I don't think this guy needs much introduction, but in case you don't know Dave Kennedy, he's president and CEO of TrustedSec, also Binary Defense Systems, which is pretty awesome. Creator of DerbyCon, which is also an awesome con; if you haven't been, you should. Well, I would say co-creator, sorry. You should try to go, but they're all sold out for like the next five years, so you can't get in. So, what else can we say about Dave? He loves Hornsby. He loves pranking me. Yeah. He loves, he loves clowns. He loves clowns. I mean, if anyone's got clown stuff here, you should definitely have it out during this talk. He loves clowns. Oh, we have clown stuff, perfect, because Dave loves clowns, so we have a lot of clowns here. But Dave is talking, I got the title right here, The Wizard of Oz: Painting a Reality Through Deception. Everyone welcome Dave Kennedy.

Thank you everybody, appreciate you coming. And the whole clown thing was interesting, because I've been in the industry for quite a while, and no one knew my secret about having issues with clowns, and you know, the whole story is when I was a kid, my mom decorated my entire room with clowns, like clown sheets and clown wallpaper and clown everything, and I saw the movie It by accident. And that totally jacked me up, but what's funny is no one knew in the industry, and my dad is a sysadmin for a school district and presented at DerbyCon, and of course he told the entire audience, and the rest of the world basically, that I was terrified of clowns. And so literally if you go to my Facebook profile, there's literally like random horrible clown pictures, like every day people texting me horrible clown pictures. In fact, one of my good friends, Khalil, I don't know if he's in here or not, but Khalil actually ordered five clowns to follow me around in Vegas for a few days. But the good news is, oh jeez, seriously, what the heck is it, where did you get those from? I got shirts. All those shirts?
I thought it was like a sticker. Oh, okay. Now I'm all nervous, oh my gosh, thank you so much. That's amazing. So I guess I'm going for president, and I'm going to be a clown running mate here, so all right. Thank you. Yeah. But anyways, before the whole clown thing happened, I got wind of it because it was supposed to happen the next day, so I ordered 16 tarantulas from an overnight tarantula place, because the person I was going through was terrified of spiders, and I was just going to put them in his hotel room and see what happened, and he got wind that I did that, so then we canceled it and we were like, okay, we're never going to prank each other again, and made a truce, because otherwise we'll continue to try to one-up each other and it'll just keep going. But anyways, I'm Dave. Celebrated our first win for the Cavaliers; any Warriors fans here? Boo. I'm just kidding. But what's neat about what I want to talk about today is, you know, the topic that I'm talking about is more so understanding who you're going after, how you build things in a way that is believable. And what's interesting is all of the information that we typically use to go after individuals is readily available online, and building our attack vectors just takes a little bit of time and a little bit of care and feeding to actually go and get into an organization and compromise them. What's really neat is most recently, SET was on the Mr. Robot TV show, so that was really cool, yeah? Marc Rogers, thank you for that. It's neat when you're sitting there watching and like, oh, that's my tool, that's really cool. And it's like hacking into stuff and, you know, neat, awesome. What's interesting about this topic too is, you know, if you look at kind of the shift around what we've been talking about in security, and I remember when Chris and I were hanging out in an IRC chat room, like, how many years ago, Chris? Ten years ago, 12 years ago?
You know, we're like, hey, the social engineering thing's going to be a really big thing, and you know, we're going to see it, you know, kind of take over as far as statistics and what we see as far as breaches and things like that. And that's where social-engineer.org was formed and all that good stuff. You know, the mindset has kind of changed, and, you know, you look at the red team, and the red team's always like, oh, hey, you have to be 100% or we're always 100% effective, and the blue team only needs to miss things once. And we're starting to see the shift of that, where the blue team, you know, when an actual breach occurs, the blue team only needs one way of detecting an attacker to actually identify a breach as it happens. So it's starting to shift a little bit, but what's interesting about this one is with social engineering, it's very difficult in a lot of cases to understand the initial intrusion or the compromise. And that's the scary part about what we do, and I'll talk a little bit about the effectiveness of that. Based on our own company data, if you look at a lot of the breaches that we've done investigations on, over 82% were endpoint compromises, 14% perimeter. So if you look at most of the highest risk factors that you have out there, it's going to be your endpoints themselves. You know, clicking on a link or opening a browser. The phone stuff doesn't happen as much, at least we don't see it from our data, but most of it's, you know, targeted spear phishing attacks, going after individual organizations. And so that's kind of how we see most of the breaches happen today. So it's interesting to see, like, you know, 12 years ago when social engineering was kind of a topic, but not something that was very popular yet in infosec, to where we see it now as one of the most prominent and most reliable methods for exploitation.
And it's cool because, I mean, it's a good testament to the security industry, because it looks like we've gotten a lot better on the perimeter. If you actually look at the data, it just means that it's much easier to hack the users than it is to go after and understand, you know, SQL injection and everything else out there. So high return, low investment for social engineering. You don't have to be awesome at what you do. You could just, you know, craft a somewhat believable scenario and hopefully they click a link. So I'm going to walk you through how social engineering attacks work in general and a little bit about how I go after and break things down, which is what I find as being most effective for what I do. First and foremost, everything that we do is completely magic. There's nothing to do with anything else other than that. But we are creating a fantasy in some way. We have to create something that allows the user to believe that what they're doing is legitimate and it's an action that is authorized, or that they believe that they are going to be rewarded in some way, or something that is in the normal confines of business operations of who you're going after. And what's interesting is if you look at individual people, individual people are much harder to hack than an entire company, because an entire company has, you know, hundreds, thousands, tens of thousands, a hundred thousand employees. So you can just, you know, create multiple pretexts until you get a successful one, you know, you finally, you know, get access to somebody, now you have access. You have an unlimited source to go after organizations. And what's interesting is that a lot of the shift has gone from the education awareness piece to more technology and more restrictive technology for stopping those types of breaches. You have, you know, tools that do virtualization and sandboxing.
You have, you know, all these endpoint software visibility things, and none of those really stop us when it comes to what we do as attackers. And so there's a gap right now around what we have for these types of techniques. So the first thing you need when you go after an organization is creativity. Doing your homework and identifying your target, building a threat model about how you're gonna go after an organization, attack, and then from there persistence and exfiltration of data. Now my favorite is looking at an organization of whom I'm gonna target. You know, the easiest route to typically go is the IT folks, right? Because they have elevated access into infrastructure, but a lot of times they're much more savvy on what's actually happening. So if you're gonna go after IT folks, you have to build something that's very believable in some way, shape, or form, that they would be incentivized to do, or it could be something else. And I'll actually show you an example that I did on CNN last year here at DEF CON where it was a super easy hack where we broke into a company in less than 10 minutes and had full access to their infrastructure and their IT person, which was a help desk admin. But, you know, in those types of situations, you know, depending on who you wanna go after really depends on how you're gonna build your pretext. One of the most rewarding ones that we find, like this one works all the time for us, is if we do a survey. Now, surveys themselves are nothing, but you give them a $10 reward for once they complete the survey and you will get a very high success rate. $10 is about the break-even point where people think it's real. You start going like $3,000, people are like, yeah, okay, that's not gonna happen. Or like, hey, you have a chance of winning a million dollars, it's not gonna happen, right? But, you know, you get a $10 gift card at a gas station or Target or wherever for completing a specific thing.
And what's great is if you're actually attacking a company that is a retail chain of some sort and you say I'm gonna give you a gift card for that entire store, they'll do it. They believe it's part of the entire organization. So, you know, health and benefits surveys, you know, employee satisfaction surveys. All of those work very well. Health benefits are also a great target as well whenever you can target specific individuals with health benefits. All of these are common key things that you can build; if you can reward somebody and actively go and do it, they will click on something, they will open a link, they will do whatever they need to in order to get that $10 reward. So, usually, if you look at kind of the life cycle of an attack and how we typically go after an organization, you know, through and throughout, we typically start off with defining what our targets are gonna be and who we're going after. And that's important because a lot of times when you go after an organization, especially if they're large ones, they could have subsidiaries in place, folks that don't necessarily equate to the corporate policy of corporate. What I'll find in most companies is that their corporate infrastructure is somewhat locked down; they follow policies and things like that. But if they're, let's just say, a retail chain that has store locations, they're usually not as compliant as corporate. If they're international, different regions have more security than others. So, if you look at those different regions or different subsidiaries that they have or different branches that aren't necessarily there, banks are a good example, branch locations. Branch locations usually have good physical security, but when it comes to actual electronic information security, they don't necessarily follow the same standard as the corporate infrastructure, especially in large organizations.
So, looking at who you're gonna target and the best method for getting into an infrastructure is super important, because that allows you to start to develop what types of techniques and attacks you're gonna use. Once you find that, the recon and intelligence gathering. My favorite thing to do is go and browse LinkedIn. LinkedIn, we all love talking about ourselves. We are egocentric people. We know we wanna put our experience down because if I ever leave this job, I wanna get another job. So, I know exactly when you did your oxide implementation, how mature your Symantec endpoint product is, you know, all this other stuff that you have for defenses, so that I know, before I even touch your systems, what you're actually leveraging from a defensive perspective. What's great is also looking at recently connected people within LinkedIn and recommendations that you have. You have someone from FireEye; FireEye would be like, hey, this company is great, it's awesome working with them, all this other stuff, and they give you recommendations. Sales guys are great, because now I know you have FireEye and I know when you purchased it, when you had it implemented, and ultimately what I have to do to get around it. And so you can find all that information online, start to build what defenses you have or what defenses they have in order to start getting a lot of their information and targeting. And then from there, you build or buy a tool or use an open source tool. This is interesting because we've seen a lot of shifts towards the exploit kit market. What was interesting about the whole ransomware and the exploit kit movement is, you know, the retail chains were getting breached left and right. So you saw Target and Home Depot and Jimmy John's and all those other ones. And so the whole retail space started freaking out and employing real-time encryption when you actually swipe your things. So a more hardware device encryption that happens when you're swiping it.
EMV has literally done nothing, I don't think, aside from like being able to stop in-person fraud, but even that, we're still just doing chip and sign, which is absolutely ridiculous. But you look at that, and so the retailers got a little bit better, a little bit better, not a lot, a little bit better, and it became much harder to get access to bulk credit cards. And so you had that whole market that was developing, like BlackPOS and all these other tools. And they started focusing on other things like exploit kits and ransomware to be able to get money and do those things and license those out. And what's awesome is you can go online and buy an exploit kit for anywhere between 300 bucks to a grand, or a couple others, that have everything already packaged for you. So if I'm not a good hacker, I know what I need to do to go and buy a tool that will have an exploit in it that a specific company is vulnerable to. And what's great is most exploits, especially when it comes to Java or Adobe Flash or things like that, there's not a really good patch management process in a lot of the different organizations. So you have a very good subset of attacks that you can leverage inside the company itself. And so once you do that, you build an attack profile about how you're gonna actively go in there. And this is where you start to build more of your actual attack itself. What am I gonna do to impersonate? How am I gonna impersonate? Who am I gonna impersonate and who am I gonna be? And those are all important things because it allows you to start to be able to build that fantasy around who you're gonna actually go and target. What's great is companies provide so much information on their marketing websites, things that are happening, if they're doing United Way fundraisers, things like that, things that allow you to build things that are relevant to the company that then get published out.
I often will send probes into the company, things like, for example, if I'm trying to impersonate somebody within the company, I'll send an email to somebody public facing like a PR person, or sales people are great, just to get an email back so I can see what that email looks like, how they format their emails, the fonts, the logos, the disclaimers, all that other stuff, so that I can make things look believable before I actually go and send things in. So those are all key things that I typically do before I actually launch any type of attack, just more exploratory to see what's actually happening out there. What's interesting though is if a company is business-to-business, I find that they're by far the easiest for me to social engineer as an organization, because I just create a business that's in their market space that they wanna go to and say I have an insane budget that I need to spend by the end of next month for my quarter, and those sales people will do anything that you want them to, like literally you can have them hopping on one foot while clicking on this virus and they'll be cool with it as long as they're gonna get the sale. So business-to-business is very easy when it comes to things. Business-to-consumer is a little bit more difficult, but not as much. You need to know a little bit more about what you're doing, opening fake accounts, things like that. Those are all things that you have to start to prep for ahead of time to try to get them to click on things. What's great is places you can go into store locations and actually do things, like retail stores or places that allow you to actually walk in physically. Those are always great as well. But anyways, starting to build your attack profile and what you're gonna actively go and do, and then from there, testing detection.
What's interesting about this phase is I usually skip this one because I already know enough about the company's detection capabilities that I've already built everything around them. A good example of that is the HTA attack vector, which I'll show you here in a second, which I still use very heavily. There are a number of ways to get access to an organization. Excel macros, I guess, have been kind of like the new old hotness, but that is kind of going away. And so you have other methods too, like Windows diagnostics is a great way of being able to get direct access without even having Microsoft Excel or anything like that installed. But HTA files are also the new old hotness. HTA files are something that has been around since like the mid to late 90s when people were using them for exploiting, and they still work very effectively today. It's basically like Java without having to have Java installed. It looks like it's trying to open up a Windows document on your machine and that's fine. Most people will click open or okay on that. Now what's interesting about that one is things that would typically get picked up by traditional things like FireEye, for example, or other things. You can build your attack vector so that you have things like parameters and things like that that get called, so that when FireEye goes to investigate it, it's like, oh, I don't know, this doesn't do anything, because you're not feeding it any of the parameters. Then you can go and exploit it when it goes into the system. So there are a lot of things that you can do ahead of time to get around those and make sure you have your resources. Then you get to the actual deployment of your attack vector, infrastructure, command and control infrastructure. A lot of times what I do is I'll have my main exploit site where I phish everybody from and website attack vectors in one place, and I pipe my shells to another place, and then I have a secondary place that I pipe other shells to.
So when they're compromised, what happens in most incident response scenarios is they'll be like, okay, this box here is what was used for the phish, so let's block that IP address. But they don't look at where the shells are going, and I'll register domain names that look legitimate, like businessweekly.com or whatever ends up being the different websites that look like legit traffic, and I do all 443 and HTTPS communications, and so they block that one and I still have another one. But I also offload shells to another machine that is out there just to make sure, in case they block those, I still have a little bit of persistence hooks in the environment to do what I need to. So those are all key things that I do. Then you can do the initial intrusion, sending the phish out. This is an important piece for me. When I actually send a phish out, I only send it to one person at a time now. I don't even do like two or three or four or five. I send it to one person and I wait. And the reason for that is if you build your pretext good enough, you will have somebody that will click it, and you don't want to trigger any type of radar. So if I send it to 50 people, what are the chances that someone is like, that might be in part of marketing or maybe part of another different location? You start to get higher probabilities of detection when that actually occurs. So I'll only send it to like one person and I'll just wait, and I'll wait an hour. If I don't get anything in an hour, I'll send it to another one. I'll wait another hour. Usually I don't have to wait that long, unless I get an out-of-office, and then I'll switch to somebody else. But in a case, especially if you do like a survey, for example, and say, hey, after you fill this out you'll get a $10 thing sent to your corporate mailbox or something like that, people will do it very quickly, and you have the ability to entice them with urgency. So those are all key ones. The initial intrusion is the most important part.
For us in the security industry this is a bit problematic, because this is the part that we don't detect very well. So the initial intrusion itself, if I'm deploying commoditized things like malware and stuff like that, okay, maybe, but most intrusions in the initial breach part don't get detected. And I'll show you a couple examples of that. That's the most critical part for us to actually go and detect. But there are a number of other phases that we do as attackers that we need to start detecting better on before we actually get access to a lot of the data. I think the Verizon Data Breach Report had a stat that it takes a few hours to get access into a company and a few days to get to the systems that you need to exfiltrate the data. So you basically have a few days of a window to identify, you know, where an attacker's at; other than that, you're gonna lose all the data that you have. So you get the initial intrusion, then we establish command and control, lateral movement, moving to the different systems until we get access to the data that we want. And then after that, you know, persistence hooks, making sure we maintain access, all that good stuff, exfiltrate the information and then kind of stay low and quiet after that. So here's something I did on CNN. And what was interesting about this one is most pen tests that we do today don't necessarily simulate what an attacker's trying to do. Even calling up on the phone isn't traditionally gonna happen from an attacker. It's gonna be mostly phishing. But if we're gonna do phone phishing and we're gonna actually call somebody up on the phone, what's the thing that we typically go after? Secretaries, okay? HR. HR, good ones, yep. CEOs. CEOs, IT. What about help desks, right? What's the biggest thing that we typically are told to test as assessors? IT, but password resets, right? So hey, can you password reset somebody? That's the common one that most people traditionally do.
Now the problem with password resets is in most cases it requires you to have some sort of information about the employee. Employee number, maybe the last part of the social, who knows what it ends up being, but there are verification processes that are used. So in order for you to do those, you have to do a lot of analysis on who you're targeting, right? And to say, okay, who's this person? Use OSINT to find his birthday, grab the street addresses, pull a social security number, do all this stuff so that I can have it all ready to go, and then I find out it's an employee ID. I'm like, oh, okay. So there's a lot of work going into that. But in social engineering, if you can talk to somebody in the way of a normal human being and say, listen, I need help, but you don't have them do anything that's sensitive that would trigger their minds to say, hey, I need to do something to verify this person. But I say, I just need some help. I can't get to this website. Can you help me out? Most people will do that without having to verify who you are. So if you call any organization, and you can do things like spoof phone numbers and things like that, right? Everybody knows that spoof app and all that other good stuff. You can just spoof your phone number, come from inside the company. And then from there, you have access to do whatever you want to, as long as you don't trigger any type of emotional response or having to challenge somebody, or what we're taught to do. So let's go ahead and do this one.

You think of, when I say the word hacker, some creepy dude in a basement? Well, that's a misconception. I am a creepy dude in a basement, but. What if I told you there's a class of hackers who don't just have social skills? They have more social intelligence than anyone you'll ever meet. I don't know about that, but. I don't know about that, but that's fine. He's what's known as a social engineer, or a people hacker.
His craft is to dupe you into doing things and sharing information you probably shouldn't. Can I just get your credit card number? Some use it for illegal activity. In David's case, companies pay him to find out if employees are leaving the company vulnerable. He and his team show us how it's done. Step one, spoof his number so it looks like he's calling from inside the company, and then call tech support. Hello, either. Hello? Hi, this is Ken from I Help You. I was wondering if you could, and one thing with this really quick is that we had a company give us permission to go and do it. The thing is, if they said their company name in any way, shape or form, we had to bleep it out or remove it from the segment. So we had full permission to do this. I didn't just call up a random company and then get shells to their boxes. I would be in jail at this point in time. So. Disclaimer. Take a look at a website I'm trying to get to. It's for a big customer thing I'm working on for Monday and I can't seem to get to the website from my computer. Sure, what's the website? I'll see if I can get to it. Thanks, man, I really appreciate the help. I mean, it could be a stupid thing. I'm really stuck with computers, but. So it's www.survey, that's S-U-R-V-E-Y dash pro.com. Yeah, I got a prompt to open. I just hit open and I'm at the site now. Here's what the IT guy doesn't realize. By clicking that link, he's just given David full access to his computer. Whoa, okay, that's weird. I just hit a network thing that seems like it's working fine now. Awesome. I don't know what you did, man, but I really appreciate the help. Hey, no problem. That was easy. That was it? We're on this computer right now. You were able to take over this guy's computer within, I would say, like under two minutes. Under two minutes, yeah. Under two minutes, it took over his entire computer, and think of it as not just his computer, but it's pretty much a downfall of the entire company.
In this case, the company was paid. So this one specifically, I just used the HTA attack vector. What's funny is I forgot that we used survey-pro all the time for all of our pen tests. So once I did it, I had to burn it and we can't use that domain name anymore. So if you go there, it's not gonna go to anything, but all my pen testers were totally pissed at me, but it's all good. Now the HTA attack vector, I'm gonna show you really quick. Now this is how crazy we are in security. Well, hang on. So loud. Oh, sorry. More horns me. So let me just get this ready here real quick. Now what's interesting is, you know, it's always a cat and mouse game when you talk about detection capabilities. And what was weird is about a week ago, right before Black Hat and DEF CON, or two weeks ago, I was doing a class that I teach at Black Hat called Red versus Blue and showing like evasion techniques and stuff like that. And so I always check my stuff to make sure it works ahead of time. And I noticed that the PowerShell injection technique that I wrote, called Unicorn, I was getting picked up by antivirus. I'm like, okay, that's weird. All right, well, whatever, that's cool. Let's figure out how they're doing it. So I wrote this chunker that basically chunks it and submits it to Windows Defender or whatever the different lab is for all the antivirus vendors, but it's submitted, and I kept chunking it up and I still kept getting flagged and flagged and flagged, and I couldn't figure out why. And so I'm sitting there and I'm like, well, the only thing left is just to change something. And so if you look at this code here, here's the code for, did you see that? That's the code for the PowerShell injection we encode and everything else. But notice here it says -enc. That's an abbreviated command for EncodedCommand. EncodedCommand allows us to pass what's called base64 encoded strings to PowerShell.
Now, interestingly enough, if you run this whole tool and paste it here into Windows Defender and I try to run it, it says, this script contains malicious content and has been blocked by your antivirus software. Okay? If I change -enc to -EncodedCommand, that can't work. Oh, hey, we get a shell, that's cool. That's awesome, fantastic. So that's the stuff we're dealing with, it's ridiculous, right? But anyways, the HTA attack vector is one of my favorites in SET. And I recommend from a defensive perspective blocking HTAs on the perimeter. You shouldn't need to have any use for downloading HTAs from the outside; use your web content software and block them. But here's a good one, so I'll go ahead and use the latest version of SET, which was just released. Ooh. So I'm gonna go to the social engineering attack vectors. And by the way, there's a new module that actually is an old module but a new module now called SMS spoofing. So what's funny is when Mr. Robot aired last year for season one, in season one, episode five, Elliot is in Steel Mountain and he's trying to social engineer a lady to give him access so that he could take down Evil Corp and upload his malware and all that stuff, right? During that period, they spoof some text messages to the lady that he's talking to that your husband is in serious condition at the hospital, call immediately. And so she gets super disoriented and she moves away, and then Elliot goes in and hacks Evil Corp and all that stuff. Well, they used the Social-Engineer Toolkit to do the spoofing of the SMS text messaging and do that, right? So originally, the SMS spoof messages stuff, I took it out a long time ago. So they're using a super old version of SET in that episode to spoof the stuff. So like literally right after Mr. Robot, I had like 3,000 requests: hey, where's the SMS spoofing module? Like can I get it back in there? I really want to use the SMS spoofing module. And I finally broke and I added it.
So I rewrote the entire SMS spoofing attack vector and it works extremely well. You can spoof from any phone number, any country you want to, to anybody you want to, and you can start sending text messages. So I send text messages, and it's actually a good story. Khalil was in class, and we were all in class at Black Hat, and Adrian is in the back helping students and things like that. And all of a sudden, I have no idea why, but Adrian starts yelling at the top of his lungs the Star-Spangled Banner. In the middle of class, I'm like, what the heck are you doing, Adrian? He's like, dude, you told me to yell the Star-Spangled Banner as loud as I could. I'm like, Khalil, I look over at Khalil, he's giggling over there. Yeah. He got him good. But so it works very well, and, you know, obviously you can impersonate anything, you know, from a spoofing perspective, which is really nice. But we're going to go ahead and do the website attack vector, number two. We're going to do the HTA attack vector, number eight, and then we're going to clone a site. Now I need to know my IP address. So I'm going to grab that real quick. Oops, I messed up. I'm supposed to enter the URL, my bad. Figure if I wrote the tool, I'd probably know which menu to hit, but it's okay. I'll just clone TrustedSec as an example. Enter my host to connect back on. Let's do Meterpreter and it'll generate everything for me. Now what's nice about this is I would normally submit like a website or something like that, right? That makes it look believable. I'd register a domain name. I'd get all my pretext ready, but just for demonstration purposes we'll get going. And the reason I'm showing you this is I want to show you that when you're doing these types of phishes, people don't care what they have to click on as long as they have an end goal. Like for example, if you're going to a survey site to complete a survey, if you say, hey, when you get to the survey, you just hit the open button and then you're all set.
As long as it's in the instructions, they will do whatever you want them to. So we'll go ahead and go over to Internet Explorer. Oh, I still got my shell open. So I was going to use Internet Explorer. This one is 10. I'm going to my IP address or whatever. So go to my IP address, it should load in a second. Internet here is super slow. So I get a prompt to open. I just hit open. See that prompt? Hit open. That was it. And over here we get our shell. That's it. Works great. So very easy to set up, very easy to do. It's still loading, it looks like. So it'll take a second to get to that next stage, but it'll go ahead and compromise the machine, which is fantastic. So it's super easy to build those as long as you have a good pretext. And to be honest with you, you can literally have them download an executable and run it and they'll still do it as long as you build the pretext the appropriate way. Now it doesn't always require doing things over the phone as well. You can always do things physical. Physicals are my favorite because you can literally do whatever you want to as long as you have confidence. Like if you have a little bit of confidence, literally you can do anything you want to. Like for example, I combined, I just did one recently for, okay, I'll just call them a retailer that, you know, has store locations and stuff like that. And so we did some reconnaissance on LinkedIn. We saw that there was a person that, you know, was kind of like the IT person for that general region. You know, like so you had a person that would go out into these different locations, you know, the store locations and, you know, help them out and stuff. And so we just spoofed their phone number and said, hey, this is Bob. I'm just letting you know that we're going to be sending two consultants out to do network upgrades to your infrastructure so that you have faster bandwidth and all that sort of stuff. And they're like, oh, cool.
You know, I'm like, yeah, but make sure you validate who they are when they get there. You know, ask them for business cards and stuff like that. And they're like, oh, what's the name of the company? I'm like, oh, yeah, it's this, and we made fake business cards and all that. And then you just walk in and they're like, oh yeah, hey, we're supposed to, they don't even check my business card, which is fine. And then you walk in, they give you full access to the backend infrastructure where their entire network switches are at, everything else. And we just sat there for two days and just hacked and stole credit cards. Like, it was amazing. So like, hey, do you need anything? Do you want some coffee or anything? I'm like, yeah, coffee'd be great. You know, thanks, you know, I mean, you guys are so nice here. It's amazing. It's so friendly. So the physical ones are always interesting. Now I'm gonna show you a video here. Fair warning, it's a little cheesy because it's a local news one that we did. So when they, then they say this is Dave Kennedy, former NSA and all that other stuff. It's so cheesy. And so I'm a little embarrassed about this one, but it's still a good, good lesson because they sent a producer out and the thing is that, hey, we're doing a segment. You know, can you just walk outside? And she didn't know what she was gonna do. And so she walked past me and I'm like, oh, and you didn't know I was part of this or anything. I'm like, hey, I'm sorry, I'm not from here. Do you know where the Quicken Loans Arena is at? I'm going to the Cavs game tonight. And I'm like, and so I started talking, striking up a conversation. She's like, yeah, hey, I'm supposed to be doing something for a thing. I'm like, no, no, it'll just take a second, you know, blah, blah, I don't know where to go. She's like, yeah, I think it's over there.
And then I, you know, swiped her badge and cloned her badge and then walked into the building, and then I like, it was cool because like, I didn't know when you go into like a live studio, like they were like filming me and I went into a live studio as they're filming. And so you can actually see on the news earlier that me walking in and the news anchor crew like looked to the left and I'm like, oh shoot, I'm so sorry. I was like, you know, like, not supposed to do that apparently, right? An important security alert you'll certainly want to see. So this is for the RNC stuff, it is. It's not just during the RNC, but they need it right now. That's right. You know the electronic key cards that we all carry and use to get into most private places in our lives. But what if someone could clone that badge and actually steal your identity without the card ever leaving your pocket? Well, you know, we're always investigating, and Megan Hickey had a hacker show exactly how it's done. Megan, he broke into our station today. He did, with permission, so that we could see for ourselves. You've probably heard of credit card hacks or ATM skimmers. Well, this technology takes it to a whole new level. We all know about parking lots. Your work, your apartment, your parking lot. For many people, it's the key to their lives. But what if anyone who passed you on the street could steal that key without a single touch? That hits all the tumblers and moves that door. Yeah. See that guy right there on the right-hand side? What's funny is this is not related at all. He's part of my Cub Scouts and they were randomly filming in downtown Cleveland and he, of course, works for a federal agency and had his badges hanging right out there. So I'm sitting there watching the segment and I'm like, oh my gosh, that's Rod. I'm like, so I called him and started making fun of him for wearing his badge out or whatever, but. And now he's a professional hacker, or some might say burglar.
I've walked into a retail shop and actually taken the entire cash register and walked out of the place. Kennedy has worked- That one's the best, by the way. Like, you just, you like, you just walk in like you have a purpose and you just take the cash register. Like you drill it, you know, you take it out and you walk out with the entire cash register. And the thing's heavy as hell, right? You're sitting here like, God, this thing's heavy. You're walking out, people are like looking at you and they're like, keep going? Put it in your car and you drive off and you're like, got a whole bunch of money in the back of your car, you know? It's just like, whatever. For some of the most powerful companies in Cleveland. Financial institutions, you know, manufacturing, you name it. Hired to steal from them to show their weak spots. Even moonlighting as a bank robber. We've gone into bank vaults and stole a ton of money. But he says the easiest way to break into an organization is by cloning these. It takes about a half a second to clone somebody's badge and then now you're that person. Kennedy made his own radio frequency ID cloning device and he told me plenty of other hackers have done the same. This is the antenna. So we put him to the test. He hid the device inside this clipboard. We sent an unknowing producer into the parking lot and he asked for directions. Oh, I'm sorry. Well, hey, thanks so much, I appreciate it. Watch again and look for the clipboard. Next, he makes a beeline for the keypad and he's in. And Kennedy said this summer's RN. So that was a good one because, you know, it was a good one because like, I didn't know where I was going, what I was supposed to be doing. So I just started walking through the building and I literally walked into that live segment and like it like jolted them because like it's funny. I got to find it. I got to find the clip because they're sitting there and they're talking about some story, whatever.
And then all of a sudden like that, you know, and they're like, oh, I'm sorry. And then I shut the door, you know, like it says live on air, don't go in here and everything. I totally, whatever, that's fine. The bank one was a good one. I think I've told this story before, but like it was two years ago, three years ago, Chris Nickerson and I were at DerbyCon and I had one of those electronic cigarettes. Have you seen those, right? You know, I don't smoke or anything like that. We had one because it blows big plumes of smoke or whatever. And so at the Hyatt, we got permission and we started blowing smoke through the cracks of the doors to figure out if you could trigger the motion sensor inside. And so we were able to do it, and we were actually able to trigger the motion sensor by blowing, you know, water vapor in the air and trigger the motion sensor. So I wanted for the longest time to do this on a bank job, like a bank branch, because the bank branches are designed for customers. And so if you can trigger the motion sensor on one side, you know, the door should open up, right? You ever walked out of a supermarket and you walk out, you know, and it sees you and it opens the door? Same thing for this bank branch. So it was like two o'clock in the morning. We had like all of our like crazy, like, you know, camouflage on and everything else, you know, and we make a beeline for the front door and I'm sitting there like blowing smoke through the whole thing. The whole like inside of the building now is like completely caked with water vapor, right? And it looks like someone's having a great time inside of this bank at the time, right? And I'm sitting there for like 15 minutes, and while I'm doing this, one of our other guys goes around the corner and is like, hey, I'm gonna check the other doors, whatever. And so like 15 minutes go by and I finally get the thing to trigger and the motion sensor door opens up.
And so I walk inside and there's our guy just sitting on the counter, like sitting like, hey, it took you long enough. I'm like, hey, what, how'd you get in? Like did you lockpick somewhere else? He's like, no, the side door was open, dude. I'm like, it's always the easy stuff, right? We did a PCI pentest recently and this one was interesting because we ended up phishing one of the main IT admins, which is great. You know, with IT admins, you can't do things that would trigger suspicion with them because what ends up happening is, you know, they are very technical in nature, so if anything is out of the ordinary, like, hey, I'm downloading a virus, they're probably gonna know that's a virus, right? Whereas salespeople, it's a different story. So be very careful going after IT folks. Again, incentivized things are really great, you know, things that may be issues, getting them to help other people, establishing communication, those are all key things that you can do. In this case, we ended up phishing them through a health benefits phish, which works very well, and what was interesting is once we compromised them, we tried getting access to their PCI data, their credit card data, and their credit card data was heavily segmented off, so if you did a quick port scan here, you can see all they had open into the PCI environment was port 22, or SSH. Now it was interesting when we logged in to the admin's box, he was only isolated as an individual machine. We saw that he was SSH-ing into the PCI environment. Now if you've ever used it, there's a tool called Pageant, I'm sorry, Pageant is a part of PuTTY that stores your certificates in memory, and what you can do is you can basically use that to communicate over and inject into that to then hijack that session and then get access into the PCI zone. So we just hijacked that session, added our own public keys to the server, and then we were able to log in.
And then one thing, the first thing we do when we get into an environment is look at the history, which is always great, and we saw some shell files in there for remoting into other systems. So we remoted into the other systems and looked at MySQL, again did history again, saw the password used in memory, which is great, is mysql -u -p, people put the passwords in there so we can see the password to MySQL, and then we got credit card data. So very easy attack vector through phishing and it didn't take a lot of time. So these types of attacks are interesting because they take advantage of what we're supposed to do as humans, so this is gonna be a problem that isn't just now, it's gonna continue to move forward as we go along. So if you look at what people are trying to do right now, it's a balance between technology and using technology in a way to prevent users from doing things, but also at the same time the education piece. Things that are just like phishing examples, like using things like PhishMe or whatever, they're great methods of awareness for people to try to keep things fresh in their heads, but at the same time you still have to do testing to see how effective your detection controls are, how well you can stop it in the event that somebody does it. Click ratios to me mean absolutely nothing if people don't know how to report an issue to the organization. So if I can phish somebody and it's one person, doesn't trigger any alarms, I now have free rein over that company until you have one indicator of compromise that I have as an organization. So those are all things that I typically do to kind of go through and look at that. So as an industry, we have to start looking at things a little bit better to go through and find things that work for us in our environments, and who knows what that is, who knows if it's a combination of technology or anything else, but the types of techniques that we're leveraging right now are still very easy.
I mean, Chris, I mean, how long have we been, is Chris sleeping over there? He's sleeping, he's sleeping, it's fine. No, he's sleeping. No, he's sleeping, okay. So we've been doing this for a while, would you say it's harder, easier, or the same as the past 10 years? Easier, okay. I'd say for me it's about the same. Yeah, I mean, I don't, yeah. Yeah, yeah, and the commoditized phishing stuff is great. Again, I'm an advocate of getting awareness out to people and kind of being able to benchmark that. But those statistics are irrelevant in a security program. I mean, if somebody clicks a little bit less, that's great, but at the same time, the types of techniques that we leverage, and if we develop a very good phish, you still have to have detection capabilities to actively go and detect that. So that's some things that I really recommend focusing on. Got 10 minutes left, good job, that's a good sign. That's awesome. One last thing I wanna show you, and I've shown this many times before. So if you haven't, if you've seen it before, I apologize. If you haven't seen it, that's cool. But I like showing the Katie Couric one as a good example because that one was one of my favorites to go and do. Has anybody not seen the Katie Couric one before? Okay, we got quite a few people, okay? So this, by the way, this is big Dave, and this is little Dave. I've lost about 116, 117 pounds. So thank you, thank you. Thank you. It's all the frantic coding that I do on SET, the muscles and stuff. It works it out quite a bit. It's been great. But in this specific example, what was great about it is Katie Couric called me and it was funny that I happened to be on a physical pentest and I was like literally in an air conditioning vent, like climbing through the air conditioning vent. And I'm a big dude at this time. So I'm like all sweaty and I'm like, it's horrible and it's all hot up in there because the air conditioning's not on. It's like the weekend, they turn it off on the weekend.
I thought it would be a good idea and it'd be nice and cool climbing through air conditioning vents. But she called me and I left the phone on and I'm literally right above the security guard and the phone starts to ring, and so I'm like trying to get to it and you can hear me like cussing and stuff like that, and I can't imagine the security guard's like, what in the? Didn't say anything though. It just kept like whatever. And once it was quiet, you didn't hear a thing and I just kept going on my way. Everything was fine. But I answered the phone like, hey, can I call you back? It's kind of a bad time right now, you know? But I'll call you back. Just give me like five minutes. I'm almost in this building, and she's like, okay. But the producer, she wanted me to hack into somebody live in the audience, and what she asked was like, hey, can you just randomly select somebody in the audience and hack them? I'm like, yeah, if I want to go to jail, that'd be cool, right? So what I need is permission first. And so they gave us permission, and what we did is I did a little bit of reconnaissance on the individual I was targeting and went after her in that way. So this is the one here. Ashmed is here. She has two teenage daughters. She lives in Connecticut. And Stephanie, I understand that you believe your computer is unhackable. Why? Well, it's something that's really on my mind. I'm very concerned about it. I feel like all of my antivirus software is up to date. I've taken a lot of precautions. Oh, yeah, I have a computer consultant who comes into my home. By the way, do you hear that? She has a computer consultant that comes into her home. Does anybody here know of anybody that has a computer consultant that comes into her home once a year? I'm like, Katie just picked the most secure person in the world here. And I gotta whip out some 0-day stuff right here, you know, it didn't need to, which is good.
But no, literally, I'm the IT consultant for my entire family, especially my grandfather who gets infected every other week. And I do all of the IT work for our church. Like, I'm the IT consultant for everybody in our entire family, which is fine, I'm cool with that. I just lock them down so they can't do anything. Like, hey, I need to get email. No, you don't. Just keep doing Pokemon, you're good. To check on these things, and so I really feel strongly that we have done everything possible to try and protect myself and my daughters. I mean, it's something that's really worrisome for me. Well, that's very impressive because you seem like you're extremely ahead of the curve. So we decided to put David to the test to see if your comfort level with your security is actually warranted. Tell us what happened. How did you do when we gave you the challenge? I'm just gonna keep that. Dude, that's blue steel, man. That's blue steel all the way. Whatever. Well, what's funny is during the actual live TV segment, it isn't shown in this one, but for just a split second, the person that was coming up next was Benedict Cumberbatch. The guy that played Dr. Strange and, you know, Sherlock and all that other stuff. And so I was totally fanboying for him like before this segment. So I'm like, oh my gosh, it's Benedict Cumberbatch. He's like, oh my God, it's Dave Kennedy. He didn't really say that, but, you know, but I was talking to him and I guess when I was on TV, it said up next, one of the world's sexiest men alive. And it had literally like this picture up here like this. And they removed the up next for like a split second. Of course, all the hacker people were like, oh, the world's sexiest man alive and all this other stuff. So it's pretty hot. It's pretty hot. Hacking into Stephanie's computer. So, you know, Stephanie, I would say, was actually in the top 5% of what I would say is being most secure.
You know, everything up to date, really locked down, all of those good things. And so I literally had plugged in, opened my computer up and in less than 10 minutes or so had a fully designed website that looked real in every way, a website that she would visit every single day. And I sent an email out and as soon as I sent the, so I friended a bunch of her Facebook friends and then I friended her. And then I, because, you know, established a little bit of credibility and then friended her, and then I saw that she would order things like packages on Amazon. So I just created an Amazon website that looked like Amazon. I'm like, hey, your package is gonna be arriving tomorrow. Click here to update your settings and blah, blah, blah. And it was like, quick, quick. It looks very believable in every way. She clicked a link and then from there, again, less than 10 minutes of setup time and hacking and all that stuff, I had full access to her computer, her webcam, got around all of her antivirus, everything completely. You are kidding me. Wow. So tell us something that you were able to see. Well, the first thing we did is we enabled her. Oh my God, that's my. We enabled her webcam and we were actually able to monitor everything that was going on in her house, everything from her daughter working on her computer to Stephanie actually walking through the house itself. We actually enabled the audio as well so we could actually hear everything that was going on at the same time so we could listen to conversations. From there, we started looking at a lot. She was pissed. She's really cool actually. She's really cool. Afterwards, she asked a bunch of questions on how to protect her computer and everything, and I think the last time I talked to her was like six months ago or whatever, but she's awesome, and the whole thing was just to kind of show exactly what was happening out there.
So it is easy today, but what's interesting to see is that we are taking this seriously, and what's nice to see is this room here would not have been packed 10 years ago. It's cool to see people getting interested in this and social engineering as a profession and the awareness that's happening with it. What the best fix is, I don't know, none of us have figured that out yet. There's no tool or product that you can download that stops all the APTs, although some apparently claim they can stop 99%, which is bullshit, but you have things that you can do to protect yourself, and it's really that defense in depth strategy of being able to identify where your weaknesses are and try to minimize your damage. And again, to that initial thing around, the red team needs to be right 100%. That is changing; the defense needs to be right just once to identify that a breach has actually occurred. The commoditized malware stuff, that's essentially just noise for us at this point in time, but being able to detect when a compromise occurs and the methods and techniques that attackers use to move to different systems, to get access to the data they need access to, that's the part that we need to mature in as an industry. Does anybody have any questions? Any questions at all? What's that? Did the lady fire her consultant? Did she fire the consultant? Hey, it was Windows, man, I can't blame him. So, question back there. It's a good question. So the question was, to emphasize, what can you do aside from training to stop these types of techniques? Is that good paraphrasing? Yeah, so the thing is, is that, okay, you train your employees, which is good. That's what we need to do. Bringing awareness not only helps from them not clicking on things, but also awareness when you implement things in security that may be restrictive. They understand why you're doing it. So you're no longer those draconian security folks; you have their best interest to protect.
But we have to do more real-world simulations of these attacks. Like, hey, I'm gonna do a targeted phish and we're gonna make it successful and we're gonna see what we detect and what we don't. So we call it more of a purple team type situation where we have folks in the defense and folks in the offense working together to figure things out to get better at defense. And you know what? Every increment that you do of those, you get better and better and better at detection each time. And a good example of that is, we were doing an assessment for a company three years ago and it was the first purple team engagement that they had done. And really poor defenses, didn't detect anything, but their goal was to get to the point to where they detected a breach within three weeks. That was their goal. So it might sound horrible, but if you look at all the other ones, it's like six months to like a year before they actually detect things. So I'll give them three weeks, whatever. So we got to three weeks. Well, next time we went there, it took them three weeks. They detected us after three weeks. Before the year came after, they wanted to go down to a week. Now we're at a day. They do very good at defense based on these simulations going on all the time to get better and better at detection. So it's a pairing of understanding the offensive ways that we attack organizations and putting controls in to detect that, as well as the training. I mean, you're never gonna get perfect, but I mean, I hope they trip up once or twice and I put things out there that make the attacker go after things that allow me to detect that as it's actually happening in our environment. So that's the most important piece. Will morality ever catch up to technology? You mean people being more moral with what they do? God, no, no way, no. Yeah. I think there's enough money to get people enticed to keep doing things.
I think that the market itself continues to go up when it comes to this and there's a lot of money to be made. So I don't think we'll somehow become more conscious and not do things, and harmful things that people have. World peace I hope for. Something huge I'm coming up with next year. I did a tweet and I said, hey, next year I'm gonna be releasing something huge. That's it, that's all I can tell you. It's a new framework that I'm working on that will break almost everything, but it needs to happen so that we can get better. The heck is that? Oh, okay. Well, hey, thank you very much everybody. Appreciate it.