 comes in. The only way this device could be cooler, people, is if it was the Badgy 3000. They really missed an opportunity there. So the Badgy 100, it's only $649 US, so that's what, 120 euros or something, I don't know. But right there, you can get the Badgy 100 and print out your own employee badge. Does it have to be RFID? No. I've got badge cloners; I've got this really cool BOScloner that, from like three feet away, you can scan your badges. Why? That's so much work. I'm a hacker, I'm trying to be lazy here, people. You spend an hour so you don't have to do a 10-minute job, right? I mean, that's how it works. I just want something that makes it look like I'm supposed to be there. I've literally gone to security: "Oh, it's not working," and they'll buzz me in.

So once again I've got to remind you: one of the people in this video did everything almost perfectly the right way, but there was one miscommunication and I used that to fully compromise the bank. And what I mean by fully compromised the bank: I mean I compromised every single machine, including the data center, in the bank. I tell a lot of stories, and when I was getting this talk right I realized I've told a lot of stories throughout the years, and y'all hear so many that, quite frankly, I don't believe half of them and I was there. So now I'm going to give you a treat. You're actually going to see how I robbed a bank in 15 seconds, and how I completely robbed a bank, every machine, in under eight minutes. This video is less than eight minutes long, by the way. So here we go. Oh wait, hold on, I forgot how to do this. I'm new to this kind of stuff, so hold on. Here we go. Here we go. And oh, hold on.
Nope, nope, yep, I'm going to use this. I'm using a thumb control; you saw that little bitty device, right? I'm using it right now to present. There we go. We're getting there. Hi. There we go. And look at that face: she knows I'm not supposed to be there. She was good. Because I went in there when it was still closed, there weren't customers coming in. Either way, I was supposed to be there. 15 seconds, it's already in. Oh, they had their Outlook open too, that's nice. Here's executing the payload. 20 seconds, it pops up, it's done, and right about there I just closed it out. Under 30 seconds, completely compromised the first bank computer. Now watch what she does.
[Video] "Oh, she's doing... just be on it, always doing the USB. Oh, could you log in real quick? Again."
Nope, okay, we'll just stick it there. Okay, that pauses. This is the first time I've actually worked on this. Here we go. But watch how she approaches me. She's directly questioning me, like she should: "Doing the USB audit?" "What's the USB audit?" "I have no idea." "Could you log in real quick?" It is the intent. I'm not showing you this, but okay, I'm going to say it anyway. What I did was, did you notice, as soon as I was challenged, I did not stop, because I belong there. I made sure the perception was, "Oh, I'm doing my job." You can question me, but I've got to finish doing my job. "Can you log in real quick?" I'm actually giving them a task, which puts them off, because bad guys don't ask you to keep doing stuff if they're doing something bad. So how many times... okay, here we go. Oh, I forgot, I've got to look on this side. Computers are hard. I'm tired of seeing that. "Oh, could you log in real quick?" "You're supposed to be... alright, I'm here to do the USB audit, I swear to goodness. Didn't headquarters call? Head office was supposed to contact you." "Head office didn't contact you? No problem." Y'all saw me, I pushed the pause button. Microsoft, okay. But do you see what I did? She did what was right. What did she do? She's like, "I don't know anything about that. I don't know what you're supposed to be doing. You need to talk to the head manager." 100% correct. You don't understand how much I love it when I get caught. That's my job, to make sure that they understand that they're doing the right thing, to help show them. If I go back the next year and I don't get caught, if I'm more successful than I was before, I failed. That's not a good thing.

Okay, here we go, I think it's going to work this time. Now it pauses. Mother... okay. This is just true. "No problem, that sounds great," and I'm all natural about it. Sure, I'm not going to pause, screw it, we'll just keep talking over here. But look at what you've got. This is the one mistake. This was the fatal flaw: "I'll stand by." See, I say "I'll stand by," and with me, I did a crosstalk attack. I
told her to go away, so the manager thinks that she vetted me, and she thinks the manager is going to vet me. No one vetted me. That is a crosstalk attack. I've done that; I've broken into high-security facilities that I cannot name publicly using that attack. "Can you get me behind the teller line?" Why not. "And do you have a network server here too?" Why not. Everything. "Oh, can you show me that first?" Let's jump in the data center first, just to make sure I get that before I get found out. That's my trusted agent, the guy who's with the employer, who will verify me if I do get caught or someone pulls a gun on me. This hasn't happened, which is good. Usually they'll be there to help me out. So he walked me up to the data center. This is being recorded on a button cam. This was old footage from National Geographic I found somewhere that they didn't air, but this is the whole unedited scene from it. I also have a watch camera, I have a pen camera; I'm a walking, talking Google Street car when I'm on an engagement. Okay, and there you go. Now this is very important: "I'll be down there in a second to go to the television. Just leave me unattended, please."
That is a sigh of sadness right there, people. That was a sigh of sadness, like, are you effing kidding me right now? And then I realized I want to keep the bank manager next to me, he was really good, so I hurry up and get out and catch up to him.

Okay. In the data center, I just showed that I could get in there. And trust me, with some of the stuff I have, it's a lot better than a Rubber Ducky I could have used. "Good, yeah, this one's okay." This is my favorite here. Awesome. Well, not my favorite, but: it's locked. How rude. I can't rob you with a lock. So the manager's nice enough to get the employee off his break so he can unlock the workstation, so I can get a complete 100%. I mean, that's what I'm going for right now. So, "Okay, I'm sorry, I'm limited with my French." See, I don't believe this stuff either.
I was in China just recently and I was telling them that their English was better than my Chinese, so what are you going to do? The whole thing is, this is Lebanon, so their main languages are French, Arabic, and English. I've got a horrible accent too, but I can happily do some French words. I'm sorry. This is the vault, people. Now I'm in the vault, because this is where the wire transfers happen. This is where all the money is being done, right here. There we go. So that's good, that's fun. Oh, they were in the middle of a wire transfer when I was... oops, my bad. "Okay, you were amazing, I greatly appreciate your help." I think I could be there. Thank you. That's disbelief you're hearing in the tone of my voice. "Oh good, good, I think we're good, I think I've got everybody. Oh, hold on, the data center." Oh, I didn't get her machine. Real quick, remember I'm petty. Sorry, I want to be thorough. I just want to be petty. I'm sorry, I tried. I'm not a hypocrite, I've got flaws, okay, I will admit them. She did everything correct and she still ended up getting her machine compromised. Pop up, done and done. "Oh, let me plug it back in for you, sorry." Got to be polite, you know. "Okay, thank you, I appreciate it, appreciate your help, thank you very much, y'all take care, thank you, great, thank you."
How did that just happen? I honestly did not know. I've done some branches like that, but that was one of the most successful ones I've done. But it was a matter of perception. I have robbed other banks like that too, where I would go and walk in a certain area like I knew where I was going, wait a certain moment, come back from a different direction, or they thought I was talking to the bank manager and then I would come in and say I'm from headquarters. By the time the bank manager finds me, I'm behind the teller line, so therefore I must have been vetted by one of the employees, and I've got full access. Still, this is the best video. Thank goodness it's not that long, so I shouldn't keep pausing it. It'll show you what I mean by perception. It's not where you look for warning labels; it's how our mind acts and reacts through certain patterns. So this is me robbing another bank branch on this engagement. Notice I come in from the public-facing side, so therefore I'm definitely a danger. But look where I stopped. I stopped here, behind this column, in front of that, so it appears that I was talking to the lady who was on her phone. And then I come from a safe direction, I come from her desk, and I just walk in casually. I'm now coming from a trusted side. The tellers don't consciously think in their brains, "this side is safe, this side is dangerous," but you do. It is human nature. That's what I'm exploiting: I'm exploiting human nature. They know that that side was trusted, that employees and stuff come from that direction. If I was coming straight from the public side I would have been questioned. I looked sketchy AF; they would have said something. But I came from a trusted location. Here's me, oh, this is... it doesn't matter, I'm just talking and robbing them. I also got bored waiting for this lady, so I just spun around in the chair. And she says, "I have a lot of work," and I'm like, "Oh yeah, I know, just hold on for me, I know you're busy, sorry, but I've still got to rob you." Is it the same organization? Yes.
Which is important, because I guarantee you, also on the same engagement, when they showed the show, it doesn't show me compromising the person that was on her phone. Because now I'm coming from the teller area, I'm coming from the safe area, they let me compromise them as well. I did this for the National Geographic show, and I will tell you right now: when you look at this and you see these kinds of things, you're like, "why would they let you do that?" Because they're not trained. I guarantee you, if I come back the next day, or I come back the next week, they will know better, because they will realize, and the person doesn't have to look like me, just someone different, because now they know not to ask someone. If someone's going to try to plug a device in, they know they have to get an email or some kind of confirmation from security. Oh, since I've got five minutes... I'm going to be much longer than that. I'm the last guy, and if y'all leave I'm not offended, don't worry, but I'll be done. So once again, it's the perceiving of the threat, external versus internal. Yeah, that's more like it.

So it goes again: I'm not attacking your network with technology and zero-days to get in. I'm fighting your people, using your perceptions and expectations against them. It's just our basic perceptions of what is safe and what is not. You're all familiar with this crazy internet sensation. It was a while back, before even TikTok, so you may not be familiar with it, but this was the whole "was it blue and black, or white and gold" dress phenomenon. I wanted to update it a little bit, so I did another one on
perception this is the thing about perception because remember back in the old days look at this clown look at this idiot dancing with the stars mr all prissy makeup comedian dude what a joke right and look at this buff rugged i don't need mosquitoes bounce off my chest you know it's like while i'm hunting or horseback riding because that's you know weird uh and um and also it's like oh there's my pet leopard this is the guy who wants to go after the lgbtq community by the way it's like okay project much but um so the uh the whole point here is look at all that masculine virility right i swoon him right but now we understand perception is one
thing actuality is another because look at this clown he should have been on dancing with the stars instead of trying to to do an invasion it's like look at him okay i mean look at this it's like these are all recent photos i mean i would almost feel sad for him if he had a soul but uh and then you look over at this guy mother that's the thing i would not make fun of this guy's jokes or walk out of his act okay i will tell you that right now i mean this guy his advisors are over here these guys you don't want to meet the dark alley those are his i mean i've
literally had the instinctual retake like i wanted to give my lunch money it's like it was it was just like instinctual it's like so that's that's what that is that's perception what you usually see can be totally different than what is i'm a very dangerous person it's like but i try to be very adorable it's like so you don't understand that you don't see that oh also that um here's another thing about perception it's about putting people at ease without them detecting that's what you're doing notice two things about these these are taking a day apart these two photos but what is one thing in common it's effing cold outside it is below zero celsius outside and i'm
not wearing a jacket or winter gear. It's not because I'm, like, I am an idiot, but that's not the reason I've been doing it for this one, okay? Because once I successfully break into the company, I can't be wearing an outside jacket, because that shows that I'm from the outside, that shows I don't have a place to put my jacket, that shows I don't have a place to set up. But if I'm inside your location (gotta love the Proxmark 3 scanner right there), if I'm inside your facility in the winter and I don't have a jacket on, well then obviously I've already sat down at my office or at my desk or in the
conference room and I've already got a place to store my gear. Human perception, that's it. That was no zero-day attack, that was just using people's perceptions against them. Also, on the first day of recon I'm dressing up as a worker: I've got a goatee, I don't have gel in my hair, I'm looking different. But then I show up the next day, the goatee shaved, I've got gel in my hair, I'm dressed nicer. What does that do to people if they saw me the day before? It makes them go, "Oh, he looks familiar, I must have run into him before back in the day," and it makes me
more trusted when I'm robbing them, which is, you know, the whole point. The point isn't for me to rob them, it's to teach them, you know, via robbing. I just like saying "robbing," but okay. And here are some of the attacks. These are the three different attacks that I do: I do the passive role, that's usually my favorite; the assertive role, when I get to look like a stockbroker or a person with no soul. Wait, that's the same thing. A stockbroker or an executive or auditor kind of person; or my "what the, let's see if it works" role, and those are some fun ones, because all three of
those I was doing attacks. I love getting a Proxmark, a proximity scanner, or getting a Wi-Fi device that will do some compromises and drops; you just tape it to the back of the cardboard sign, because who looks at the homeless people, right? We don't want to acknowledge them, because then we have to acknowledge we know the problems with our society, so we can just go right past them. He gets way too political, sorry, I rant. And there we go. So let's start with layer two, the assertive role. Assertive does not mean aggressive, okay? What mannerisms and pretexts are involved? They are usually going
to be: I'm in an authoritative role. I'm here to audit your network. There's a big acquisition coming up (because usually there is, because I was able to research that and figure out there was). I'm here to do an audit to make sure everything's working right. We had a problem with one of our locations. I'm here to do a USB to make sure the GPO policies are working properly. Literally, in Europe, sometimes you guys have to be a little more assertive: I'm here for the surprise inspection. And if I can't get in: what part of "surprise inspection" do you
not understand? I don't even want to be here right now. Let me into the server room or I'm putting you on the report as well. I don't have time for this. I mean, surprise inspection, thank you. I still put them on the report, but, you know, in a different way. So the hardware that can be used used to be limited, but the more discreet, the better your chances of success, because you want to use, like, a USB drive, you want to use something small that's not going to stand out on the outfit of a guy in a suit or a person that's looking all professional. This is the way I usually look in assertive roles. I tell people, this is,
I tell people, if you make me wear a tie, I will utterly destroy you, okay? Not because you're paying extra, but because I hate wearing ties that much; I want to make sure you regret it. This is a custom suit that I got made in Beijing. It's my business suit of doom. One of the worst things about not being able to go to China right now is I can't go to my tailor. But when I first told him what I wanted for this suit, his first words out of his mouth were, "Are you a
magician?" And I'm like, no, how could I be a magician? You guys know magicians always say "there's nothing up my sleeve," and I told him specifically to make pockets in my sleeves. So those are two Bash Bunnies in the pockets of my sleeves, so I can literally say there is something up my sleeve: it's your network, or what's left of it. So that's what I like about that. It's got hidden pockets all through the jacket, and the pants, I've got big pockets. I love pockets. Sorry, ladies, I know it's a sore subject, but there's just a lot available for me.
Can you see the three hacking devices in this picture? You've got the watch, which is a high-def, 16 gig USB drive, infrared video camera (eight gig USB versus 16, I don't know, I'll say eight gig USB hard drive), and a video recorder pen. Those two are the easy ones, the walking, talking Google Street car we mentioned. But what's the next one? I made sure all my shirts were custom made too, with French cuffs, because I'm classy like that; I do the pinky and everything. So cufflinks, gotta have the matching cufflinks. Well, these aren't totally matching, you have to forgive me. One's
a USB wireless adapter that turns your desktop into a wireless access point for me and a gateway into your network from the parking lot, and the other one is a two gig USB drive. Don't worry, I'm not going to steal any of your data and copy it onto the USB drive, because you've got all those write policies, very nice stuff. I'm just going to use the command and control software that I have on there, which also has the wireless drivers for Mac, Linux and Windows, so I can install the wireless drivers so I can compromise you. So that's fun. Here are some of the other devices. If you think this is overkill, you are
correct. If you think I'm flexing, you are correct. How many of all these have you used? Actually, I've used that one, and I used that one, and, crap, I think it was a Pineapple, oh, that one. So that's it, those are the devices. But it looks cool and intimidating, doesn't it? I could, if I wanted to, use all those, but I'm not a big blowhard like other people who try to threaten you with a whole bunch of stuff they have but they're not going to use. So, yeah, that's bad. So let's go to the next layer. Passive roles do not mean wimpy or timid.
What it means is: I need your help to help you. I'm usually with tech support, the help desk. I'm just here to do an audit; like, look, I don't want to be here, just let me do this audit real quick, I need to see you check this out, I'll be out of your hair real quick. I'm here to make the network faster, put you on a T1 line direct to your desktop via fiber. And you tell someone you're making the network faster, or if they notice the network's running slow, it's like, yeah, it is, that's great, what else can I do for you? So yeah,
the hardware used can be more varied and more unusual, being explained away as a techno-thingy or other, which I've actually used in the field, which is helpful. This is the role I use. These are some of the shirts I've compromised several companies with. My favorite one was in New York, right across from Ground Zero, a high-security building. It says "your company's computer guy" on it; they let me in. But this one I use the most. It says "Hacker." I come with warning labels, people. It says "Hacker" on it and I rob places with that all the time. It's great. One manager actually came
in after me when I was in the server room for about 20 minutes, because the employee mentioned, "Yeah, he's from some company called Hacker, it said Hacker on it." And then I talked to him and assured them and it was okay. So this is the tool mechanism I'm using here: it's my clipboard of doom. There's a theme. I love this clipboard, the clipboard of doom. One of the best things about it: it's got pockets. Ladies, you with me? I think one of the worst things in modern society right now is women can't have pockets and men can't wear purses. People ask what I
call that. My man purse effort, you know, I think it's awesome. So yes, it's got nice little pockets. It's got, like, some Bash Bunnies, some other devices in there. But these are some of the scariest devices that I use to compromise at almost a 100% success rate, okay? Not the O.MG cables; those O.MG cables are amazing, okay, if you've never seen an O.MG cable you've got to Google that, because it's awesome. No: the envelopes and the marker. Because while I'm walking around I find someone's desk or their cube, and it's got their name on it, or their little name cards like that,
and they're not there. I take out an envelope, I write their name on the envelope, I put a malware USB drive in the envelope, seal the envelope, and I put it on their desk and I walk on. Name the employee that you have in your enterprise that is not going to go to their desk, in their secured area where they're safe, and find a USB drive in an envelope with their name on it, who is not going to plug that into their computer. Good, people are honest here, that's awesome. Let's go to the next part. There's other layers. You know, I love layers in security, we always use
defensive layers. I like to be an ogre, I have layers, so I love layers. This is what's inside there. Here's a whole bunch of really scary things. I am working on some new tools. Besides the Shark Jack, I'm loving this one right here, this is the Screen Crab: you just plug HDMI into one side and you plug the HDMI back into the monitor, and now you're recording everything on the monitor. How many executives have those high-end HDMI monitors? Pretty good ratio, take it from me. I love it. So that's really nice. So those are some of the devices that you can use.
The last layer is the OMG roles. Should not be your first choice, trust me. One banner is a prediction, I can't tell you. I went in, I've robbed a financial place as an executive TV producer once. I love robbing hotels barefoot in pajama bottoms, in a T-shirt. I've literally walked into the lobby of the hotel around two o'clock in the morning, gone to the lobby bathroom, stayed there for about an hour and a half (and trust me, that is not a fun experience, especially at 2:30 in the morning), and then I wait, then I take my
pants off, I take my top shirt off, my shoes and my socks, roll them all up, stick them under the counter, the sink counter, and I walk out, and now I'm a hotel guest. That works out very well too. So that one, yeah: hardware used to fit the situation also will likely need to be easy to hide. I usually wear, like, swim trunks underneath the pajama bottoms, because I have to have some place to put all these things. But usually it's just, like, either my phone, so I can call for help, and a
USB. In the old times it was a Rubber Ducky, now it's just a Bash Bunny too, much cooler, or an O.MG cable. This is what I wear. This is me robbing a very luxurious (I can't even say where) hotel in the south of France: Teenage Mutant Ninja Turtle pajama bottoms, barefoot. This view was the cheap hotel they had to put me in, because they couldn't afford to keep me in the hotel the whole entire time for the pentest. They could only afford one night in the nice hotel, and then they put me in this little rinky-dink shed for the rest of it. I actually like this
one better, because I like the view. But that's what you do. So what you're usually doing is carrying a pen or a Rubber Ducky to commit attacks that way. And we're going to finish it off with: you've got to remember, if I do find a way in, and I usually do. I mean, very clearly these are both using controls that I was told were okay. This was on the seventh floor of a Nicosia, Cyprus office building of the financial institution, because the cameras right there in the elevator lobby did not cover this window right here, and also there was another window right over there, another camera over there, and it did not cover the server room
that only had drywall with glass windows on it. But no one would be able to get in without being detected, they said, because what idiot would climb out that window with a seven-story drop and go around the column onto the railing and then climb up the vent to get there? Have you met me? Okay. And the best part about it was, the guy who told me I couldn't do it, I told him there was a camera in my pocket and I made him take the picture of it, because he had my jacket; he had to hold my jacket. So that was fun. Petty. So there we go.
So then, make sure your employees know how to respond once I'm there, because I'm leisure, I guess. Here's a better picture of "your company's computer guy." This picture is from my greatest accomplishment in my whole entire career; it is the one that I'm most proud of. Everybody talks about accidentally robbing the wrong bank in Beirut and stuff. You know, whatever, that was a failure on my part, that was a mistake that I made. I mean, it was cool because I lived, but it was not planned. I was hired the year before to break into this company. I destroyed them. I was the worst thing that happened to them in such a long time. No one had
ever gotten in; in all the pentests they had, no one ever made it inside and up the elevator and gotten into their office. The guy who hired me found me with one of his employees' badges, sitting at his desk when he came back from his conference meeting, going, "Hi, were you expecting me?" So that was bad. The next year, and during that year afterwards, the CEO at their all-hands employee meeting made sure to spend at least 10 minutes talking about the importance of security awareness, of computer security. He made sure that they took that to heart, they took the things that I said. I go back the next year
looking different than I did before. There was a new receptionist at the desk; she stopped me as soon as I got in, would not let me walk naturally up the stairs. I had to sign in, I had to tell her who I was meeting, she wrote it down. Then I had to go to the restroom. I always have to go to the restroom right at the beginning of the game; I also drink too much Pepsi, but in an engagement I get lost when going to the restroom, so I always say I've got to go to the restroom. She lets me in. Instead of going left to the men's room, I go right down the corridor, compromise
two machines already. A lady is getting up out of her desk to see why I'm over there. Yes, I compromised him already. The receptionist had already talked to the guy who was meeting me to let him know, because there was a camera that she was watching and she noticed that I turned left instead of right. Every section of that company, two floors, different departments: every department that I went into I was able to pwn someone, I was able to compromise. But at every department I was caught. Every department, someone caught me. That's amazing, and that shows that you're doing a good job, that shows that you worked and you did it. I loved it,
because they learned and they questioned and they didn't just let me do it willy-nilly. That's the first time I've used "willy-nilly" in a long time. But that is literally what you're supposed to strive for: to have your employees do that. I am not doing a test that they fail, I'm doing a lesson so they learn, and that's what we have to make sure our employees understand. They're not being tested for failure, they're being taught to learn to do better. And to me, that is what's important, that we're missing a lot in these engagements. So how do we teach them? You don't just warn your employees, show
them. I've got some old YouTube videos out there, and others, on how these attacks occur, not in theory: show them real-world examples. But not just me; there's plenty of people a lot more talented than I am who can do a lot scarier things. Let your employees see that, because they're watching these, you know, infographics every six months, every year, the death-by-PowerPoint slides, so they can do the multiple-choice question, and if they get it wrong they can go back and, like, you know, choose again, so they can be certified and regulated, because, you know, Sarbanes-Oxley, Gramm-Leach-Bliley and all the other names. It's like, yeah, it's
like, all that stuff. But seriously, show them how it actually happens. Don't just tell them, "Oh, don't click links, be careful of phishing emails, this is what you should watch out for." Give them something to know. Interact with employees when things aren't on fire. Guess what, this is going to hurt some people's feelings here, because it hurts mine sometimes: employees don't necessarily like information security. You're not the nicest people to be around sometimes. When I used to work on a gang task force, guess what, I got the joy of seeing everybody on the worst day of their life. Something horrible just happened to them and I show up, or I show up and
something horrible is about to happen to them. It's not good. That's the same way they see you in information security: you only show up when something bad has happened. Do lunch-and-learns. Show them how you're an actual asset. Show them how you look at them as an asset to the company, as a part of the security team. Get them involved in that, make them part of it, make them know who you are and that you're trying to help before something bad happens. And remember the three E's: educating, empowering your employees, plus enforcing actual policies that help. You need to be able to do that. Solution three: stop making it another task they should deal with, and sell them on
the idea that it's a way to offset work to security. Human nature, remember: they don't want to do anything that they're not being paid to do. So we need to make sure they understand that security is part of their job, but then we also need to let them know: yeah, you don't really want to look at that email or respond to it, it looks a little sketchy, just forward it to security, make them deal with it. You see a guy walking in the building under the arctic, you don't want to touch them; call security, make them deal with it, make it their problem. Sell them on that, because, trust me, I've
been a perfect example. Humans are petty, you know, we don't like to do all that kind of work. Make the security people do it, that's what they're there for. They're there to go through all those freaking spam emails, all those different emails that you don't want to deal with. That's what you do: you make them understand that you're there to help them and take some of the work from them, and create teachable moments for your employees before a real attacker does. In other words, don't wait to hire someone. I love this because it's counterintuitive: you don't have to hire me. When you're starting security, you shouldn't hire me, you shouldn't be
hiring any red team person or pentester. When you're starting out a security awareness program, or starting down your security path, trying to get your employees involved, your employees should be doing that. You should be understanding what that is and what the needs are. You need to make sure that you're set up for that first, before you try to get someone else to come in and look at it.
Oh, I wasn't lying, I'm done.
[Applause] Yeah, I'm keeping you all back so bad, I'm sorry. Are there any questions? Everybody wants to GTFO and get a drink. Yes?
How do you hack remote employees? Do you go to their home and steal their stuff? Or work-from-home employees?
Oh my gosh, those are easy, because do you know how many work-from-home employees are letting their children use their work computers? Do you know how many work-from-home employees are actually on unsecured Wi-Fi? Do you know how many work-from-home employees are going to Starbucks and Panera Bread to do their work because the Wi-Fi is better and they don't have to deal with their children harassing them while they're working? If you think work from home protects you from getting compromised, no. I would refer you to the 2004 dark source episode where
an attacker went through a dual-homed VPN to get source code. Don't trust your employees; people. And another thing is, when we talk about, like, working from a network that is not at that headquarters, it's not just that that's an untrusted network: everything should be considered untrusted. You should actually be looking at exfiltration. The whole thing I tell people is that we're so set in this mindset of trying to defend our networks from attack. Get over it. It's going to get popped, something's going down, okay? No matter how good your defenses are, at some point something can be compromised. The important thing is how quickly you detect and how quickly you respond.
That's what we should be striving for: to make sure that our incident response is better, making sure that our people understand when to detect it. When I broke into that company in 2020, in the before times, it was amazing, because even though I was successful, for how long? That compromise only lasted 10 minutes, tops, and they were able to curtail it, they were able to respond to it, and that wouldn't have put them out of business. But how many companies have you seen that have been compromised for six months, for a year, a year and a half? How much damage was done then? My gosh, Sony, freaking 1.8 terabytes of
data leaving their network. Mother. A network admin should have at least asked, "Hey, would you like us to increase the bandwidth pipe? It seems like you're doing a lot of data transfer." Nothing. Stop just trying to defend what's coming into your company, or the attacking site; start looking closer at what's leaving it and how it's leaving. That's where you find the compromises. How many people in here have firewall rules that say internal to outside, allow? It makes me want to, seriously, that's almost worse than the any-any rule, you know. So you have to make sure that you're doing that. So work-from-home employees are just as easily compromised. Any other questions? I will be going to
the after-party, because I know a lot of people don't like asking questions, and also you want to get out of here. So I'll be around; please stop me, question me and ask me things. I don't mind answering questions and helping out. Oh, and I'm also holding up people, so that's even better. Oh my gosh, I'm in between the prizes; I'm glad you guys didn't already storm the stage. That's a good thing. So I will get out of here now. Thank you, guys.