War Stories Of A Social Engineer by Chris Pritchard

BSides Cheltenham · 40:29 · 133 views · Published 2022-07
Category: War Stories
Style: Talk
Transcript [en]

Good morning. How awesome is this, BSides Cheltenham in person? Fantastic. Thank you everybody for coming, thank you to the organisers for organising BSides Cheltenham, fantastic to be here. Really sorry to hear about the other gentleman who was supposed to be here, who has got Covid. Today I'm going to talk to you about War Stories of a Social Engineer. For those of you who don't know me, my name is Chris Pritchard, I work for an American company called Lares; now we don't know whether we call it Lares or it's called Lars.

And I'm going to talk to you about how I bypass million-pound cyber security solutions. So, you're a company, you've invested in this tech, you've got lots of tools to protect you, beautiful: you've got next-generation firewalls, you've got this amazing full-time, follow-the-sun, 24/7 SOC with really talented analysts, and you've got multi-factor authentication enabled absolutely everywhere. Brilliant. And you're secure? Well, not necessarily. I want to talk to you about something, so essentially what's the reason, how I bypassed all of that amazing technology and still got in and compromised the business. Now most models base themselves around

Now what do you think is missing from this picture? So, users, absolutely. People. The physical side, the people side: they are also part of that security onion model, and nine times out of ten they're missing. So where is that physical security? Now in fairness, there are some models that do include the physical security side, include users, the people, but you know, 80 percent of the ones that I saw in this research didn't include staff, people. They are part of that. So let's talk about some examples where it was obviously missing from the businesses.

A common definition is the government's way of saying that something is crucial to operate for a society. Now that could be things like train stations, it could be power stations, it could be water; airports are also critical because you need them for society. So I was engaged to come and test a company that is critical infrastructure, and I have to say that their external, internet-facing side was really super secure, brilliant, that's a good start. Their head office was also, I think, pretty secure in there, because I did see some things, but they were a little risky and there was a good chance that I might have been

caught. OK, maybe I don't want to do this. Day one, week one or whatever, what else is there, what else could I get to that would allow me to get into this? Well, what I found was a satellite office that wasn't quite so secure. And so I thought, right, I know how I can get in here. I constructed a pretext, a story as to why I should be there, and I drove up to a very high-security barbed-wire fence with a big electronic sliding gate thing, and I rang the intercom and I said, "Hi, it's Leon from the IT network team here," and I heard "hmm" back on the intercom.

Oh, and then all of a sudden, open sesame, the door opens. Oh, OK. And that was pretty much the look of surprise on my face as well while this door opens. I literally just said, "Hi, it's Leon from the IT network team." OK, so I get in there and I get into the office and I start talking to the engineer who

Now he had a little bit of an issue with the IT team, which he was happy to talk to me about, last time, which was very nice as well. And he said to me, "I've designed an app for my mobile phone that allows me to walk around the site and control various systems, and I went to the IT team and they said no, you can't have this, you can't have this, it's a security risk. It's not a security risk, you know, this is because they could literally just jump over the walls." Another time I'm trying not to spit out my drink, because I literally sat there listening to him telling me about a hacker

And then I thought, well, you know, what does a hacker actually look like? Because your threat model isn't obviously my threat model; it could be different. I think his expectation was basically this: someone jumping over the fence in a black hoodie, you know, middle-of-the-night type stuff. In reality, what he actually got was this. OK, so that was that. Particularly a lot of fun: full network compromise. They literally opened the door to me saying

really good, and physical access wasn't quite so secure, again. I thought there were lots of satellite offices, and into the head office as well, on the internal

And by that I mean, when I say I'm Leon from the IT network team, trust, but then go away and verify if necessary. We need some friends with you to come and challenge me, because I'm not the IT network team.

That isn't me.

is really good, it's really important, but of all the people in the organisation, who has got the authority? The highest person in that company to be able to challenge me, the highest one is probably used

And I literally went up to them and said, "Hey, it's Leon from the IT network team again, and I'm from the other office and my swipe badge doesn't work in this one, is it OK if you let me in?" "Yeah, indeed, I'll let you in." So I want to talk about badges, for example. The contractor badge that I'm wearing here, I'm wearing on purpose. I do have a nice collection of badges back at home; I don't wear all of them at once, obviously, to get into places, although that could be an interesting test. Badges are really interesting, because if your company needs to wear a badge then they will probably do so in a very

simple style.

I was engaged a little while ago to come and test a US, well, an American company who had an office in the UK. I thought, OK, how am I going to do this? I know, I'll say I'm a contractor, right. So they get contracted for a job, they walk into the office and somebody says, "Oh, are you in the right office?" and I said, "Yeah, yeah, I am in the office, this is this office."

I didn't even try to put on an American accent, because that's a bad idea, but because I said I was a contractor and I had the reinforcement of wearing a contractor lanyard, it was accepted.

And they showed me where the coffee machine was.

C-level exec and said, "Hey Bob, can Leon borrow your badge for a second? He needs to go to the toilet." "Yeah, yeah, sure, no problem." What? This is not the way it's supposed to work. And it was crazy, it was absolutely crazy. I got introduced to all of the C-levels and the HR director, and I was given one of the C-level execs' passes for the day.

OK, what about airports? That's super secure, got to be one of the most secure places surely, lots of physical security.

Now, again, in this case there is

And so it's going to be really, really hard to get into, right? Because you've got signs like this: it's a security restricted area, you're not allowed in here, basically. Now what I found really, really interesting is it's an offence to enter this area unless you've got a reasonable excuse. Why would you need a reasonable excuse to go into an airport? Ah, OK, strange. Anyway, it turned out that it actually wasn't quite so difficult to get into, and I'm not just talking about all the way into where I should not be; in fact I couldn't believe how easy it was to get into the places that I should be. And so I went out

and came back in again, and it was still easy. I thought there's something wrong here, somebody's missed something or I've just totally fluked it. So I went out, back in again; I went out, I came back in again, five times, and in the end the CEO said

And they gave me targets. I did the first target: oh, that was really easy, we'll give you a new target. It's all right, don't worry, we're giving you a new target. And they kept giving me further depth, if you like, into the airport, and kept giving me a new level. And unfortunately it was crazy easy. It's OK

to get

Again I got in, unfortunately, but what was great is they made massive improvements since the previous test. So they read my report and they went, "Oh OK, we'll do all these recommendations." Brilliant, that's what every tester wants; every tester wants you to go and take those recommendations. Fantastic. So they made all these improvements, and I looked around and did some reconnaissance on the site.

Out of the box a little bit here about how I could try and get into the system, and what there was, was a hotel literally across the street from where

it, and I attached it to an amazing Canon EOS 5D lens, and you put it on a monopod. And if anybody wants to do this, don't hire a monopod, because those lenses are super, super heavy, and if you're standing there with a monopod with a super heavy lens on for four or five hours... invest in a tripod. And I went to the hotel and went to hire, to buy a room, and do whatever; yeah, just one night, I want that room just there, OK. And what I did is I went and hired the room and stayed in the room at night, but the next morning I got there really nice and

early, stood there with the monopod and the camera lens like this, and I was looking down

and I could see clearly enough that I could capture people's complex passwords as they were

desktop. And what do most people put on these these days to check those things? And that is right: now we all know MFA is great, it's a fantastic thing to have, but it is just one part of your security.

fine, and I will try and get them to approve my push notification. Now they probably had one or two, and hopefully I put it in at the same time as they potentially log on, and they did: "Oh, the system's probably making a mistake or something, I will approve." Thanks very much, the network team is in the network now, thank you. So that's one way, and then the other way is you just keep on sending them push notifications until they get really, really bored and they accept; they're bombarded with all these push notifications. I have to say that is a really successful method that we use to get in. So do you worry about that?

So that's the push notification. Now some companies have got the six-digit code, the rotating code.

Well, the easiest way that we've discovered is ring them: "Hello, hi, it's Leon from the IT network team, your MFA codes are out of sync."

And what they'll do is they'll just read out those two codes, two six-digit codes, for me to get things back in sync. Now crazily, that works a lot, and it is showing how often that works. So yeah. Now what I want to be fair about here is: we are giving the end user technology, and we are assuming, because we're IT professionals, that the end user knows and understands the risks, the attacks. Now nine times out of ten they don't, and that's a big thing that I think we need to improve; I don't think we do that well. I saw a thing in a journal at the beginning of the week that said the

key challenge holding MFA back is not the technology itself but security's inability to communicate MFA in simple terms that a workforce can easily understand. Now I get that. My wife is a personal assistant; she is contracted out to go and work for people. Recently she was employed by a CEO, and the first thing that she said to her is, "I need help with my diary." My wife said, "OK, what sort of things do you want to do?" and she said, "I am"

This is interesting, let's see: people write this out

in there and send them the info. Now, if the CEO doesn't know that, what hope have they got? If we give them anything, you need to educate them, we need to tell them about these things and we need to help them understand risks. So let's talk about some solutions, if you like. We talked about that security model at the beginning of it: you need to make sure physical, social engineering and users are in your security model. It's really, really important, it is such a massive part. If you've got all of these amazing million-pound cyber security solutions and I can bypass it by walking into your office as the network team, that's definitely an

issue. I saw some research published literally yesterday, I think it was, that says we are going to spend 133 billion pounds in 2022 on cyber security solutions. 133 billion pounds. If I can bypass them by walking in, it's not very well spent. It's because we're only focusing on technology; we need to focus on people as well as part of our security solutions. And same thing again: don't just dump technology on end users and expect them to understand all of the new risks and attack surfaces that come with that. Sure, things like security awareness campaigns are really good, but nine times out of ten they're focusing on spam, phishing attempts and things like that.

You're not focusing on people coming into the office going, "Hi, I'm from the..." So think about that when you start doing your security awareness, and also encourage and empower people to challenge. Again, if you're not comfortable with it, do the trust-but-verify.

It was brilliant. I went into an office in Edinburgh and I said I was from the London office and had come up to see somebody, and, "Hi, I'm Leon from the London"

And what he'd done is he'd used the trust-but-verify model, essentially, and they had an internal site with employees' pictures on it. He looked at me, then he looked at the employee's picture on the web page; the two were not the same, and I knew and he knew as soon as he started checking, yes. And yep, sure enough, five minutes later two people appeared by my side and went, "Come with us."

because otherwise this attack would be really, really successful. If you've got one person who saved you, you know, someone take them out to dinner or something like that. And then think about how you can include all of these attacks in your security awareness, because at the moment what I'm seeing in businesses is we're focusing on spam, we're focusing on phishing attacks and things like that; we're not focusing on

raised. OK, that is it for me. Has anybody got any questions?

Yes. So the question was, has anybody... have you ever gone into a big company and said, "Your day is messed up"? I tell you, yes, absolutely, yeah, yeah, yeah. It's so full


I don't want to give away too much information specifically, but I can tell you that I basically had a polo with the logo on it, and I did some reconnaissance, and what I noticed was the airport staff had a variety of badges, so they didn't just have one badge.


by emulating those things. Any other questions? Yes.

He actually had to pay for it, because my credit card at the time didn't cover four thousand dollars. I think because it was a rental and I was going to get the four thousand dollars back, it was basically an insurance cover rather than it costing me four thousand pounds. I think it costs about a thousand to actually rent it, but they wanted four thousand pounds to cover the cost of me potentially breaking it. I think what I said is it's only a thousand pounds but we need five

back up again. OK, so the question was, how did the password that I saw through the camera lens give me access to the building? It didn't get me access to the building. My job in that particular engagement was to get compromise on the network


and then I'd obviously got the videos

media for quite a lot, because, as in a previous question about the competitor, I want to emulate stuff


Yeah, so the question is


because

is not quite the same, it's similar but it's not quite the same, and then hopefully

but it is

Yes, so the question is, has hybrid working factored into social engineering? To a degree, yes, because I now rely on elevators


It's first... So the question was, when you're doing this, how many times do I have to target that company to get push notification


Any other questions? Hello.

So the question was, would I ever compromise home networks to get into a business? We've got something amazing in the UK called the Computer Misuse Act, and I cannot compromise the home network. But that is not to say that somebody else wouldn't, a genuine attacker, if the target was valuable enough. Yes, I'm sure it is, because the standard default password

years ago is only eight characters, and the characters used are limited character sets, so it's quite easy these days.


OK, I'm pretty conscious of time, so fast


technology

OK, I'm really conscious of the time. Thank you very much. Some links on there to contact me if you want to. I didn't talk about the death penalty

as well. If anybody sees me around today, please come and say hi, please come and ask me questions. I'm very approachable; come to me and ask me whatever you want to talk to me about. If you don't want to talk to me... thank you very much, enjoy the rest of your day.