
Tales from the Crypt

BSidesROC · 50:34 · 46 views · Published 2025-03
Category: War Stories
Style: Talk
About this talk
The speaker began his career in InfoSec at the National Security Agency first as a Cryptologist, designing and fielding the first software-based cryptosystem ever produced by NSA, and later becoming the primary architect of the first NSA Red Team. This talk will focus on his transition from NSA to the private sector in the early days of Information Security consulting. He will recount stories from the days of trying to convince companies to think about Information Security from a strategic perspective rather than just selling them a bunch of blinky boxes and telling them where to place them. Of course, we’ve solved all these problems from the early days…or maybe, just maybe there are still lessons to be learned.
Transcript [en]

All right, one door's closing. A couple more folks coming in. Come in, sit down. Don't be afraid. Make friends. So, I get the easy part on this one. I'm very fortunate. I fly in, I get to just introduce somebody, and I don't have to worry about giving a talk, which is rather nice. But I am going to take a minute or two. For those of you that have been hanging out in this industry for a while, there's a lot of us that would probably consider ourselves at the tip of the spear. Be it from a research standpoint, be it from a standpoint of red teaming, on the blue teaming side of

the world, whatever you might say, we are the ones that take all the intelligence that's handed to us and take actions and do things about it. And if we relate that back to previous worlds, how many of you are former mil or former .gov side of the world? Yeah. So, Jeff and I were talking, was it last night? We were having a bit of a conversation, weren't we? Jeff and I were talking last night about being out in the sandbox. He and I are old enough that we were, well, I was prancing around the first time around we went into the sandbox. And typically, when you get sent into those situations, at best you have maybe

70 or 80% of the intelligence. The general idea being: would you shut the hell up and either come in or get out of here. Get your tips. Would you sit down? Stop being a trouble. You're a troublemaker. [Laughter] So those of us that are typically sitting on a vehicle of the military's choice are normally going with about 70 or 80% of the intelligence or information. It's the same thing in the digital world, you know; as we are building up architectures and systems, we have maybe 70 or 80% of the intelligence, and the rest of it we rely upon everybody else to provide us, to make sure that we can get in and get out, preferably without being

too shot up or anything else along those lines. And as we say in this industry, it takes a family. No one person in this room, or any of us, can defend and look after the very folks around us without information from others. I think that's one of those things that we tend to forget. We all stand there and go, "Hey, we have to do this alone." And that's not the case. That's why we have BSides and that's why we have other things. But bringing it back to Jeff, I'm very, very fortunate, because when we were bouncing around the sandbox, Jeff and the team back at some very interesting buildings on the East Coast were providing us with

the information that we needed to make sure that a team of us went in and a team of us came back out again. So Jeff is going to be talking about the afterlife. In other words, what happens after you leave those all sorts of interesting agencies. So, it does give me amazing and great pleasure to be able to fly up here, hang out here, and introduce Jeff Man, who I consider not just friends and family, but somebody I look to for information, intelligence, and data. Jeff, it's all yours, sir. Please take it away.

Now, you, don't be a troublemaker. Sit down. Sit in the back. That's fine. So, my name's Jeff Man. I usually would walk around, but I've been told I have to stay in camera range. So, to make a good video recording, I'll try to stay put. Helps me look at my notes and stuff. That's my contact information. Please feel free to reach out to me. One of the things that I do is try to mentor and give back to the community, answer questions. I don't always have good answers, but I'll at least listen to you. If by the end of the presentation you want to get in contact with me, that's the information. This is the

most important date in our lives. Does anybody have any idea what this date is? What is the meaning or significance, or wants to take a guess? Sorry. You're close. No, that was a good guess. That was much before that. That was in the 80s. That was probably 10 years before this. Anybody else have a guess? I don't know. Yeah, you're overthinking it. It was close to saying the beginning of the internet. It was the beginning of the publicly available World Wide Web browser. And that's what really opened up the internet, which had been around for, gosh, 10 or 15 years prior to that, but it really opened it up to everybody. Who am

I? Some of the things that I do is co-host a podcast. I've been doing that for about nine years. A podcast called Paul's Security Weekly. Anybody listen, watch, sign up on all your major podcasters? Thank you for listening. I apologize. Just in the last couple of weeks, corporate decided not to let us broadcast live anymore. If any of you ever used to listen live, we would interact on Discord and YouTube chat, and it was a lot of fun. What else about me? I do identify as a hacker, and I have the hoodies to prove it. One of our listeners, a couple of years ago, when I posted this when we used to do a

bunch of stuff on Twitter, they updated the slide for me. [Laughter] A couple of years ago a series of books came out called Tribe of Hackers. Anybody? Tribe of Hackers. I am one of two people that are in all four books. You have to get the books to figure out who the other person is. I've also been on podcasts, been interviewed; you know, my favorite is Darknet Diaries. Check out the artwork. I'm off camera a second. Almost a coincidence, but the artwork for my segment, which was called NSA Cryptologist, happened to be available as a t-shirt. You can get one, too. It was only like 15 bucks. It's pretty cool. If you see me walking

around today and see my badge, which I took off, you'll see I wear a sticker. I bring my own badge ribbon that says Cro-Magnon, because I am a member of what's called the Cabal of the Cro-Magnons, which is a group of old-timers that are pretty much disgruntled and cynical, but we haven't completely given up hope. Our Cro-Magnon in chief, a gentleman named Gene Spafford, or Spaf, predates me in this business by about 10 or 12 years, and I've been in this business over 40 years. So there's some people there. You may recognize some of those faces. Very briefly, my background spans over 40 years. I

got my start, as Chris alluded to, working for the government, working for three-letter agencies. I came out into the private sector about 28 years ago. Am I losing count? Call it 28. Which is really what this talk is about, when I finally get to that. Shameless pitch, because they pave my way to come to these conferences: I work for a company called Online Business Systems. I work on the security side. We call it Risk, Security and Privacy. So I do consulting and advisory work. We don't deal in the tech. We deal with people, teaching them how to use the tech and do it in a secure manner, with

secure processes and following certain frameworks, which I'll get to later. This talk is called The Afterlife. It's the third in a series of talks that I've given over the years, the first of which being called Tales from the Crypt... Analyst, because I was in fact a cryptanalyst at NSA. That's kind of where I got my start in this business, sort of formally, dating back to the 1980s. There's a whole talk in this, but if you haven't seen the talk, just very brief highlights. Some of the things that I did in my first couple of years at NSA: I was responsible for the design and production of what I

believe to be the first software-based encryption system that NSA ever produced, which was simply taking a one-time pad, which is the most secure form of communication, unbreakable. If you want to keep something secret, use a one-time pad. But it was semi-automated, in that a one-time pad enables communication between two points. One of those points got to use a computer, and the key that was printed on paper on one side could be put on a floppy disc. So, software. Another thing I did, working with US special forces, was to design a cipher wheel that ended up being used by the US special forces for about 12 years. It

was a way for them to do their encryption using one-time pads a little bit quicker. Which I have come to learn over the years they very much appreciated, because it helped save their lives on the battlefield if they could encrypt and decrypt messages a little bit more quickly. Shameless pitch again. That cipher wheel is actually about to be put on display at the National Cryptologic Museum, which is right outside of NSA headquarters near Baltimore, Maryland. If you happen to be in town on April 29th, we're going to have a little reception party just to celebrate that. The last thing I did, well, one of the last things I did in this early

phase was also work with US special forces to upgrade their communications base station, which the public world sometimes might know as numbers stations. We did the same thing. We took one-time pad key, which in the case of the base stations was being produced on punch tape, if you're old enough to remember that, and again put it on floppy disc. I was around, as Chris alluded to, for that first skirmish in the desert, Desert Shield, Desert Storm. And if you want to hear that story, go on YouTube. There's several versions of it recorded. My favorite is from BSides DC. So if, after hearing me talk today, you want to get more of the backstory, you can go

check it out. The sequel then was my last couple of years at NSA, which is what I'm mostly known for in this community, which is I was responsible for architecting the first pen testing team at NSA. Why do I say that? A book came out a couple of years ago called Dark Territory. Chapter 4 was entitled Eligible Receiver. Eligible Receiver was the quote-unquote first joint hack of the military and the government and the DoD, performed by a team from NSA with other people mixed in. The book talks about this group operating out of a secret chamber called the Pit. It's in a book, it's in writing. The Pit was actually the

nickname for the office that I used to work in with this small group of people that were committed to learning how to do network testing, pen testing, learning how to break into people's systems and networks in order to tell them what their vulnerabilities were. The Pit was actually people, at the end of the day. There were six of us, two of whom still work there. Actually, I've got to update this, because one of the guys still there, I learned recently, retired. Four of us came out into the private sector. The only one that I'm really allowed to say publicly was also a member of the Pit is the guy on the

end there. Anybody know who that is? A gentleman named Ron Gula. Ron Gula was the founder of a small startup in Maryland called Tenable Network Security, producers of a scanner called Nessus that you might have heard of. So that was sort of the formation of the Pit. The Eligible Receiver pit was the B team, and they acknowledged that. We actually, inadvertently, didn't know it at the time, were training them, because the intent of Eligible Receiver was to let casual hackers try to break into the government, not the people that focused on it. But what we were doing in the Pit, and what I was sort of

responsible for, was sort of the bizdev side of things, working out the procedures and the methodologies and talking with our clients. Word got out and we started working with, being sought after by, agencies outside of the DoD, in particular the Department of Justice. So this, you can see the date, August 1996. This was the culmination of several months' worth of paperwork and talking to lawyers and getting everything ironed out to actually do a penetration test of the Department of Justice internet presence. You can see at the bottom there I'm listed as the point of contact, and that's signed by the Director of NSA at the time. Note the date, 21 August

1996. That letter had been signed the week before. I think 21 August was maybe a Thursday. Maybe it was a Wednesday. Somebody look it up. The weekend before this happened, the very first hack of a government DoD website: the DoD website was defaced by a group of hackers, and they replaced the attorney general at the time, Janet Reno. They replaced her picture with Adolf Hitler and so on and so forth. That happened on August 17th, 1996. I got a call that Monday morning from my client, my customer, and he said, "Help. This happened." I took a team down by the next day, Tuesday, to do forensics. There were no guides. There were no training courses.

There were no publications. Nobody had ever really done it before, but we went down to see what we could do. They did like most people did in those days when there was a problem. And in those days, everything was on servers; it was all hardware, and you hosted everything yourself. They pulled the plug and they rebuilt all the systems. So, there wasn't a whole lot of evidence to find, but they had other systems that hadn't been touched. So we were spending a couple of days trying to figure out if we could find any evidence, any footprints of any activity. On a Thursday, I got a call from the home office and,

excuse my French, but this is the literal quote: "Jeff, the shit's hit the fan, you've got to come back." So, I was brought back; we all drove back to NSA headquarters. We got brought into the deputy director's office, and I proceeded to be read the riot act, because what we had done was apparently illegal and somebody blew the whistle on us. And it kind of relates to NSA; think Edward Snowden, and think how people have thoughts about NSA these days. What's NSA's purview? What are they allowed to do? The rule, quite simply, is NSA is not supposed to do what NSA does to US citizens. So

even though we were the good guys doing the ethical hacking, somebody got their nose out of shape at some political level and blew the whistle on us. Because I was the ringleader, I was put on double secret probation and I was investigated by internal security, and the upshot of it is I left. I wasn't fired, fortunately, but they were really happy to see me go. My lesson learned from NSA is, I think, summed up in this cartoon; I'll let you read it for a second. And again, more of that story can be found in the sequel; find it on YouTube, because that's just the prelude to what I

want to talk about today. I did pretty good. So, the afterlife. I left NSA by the end of September 1996. I had already been talking to companies out in the private sector. Those of us in the Pit, a lot of us wanted to get out. We were, to be honest, the private sector pays more than the government. I think that's still true to this day. So, we all had sort of dollar signs in our eyes. But more importantly than that, at least for me, I wanted to get away from the bureaucracy and I wanted to get away from the politics. The fact that it took us 2 or 3 months to figure out how to do a

penetration test of a civil agency. If we could have had a system or a process to be able to put that engagement in place in maybe a week or two weeks, maybe that hack, that compromise, wouldn't have happened. Maybe it would, but maybe it wouldn't have. I wanted to go out into the private sector, where things would move a little bit quicker. I was anxious to leave, and ironically the government, if you know the government, their fiscal year ends at the end of September, which is one of the reasons why I left at the end of September, because they happened to do a buyout program that year. And they, even though they wanted me to

leave, they ended up paying me to leave. So, I got this nice fat bonus check to leave the government and go out in the private sector and immediately get, I don't know, maybe a 30% raise. I was a little bit desperate to get out by the end of September. So, the first place that gave me an offer was a company called Computer Sciences Corporation. I was only there for 6 months. The guys that hired me, who I'd been talking to, left shortly after I came to work there to start their own little company, because a lot of that was going on back then. What's notable about my time at CSC

is, I worked in the same building, in the same office, as another hacker that's somewhat famous over the past couple of years, a guy named Johnny Long. He wrote a book on, I think, Google hacking. Somebody help me out. And he's been kind of quiet the last couple of years, but he's very much been involved in providing computer and network and security to underserved countries, especially in Africa. So he's, you know, he's gone on and done good things. But because I was kind of stuck at CSC and nobody knew who I was, and nobody knew that I had been brought in to sort of spin up a

commercial division as a sort of a deputy to this one group, and they were just throwing me on hourly work and contract work, I kept looking, and I ended up going to work for a company that was a government contractor at the time. There's a lot of those around NSA, but they were trying to spin up a commercial consulting practice, a commercial security practice, trying to focus on bringing this thing we called information security, internet security, network security out to the private sector and away from doing government contracting. And we did some pretty cool stuff, but it was pretty simple back in those days. There weren't the plethora of solutions that there are

today. There weren't that many companies. There weren't conferences like this. There wasn't training. There weren't certifications. There weren't college degrees. It was basically companies that were trying to figure out how to make use of this new thing called the internet. And they wanted to plug in their corporate background to the internet. And we basically would go out and show them that that's a bad thing by breaking into their networks. And the best thing to do back in those days was to put up a firewall, because that's about all there was in terms of defenses back then. So we would go in and do architecture. We'd do consulting, like: this is how you need to

set up your environment. This is how you need to set up your perimeter. This is how you need to have firewalls in place, and so on and so forth. We didn't actually do the installation work. We thought that was boring. We would farm that out to another company, a partner. More on that later. SANS was an organization that existed back then. They were about the only game in town. And back then they mostly put on like five-day conferences once or twice a year, training courses, you know, with a vendor conference similar to like a Black Hat conference these days. Kind of similar to this in some sense, where there's training, there's learning, there's vendors to learn from, except for back

then there weren't that many vendors. But they would put out these, like, once-a-year roadmaps to explain all the different aspects of information security, and then they would show all the different companies that did all the things to help you out. Reading the small print under Security Services, Penetration Testing: back then it was mostly the Big Five accounting firms at the time, big IT services companies, but you look down there and there was my company. We were on the list as one of the penetration companies that was out there doing the things back then. What did we do? I mean, I took what I had learned how

to do in terms of the methodology of pentesting at NSA and brought it out to the private sector and, sorry, I accidentally hit the advance. It's pretty simple. It's kind of how we do it today. We have different names for it, but you figure out what your... Stop doing that. I must have it on a timer. I'm sorry. You figure out what your targets are. You figure out what's available, and you go and figure out how to break into it. It's based on a movie that came out in 1992 called Sneakers. Yay. Best hacker movie ever. After WarGames, I guess. WarGames is the original. But

the OG. I'm the OG. The movie Sneakers, though, is interesting, because most pentesting, red teaming companies to this day pretty much follow the methodology that's spelled out in this movie that came out in 1992, which by my math is over 30 years ago. In that movie, there's a quote, there's a sort of a pivotal scene between the Ben Kingsley character and the Robert Redford character, where Ben Kingsley, who's playing the quote-unquote bad guy, says to his friend, "There's a war out there, a world war. And it's not about who's got the most bullets. It's about who controls the information. What we see and hear, how we work, what we think, it's all about the information."

Kind of why we're here today, right? 32 years ago. I won't dwell on this, but, you know, details. These, by the way, are slides that are 26, 27 years old. These are the actual slides that we used to have to go out and sell our services back in the late '90s. So, we explained how to do all the different aspects of it. Penetration testing, what we called penetration testing back then, is what most people refer to today as red team. We didn't really have that distinction back then. To be honest, what we mostly did was vulnerability assessment, because most companies wanted to know what all the holes were. I

always used to start the conversation with a potential customer: What do you want us to do? Do you want us to find a way in, or do you want us to find all the ways in? They always said all the ways. So we ended up doing primarily vulnerability assessment, starting with some of the rudimentary tools that were available at the time. Predating Nessus, there was a tool that was a vulnerability scanner called the Internet Security Scanner, or ISS. That tool started out as freeware. We actually used it when we were at NSA. They became a commercial company. They closed-sourced it; it turned into the company called ISS, Internet Security Systems. They produced a suite of tools,

and what was very common back then was there were very few security companies, and they would get snatched up by larger companies. So ISS was snatched up eventually by a small company called IBM. They rebranded all their products, and one of the things they did was produce one of the first of what they called intrusion detection systems, you know, something to monitor the network and monitor the activity, especially stuff coming through the firewall. They called it RealSecure. They put out really cool marketing graphic novels. They pulled it a week after, well, days after they published it. And I apologize to the ladies in the room, because this was the

feature that was the bad guy, was the female character there. And RealSecure was that sort of demonic-looking harpy or whatever it is. But they did have a sense of humor, and the back page, if anybody's ever read comic books or graphic novels, they kind of had a humorous aspect to it. But the thing got pulled. I happened to get one and I kept it, and I scanned it so I could make fun of them years later. When we were starting out, I didn't want to use the ISS scanner, because everybody was using it. We wanted to be different. Almost the same day as I went to work

for Nichols Research, this guy up in Canada published on a bulletin board that he was starting a company and he had his own vulnerability scanning tool called Ballista, and I thought that was interesting. So I got in touch with them by email, found their website, back in the days when websites were written in HTML and there were no moving parts to it, basically. But we ended up using this tool called Ballista. Ballista was sort of the thing that we used to do the vulnerability assessments. It was different from ISS. It had sort of an interesting interface where it had... I think I still have the source

code somewhere. I don't know of anything out there it could run on, but it would let you, kind of like in a Tron fashion, fly 3D through a network and zoom in onto a server, and then you could click on it and expand it and it would show the list of vulnerabilities that had been discovered. It was kind of cool. One of the things that came out of the company that was Ballista, Secure Networks Incorporated, was a book; it's not a book, it's a paper, that is to this day sort of a classic research paper on how to evade intrusion detection systems, written by a guy named Tom Ptacek.

He's in the community somewhere, although I've never met him. But I mentioned it was common at the time. You don't need to take pictures. I've got something for you later. I'm going to quit... quittish you. What's the word? Quish. I'm going to quish you later on. As was common back in those days, security vendors would pop up and they would get snatched up, and so Secure Networks Incorporated was bought up after only about a year. Look at the date there. By a company called Network Associates. Network Associates was one of these buying-spree companies that wanted to get into security, because they thought, "Hey, there's gold in the

thar hills." Again, they had this weird marketing campaign. Back in those days, they had magazines that were printed on paper, and these would be full-page ads that were running. We were always mad, not that the hacker in this picture was a scantily clad woman; it was that she was running Windows 95 as an operating system. Who did that back then? But this company, they snatched up McAfee to get the antivirus. They snatched up PGP for secure communications. Network General, Sniffers. You've never heard of that. You've probably heard of something like Wireshark. Thank you. You're old. I have one. Oh, you have one? Yeah, I used to use

Nice old time. It should be in a museum. There were companies back then, as I said, few and far between. I had actually interviewed at Trusted Information Systems. There was another company called WheelGroup that had people that I had learned from back in the DoD days. They came out of the Air Force down in San Antonio and started WheelGroup. And they sort of were the first commercial company that did, sort of, giving you tools to do security operations, monitoring and things like that. Trusted Information Systems was known for the first firewall, largely credited to a gentleman named Marcus Ranum, who wrote something called the Firewall Toolkit, which was

open-source code that was, for decades I think, source code that was in just about all the firewalls that were out there. When I interviewed with Trusted Information Systems, I actually interviewed with the woman that was running their consulting practice, their pentesting team. She at one point was married to Marcus. I think they were divorced at that point. But at some point at Nichols Research, we were able to get her to come over, because guess what happened to Trusted Information Systems? They got snatched up by yet another company to get the product, and they sort of let the consulting team adrift. So at some point the team that

we had put together at Nichols Research, and we eventually started calling ourselves the Information Security Group, because after all this is all about information security. But we had this woman from Trusted Information Systems. I was from NSA. We had someone working for us that had done securing the network at the US House of Representatives. Somebody at the White House. And two guys that were responsible for security at the time at the Securities and Exchange Commission. We used tools, again, not the norm. Back in those days a lot of people were accessing the internet over phone lines, and out-of-band communications to get to networking equipment was very often done over phone lines by modem. So we did

this thing called war dialing. There was a freeware tool called ToneLoc, but we did a commercial project, mostly because it was the product of a woman who had been sort of our den mother at the Pit. She was the one that was talking to the senior-level management at NSA, a woman named Becky Bace. If you don't know who Becky Bace is, do the research. We used to call her, literally, Mom, because she would shepherd us, and she was talking to all the suits, which is what we called management back at NSA, and whispering in their ear, telling them, "I know you don't understand what these guys are doing, but they need to be

doing it, and you need to let them do it." She's actually the person that invited me into the Cabal of the Cro-Magnons. You have to be nominated and you have to have somebody second it. So she got me into the Cabal of the Cro-Magnons back in 2017, two months before she passed away. So, a moment of silence for Becky. We had some pretty cool clients back in those days. Again, there weren't that many companies doing this. There were companies mostly in the area, but, because we were also doing contracting work in our company, we did have some government clients, one of which was an organization called, I

forget what the ASC stands for, but it was basically, yeah, you can read it; it's small print from where I'm at, the angle, bad. Anyway, it was a research group that was sort of joint forces, and they had, at the time, the best supercomputers, all the different brands that were out there, and they hired us to pentest the whole environment. I mention this because: lesson learned. When you're doing pentesting, we all knew that you had to inform people that you were going to be doing the activity, because if they don't know, it looks like illegal activity. And we also would walk around with what we called a get-out-of-jail-

free card, in case the FBI happened to show up at our door, or various forms of law enforcement. What we neglected to do, and our customer neglected to think of, was this was an organization that was being run by the Army, but they were tenants on an Air Force base. Guess who owned the network on the Air Force base? The Air Force. Guess who forgot to tell the Air Force that we were going to be doing the pen testing? The Army, the customer. So after the first day of testing, we got a phone call saying, "Hey, there was an Air Force CERT advisory issued against you guys." I would love to get it. I'm

working on getting it. But the Air Force advisories were classified. But I know people. So someday, hopefully, there's a slide that actually shows the CERT advisory that was issued against me back in, I want to say this was like 1998. One of our other customers was a company called Digex. Digex was a hosting company back in those days. If you didn't host your own network, you would go to, similar to an Equinix. They were providing the rack space, and everybody could have all their servers, and they would lease servers, and we became partners. We had marketing slicks brought up that had our branding on it as well as Digex.

I mentioned earlier that we didn't do the firewall installs. We would farm it out to another company. That company was called Riptech. Riptech was started by a gentleman named Amit Yoran, who's now the CEO of Tenable. He replaced Ron Gula. Gosh, it's been eight years ago now. Yeah, it's been eight years. Wow. I met Amit shortly after he came to work at Tenable. I used to work at Tenable, and I'm talking to him. I said, "Hey, you know, I never met you in person back in those days, but we used to throw a lot of work at you for firewall installs." And he says, "Oh my gosh, I have you to thank for my career, because I wasn't even sure I wanted to do security, but you guys were giving us so much work, I decided to stick with it." So, you're welcome, Amit. Unfortunately, he just posted this week that he's going to be taking some time off because he's been diagnosed with, he said, a very treatable form of cancer. He didn't say what kind. So, thoughts and prayers and all that warm fuzzy going out to Amit.

Digex: the guy that owned it sold it off to a company called Intermedia, and I guess he took the proceeds. This is the guy here, Chris McCleary. And he started up a company called USinternetworking. USinternetworking was one of the first of what we would today call cloud providers. They didn't call it that at the time. They called themselves application service providers. But they had the idea of, instead of all these companies buying licenses for all this technology and applications that you use, why not we buy it and we just lease and rent access to it, and we'll take care of the headaches of maintaining it. So because of the relationship, we became their security architects, security advisers, and this leads to my all-time favorite penetration test. When I was putting this together, I actually found the report that we wrote up for this thing, and it goes back to 1998. In fact, it was September 4th there.

They had brought in somebody to be effectively their CISO, although we didn't really have that term back in those days. And that person got frustrated at some point with management not listening to him, not giving him the funding and the resources he needed to do what he felt like he needed to do to protect their environment, an environment that not only was going to have their data, but data of all their clients. So he said, "Okay, I need you to do a no-holds-barred pentest. I'll give you 48 hours." It was a weekend. Do what you can do. Do as much as you can do. Rape and pillage. No holds barred, just do it. So, we did.

This is sort of the bullet points of what kind of access we got. Down at the bottom, it talks about how we initially got in. Does anybody have an idea of what we might have done with a misconfigured SQL server? Anyone? Injections. A good guess, of the SQL variety. Thank you very much. Port 3389, for those following along at home. So, we got our initial access through something that was publicly available to the internet, and we were able to do SQL injection. We gained access, and because I was told rape and pillage and do as much, not damage, but just get as much information as possible, when I was looking around the inside of their network, I found a server that had in its name TEMC, which stood for Tivoli Enterprise Management Console. Tivoli at that time was a network monitoring tool. And I thought, what system in this entire network is probably trusted by everything? Yeah. So I was still using Ballista, but Ballista had been acquired and they got rebranded, and the tool was now called CyberCop. So we uploaded CyberCop and ran it from the Tivoli Enterprise Management Console on their entire enterprise. And I printed the report. It was about 800 pages. And I plopped it on their desk and said, "There you go. We did all the things."

Just for giggles, we did some password cracking. Look at some of those passwords. Now, to be honest, back in those days, the passwords were available in the /etc/passwd file. They weren't hidden back in those days. So, it was easy to get to them once you were on. And it was back in the days where everybody would get an account, but not everybody yet was getting on the computers and the networks, because they didn't have a need, or if they did, it was very cursory. We also did the Windows cracking. So take a look at some of those passwords, just for giggles.

Now, an interesting turn of events. I was responsible for Amit's career. I was responsible, in part, for Ron Gula, because he came to the Pit and I was one of the people that taught him some of his first pen testing skills. Yeah, we were peers, but that's the story he tells. He also at the time was working for USinternetworking, and he was so frustrated by the... does that mean I have five minutes left? Well, I'm going to take a little longer. We'll give you 10. All right, fast forward. And that's okay. He was so frustrated at how not well the intrusion detection systems were working, and the fact that we had gotten in undetected and we were inside undetected. He thought he could do it better. So, he actually quit USI and started a little company called Network Security Wizards and wrote an intrusion detection system called Dragon. And of course, Dragon, like everything else back in those days, was snatched up in about 18 months, and he took the proceeds, and that's when he went to start Tenable. So Ron thanks me twice for his career, Amit once.

I'm doing other things. I got bit by the dot-com startup bug, and at some point I decided to go work for a company called Meta Security Group. One of the founders of that is somebody that was our client at Digex originally, and he basically took our whole team from Nicholls and moved us over to Meta Security Group. It was a dumb idea in retrospect, because Meta Security Group was a spin-off of a company called Meta Group, which is kind of like Gartner or Forrester, and their vision for this company was: we're going to produce all sorts of research material and make lots of money on sending out subscriptions and having all this great, amazing information. But to pay the bills, they hired a consulting group so that we could be earning revenue while they were doing all this stuff that was going to make millions of dollars and billions of dollars. So we rebranded ourselves several times, and of course at this time this seminal event in the history of the world took place, which meant for us, for about three months, our clients actually listened to us when we said bad things could happen. But that trickled off at some point. At some point we rebranded. What good came out of Meta Security Group? There's a company called InGuardians. They are one of the premier pentesting companies out there. The guy that founded it used to work with me at Meta Security Group. Several people from our team at Meta Security Group went off and started their own company, and they've been running the password cracking contest at DEF CON for many years. And another guy I worked with is actually on the board for Black Hat.

The frustrations at Meta Security Group got me to the point where I wanted to look elsewhere, and I had some friends that were working for a small startup company in Annapolis, Maryland. I'm from Maryland, by the way. And they enticed me to come work for them, and that was a company called Trustwave. Shortly after I started there, they merged and became Ambiron Trustwave, and that is when the story takes a twist and I started doing this thing called PCI. This is 2004. I've been doing PCI ever since. PCI, if you don't know it, don't listen to what people say about it. It is probably the most impactful thing that's happened in our industry over the last 20 years, which is how long it's been around. We are 8 days away from version 4 of the PCI standard becoming the law of the land for any organization that deals with credit cards, payment cards. And after 20 years, it's still based on six overall goals, which is basically: secure your stuff and secure all the things, and keep it secure, and monitor it, and do all the security things, and write everything you do down in repeatable processes and procedures so that anybody can do it and it keeps going on a continuous basis. So, there's another story in here, but I've been doing PCI for 20 years. That'll be version four of the story that nobody will want to come watch.

These are some of the clients I've had over the last 20 years. I got to work for a practice after Trustwave that was involved in a lot of the major breaches that happened in the mid to late aughts, the big one being TJX Companies. I was a QSA for six years until I went to work for Tenable. But you'll see names of companies on there that you recognize. Some have come and some have gone. Some of the big ones that were the breaches, as I said: TJX; Heartland Payment Systems, a payment processor in the industry, they were majorly popped. New York Times is a fun story.

Here's the first quishing thing. My company spent a lot of time over COVID thinking about version 4. And we put together a pretty decent resource. So, if you or your company or your clients, or if you're just interested, want to learn about PCI, you can do that thing there, and that'll take you to a guide, a page that's got a lot of blogs, a lot of research papers I've written. There's some videos of us talking about PCI. Everybody got it? Okay, you've all been quished. I know your passwords now.

This is where I need the extra five minutes. So, what does this all lead to? When I came out into the private sector in the late 90s, this is what we were saying was important about how you as an organization needed to do security. I won't read it to you. I'm just going to flash it really quickly, but there was a need to do security. It needed to be focused on information, data, the reasons why networks were insecure, and we referred to it as networks back in those days. And then what we were promoting was you had to think about security as something you do. It was a life cycle. The funny thing is, when we were talking about life cycle back then, we were talking like 12 to 18 to 24 months is how long it would take to go through this process. These days that's weeks, days, sometimes hours that you've got to be considering this. So thanks, technology, you've made this so much easier.

Don't worry that you may not get to read all of this, because I've only got three minutes now to get through it. We focused on: you've got to think about security before you get to the technology. You have to have a plan. You have to have a strategy. You have to know what you're trying to protect, what you need to protect, who wants to get at it. And the playing field's changed, as Marcel so illustriously shared with us earlier. But we focused on the policy. You've got to have a plan. It's got to be written down. And that's what makes a good policy. That's what a policy shouldn't be and isn't. But guess what? It usually is considered by most companies to this day. So we would try to present a business case. Again, don't worry that you can't read all of this, because I have a quiz for you. We would talk about why efforts fail, keys to success, and again, it was all about a life cycle. This is a 26-year-old slide deck that is still, unfortunately, 100% relevant to most organizations to this day.

But I also can say that we were wrong, and partially we were wrong. And by "we" I don't mean my company; by "we" I mean our whole industry back then. We kind of thought of protecting the network and protecting organizations in a classical military sense: that, you know, your most precious data and resources would be in the innermost bowels of your network, and of course back in those days you were plugging that network into this vast unknown thing called the internet. So how do you protect it? You put up a wall, thus the firewall. You have the perimeter and you protect it. That's been blown out of the water these days, because the innermost network, more times than not now, is up in that very cloud thing that we didn't trust a generation ago. But we were even back then saying, you know, you're not good enough if you're just protecting the perimeter. You've got to know what's going on on the inside, and you've got to know about trusted insiders, and what happens if somebody gets disgruntled, and what happens if somebody gets in behind the perimeter, then what? And our industry has sort of addressed that, but most people aren't really paying attention. They didn't then; they aren't now.

Last couple slides, and this is from my Meta Security Group days. And again, I apologize you won't have time to read it all, but just some of the classic mistakes that end users make, not to pick on them, classic mistakes that the executives make, and classic mistakes that IT makes. Now, some of the technology in all this has slightly changed, but I'll guarantee you, when you click on the quish later and get these slide decks and read through this, if you can translate to the modern technology that we're using, most of this stuff still applies.

Final thought. If we had time for Q&A, I would take questions. It's up to you. Kathy, she says any questions, comments from anyone.

We can make... hold that thought. Question there. So, are you seeing any correlation with that, how AI is starting to... We're going to repeat all the mistakes that we've been making for a generation, and AI is just the latest shiny object. Does it have the potential to do so much? Yeah, but everything has had the potential to do so much. And in the life of information security, that goes back to the DoD, and goes back hundreds of years to protection of the country, it's always been, you know, we get something shiny that's going to be devastating, and it works for a while until the adversary figures it out and then they get something shiny, you know. So there's potential for good, there's potential for evil. It's just another tool. It's just another thing. And it quite possibly might be being overhyped a little bit right now, because vendors... I mean, I was at Black Hat last year and it was amazing that, of the 500 vendors, 498 of them had apparently been working on AI for the last 5 years and their solution was AI. It was amazing how that worked. To answer the slide deck question, there's your quish. If you're not comfortable with the quish, there's the website. I am making these slides available and I'm getting your credentials. And that's it. Thank you. [Applause]