
Thanks. So, I know what they told the conference I was going to do, but what I'm actually doing is dropping a zero-day, and it's full disclosure. So, for those of you who do coordinated disclosure and messaging and those things, please leave now, because there is no coordinated disclosure or anything for this talk; we're going to fall into it, we're going all in on that, because I want you guys to learn some new, cool things about what we do for red team engagements and other things when we have to break into places. As an insider we do things a little differently: with red teaming we may have to be embedded for up to two years at a time somewhere, and we need to maintain cover, we may need to maintain persistence,

we maintain our access into things. I'm gonna show you guys how to do some of that stuff with some of the toys that are out there on the market, common objects that are fun. On top of that, on the flip side, the blue team: don't worry, I haven't left you out; at the end of it we'll head into blocks on this, defending against some of it. So just real quickly: I now work for Insider Agency. If you guys want to know about what I do for a living, just reach out to me after this; we do not have time, because I want to get into a lot of stuff with you guys. So what you guys don't think about right

now is that if you joined or went into college in the '80s, you were taught in graphic design and design that you should have an amount of space for whatever you were designing available for future expansion, for upgrades: unused space. Back in the late '70s and early '80s that was a great and grand idea: every engineer makes a thing that he'll expand and upgrade indefinitely, and you'd have to buy one thing once and that was it. It never worked that way; however, the mentality stayed throughout the years, and there's always a pocket of space in consumer products that's left over or designed intentionally. In the last few years the average example that we found is about 30% of that object that

you bought off the shelf is unused space. And that's not unused space; that's a bad phrase, that's a bad word. That's potential for you to conduct attacks; that's potential for you to use that device as your own Trojan horse. So today it kind of comes full circle. I unofficially spoke at the first BSides by getting into a lot of trouble. What you don't know about the first BSides is that it was part of a thing called Cyber Raid, where we have red versus blue, and a few years back I tried to figure out what I wanted to do, because I knew that Kansas City had some of the most

badass hackers on the planet. I was intimidated; I didn't know what to do. I felt that the only thing I knew how to do and the only talent I had was graphic design and social engineering, so I decided to attack this at a very different level. Got into a lot of trouble, did not make any friends with InfraGard, the FBI and other folks, which we'll get into. But this was one of the coolest things ever: it was red vs. blue capture the flag, it was at a hotel downtown, which was awesome, and it was a large space open to the public that allowed us to get away with a lot of stuff. So one thing I thought we have is

I could use trust models to violate and get an advantage over everyone. The way I think of trust models is: you go out on the street, you don't buy bread from this dude, you go to the store, because you inherently trust that the store has USDA ratings on everything, everything is packaged, everything's fresh, they keep their best interests and your best interests at heart. Not that this dude doesn't have a better deal for you, but your trust models, and what your time and risk model says, is that you go to the store. So we take for granted things in their package. We always hear 'think outside the box'; that's [ __ ]. Think inside the box. We all accept the boxes; we all are susceptible to that,

given good marketing of the box. We know that if it's vacuum sealed, if one of those things is in a clamshell (those clamshells are horrible; you pretty much cut yourself open trying to open it, you destroy whatever's inside trying to get at it), it effectively keeps... yeah, you trust that that thing, that clamshell, is safe and secure. So we had to figure out something, and had to violate some trust models and get an advantage over the other side with it in this Cyber Raid game. So with social engineering I decided to take apart some things and put some things together. I gave the blue team USB sticks, because I figured they'd need to get updates from one

computer to another, usually, during the contest. So what I did ahead of time: I took a tour and did a job interview at this hotel ahead of time, before the game, so I could get a tour around the facility, learn the design aesthetics of what was being used and how everything fit the place, and also learn how job schedules and shift changes happened at the hotel. I went in at 4:00 a.m. on the game day of the tournament dressed in a suit, I picked the lock to the blue team room, put everything in the blue team room, and also the other devices I created, and put them in there, walked away to the parking lot, changed into a hoodie and
jeans, and waited for the game to start. Now, the great thing about this, in this picture, is this was all done for free. How I did full-color printing, holograms and plastic clamshells for free is I asked for free samples. I called manufacturers and said, hey, I have a client I'm trying to convince to use the clamshell technology; I'm not going to shell out for 500 clamshells, but you know what, I'll give you 20 bucks for postage to get a free sample. Once you send me some boxes and clamshells of approximate sizes... If you want to have a heart attack, go find the hologram manufacturers, write for free samples; you'll get voting machine

tamper-resistant labels, all sorts of stuff back from the hologram people. And as you see on this packaging, the holograms had nothing to do with anything, but they were there and they were a foundation point. Ultimately what was on there was a variant of Poison Ivy I created, and something went wrong, because during the tournament it was about lunchtime and nothing happened. So we all broke up for lunch at Cyber Raid and we went about our business, talking and figuring out, and I felt I had to pull it as well, because no one told me at Cyber Raid whether we were using virtual machines or people's personal laptops, and I didn't want to be that guy that blew up

everyone's computers. I also figured out I needed some fun. So at lunch I went out to Bill, who isn't here, and the nice lady from InfraGard, who was an FBI agent that had such a sense of humor, and talked to them and said, hey, I had a really bad thing: I put USB sticks into play that are infected, I don't want to be the bad guy that blows up someone's personal computer, can you please take them out of play? She didn't understand what I was saying, went into the blue team room and held up the package, asked me, "is this one of them?" It was empty. I was like, yes, and we need to find that now. Long story

short, they didn't appreciate the craftsmanship of putting logos on it and putting in many different mechanisms and controls: serial numbers that matched everything, that said, hey, don't use this if it isn't sealed, we give instructions. But it's something you trust and something you know; it is sealed, and it took an act of God, Allah, Buddha to get that thing open because it's a clamshell, so you know it's safe. Later on, afterwards, Bill and several others told me that they thought that sponsors had brought these in and dropped them off in the room while they weren't looking. But we preyed upon the fact that something is trusted, and something's familiar to you, and it's something

that's always around, and you know where it's coming from, so it's safe. The other thing I needed to do is I needed to figure out how to know when password changes had happened, and I needed to figure out how and what was going on in the other room. Well, I could put a bug in there, but while I didn't want to file an SEC arrangement to get the FBI to arrest me, I also remembered I was cheap: I had a budget of like 12 dollars. So how do you keep a listening device on the whole time in a hacking contest? You combine a baby monitor and a power strip, because everyone needs power strips for a hacking contest, and like I said earlier

there's 30% unused space in most products in this day and age, so you can put anything you want in there. The great thing was, I tied the baby monitor directly to the power rail; it had power the whole time, so I could hear every single combination of Family Guy character names for the passwords, Star Wars names, and other things, and Kansas City Royals things. A guy that ran on the blue team came afterwards, when he saw me collecting all this stuff back, and said, you know, I cried today; this was the single most horrible, trying experience I've had in my IT career. I was like, well, that's what it's like in the real world, so we're

trying to make it that way. The great thing about this was, when we're finished with the product, that's what it looks like. You throw on a label from a label maker that says "do not remove from this room" or "property of the hotel"; it's not going anywhere, and you're listening to everything and anything that happens in the room. But more importantly, I want you to look at this again, and if you saw this under your desk, what would you do? What's the first thing you do? You use it. You don't expect that to sit there, switched on in front of you, and collect data. We're doing horrible things with it, but did you see how much space was in there?

That's a lot of free space in there we can play with and do all sorts of stuff; for your information, three Raspberry Pis were put in there.
Another Saturday. So, but you see now why I'm kind of concerned and why we do things the way we do: we attack at a level of what you're familiar with, we stay inside the box and use the stuff that's out there. Don't go out and get your Mickey Mouse stuff and do all this crazy stuff; the stuff that's underneath your desk, this is the stuff you're not looking at, and that's where we put the bad stuff in. That's the trick. So what about these things? You know what these are. I did this in California, showed this picture, and people didn't know what it was; I had to explain it a little bit. Mice, in the Midwest especially: do you mess with these at all under your desk? Who

touches one? Who's opened one? Who's actually looked inside of one? No one, because you don't want to know what really is in this material. And those of you that have opened it up: it's amazing what's in there, and what you can put in there. But you're assured "don't mess with it." But you guys are in IT or in architecture, you're not in security, and you have problems with little parties walking away with stuff; put them in the bait traps, the bait traps are empty, people don't want to wave stuff. So we started thinking about all these things, these avenues and these objects out there that can be co-opted, and start creating weapons, rather than, hey, this is a USB stick,

wrong, now it's a weapon, and we use those in red teaming to go in and help get an advantage over and bypass security mechanisms that we're going through. And you'll hear me use the P-word a lot today, but we create policies and education to follow up, to make sure that you understand why you don't tailgate, and tailgating is bad. Well, with tailgating, I like using a bit: I like to go out and sit in the smoking areas outside your offices, and I'll sit there and smoke and smoke and smoke and smoke until I find the right person, and I will follow him in. The reason why I do this is it's so simple, and it is the

fundamentals of human behavior that you can easily exploit. People are off their guard smoking, and you can see certain behaviors: the one kid who sits there and looks around as he smokes and then puts out the cigarette like he's doing a touchdown and showboats off, you don't want to follow that individual, because he's aware of what you're doing. However, I want the guy with a Unix mug that has a coffee stain, that has long hair and chokes down like five cigarettes in about two minutes, because he doesn't care who's around; everybody is following him back in. Long story short, I love doing this technique because it's so simple. But something happened a couple years ago and I was screwed. I sat

up there on day number three looking like a total creep on your campus, thinking, where's the IT guys, where is everything, why am I this sole creepy smoking guy on this campus? So then I saw everyone come back from lunch, back to the office, and everyone came in with the vaporizers, and I was like, oh, they're smoke-free campuses, I am the dinosaur, I can't do this technique in social engineering anymore; smoking areas don't work. What am I going to do? Again, I'm gonna think inside the box, and I'm going to take some objects that are common every day, that you're probably sitting there with, and I know several of you are in the audience right

now with these objects, and we use these objects to attack the company, so much so that I had to create a handler and proxy for the amount of Metasploit shells that came back. There's a lot of space inside of vaporizers. So what we did is created a vaporizer; we created that payload based off the Glitch model. There are six payloads that can dump off based upon the environment it picks up when plugged in, and it registers as a HID device, not a USB drive, so it never talks up. So how do you get this into the environment? Well, you go to Hooters, you talk to the nice Hooters ladies and tell them that Camel cigarettes is going into the vaporizer game, and here are

a bunch of t-shirts and polo shirts that you found on Goodwill; don't worry, it's totally legit. You then put together an action-based modeling contract for the young ladies, between them, and pay them $500 apiece to have a lot of fun. So it's Camel cigarettes getting back into the vape game and trying to take over. The nice young ladies go at lunchtime and hand out the free vape samples to everyone coming back in from lunch, which is cool: the vapes and Camel, everything, that package is legit. But, you know, there's no wall outlet plug in this packaging, and what do you know, the batteries are all run down, so now you've got to run it and plug it in

somewhere to charge. Where do you do that? The USB port on your computer charges stuff. So you plug it in, and one of six payloads comes in and owns the machine. But you sit there and you think about it, and we come back from the blue team perspective, from policy: why don't you have a policy prohibiting the importation of alien devices or foreign objects? Why do your employees need to be bringing things in and plugging them in? Simply, they don't; there's no excuse anymore in this day and age, and things are dangerous, man, which I'll show you. So I'm now in Colorado, in Denver, and things are a little different there with legalization of objects, and what's funny is people saw the research
we did with this, and some of the manufacturers got wise to this and decided to change some things, and someone decided to get autonomy and said, you know what, we heard the talk, we read the discussion and the new advice and the white paper, and guess what, we've actually listened to you: we reduced the size available for you to play with stuff. So this is a marijuana vaporizer that's quite popular out of Denver, and the manufacturers have come out with no space inside to do stuff. What are you gonna do now, kid? I bet you can't use this to go out and bring it somewhere. You know what's awesome? They have their own apps and APIs that are open; why, I don't know, but

for some reason your marijuana vaporizer needs to play games with your friends' marijuana vaporizers, and I don't know why. So as a result they have open APIs, and they have open software, and their apps in the App Store are horrible; it's easy for you now to piggyback on this thing and backdoor it. So we're taking the USB train even further. How many of you saw these at Def Con this year? We had a series of Def Con USBs that we tested; every single one was picked up, every single one was executed and played with. It was kind of scary. But what we started doing with USB sticks is, we've always heard the stories about people in the

parking lot: you know, we drop them in the parking lot and people plug them in, and that's how it works. That's stupid. What happens when you forget something in the parking lot? It gets taken into lost and found or the front desk for security, and no one's touching it. So we started changing things to help entice you to pick up USB sticks, because we could just throw them out there, who cares. We throw out Def Con branded USB sticks, people pick them up, plug them in. It can be very, very mean, and find things that people want to pick up: the Minion ones are great. The more desirable the object, or the cooler

looking it is, people pick it up. You do these Minions and you throw a payroll.xls file on these guys, and when we throw them in a parking lot it will get plugged in within about seven hours, just because it's an ugly shape that attracts attention, and more people psychologically are thinking and rationalizing to themselves that they're not stealing it, they're going to take them home for their kids or someone else who can appreciate that object. Micro Center here in town hates me, but has several options and cool, different varieties of things, from superheroes to pink mustaches, which work for Lyft, and several other things that work for local businesses. But the key thing is,

start trading and using ones that look more enticing. The other thing is, you hear about dropping them in the parking lot; don't do that, because it doesn't look natural. I go up to a vending machine, I have a USB stick in my pocket, I act like I'm putting a quarter in, and I'll drop the USB stick during that motion, so it falls and rests like it fell out of my pocket naturally. The other place that's the best to drop USB sticks is in the restroom at a stall, because it looks like it fell out of my pocket naturally through the progression of me walking around. That's where you want to put USB sticks; that's where you would drop them, inside places

where they are safe, and you yourself are rationalising: "I know someone's gonna... things fall out of their pockets, that's where this fell out." If it's in a parking lot: "I know someone's testing." That's the thing now: nine times out of ten we do a test and the client wants us to do a parking lot drop, and we still have to do it, and it'll always get caught, because people hear those stories. So you need to evolve them, entice them. But what happens if you drop something in the parking lot and it got picked up by security? How could you use that? We'll get to that. But also, for here, for you guys, for conferences: swag

is awesome. How many of you have a Mr. Robot figure here? Well, several people at a conference... they don't exist, because there's no [ __ ], oh, that has USB, but still, an entire information security department was excited because it was Mr. Robot, and they plugged them all in.

And we got a demo fail. So if you drop something in the parking lot and you want people to get a hold of it, you want it to be able to be used. We have some friends in South Korea that started making us these USB sticks, and as you look at them they look like USB sticks; however, they do 20 hours of quality recording based off of sound. What's great about that is you drop them in the parking lot, now your guards and everybody will take it in, and if it's in lost-and-found, it's not sitting at the guard station; we listen to the guards. How do you retrieve that? You go, or have your friend who is much cuter looking than you go in: okay, mister, I
dropped this, it's exactly this color, can you give it back, since it's in the lost and found. We finally had qualifiers reported to the credit... possibles, there's fun stuff. So USB attacks are great, and we're still kind of in the generic realm of: okay, we all know that with USB you can be attacked, it's easy to understand what it is. Let's start getting into some stuff that you may not see, but you see every day. What's this? This is a wall outlet where you plug in; now we have USB options. Well, on this we can still attach USB connections A, B and C, so we have data. This is only meant for power; however, we can connect that data

connection, and how much space is behind the wall? There's a lot of stuff that we can hook up into that. And you know what, those are really great and convenient for your waiting room or your lobby; think of how many people pass through there. How many people are checking your lobby? What's the last area you checked, the network connections and power outlets in your company's lobby, to see if they are live, and how far you can get? There's a lot of room behind the wall. I even had this, like, this will be fun back here, because I can hook it up to there, because there's A, B and C. So we did enable the data on that. Go to the

airports. Now let's start thinking about that at the airport. So think about some horrible person having to go and install a lot of these around the airports around the country, and all it takes is one wire to connect that data channel. So have you seen cell phone charging stations? Do you know what they are? They're great services provided by manufacturers or others that allow you to deposit your phone, get a charge, and pick it up safely. They even lock now, so they're totally safe; see that, you can see up there, they're totally safe, they've got locks. The crazy thing is the one in the center costs about a hundred bucks. I can brand it

with any logo I want and drop it off at the front desk of a business. The great thing about these is they already come pre-programmed, shipped and installed with malware, because they provide an incentive package for you to collect metrics on who's plugging in, or you can push out "ads", as they call them, to people's phones. So a lot of these things already have basically a banner or channel built into it, but it doesn't take much for you to put stuff in there all on your own. You see these things all over. KCCI has special "please do not use" ones; in case, erm, the sky burner is called, "please don't use it as therefore." But it doesn't take much for you to roll

one of those in, and everybody will use it, and it's hard for you to talk to your employees and tell them "hey, don't use this", because this is familiar and easy to use and it's there for your convenience and free. And you need to get out in front of your employees with policies. Don't treat policies like a weapon; treat policies as marching orders. These are your instructions, your marching orders, to avoid problems. And frankly, when people go out to a conference like we're at now, you guys are very vulnerable and susceptible to all sorts of attacks, including the stuff that I'm showing you right now. Having policies in place helps you to prevent this stuff and identify this stuff, because there's

all sorts of things and attack tales. At the end of the day it doesn't matter what year it is; that's a Trojan horse. The technology and everything behind it has never changed; we just changed the afternoon. So that's all crazy, not great. But what if I wanted to own an entire information security department by using the SANS Institute? What is this? This is a SyncStop; do you guys have your USB condoms? That's supposed to basically prevent your USB from being bad, prevent channels from being activated. Basically, the screws here: USB is gonna hold a charge of power, there's no way to tamper with this, right? There's no way to open those up, put your own stuff in and

then roll it out, because there's no standard shape or image for a SyncStop; you just take for granted that it's a SyncStop. So what happens in October every year in our industry? Okay, one, security awareness, yep, Cybersecurity Awareness Month. Do you know how much stuff SANS sends out? You all have been given the social engineering devices and tool kits today; you can brand stuff with this. This is trusted, right? These are security professionals and standards, right? So if you're sitting back at your office in October and a large package comes in with SANS posters, backpacks, stickers and SyncStops, your information security department's going to go out and install it on all the machines, on all the

computers in the whole office, and the information security department will own the business for you. All of us in this room are susceptible to this stuff and could be the victims of this, so never think that in security we're above anyone else. We're the number one target; we're probably the worst people because of our arrogance in this industry. But it uses a familiar channel: all the packaging was there, SANS puts out all those posters at Security Awareness Month, it's legitimate, it came from SANS, why wouldn't you plug them in and use them? So the phishing platform I like to use, keeping with our theme of familiarity, is iTunes. How many of you actually poked into iTunes recently? It's
seen how much has changed since 1998? Most of the original code is still there. The great thing about iTunes is you can send a gift to someone and you can do one of those little messages. What's great is the message box doesn't filter anything at all; if you want cross-site scripting, if you want other fun stuff, go ahead, it does not filter and lets it go through. How many of you are actually filtering out information in messages and emails from iTunes? That's going to sneak right through. That's really great for targeting people at a conference like here; again, "hey, you showed up at BSides Kansas City, we're sending you a free episode of Game

of Thrones, here's all the information", and by the way, here's a little bit of information, a link to... never mind, because, you know what, your AV didn't pick it up, and your email didn't pick it up, and nothing else; oh, that stuff's legit, and it's Apple, why would Apple send you something bad? This is one of the greatest phishing tools, and they have no plans on fixing this for decades, from the sounds of it. So it's fun, but again, you think about it: we're thinking inside the box. This is something you trust, this is something you use, it is whitelisted on several manufacturers already, so we'll use that channel. How many of you

have seen these around, these awesome touchscreen Coke machines? They have to have mandatory Wi-Fi and wireless and network capabilities, which is really awesome. So I'm not advocating anything, but it's interesting to look into: if you have one of these in your break room, do you have any rules, or policies, or firewalls for this? It's amazing what's inside of these machines; a lot of these actually come pre-owned, which is kind of fun too. It's also fun when your Coke machine in the break room starts mining cryptocurrency. Start looking around your break room; those things that you have in your break room in your office are intact and are... think of how much space is in there; that's more than 30% of space

in there; that's like the wall, that's worlds of fun to me, that's oceans of fun to me, man, I'm gonna have some fun there. So we started thinking about all these crazy things around us, and we start seeing that we have to think a little bit differently. But we don't think outside of the box; we think with the box, because that's how we did the Trojan horse in, that's how the Trojan horse works. We've gotten so far away from it by thinking outside the box and other gimmicks; we don't test the core human conditions that we need to, to have a successful security program. We always screw up in security, and we forget that security is a non-tangible construct, and

it is different from person to person, and more importantly it is a human condition and thing, and we stray away from that a lot; we get too technical. By embracing that and looking at the things, we start seeing these little systems out there that can be exploited. Like, how many of you have worked on the help desk? Do you remember having that one person at the beginning of the month that, for the love of anything, can't change and accept that password? It changes every month at the same time, same place. You understand things like that; maybe you could exploit that system against it on the red team side. Same way with all the hardware out there: we have

all this cool gadgetry, cool stuff out there. Now we have phones that do all sorts of stuff. I remember when I was a kid I was told a whole room about this size was one day going to fit in a computer; now it fits in here. The horrible thing about this is this is convenient; once things are convenient we overlook them, just like security. If we don't make security convenient and usable, people will be looking for other ways. So what's something I could use to attack everyone in this room at a conference? And here's now where we are getting into the zero-day attack. I will preface this: this will not harm anyone's phones. This is a mobile-based attack. This attack has

not been fixed and cannot be fixed. Apple is the only manufacturer that listened and fixed things, because this directly impacts something pretty important to it. So I have a background of graphic design and marketing and all sorts of horrible stuff, like you've seen from earlier, and packaging, when I did Cyber Raid and attacked everyone for this contest at the first BSides Kansas City. So I thought I'd go full circle again, but it's Kansas City, so everyone who knows me knows I've got to go crazy. This cannot be blocked by Android or Windows Phones. If you have RFID enabled, we're gonna see capabilities on your Android phone. This is a Samsung Galaxy S8; it is fully patched, there is

no vendor or developer mode or debug enabled. This is a business card. I simply hold the business card up to the phone... if it's online,
it automatically shows me to a YouTube video which before we get into anything else all of you to test out here because I've read a bunch of these up for everyone to test here's where the lawyer wants me to reiterate everything [Music] it is also listed on the card to this card demonstrates the technology and attack and I won't be able to have these so you can take it back to your offices and go hey you know what do we have a mobile phone policy do we have a mobile device policy is that it an important thing to you oh it is it we'll watch this what we can do with these now I can
install music on your phone I can send you to a website I can add contacts to your phone and more importantly I can install ads the best thing is there is no authentication no authorization nothing you simply wave this in front of the phone that is enabled and it triggers well why is that important to rent a guy how can I actually use that to show impact to you as a client and test and how does this attack relevant well we'd go out to a conference like here how many of you have talked to vendors today how many of you see those little fish bowls full of cards how if you're at Def Con in the summer 700
cards were distributed at Def Con like this but Def Con made sponsored or reported a party that was going to happen this year with the metrics we collected at f-con this year on average each harvest skier 12 times in a 24-hour period because people would show others how important it was so you can have a plan on that as well so what would be something even bigger better that just having business Carter's well we develop the sick technology when abdomen RFID based inks where that comes into place we can print letters and ladies we are working on nail polish so you can have door access on fingers based upon polish but what's something you could use to attack some
women again a hacker conference or what's something you could show you have work even further to really bring in the impact if you know I probably have a mobile device policy probably have a policy covering of conferences in contact what a hacker conference right what's what's unique about a hacker conference anyone stickers yeah so wasn't it be cool
if you had a sticker and you had a sticker up and all you had to do is pass the phone by it and it triggers? This isn't RFID; what we did with these, which all these I want you guys to come up and take some, because I want you to take these back to your workplace and show that hey, we gotta get on the policy train, we gotta be adaptive to emerging technologies. This is NFC, we're stepping up the game. The stickers are going to see, so we have a lot more capabilities of things that we can do. I can't talk about that today, but all these are great for you guys to go out and test. The stickers and these cards
both go to a YouTube video where you can watch Bob the Ninja talk about stuff. That way it's benign, and again, after hearing from lawyers, that is benign: it does not go to anywhere where there are executables, there's no data transfer of binaries, etc. You simply watch a YouTube video. That way when we pass this off to folks at your workplace there's a little bit of comfort, and you can show them like hey, this is bad, this is not the nerds screaming, this guy is following this, this is that we can take a business card now and attack. So what's another thing that we can do with these, this technology? Man, where somewhere you go
where you pass off the cell phone to someone and they hold it up against something: airport ticketing gates. It's very easy to get a mechanism like that at the plate. So you start thinking about places where people relinquish their phones and surrender things; these attacks take on a whole new world. Or you can run around today and have a lot of the people even go hey, let's take a selfie with me, or I'll take yours, you watch this. The scary thing is that there are no authentication mechanisms on this at all. You saw this is fully patched Samsung Android; it has to redo everything at a kernel level, and Windows Phones, people need to start using them, so it doesn't
really matter. So what we do though is once I use this card in, say, this environment, I would put the contact of help desk into your phone so that way when I call you on a phishing pretext it's totally legit, because the help desk number power time. Or I would take your friends' numbers and modify them by one digit or something, or put my phone number in your friends' contacts, or what's the most used contact that you have in your phone? I will find that, we'll add to change things accordingly. But this is scary because it opens up new attack avenues and new ways of thinking and new ways of trying things, and the
fact that manufacturers won't fix it. Apple was the only one that did, because this ties closely to the application in Apple Wallet; all the NFC transfers, bit of our [ __ ] stuff that they do, ties way close in to Apple Pay, so they quickly fixed everything here. You cannot do this on any iOS device, period. The technology and everything, the way they have done it and how you can allocate libraries to the hardware level, you can't do. We tried a lot because we really thought it would be cool to have iOS that's here today for that. So one of the quick things here is where do you even start with all this stuff, kind of throwing everything at the wall? I keep
enemies the things that we do that they have to break into places. I talk about policies; I always mention the P word. People hate policies. If policies are going and inhibiting your production and your process of flow of security, you're doing it wrong. These are your marching orders for the field; this tells you how to load your gun rack, everything. It's not a fire, they are not anything that should be used to delay [ __ ] or slow your security processes. They're supposed to be: a fat guy gets hit by the bus tomorrow, or this guy over here wins the lottery, how do we keep on moving, how do we keep on functioning and march? That's what
policies need to be, because there's all this stuff now you didn't think about this morning. You don't have a policy for this, and it's stupid to write a policy directly for this, but if you write a policy that says hey guys, if you go to a conference, especially some hacker conference, please don't bring anything back into this room or house or anything or business or whatever, leave that home. It's cool, go ahead and do it, but we just don't want it at work. If it time said to something, through the love of all things holy please don't forget in the office and [ __ ] it, leave it at home. Your end users, if people need that information,
they need that feedback and they need that education, because this stuff changes all the time. If you're teaching your people to don't click stuff, that's stupid; that's how we do everything and achieve everything in computers, I click something and that's cool and it happens. You have to educate users directly, give them information to march with. Also do radio frequency scans. All this stuff that I show you emits radio frequencies; all this stuff would trip that out. Radio frequency scanners are very dirt cheap, very affordable; go to Micro Center here in town, find stuff, but scan them. But the most important thing is scan, educate your employees to look for stuff, report stuff, be aware of
things. They are a target; everyone in this room is now a target, we are a resource that can be harvested. So real quickly we ran into the blue team side of things: how do we fix all this stuff? Physical security side, does everyone know this? It's a hundred-dollar hook. So what this does is we slide it under the door, it hooks the other side and the handle on the other side, we pull the cable and it opens the door. Again, the origins of this is a realtor's sign and piano wire; again, just taking things around the office, around your normal everyday life, you can utilize them in different ways. This allows us to open
the door from the other side if it's not properly shielded. Since you guys are all at our conferences here traveling and you might be in a hotel, here's two ways to protect yourself against this if you're traveling. One, simply roll up a towel or washcloth and put it in the handle like so; that way my hook under the door can't hook that handle and pull it down, it also provides resistance so that handle can't pull down. On the left is a wedge; they're very lightweight, they're rubber, they're great for hotel doors. It wedges in; if someone tries to throw it open it starts digging in deeper. That's great for protecting yourself physically. What about the power situation? Bring
your own batteries. You should be doing so many ways as a part of modern life, the way that these things suck down power; roll your own counter, take it with you. Do not ever plug into anything in public, because you saw we can pull out our own battery charger, we control our own phone chargers at the airport, we can put stuff in the wall. Have your employees check something out where you use a controlled power source; there is no room in there to do any kind of shenanigans, those batteries are tight, they use all available space. The other thing is you can start protecting your assets such as RFID badges. There are now several RFID badge protectors allowing
this shield to prevent being cloned, read or stolen. This is now especially important since the advent of the Apple Watches; we're now using the Apple Watches instead of Proxmarks to do most of our badging intercept. It also allows us to get it smaller and closer to you so we can steal stuff. I love these things, these are cheap; these are RF shielding bags. If you're going to DEF CON, buy these. What these are for is in forensics and stuff: we put equipment into it so radio frequencies will not escape. So if I seize your laptop on a raid we can put it in here; it ensures that nothing changes from the time that we seized
your laptop to the point that forensics gets a hold of it and starts playing with it. We can make sure that all your radio frequencies, everything you were doing, your wireless, everything was not touched. For the rest of us, if we put this in there, no one's going to scan it and what it's going to be able to access it, because it's a little cord welfare to image. These things are like five to nine dollars. If you're in a pinch you can use tinfoil or a mylar balloon, the party balloons; those work very good too. Having these RFID shield packets are great; they make it for your laptops, cell phones, everything else in modern day life.
Please start using these. You leak out so many frequencies and signals and things in your water, your bike, and don't realize it; plus when we go into hacker conferences you should probably be using these. So again, as I said earlier, I want you guys to have these free tools, both the stickers and the cards. I want you guys to take today; come up here, help yourself, take them with you and run around with them, try them out and show other people. The reason I wanted you to do that is we can tell stories so many times about dropping the USB stick in the parking lot, we can tell silly stories about things, but man, if you walk in tomorrow and show that
hey, I could do this with this, I owned your cell phone with a business card. This is next level Scorpion, CSI, Sniper special case; put it on the deal and then do it yourself. So I want you guys to all take these after this talk, we go out and try this, but more importantly use these to help educate people that the technologies around us are cool, but convenience is the enemy. Take a closer look, look at it. What's under your desk? Like Monday morning, I challenge everyone to go look what's under your desk, open that rat trap up and see what's there. If it actually does rapidly start looking around you, there's so much stuff that
everyone could use around the world to attack everyone that it almost makes you scared, but it also makes you more motivated to start going through your policies to make sure your programs are actually working and that your security defenses are actually working. So again, don't treat it like the P-word; policies are your marching orders, those are your instructions for combat and they shouldn't be taken lightly, alongside with all these cards and stickers. If you guys have any questions about this, I suffer from insomnia, I don't sleep, around the clock, and many people to serve addictive through that, I'm available for reaching out, answering questions of any sort, any type, any time. We do Hacker Fire, which we help people
find jobs in IT and information security, the hashtags there; we also help recruiters find people as well, and we teach a lot of social engineering. So, any questions?

So QR codes are trying to be used so much, but a QR code still requires like an interaction; the scanning, interacting with a camera, and those family problems, but you still have to interact with it. Whether it's the park, basically they created a promotional channel for Android, Windows, Blackberry hardware; that developer hardware channel is going to be able to do all sorts of cool things like this RFID NFC stuff, or you could use theater lighting protocols. There's all this stuff that was supposed to happen in a better
transfer. Regardless, photography, where is Dr. Awesome? Yeah, it's, I couldn't give the talk on that 100% here, but what I can tell you is if you're using wireless charging you're more susceptible, just like the convenience of oh, this dude here has a mat, I'm just going to set it down there; but you're putting it dependent on your phone at the end of the day and there's very little in the modern construction they do to bridge that, so it's now broadcasting and receiving some other Facebook and when your speakers. We ran into that; that's why we didn't Hanasi, but enough she allowed us to read and write and maintain some odds and ends, but going down that road there's
there's the design things that we were in on. It was a problem. Okay, the phone on the car truck somebody, that's still an issue for attacks, because we're not going to release the several feet away, because that's no fair and fun. Average is about three to six inches as the greatest, so usually from about here to here, about here's the biggest we have, three to six inches out, or it depends on the phone; Nexus, we've had different results. Yes, because you do that too, also conferences where you have your mobile app, conferences like RSA this week, yeah, you're actively good rather than scanning and putting this near stuff for kids, so it wouldn't be much for this guy
to have this badge hanging off his shirt; you didn't scan my phone for the conference. There's all sorts of attack vectors. I mean it just really opens up to inform your employees first to be aware of, you know, attacks can come in all shapes and sizes; let's just be careful when we leave the office. Any other questions?
So what two things I did is, one of them, I used things that were irrelevant to me at the time. I'm a Scottish person, mechanical to save his life, but I can go to your Steve looks into this at Hugh's call this an ambush, you know we really need that firearm, I get it, is there decay, and all you hear is blah blah, the nerds are talking about love and paranoid 1/3 poise. However, you can sit there easy now if you know what you see: the makeover drivers banner cost, we got a shave at least three points off your golf game. Well, I'm going to go get that, why don't you go get that now? You
know, shape yourself, your coffee with that driver, maybe no way, that Palo Alto, that's your driver, but it's even better because now it can shave points off your game. It's got allow your about it, haven't feel to play golf, or instead of the clubhouse bracket or what else, that I could call phone. They update because my people handle this with the right equipment, usually analogies that speak at their level, or put stuff that does not speak down to it, which is pretty cool, so that they can actually understand like oh, I'm shaving the points off my golf game with a good driver if I actually support the security guys, that stuff, I've shaved points off my compliance. The other thing
is just simply making sure that you're watching and act on what you're doing. Every post, I would read it, Aleppo suppose rivers and stuff; there's some little things that help you really play the last point in the conversation. The other thing is headed back up money. So I always had a problem with mister responsibly: how do we get management any kind of traction? What is their response? Break it down to a dollar value. So if this guy here clicks that one link for phishing and he's got ransomware and his computer's offline, we break everything down to a dollar value: this guy's out of work for the day, that guy's out of work, they had to find a loaner laptop, has to
back everything, you're out of work for the day because you have to help coordinate, we answer the call and you have to figure out what's on the machine. A derivative at the pair, then might be three people's salaries for the day that you want to pay, the value: we donate three people's salaries for the day, done, because this one dude clicked this one link. You can start pulling things back into a dollar value and showing people through activities, or relating it to salaries, such as that dude has clicked this every month; we're quantitatively at, you know, 168K, why is that guy still working? We visited his value at the company. You and I don't
think that way, but once management starts sitting there going you know what, every time this dude clicks this one link that costs me 10K in loss of productivity and loss of projects, the big things change. And we are so, we all in this room are very much a community and we do things incorrectly because we always assume, we always take things in a different direction. In the humble, our assets average, understand that there is always a problem. The problem never goes away, because as long as there's a human involved with the system, every one of us in this room will have a job, and that has been communicated at work. So when it comes to management, you can't
find a way to ease an announcement? If that doesn't work and you have problems where people are minimizing you and marginalizing your ideas, find another channel. If they marginalize your ideas, create something that you can demo, but we're not crazy nerds, you know, with conspiracy theories; let's take you on, there you go, you have to take some time. But study your people; you should use most cent on your management. Why haven't we done recon on your management? Recon your management, figure out how they work, what do they like; maybe you have to use Pogo bears as an analogy or you have to use the WNBA, whatever it is figuratively. Now chance I got out with a cop program. Any other
questions? Around us he's a little different, like these guys at squalls; this is about probably two to three inches max with the stickers. We're working on some things down the road; cards are fighting three to six inches, that varies on the phone, it depends on if you have a case on it and all these other factors. The safe thing to say is we plan about an inch to three inches when we plan for an operation, so finding, they engage them somehow, my pretext needs to be at least one to three inches max. So maybe like a proof of concept in a fishbowl at the table at his vendor booth, well that's cool, but we have an escape route, Billy
he will take it home and interact with it; it's far enough distance that in that fishbowl, if I set my phone down on the table, it will be effective. We are some changes with any limitations to the actual house RFIDs, it works,
working on it. We're actually rolling out our websites or blogs or anything else we could do to fix it around there, suppose that if you're interested upon this and other red team tools there will be a passive resource; it'll be available for some other resources, so we're going to make sure that we had all the crazy stuff that we do is now available more widespread.
Yes, if you want to play the basic framework of forensics, two things: just as you would with malware, you're still tracking how the jump-off point called the website or resource.
More?
Oh, it depends, because if you're trying to track back down, say if you want to know that I have the guy you made this sign, so you're only going to be looking at three manufacturers' sticker labels that are available. On top of that, you're looking at only one manufacturer that made the hardware for the NFC, and at a forensics level a court order will give an endo quick. Oh yeah, I can't really wear these, that'd be anonymous; like I don't like to overthink opponents mainly because they're so rare, there is a very little pipeline of things, so you start going and do Daniken's with those, people will catch up to you. Mention also, lately, artifacts with you're doing stuff and
directing people, so if I said that your website is general artifacts, the install log, quits deadly for the Android, everything else is just the same, just like you would with a hand, same way with the music. The only things that we found on the tacit doesn't work is going to ask the contacts and stuff; we don't know what we see, log that was written, that depends on budget phone operators. That's really the thing I get about Android: there's so many different flavors of hardware and then OS, I can't bring things down. That's really what I wanted to look like the distances; I wanted the distance where I can tell you all this, farm everything, but the Nexus is
different for the same size, which is different basically what they're intended; they're not the impunity on the backside as much as possible with forensics, there's playing in place, there's actually folks that I've actually put those to. If you guys are wanting to know how to identify these: if you get a business card from me you can hold it up to the light, you can bend it, you can break it, you can turn it. This is just paper; with these guys, if you hold them up to the light you'll see some of the mechanisms like RFID or the antenna here, you can feel around, they don't bend as easy and there's something inside of it. The stickers we made intentionally so if you
can hold them up to the light you can see everything inside of them. So with the stickers, I did not want to be permanently banned from every hacking conference; I did not want to be run out of town, buddy, all. So we make sure that these could be detected and seen when you hold them up to the light; it's good that has been done, you've got some leeway because we hit that stickers all the time; we didn't want you guys to progress. We also made these little similar to the mystery up stickers for those of the Saudis ladies sort of fall back, so you can run around and have fun sticking these on things before people find the NFC
and verify these properties. Any other questions? You guys want to reach out, any time, any place. [Applause]
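The cards and stickers described in the talk carry NFC data that a phone acts on as soon as it is tapped, and the questions at the end ask how a defender can tell what one of these objects will do. As an added example, not code from the talk or from the speaker's company, the Python below inspects the raw bytes of an NFC Forum NDEF message and lists, per record, what a phone would do with it: open a URL, add a contact, or launch or install an app. The sample messages, the URL `example.com/video`, the package name `com.example.demo` and the "Help Desk" contact are constructed for the demonstration; reading the bytes off a physical tag is left to whatever NFC reader tool you already use.

```python
"""Inspect the NDEF payload of an NFC card or sticker before tapping it.

Added example (not from the talk): parses the NFC Forum NDEF record format
and reports what a phone would do with each record.  All sample bytes below
are constructed for the demonstration; nothing here talks to a reader.
"""
import struct

# NDEF record header flag bits
MB, ME, CF, SR, IL = 0x80, 0x40, 0x20, 0x10, 0x08
# Type Name Format values this inspector classifies
TNF_WELL_KNOWN, TNF_MIME, TNF_EXTERNAL = 0x01, 0x02, 0x04
# URI identifier codes (partial table from the NFC Forum URI record type)
URI_PREFIX = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
              0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}


def parse_ndef(data: bytes):
    """Split a raw NDEF message into (tnf, type, payload) tuples."""
    records, off = [], 0
    while off < len(data):
        flags = data[off]
        type_len = data[off + 1]
        off += 2
        if flags & SR:                      # short record: 1-byte payload length
            payload_len, off = data[off], off + 1
        else:                               # normal record: 4-byte big-endian length
            payload_len, off = struct.unpack(">I", data[off:off + 4])[0], off + 4
        id_len = 0
        if flags & IL:
            id_len, off = data[off], off + 1
        rtype = data[off:off + type_len]
        off += type_len + id_len            # the record ID is not needed here
        payload = data[off:off + payload_len]
        off += payload_len
        records.append((flags & 0x07, rtype, payload))
        if flags & ME:                      # message end: ignore trailing bytes
            break
    return records


def describe(record):
    """Map one record to the (action, detail) a phone would perform on tap."""
    tnf, rtype, payload = record
    if tnf == TNF_WELL_KNOWN and rtype == b"U" and payload:
        return ("open-url", URI_PREFIX.get(payload[0], "") + payload[1:].decode("utf-8"))
    if tnf == TNF_WELL_KNOWN and rtype == b"T" and payload:
        lang_len = payload[0] & 0x3F        # status byte: encoding bit + language length
        enc = "utf-16" if payload[0] & 0x80 else "utf-8"
        return ("text", payload[1 + lang_len:].decode(enc))
    if tnf == TNF_MIME and rtype.lower() in (b"text/vcard", b"text/x-vcard"):
        return ("add-contact", payload.decode("utf-8", "replace"))
    if tnf == TNF_EXTERNAL and rtype == b"android.com:pkg":   # Android Application Record
        return ("launch-or-install-app", payload.decode("ascii", "replace"))
    return ("unknown", rtype.decode("ascii", "replace"))


def triage(data: bytes):
    """Return the list of (action, detail) pairs for a whole NDEF message."""
    return [describe(r) for r in parse_ndef(data)]


def needs_attention(data: bytes):
    """Everything except a plain text record makes the phone act without asking."""
    return [a for a in triage(data) if a[0] != "text"]


def _sample_record(tnf, rtype, payload, first, last):
    """Build one short-record NDEF header for the constructed test messages."""
    flags = SR | tnf | (MB if first else 0) | (ME if last else 0)
    return bytes([flags, len(rtype), len(payload)]) + rtype + payload


# Constructed three-record message modelled on the business card in the talk:
# a URL, an Android app record and a fake "help desk" contact (all placeholders).
SAMPLE_CARD = (
    _sample_record(TNF_WELL_KNOWN, b"U", b"\x04example.com/video", True, False)
    + _sample_record(TNF_EXTERNAL, b"android.com:pkg", b"com.example.demo", False, False)
    + _sample_record(TNF_MIME, b"text/vcard",
                     b"BEGIN:VCARD\nFN:Help Desk\nTEL:+15555550100\nEND:VCARD", False, True)
)
# Constructed single text record, which a phone only displays.
SAMPLE_TEXT = _sample_record(TNF_WELL_KNOWN, b"T", b"\x02enhello", True, True)

if __name__ == "__main__":
    for action, detail in triage(SAMPLE_CARD):
        print(f"{action:24s} {detail.splitlines()[0]}")
```

Run against `SAMPLE_CARD` the inspector reports three records that all act without a prompt (a URL, an app record and a contact), which is the behaviour the talk relies on; `SAMPLE_TEXT` reports nothing that needs attention. The same parser handles the long-form length field, so it also works on messages that exceed 255 bytes of payload.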