We don't have a working mic on the stage, so this is the way we're going to emcee everyone tonight. We have a new hashtag: awkward talks. So as you can tell, Jayson and I are pretty friendly, and we will be by the end of this talk. I really like Jayson. He's a really good red team pentester and author and awkward hugger, so join me in welcoming Jayson Street.

Thank you, everybody. Chris, is there any way that you could put the mic on and I give my talk like that, through you? Because that would be awesome, but probably totally awkward for everybody in the audience, so maybe not.

Hello everyone. Let's get right into it. I am not a lawyer. I've actually played one before, but no, I am not a lawyer, but I do know how to Google online. Oh look, there's going to be a countdown clock for me. So we already told you how successful that was, but yes, I am not a lawyer, but I know how to Google. So this is my legal disclaimer. I will tell you some of the really bad things I've done and the horrible ways that I've done them, and mostly all of it was legal. And you're going to ask yourselves, well, that's a horrible person, how can you do something like that? And I promise you I will never try to steal from you, kill you, or ruin you financially unless you pay me first. So when you hear me tell you about the bad things that I've done, just remember the kittens. I'm adorable. Okay? I am not the bad guy. So always keep that in the back of your mind, because there will probably be a couple of stops here where you'll be going, what a jerk. Which is probably true in most cases, but at least I'm a good jerk, so that's got to count for something.

So let's go to my talk here. Hold on, someone went through the whole trouble of making this all flashy for me, and I'm going to get that going as soon as I find out how mouses work. There we go. It's worth every penny of the $500,000 I spent to make that happen.
So that's my talk, Breaking in Bad, basically. You hear a lot of talks from social engineers about what they do and how they've done it, and I've done several of those talks. So I decided to do something a little bit different. How about if I give you a talk where, instead of just telling you what I've done, I actually show you some of the bank surveillance footage? I actually let you hear and listen to me as I'm on the engagement talking to the client, victim, slash whatever. So that's what this talk is going to be about. I call this my desserts and vegetables talk, because I start off with dessert and then I end it with the vegetables, and that will be made abundantly clear as we go down the line.

I don't waste my time on who I am; that's what Google's for. But just know that I am not just a red team pentester. I am a blue team person as well, so I'm more of a purple-teamish kind of person. And I will not break into a company and just say, here's a report of all the things I did. My thought is a little bit different. When I go on an engagement I break in, destroy everything, but then I leave the building for two minutes, I come back, and I talk to every person I compromised right then and there. I explain to them why I was bad, explain to them why the situation was wrong and what they should look out for next time, to help educate them. So I spend the last day of the engagement getting caught. I do my best to get caught, because that creates teachable moments for them, and we'll definitely go into that a little bit later.

So first of all, I hate APT. I hate the word APT, except for when we're trying to play the drinking game. The big thing for me is APT stands for: we got phished, we got stockholders to appease. It was advanced, it was persistent, it was threatening. What can we do?
Basically, when you tell me APT is a phishing email, when you tell me that it's APT and you had SQL injection on your website for three years, reported and not fixed, that is not APT. That's getting pwned. So what I say is, we've got to stop talking about APT. We've got to stop talking about the low-hanging fruit, because they're going after the low-hanging fruit. I'm not going to tell you how to attack people by low-hanging fruit. Okay, my fruit's already on the ground. Some of this fruit's taking root and creating another tree. Fix that stuff first instead of just going after the low-hanging fruit.

So what I do is I do BAD. I'm just bad: Basic Adorable Destruction. I don't try to come in with a big advanced technique and a lot of research and recon to come after you. I don't try to go in and figure out what I can compromise. No, I'm just going to eff you up the best possible way. That's just how I roll.

Well, let me use some indicators on someone being bad. Number one, recon mode, is usually only about two hours of Google and the victim's own website. I've never used a full two hours on a client site ever to make a successful compromise. I've never used a full two hours. Forty-five minutes is the longest I've ever used to create a successful compromise on a person's site. Number two, SE mode, is usually walking into the victim's location, and please note, sometimes without doing number one. Number three, pwn mode, is basically plugging a device into the victim's computer network, sometimes with their help, not because of any particular reason, but just because I think it's funny to have them help me destroy them. I'm a horrible person. Four... that's supposed to be there. Five, profit, because like I said, they pay me for this. There we go.

So these are the best approaches I've used to be bad. One is the tech repair guy, delivery guy, customer, wanderer. I call those my passive roles. That's where I'm asking you for help.
That's where I'm asking you to help me out because I'm trying to do something. The one I use most is the tech repair guy, because I used to do desktop support, so I can do that. Never go into a situation posing as a plumber unless you know how to plumb, okay? Because you never know when it's going down. So, yeah, we've had this pipe not working for weeks, I'm so glad you're here, come and start snaking. So I go in as a tech repair guy, usually.

Number two is the auditor, executive, policy enforcement. That's where you've got to wear a suit and tie, and trust me, if you make me wear a tie on an engagement, I will cause so much pain on your operation. You will definitely get your money's worth, because you made me effing wear a tie. Okay? That doesn't play. That's why I do my authoritative role. That's why I'm already pissed off, because I'm in a tie. So I do the authoritative role: I need to get into the server room, we must, you know, to finish the inspection. Is it a surprise inspection? What part of surprise inspection do you not understand? Give me the server room or you're going on the report too. I don't have time to play around with this crap. And that's the authoritative role. Remember, I'm adorable. Kittens.

Three is the crazy off-the-wall personalities. Not recommended, but totally fun, and they usually work. I've broken into a palace hotel in the south of France wearing Teenage Mutant Ninja Turtle pajama bottoms, barefoot, in a t-shirt. It's awesome. I actually finished the compromise. I go up to the guy who's running the room service, and as soon as I get there, I'm like, I'm not supposed to be here. Where am I? I shouldn't be here. I shouldn't be... how do I get out of here? And he puts me into, I kid you not, puts me into the first elevator.
That's right next to him, which is the employee elevator that puts me up to the first floor in their business corporate area behind the front desk. So as I'm walking out of that unescorted, I get to see an open office with a computer unlocked and hotel keys. It was a full-service hotel. They provided everything. It was awesome. So that's how that works. That's my off-the-wall.

Now another thing I'm going to do for the dessert part is I'm going to tell you stories: three different stories from three different countries, three different kinds of financial institutions, with all three different roles. And I chose different kinds of financial institutions in different countries so you would understand one unifying thing: you're screwed. These people know that they're supposed to protect the money. These people know that bad guys are coming after them to get the money. Let's see how that worked out for them. Okay.

So we're going to start with the first one, as the tech, the passive role. This was such an epically crazy story that I've told so many times they actually turned it into a comic strip. It's a little embellished, but still, it's pretty freaking awesome, of me going into the Bayward Bank of Lebanon and breaking into them. Basically, I was asked to go in and see what I could do. They wanted to see if I could actually make online damage from physical access. This is one example in their main office. In the top left corner the guy sees me on the person's computer, because their computer was unlocked. I walked straight in without any knowledge of anything. I sit down. Then they see me taking a picture with my iPad of the unlocked screen, showing that I just compromised the machine. And he makes the mistake of asking me what I am doing.
So in the very last picture, in the lower right-hand corner, you will see him now standing up while I'm behind his computer, working on his computer, and then taking a picture of it and leaving. So that worked out well.

But let's get into the main thing. They wanted me to show how I could do an online compromise, so I needed to do a wire transfer. What do I need? I need five things for a wire transfer. I needed a user ID. I needed a password. I needed their smart card, because they do two-factor authentication with smart cards, because they're secure. They're a bank; people try to rob them. And I need a machine that actually uses that smart card, so I need one of their Sun Oracle computers. And then I also need network access to their internal network so I could do all that. So knowing that I need those five things, I told them they need to give me access to three different branches. I was not aware of any of the branches that I was going to. They drove me to them blind. Not blindfolded or anything, because that'd be creepy in Lebanon, but they actually just drove me there. I didn't know anything about it, and I walked in.

And let's see what I did, because as you can tell, this is their bank surveillance footage. From the moment of walking into the bank in the upper left-hand corner to being behind the teller line, getting ready to install my malware: two minutes and 22 seconds. From walking in for the first time to having full authorization in the bank, two minutes and 22 seconds. I walked in straight down the hallway like I knew exactly where I was going, which I didn't. That's never stopped me before. Sometimes it leads to dead ends, which is always, you know, uncomfortable, but usually, like this one, it led me to the manager's office. The manager had someone in his office, which is even better. So I just stand out there right outside his office. I stand out there for about 30 seconds. I've got 30 seconds of history now.
I walk to the very next executive's office. The executive saw me go into the manager's office and talk to the manager, right? Because why would a person just stand outside someone's door without talking to him? That's creepy. And so I go into the executive's office. I say, hey, I'm with help desk from headquarters. We're trying to look at the machines. We're going to work on the GPO policies, make sure the USB rights are properly installed, because of the fact that they're having a TCP reset stack problem with the flux capacitors not working. So let me plug this USB drive in, don't worry about the Rubber Ducky on it, and test your security. So I plug it in, the command prompt comes up. Oh, that's strange. Let me take my camera out and take a picture of that. There we go, documented. And I went out. I'm now golden, because now everybody else in the bank has seen me go to the manager's office, and they've seen me work with the lady executive in her office.

I go to the next place, the next one down the hall right by the teller office. I'm with desktop support from headquarters. We're going through machines, we need to look at some stuff. I need to go look at the terminal machines. I need to do the assessment stuff, because the TCP reset problems are really causing a problem for the GPO policies. We need to make sure the USB is not interfering with the magnetic storms, so we've got to do that. So she goes and she lets me behind the teller line. And I want you to understand something. This was a high-value target, not just because of the fact that I was trying to commit, you know, an online criminal act. It's also because that wonderful gentleman right there who's depositing money was depositing two hundred and fifty thousand dollars in cash at the time I was doing this.
So if I got lazy and just wanted to take the money, I could have done that. But you know, I never do anything the easy way, right? Look at my life. So I decided to go in and actually start doing the rest of my compromise. So I started plugging in the devices and started going after the data. And one of the things I did, please know I had plenty of time to do it. I was there for twenty-something minutes without getting stopped. The only area I was not allowed to get into, I kid you not, was the bank vault, and I tried. So, I need to go check the bank vault, make sure there's no network jacks and stuff, because we don't want somebody coming out to the bank with a computer, going in and compromising your money. And he's like, well, we don't have any connections in there. Really? Are you sure? Maybe I should go look. No, no, no, it's okay. Yeah, but I really want to go look. Come on, let me look. And he's like, no. He wouldn't let me do it. So, darn.

And then what I do is I'm actually spinning around in the chair at that point, because I'm getting bored at this point. Please also note one important thing during this whole compromise: I'm wearing khaki pants, a shirt, a DEF CON leather jacket and red ThunderCats tennis shoes the whole entire time. Seems legit, right? So yeah, I did that. See that guy in the snappy sweater vest? I love him. He was awesome. He wanted to help me get the issues. He wanted to help me fix the problems. So he gave me his user ID. He gave me his password. But I need a smart card, so, you know, he helped me with that too. That was nice. So now I have three of the five things that I needed. So I'm sitting on a computer on their network.

The problem with this one was actually the manager. This is one of the things that made me the saddest, because the manager comes out and he asks what I'm doing. He thinks everybody else verified me.
Everybody thinks that he verified me. I told him what I'm doing with help desk, and he immediately goes and says, oh, we've got a problem with one of the computers, can you come and look? Luckily I'm not a plumber. So yes, I go in and I start helping him with the computer. I start looking around and I'm like, you know what? We'll get you a new computer. This is really bad. I will just go get you a new one from the office. His eyes lit up like Christmas. And he was like, we've got a problem with the scanner, can you come over and get the scanner? You know what? We'll get you a new scanner. This one obviously needs to be repaired. We'll take this one and take it back. I'll come back in about 30 minutes or something like that and take it from you. And they're like, oh, we've got a problem with the monitors. And finally, you know what? Guess what? I wasn't supposed to say anything, okay, but headquarters is actually doing a whole refurb of all the branch offices with new equipment, because we're upgrading our own infrastructure, and you are so freaking cool. I like you. You know what we're going to do? I'm putting you at the top of the list. You will have all brand new equipment within the next two weeks. It'll be all good. He was so happy.

I felt so horrible, because, once again, I said I do security awareness engagements. I pwned them so hard I actually had to wait till the branch closed so we could get all the employees together to tell them how bad this was, with an executive from the company translating into Arabic. I speak no French or Arabic. Just this accent, not usually this hoarse. So he had to translate to make sure they understood fully exactly how horribly they were pwned. So as I'm talking and the guy's translating, the bank manager holds his hand up, and I go, yes? He's like, the computers... are we still getting the computers? And I felt so horrible. I was like, no. I'm a bad person.
I was lying to you. I felt like I was kicking a puppy. It was bad. So I don't really think about that. And amazingly, that's not the worst thing I've done.

So, yeah, I've got my things. I've got the three things I needed from that bank branch, right? So they drive me to another branch, which is awesome, except for when you can't read the signs. It was a glass building and the sign said something in French and Arabic. I had no idea what it said. I thought it'd be like the next door, so I go down the sidewalk to the next door and there's the bank branch, and I see people and tellers, and I'm about to start the compromise, and my driver starts honking his horn frantically. Okay, well, this is Lebanon traffic. There's a lot of horn-honking communication, so I couldn't tell what was up or not. But guess what, he was trying to signal me. So luckily I heeded that little thing in my head and I went over to talk to him. So I get up to him and he's frantic. He's like, no! What do you mean? That's not our bank. What do you mean? The other one had a door that said wait to be buzzed in. I'm like, oh, my bad. So I went back over to the proper branch and I waited to get buzzed in.

And then after I did that, I walked in, straight in like I knew where I was going. It led to a break room. And so that was a good thing, because I went and got a cup of water. Pwning people is thirsty work. So I had a bit of water and then I walked in behind the teller line without saying a word. I talked to no one. I did not say hello. I did not say where I was from. I just calmly walked in behind the teller line while this guy is doing his business, going about work, totally legit, because, you know, I'm adorable. And I actually walked out with their computer. So now I have a user ID. I have a password. I have a smart card. I have a computer. So we go to the next branch, and what do I say?
Hey, I need to go check the network closet and make sure it's working and stuff, because the voice capacitors aren't working with the Morgan crystals and stuff. We've got to get the dilithium going, right? I babble a lot. So that happened. My compromise can come from a physical source. I don't have to bypass your firewall if I can bypass your receptionist. I say that all the time. So that's how that happened. So that was me doing a passive engagement.

Let's see how we do something where I've got to be more authoritative. This was a state treasury in the United States. You would think they would be good about wanting to keep things secure, since, you know, there's a little bit of money in some states. This wasn't Florida, I'll tell you that. Sorry. So what we went through there is we successfully compromised... there's a guy from Florida really pissed in there now. Sorry. So what we did was we go in there, and they were already compromised really bad internally. But one of the things that the unionized IT support people were saying was, well, you'd have to actually break into our building to get into that internal network access. It wasn't just coming from the outside. That wasn't a cool test. So the security company actually said, hey Jayson, you want to come in and break into a state treasury? My response: oh, yeah.

So I go out there and I start looking at their headquarters, and by golly, not even joking, not even being facetious, because I usually am, they had great security there. There was bulletproof glass. It was tinted. There was a receptionist, and there was a security guard.
They were not playing around. I did find a compromise to get into their headquarters: if you went down to the basement, there was a cafeteria, and right next to the cafeteria there was a storage area, and in that storage area there was a dumbwaiter that was not sealed off. It actually went into a first floor room that was also not sealed off. It was a refurbished building. But I did look in the dumbwaiter and there were spiders. So therefore I cannot, you know, proceed. So therefore that place was now impeccable, because, you know, no flamethrower was allowed in scope.

And that brings up something: scope. Scope is a tricky thing, right? Because we all can agree that an attacker's scope is this. I mean, not even like this. It's this, right? If I could go like that, I would. That's the attacker's scope. And the client hires you as a pentester and they say, hey, we want you to attack us like an attacker does. And you're like, yeah, I can do that, I happen to be an attacker. And it's like, okay, that's great, go for it. But we only work, you know, Monday through Friday. So attack us like an attacker would. And I went, sure, okay. But oh wait, we can't do it after 9 p.m. because that's out of our service window. And I'm like, okay. And we're like, but not the production servers, because we haven't patched them in a while. So here's this dead server, can you go attack us just like an attacker would? And that's their scope. That's totally realistic, because that is exactly the way an attacker is going to attack you, within the scope.

Well, the state treasury gave me a little bit, shall we say,
smaller scope. Because I found out that they have an office building, a suite in an office building fifty-something miles away from them, so it had a direct communication link into their headquarters. Why do I have to physically be inside the headquarters if I can compromise that suite and actually be logically inside their headquarters? So of course an attacker, liking it the easy way, that's what I'm going after. So they said, sure Jayson, you attack us just like an attacker would. We've got some caveats. Can you come in after 5:30 in the evening, just to make sure? And also, by the way, talk to no one coming into or out of the building, because we don't know if they're state employees or not, so you can't contact them. That would be not fair. Also, only stay in the public areas if you do get in, because, you know, we're only leasing this room. Also, you can talk to the cleaners, but they're not directly our employees, so you can't lie to them. You can only tell them the truth. But hey Jayson, attack us like an attacker would.

Well, let's see how that worked out for them. First off, I got onto the scene. This is the dreaded Jayson nose cam. Now going up to the front, the side door. I try the door. Doesn't work. Effing crowbars weren't on the list of scope, so I'm out of, like, my usual basic option. It's either cardboard or crowbars with me; I can get a door open either way. Here's the longest part of the compromise, which I love the best, because this is my first... that episode break. If you'll notice, it's a little shaky. This was off a camera in my watch, called my geek bling-bling. It looks like a big fancy Rolex thing, but it had a high-def infrared camera on it and a 16 gig USB drive. So I wear those on engagements. So I go up to the door. It's locked. No weapon, no cardboard.
I pull out my hacking device, my cell phone, and I start playing Angry Birds. It only took 10 seconds, because while I'm looking at my phone, I just walked in. Notice at no time did I talk to anybody going in or out of the building. I compromised, in another country, I compromised at least, I think, 12 floors of a high-rise building that had security doors at every entrance to the elevator lobby, and every single time I was looking down at the cell phone as the person came in or the person came out, and I just followed in and went in. And that one was even more difficult, okay, because that wasn't my phone. It didn't have any freaking games on it. Okay? So I just elevated a screen like I was doing something that wasn't cool.

So now I'm inside. Now this is the problem here. I'm now inside the building for two hours, inside the public area. I had to wait two hours. That doesn't sound like a big deal. You underestimate my ADD, okay? There's only so many tweets you can post and Facebooks you can like, okay, and Angry Birds you can fling and stuff, you know, in two hours. So my battery was literally at 2% by the time this engagement was done. Okay, so I'm waiting and waiting, and just finally I hear the vacuum cleaner. It's upstairs, but that's close enough. Like I said, two hours, left with two percent on the battery. So I go up to the second floor and I just saw that. There we go. And here's the dreaded nose cam again. I can only tell the truth. I cannot lie to this person.

Hello. I'm trying to get back in. I'm trying to get back in. I was there the day before. That is truth. Do you let me in real quick? Yeah. Downstairs. Could you let me in? I can't get in. No crowbar. I just went to the bathroom. I didn't have my badge. I drink a lot of water. Don't judge me, okay? But one thing in truth: I don't have my badge. I have an actual ID badge, a completely different one, and I didn't have it with me. I didn't say it was their badge. Could you try?
Thanks, I just gotta do one thing real quick. One thing: destroy their network. Too late. Was working late. I was on the call... and I think that laugh is endearing. Don't judge me. Trying to jump ahead to save time, just a second. Yeah. So she goes to get the key, and we try to jump ahead here, and there I am, okay, and there I was, inside. I jumped a little ahead, but I want to try to go through, because I can't see it very well, but she came in with the key. The key thing about that was I was on the phone when she was walking up, and as soon as she walked up, I said, oh, no, no, don't worry about it, she's got the key, she'll let me in, don't worry about that. What does that do? That gives them information that what they're doing is okay, because someone else was going to do it anyway, and they're saving them the trouble. So even if you're not on the phone, you can act like you're on the phone. But if it rings, you're screwed. You can act like you're on the phone and say, oh, don't worry, this person's going to help me out, it's okay, and then just hang up.

So the next one we're going to talk about is... well, I mean, like I said, the things I've done: I've gone in and I've worn a shirt that said I'm a liability on it. Why? I stole a car in Texas. I've walked into several hotels barefoot in pajama bottoms and t-shirts, because that's funny. But one of the most ridiculous and unbelievable, I can't believe this worked, engagements was this financial institution in Kingston, Jamaica, and I refer to this one as Jayson and the terrible, horrible, no good, very bad social engineering engagement. This has got to be by far one of the worst, most horrible things I've ever done on an engagement, and this is coming from a guy who's used wheelchairs to get into places you need to get into, okay? I mean, this was bad.
I felt really bad about this one. So what happened was I'd already successfully compromised this financial institution. You know, the third day I'm supposed to get caught, but what they wanted instead is something else. They wanted to challenge me: try to get down to the headquarters downtown. Kingston, Jamaica is not like Denver Falls. They take security a little more seriously there. So I go and I try to do my research. For an hour and 45 minutes I do research, and then I find it. They have a charity organization that has the same email address as them, so that means they're on the same network, so that means they're in scope. Scope can be a tricky mother for people, right? So I go and say, awesome. So I have my friend, a colleague that lives in Jamaica. He calls up as my assistant, gets a hold of the manager, and puts me on the phone with her. Yeah, how's it going? I'm from a production company in LA. We were talking to... I started last night, and he said that what you were doing was just amazing, because I'm doing this TV show on how corporations are doing great works in the community to help better the communities they're involved in. Oh my gosh, the work you do is awesome. You've got to be on television. I've got to get your story out. I've got a flight out at 6 a.m., but is there any way that I can meet you before then? 2:30? Okay, let me check. Let me check. Cancel my three. No, no, this is more important. Cancel my three. I can make it in there. I'll be there. I'll see you there. Thanks. You take care. Bye-bye. You know, and I'm there.

So I show up at 2:15 at the actual corporation's headquarters. The charity organization is across the street. First thing I do is walk in.
It's a man trap. The lobby of the building, the very first lobby before you get into the actual common area of the building, is actually the hugest, most comfortable man trap I've ever seen. There's a receptionist there. You've got that door, got to be buzzed in from the street to get into there, and then there's another door with the security guards, who got paid extra to look mean and stuff, standing by that door. And so I go in, I sign in, and it's like, oh, that's across the street. Oh, really? That's strange. Can I go to the restroom real quick? Because I need to freshen up. It's amazing how many times I have to go to the restroom. It's not because of all the Diet Pepsis; it's because I get lost so many times. I mean, there was one time I was at a research facility, I got lost for over two hours trying to find the bathroom. I never found that sucker. I mean, I found their employee entrance and how to get into their top secret stuff, but I never found the restroom. That stuff eludes me sometimes.

So the security guard was nice enough to open the door and walk with me to the bathroom. I really thought he was going into the stall with me. It was a little awkward, okay, even for me. So I go in there and I get in the restroom. Now realize one important fact: well, crap, I don't actually have to go this time. So now I've got to wait an appropriate amount of time. Then I've got to wash my hands, just to make sure, in case anybody's listening, that they know that I am hygienic. And then I go out. I start to walk out to go the other direction. As I walk out the door, oh, there he is, looking right at me. So I go, yes, I was walking right there all the time.

So I go there and I wait, and I finally go over to the charity organization. I talk to the lady. I ask her, are there any executives from the company that work here? Oh, the CEO, who's also on the board of directors, is there. Can I go talk to him?
So she lets me talk to him. We go up there to his office, and I start talking about what a wonderful TV show... a couple of the videos we've already shown that we've already made for different episodes and stuff, you know, how they're going to love it, how it's going to really get their message out that they're doing such great work. And this lady is not joking. She is literally the Mother Teresa of Jamaica. She gave me her book. I'm a horrible person. So I go in there, talking, about five, ten minutes of talking to him. I go say, you know what, I could keep babbling all day about how this show is going to be awesome and how it's going to show you in a positive light, but I actually have videos of this on my USB drive. Don't mind the Rubber Ducky. Let me plug this in real quick and show you.

So I plug the device into his computer, and one of the funniest things occurred. I got these weird error messages. I've never gotten this before. I honestly believe that my malware was fighting with the malware that was already on his computer, because this guy was totally... it was like a malware battle, man. It was amazing. Okay, errors popping up here. But we didn't know what to do. So I'm like, well, this is odd. This has never happened. Usually I'm the first attacker that does this. But no. So, what can we do? He wants to get his help desk support person in. Well, his help desk support person is, one, got domain admin controls, that's awesome, but two, a third-party contractor for all these other companies. So, out of scope. So I'm like, no, it's fine, you don't have to. I will email you that video. Let me email you the... 90% of social engineering for me is thinking quick on your feet. I mean, let me... no, no, he hands it to the help desk guy. That's a very important fact. Okay? He handed it to the help desk guy.
It wasn't me, not my fault. Okay, so he ended up... and so I go, thinking quick, I go, "Hey, you know what, there are other movies that have NDAs on there and stuff that I can't share, so I've got to go with him to make sure that he's only looking at the video I need you to see." There's no videos. I need to make sure I know which computer was also compromised so I can put it in the report. So I follow the guy to his desk, and lo and behold, he's running Ubuntu. Great. I coded my program, except my malware on the drive is, you know, for Windows. That's when I learned that Ubuntu was awesome. It ran perfectly. Pop, pop, pop, command. It's awesome. He didn't know what was going on. I quickly had the mouse, I closed that other window. "I don't know what's going on either. That's strange. But we can go now, because I guess it's not working."

So I go back up there, and this is the horrible part. You haven't heard horrible yet, okay. I spent 15 minutes with truly amazing, wonderful people that are kind-hearted, that are selfless, that are out there trying to help others in need, and I had to talk to them 15 minutes about how they're going to be on TV. Halfway through, I started believing it. I was going like this. I kid you not, I caught myself doing this.
"Okay, what we're gonna do is grab a lady. She's gonna be working at her desk in a cube, like a call center. She'll be working in her cube, working on her computer, and we're gonna pan back, and what we do is we're gonna pan across the call center seeing all the computers, and then right here we're gonna do a transition as we go from one scene to the next. We're gonna do the transition blur, and now we're on the street in Jamaica, and there's a hungry child, and there's that same woman that was right there at the computer, that same woman feeding her. So it shows how the work that you're doing in this company actually directly impacts the lives of some of the people." I mean, this would actually be a pretty good show. Y'all should contact me if you want a good production company. So I was like really getting into it, and then she gave me her book.

So I get outside the building, and like I said, I wait two minutes before I go in; I want to tell people they've been compromised. So I get out of the building and I wait two minutes. And then I wait three minutes. Then I wait four minutes. The guy who's driving me around from compromise to compromise, he pulls up, and he's like, "Um, aren't you supposed to go in?" And I looked at him like... And for the first time ever, I actually had to call the client in the car. "Yeah, you can't make me tell them. I'm not telling them. Sorry, that's your job. You're done. I'm sorry, I'm not doing it. I can't do it." And that's the first time I was not able to tell a client that I compromised them, because it really made me sad. I usually reward myself after a good talk or a good compromise with ice cream. I did have ice cream there, for the record. It was a little bitter.
Okay, so I did talk about that. The summary is this: did technology fail them? Did training fail them? Human nature failed them. Because we like to believe the unbelievable, like this guy could get all this money on PayPal for a fundraising, right? We like to believe the convenient lie instead of the inconvenient truth. No relation, because, you know, Al Gore already invented that, like the internet. So the inconvenient truth is I'm there to do something bad. But if I can give you a convenient lie, make it sound okay, you want to believe that. I want to believe that I am never going to get in a plane crash, right, because that's the lie I like to tell myself, even though I fly all the time, because no one wakes up going, "Yeah, I'm going to work today. I'll probably get shot." You know, "I'm going to the bank, they're gonna kill me. But hey, whatever, it's Tuesday." No one wants to think those things because, what's that, they suck. Right? So let's not think those thoughts.

So if I can come to you and say, "I need your help to do something. I need you to help me do that, and that's a good thing," then you want to believe that. Otherwise there's a really horrible bad man taking advantage of me and getting me in trouble and stealing from me and jeopardizing my job. What a crappy guy that is. So let's watch out for that.

So how do we fix it? Uh-oh, vegetable time. I'm going to be a little bit long. Sorry, Chris. You can already get ready for the sprint and jump on me. We need to educate, empower, and enforce. That's what I call the three E's. I'm not gonna go that long.
We don't have to all leave yet, but that's what you have to do. You have to educate, empower, and enforce. The first thing is education, and what I talk about with education is not those little webinars that you give your people on the internet to go and click and do multiple choice, and they go, "Oh yeah, we passed security awareness training." No. You have to do better, because we need to train them that, yeah, these may be dangerous (except for that lower picture, because we're all adorable in there). Those may be dangerous, but those aren't usually the main threats. These guys are the main threat. This is where you're going, especially there, and he's especially sketchy in that picture. You know, I love Darren, but yeah, he looks a little sketchy. Those are what's going to get you. That's what's going to compromise you, and instead of walking away with a couple of thousand with the gun and the ski mask, you walk away with a couple of million with a USB drive, because let's face it, USB drives are awesome. We're awesome. And I don't care about Mr. Robot's method of pulling up and throwing them in the parking garage and parking lot and stuff. Who wants to do that? That was sloppy. I come on an engagement with a stack full of blank envelopes and a marker. I go by someone's desk. There's their name right there on their little name plate, so you know it's their desk. And I've got the marker, I write their name down on it, I make sure I spell it correctly, put a USB drive in the envelope, I seal the envelope, and I put that on their desk. Name one person who is not plugging that in. Period. Okay, that's how you do that. I mean, let's face it, USB drives aren't that expensive. They're giving them out at conferences all the time. And I'm sorry, this slide is a little old, because I say they don't have malware on them yet. No, they do. Sorry, my bad. I should fix that. Okay. So that's how easy USB drives are. So what do we need to do?
We need to teach employees the common dangers they face not only at work but at home as well, and make them security conscious by default, not by policy. I'm only going to cover one of these topics, but that's one of the important ones right there. So if there's any CIOs or C-level people in this room, I'm going to come with some startling truth. It's going to be shocking to some. Okay, I'm glad you're seated. If anybody's C-level, please sit down right there in the back.

Employees are never going to care about your data. I'm serious. They are never going to care about your data. They are getting compromised at home by not encrypting their Wi-Fi access points. They're getting scammed on Craigslist and phishing emails on eBay. They don't know where their children are in the community or who their children are communicating with on Facebook or Twitter, and they don't even have a clue what Snapchat, Instagram, or Kik is. So if they're getting compromised regularly at home because they're not properly trained to be security conscious at home, what makes you think they give a flip about the stuff that's happening at work?

So my thing is: stop teaching your employees how to protect your data. Stop it. Teach your employees how to securely configure the wireless access points at home. Have a training session for your employees on how to do the Facebook privacy settings. Teach your employees how to check to see what social media is out there and what their kids are doing, and the dangers of online social media and oversharing. Show your employees how to do proper phishing protection and awareness so they don't get phished at home. And guess what's going to happen? They're still not going to care about your data, but they're going to be security conscious, because that's the way they are. So when they see something suspicious at work, when they see a phishing email at work, they're going to go, "Well, I'm not going to fall for this at home."
"This is definitely sketchy. I wouldn't do this at home. I should contact somebody." That's how you properly secure and train your employees.

The next thing we need to get to in the education part is teaching a teachable moment. I'll let y'all wonder what that was about. I like to create teachable moments, not just for employees, but for you. We all like teachable moments, right? How do you make an impact on an employee? You do this. These are all from conferences I've been at, where, right at the beginning of my talk, I threw up a Wi-Fi Pineapple, DNS spoofed so no internet traffic went through it. No one was compromised. I don't do that crap. No one was compromised, and they just went to a page that said, "Oops, not the Wi-Fi access point you were looking for. My bad," with my face on it, so it educates them. But you're thinking, "Well, Jason, try Wi-Fi Pineapples here at DEF CON," and you're right. But that's again, you're thinking that technology is your threat. Technology is not always your threat. I don't wear glasses. How many conversations have I had with you guys throughout the day as I wore these glasses all day? 8 gig USB drive with a high-def video camera and audio inside them. They are 20 dollars on eBay. That is what we call a teachable moment for you guys. It's that impact that shows a person directly how it affects them, how it impacts them. That's what you have to do with your employees. And I'm so glad I can stop wearing these glasses. They were really annoying me, gosh.

All right, so what else do we need to do? We need to empower our people. We need to empower them, not just to say, "Oh, you know, you feel good, you're strong, and doggone it, somebody likes you."
No, not like that. We need to show them that if they see something, they need to say something. We've got to make sure that they understand how to do that. One of the biggest problems is we need to give our employees a way to be effective and then let them know about it. In other words, when we go in and we tell them, "If you see someone that's strange, if you see a suspicious email," do they have a simple extension number they can call or an email address they can send something to, to tell them something bad is happening? How many thousands or millions of dollars does that cost versus a blinky box? It's an extension. It's manning that phone. That's getting that response. Let them know that that's there and see how quickly they start responding to it and working it.

Another thing we need to do is enforcement. We need to enforce this within our employees. We need to make sure that they understand what they're doing. What I think one of the best ways to do that is visibility. Number three, we need to show them that information security teams, that you actually exist. I play a lot of first-person shooters, okay. I'm going to tell you one of my main flaws, okay. I'm playing some COD Modern Warfare and I'm playing team match and they hate me. They hate me. You know why? Because I'm a run-and-gunner, man. I'm playing the game. Pew pew pew, America, pew pew pew. And I get shot. I die. I respawn. Pew pew, America, pew pew. I get like five kills at least to my 20, 40 deaths. My team never wins very often. I don't know why. It's like, they suck. Okay. So I do that. Attach electrodes to my body, so that every time I get shot in the game I get a thousand-volt jump. How's my gameplay going to change? Pew. Pew pew, America, pew pew. It's going to change a little bit, right?
Because now there's a real-world impact on something that goes on online. Make yourself known to your users. Do a password sweep. Not online, but on people's desks. Have your security team pick a floor and go through every person's desk and look under the keyboard and on the monitor for passwords written down. First of all, you're going to find it. Two, it's going to let people know that there's actually someone looking for that kind of stuff. How much did that cost you? How valuable is that? So that's one of the things you can do.

Now the main thing is, and this is my summary: I hated this show. I did. It's very popular and I started watching it because other people were telling me how awesome it was. I hated this guy. He was a bad guy. Glad he died, spoiler alert. Sorry. He was a horrible person. Why do we glamorize the bad guys and watch their success while we're the good guys failing? Stop making him happy. Stop making those guys have the good day. Our job is to screw their days over. They need to just, you know, GTFO and die in a fire. So there you go.

So with that being said, amazingly, because I rushed it because Chris is the emcee, I'm done with this part at a whole 43 minutes. I could have rambled at least another hour. I will be available for questions if you want to talk to me, or awkward hugs. You can contact me outside, or y'all can scatter to the winds right now. It's all good.