 Okay well good afternoon, everybody enjoying the con so far? You got an hour left, if you haven't started having a good time yet, it's too late, you missed the boat this time. So first thing I want to do, I know a lot of people have been giving the goons a hard time out here and they don't ever get their due. Let's give a good round of applause for the goons out here and know what hard work they're doing. Because what I'm going to talk to you today about is a little bit about the insider threat. And when you think about it, the insider threat is facilitated primarily by the security folks in your organizations. And the goons are out here protecting everybody out here, they're protecting you and I from the insider threat during the event out here. So they've got a hard job, nobody ever gets any credit. And the security guys, if anybody works in security in their organization, they know they never get any credit. And they never get any money either, so you have to be real creative in what you do. So my name is Tony Rucci and there's who I am. And I spent 21 years in the Army and I was a counterintelligence special agent. I retired back in 2004 and I now work for Department of Energy at Oak Ridge National Laboratory. As with a lot of these deaf kind events, I'll have to caveat it. I don't speak for Department of Energy and all that other good and everything like that. But I do speak for Department of Energy on quite a few things and I do give a talk very similar to this. This is really about a three and a half to four and a half hour session that I give. In fact, I give it out at Infosec and I'll be out there with a half day seminar in March. Down there is my cheesy plug. So we're going to talk about a little under an hour. But I like to call myself a dirty smelly contractor because now that I used to be a Fed, I'm no longer a Fed, by the way, and T-Dub, I like his art so I ask him if I could borrow it and throw it up there. But when we go in there and we do some work in the Beltway, we always get called dirty smelly contractors. Every time I look at your badge and they see the sea on there. So I kind of have grown fond of that. But Die Hard Tennessee Falls fan been married for 26 years. So, you know, there's all your intel you guys can collect on me because I started doing your homework. But my son recently moved out of the house. We're empty nesters now and now the fun really starts. So any of y'all who've got kids who've moved out, now you know the fun really starts. That's when you start buying all your toys. Got my Harley now. So all that good stuff. So why am I giving this? It was really supposed to be a two-part talk. It was going to give really from the hiring perspective and the defensive perspective from the company's eyes over at Black Hat. They had a lot of great briefings and presentations out there this year. So I got kicked to the curb. So I'm talking out here. But really my intent was to flip this around and really give it to you from the hire or from the perspective candidates perspective. And so when you guys are going out there, you're looking at companies and you're interviewing and they're hiring you to kind of give you a little bit of an idea of what they're doing or what they should be doing when they're hiring you. But I'll really talk from the first person on the company's perspective. But when you start looking at it, when you look at today's economy now, as economy is struggling, people are having a hard time with layoffs, lots of layoffs. People are having to come up with creative ideas and it's really stressing families. When you've got yourself set in a mortgage, you're making money and you've kind of grown accustomed to that type of lifestyle. Then all of a sudden that's swept out from under your feet in one day. And now you're trying to figure out what you're going to do. And people will come up with some crazy ideas from time to time as we'll see. But the thing I really want to draw attention to, doodle come up here. This is the reason why we're having events like DEF CON and things like this. It's a networking event. It's able for you guys to come together and all of us to come together and put ideas together. But it's for young folks like doodle right here. This is doodle's first DEF CON. She's 13 years old from South Carolina. I want you all to give doodle a big old round of applause. It's folks like doodle who are up there like a sponge. The first day I came out here, I saw her up there in a hacking hardware village, a hardware hacking village. I've seen that electronics board up there. Back when I was a kid, you go on Radio Shack for 20 bucks and we had the wires and we were coming up with all kinds of crazy ideas back then. So she's up there and I asked her if she was going to port that to her badge and she didn't get one of the badges. So we hooked her up and got her one of the badges and I think she's going to probably win the hacking contest here in a couple of years. But go ahead and have a seat, doodle. Appreciate it. I don't mean to embarrass you. But it's about passing on the ideas and tradition and vision. And I challenge everybody to do that and to share ideas. And as you're sitting off with your little pull-asides and your party groups, it's about having fun as well. But it's also about sharing ideas and challenging the filters. We deserve unfiltered information and too often that happens to us. All right, I'll get to the real talk now for that other stuff. All right, so here's the agenda we're going to talk through. Really going to talk to you about insider threats and how to detect them and how to go about maybe through a hiring process. And so put yourself in whatever shoes you are. If you're on the hiring and the corporate side, industrial side, or if you're on the candidate side. So who are the insiders? The first question you need to ask and it's pretty much everybody. Everybody who touches your business process or your piece or your corporation or your organization is the folks who you work with, you collaborate with. It's visitors you bring in. If they touch not only your systems, but if they touch your people as well. If they have influence and they can influence your decision making process, that becomes a threat if it's a negative influence of course. But the intent is that you're collaborating. So we look at some preconditions and what I'm going to do is just kind of walk down each of these preconditions here for you. Lots of motives for people to present themselves as threats to an organization or commit espionage and that's kind of the sense that I think of. My whole life turned to the right. I did a little dog leg back in I guess the late 80s now is when I think about it. I was just a straight laced traditional espionage guy and sitting in my office. Well they do have traditional espionage. But I just sit in my office and I skipped lunch one day and somebody came in with their hair on fire saying, who knows anything about computers? Well, I was the only one there. So I said, I've got trash 80 on my desk at home. And that's all I knew really. I wasn't any kind of investigator with computer crimes or anything at that point. And it turned out that you guys may have heard Jim Christie talk about his case for the circuit years ago. Well that was my very first computer crimes investigation and I worked just very low level running some leads out in East Tennessee and southeast Kentucky out there. And from that point on, in that case, everybody who worked it became a meat expert in their field in seizing evidence and taking down a system and doing the forensics analysis on them and chaining custody of evidence and how to make sure that evidence isn't tainted and you became that resident expert. So you started getting called out in a lot of cases in the whole nine yards. So yeah, we milked it for a little while. But it started a career path and then all of a sudden they started creating the forensics. But with that, you started developing a lot of policy and of course a lot of our guides. And over the years, since then, you start looking at and you can develop or determine what people's motives are. And of course the big three is always greed, discoloration and revenge. And money is the big thing really. People are going to do anything illegal for money, money talks. But at the same time, nowadays people are just trying to get back at you especially if in this economy, when you get your pink slip from a company, somebody says the boss comes in and says you've got two weeks and go find something else and we'll help you put your resume out there. Well, that's when people really become a threat to your organization because they start scavenging everything. They start backing up their own discs, their data and they're going to take their Rolodexes with them and I'm dating myself but they're taking their contacts with them. And so those are things that you need to be cognizant of. So people are motivated by lots of different things and a cup of coffee is enough to motivate some folks there. And I love this little story back from 2005 and Verisign did that and they really just went out there and was asking people out in front of Starbucks. If you give up your data, we'll give you a Starbucks card. And some people, I like the idea. The guy didn't have enough time to go out there so he sent his assistant out there. So that's great. But for somebody to commit espionage or somebody to commit serious crimes and cross that line, they've got to be able to dig deep down inside them and overcome some of their inhibitions and we've all got morals and ethics. Everybody's got a varying degree. And so I like Bob Hansen. And if we've got time here at the end, I've got a short video of Bob Hansen on his last day of freedom back in February 18th for the last couple of minutes of his freedom when he went out and made his last dead drop and the FBI did the habeas grabbis on him. And incidentally it was my current boss, Mike Rodgford. Any of you guys see the movie Breach? Yeah. If you didn't see the movie Breach, get out and see it. It's a pretty interesting movie. There's a lot of Hollywood in it. But you may recognize my boss, Mike. He was played by a five foot eight blonde gal with long blonde hair. Yeah. That was Mike, but he used to be... Well, she sells more tickets than him. That's to be truthful. He's a pretty ugly guy. I wish I had a picture of him. So can we stop the camera on that part and edit that piece of it? My evals do. No, no, he's the one who told me that. But Hollywood needs to sell tickets. But the reality is that... I don't know where the hell I was going with that. But he was in the FBI for 30 years and he was the chief of the counter-espionage and counter-terrorism division. And that's one of the things that he talked about with Bob Hansen. He really gave you that persona. And when he was leading that double life that he was a really stand up guy, he went to church or went to Mass nearly every day. And he would push that off on his folks and everybody he came in contact with. He was really living this dark world, dark life out there. And he had crossed the line a long time ago. So I encourage you to go out there and see that movie. I don't get any royalties or anything. So at some point in time, you're going to get so stressed out and something's going to happen in your life and something's going to trigger that ultimate response. And you say, you know, I've been thinking of bad things. And a buddy of mine, John, a bump gardener over there, he and I, we kind of work in the same mindset. We sit around, we think of bad things. And we sit around just thinking of bad ideas and think, you know, this could really happen. And this is feasible or plausible. And people tell you to go away and they tell you to go lock yourselves in another dark closet somewhere just so that they don't have to hear it a lot of times. But that's the same thing with somebody who's considering crossing the line. They think up, you know what, I'm really disgruntled. The organization screwed me over. I'm taking a 10% pay cut this year so that we can all, you know, continue to march. And it's really getting to me. And then something happens and, you know, maybe they take away your company car or something. I don't know. But that trigger, that's all it takes. And I'll show you a few examples here later on with some case studies here of some people who did pop. But everybody deals with emotional responses differently. Some people will drink too much. Some people will, you know, take your system down and, you know, load up a lot of value in your network that will trigger somewhere down the road. So here's a short list here and it's very logical. And you guys have seen this before. It's a short list to make sure that you're protecting your organization, obviously. At least use your privileges. This is something that just blew my mind in 2004 when I retired and I came out to DOE and I was signing up that day and getting my badge issued to me. That lady over at the security office, she shakes up her, starts giving her mouse the, you know, the morning rattle and it takes about five minutes for everything to wake up and she's got a nice waterfall screensaver on there. And I says, wow, I can't believe you guys even got that crap on there. And she says, ah, I says it must be an old box. She says, oh, no, no, it's pretty new. But she had loaded up so much crap on her box and of course, when I finally had to wake up, she had everything open all the time. And she says, yeah, I downloaded this a couple weeks ago and it's pretty neat. It looks pretty good. I says, well, you can install everything. You got admin rights. I says, yeah, you must be in the security office. That's okay, huh? Oh, no, no, we all do. Everybody, you'll have admin rights. Everybody in the whole organization has admin rights, not today, but that's how it was a few years ago. So that just blew my mind. So you've got to be able to manage that. And some of the folks obviously are able to remote in and you've got to restrict the scope of remote access because everybody has full reign, especially the folks who are admin. In this case, it was everybody. And for those who do remote in, you need to make sure that not everybody has remote access. Not everybody does. I'm going to talk a little bit deeper here in a few minutes about monitoring employee behavior and the primary one is taking a look back in the backgrounds of your employees. I show hands and they're not going to record you like that. How many of you guys rely solely on the resume of your potential candidates for your organizations because you don't think it's right to look into their background and do open source on the Internet? How many of you? Yeah, you're not going to admit it out here. You would be surprised how many companies I talk to who say, oh, no, they're not our employee yet. We can't go out there and do an open source. We can't look them up on the Internet. That would be a violation of their privacy. When you put it on the Internet, you kind of give that privacy up. Wait till I show you the pictures from the party last night. They're already out there. But you need to screen your personnel. I mean, it's very basic. I mean, if you're going to bring somebody in to the circle of friends like the Fockers, right? You're a little inner circle. You want to keep an eye on them. And you want to make sure that they're the best candidate for your organization. But you want to make sure that you're not bringing the threat to your front door. Now, we're a little unique in my world. We invite 4,700 foreign nationals from you name the country out to our laboratory every year on purpose. I mean, so we invite the insider threat out there. So we've got a fairly robust program, and we try to mitigate the best we can. Are they getting us? Yeah, you probably read the news. We had PII divulged out there last year on the internet. It happens. It's going to happen. You've got to be able to mitigate it, and you've got to have a emergency response plan and be able to take action accordingly. But a lot of companies are afraid to do that if they're going through that whole process. So one of the things that I used to do, and I didn't really mention it up front, my last seven years when I was in CI, I was the counterintelligence operations officer at the White House military office. So we would go through a robust counterintelligence screening process for every candidate that would come to work there on the 18 acres. And so it trickled down. We had several security officers through like White House Communications Agency and Air Force One and those guys as well. And the third headquarters, for every position that we would hire, we'd do no less than 10 interviews, and we'd get applications from a large pool, and we'd screen them down just by the resumes themselves, and then we'd do the CI screenings. We'd bring them in, and we like to call it a murder board. So we'd put them in front of the board. And it was really one-on-one interviews. But really, we could knock out half of them right away just by doing financial and pulling up credit checks and looking to see if somebody's going to be susceptible to blackmail or somewhere like that, because if you're not managing your finances, like I said, one of the things, money talks, right? So somebody opens up a suitcase. We used to use this in our briefings years ago. If somebody were to open up a suitcase and it had $10 million, well, maybe not even that in a lot of cases, but $10 million, you'd think. You'd at least pause. I don't care how patriotic and how loyal you are to the cause in your organization or your country, you'd stop and think. And if it passed through your mind, you'd say, could I get away with it? What would I do with the money? Or how would I manage it? So I don't care how loyal you are, and we used to always ask the question, would everybody stand up? And then they would ask the question. Almost everybody would sit down, but it's the case that when you look at it, when Rodgford gave the guy who gave up Hanson, when he went overseas to do the pitch to him, he gave him $7.1 million in a briefcase. And that guy was telling him, there's no way. My family is taking care of him. I'm very well off, and there's nothing you can do that's going to change my mind, and I'm not going to give him up. He said, let's meet. He sat down with him, opened up the suitcase. $7.1 million made the guy talk. So it's a great story. And take a look, go dig up the data on it, and there's lots of Hanson reports out there. And if you're in Go sector, you can pull off all the classified reports as well. Or maybe if you're not in Go sector, if you're really creative, maybe somebody out here can pull that stuff down. But do open source checks. And I'm going to come back to that stuff here in just a minute. But one of the things that's really important as well, that keeps the organizations alive and keeps the people excited about being a part of protecting the culture of your organization, is take advantage of training opportunities. And this is a great training opportunity as well. Send your folks to events like this and not only IT sector, but security conferences and bring people in to talk to your organizations. And with fresh ideas, you don't want the talking head, you know, your head of security is sitting up there every week on Monday morning and we're giving the weekly stand-up or something like that and just beating down everybody. Pretty soon it's just like peanuts, you know, the teachers womp, womp, womp, and that's the case. And especially like, well, I'm doing it here, death by PowerPoint. I've only got 340 more slides. But seriously, you know, you want to have some fresh ideas and we'll bring case officers in from respective agencies. We'll bring folks in who had their stuff compromised and talk about how they responded and what mistakes they made. And you can't be shy about talking about your mistakes to a certain degree, of course. You know, except banking industry, they never talk about their compromises because that has a serious impact. But, you know, bring folks in and give fresh perspectives and something that they're doing wrong and something that they're doing right and take away from that. So, talk a little bit about the contributing factors. Excuse me here. It's been a long week and the hot cold, hot cold kind of kills you. I'm sitting at a poker table at 4 o'clock in the morning too. Was that thing on? Did I use my outside voice? Sorry about that. I'm up at least. Okay. So, when you start looking down contributing factors to somebody who's going to be an insider threat or potentially an insider threat to your organization, you start looking down some of these little checklists. And, you know, and you kind of chuckle because as you look down these, you start thinking about all these folks that you're working with. And I've got a pretty robust list down there in a second. But years ago, when you were dealing with folks who had security clearances, if you admitted to any kind of gambling, you all automatically became suspect and you're under the microscope. But since 2003 when Chris Moneymaker won the World Series of Poker out there, he's in my poker club in Knoxville. So, he really turned the whole idea of online poker and home games and the whole nine yards because he was an amateur and he really brought to the forefront. And all of a sudden you're seeing poker on TV and it's kind of the cool thing to do unless you're using your mortgage and all your life savings, you're dunking your car out there and throwing car keys up at a poker table, then you've got an issue. And then you see the numbers up here on the billboards up here. You guys need to give them a call. But, you know, keep in mind, it's excessive spending and gambling, and things like that. It's kind of like playing the stock market. If you're going to gamble, you're going to play the stock market. You need to be willing to walk away from that money and have it not impact your life. But let's focus a little bit on the internet presence. You know, you start looking out there and looking on the internet and folks are going to have internet presence, for most will. Surprisingly enough, it kind of turns me around. When I start looking on the internet, I don't find somebody. That makes me more suspicious than anything. But every now and again, you do find those folks. But if you're hiring them for your sys ad or something like that, probably not who you want to hire. So, when you start looking at it, you're going to find pictures out there. And everybody's got their different drop sites, photo bucket, whatever, where they put a few pictures out there of the parties and things like that. You know, doing a little keg standing. You might be the life of the party at the company or something like that. But you know, you don't want to be the one who's always got the company parties out there. Doodle cover your eyes. Cover your eyes. I'm just kidding. But you know, so this morning when I went to go wake John up, I'm sorry John, I need to give you credit on that photo too. So, there we go. That kind of looks like DT. Don't you think? I don't know. But you know, you might have a little value added. So that's an old school hack right there. But in all seriousness, well those are kids around. Those are folks, when you're young, you're going to do some retarded things. But take a look at this. I've got a nice little story with this here. Here's a guy who's truly a CEO candidate. And think about it. Do you want this guy who's got Swinger's lifestyle profile married with four kids and he's got a profile on there looking for three sims, four sims, oodles sims, I don't know. Lots of sims. But what stands out in your mind? Guy doesn't have his wife on there. So maybe this isn't something that's part of their lifestyle. You know, it's okay for some folks if that's what they want to do but he doesn't have his wife on there. Could that be a potential element of blackmail on the guy and you hold that over his head? All right. Be smart. This kind of stuff is easy to pull off. Facebook, MySpace, and all those other LinkedIn and everything like that. If you've got an account, you've probably got a little bit too much of information on there. Especially the ones that are more professional oriented but you still start bragging about yourself a little bit and that's just human nature. You do it in resumes as well. If you post your resume, you start dropping them out in places they're easily retrieved because you can just post out there like you're going to hire folks and you can see who's got a specific skill set. But I kind of turned this around since I'm a CI puke. I think of it in different terms. I look at it like, well, maybe he didn't put this out there. Maybe I don't like the guy. Maybe I work with him and he pissed me off. Maybe he got a contract that I really wanted. So I went out there and I got a picture of him at the last conference because he's got a conference badge on. Maybe I put that on there. Maybe I put... Yeah, it might be. What are you doing on the gay website? How do you know? No, I'm just kidding. I'm sorry. No, but you're absolutely right. Do something like that. And a perfect story is a guy who had a MySpace page and he was a CIA case officer and he had cover name. Well, he had MySpace with his true name out there. And it was a contact of a contact of a contact. Maybe. Or maybe it wasn't. But regardless, there was a picture of him and he had, you know, a little bit of information, just enough information about where he was, what he was doing, and it just kind of sat back and watched. What do you have on your MySpace and Facebook? You've got the little wall of hey, what's up? How are you doing? Everybody leaves a little comment on there. Wanted to see who knew him and really just track and see where his connections jump out to. So those are kind of interesting little ideas and you know, you can do the same thing with something like that. Not that I'm highly recommending that you go to Swinger's Lifestyle or anything like that. Unless you're into that. So you can kind of run down a little checklist like this about yourself falling in the couple of those categories. I know it's kind of small. But years ago when I started signing up to come to things like Black Hat and Def Con, people in my organization kind of scratched their head and said, why the hell would you want to go to that? And you probably still get a little bit of that this day and age. But I think not so much anymore as they're starting to build things like Cyber Command and things like that. It's really getting out there. So it's taking off. So here's a cute little story here the other night where Black Hat going to the sushi party over there that CORE put on. Anybody go to that? Do you eat lots of sushi? Or do you just stand around like this most of the time because it was so crowded in there because they always give away way too many badges on that. So everybody was standing outside there getting started with that thing. So Chan, he had gotten a badge for some guy that he hadn't met before. He's waiting to meet him up out there and he's supposed to link up at a certain time. The guy's running a little late, so John shoots up. Are you guys able to read that up there? Yeah? So he kind of runs down with some message traffic on there and kind of spooks him and says that he's in the guy says, who's this? I'm the guy who's surfing the internet off of your phone and the guy kind of says, wow, that's kind of cool. So how do you do that? The vendor didn't patch your phone's firmware. Okay, now try. You want a job? He says, what for hacking your phone? He says, man, you're still in. He says, you'll be killing my battery. So John's going to get a good job out of it and I don't know what's going on with that. So the whole thing is he influenced them. Didn't have to really hack his... All he was doing was just playing with them and just sending, you know, bunch of meaningless texts while we were out there kind of bored. ADD set in. So... So he influenced them, though. And that's the whole thing. You know, with terrorism, insider threat, you don't necessarily have to completely follow through with anything. All you have to do is influence that organization and you've been effective. So the sushi social engineering now becomes an integral part of future talks. But now there's the intentional insider and then there's the unintentional, aka idiot. Now I don't know the legitimacy of this. I looked it up on Snopes just to see if this was real but it's a really cool slide. And you probably can't read the text way back up there but it'll be on the slides archived up there. Guy had a video card so he shot into a help desk, I guess, saying that I don't have any pictures. I don't know how this picture ended up out there if he didn't have pictures. He got into the little slot thingies on the motherboard and it has little grooves in there so that you can cut away the slot thingies to make it fit. So he cut it away and it doesn't work now. I don't think you can take that back to Best Buy and get your money back now. So here's one. Give a little props to West McGrew. You guys might have been tweeting with him McGrew Security. So this is a little story about the double insider threat here. This guy here you guys may have heard about about Jess McGraw. He's a security guard, a night security guard out of the hospital in Dallas. So what do you do? You sit around and wait for somebody to rob the hospital I guess to make sure that no one is taking people's bags and all that stuff in bedpans. So he got bored and jumped on the box and he was able to hack the HVAC system in patient records in there. So he can influence a lot of things in the hospital. Everybody's always either hot or too cold and he can influence it. But he crossed that line and he took it a step further and he dropped his termination letter to the company saying I'm going to stop working here. My last day is going to be July 3rd. He was on the blogs out here and inciting an attack, a DDoS attack on the hospital on the 4th of July. The Patriotic Victory Party I guess. Well, now he's opened himself up to some felonies kind of crossed that line. But really he's got arrested and he's charged with downloading malicious code and threatening public health and safety because it could potentially shut down some people's life support or something like that that they're sitting on in the hospital. Now it's more of a therapeutic and sports medicine kind of hospital but regardless. $250,000 in fine. And what I really like about this one here is this is a double insider threat because the guy who dimmed him out is one of the guys in his hacker club in the ETA. So he exposed him by talking on another blog and of course they're posting all their photos or their movies of it on YouTube so it became known that way. So kudos to the folks who dimmed him out. But I like that double threat. So just this last weekend as we were rolling out here for Black Hat the Palm Pre came out at Best Buy. Anybody get one for $99? Anybody have one? Just pay $199? That's what it's supposed to be. How much you pay? I saw a hand go up there. There you go. See if you'd have gone to Best Buy on the 26 you could have got one for $99 in New York. So what happened apparently was that there was some talk and there was some posters of smite death that were being written up and managers shut it down on the 26 saying it wasn't supposed to go out and the price was supposed to be $199. Allegedly somebody just either didn't hear it or discounted it and so that whole New York area they got palms and all the Best Buys out there and they put it into the systems so you rang it up it didn't matter what was on the barcode in there $199 and I don't know how many were disclosed yet I go into news blackout when I come to something like this because I don't I listen to the news when I'm getting dressed in the morning so I really hadn't followed up on this so much I can't wait to get back and see what's going on with this but you know my thought right away is is this an insider threat? Somebody's pissed off and maybe he got stuck on a floor one day and okay I'll get back to you so my buddies want palm trees or something like that you know what better insider to have is a guy over at Best Buy if you need gadgets so here's no one tell me what you see spot spot the excitement on this picture yeah so in the Apple store in where is it North Carolina North Carolina Apple store out there where John's at on the barcode reader they're using Microsoft products in the Apple store so you thought that they probably had one of their own homegrown readers or something like that so Microsoft is able to infiltrate the Apple stores and pretty soon it'll be Applesoft is my prediction we're in the casino so I'm sure there's probably a line on it ultimate insider threat how many folks are married you got that husband wife trust relationship you just got an element of appreciation for coming home at night regards to what you do and be able to talk to your spouse and feel comfortable in what you do you don't expect your wife or your husband to talk about okay I'm in cover status and I've actually got call signs, code names and then they go on my Facebook when I take my job and I'm supposed to start work on the 4th of July or whatever day and go on her Facebook and say congratulations to my husband who's the head of MI6 and use his call sign of C on there which was not very well known so she's the insider threat to him it'll be interesting to see what goes on with that but that's kind of comical so here's one that's near and dear to my heart Leandro was a guy who worked at the White House he worked for Vice President Vice President's Office of Security and he's a Marine E7 and so he worked in the OVP staff from 99 to 03 over there and he worked badging and access control and did a lot of trip reports for those guys and so we had President Arroyo over for a visit and Clinton had her in excuse me and was able to meet with a lot of the Filipino nationals there and Leandro being one of them and a lot of the White House mess and they established a rapport and relationship with her Chief of Staff and they stayed in contact for years after the visit 2001 and ended up ultimately leaving the White House when he retired in 03 and went to work for the FBI the FMIT up in the FBI analyst and later on you find that he was disclosing classified documents he had lots of classified documents on his systems at home and he had been sending classified information to the Chief of Staff and the President about what was going on and what he was working on and so he was sentenced in July of 2007 for 10 years and so you know they were tugging on those hard strings the Chinese do it and the Filipinos do it you're very sympathetic to your homeland it's a very poor country pardon me it was a periodic review he was doing his five-year update and he blipped and then as they started running down the paper trail from there they started doing file reviews and somebody else who was working with the and it was part of the Chief of Staff from a Royal Staff kind of tipped it off and gave him up we're going to have a question and answer session over here afterwards so would be happy to kind of go into detail on the pull side on that too if you'd like so that's kind of near and dear to my heart and the only out that I have on that one is that my boss did the CI screening interview and I said we're all standing around the office as soon as this thing broke and we all called each other we'd all gone to our next lives by then and Rich Pete and I we're all calling each other going who did this interview and buddy of mine Rich Swerens he still works there and we started looking through there and it wasn't me so he didn't get by but anyway something that's very consistent with folks who are committing espionage is that they're very well organized and so everybody always thinks that they're really good people and this is kind of a common statement for a lot of folks who live around folks who commit espionage damn he's such a nice guy he just seemed to be pretty level headed and that's because you're balancing two lives you have to have that management skill nice guy just a shit bag so I'm sorry I used my outside voice again there's another one out there in East Tennessee Roy Oakley Tennessee Technology Park and what they're doing out there is they're de-mobbing there's a very lengthy process in destroying nuclear facilities and nuclear production facility so we hired a whole lot of janitors out there and folks to be able to supervise the process out there because we just can't have construction and facilities folks out there just walking away with materials and compromising because it's still a classified site out there so we brought them all into a room and gave them counterintelligence security awareness briefings and really just told them hey look folks the technology that you guys are destroying out here and you're working on lots of folks would be interested in this technology today it remains classified today take the French for instance and kind of ran down that whole line and just say this is something that would be of interest to them well this knucklehead took that as a hey I got a great idea that's never happened so call the French and say hey I've got access to stuff that you're interested in motivation guys got a whole bunch of rental properties he's fallen behind and maintenance and payments on him he didn't have people filling out the rentals so he's eating the rent himself and the mortgage on them all so he calls the French Embassy long story short information gets back to us and about a month or so later the French accent calls him up and says hey I'd like to meet with you let's see if we can do some business well he says okay flying to Knoxville airport and he did French guy flew in except he was an FBI agent that he met on the tarmac out there and so the rest is history from there so they arrested him right there and so he played out and it does in a lot of cases when you're dealing with espionage and classified information all nine yards and if it's going to go to trial you're going to have to disclose all that and so it's a whole mess and a lot of times they end up pleading out so he got six years in prison and he started serving so N1 Gen I'm really familiar with this case, Motorola so N1 Gen was a software engineer from 98 2008 for Motorola and she had tuberculosis and a couple other things going on in her life and so she had to take some leave and during the time of leave she made some contact and some unreported contact back to her motherland and so long story short is and I'll just kind of take you through the timeline with her but long story short is she's still not been prosecuted she's been indicted she's had three indictments against her for several you can see those down the bottom in the trial in January and everything kind of gets held up because it keeps getting meatier and meatier as you start digging up more discovery so she joined Motorola I'm not going to beat it to death a whole lot there but she started doing a little consulting on the side with one of the competitors and you kind of it's kind of not ethical to do that in most companies unless they give you the moonlighting privilege but especially with your competitors and so in April she took a trip to China and in June she came back and said hey I need to go on medical leave got tuberculosis, emphysema and a couple other things that are going on in her life so they put her on a medical leave and shortly after that she went to China again and then she comes back and she goes to medical leave again she takes a whole year off this time and who knows where she's at during that time well while she was gone they let her have access for a whole year they let her have access, remote access into the system out there remotely and so she was pulling down some PI and then she comes back in June and I'm sorry she didn't come back in June she had some discussions with Chinese technology company out there and they probably worked up some sort of a deal and so you can see the dates that she accessed the network again from China nonetheless and something that was told to her and this was captured along the way as they started looking at phone records and forensics of her laptop this is a comment by a Chinese executive, you should share in the full fruit of our collective effort and that's once she started taking some of the documents there's indicators already that she's not just doing this because she's interested in being a sponge and working away at the top of the organization so in mind we call that an indicator so um take you down to the last few days here in February of 07, she withdrew $10,000 from her bank and she bought a one-way ticket to Beijing right away that's an indicator especially somebody who's working in the states and you've got permanent residency out here you do a one-way ticket nowadays you're going to trigger all kinds of flags in the systems and you might even get an extra couple minutes over in the security side there at TSA and so she told the boss that she was ready to come back to work and so her badge was reactivated now it's I kind of think it's odd that they deactivated her security badge and access badge but yet they left all our accounts alive now I know we've never seen that happen before somebody leaves a company especially you know employees who terminate and then you come back and you do an audit a month later and they're still in the system that's never happened I'll bet you it happens where I'm at so on the 26th she reports to work and right away she starts visiting lots of folks and talking to project managers and she's interested in the future and what's going on with some projects down the road and right away she goes down and she's got 200 documents she pulls down and then she comes back at night she's already a hard charger trying to work her way back up at the top and she comes in at nine o'clock and starts sucking down a lot of data and and then she pulls out with bags of of items so on the 27th she sends an email saying that she's resigning again so came in and right away flags have been going crazy but allegedly they weren't and after she's the kicker here is after she told them that she's resigning she pulls down 65 more documents and and then she withdraws $20,000 and then comes back that night again and pulls down some more data and there it goes so on the February 28 she's at O'Hare going through airport security and they do a random check on her because there's no flag that's jumping in here at this point even though she bought a one-way ticket and she's fine as they start going through her stuff so they've got proprietary documents for Motorola she's got a whole bunch of Chinese documents technology books military, US military technology books some Chinese books and laptop well I think two or three thumb drives, four hard drives just just going on a little vacation so and there's a couple CDs in there 29 to be exact so see if you're a real smart person you put it on a thumb driver I don't know why you need those CDs but anyway maybe she didn't have time to process those big bags full of garbage and crap so for those who aren't visual here you go here's the textual version of what was on the other slide over there I'll spare you the animation on it but suffice to say she had lots of stuff she claimed $10,000 on her customs form $10,000 now here's the thing that just makes me fall out is they didn't let her get on her plane they said you can't fly and they sent her away you think they arrested her? not at that point she's arrested the next day going through customs again on a one-way ticket because they said you can't fly tonight because of all this we got to sort through it so they let her fly the next day or they were going to let her fly through customs again and they stopped her and so be it she was arrested so Motorola's claiming $600 million of proprietary information was lost and the DOJ is saying that they expect about $750,000 fine and they're looking at 30 years and as they start digging deeper and deeper and going through all the data the indictments are stacking up so the takeaway from this is that you just need to keep the mindset that you need to inspire commitment amongst yourselves and your colleagues and you're building for the future and it's the folks like Doodle that you need to inspire and protect your assets and your proprietary assets and you've got to watch out for those leaked snacksores so this is really my talk and again I'll be over in breakout room I guess number four for questions on there so appreciate your time and attention thank you